Publication 13 May 2025 · Sweden

GDPR Enforcement in Portugal

Deep dive into relevant data protection enforcement cases and insights from Portugal

Main takeaways
  • Largest fine in Portugal: EUR 4.3 million applied to the Instituto Nacional de Estatística (2022) for infringements mainly regarding international transfers of personal data to the United States of America. The fine has been challenged in court.
  • CNPD Budget: EUR 2.98 million for 2023 (2024 data have not been publicly disclosed yet).
  • Allocation of fines: 60% goes to the Portuguese State, and 40% goes to the Comissão Nacional de Proteção de Dados (the Portuguese supervisory authority).
  • Entities: Public and private entities may be fined and ancillary sanctions may be imposed by the Portuguese supervisory authority.
  • Publication of fines: Since 2022, individual administrative fine cases have not been publicly disclosed by the Portuguese supervisory authority, and only aggregated information is available.
  • Annual Reports: Reports with the number of fines and amounts, e.g., in 2023 (90 fines with a total value of EUR 559,950). For more information, please see the Portuguese supervisory authority 2023 Annual Report at link 1 below.
  • Annual Plan of Activities: The Portuguese supervisory authority publishes an annual plan with the authority’s strategic objectives. For more information, please see the Portuguese supervisory authority 2025 Annual Plan of Activities at link 2 below.

Fining practice

Trend: Have the national data protection authorities in Portugal focused on certain types of non-compliance with data protection law so far, or have the authorities announced that they will investigate certain types of non-compliance more closely in the future (e.g. incorrect use of cookie banners, monitoring of employees, possibly also due to Covid-related home office, etc.)? Do you see a focus on certain industries/sectors? If so, which ones?

Since the CNPD no longer publishes its decisions and administrative proceedings on individual cases, it is not possible to identify any particular trend in the types of non-compliance that the CNPD tracks and intends to track more closely in the future. However, in its annual activity plan for 2025, the CNPD has explicitly stated that it is committed to increasing the efficiency of sanctioning actions. In this context, for example, the CNPD has announced that it will present a bill to the Portuguese Assembly of the Republic and the Government – with a view to creating an electronic procedure, by allowing:

  1. the elimination of repetitive and paper-based acts;
  2. a reduction in the duration of the administrative offence procedure (which is always possible in an electronic procedure); and
  3. in the event of a judicial challenge to an administrative offence decision, a clear provision as to which court has jurisdiction and that the CNPD can intervene autonomously (like other regulatory bodies such as the National Communications Authority, the Bank of Portugal or the Securities Market Commission).

As for the sectors that are more likely to be on the radar of CNPD, we believe that all sectors whose business models and marketing approach rely heavily on sending unsolicited communications are particularly prone to close supervision by the CNPD. Besides, the processing of personal data of minors is also a very topical issue that will certainly be closely followed by the CNPD.

Overall, what was the most significant fine in Portugal to date (please specify recipient, amount, type of violation, sector, brief summary)? Has the fine been challenged in court? If yes: With success or what is the status of the proceedings?

To date, the most significant administrative fine applied by the Portuguese supervisory authority in Portugal was in December 2022 for EUR 4,300,000.00 to the Instituto Nacional de Estatística (INE), which is the entity responsible for producing and publishing official statistics in Portugal. This fine was imposed due to several violations committed by the INE, namely the unlawful processing of personal data relating to health and religion, the failure to comply with the obligation to inform data subjects, the failure to comply with the obligation to exercise due diligence in the selection of subcontractors, the failure to comply with the legal provisions relating to the international transfer of data and the failure to comply with the obligation to carry out a privacy impact assessment in relation to a specific processing activity.

The fine has been challenged by the INE before the courts and there is no final decision yet.

Organisation of authorities and course of fine proceedings in Portugal

How is the data protection authority organised in Portugal? In particular: What is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?

The Comissão Nacional de Proteção de Dados (CNPD) is the independent administrative and supervisory authority responsible for overseeing and enforcing data protection laws in Portugal and is not assigned to any specific ministry.

The most recent activities report publicly available to date is from 2023 and according to it, the annual budget for that year was EUR 2,976,534.00. In any case, according to the 2025 Annual Plan of Activities, it is important to highlight that the draft budget approved by the CNPD on 22 July 2024 provided for the hiring of seven (7) individuals, based on the study entitled 'Vision for Improvement of Internal Reorganisation', conducted by the Kaizen Institute. This hiring aims to allow the integration of an additional seven (7) staff members across all Organisational Units of the CNPD, as this is considered the appropriate number of personnel to ensure maximum efficiency in the performance of the CNPD's duties, both at the national level and in the context of cooperation and consistency control with other national authorities of the Member States of the European Union. This provision also considers the objective of ensuring effective inspection and supervision of personal data processing throughout the national territory, as well as enhancing its sanctioning capacity — these being the foundational pillars of the ex post regulation imposed on the CNPD by the GDPR.

With regard to how many staff are employed, according to the 2023 Annual Report, the CNPD ended 2023 with a total of 29 employees. It is noteworthy, regarding the age composition of the workforce, that the majority of employees are aged 50 or over, with 75.86% falling within the 45 to 64 age group.

How does a fine procedure work in Portugal? In particular: can the authority itself impose fines? How does the procedure work (e.g., notification as to the opening of proceedings (public/addressed to the company alone?), notification as to the intention to impose a fine (public/addressed to companies alone?), formal penalty notice)? What legal remedies are possible against an imposed fine?

The CNPD has full autonomy to impose fines and ancillary sanctions without the need of any prior authorisation by any other public or private entity.

In Portugal, the misdemeanour process, particularly concerning administrative offences related to data protection, is governed by Law no. 58/2019 of 8 August, which implements certain aspects of the GDPR. The process can be divided into two main phases: (i) the administrative phase and (ii) the judicial phase.

Administrative phase

1. Detection and reporting of the offence:
  • The process begins when a potential data protection violation is detected. This can be reported by individuals or organisations or identified through inspections by the CNPD.
  • Except in the case of wilful misconduct, the initiation of administrative offence proceedings depends on the CNPD's prior warning of the agent to comply with the infringed obligation or reinstate the infringed prohibition within a reasonable period of time.
2. Investigation:
  • The CNPD gathers evidence and determines whether a data protection law has been violated. This may involve requesting information from the alleged offender, conducting audits and interviewing witnesses.
3. Notification of the alleged offender:
  • If the CNPD finds sufficient evidence of a violation, it notifies the alleged offender of the charges. The notification includes details of the alleged offence, the evidence collected and the potential penalties.
4. Right to a hearing:
  • The alleged offender has the right to present their defence. They can submit written statements, provide additional evidence and request a hearing to present their case orally.
5. Decision:
  • After considering the evidence and the defence, the CNPD issues a decision. If the CNPD finds the alleged offender guilty, it imposes administrative sanctions, which can include fines, warnings or orders to cease certain activities.
6. Notification of the decision:
  • The CNPD notifies the offender of its decision and the imposed sanctions. The notification includes information on the right to appeal the decision.

Judicial phase

1. Appeal to the court:
  • If the offender disagrees with the CNPD's decision, they can appeal to the competent court. The appeal must be filed within a specified period (usually 30 days) from the date of notification of the CNPD's decision.
2. Judicial review:
  • The court reviews the CNPD's decision, the evidence and the arguments presented by both parties. The court may request additional evidence or hold hearings to gather more information.
3. Court decision:
  • After reviewing the case, the court issues a decision. The court can uphold, modify or overturn the CNPD's decision. If the court finds in favour of the offender, it may annul the sanctions imposed by the CNPD.
4. Further appeals:
  • If either party is dissatisfied with the court's decision, they may have the right to further appeal to higher courts, such as the Court of Appeal (Tribunal da Relação) or the Supreme Court of Justice (Supremo Tribunal de Justiça), depending on the nature and significance of the case.

When fines are imposed by the data protection authority: Where does the money go? (e.g., the state treasury, the authority's budget)?

60% of the amount of fines collected is paid to the Portuguese State and 40% is paid to the CNPD.

Is there a common, official calculation methodology for fines in Portugal (such as the fining models in the Netherlands or Germany)?

Whenever there is an application for an administrative fine, the CNPD resorts to the requirements provided in the GDPR, Law no. 58/2019 of 8 August (“Portuguese Data Protection Act”) and the Administrative Fine General Law.

Specifically, the CNPD also considers the following criteria set forth in the Portuguese Data Protection Act: (a) the economic situation of the agent, in the case of an individual, or the turnover and annual balance sheet, in the case of a legal entity; (b) the continuous nature of the infraction; and (c) the size of the entity, the number of employees and the nature of the services provided.

Can public authorities be fined in Portugal? If they can: Where does this money go?

Yes. The administrative fines provided for in the GDPR and in national law are equally applied to public and private entities.

60% of the amount of the fines collected is paid to the Portuguese State and 40% is paid to the CNPD.

In Portugal, does the data protection authority publish information on cases involving individual fines, including fines imposed or other procedural steps (e.g. on its website or in its annual report)? Are the affected companies identifiable in such publications?

As of 2022, the CNPD no longer publishes information on cases involving individual fines and the affected companies are not identifiable in publications.

If no information on individual fine cases is published: does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines? What were the annual figures from 2019?

Yes. Each year, the CNPD publishes an activity report where, among other information, it details the number of cases and the fine amounts applied. From 2019 until 2023 (the latest activity report published), the numbers are as follows:

  • 2019: 34 fines with a total value of EUR 600,000;
  • 2020: 15 fines with a total value of EUR 45,000;
  • 2021: 60 fines with a total value of EUR 1,491,500;
  • 2022: 71 fines with a total value of EUR 4,802,000;
  • 2023: 90 fines with a total value of EUR 559,950.

Other legal consequences of non-compliance in Portugal

Does Portugal have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?

Data subjects have the right to appoint a non-profit body, organisation or association, constituted in accordance with national law, whose statutory purposes are in the public interest and whose activity covers the defence of the rights, freedoms and guarantees of the data subject with regard to the protection of personal data, to exercise on their behalf the rights regarding the enforcement of the GDPR and national law.

As an example, in 2023, Ius Omnibus, a European non-profit consumer rights association filed three lawsuits regarding non-compliance with data protection rules against three different companies: (i) TikTok, for excessive collection of personal data, especially from minors, without proper consent; (ii) FloHealth, the developer of a female health tracking app, for sharing sensitive personal data with third parties without transparency or valid consent; and (iii) PubMatic, a digital marketing company, for the use of tracking technologies without user authorisation and lack of clarity regarding how personal data is collected, processed and transferred outside the EU.

It is also possible for data subjects to join a class action (ação popular) under the general administrative national laws.

What is more relevant in Portugal: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?

Both forms of action – fines imposed by the CNPD and judicial actions – are highly relevant in the context of data protection in Portugal. On one hand, fines have an immediate impact and serve as an effective deterrent mechanism to ensure compliance with the law. On the other hand, judicial actions, particularly collective ones led by associations, such as Ius Omnibus, have been gaining increasing relevance, especially in the digital sector and areas with greater exposure to the processing of personal data. In the coming years, it is expected that both mechanisms will gain prominence, complementing each other and working together to strengthen the protection of citizens' rights.
