Privireal Home Page Privacy in Research, Ethics and Law
"examining the implementation of the Data Protection Directive 95/46/EC
in relation to medical research and the role of ethics committees"

Portugal - Data Protection

History of Data Protection in PORTUGAL

Following the Portuguese revolution of 1974, it did not take long for data protection issues to force themselves onto the Portuguese agenda. Article 35 of the Portuguese Constitution of 1976 is a special provision on data protection that refers to the use of computerised data, and establishes rights and prohibitions.

The Portuguese Data Protection Law was established in 1991 (Law 10/91). However, the implementation of Directive 95/46/EC required further work. It was implemented in 1998 with the passing of the Data Protection Act (Law 67/98 of 26 October).

Summary of Data Protection in PORTUGAL

Title of Data Protection Legislation Act on the Protection of Personal Data (Law 67/98 of 26 October)
Name of supervisory authority National Data Protection Commission
General Powers of supervisory authority The Act sets out the "duties" (Article 22) and the "responsibilities" (Article 23) of the Commission. The "duties" include:
To supervise and monitor compliance with the laws and regulations;
To investigate processing operations. The "responsibilities" include:
issuing opinions on legal provisions and on legal instruments in preparation in Community or international institutions relating to the processing of personal data;
acting on an application made by any person or by an association representing that person concerning the protection of his rights and freedoms in regard to the processing of personal data and informing them of the outcome;
checking the lawfulness of data processing at the request of any person whenever such processing is subject to restricted access or information, and informing the person that a check has taken place;
assessing the claims, complaints or applications of private individuals;
promoting the drawing up of codes of conduct and assessing them;
Who has standing to notify the supervisory authority of breaches? Anybody
What are the penalties for data controllers if they breach the law? For administrative offences, the data controller will be punished with a fine (article 38 of the 1998 law). For the criminal offences laid down in Articles 43, 44, 45, 47 and 49, imprisonment is also a possibility. The Criminal Code (Articles 193, 195 and 196) can also apply.
Have any provisions been made for the processing of a national identification number or a general identifier, as per Article 8(7)? The Portuguese Constitution prohibits the creation of an 'all purpose' national identity number being attributed to citizens. Other identifiers, which may not be of general application, are established by law.
Is it necessary to obtain consent before processing personal data, or are alternatives available even when obtaining consent would not be impracticable or inappropriate? It is probably sufficient to use alternatives to consent even when it is not impracticable or inappropriate to obtain it.
Does the Data Protection Legislation cover the deceased? Yes
Who is able to indirectly identify the data subject? Anybody

Laws and Regulations

Institutions