Data Protection Enforcement in Portugal

Administrative Remedies

The Data Protection Authority (the “Authority”) has the power to investigate complaints and cases, and to order the suspension of processing and/or transfer of data, as well as the destruction of data and other similar actions including administrative fines; these orders can be appealed to the courts.

Civil Remedies

Individuals can file complaints with the Authority, and can seek a judicial remedy for violations of the law.

Criminal Remedies

Fines ranging between €250,00 and €2,500,00 for natural persons, and fines between €1,500.00 and €15,000.00 for entities; and imprisonment of up to 1 year or an equivalent monetary fine. The above fines may be increased to double the amount [i.e. €500 up to €5,000 in the case of natural persons and €3,000 up to €30,000 for entities] if it concerns sensitive data. In this case, it is also possible to be subject to imprisonment of up to 2 years or an equivalent monetary fine.

Other Remedies

Directors and individuals within a company may face legal sanction.

Selected Enforcement Actions / General Comments

Some examples of recent enforcement action in Portugal:

  • Fines have been imposed for various activities; however the most common ones concern the capture of images (CCTV) without prior authorization from the Portuguese Data Protection Authority.
  • The Portuguese Data Protection Authority has applied a fine of €7,000.00 (the Portuguese Criminal Court of Porto considered the application of an admonition as sufficient), where data was collected without prior notification and communicated to third parties.

Another decision which concerned the disclosure by a legal person on the Internet of an image and credit information of a natural person, without authorization, resulted with a fine of €1,500.00 for breaching the requirement to notify the Portuguese Data Protection Authority.