Security Requirements and Breach Notification
Do data privacy laws or regulations impose obligations to maintain information security controls to protect personal data from unauthorized access or processing?

Last review date: 27 December 2024

Yes.

☒     general obligation to take appropriate / reasonable technical, physical and/or organizational security measures
☒     obligation to take specific security measures, e.g., encryption

Although not a strict legal requirement, encryption is considered by the GDPR to be an appropriate technical and organizational measure. In practice, the authorities expect encryption unless specific circumstances justify its absence.

☒     other

Pseudonymization, adherence to an approved code of conduct (article 40 GDPR) or to an approved certification mechanism (article 42 GDPR).

Do other laws or regulations impose obligations to protect systems from cyberattack?

Last review date: 27 December 2024

Yes.

☒     public company obligations (e.g., duties to maintain sufficient information security measures or ensure operational resilience to cyberattacks)

☒     health regulatory requirements

☒     telecommunication requirements

☒     providers of critical infrastructure

☒     digital or connected (IoT) products

Has there been regulatory activity – including enforcement action, investigations, regulatory guidance or other public statements by the regulator – relating to cybersecurity by the following regulators in the last 12 months?

Last review date: 27 December 2024

The CNCS does not publish the enforcement measures it applies on its official website. However, it recently announced that in the course of 2024 it opened nine administrative procedures for the application of fines. Compared to 2023, when it confirmed that it had opened 68 administrative procedures against operators, this year has seen a significant decrease in the authority's enforcement actions.

Does data privacy or cybersecurity law impose obligations to make notifications about personal data security breaches?

Last review date: 27 December 2024

Yes.

"Personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Controllers/Owners have to notify:

Last review date: 27 December 2024

☒     data protection authorities

  • In case of a personal data breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons
  • Without undue delay and, where feasible, not later than 72 hours after having become aware of it

☒     cybersecurity authorities

  • In case of a cybersecurity incident.

☒     affected individuals

  • Without undue delay
  • If a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, unless any of the following conditions are met:
    • the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption
    • the controller has taken subsequent measures that ensure that the high risk to the rights and freedoms of the data subjects is no longer likely to materialize

☒     other

If informing the data subjects individually would involve disproportionate effort, there shall instead be a public communication or a similar measure whereby the data subjects are informed in an equally effective manner. Portuguese legislation does not provide a timeframe for this communication.

Processors/Agents have to notify:

Last review date: 27 December 2024

☒     controller/owner

  • In case of a personal data breach irrespective of a risk to the rights and freedoms of the data subjects
  • Without undue delay after becoming aware of it

☒     cybersecurity authorities

Are there any additional sector-specific or non-personal data security breach notification requirements?

Last review date: 27 December 2024

Yes.

☒     cybersecurity authorities
☒     financial services requirements

The Bank of Portugal has issued a mandatory instruction on the reporting of cybersecurity incidents classified as significant or severe (Instruction No. 21/2019, Bank of Portugal). Pursuant to this instruction, credit institutions, investment firms and other covered companies are obliged to notify the Bank of Portugal of any cybersecurity incident classified as significant or severe, in accordance with the conditions set out in the instruction.

☒     telecommunication requirements

According to the Electronic Communications Law (Law No. 16/2022), companies offering public electronic communications networks or publicly accessible electronic communications services must:

(a) Notify the NRA (ANACOM) and the CNCS, without undue delay, of any security incident with a significant impact on the operation of the networks or services;

(b) Inform the public, by the most appropriate means, of security incidents, when this is deemed by the NRA to be of public interest.

☒     providers of critical infrastructure

Providers of critical infrastructure must notify the CNCS of incidents with a relevant impact on the security of networks and information systems.

☒     other

According to Law No. 46/2018, of 13 August, which establishes the legal framework for cyberspace security, transposing Directive (EU) 2016/1148 of the European Parliament and of the Council, of 6 July 2016:

  • The Public Administration and critical infrastructure operators must notify the CNCS of incidents with a relevant impact on the security of networks and information systems.
  • The operators of essential services must notify the CNCS of incidents with a relevant impact on the continuity of the essential services they provide.
  • Digital service providers must notify the CNCS of incidents that have a substantial impact on the provision of digital services.

Without prejudice to the notification obligations set out in that law, any entity may notify, on a voluntary basis, incidents with a major impact on the continuity of the services it provides.

Details regarding the identified data security breach notification requirements

Pursuant to article 3-A of the Personal Data Protection and Telecommunication Privacy Act, providers of publicly available electronic communications services must, without undue delay, notify the CNPD of a personal data breach. Where such a breach is likely to adversely affect the personal data of the subscriber or user, the provider must also notify the subscriber or user of the breach, without undue delay, so that they can take the necessary precautions. Note that the Personal Data Protection and Telecommunication Privacy Act defines a personal data breach as an event that adversely affects the personal data or the privacy of the subscriber or user, where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation in connection with the provision and use of publicly available communications services.

According to paragraph 2 of article 2 of Regulation (EU) 611/2013, the authorities have to be informed after detection of the breach.

In addition, if the provider has not already notified the subscriber or user of the personal data breach, the CNPD may, having considered the likely adverse effects of the breach, require it to do so. Potential penalties for non-compliance with the breach notice requirement amount to up to EUR 5 million. Ancillary fines may also apply. The Personal Data Protection and Telecommunication Privacy Act does not provide a timeframe for this notification.

Another requirement stems from Law No. 46/2018, of 13 August, which establishes the Cyberspace Security Legal Framework and imposes an obligation to notify the CNCS of certain incidents with a relevant impact on the networks and information systems of public administration entities, critical infrastructure operators, operators of essential services and digital service providers. Potential penalties for non-compliance with the breach notice requirement amount to up to EUR 9,000. Law No. 46/2018, of 13 August, does not provide a timeframe for this notification.

Pursuant to this law, an "incident" is defined as an event with real adverse effects on the security of network and information systems.

Finally, the Portuguese Electronic Communications Law requires providers of public communications networks or publicly available electronic communications services to notify the National Regulatory Authority (ANACOM) of a breach of security or loss of integrity with a significant impact on the operation of networks or services. It is incumbent upon ANACOM to approve measures defining the circumstances, format and procedures applicable to the notification of breaches of security or losses of integrity of networks. Non-compliance with the notification obligation may constitute a very serious offence, punishable with a fine of up to EUR 5 million. Under Regulation No. 303/2019, of 1 April, the notification process must comply with the following timeframe:

  • The initial notification should be sent as soon as possible and, provided that the company can conclude that there is or will be a significant impact, no later than one hour after the specific circumstances have been verified;
  • Once the breach of security or loss of integrity ceases to have a significant impact, and where this has not already been communicated in the initial notification, companies must submit, as soon as possible and within a maximum of two hours after it occurs, a notification of the end of the security breach or loss of integrity with significant impact; and
  • The final notification shall be submitted within 20 working days from the time the breach of security or loss of integrity ceases to have a significant impact.