Portugal Data Privacy Laws: GDPR, Lei 58/2019, and CNPD Enforcement Guide (2026)

Portuguese data protection law operates under three interlocking layers: the EU GDPR, directly applicable since 25 May 2018; Lei n.º 58/2019, the national execution law; and Article 35 of the Portuguese Constitution. The CNPD enforces these rules and can levy fines of up to €20 million for serious violations.
Portugal occupies a distinctive position in European data protection. Its 1976 post-revolution Constitution pre-empted the GDPR by four decades with a detailed privacy clause explicitly addressing computers. Its national DPA challenged its own country's implementing law within weeks of enactment. And its enforcement statistics tell a story of an ambitious legal framework straining against the limits of a small authority.
This guide covers the full Portuguese data protection regime: constitutional foundations, the GDPR framework, Lei 58/2019's national additions and subtractions, the CNPD's structure and enforcement record, the landmark 2019 deliberation, the EU AI Act overlay, cross-border transfer rules, and practical compliance requirements for organizations operating in Portugal.
Quick Answer: Does the GDPR Apply in Portugal?
Yes. The GDPR has applied directly in Portugal since 25 May 2018, with no transposition required. Lei n.º 58/2019 is not a GDPR transposition. It is a supplementary execution law, filling the spaces the GDPR deliberately leaves open for member state discretion. Where Lei 58/2019 conflicts with the GDPR, the GDPR prevails. The CNPD confirmed this hierarchy in 2019 by refusing to apply several provisions of the national law.
For any organization processing personal data about Portuguese residents, or operating data processing activities in Portugal, compliance means satisfying the GDPR first and Lei 58/2019 second.

Constitutional Basis: Article 35 of the Portuguese Constitution
Portugal's constitutional framework for data protection is unusually strong and unusually specific. Article 35 of the Constitution of the Portuguese Republic, adopted in 1976, carries the heading "Use of information technology" (Utilização da informática) and guarantees citizens a set of rights that were visionary at the time and remain foundational today.
Article 35 gives every citizen the right to access any computerized data concerning them, to require the correction and updating of that data, and to be informed of the purpose for which their data is processed. It requires that the law define what constitutes personal data and specify the conditions for automated processing, connection, transmission, and use of such data. Crucially, the article mandates protection by means of an independent administrative entity, a direct constitutional requirement for what became the CNPD.
Article 35 also prohibits assigning a single national identification number to citizens, a provision that was a direct reaction to the surveillance infrastructure of the PIDE/DGS secret police under the Estado Novo dictatorship. The prohibition has practical force today: Portugal restricts the linking of identification numbers across databases to an extent that goes beyond what most EU member states require.
The article further treats certain categories of sensitive data (data related to political opinions, religious beliefs, and private life) with heightened protection, prohibiting their processing and transmission except in narrowly defined circumstances.
Article 26 of the same Constitution adds a general guarantee of the right to personal identity and to the development of personality, to civil capacity, to citizenship, to a good name and reputation, to image, to expression, and to protection of the intimacy of private and family life. This creates a constitutional right to privacy that functions independently of and alongside Article 35.
Portugal's courts have used these constitutional provisions to interpret data protection questions more broadly than a pure GDPR analysis would require. The constitutional basis gives Portuguese residents grounds to challenge data processing through constitutional courts in addition to administrative complaint routes through the CNPD.
The GDPR Framework in Portugal
The General Data Protection Regulation (EU) 2016/679 applies in Portugal as directly applicable EU law. No national transposition was required or permitted; the GDPR is the law, applicable to every organization that processes personal data of individuals in the EU or that targets EU residents with goods and services.
The GDPR's core principles apply in Portugal without modification: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.
Organizations must identify a lawful basis under Article 6 GDPR for each processing activity. The six bases are: consent, contract performance, legal obligation, protection of vital interests, a task carried out in the public interest, and legitimate interests. Portugal's Lei 58/2019 adds some restrictions and clarifications to how these bases apply in specific contexts, discussed below.
Lei n.º 58/2019: The National Execution Law

Lei n.º 58/2019 of 8 August entered into force on 9 August 2019, making Portugal one of the later EU member states to finalize its supplementary GDPR legislation. The law was officially published in the Diário da República and is freely accessible at dre.pt.
The delay was significant. The GDPR had been directly applicable for more than a year before Lei 58/2019 was enacted. During that gap, Portugal operated under a transitional framework, and several companies and public bodies had already begun adapting their practices to GDPR requirements without a final national law in place.
Alongside Lei 58/2019, Lei n.º 59/2019 of the same date established separate data protection rules for competent authorities processing personal data for criminal investigation, crime prevention, public security, and border control purposes. It is Portugal's transposition of EU Directive 2016/680 (the Law Enforcement Directive).
Key National Additions in Lei 58/2019
Lei 58/2019 exercises the member state options available under the GDPR in several areas:
Age of digital consent. Portugal set the age at which children can consent independently to information society services at 13 years old, the minimum permitted under Article 8 GDPR. This is one of the lowest thresholds in the EU. Germany, Austria, and the Netherlands chose 16; France chose 15; Ireland, Spain, and Italy chose 16. For children under 13, a parent or holder of parental responsibility must provide or authorize consent.
Employment context restrictions on consent. Article 28 of Lei 58/2019 restricts the use of consent as a lawful basis in employment relationships. Consent is not a valid basis where processing is necessary for the performance of the employment contract or where it produces a legal or economic advantage for the employee. The CNPD subsequently declared part of this restriction, specifically Article 28(3)(a), inapplicable as it excessively constrained employees' right to informational self-determination, but Article 28(3)(b) remained operative.
Biometric data in the workplace. Article 28(6) of Lei 58/2019 limits biometric processing in the employment context to two purposes only: controlling employee attendance and controlling access to employer premises. Only mathematical templates derived from biometric data may be stored. The raw biometric data itself may not be stored. The templates must be stored in a form that does not allow for the reversal of the biometric representation.
Video surveillance in employment. Personal data collected through remote surveillance technology, including video cameras, may only be used in employee disciplinary proceedings if the matter also constitutes a criminal case. An employer cannot use CCTV footage to discipline an employee for a workplace policy violation that does not involve criminal conduct. This is considerably more restrictive than the approach in most other EU member states.
Deceased persons. Lei 58/2019 grants data subject rights to the heirs of deceased persons, allowing them to exercise access, correction, and erasure rights on behalf of the deceased, unless the deceased person explicitly stated during their lifetime that those rights should not be exercised by third parties.
Public health and research. The law provides specific exceptions to data subject rights, including rights of access and erasure, where processing is carried out for archiving purposes in the public interest, scientific or historical research, or statistical purposes, and where exercise of the right would seriously impair the achievement of those purposes.
Fine revenue distribution. Under Article 44 of Lei 58/2019, 60% of collected GDPR administrative fines go to the Portuguese state treasury. The remaining 40% goes directly to the CNPD as operational revenue. This arrangement is unique in the EU and has generated ongoing debate about whether it creates an inappropriate financial incentive for the supervisory authority.
The CNPD's 2019 Deliberation: Disapplying Parts of Lei 58/2019
Perhaps the most remarkable episode in Portugal's data protection history occurred just weeks after Lei 58/2019 entered into force. On 3 September 2019, the CNPD issued Deliberation 2019/494, a decision declaring that it would refuse to apply several provisions of the national law it was charged with enforcing.
The CNPD's legal basis was the supremacy of EU law. Under Article 288 TFEU and the case law of the Court of Justice of the EU, EU regulations take direct effect in member state legal orders and override conflicting national provisions. A national data protection authority is required to apply the GDPR as written; where national law conflicts, the GDPR prevails and the national provision must be set aside.
The Provisions Disapplied
The CNPD identified four sets of provisions in Lei 58/2019 as incompatible with the GDPR:
Articles 37 to 39: the penalties framework. These articles established Portugal's own penalty calculation regime for GDPR violations. The problems were multiple. Articles 37(2) and 38(2) differentiated maximum fines based on whether the controller was a large company or an SME. However, the GDPR makes no such differentiation, and the CNPD concluded that Portugal could not subdivide the penalty ceilings in a manner that departed from the GDPR's unified structure. Article 39(1) set out fine calculation criteria that the CNPD found went beyond the considerations listed in Article 83(2) GDPR. Article 39(3) required the CNPD to give prior notification before initiating proceedings for negligent violations, a requirement the CNPD found incompatible with the GDPR's enforcement framework, which makes no distinction based on fault type at the notification stage.
The practical consequence is that the CNPD applies Article 83 GDPR directly when calculating fines, treating all entities within the same penalty ceiling structure and without the prior notification requirement for negligent violations.
Article 28(3)(a): consent in employment. The CNPD found that the prohibition on using consent as a basis where processing produces a legal or economic advantage for the employee excessively restricted employees' right to informational self-determination and was incompatible with Article 6(1)(a) and Article 9(2)(a) GDPR. This provision was disapplied; Article 28(3)(b) (the contract-performance restriction) was not challenged.
Article 61(2): consent and contract termination. This provision linked the expiry of consent for data processing to the automatic termination of any underlying service agreement, in a manner that the CNPD found conflicted with the GDPR's rules on withdrawal of consent.
Article 62(2): prior CNPD authorization. This article preserved a prior-authorization requirement for certain types of processing that predated the GDPR. The CNPD found the requirement incompatible with the GDPR's authorization-free regime.
The Deliberation did not strike these provisions down. The CNPD lacks constitutional court powers. Instead, it announced that the authority would not apply them in its enforcement decisions, while noting that courts would need to make their own determinations if the provisions were raised in litigation. The legal status of the disapplied provisions within the Portuguese legal order therefore remains formally unresolved; in practice, the CNPD does not treat them as operative.
The CNPD: Structure and Powers

The Comissão Nacional de Proteção de Dados (CNPD) is Portugal's independent supervisory authority under Article 51 GDPR. It was established originally under the predecessor data protection law of 1998, transitioning to its current GDPR supervisory role in 2018.
The CNPD's members are elected by the Assembleia da República, the Portuguese Parliament, which gives the body democratic legitimacy and political independence from the executive branch.
Powers and Functions
Under the GDPR and Lei 58/2019, the CNPD exercises investigative, corrective, advisory, and authorization powers. On the investigative side, it may conduct audits and inspections, request information from controllers and processors, and obtain access to all personal data and all information necessary for its investigations. On the corrective side, it may issue warnings, reprimands, orders to comply, temporary or permanent bans on processing, orders to erase or destroy data, and administrative fines.
The CNPD also performs advisory functions: it issues opinions on draft legislation affecting data protection, provides guidance on compliance questions, and publishes binding authorizations for certain types of processing where the GDPR or Lei 58/2019 requires prior approval.
Data controllers and processors subject to audits must cooperate with the CNPD. Obstruction of an inspection is itself an administrative offense.
Resources and Constraints
The CNPD is chronically under-resourced relative to its mandate. At the end of 2024, the authority had 28 employees. By the end of 2025, staffing had grown to 36. Its 2024 budget was approximately €2.98 million, with the majority funded from the national budget and a supplementary contribution from the CNPD's own fine revenue.
The authority has publicly acknowledged that limited resources affect its ability to investigate all matters brought to its attention. A legislative proposal for an electronic administrative proceedings system, addressing the authority's paper-based processes, was submitted to Parliament in September 2025.
Legal Bases and Consent Rules
Every data processing activity in Portugal must identify a valid lawful basis under Article 6 GDPR. The six bases apply as under the GDPR generally, with the following Portugal-specific considerations:
Consent must be freely given, specific, informed, and unambiguous. In the employment context, Article 28 of Lei 58/2019 (as modified by Deliberation 2019/494) restricts consent to situations where processing is not necessary for the employment contract. Employers cannot use consent to process employee data where the contractual relationship creates an inherent power imbalance that renders consent non-freely given.
The legitimate interests basis is available but requires a three-part test: the interest must be legitimate, the processing must be necessary for that interest, and the interest must not be overridden by the interests or fundamental rights of the data subject. Portuguese courts and the CNPD apply this balancing test rigorously, particularly for marketing and employee monitoring use cases.
Legal obligation and public task bases are frequently used by Portuguese public authorities. Special category data (Article 9 GDPR), including health data, biometric data for identification, racial or ethnic origin, political opinions, and religious beliefs, requires both a valid Article 6 basis and one of the additional conditions listed in Article 9(2).
Data Subject Rights
Portuguese residents enjoy the full set of data subject rights guaranteed by the GDPR:
Right of access (Article 15). Data subjects may request confirmation of whether their personal data is being processed and, if so, a copy of that data along with information about purposes, categories, recipients, retention periods, and the existence of other rights.
Right to rectification (Article 16). Inaccurate personal data must be corrected, and incomplete data must be completed, without undue delay.
Right to erasure (Article 17). Also known as the right to be forgotten. In Portugal, where a legal retention period applies to the data, erasure can only be exercised after that period expires. This reflects Lei 58/2019's treatment of legally mandated retention obligations.
Right to restriction of processing (Article 18). Data subjects may request that processing be restricted while accuracy is contested or a legitimate interests objection is assessed.
Right to data portability (Article 20). Lei 58/2019 specifies that portability covers only data provided by the data subject, and that transfers should, wherever possible, take place in open formats.
Right to object (Article 21). Data subjects may object to processing based on legitimate interests or for direct marketing purposes. Objections to direct marketing must always be honored.
Rights in automated decision-making (Article 22). Data subjects have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. Human review must be available.
The CNPD operates a Digital Counter (Balcão Digital) through which data subjects can make access requests, file complaints, and obtain guidance. In 2025, the Digital Counter received 9,299 contacts, up 19.2% year on year.
Breach Notification Requirements
The GDPR's breach notification framework applies in Portugal with no significant national deviations. Controllers must notify the CNPD of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
The notification must include: the nature of the breach; the categories and approximate number of affected data subjects and records; the name and contact details of the DPO or other point of contact; a description of the likely consequences; and the measures taken or proposed to address the breach. If the notification cannot be made within 72 hours, the controller must provide the notification in phases, with reasons for the delay.
Where a breach is likely to result in a high risk, the affected data subjects must also be notified directly without undue delay. The CNPD publishes a standardized breach notification form on its website.
Breach notification volumes have grown sharply. The CNPD received 332 breach notifications in 2024. By 2025, that figure had risen to 472, a 42% increase in one year. Human error accounted for 128 of the 2025 notifications; phishing-type social engineering attacks accounted for 72.
Data Protection Officer Requirements
Lei 58/2019 does not materially deviate from the GDPR's DPO framework, though it adds two additional obligations for designated DPOs: ensuring that both periodic and unscheduled audits are carried out; and making users aware of the importance of early detection of security incidents and of the need to report them promptly.
A DPO must be designated when:
- The controller or processor is a public authority or body (except courts acting in their judicial capacity)
- Core activities require regular and systematic monitoring of data subjects on a large scale
- Core activities involve large-scale processing of special category data or criminal conviction data
For public-sector entities, the obligation extends broadly. The state, autonomous regions, local authorities, public institutes, public higher education institutions, and state-owned enterprises are all required to designate a DPO. The CNPD's 2025 priority of creating a DPO Portal is intended to formalize and streamline communication between the authority and registered DPOs.
Organizations not required to designate a DPO are encouraged, but not compelled, to do so voluntarily. Where a DPO is designated voluntarily, the GDPR's protections for DPO independence apply in full.
Cross-Border Data Transfers
Portugal follows the GDPR's three-tier framework for international transfers of personal data:
Adequacy decisions. Where the European Commission has determined that a third country provides an essentially equivalent level of protection, transfers may proceed without additional safeguards. The EU-US Data Privacy Framework, adopted in July 2023, allows transfers to certified US organizations under an adequacy decision. However, this framework remains subject to legal challenge.
Appropriate safeguards. In the absence of an adequacy decision, transfers require appropriate safeguards. The primary mechanism is Standard Contractual Clauses (SCCs), which the European Commission updated in 2021. Organizations using SCCs must also conduct a Transfer Impact Assessment (TIA) to evaluate whether the legal environment of the destination country undermines the protections guaranteed by the SCCs.
Derogations. Article 49 GDPR permits transfers in limited circumstances without an adequacy decision or appropriate safeguards (including explicit consent, contract performance, or vital interests), but the CNPD, in line with EDPB guidance, treats these as last-resort options rather than routine compliance tools.
The INE case made clear that Portugal takes cross-border transfer compliance seriously. The €4.3 million fine in 2022 was partly premised on the transfer of Census 2021 personal data to US servers without adequate legal safeguards. For organizations transferring data from Portugal to Brazil, a common flow given Portugal-Brazil business and migration ties, SCCs accompanied by TIAs remain the recommended mechanism.
Penalties and Administrative Fines
The GDPR's two-tier penalty structure applies directly in Portugal. As a consequence of Deliberation 2019/494, the CNPD applies Article 83 GDPR directly, rather than the penalty provisions in Articles 37 to 39 of Lei 58/2019 (which it has refused to apply as incompatible with the GDPR).
Tier 1 violations (Article 83(4)) carry fines up to €10 million or 2% of total annual worldwide turnover, whichever is higher. These cover violations of technical and organizational obligations, including breaches of privacy-by-design requirements, DPO obligations, breach notification failures, and processor obligations.
Tier 2 violations (Article 83(5)) carry fines up to €20 million or 4% of total annual worldwide turnover, whichever is higher. These cover the most serious violations: breaches of core principles (lawfulness, purpose limitation, data minimization), violations of data subjects' rights, and unlawful cross-border transfers.
In addition to administrative fines, Portuguese criminal law provides for penalties in the most serious data protection violations. Unauthorized access to personal data, willful destruction of data held by controllers, and failure to comply with CNPD orders can carry criminal liability, including imprisonment.
Fine revenue is split 60/40 between the national treasury and the CNPD under Article 44 of Lei 58/2019.
CNPD Enforcement Record
Centro Hospitalar Barreiro Montijo (2018): €400,000
Portugal's first GDPR fine was issued in 2018 against a public hospital. The CNPD fined Centro Hospitalar Barreiro Montijo €400,000 for three violations: hospital staff using false profiles to access patient medical records; failure to implement adequate access controls; and absence of a Data Protection Impact Assessment. The healthcare sector case established early that the CNPD would target institutional data governance failures.
Instituto Nacional de Estatística (2022): €4,300,000
The largest GDPR fine in Portuguese history was imposed in December 2022. The CNPD fined the INE €4.3 million for five infringements connected to the 2021 Census:
- Unlawful transfer of personal data to US-based servers without adequate safeguards
- Failure to conduct a Data Protection Impact Assessment
- Lack of lawfulness for processing special categories of personal data
- Breach of transparency obligations (no accessible privacy notice on the INE website)
- Inadequate technical and organizational security measures
The fine demonstrated that the CNPD would apply substantial penalties to government bodies, not just private companies. The INE has challenged the fine before the Portuguese courts; no final judgment had been issued as of mid-2026. The EDPB published the case as a notable cross-border transfer enforcement action.
2023 Aggregate Enforcement
The CNPD issued 90 fines totalling €559,950 across 2023. After 2022, the authority stopped publishing individual enforcement decisions, releasing only aggregate statistics. This policy has been criticized by transparency advocates and makes detailed analysis of current enforcement patterns more difficult.
2024 and 2025: Low Fine Output, Growing Activity
In 2024, the CNPD processed 2,046 investigation processes and received 332 breach notifications. The authority's 2024 budget was approximately €2.98 million, with only 28 employees on staff.
In 2025, the CNPD issued just 2 fines totalling €47,000, a strikingly low figure relative to its activity level. During the same year it opened 3,201 processes, conducted 244 inspections (double the 2024 figure of 122), initiated 88 administrative offense proceedings, and adopted 480 decisions related to breach cases. The authority attributed the low sanction output to insufficient specialized staff, procedural complexity, paper-based administrative processes, and an inadequate legal framework for its sanctioning procedures.
By the end of 2025, the CNPD had grown to 36 employees, still well below the minimum needed to close its growing case backlog. A legislative proposal for an electronic administrative proceedings regime was submitted to Parliament in September 2025.
EU AI Act Overlay
The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024 and applies directly in Portugal as EU regulation. Its phased implementation schedule creates staggered compliance obligations:
- From 2 February 2025: prohibitions on unacceptable-risk AI systems and AI literacy obligations for operators.
- From 2 August 2025: governance rules, transparency obligations for general-purpose AI models, and obligations on providers and deployers of high-risk AI systems.
- From 2 August 2026: full application of obligations for most high-risk AI systems.
Portugal designated ANACOM, the national telecommunications and communications authority, in September 2025 as the national market surveillance authority and single point of contact for EU AI Act enforcement. ANACOM coordinates with the CNPD for matters at the intersection of AI governance and data protection.
The CNPD's involvement is significant because many high-risk AI systems under the AI Act process personal data, triggering concurrent GDPR obligations. Biometric identification, emotion recognition, and AI systems used in employment, education, and credit scoring are among the areas where the AI Act and GDPR obligations overlap most directly.
Portugal's national AI strategy, "AI Portugal 2030," predates the EU AI Act and is being updated to align with the Act's requirements. The strategy aims to position Portugal as a hub for ethical AI development within the EU.
Recent Developments (2024 to 2026)
Law 2/2025 (January 2025). Portugal enacted Law 2/2025 of 23 January, implementing the EU Data Governance Act (Regulation (EU) 2022/868) at the national level. The law establishes rules for the reuse of public sector data and creates a framework for data intermediation services and data altruism organizations within Portugal.
NIS2 transposition. The CNPD issued an opinion on Portugal's bill transposing the NIS2 Directive (EU 2022/2555) on security of network and information systems. Portugal's NIS2 transposition raises new obligations for organizations in the energy, transport, banking, health, water, digital infrastructure, and public administration sectors.
DPO Portal (2025). The CNPD committed in its 2025 Activity Plan to launch a portal specifically for Data Protection Officers, streamlining formal communications between DPOs and the authority. This reflects the CNPD's acknowledgment that its previous communication infrastructure was inadequate for modern compliance needs.
Electronic proceedings reform. The legislative proposal for an electronic administrative proceedings system is the most consequential pending reform for CNPD enforcement capacity. If adopted, it would replace paper-based processes and is expected to allow the authority to close cases and impose fines significantly more efficiently.
Direct marketing guidance. The CNPD issued updated guidelines on direct marketing practices in 2024-2025, addressing consent mechanisms for email marketing, cookie-based tracking for advertising purposes, and the boundaries of legitimate interest as a basis for marketing processing.
Video surveillance complaint surge. Complaints about video surveillance to the CNPD increased 49.9% in 2025, reaching 1,243 complaints. This reflects growing public awareness of surveillance in workplaces, commercial premises, and public spaces, and suggests continued CNPD attention to this sector.
Business Compliance: Portugal-Specific Requirements
Organizations operating in Portugal and processing personal data about Portuguese residents should attend to several Portugal-specific requirements beyond standard GDPR compliance:
Employee monitoring. Review all workplace surveillance and monitoring practices against Lei 58/2019's strict restrictions. Video footage may not be used in disciplinary proceedings unless the matter also constitutes a criminal case. Biometric systems must be limited to attendance tracking and access control, using only irreversible templates. CCTV deployments require CNPD-compliant signage, DPIAs for large-scale systems, and written policies.
Age of consent. If your services are directed at Portuguese users and could be used by children, note that the age of digital consent is 13. Age verification mechanisms and parental consent workflows must reflect this threshold, which differs from the 16 or 15 used in many other EU markets.
Cross-border transfers. Transfers of Portuguese resident data outside the EEA require adequacy decisions, SCCs accompanied by TIAs, or BCRs. The INE case demonstrated the CNPD's readiness to impose very large fines for inadequate transfer safeguards, even against government bodies.
Records of processing activities. Maintain ROPA documentation under Article 30 GDPR. CNPD audits routinely examine processing records, and the absence of proper records can transform a minor compliance issue into a major enforcement finding.
DPO designation. Any public authority or body, and any private organization whose core activities involve large-scale systematic monitoring or special category processing, must designate a DPO and register their contact details with the CNPD.
DPIA practice. Conduct Data Protection Impact Assessments for any high-risk processing, including large-scale processing of special category data, systematic profiling, and novel uses of emerging technology including AI systems.
AI Act readiness. Assess whether any AI systems deployed by your organization fall within the EU AI Act's high-risk categories. Prepare technical documentation, conformity assessments, and transparency notifications as required by the AI Act's phased implementation timeline.
Portugal Data Privacy Laws and Recording Laws
Portugal's data protection framework intersects directly with its recording consent laws. Under Article 199 of the Código Penal, recording a private conversation without the consent of all participants is a criminal offense. Any resulting recording constitutes personal data subject to GDPR and Lei 58/2019.
Video surveillance must comply with both the Penal Code's consent requirements and the GDPR framework. Workplace audio recording is almost entirely prohibited under both regimes. CCTV footage of identifiable individuals is personal data and subject to retention limits, access controls, and data subject rights.
Portugal's data protection rules form part of the broader EU data privacy framework that applies across all 27 EU member states.
Disclaimer: This article provides general information about Portugal's data privacy laws and is not legal advice. Data protection law changes frequently. Consult a qualified attorney licensed in Portugal for advice about your specific situation.
Frequently Asked Questions
What is Portugal's main data protection law?
Portugal's data protection regime has two layers. The EU General Data Protection Regulation (GDPR) applies directly as EU law. Lei n.º 58/2019 of 8 August is the national execution law that exercises Portugal's member state options under the GDPR, setting the age of digital consent at 13, adding workplace biometric restrictions, and establishing the CNPD's structure and fine revenue rules. Where the two conflict, the GDPR prevails; the CNPD confirmed this in Deliberation 2019/494.
What is the CNPD and what powers does it have?
The Comissão Nacional de Proteção de Dados (CNPD) is Portugal's independent data protection supervisory authority. Its members are elected by the Portuguese Parliament. The CNPD can conduct audits and inspections, issue warnings and reprimands, order compliance, impose temporary or permanent bans on processing, and levy administrative fines up to €20 million or 4% of annual worldwide turnover for the most serious violations.
Why did the CNPD refuse to apply parts of Lei 58/2019?
In Deliberation 2019/494 of 3 September 2019, the CNPD found that several provisions of Lei 58/2019 conflicted with the GDPR. The disapplied articles included Articles 37 to 39 (the national penalties framework, which differentiated fines by company size and required prior notification before proceedings for negligent violations), Article 28(3)(a) (an overly restrictive employment consent rule), and Articles 61(2) and 62(2). The CNPD invoked the supremacy of EU law and declared it would not apply these provisions in its enforcement decisions.
What is the age of digital consent in Portugal?
Portugal set the age of digital consent at 13 years old, the minimum permitted by the GDPR. Children 13 and older may consent independently to information society services such as social media platforms. For children under 13, a parent or guardian must provide or authorize consent.
Can employers in Portugal use CCTV footage to discipline employees?
No, not for standard workplace policy violations. Lei 58/2019 restricts the use of video surveillance footage in employee disciplinary proceedings to situations where the matter also constitutes a criminal case. Employers cannot use CCTV recordings to discipline an employee for a workplace infraction that does not involve criminal conduct.
What is the largest GDPR fine issued in Portugal?
The largest fine was €4.3 million, imposed in December 2022 against the Instituto Nacional de Estatística (INE) for five GDPR violations related to the 2021 Census. The violations included unlawful transfer of personal data to US servers without adequate safeguards, failure to conduct a Data Protection Impact Assessment, and breach of transparency obligations. The INE has challenged the fine in the courts.
How does the EU AI Act affect organizations in Portugal?
The EU AI Act applies directly in Portugal as EU regulation. Prohibitions on unacceptable-risk AI systems took effect in February 2025. Major governance and transparency obligations for general-purpose AI took effect in August 2025. Full obligations for most high-risk AI systems apply from August 2026. Portugal designated ANACOM as the national market surveillance authority for the AI Act in September 2025. The CNPD handles data protection issues arising from AI systems processing personal data.
How do I transfer personal data from Portugal to countries outside the EU?
Transfers outside the EEA require one of three mechanisms: an adequacy decision from the European Commission for the destination country; appropriate safeguards such as Standard Contractual Clauses (SCCs) accompanied by a Transfer Impact Assessment; or in limited cases, one of the derogations in Article 49 GDPR. The CNPD treats Article 49 derogations as last-resort options. The €4.3M INE fine was partly based on an inadequate transfer mechanism to the US.
Sources and References
- Lei n.º 58/2019 de 8 de agosto — Diário da República (dre.pt)
- CNPD — Comissão Nacional de Proteção de Dados (cnpd.pt)
- EDPB — INE Census Fine €4.3M (December 2022) (edpb.europa.eu)
- GDPRhub — CNPD Deliberação 2019/494 (gdprhub.eu)
- CMS Expert Guide — Data Protection in Portugal (cms.law)
- DLA Piper Data Protection Laws — Portugal (dlapiperdataprotection.com)
- DLA Piper — National DPA Portugal (dlapiperdataprotection.com)
- GDPRhub — Data Protection in Portugal (gdprhub.eu)
- EU GDPR — Regulation (EU) 2016/679 (eur-lex.europa.eu)
- IAPP — First GDPR Fine in Portugal (Hospital, 2018) (iapp.org)
- CMS GDPR Enforcement Tracker — Portugal (cms.law)
- Espanha Associados — Deliberation 2019/494 Analysis (espanhaassociados.pt)
- Garrigues — New Portuguese Data Protection Act (garrigues.com)
- PPC Land — CNPD Issued Just 2 Fines in 2025 (ppc.land)
- Chambers — Artificial Intelligence 2025 Portugal (practiceguides.chambers.com)
- EU AI Act — Regulation (EU) 2024/1689 (eur-lex.europa.eu)