﻿Page 1 
I SERIES 
Thursday, August 8, 2019 Number 151 
INDEX 
Assembly of the Republic 
Law No. 58/2019: 
Ensures the implementation, in the national legal order, of Regulation (EU) 
2016/679 of the Parliament and of the Council of 27 April 2016 on the 
protection of individuals with regard to the processing of data 
personal data and the free movement of such data. . . . . . . . . . . . . . . . . . . . . . . . . . . 3 
Law No. 59/2019: 
Approves the rules regarding the processing of personal data for the purposes of 
prevention, detection, investigation or prosecution of criminal or enforcement offenses 
enforcement of criminal sanctions, transposing Parliament's Directive (EU) 2016/680 
European Parliament and of the Council of 27 April 2016. . . . . . . . . . . . . . . . . . . . . . . 41 
Resolution of the Assembly of the Republic no. 138/2019: 
Termination of Decree-Law no. 20/2019, of 30 January, which 
creates the framework for transferring competences to municipal bodies 
in the fields of animal protection and health and food safety. . . 69 
Foreign Affairs 
Notice No. 70/2019: 
The Ministry of Foreign Affairs of the Kingdom of the Netherlands has notified 
have the Republic of Nicaragua, acceded in accordance with article 63, to the 
Convention on Jurisdiction, Applicable Law, Recognition, 
Enforcement and Cooperation in Matters of Parental Responsibility and 
Child Protection Measures, adopted in The Hague on October 19, 
1996. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 
Notice No. 71/2019: 
The Ministry of Foreign Affairs of the Kingdom of the Netherlands has notified 
have the Tunisian Republic modified its authority to the Convention on the 
Suppression of the Requirement of the Legality of Foreign Public Acts, adopted 
in The Hague, on October 5, 1961. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 
Notice No. 72/2019: 
The Ministry of Foreign Affairs of the Kingdom of the Netherlands has notified 
the Republic of Finland has made a declaration in accordance with 
Article 42, the Convention on the Taking of Evidence Abroad Abroad 
Civil or Commercial Matters, adopted in The Hague, on March 18, 1970. . . . . . 72 
Page 2 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 2 
Notice No. 73/2019: 
The Ministry of Foreign Affairs of the Kingdom of the Netherlands has notified 
the Republic of Estonia has made a declaration in accordance with 
Article 31, to the Convention on the Service in Foreign Countries of 
Judicial and Extrajudicial Acts in Civil and Commercial Matters, adopted in The Hague, 
on November 15, 1965.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 
Notice No. 74/2019: 
The Ministry of Foreign Affairs of the Kingdom of the Netherlands has notified 
the Federal Republic of Germany, issued a declaration in accordance with 
with Article 63, with respect to the Jurisdictional Convention, the 
Applicable Law, Recognition, Enforcement and Cooperation in Matters 
Parental Responsibility and Child Protection Measures, adopted 
in The Hague, on October 19, 1996.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 
Agriculture, Forestry and Rural Development 
Ordinance No. 250/2019: 
Proceed to the seventh amendment to Ordinance No. 152/2016, of 25 May, which establishes 
lays down the regime for the application of action no. 10.2, “Implementation of strategies”, 
integrated in measure No. 10, “LEADER”, of area No. 4 “Local development”, 
the Continent's Rural Development Program. . . . . . . . . . . . . . . . . 78 
Autonomous Region of the Azores 
Regional Legislative Decree No. 21/2019 / A: 
Defines the strategy for the implementation of electric mobility in the Azores 80 
Page 3 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 3 
ASSEMBLY OF THE REPUBLIC 
Law No. 58/2019 
of August 8 
Summary: Ensures the implementation, in the national legal order, of Regulation (EU) 2016/679 of the 
Parliament and Council of 27 April 2016 on the protection of individuals 
with regard to the processing of personal data and the free movement of persons 
of that data. 
Ensures the implementation, in national legal order, of Regulation (EU) 2016/679 of the Parliament 
and of the Council of 27 April 2016 on the protection of individuals 
with regard to the processing of personal data and the free movement of such data 
The Assembly of the Republic decrees, under the terms of paragraph c ) of article 161 of the Constitution, 
the next: 
CHAPTER I 
General provisions 
Article 1 
Object 
This law ensures the implementation, in the domestic legal order, of Regulation (EU) 
2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection 
natural persons with regard to the processing of personal data and the free movement of 
of these data, hereinafter referred to as the General Regulation for the Protection of 
Data (GDPR). 
Article 2 
Scope of application 
1 - This law applies to the processing of personal data carried out in the national territory 
regardless of the public or private nature of the controller or 
subcontractor, even if the processing of personal data is carried out in compliance with 
legal obligations or in the context of the pursuit of missions of public interest, applying 
all exclusions provided for in article 2 of the GDPR. 
2 - The present law also applies to the processing of personal data carried out outside the 
national territory when: 
a ) Are carried out within the scope of the activity of an establishment located in the national territory 
national; or 
b ) Affect data subjects who are in the national territory, when the activities of 
treatment are subject to the provisions of paragraph 2 of article 3 of the GDPR; or 
c ) Affect data that is registered with the consular posts of which they hold Portuguese 
resident abroad. 
3 - This law does not apply to personal data files created and maintained under 
the responsibility of the Information System of the Portuguese Republic, which is governed by 
specific provisions, under the terms of the law. 
Page 4 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 4 
CHAPTER II 
National Data Protection Commission 
Article 3 
National supervisory authority 
The National Data Protection Commission (CNPD) is the national supervisory authority for 
effects of the GDPR and the present law. 
Article 4 
Nature and independence 
1 - CNPD is an independent administrative entity, with legal personality under law 
public authority and powers of authority, endowed with administrative and financial autonomy, 
with the Assembly of the Republic. 
2 - CNPD controls and inspects compliance with the GDPR and the present law, as well as with 
other legal and regulatory provisions on the protection of personal data, in order to 
defend the rights, freedoms and guarantees of natural persons in the context of treatment of 
personal data. 
3 - CNPD acts independently in the pursuit of its attributions and in the exercise of its 
powers attributed to it by the present law. 
4 - CNPD members are subject to the incompatibility regime established for 
holders of high public positions and, during their term of office, they cannot perform any other 
activity, whether paid or not, with the exception of teaching in higher education and 
investigation. 
Article 5 
Composition and operation 
The composition, the method of appointment and the remuneration status of the members of the CNPD, 
as well as the respective organization and staff, are approved by law of the Assembly of the 
Republic. 
Article 6 
Duties and competences 
1 - In addition to the provisions of article 57 of the GDPR, CNPD pursues the following attributions 
tions: 
a ) Decide, on a non-binding basis, on legislative and regulatory measures 
relating to the protection of personal data, as well as on legal instruments in preparation, 
in European or international institutions, related to the same subject; 
b ) To monitor compliance with the provisions of the GDPR and other legal and regulatory provisions 
regulations relating to the protection of personal data and the rights, freedoms and guarantees of 
data subjects, and correct and sanction their non-compliance; 
c ) Make available a list of treatments subject to the impact assessment on the protection of 
data, under the terms of paragraph 4 of article 35 of the GDPR, also defining criteria that allow 
densify the notion of high risk provided for in that article; 
d ) Prepare and submit to the European Data Protection Board, as provided for in the GDPR, 
draft criteria for the accreditation of codes of conduct monitoring bodies 
pipeline and certification bodies, pursuant to articles 41 and 43 of the GDPR, and to ensure 
the subsequent publication of the criteria, if approved; 
Page 5 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 5 
e ) Cooperate with the Portuguese Institute of Accreditation, IP (IPAC, IP), regarding the application 
cation of the provisions of article 14 of this law, as well as in the definition of additional requirements 
accreditation, with a view to safeguarding the consistency of application of the GDPR; 
2 - CNPD exercises the powers provided for in article 58 of the GDPR. 
Article 7 
Previous impact assessments 
1 - Pursuant to paragraph 5 of article 35 of the GDPR, CNPD disseminates a list of types of work 
data processing whose prior impact assessment is not mandatory. 
2 - The provisions of the preceding paragraph do not prevent the controllers from making 
prior impact assessment on its own initiative. 
3 - The lists referred to in paragraphs paragraphs 4 and 5 of article 35 of the GDPR are advertised on the CNPD website 
on the Internet. 
Article 8 
Duty to collaborate 
1 - Public and private entities must provide their collaboration to the CNPD, providing 
you all the information requested by it, in the exercise of its duties 
and skills. 
2 - The duty of collaboration is ensured, namely, when the CNPD needs it, 
for the full exercise of its functions, to examine the computer system and data files 
personal data, as well as all documentation related to the processing and transmission of personal data. 
3 - The members of the CNPD, as well as their workers, service providers or 
persons mandated by them, are bound by the duty of professional secrecy, namely as regards 
personal data, professional secrets, industrial or commercial secrets or information 
essential to which they have access in the exercise of their functions. 
4 - The duty of confidentiality remains after the end of the respective functions. 
5 - The duty to cooperate provided for in the preceding paragraphs, as well as the powers of 
CNPD, do not prejudice the duty of secrecy to which the controller is 
bound by law or international standards. 
CHAPTER III 
Data protection officer 
Article 9 
General provision 
1 - The data protection officer is appointed based on the requirements provided for in 
paragraph 5 of article 37 of the GDPR, without requiring professional certification for that purpose. 
2 - Regardless of the nature of their legal relationship, the person in charge of data protection 
data carries out its function with technical autonomy vis-à-vis the entity responsible for processing 
or subcontractor. 
Article 10 
Duty of secrecy and confidentiality 
1 - In accordance with the provisions of paragraph 5 of article 38 of the GDPR, the person in charge of protection 
data is bound by a duty of professional secrecy in all matters relating to the exercise of 
of these functions, which is maintained after the termination of the functions that gave rise to them. 
Page 6 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 6 
2 - The data protection officer, as well as those responsible for processing data 
data, including subcontractors, and all persons involved in any operation 
data processing, are bound by a duty of confidentiality which is in addition to the duties of 
professional secrecy established by law. 
Article 11 
Duties of the data protection officer 
In addition to the provisions of articles 37 to 39 of the GDPR, the functions of the person in charge of 
data protection: 
a ) Ensure that audits are carried out, whether periodic or unscheduled; 
b ) To make users aware of the importance of timely detection of safety incidents 
security and the need to immediately inform the person responsible for security; 
c ) To ensure relations with data subjects in matters covered by the GDPR and 
national data protection legislation. 
Article 12 
Data protection officers in public entities 
1 - Under the terms of paragraph a ) of paragraph 1 of article 37 of the GDPR, the designation of 
of data protection officers in public entities, in accordance with the provisions of the 
following numbers. 
2 - For the purposes of the preceding paragraph, public entities are understood to be: 
a ) The State; 
b ) Autonomous regions; 
c ) Local authorities and supranational entities provided for by law; 
d ) Independent administrative entities and Banco de Portugal; 
e ) Public institutes; 
f ) Public higher education institutions, regardless of their nature; 
g ) Companies in the State business sector and regional and local business sectors 
pier; 
h ) Public associations. 
3 - Regardless of who is responsible for the treatment, there is at least one 
data protection officer: 
a ) For each ministry or governmental area, in the case of the State, being designated by the respective 
minister, with the power to delegate any secretary of state to assist him; 
b ) For each regional secretariat, in the case of autonomous regions, being designated by the 
regional secretary, with the power to delegate to a senior officer of the 1st degree; 
c ) For each municipality, being appointed by the city council, with the power to delegate 
in the president and sub-delegation in any councilor; 
d ) In the parishes where justified, namely in those with more than 750 inhabitants 
representatives, being appointed by the parish council, with the power to delegate to the president; 
e ) For each entity, in the case of the other entities referred to in the previous number, being 
designated by the respective executive, administration or management body, with the power to delegate 
in the respective president. 
4 - Pursuant to paragraph 3 of article 37 of the GDPR, the same person in charge may be appointed 
data protection services for various ministries or government areas, regional secretariats, 
local authorities or other public legal persons. 
Page 7 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 7 
5 - Each entity is responsible for the designation of the data protection officer, not being 
the exercise of functions on an exclusive basis is mandatory. 
6 - The data protection officer of a public entity that has 
regulation or control cannot exercise these functions simultaneously in an entity subject to the 
control, or inserted in the regulatory perimeter of that entity. 
Article 13 
Data protection officers in private entities 
The controller and the subcontractor designate a data protection officer 
data whenever the private activity developed, principally, implies: 
a ) Treatment operations that, due to their nature, scope and or purpose, require a 
regular and systematic control of data holders on a large scale; or 
(b ) Large-scale processing operations for special categories of data in accordance with 
Article 9 of the GDPR, or personal data related to criminal convictions and counter-offenses 
denational under the terms of article 10 of the GDPR. 
CHAPTER IV 
Accreditation, certification and codes of conduct 
Article 14 
Accreditation and certification 
1 - Under the terms of paragraph b ) of paragraph 1 of article 43 of the GDPR, the competent authority for 
the accreditation of certification bodies in the field of data protection is IPAC, IP 
2 - The accreditation act issued by IPAC, IP, must take into account the requirements 
foreseen in the GDPR, as well as the additional requirements established by CNPD. 
3 - Certification, as well as the issuing of data protection stamps and marks, is carried out 
certification bodies accredited under the terms of paragraph 1, intended to certify that the 
implemented procedures comply with the provisions of the GDPR and the present law. 
Article 15 
Codes of conduct 
1 - CNPD is responsible for promoting the development of codes of conduct that regulate activities 
determined, which must take into account the specific needs of micro, small and 
and medium-sized companies. 
2 - The processing of personal data by the direct and indirect administration of the State is the object 
own codes of conduct. 
CHAPTER V 
Special provisions 
Article 16 
Consent of minors 
1 - Pursuant to article 8 of the GDPR, children's personal data may only be subject to 
of treatment based on the consent provided for in paragraph a ) of paragraph 1 of article 6 of the GDPR 
Page 8 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 8 
and concerning the direct offer of information society services when they have already 
completed 13 years of age. 
2 - If the child is under the age of 13, treatment is only lawful if consent 
is provided by its legal representatives, preferably using means of authentication 
safe. 
Article 17 
Protection of personal data of deceased persons 
1 - The personal data of deceased persons are protected under the terms of the GDPR and the 
this law when they fall into the special categories of personal data referred to in paragraph 1 of 
Article 9 of the GDPR, or when referring to the privacy of privacy, image or data 
relating to communications, except for the cases provided for in paragraph 2 of the same article. 
2 - The rights provided for in the GDPR relating to the personal data of deceased persons, 
by the previous number, namely the rights of access, rectification and erasure, are 
exercised by whom the deceased person has designated for the purpose or, failing that, by the respective 
heirs. 
3 - Data subjects may also, under the applicable legal terms, leave a specific 
the impossibility of exercising the rights referred to in the previous number after his death. 
Article 18 
Data portability and interoperability 
1 - The right to data portability, provided for in article 20 of the GDPR, covers only 
the data provided by the respective holders. 
2 - Data portability should, whenever possible, take place in an open format. 
3 - In the scope of Public Administration, whenever data interoperability does not 
technically possible, the data subject has the right to demand that they be 
delivered in an open digital format, in accordance with the National Interoperability Regulation 
Digital in force. 
Article 19 
Video surveillance 
1 - Without prejudice to specific legal provisions that impose its use, namely 
For reasons of public security, video surveillance systems whose purpose is to 
protection of people and property ensure the requirements set out in article 31 of Law no. 34/2013, 
of May 16, with the limits defined in the following number. 
2 - The chambers cannot focus on: 
a ) Public roads, neighboring properties or other places that are not in the exclusive domain 
of the person in charge, except in what is strictly necessary to cover access to the property; 
b ) The area for entering ATM codes or other payment terminals 
ATM; 
c ) The interior of areas reserved for clients or users where privacy must be respected, 
namely sanitary facilities, waiting areas and dressing rooms; 
d ) The interior of areas reserved for workers, namely meal areas, dressings 
gymnasiums, sanitary facilities and areas exclusively dedicated to your rest. 
3 - In educational establishments, video surveillance cameras can only focus on 
the external perimeters and access places, and also on spaces whose goods and equipment 
require special protection, such as laboratories or computer rooms. 
Page 9 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 9 
4 - In cases where video surveillance is allowed, sound capture is prohibited, except 
during the period in which the supervised facilities are closed or with prior authorization 
from CNPD. 
Article 20 
Duty of secrecy 
1 - The rights to information and access to personal data provided for in articles 13 to 15. 
of the GDPR cannot be exercised when the law imposes on the controller or the 
subcontractor a duty of secrecy that is enforceable against the data subject himself. 
2 - The data subject may request the CNPD to issue an opinion on the opposability 
duty of secrecy, without prejudice to the provisions of Chapter VII. 
Article 21 
Period of retention of personal data 
1 - The period of retention of personal data is that which is established by legal norm or 
or, failing that, whatever is necessary for the pursuit of the purpose. 
2 - When, due to the nature and purpose of the treatment, namely for archival purposes 
public interest, scientific or historical research purposes or statistical purposes, it is not possible to 
possible to determine in advance the moment when it is no longer needed, it is lawful 
the conservation of personal data, provided that technical and organizational measures are adopted 
adequate measures to guarantee the rights of the data subject, namely the information on their 
servation. 
3 - When personal data are necessary for the controller, or 
the subcontractor, prove compliance with contractual or other obligations, the 
they can be preserved until the expiry of the statutory rights expires. 
respective. 
4 - When the purpose that motivated the treatment, initial or later, of personal data ceases 
personnel, the controller must proceed with its destruction or anonymisation. 
5 - In cases where there is a data retention period imposed by law, you can only 
the right to erasure provided for in article 17 of the GDPR should be exercised after this period has ended. 
6 - Data relating to contributory statements for the purpose of retirement or retirement 
can be kept without a time limit, in order to assist the holder in the reconstruction of careers 
contributory, provided that appropriate technical and organizational measures are taken to ensure 
the rights of the data subject. 
Article 22 
Data transfers 
Transfers of data to third countries to the European Union or international organizations 
carried out in compliance with legal obligations, by public entities in the exercise of 
powers of authority, are considered to be in the public interest for the purposes of paragraph 4 of 
article 49 of the GDPR. 
Article 23 
Processing of personal data by public entities for different purposes 
1 - The processing of personal data by public entities for purposes other than those 
determined by the collection is exceptional in nature and must be duly substantiated with a view to 
to ensure the pursuit of the public interest that cannot otherwise be safeguarded, under the terms of 
terms of paragraph e ) of paragraph 1, paragraph 4 of article 6 and paragraph g ) of paragraph 2 of article 9 of the GDPR. 
Page 10 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 10 
2 - The transmission of personal data between public entities for different purposes 
determined by the collection is exceptional in nature, it must be duly substantiated 
under the terms referred to in the preceding paragraph and must be the subject of a protocol 
responsibilities of each intervening entity, either in the act of transmission, or in other 
treatments to be carried out. 
CHAPTER VI 
Specific situations regarding the processing of personal data 
Article 24 
Freedom of expression and information 
1 - The protection of personal data, under the terms of the GDPR and the present law, does not prejudice the 
exercise of freedom of expression, information and the press, including the processing of data for 
journalistic purposes and for the purposes of academic, artistic or literary expression. 
2 - The exercise of freedom of information, especially when revealing personal data 
provided for in paragraph 1 of article 9 of the GDPR and in article 17 of this law, must respect the principle 
dignity of the human person provided for in the Constitution of the Portuguese Republic, as well as the 
personality rights in it and in national law enshrined. 
3 - The treatment for journalistic purposes must respect the national legislation on access and 
exercise of the profession. 
4 - The exercise of freedom of expression does not legitimize the disclosure of personal data as 
addresses and contacts, with the exception of those of general knowledge. 
Article 25 
Publication in an official newspaper 
1 - The publication of personal data in official newspapers must comply with article 5 of the GDPR, 
namely the principles of purpose and minimization. 
2 - Whenever the personal data «name» is sufficient to guarantee the identification of the holder 
and the effectiveness of the treatment, other personal data should not be published. 
3 - Personal data published in an official newspaper may not, under any circumstances, be 
altered, strikethrough or hidden. 
4 - The right to erase personal data published in an official newspaper is of a nature 
exceptional and can only take place under the conditions provided for in article 17 of the GDPR, in the 
in which this is the only way to safeguard the right to be forgotten and considering the others 
interests present. 
5 - The provisions of the preceding paragraph are carried out through the de-indexing of personal data 
in search engines, always without eliminating the publication that is publicly authentic. 
6 - In case of publication of personal data in official newspapers, it is considered responsible 
responsible for processing the entity that orders the publication, or, in the case of the offices of the 
members of the Government, the respective general secretariats. 
Article 26 
Access to administrative documents 
Access to administrative documents containing personal data is governed by the provisions of 
in Law No. 26/2016, of 22 August. 
Page 11 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 11 
Article 27 
Publication of data in the context of public procurement 
In the context of public procurement, and if the publication of personal data is necessary, 
personal data other than the name should be published, whenever this is sufficient 
to ensure the identification of the public contractor and the contractor. 
Article 28 
Labor relations 
1 - The employer can process the personal data of its workers for the purposes 
and with the limits defined in the Labor Code and respective complementary legislation or in other 
sectoral regimes, with the specificities established in this article. 
2 - The previous number also covers the treatment carried out by a subcontractor or contractor. 
certified tobacco user on behalf of the employer, for the purpose of managing industrial relations, provided that 
carried out under a service provision contract and subject to equal confidentiality guarantees. 
3 - Unless otherwise provided by law, worker consent is not a requirement 
legitimacy of the processing of your personal data: 
a ) If the treatment results in a legal or economic advantage for the worker; or 
b ) If such treatment is covered by the provisions of paragraph b ) of paragraph 1 of article 6 of 
GDPR. 
4 - Recorded images and other personal data registered using systems 
video or other technological means of remote surveillance, under the terms provided for in article 20. 
of the Labor Code, can only be used in the context of criminal proceedings. 
5 - In the cases provided for in the preceding paragraph, the recorded images and other personal data 
may also be used for purposes of determining disciplinary liability, to the extent that 
where they are in the context of criminal proceedings. 
6 - The processing of workers' biometric data is only considered legitimate for con 
control of attendance and for access control to the employer's premises, 
that only representations of the biometric data are used and that the respective process of 
collection does not allow the reversibility of said data. 
Article 29 
Processing of health data and genetic data 
1 - In the treatment of health data and genetic data, access to personal data 
it is governed by the principle of the need to know information. 
2 - In the cases provided for in paragraphs h ) and i ) of paragraph 2 of article 9 of the GDPR, the treatment of 
data provided for in paragraph 1 of the same article must be carried out by a professional obliged to secrecy or 
by another person subject to a duty of confidentiality, and appropriate measures must be guaranteed 
information security. 
3 - Access to the data referred to in the previous paragraph is made exclusively 
electronic, unless technical impossibility or express indication to the contrary of the data subject, 
subsequent disclosure or transmission is prohibited. 
4 - The holders of bodies, workers and service providers of the person in charge of the 
processing of health data and genetic data, the data protection officer, the data 
students and researchers in the field of health and genetics and all health professionals who 
have access to health-related data are bound by a duty of confidentiality. 
5 - The duty of secrecy referred to in the preceding paragraph is also applicable to all holders of 
bodies and workers that, in the context of the monitoring, financing or inspection of the 
health care activity, have access to health-related data. 
Page 12 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 12 
6 - The data subject must be notified of any access made to his data 
personal data, the controller being responsible for ensuring the availability of this mechanism 
traceability and notification. 
7 - The minimum safety measures and technical requirements inherent to the treatment of 
The data referred to in paragraph 1 are approved by order of the members of the Government responsible for 
areas of health and justice, which should regulate, in particular, the following matters: 
a ) Establishment of access permissions to differentiated personal data, due to the 
need to know and segregate functions; 
b ) Requirements for prior authentication of whoever accesses it; 
c ) Electronic record of accesses and accessed data.
Article 30 
Centralized health databases or records 
1 - Health data can be organized into central databases or records 
based on unique platforms, when treated for the purposes of the legal purposes 
provided for in the GDPR and national legislation. 
2 - Health databases or centralized registries based on single platforms 
referred to in the preceding paragraph must meet the requirements for safety and tamper-proof 
provided for in the GDPR. 
Article 31 
Treatments for the purposes of archiving the public interest, 
scientific or historical research or statistical purposes 
1 - Treatment for the purposes of public interest archiving, scientific or historical research purposes 
or statistical purposes must respect the principle of data minimization and include anonymization or 
pseudonymisation of them whenever the intended purposes can be achieved by one of these routes. 
2 - When personal data are processed for the purposes of archiving the public interest, 
purposes of scientific or historical research or statistical purposes, the rights of 
access, rectification, limitation of treatment and opposition provided for in articles 15, 16, 18 and 
21 of the GDPR, as necessary, if those rights are likely to make it impossible 
or seriously jeopardize the achievement of those ends. 
3 - To the processing of personal data for the purposes of archiving the public interest, the 
Decree -Law No. 16/93, of January 23, in its current wording. 
4 - Consent regarding the processing of data for the purpose of scientific investigation may 
cover several areas of research or be given only for certain domains or 
specific research projects, in which case the ethical standards must be respected 
recognized by the scientific community. 
5 - Without prejudice to the provisions of the Law on the National Statistical System, personal data 
used for statistical purposes must be anonymized or pseudonymised, in order to safeguard the 
protection of data subjects, namely with regard to the impossibility of re-identification 
as soon as the statistical operation is completed. 
CHAPTER VII 
Administrative and jurisdictional protection 
SECTION I 
General provisions 
Article 32 
Administrative tutelage 
Without prejudice to the right to file a complaint with the CNPD, anyone can appeal 
means of administrative protection, namely of a petitionary or impugnative nature, to guarantee 
Page 13 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 13 
compliance with the legal provisions on the protection of personal data, in accordance with 
provided for in the Code of Administrative Procedure. 
Article 33 
Civil responsability 
1 - Anyone who has suffered damage due to the unlawful processing of data or the 
any other act that violates the provisions of the GDPR or national data protection law 
personal data, has the right to obtain compensation from the responsible or subcontractor for the damage suffered. 
2 - The controller and the processor do not incur civil liability 
if they prove that the fact that caused the damage is not attributable to them. 
3 - The responsibility of the State and other public legal persons is subject to the 
provided for in Law No. 67/2007, of December 31, as amended by Law No. 31/2008, of July 17. 
Article 34 
Jurisdictional protection 
1 - Any person, in accordance with the general rules of procedural legitimacy, may 
to propose actions against decisions, namely of an administrative nature, and omissions of the 
CNPD, as well as civil liability actions for damages that such acts or omissions may 
have caused. 
2 - The actions brought against the CNPD are the responsibility of the administrative courts. 
3 - The data subject may bring actions against the controller or the subcontractor. 
contracting party, including civil liability actions. 
4 - Actions brought against the controller or a subcontractor are 
proposals in national courts if the person responsible or subcontractor has an establishment in 
national territory or if the data subject habitually resides here. 
Article 35 
Representation of data subjects 
Without prejudice to compliance with the rules on legal sponsorship, the data subject 
has the right to mandate a non-profit organization, organization or association 
constituted in accordance with national law, whose statutory purposes are in the public interest 
and whose activity encompasses the defense of the data subject's rights, freedoms and guarantees as 
the protection of personal data in order to exercise, on your behalf, the rights provided for in articles 77, 
78, 79 and 82 of the GDPR. 
Article 36 
CNPD's legitimacy 
CNPD has the legitimacy to intervene in legal proceedings in the event of a violation of the 
provisions of the GDPR and the present law, and must report criminal offenses of 
who has knowledge, in the exercise of their functions and because of them, as well as practicing the 
necessary and urgent precautionary measures to ensure the evidence. 
SECTION II 
Counterordinations 
Article 37 
Very serious infractions 
1 - The following are very serious infractions: 
a ) The processing of personal data with intentional non-compliance with the principles enshrined in 
in article 5 of the RGDP; 
Page 14 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 14 
b ) The processing of personal data that is not based on consent or otherwise 
legitimacy condition, under the terms of article 6 of the GDPR or national rule; 
c ) Failure to comply with the rules on the provision of consent provided for in article 7. 
the GDPR; 
d ) The processing of personal data provided for in paragraph 1 of article 9 of the GDPR without 
verify one of the circumstances provided for in paragraph 2 of the same article; 
e ) The processing of personal data foreseen in article 10 of the GDPR that contradicts the 
rules therein; 
f ) The requirement to pay a sum of money outside the cases provided for in paragraph 5 of 
article 12 of the GDPR; 
g ) The requirement to pay a sum of money, in the cases provided for in paragraph 5 of 
Article 12 of the GDPR, which exceeds the costs necessary to satisfy the right of the holder of the 
Dice; 
h ) Failure to provide relevant information under the terms of articles 13 and 14 of the GDPR, the 
that occurs in the following circumstances: 
i ) Omission of information on the purposes for which the treatment is intended; 
ii ) Omission of information about the recipients or categories of recipients of the data 
personal; 
iii ) Omission of information about the right to withdraw consent in the cases provided for 
in subparagraph a ) of paragraph 1 of Article 6 and paragraph a ) of paragraph 2 of Article 9 of RGPD; 
i ) Do not allow, do not guarantee or hinder the exercise of the rights provided for in articles 15. 
22nd of the GDPR; 
j ) The international transfer of personal data in violation of the provisions of articles 44 to 
49 of the GDPR; 
k ) Failure to comply with the decisions of the supervisory authority provided for in paragraph 2 of article 58. 
of the RGPD, or refusal of the collaboration required by the CNPD, in the exercise of its powers 
deres; 
l ) Violation of the rules provided for in chapter VI of this law. 
2 - The infractions referred to in the previous number are punished with a fine: 
a ) From € 5000 to € 20,000,000 or 4% of annual worldwide turnover, as 
whichever is higher, in the case of a large company; 
b ) From € 2000 to € 2,000,000 or 4% of annual worldwide turnover, as 
whichever is higher, in the case of SMEs; 
c ) From 1000 € to 500 000 €, in the case of natural persons. 
Article 38 
Serious misdemeanors 
1 - The following are serious offenses: 
a ) Violation of the provisions of article 8 of the GDPR; 
b ) Failure to provide the remaining information provided for in articles 13 and 14 of the GDPR; 
c ) Violation of the provisions of articles 24 and 25 of the GDPR; 
d ) Violation of the obligations provided for in article 26 of the GDPR; 
e ) Violation of the provisions of article 27 of the GDPR; 
f ) Violation of the obligations provided for in article 28 of the GDPR; 
g ) Violation of the provisions of article 29 of the GDPR; 
h ) Failure to register the processing of personal data in violation of the provisions of the 
article 30 of the GDPR; 
i ) Violation of the security rules provided for in article 32 of the GDPR; 
Page 15 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 15 
j ) Failure to comply with the duties provided for in article 33 of the GDPR; 
k ) Non-compliance with the duty to inform the holder of personal data in the situations provided for 
in article 34 of the GDPR; 
l ) Failure to comply with the obligation to carry out impact assessments in the cases provided for in 
Article 35 of the GDPR; 
m ) Failure to comply with the obligation to consult the supervisory authority prior to carrying out 
conducting data processing operations in the cases provided for in article 36 of the GDPR; 
n ) Failure to comply with the duties provided for in article 37 of the GDPR; 
o ) Violation of the provisions of article 38 of the GDPR, namely with regard to guarantees 
independence of the data protection officer; 
p ) Failure to comply with the duties provided for in article 39 of the GDPR; 
q ) The practice of acts of supervision of codes of conduct by non-accredited bodies 
by the supervisory authority under the terms of article 41 of the GDPR; 
r ) Failure by the code of conduct supervisory bodies to comply with the 
seen in paragraph 4 of article 41 of the GDPR; 
s ) The use of data protection seals or marks that had not been issued by organizations 
certification bodies duly accredited under the terms of articles 42 and 43 of the GDPR; 
t ) Failure by the certification bodies to comply with the duties provided for in the 
article 43 of the GDPR; 
u ) Violation of the provisions of article 19 of the present law. 
2 - The infractions referred to in the previous number are punished with a fine of: 
a ) From 2500 € to 10 000 000 € or 2% of annual turnover, worldwide, depending on 
whichever is higher, in the case of a large company; 
b ) From € 1000 to € 1,000,000 or 2% of annual worldwide turnover, as 
whichever is higher, in the case of SMEs; 
c ) From 500 € to 250 000 €, in the case of natural persons. 
Article 39 
Determination of the extent of the fine 
1 - In determining the extent of the fine, CNPD takes into account, in addition to the criteria 
established in paragraph 2 of article 83 of the GDPR: 
a ) The economic situation of the agent, in the case of a natural person, or the turnover and 
the annual balance sheet, in the case of a legal person; 
b ) The continued nature of the infraction; 
c ) The size of the entity, taking into account the number of employees and the nature of 
services provided. 
2 - For the purposes of applying the provisions of the preceding articles, the concepts of small and 
medium-sized companies (SMEs) and large companies are those defined in Recommendation No. 2003/361 / EC, 
of the European Commission, of May 6, 2003. 
3 - Except in case of fraud, the initiation of an administrative offense process depends on 
prior warning of the agent, by the CNPD, for the fulfillment of the omitted or 
reinstatement of the ban violated within a reasonable time. 
Article 40 
Prescription of the administrative offense procedure 
The administrative offense procedure is extinguished as a result of the statute of limitations as soon as 
practice of the administrative offense, the following deadlines have elapsed: 
a ) Three years, in the case of a very serious offense; 
b ) Two years, in the case of a serious offense. 
Page 16 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 16 
Article 41 
Limitation period for fines 
The fines provided for in this law prescribe within the following periods: 
a ) Three years, in the case of fines amounting to more than € 100,000; 
b ) Two years, in the case of fines of an amount equal to or less than € 100,000. 
Article 42 
Destination of fines 
The amount of fines charged reverts to 60% for the State and 40% for CNPD. 
Article 43 
Compliance with omitted duty 
Whenever the offense results from the omission of a duty, the application of the sanction 
and the payment of the fine do not release the offender from compliance if he is still able to do so. 
possible. 
Article 44 
Scope of infringements 
1 - The fines provided for in the GDPR and in this law apply equally to entities 
public and private. 
2 - Pursuant to the provisions of paragraph 7 of article 83 of the GDPR, public entities, by means of 
duly substantiated request, may request the CNPD to waive the imposition of fines 
for a period of three years from the entry into force of this law. 
3 - Public entities are subject to the CNPD's powers of correction, as prescribed by 
visas in the GDPR and in this law, with the exception of the imposition of fines under the terms defined in 
previous number. 
Article 45 
Subsidiary regime 
In everything that is not provided for in the present law in administrative matters, the following applies: 
the provisions of the general regime of the illicit of mere social order. 
SECTION III 
Crimes 
Article 46 
Use of data in a manner incompatible with the purpose of collection 
1 - Anyone who uses personal data in a manner incompatible with the determining purpose of 
collection is punishable by imprisonment for up to one year or a fine of up to 120 days. 
2 - The penalty is increased twice as much in its limits when it comes to personal data to be 
referred to in articles 9 and 10 of the GDPR. 
Page 17 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 17 
Article 47 
Improper access 
1 - Whoever, without due authorization or justification, accesses data in any way 
is punished with imprisonment for up to 1 year or with a fine of up to 120 days. 
2 - The penalty is increased twice as much in its limits when it comes to personal data to be 
referred to in articles 9 and 10 of the GDPR. 
3 - The penalty is also increased twice as much in its limits when access: 
a ) It is achieved through violation of technical safety rules; or 
b ) Has provided the agent or third parties with a patrimonial benefit or advantage. 
Article 48 
Deviation of data 
1 - Whoever copies, subtracts, assigns or transfers personal data, against payment or free of charge 
without legal provision or consent, regardless of the purpose pursued, is punished with 
imprisonment up to 1 year or a fine up to 120 days. 
2 - The penalty is increased twice as much in its limits when it comes to personal data to be 
referred to in articles 9 and 10 of the GDPR. 
3 - The penalty is also increased twice as much in its limits when access: 
a ) It is achieved through violation of technical safety rules; or 
b ) Has provided the agent or third parties with a patrimonial benefit or advantage. 
Article 49 
Addiction or data destruction 
1 - Whoever, without proper authorization or justification, erases, destroys, damages, hides, suppresses 
or modify personal data, making it unusable or affecting its potential for use, is 
punished with imprisonment for up to 2 years or with a fine of up to 240 days. 
2 - The penalty is increased to double in its limits if the damage produced is particularly severe. 
3 - In the situations provided for in the preceding paragraphs, if the agent acts with negligence it is 
punished with imprisonment: 
a ) Up to 1 year or fine up to 120 days, in the case provided for in paragraph 1; 
b ) Up to 2 years or a fine up to 240 days, in the case provided for in paragraph 2. 
Article 50 
Inserting false data 
1 - Whoever enters or facilitates the insertion of false personal data, with the intention of obtaining 
improper advantage for yourself or for a third party, or to cause injury, is punishable by imprisonment 
up to 2 years or with a penalty of up to 240 days. 
2 - The penalty is increased twice as much in its limits if the insertion referred to in the previous number 
result in an effective loss. 
Article 51 
Breach of the duty of secrecy 
1 - Who, bound by professional secrecy under the law, without just cause and without due 
consent, reveal or disclose in whole or in part personal data is punished with a penalty of 
imprisonment up to 1 year or with a penalty of up to 120 days. 
Page 18 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 18 
2 - The penalty is doubled in its limits if the agent: 
a ) Is a worker in public functions or equivalent, under the terms of criminal law; 
b ) is in charge of data protection; 
c ) Is determined by the intention to obtain any equity advantage or other benefit 
illegitimate; 
d ) jeopardize the reputation, honor or privacy of the private life of others. 
3 - Negligence is punishable by imprisonment of up to 6 months or a fine of up to 60 months. 
days. 
Article 52 
Disobedience 
1 - Whoever does not fulfill the obligations provided for in the GDPR and in this law, after exceeding 
after the deadline that has been set by the CNPD for the respective fulfillment, it is punished with 
imprisonment up to 1 year or a fine up to 120 days. 
2 - The penalty is increased twice as much in its limits if, after being notified to that effect, 
the agent: 
a ) Do not interrupt, cease or block the unlawful processing of data; 
b ) Do not proceed with the erasure or destruction of data when legally required, or after 
the retention period fixed under the terms of the present law; or 
c ) Refuse, without just cause, the collaboration that is required under the terms of article 8 of the 
this law. 
Article 53 
Punishment of the attempt 
In the crimes provided for in this section, the attempt is always punishable. 
Article 54 
Liability of legal persons 
Legal persons and similar entities, with the exception of the State, of legal persons 
in the exercise of public authority prerogatives and organizations under public international law, 
are responsible for the crimes provided for in this section, under the terms of article 11 of the Code 
Penal. 
SECTION IV 
Common provisions 
Article 55 
Infringement contest 
1 - If the same fact constitutes both a crime and an offense, the agent is always 
punished as a crime. 
2 - When there is a crime and administrative offense contest, or when, due to the same fact, 
one person must respond as a crime and another as an offense, the prosecution 
of the offense is the responsibility of the competent authorities for criminal proceedings, under the terms of 
general regime of the illicit of mere social order. 
Page 19 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 19 
Article 56 
Additional sanctions 
1 - In conjunction with the sanctions applied, it may be ordered, on an accessory basis, to 
temporary or definitive prohibition of treatment, blocking, erasure or total or total destruction 
partial data. 
2 - In the case of crimes, or fines of an amount greater than € 100,000, you can 
publicity of the conviction must be determined by means of an extract containing the identification 
of the agent, the elements of the infraction and the sanctions applied, on the Citizen Portal, for a period 
not less than 90 days. 
CHAPTER VIII 
Final and transitional provisions 
Article 57 
National Data Protection Commission 
CNPD members in office at the date of entry into force of this law remain 
in office until the end of their term of office. 
Article 58 
Technical guidelines 
Technical guidelines for the application of the GDPR by the direct and indirect administration of 
State are approved by resolution of the Council of Ministers, which may recommend their 
application also to the business sector of the State. 
Article 59 
Applicability of fines to public entities 
The possibility of non-applicability of fines to public entities, under the terms provided for 
in paragraph 2 of article 44 of this law, it must be subject to reassessment three years after the entry into 
force of this law. 
Article 60 
Situations of processing of pre-existing personal data 
1 - The processing of personal data subject to public registration, under the terms of article 31. 
of Law No. 67/98, of 26 October, remain under the responsibility of CNPD and 
available for free consultation by anyone. 
2 - Notifications and authorization requests already decided by CNPD at the time of entry 
in force of this law, but not yet published, must be in accordance with the legislation provided for 
in the previous number. 
3 - Applications for registration and authorization pending with CNPD on the date of entry into force 
of the present law expire with its entry into force. 
4 - Those responsible for the processing of personal data carried out on the basis of authorizations 
issued under the terms of Law No. 67/98, of 26 October, as well as subcontractors, are subject to 
bound to fulfill the obligations imposed by the GDPR, with the exception of the impact assessment 
on data protection referred to in Article 35 of that Regulation. 
Page 20 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 20 
Article 61 
Renewal of consent 
1 - When the processing of personal data in progress at the date of entry into force of this 
law is based on the consent of the respective owner, it is not necessary to obtain new consent if 
the former has complied with the requirements contained in the GDPR. 
2 - If the expiry of the consent is grounds for termination of the contract in which the 
data subject is a party, data processing is lawful until such time. 
Article 62 
Personal data protection regimes 
1 - The rules relating to the protection of personal data provided for in special legislation remain 
in force, in everything that does not contradict the provisions of the GDPR and in this law, without prejudice to the 
the following paragraph. 
2 - All rules that provide for authorizations or notifications for data processing 
personal data to CNPD, outside of the cases provided for in the GDPR and in the present law, shall cease to 
entry into force of the GDPR. 
CHAPTER IX 
Legislative changes 
Article 63 
Amendment to Law No. 43/2004, of 18 August 
1 - Articles 2, 3, 8, 16 to 22 and 24 to 31 of the Law on Organization and Operation 
the National Data Protection Commission, approved by Law no. 43/2004, of 18 August, 
amended by Law No. 55 -A / 2010, of December 31, are replaced by the following: 
«Article 2 
[...] 
1 - CNPD is an independent administrative entity, with legal personality under law 
public authority and powers of authority, endowed with administrative and financial autonomy, 
with the Assembly of the Republic. 
2 - CNPD is the national supervisory authority for the purposes of the General Protection Regulation 
Data Protection (GDPR), approved by Regulation (EU) 2016/679 of the European Parliament and 
of 27 April 2016, and the law that ensures its execution in the domestic legal system. 
3 - CNPD controls and inspects compliance with the GDPR and the present law, as well as with 
other legal and regulatory provisions on the protection of personal data, in order to 
defend the rights, freedoms and guarantees of natural persons in the context of treatment of 
personal data. 
4 - CNPD acts independently in the pursuit of its attributions and in the exercise of its 
powers attributed to it by the present law. 
Article 3 
Membership, designation and mandate of members 
1 - CNPD is composed of seven members of recognized integrity and merit: 
a ) A president, elected by the Assembly of the Republic; 
b ) Two personalities elected by the Assembly of the Republic according to the average method 
highest in Hondt; 
Page 21 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 21 
c ) Two magistrates, one judicial magistrate, appointed by the Superior Council of the 
gistratura, and a public prosecutor appointed by the Superior Council of the Ministry 
Public; 
d ) Two personalities appointed by the Government. 
2 - The mandate of the members of the CNPD is five years, renewable twice, and ends with 
the tenure of new members. 
3 - The designation of the members of the CNPD appears on a list published in the 1st series of the Diário da 
Republic. 
4 - CNPD members take office before the President of the Assembly of the Republic 
within 10 days of publication of the list referred to in the preceding paragraph. 
Article 8 
[...] 
The duties of CNPD members are: 
a ). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
b ). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
c ) Keep confidentiality about the issues or processes that are being analyzed, 
under the terms of Regulation (EU) 2016/679 of the European Parliament and of the Council of 
27 April 2016, and Directive (EU) 2016/680 of the European Parliament and of the Council of 27 
April 2016. 
Article 16 
Advertising 
1 - The decisions regarding: 
a ) Accreditation and certification; 
b ) Revocation and annulment of accreditation and certification; 
c ) Codes of conduct; 
d ) Authorizations; 
e ) Binding rules. 
2 - Regulations and opinions on 
legal and regulatory instruments and legal instruments under preparation in European Union institutions 
and international standards, as well as generic guidelines and recommendations. 
3 - Administrative regulations are published in the 2nd series of the Diário da República , including 
including those relating to the fixing of fees and those issued under the provisions of paragraph 3 of article 22. 
Article 17 
Reporting and reporting 
1 - Denunciations and reports are presented in writing, in a specific place for the 
effect on the CNPD website, without prejudice, exceptionally, as long as duly substantiated 
if it is admitted by email or postal mail, which may be required 
confirmation of the identity of its authors. 
2 - (Repealed.) 
3 -. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
4 -. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
Page 22 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 22 
Article 18 
[...] 
1 - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
2 - CNPD may approve models or forms, in electronic form, with a view to allowing 
better instruction of processes. 
3 - (Repealed.) 
4 - Requests for opinions on legal and regulatory provisions in preparation must 
be sent to CNPD by the holder of the body with legal or regulatory power, instructed with 
the respective impact study on the protection of personal data. 
5 - Requests for opinions on any other legal instruments of the European Union 
international data in preparation, relating to the processing of personal data, must be sent 
to CNPD for the entity that represents the Portuguese State in the process of elaborating the initiative, 
properly instructed. 
Article 19 
[...] 
1 - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .: 
a ). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
b ). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
c ). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
d ) After hearing the Commission, appoint the map staff and authorize transfers, requisitions and 
detachments; 
e ). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
f ). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
g ). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
h ). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
i ). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
j ). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
l ). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
two - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
Article 20 
[...] 
1 - CNPD's revenues and expenses, which enjoy administrative and financial autonomy, 
included in the annual budget. 
2 - In addition to the appropriations allocated to it in the budget of the Assembly of the Republic, 
under the terms of Law no. 59/90, of November 21, the CNPD's revenues are: 
a ). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
b ) The proceeds from the sale of publications; 
c ). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
d ) The amount of fines collected that, under the terms of the law, revert in your favor; 
e ). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
f ) Subsidies, grants, co-payments, donations and bequests, granted by entities, 
public and private, national, foreign, European Union or international; 
3 -. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
4 -. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
Page 23 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 23 
5 -. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
6 - The management of the CNPD budget, including appropriations not included in the budget of the 
Assembly of the Republic, is subject to the latter's regime, and the regime applicable to 
provided for in no. 10 of article 60 of Law no. 71/2018, of 31 December. 
Article 21 
[...] 
1 - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
a ) Accreditation and certification; 
b ) By prior consultation; 
c ) Issuing authorizations; 
d ) Appraising codes of conduct; 
e ) In other cases provided for by law. 
2 - The amount of fees, which must be proportional to the complexity of the request and the service 
provided, is set by regulation by CNPD. 
3 -. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
Article 22 
[...] 
1 - CNPD has its own support services that comprise units and centers. 
2 - Support services are made up of the following units: 
a ) Rights and Sanctions Unit; 
b ) Inspection Unit; 
c ) Public and International Relations Unit; 
d ) Informatics Unit; 
e ) Administrative and Financial Support Unit. 
3 - CNPD is responsible for approving the regulation of organization and functioning of services 
support, as well as the regulation for the evaluation of workers. 
4 - (Previous no. 3.) 
5 - The secretary is appointed by order of the president, obtaining a favorable opinion from the Commission.
are, in compliance with the legal requirements appropriate to the performance of the respective functions, 
preferentially chosen from among employees already belonging to the CNPD map, qualified 
with a degree and of recognized competence for the performance of the place. 
6 - (Previous nº 5.) 
Article 24 
Rights and Sanctions Unit 
The Rights and Sanctions Unit is responsible for ensuring technical support - legally, 
mind: 
a ) Instruct the administrative offense processes, as well as other open processes based on 
in reports or complaints; 
b ) Prepare the procedural documents and represent the CNPD in legal proceedings, when 
mandated for that purpose; 
c ) Prepare opinions on legislative and regulatory projects and on legal instruments 
doctors in preparation at European Union and international institutions; 
Page 24 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 24 
d ) Analyze and prepare guidance on protection impact assessment studies 
of data; 
e ) Instruct and propose decisions on prior authorization processes in the cases provided for by law; 
f ) Instruct and propose decisions on accreditation and accreditation review processes and 
certifications; 
g ) Analyze and prepare decisions in cases of notification of breaches of personal data; 
h ) Analyze and prepare decisions on codes of conduct; 
i ) Interact with data protection officers; 
j ) Collaborate in the organization of colloquiums, seminars and other initiatives for the dissemination of matters 
protection of personal data; 
k ) Instruct and propose decisions regarding the exercise of rights by the holders of personal data 
soais; 
l ) Perform any other technical and legal tasks. 
Article 25 
Public and International Relations Unit 
The Public and International Relations Unit is responsible for ensuring support in matters 
information, documentation and public relations and in interacting with European authorities and 
international organizations, namely: 
a ) Manage the contents of the CNPD website and intranet; 
b ) Organize and keep updated a documentation center with the function of collecting 
bibliography, documentation, texts, legal diplomas, normative and administrative acts and other 
elements of scientific and technical information related to the protection of personal data; 
c ) Promote the dissemination and clarification of rights and obligations related to the protection of 
personal data; 
d ) Ensure contacts with the media; 
e ) Organizing, advising and promoting the holding of colloquia, seminars and other 
events; 
f ) Collaborate in the design and edition of publications, as well as in the annual report of 
activities; 
g ) Perform any other tasks, in the scope of information and communication; 
h ) To manage institutional relations with European Union or international organizations in 
protection of personal data; 
i ) To ensure relations with similar supervisory authorities, especially in the context of 
competences of the European Data Protection Board; 
j ) Instruct and prepare decisions on cooperation and coherence procedures; 
k ) Instruct and prepare decisions regarding international transfers of personal data. 
Article 26 
Informatics Unit 
1 - The IT Unit is responsible for ensuring the normal functioning of the infrastructures 
of information and communication from CNPD and the necessary technical support in the area of information technologies. information, namely: 
a ) To ensure the integrated management and maintenance of the CNPD's computer park and the 
communications system; 
b ) To ensure the correct functioning of the computer network and information systems of the 
CNPD; 
c ) Carry out the technical studies necessary for the acquisition of computer and communication 
communication; 
Page 25 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 25 
d ) Ensuring support for users of information and communication systems, as well as 
to promote, together with the same good practices, for the safe and adequate use of these systems 
but; 
e ) Ensure the application of security standards that guarantee reliability, confidentiality 
and durability of information systems; 
f ) Conceive the global architecture of the CNPD information system; 
g ) Design, develop and operationalize the applications and interfaces necessary for the 
exercise of CNPD's activity; 
h ) Design, develop and operate the CNPD website; 
i ) Carry out studies on new technologies with an impact on the processing of personal data. 
Article 27 
Administrative and Financial Support Unit 
The Administrative and Financial Support Unit is responsible for supporting CNPD in the management of 
and human, financial and material resources, namely: 
a ) [Former point c ) .] 
b ) [Former point d ) .] 
c ) [Former point e ) .] 
d ) Promote the acquisition of goods and services; 
e ) Administer consumer goods, as well as manage facilities, vehicles and other equipment 
services at the service of CNPD; 
f ) To prepare and keep the general inventory updated; 
g ) Promote the recruitment, promotion and hiring of workers, as well as the application 
cation of mobility instruments; 
h ) Process the salaries of workers, CNPD members and the single auditor; 
i ) Organize and keep updated the information related to workers, members of the 
CNPD and the single auditor; 
j ) Promote the training of workers; 
k ) Promote the performance of the workers' assessment; 
l ) Instruct and propose decisions in disciplinary proceedings; 
m ) Secretary to the president and the secretary; 
n ) Ensure the registration and forwarding of correspondence, as well as the organization and 
document file; 
o ) Ensure external service and support for meetings; 
p ) To ensure the driving of vehicles and their maintenance and to receive and deliver expedient and 
orders; 
q ) Perform any other tasks that, in the context of its functional area, are determined by 
ended by the president or the secretary. 
Article 28 
[...] 
1 - CNPD workers are subject to the general regime of work in public functions. 
two - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
Article 29 
[...] 
CNPD workers have an identification card, which includes the position they hold. 
and the powers inherent in its function. 
Page 26 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 26 
Article 30 
[...] 
1 - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
two - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
3 -. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
4 - The period provided for in paragraph 1 of article 97 of the General Labor Law in Public Functions, 
approved in annex to Law no. 35/2014, of 20 June, does not apply to the mobility regime 
for CNPD support services, however, mobility can be terminated by decision 
the President, after hearing the Commission, or at the request of the interested party. 
5 -. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
6 - For the performance of functions in the support services of CNPD under the 
mobility mechanisms, and whenever it operates at the initiative of the worker, the agreement is waived 
of the originating service. 
Article 31 
Public service workers 
The appointment on service commission of workers in public functions to the position of 
consultant does not determine the opening of a vacancy in the origin map, being safeguarded all the 
rights inherent to their previous positions or functions, namely for the purpose of promoting 
progression. ' 
Article 64 
Amendment to Law no. 43/2004, of 18 August 
Articles 19-A and 24-A are added to Law No. 43/2004, of 18 August, with the following 
essay: 
"Article 19a 
Single Auditor 
1 - The single auditor is the body responsible for controlling the legality, regularity and 
good financial and patrimonial management by CNPD, and consultation by the latter in this field. 
2 - The statutory auditor is a statutory auditor, appointed by the Assembly of the Republic, 
by resolution, and who takes office before the President of the Assembly of the Republic. 
3 - The mandate of the single auditor has a duration of five years, non-renewable, remaining 
in exercise of functions until the effective replacement. 
4 - The sole auditor is remunerated for an amount corresponding to 25% of the basic remuneration 
earned by CNPD members. 
5 - It is incumbent, inter alia, on the sole auditor: 
a ) Monitor and control the financial and patrimonial management of CNPD; 
b ) Periodically examine the financial and economic situation of CNPD and verify compliance with 
regulatory standards for its activity; 
c ) Issue a prior opinion, within a maximum period of 10 days, on the acquisition, encumbrance, leasing 
moving and disposing of movable property; 
d ) Issuing an opinion on any subject submitted to it by CNPD; 
e ) Report to the competent entities the irregularities it detects. 
Page 27 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 27 
Article 24a 
Inspection Unit 
The Inspection Unit is responsible for carrying out inspections and audits within the scope of the 
course, mandated by CNPD, in particular: 
a ) To inspect the compliance of the processing of personal data, being able to access the information 
responsible and subcontractor's facilities, equipment, means of handling 
data, as well as any necessary documentation; 
b ) Investigate, within the scope of mutual assistance and joint operations provided for in 
61 and 62 of Regulation (EU) 2016/679 of the Parliament and of the Council of 27 April 
2016, the processing of personal data, under the conditions provided for in the preceding paragraph; 
c ) Carry out audits of the national part of European information systems, in accordance with 
European Union legislation. ' 
Article 65 
Amendment to Law No. 26/2016, of 22 August 
Article 6 of the regime for access to administrative and environmental information and for reuse 
administrative documents approved by Law No. 26/2016, of 22 August, will now have the 
following wording: 
«Article 6 
[...] 
1 - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
two - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
3 -. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
4 -. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
5 -. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
6 -. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
7 -. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
8 -. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
9 - Without prejudice to the weightings provided for in the preceding paragraphs, in requests for access 
to nominative documents that do not contain personal data that reveal ethnic origin, the 
political opinions, religious or philosophical convictions, union affiliation, genetic data, bio 
metrics or health related data, or data related to the privacy of private life, sex life or 
sexual orientation of a person, it is presumed, in the absence of another indicated by the applicant, that the 
application is based on the right of access to administrative documents. " 
Article 66 
Repealing rule 
1 - Law No. 67/98, of 26 October, is revoked, which transposes to the Portuguese legal order 
Portuguese Directive 95/45 / EC, of the European Parliament and of the Council, of October 24, 1995, 
on the protection of individuals with regard to the processing of personal data and 
the free movement of such data. 
2 - Paragraph 3 of article 15 and paragraph 2 of article 17 of Law no. 43/2004, of 18 
August, amended by Law No. 55 -A / 2010, of December 31. 
Page 28 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 28 
Article 67 
Republication 
It is republished in an annex to this law, of which Law 43/2004, of 18, is an integral part. 
August, with the current wording and the necessary formal corrections. 
Article 68 
Entry into force and effect 
1 - This law shall enter into force on the day following that of its publication. 
2 - The sole auditor to be elected under the terms of article 19-A of Law no. 43/2004, of 18 
August, you can only start your term from 1 January 2020. 
Approved on June 14, 2019. 
The President of the Assembly of the Republic, Eduardo Ferro Rodrigues. 
Enacted on July 26, 2019. 
Publish yourself. 
The President, M ARCELO R EBELO OF S DARE . 
Countersigned on July 30, 2019. 
For the Prime Minister, Augusto Ernesto Santos Silva, Minister of Foreign Affairs. 
ATTACHMENT 
(referred to in Article 67) 
Republication of Law No. 43/2004, of 18 August 
CHAPTER I 
General provisions 
Article 1 
Scope 
This law regulates the organization and functioning of the National Commission for the Protection of 
(CNPD), as well as the personal status of its members. 
Article 2 
Nature, attributions and competences 
1 - CNPD is an independent administrative entity, with legal personality under law 
public authority and powers of authority, endowed with administrative and financial autonomy, 
with the Assembly of the Republic. 
2 - CNPD is the national supervisory authority for the purposes of the General Protection Regulation 
Data Protection (GDPR), approved by Regulation (EU) 2016/679, of the European Parliament and the 
of 27 April 2016, and the law that ensures its execution in the domestic legal system. 
Page 29 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 29 
3 - CNPD controls and inspects compliance with the GDPR and the present law, as well as with 
other legal and regulatory provisions on the protection of personal data, in order to 
defend the rights, freedoms and guarantees of natural persons in the context of treatment of 
personal data. 
4 - CNPD acts independently in the pursuit of its attributions and in the exercise of its 
powers attributed to it by the present law. 
CHAPTER II 
CNPD members 
Article 3 
Membership, designation and mandate of members 
1 - CNPD is composed of seven members of recognized integrity and merit: 
a ) A President, elected by the Assembly of the Republic; 
b ) Two personalities elected by the Assembly of the Republic according to the average method 
highest in Hondt; 
c ) Two magistrates, one judicial magistrate, appointed by the Superior Council of the 
gistratura, and a public prosecutor appointed by the Superior Council of the Ministry 
Public; 
d ) Two personalities appointed by the Government; 
2 - The mandate of the members of the CNPD is five years, renewable twice, and ends with 
the tenure of new members. 
3 - The designation of the members of the CNPD appears on a list published in the 1st series of the Diário da 
Republic. 
4 - CNPD members take office before the President of the Assembly of the Republic 
within 10 days of publication of the list referred to in the preceding paragraph. 
Article 4 
Disabilities and incompatibilities 
1 - Only citizens who are in full enjoyment of their rights may be members of the CNPD. 
civil and political rights. 
2 - CNPD members are subject to the incompatibility regime established for 
holders of high public office. 
Article 5 
Immovability 
1 - CNPD members are immovable, and their functions cannot be terminated before the 
term of office, except in the following cases: 
a ) Death or permanent physical disability or with a duration that is expected to be exceeded 
the end date of the term of office; 
b ) Resignation from office; 
c ) Loss of mandate. 
2 - In the case of vacancy for one of the reasons provided for in the preceding paragraph, the vacancy must be 
completed within 30 days of verification, by appointing a new member 
by the competent authority. 
Page 30 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 30 
3 - The member appointed under the terms of the previous number completes the member's mandate 
that replaces. 
Article 6 
Renounce 
1 - CNPD members can resign their mandate by means of a written declaration presented 
to the Commission. 
2 - The waiver becomes effective with your announcement and is published in the 2nd series of the Diário da 
Republic. 
Article 7 
Loss of mandate 
1 - CNPD members who: 
a ) Are covered by any of the disabilities or incompatibilities provided for by law; 
b ) Missing, in the same calendar year, three consecutive meetings or six interpolated, unless 
justified reason; 
c ) Commit a violation of the provisions of paragraph c ) of article 8, provided that judicially 
rada. 
2 - The loss of the mandate is the object, as the case may be, of deliberation or declaration to be published 
in the 2nd series of the Diário da República. 
Article 8 
Duties 
The duties of CNPD members are: 
a ) Exercise the respective position with exemption, rigor and independence; 
b ) Participate actively and assiduously in the work of the body they are part of; 
c ) Keep confidentiality about the issues or processes that are being analyzed, 
under the terms of Regulation (EU) 2016/679 of the European Parliament and of the Council of 
27 April 2016, and Directive (EU) 2016/680 of the European Parliament and of the Council of 27 
April 2016. 
Article 9 
Remuneration status 
1 - The president of CNPD is remunerated according to the indicative table and the fixed regime 
appointed to the position of director-general, with the remaining members being remunerated equal to 85% 
without prejudice to the option of the option of remuneration corresponding to the place of 
origin. 
2 - The president of CNPD is entitled to a monthly allowance for representation expenses 
of an amount equal to that attributed to the directors-general. 
3 - The remaining members of the CNPD are entitled to a monthly allowance for expenses with 
presentation of an amount equal to that attributed to the sub-directors-general. 
4 - CNPD members benefit from the general social security regime, if they are not 
covered by a more favorable one. 
Page 31 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 31 
Article 10 
Guarantees 
CNPD members benefit from the following guarantees: 
a ) They must not be prejudiced in the stability of their employment, in their professional career 
and in the social security regime from which they benefit; 
b ) The period corresponding to the exercise of the mandate is considered, for all purposes 
legal, as provided in the place of origin; 
c ) The term of the mandate suspends, at the request of the interested party, the counting 
deadlines for submitting curriculum reports or providing evidence for the career of 
teaching staff or for scientific research, as well as the counting of deadlines 
the contracts of guest professors, assistants, trainee or guest assistants; 
d ) They have the right to be excused from their public or private activities, when they are 
train in functions of national or international representation of the Commission. 
Article 11 
Impediments and suspicions 
1 - Impairments and suspicions apply, with the necessary adaptations, the provisions 
of the Code of Administrative Procedure. 
2 - Impediments and suspicions are assessed by CNPD. 
Article 12 
Identification card 
1 - CNPD members have an identification card, which includes their position, their 
perks and rights inherent to their function. 
2 - The identification card is simultaneously free to travel and has access to all locations 
in which personal data are processed subject to the control of CNPD. 
CHAPTER III 
CNPD functioning 
Article 13 
Meetings 
1 - CNPD works on a permanent basis. 
2 - CNPD has ordinary and extraordinary meetings. 
3 - Extraordinary meetings take place: 
a ) At the initiative of the President; 
b ) At the request of three of its members. 
4 - CNPD meetings are not public and are held at its facilities or, in turn, 
deliberation, in any other place of the national territory, being the periodicity established in the 
terms appropriate to the performance of their duties. 
5 - The president, when he deems it convenient, may, with the agreement of the Commission, invite 
to participate in the meetings, except in the decision-making phase, any person whose presence is considered 
useful. 
6 - Minutes are drawn up of the meetings, which, after being approved by CNPD, are signed by the 
and the secretary. 
Page 32 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 32 
Article 14 
Order of business 
1 - The agenda for each ordinary meeting is fixed by the president, and must be 
communicated to the members at least two working days before the scheduled date 
for its realization. 
2 - The agenda must include the subjects indicated for that purpose by 
any member, provided that they are within the competence of the body and the request is submitted in writing 
at least five days in advance of the date of the meeting. 
Article 15 
Resolutions 
1 - CNPD can only meet and deliberate with the presence of at least four members. 
2 - The decisions of the CNPD are taken by a majority of the members present, with the 
chairman casting vote. 
3 - (Repealed.) 
Article 16 
Advertising 
1 - Decisions regarding: 
a ) Accreditation and certification; 
b ) Revocation and annulment of accreditation and certification; 
c ) Codes of conduct; 
d ) Authorizations; 
e ) Binding rules. 
2 - Regulations and opinions on 
legal and regulatory instruments and legal instruments under preparation in European Union institutions 
and international standards, as well as generic guidelines and recommendations. 
3 - Administrative regulations are published in the 2nd series of the Diário da República , including 
including those relating to the fixing of fees and those issued under the provisions of paragraph 3 of article 22. 
Article 17 
Reporting and reporting 
1 - Denunciations and reports are presented in writing, in a specific place for the 
effect on the CNPD website, without prejudice, exceptionally, as long as duly substantiated 
if it is admitted by email or postal mail, which may be required 
confirmation of the identity of its authors. 
2 - (Repealed.) 
3 - When the question raised is not within the competence of CNPD, it must be 
walk to the competent entity, with information to the exponent. 
4 - Claims, complaints and petitions that are manifestly unfounded may be filed 
by the member of the Commission to whom the respective file has been distributed. 
Article 18 
Formalities 
1 - The documents sent to CNPD and the subsequent one processed are not subject to 
special formalities. 
Page 33 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 33 
2 - CNPD may approve models or forms, in electronic form, with a view to allowing 
better instruction of processes. 
3 - (Repealed.) 
4 - Requests for opinions on legal and regulatory provisions in preparation must 
be sent to CNPD by the holder of the body with legal or regulatory power, instructed with 
the respective impact study on the protection of personal data. 
5 - Requests for opinions on any other legal instruments of the European Union 
international data in preparation, relating to the processing of personal data, must be sent 
to CNPD for the entity that represents the Portuguese State in the process of elaborating the initiative, 
properly instructed. 
Article 19 
Powers and substitution of the president 
1 - The President is responsible for: 
a ) Represent the Commission; 
b ) Superintend in support services; 
c ) Convene the sessions and set the agenda; 
d ) After hearing the Commission, appoint the map staff and authorize transfers, requisitions and 
detachments; 
e ) After hearing the Commission, authorize the hiring of the staff referred to in paragraph 5 of article 30; 
f ) Award contracts on behalf of the Commission and compel it in other legal transactions; 
g ) To authorize the realization of expenses within the limits legally included in the com 
competence of ministers; 
h ) Apply fines and ratify resolutions, under the terms provided for by law; 
i ) After hearing the Commission, establish the rules for the distribution of cases; 
j ) Submit the activity plan to the Commission for approval; 
l ) In general, ensure compliance with laws and the regularity of deliberations. 
2 - The president is replaced, in his absences and impediments, by the member that the Commission 
designate. 
Article 19a 
Single Auditor 
1 - The single auditor is the body responsible for controlling the legality, regularity and 
good financial and patrimonial management by CNPD, and consultation by the latter in this field. 
2 - The statutory auditor is a statutory auditor, appointed by the Assembly of the Republic, 
by resolution, and who takes office before the President of the Assembly of the Republic. 
3 - The mandate of the single auditor has a duration of five years, non-renewable, remaining 
in exercise of functions until the effective replacement. 
4 - The sole auditor is remunerated for an amount corresponding to 25% of the basic remuneration 
earned by CNPD members. 
5 - It is incumbent, inter alia, on the sole auditor: 
a ) Monitor and control the financial and patrimonial management of CNPD; 
b ) Periodically examine the financial and economic situation of CNPD and verify compliance with 
regulatory standards for its activity; 
c ) Issue a prior opinion within a maximum period of 10 days on the acquisition, encumbrance, leasing 
moving and disposing of movable property; 
Page 34 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 34 
d ) Issuing an opinion on any subject submitted to it by CNPD; 
e ) Report to the competent entities the irregularities it detects. 
CHAPTER IV 
Financial regime 
Article 20 
Income and expenditure regime 
1 - CNPD's revenues and expenses, which enjoy administrative and financial autonomy, 
included in the annual budget. 
2 - In addition to the appropriations allocated to it in the budget of the Assembly of the Republic, 
under the terms of Law no. 59/90, of November 21, the CNPD's revenues are: 
a ) The proceeds of the fees charged; 
b ) The proceeds from the sale of publications; 
c ) The proceeds of charges for issuing certificates and access to documents; 
d ) The amount of fines collected that, under the terms of the law, revert to your benefit; 
e ) The management balance of the previous year; 
f ) Subsidies, grants, co-payments, donations and bequests, granted by entities, 
public and private, national, foreign, European Union or international; 
g ) Any other revenue attributed to it by law or contract. 
3 - CNPD expenses are those resulting from the charges and liabilities 
of its operation, as well as any others related to the continuation of its activities. 
assignments. 
4 - The annual budget, the respective changes as well as the accounts are approved by the 
CNPD. 
5 - CNPD's accounts are subject, in general terms, to the control of the Court of 
Bills. 
6 - The management of the CNPD budget, including appropriations not included in the budget of the 
Assembly of the Republic, is subject to the latter's regime, and the regime applicable to 
provided for in no. 10 of article 60 of Law no. 71/2018, of 31 December. 
Article 21 
Fees 
1 - CNPD may charge fees: 
a ) Accreditation and certification; 
b ) By prior consultation; 
c ) Issuing authorizations; 
d ) Appraising codes of conduct; 
e ) In other cases provided for by law. 
2 - The amount of fees, which must be proportional to the complexity of the request and the service 
provided, is set by regulation by CNPD. 
3 - In the event of proven economic insufficiency, the interested party may be exempt, totally 
or partially, the payment of the fees referred to in paragraph 1, by means of a decision by the CNPD. 
Page 35 
Diário da República, 1st series
No. 151 August 8, 2019 Page 35 
CHAPTER V 
Support services 
Article 22 
Organization of support services 
1 - CNPD has its own support services that comprise units and centers. 
2 - Support services are made up of the following units: 
a ) Rights and Sanctions Unit; 
b ) Inspection Unit; 
c ) Public and International Relations Unit; 
d ) Informatics Unit; 
e ) Administrative and Financial Support Unit. 
3 - CNPD is responsible for approving the regulation of organization and functioning of services 
support, as well as the regulation for the evaluation of workers. 
4 - Support services are managed by a secretary, who is entitled to remuneration 
higher level of consultant-coordinator, as well as a monthly allowance for representation expenses 
8% of the basic remuneration. 
5 - The secretary is appointed by order of the president, obtaining a favorable opinion from the Commission. 
are, in compliance with the legal requirements appropriate to the performance of the respective functions, 
preferentially chosen from among employees already belonging to the CNPD map, qualified 
with a degree and of recognized competence for the performance of the place. 
6 - The appointment of the secretary is made on a service commission basis, for periods of 
three years. 
Article 23 
Powers of the secretary 
1 - The secretary is responsible for: 
a ) Secretary to the Commission; 
b ) Implement the decisions of the Commission, in accordance with the guidelines of the President; 
c ) To ensure the good organization and functioning of the support services, namely in the 
financial management, personnel and facilities and equipment, in accordance with the guidelines 
president's statements; 
d ) Prepare the draft budget, as well as the respective amendments, and ensure its 
execution; 
e ) Prepare the draft annual report. 
2 - The secretary is replaced, in his absences and impediments, by the superior technician or 
sultor appointed by the President, obtained a favorable opinion from the Commission. 
Article 24 
Rights and Sanctions Unit 
The Rights and Sanctions Unit is responsible for ensuring technical support - legally, 
mind: 
a ) Instruct the administrative offense processes, as well as other open processes based on 
in reports or complaints; 
Page 36 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 36 
b ) Prepare the procedural documents and represent the CNPD in legal proceedings, when 
mandated for that purpose; 
c ) Prepare opinions on legislative and regulatory projects and on legal instruments 
doctors in preparation at European Union and international institutions; 
d ) Analyze and prepare guidance on protection impact assessment studies 
of data; 
e ) Instruct and propose decisions on prior authorization processes in the cases provided for by law; 
f ) Instruct and propose decisions on accreditation and accreditation review processes and 
certifications; 
g ) Analyze and prepare decisions in data breach notification processes 
personal; 
h ) Analyze and prepare decisions on codes of conduct; 
i ) Interact with data protection officers; 
j ) Collaborate in the organization of colloquiums, seminars and other initiatives for the dissemination of matters 
protection of personal data; 
k ) Instruct and propose decisions regarding the exercise of rights by the holders of personal data 
soais; 
l ) Perform any other technical and legal tasks. 
Article 24a 
Inspection Unit 
The Inspection Unit is responsible for carrying out inspections and audits within the scope of the 
course, with mandate from the president of CNPD, in particular: 
a ) To inspect the compliance of the processing of personal data, being able to access the information 
responsible and subcontractor's facilities, equipment, means of handling 
data, as well as any necessary documentation; 
b ) Investigate, within the scope of mutual assistance and joint operations provided for in 
61 and 62 of Regulation (EU) 2016/679 of the Parliament and of the Council of 27 April 
2016, the processing of personal data, under the conditions provided for in the preceding paragraph; 
c ) Carry out audits of the national part of European information systems, in accordance with 
European Union legislation. 
Article 25 
Public and International Relations Unit 
The Public and International Relations Unit is responsible for ensuring support in matters 
information, documentation and public relations and in interacting with European authorities and 
international organizations, namely: 
a ) Manage the contents of the CNPD website and intranet; 
b ) Organize and keep updated a documentation center with the function of collecting 
bibliography, documentation, texts, legal diplomas, normative and administrative acts and other 
elements of scientific and technical information related to the protection of personal data; 
c ) Promote the dissemination and clarification of rights and obligations related to the protection of 
personal data; 
d ) Ensure contacts with the media; 
e ) Organizing, advising and promoting the holding of colloquia, seminars and other 
events; 
f ) Collaborate in the design and edition of publications, as well as in the annual report of 
activities; 
g ) Perform any other tasks, in the scope of information and communication; 
Page 37 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 37 
h ) To manage institutional relations with European Union or international organizations in 
protection of personal data; 
i ) To ensure relations with similar supervisory authorities, especially in the context of 
competences of the European Data Protection Board; 
j ) Instruct and prepare decisions on cooperation and coherence procedures; 
k ) Instruct and prepare decisions regarding international transfers of personal data. 
Article 26 
Informatics Unit 
1 - The IT Unit is responsible for ensuring the normal functioning of the infrastructures 
of information and communication from CNPD and the necessary technical support in the area of information technologies. information, namely: 
a ) To ensure the integrated management and maintenance of the CNPD's computer park and the 
communications system; 
b ) To ensure the correct functioning of the computer network and information systems of the 
CNPD; 
c ) Carry out the technical studies necessary for the acquisition of computer and communication 
communication; 
d ) Ensuring support for users of information and communication systems, as well as 
to promote, together with the same good practices, for the safe and adequate use of these systems 
but; 
e ) Ensure the application of security standards that guarantee reliability, confidentiality 
and durability of information systems; 
f ) Conceive the global architecture of the CNPD information system; 
g ) Design, develop and operationalize the applications and interfaces necessary for the 
exercise of CNPD's activity; 
h ) Design, develop and operate the CNPD website; 
i ) Carry out studies on new technologies with an impact on the processing of personal data. 
Article 27 
Administrative and Financial Support Unit 
The Administrative and Financial Support Unit is responsible for supporting CNPD in the management of 
and human, financial and material resources, namely: 
a ) Prepare budget proposals and monitor their execution; 
b ) To ensure the processing and accounting of income and expenses; 
c ) Prepare the management account and the respective report; 
d ) Promote the acquisition of goods and services; 
e ) Administer consumer goods, as well as manage facilities, vehicles and other equipment 
services at the service of CNPD; 
f ) To prepare and keep the general inventory updated; 
g ) Promote the recruitment, promotion and hiring of workers, as well as the application 
cation of mobility instruments; 
h ) Process the salaries of workers, CNPD members and the single auditor; 
i ) Organize and keep updated the information related to workers, members of the 
CNPD and the single auditor; 
j ) Promote the training of workers; 
k ) Promote the performance of the workers' assessment; 
l ) Instruct and propose decisions in disciplinary proceedings; 
m ) Secretary to the president and the secretary; 
Page 38 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 38 
n ) Ensure the registration and forwarding of correspondence, as well as the organization and 
document file; 
o ) Ensure external service and support for meetings; 
p ) To ensure the driving of vehicles and their maintenance and to receive and deliver expedient and 
orders; 
q ) Perform any other tasks that, in the context of its functional area, are determined by 
ended by the president or the secretary. 
Article 28 
Personnel arrangements 
1 - CNPD workers are subject to the general regime of work in public functions. 
2 - CNPD personnel are exempt from working hours, and therefore no payment is due. 
overtime pay, without prejudice to the provisions of article 33. 
Article 29 
Identification card 
CNPD workers have an identification card, which includes the position they hold. 
and the powers inherent in its function. 
CHAPTER VI 
Final and transitional provisions 
Article 30 
Staff 
1 - The staff, as well as the functional content of the respective careers, is fixed 
in a resolution of the Assembly of the Republic. 
2 - CNPD consultant positions will be provided on a service commission basis, by 
indefinite time, requisition or secondment, in case the appointment falls on an employee 
public, or under an individual employment contract, when not linked to the Administration 
Public. 
3 - High competence is a prerequisite for recruiting consultants. 
professional and valid experience for the exercise of the function, to be evaluated based on the respective 
curriculum . 
4 - The period provided for in paragraph 1 of article 97 of the General Labor Law in Public Functions, 
approved in annex to Law no. 35/2014, of 20 June, does not apply to the mobility regime 
for CNPD support services, however, mobility can be terminated by decision 
the President, after hearing the Commission, or at the request of the interested party. 
5 - When the complexity and or specificity of the subjects so require, the president may 
authorize the hiring of personnel under a service provision contract. 
6 - For the performance of functions in the support services of CNPD under the 
mobility mechanisms, and whenever it operates at the initiative of the worker, the agreement is waived 
of the originating service. 
Article 31 
Public service workers 
The appointment on service commission of workers in public functions to the position of 
consultant does not determine the opening of a vacancy in the origin map, being safeguarded all the 
Page 39 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 39 
rights inherent to their previous positions or functions, namely for the purpose of promoting 
progression. 
Article 32 
Basic remuneration, recruitment, promotion and progression of consultants 
1 - The basic monthly remuneration of CNPD consultants is shown in map I attached to this 
law, of which it is an integral part. 
2 - Promotion and progression in the categories of consultant - coordinator and consultant is governed 
by the principles applicable to the higher technical career. 
3 - There may be a direct recruitment for the category of consultant -coordinator, provided 
that candidates have adequate qualifications and professional experience for that purpose. 
4 - Individuals with qualified qualifications can be recruited as consultants 
cations for the exercise of the function, whenever recruitment in the category of employees is not justified. 
consultant. 
Article 33 
Permanent availability 
1 - CNPD staff is entitled to a remuneration supplement, by way of availability 
permanent, of a monthly amount corresponding to 12.5% of the base remuneration. 
2 - The supplement is paid in 12 monthly installments and is for retirement purposes, 
being considered in the calculation of the pension by the formula provided for in paragraph b ) of paragraph 1 of article 47. of the Retirement Statute. 
3 - CNPD staff covered by n. the 1, 2, 7 and 9 of article 34 is not assigned the su 
supplement referred to in the preceding paragraphs. 
Article 34 
Staff currently employed by CNPD 
1 - The employees and agents who currently provide services at CNPD and who benefit 
of the regime of no. 3 of article 26 of Law no. 67/98, of 26 October, carry over to the new framework 
according to the rules of the following numbers, maintaining its current remuneration status, 
which has the nature of personal remuneration. 
2 - CNPD staff, not linked to Public Administration, who are in the situation 
of the previous number, the same remuneration regime applies, however its legal relationship 
of employment and the individual employment contract, under the general law applicable to the 
Public. 
3 - The posts of the higher technical career and information technology specialist provided for in the table 
staff, to ensure the transition provided for in paragraphs paragraphs 1 and 2, are places to extinguish when 
rem. 
4 - Employees linked to the Public Administration to provide services at CNPD on the date 
the entry into force of this law shall be transferred to the new framework, by means of a resolution thereof, 
for the career and category that integrates the functions that the employee actually performs, 
without prejudice to the qualifications and qualifications legally required, to the extent corresponding to 
the same remuneration index, or, when there is no coincidence of the index, in the step to which 
corresponds to the closest upper index in the career structure in order to process the 
transition. 
5 - The correspondence referred to in the previous number is fixed between the remuneration indices 
defined for step 1 of the category the employee is in and step 1 of the category 
new career. 
Page 40 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 40 
6 - Employees who, under the terms of paragraph 1, transition to a different category will be counted, 
in the latter, for all legal purposes, the length of service provided in the former, provided that 
exercise of functions identical or similar to those of the new career. 
7 - The provisions of paragraph 1 also apply to the current secretary, with the necessary adaptations 
arising from the exercise of functions. 
8 - The transition to the posts of the CNPD board is made by order of the president, including 
dependent on any other formalities, without prejudice to the provisions of paragraph 1. 
9 - CNPD may decide to maintain staff commissions, requisitions or secondments 
at your service on the date of entry into force of this law, keeping employees who benefit 
of paragraph 3 of article 26 of Law no. 67/98 its current remuneration status, which is now 
of personal remuneration. 
Article 35 
Transitional provision 
1 - The suspension of the service commission of the president of the CNPD continues until the end 
of your mandate. 
2 - The application of this law this year takes place within the budgetary framework approved for 
CNPD in 2004. 
Article 36 
Repealing rule 
The following are repealed: 
a ) Decree-Law No. 121/93, of April 16; 
b ) Resolution of the Assembly of the Republic no. 53/94, of 19 August. 
ATTACHMENT 
MAP I 
(referred to in Article 32 (1)) 
1 two 3 
Consultant -coordinator. . . . . . . . . . . . . . . . . . . . 770 830 900 Consultant. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 690 730 770 Deputy consultant. . . . . . . . . . . . . . . . . . . . . . . . 500 
112493484 
www.dre.pt 
Page 41 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 41 ASSEMBLY OF THE REPUBLIC 
Law No. 59/2019 
of August 8 
Summary: Approves the rules regarding the processing of personal data for the purpose of prevention, 
detection, investigation or prosecution of criminal offenses or enforcement of sanctions 
criminal matters, transposing Directive (EU) 2016/680 of the European Parliament and of the Council, 
April 27, 2016. 
Approves the rules regarding the processing of personal data for the purposes of prevention, detection, 
investigation or prosecution of criminal offenses or enforcement of criminal sanctions, 
transposing Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 
The Assembly of the Republic decrees, under the terms of paragraph c ) of article 161 of the Constitution, 
the next: 
CHAPTER I 
General provisions 
Article 1 
Object 
This law establishes the rules related to the protection of natural persons with regard to 
regard to the processing of personal data by the competent authorities for the purposes of prevention, 
detection, investigation or prosecution of criminal offenses or enforcement of criminal sanctions, including 
safeguarding and preventing threats to public security, transposing it into the legal order 
internal Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016. 
Article 2 
Scope of application 
1 - This law is applicable to the processing of personal data for the purposes provided for in 
previous article, under the terms of the criminal procedural law and other applicable legislation. 
2 - The present law applies to the processing of personal data by means totally or partially 
automated systems, as well as the processing of personal data contained in a file or destined for it 
non-automated means. 
3 - This law does not apply to the processing of personal data related to security. 
national security. 
4 - The exchange of personal data between competent authorities in the European Union, 
when legally required, it is not limited or prohibited for reasons related to the protection 
natural persons with regard to the processing of personal data. 
Article 3 
Definitions 
1 - For the purposes of the provisions of the present law, the following definitions shall apply: 
a ) «Member State» means a Member State of the European Union; 
b ) «Third country», a State that is not part of the European Union; 
Page 42 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 42 
c ) "Personal data" means information relating to an identified or identifiable natural person 
('Data subject'); 
d ) «Processing», an operation or a set of operations carried out on personal data 
or on personal data sets, by automated or non-automated means, such as 
the collection, registration, organization, structuring, conservation, adaptation or alteration, 
retrieval, consultation, use, disclosure by transmission, by diffusion or by any other means 
other form of availability, comparison or interconnection, limitation, deletion or 
undoing; 
e ) «Limitation of treatment», the insertion of a mark in the personal data kept with 
the aim of limiting your treatment in the future; 
f ) «Profiling», any form of automated processing of personal data that 
consists of using that data to assess certain personal aspects of a natural person, 
namely to analyze or predict aspects related to their professional performance, 
your economic situation, your health, your personal preferences, your interests, your 
reliability, behavior, location or travel; 
g ) 'Pseudonymisation' means the processing of personal data so that they can no longer be attributed 
assigned to a specific data subject without the use of supplementary information, provided that these 
maintained separately and subject to technical and organizational measures to ensure that 
personal data cannot be attributed to an identified or identifiable natural person; 
h ) 'File', a structured set of personal data accessible according to specific criteria 
specific, centralized, decentralized or distributed in a functional or geographic way; 
(i ) 'competent authority' means a public authority responsible for preventing, investing 
investigation, detection or prosecution of criminal offenses or enforcement of criminal sanctions, including 
safeguarding and preventing threats to public security, or any other body or 
entity exercising, under the terms of the law, public authority and public powers for the 
fast effects; 
j ) «Data controller», the competent entity that, individually or together 
with others, determines the purposes and means of processing personal data, or, in the case of 
where these are determined by law, the authority indicated therein; 
k ) «Subcontractor» means the natural or legal person, the public authority, the service or other 
body that processes personal data on behalf of the controller; 
l ) “Recipient” means the natural or legal person, the public authority, the service or other 
body that receives personal data communications, regardless of whether or not it is a third 
with the exception of public authorities receiving personal data in the context of investigations 
specific terms under the law, which, not being recipients, comply with the rules of protection 
personal data, depending on the purposes of the processing; 
m ) «Personal data breach» means a breach of security that accidentally causes 
or unlawful, the destruction, loss, alteration, unauthorized disclosure of personal data transferred 
kept, preserved or otherwise treated, or unauthorized access to such data; 
n ) "Genetic data" means personal data relating to genetic, hereditary or 
acquired, from a natural person, who provide unique information about their physiology or 
health that result, inter alia, from the analysis of a biological sample of the person 
concerned; 
o ) "Biometric data" means personal data resulting from specific technical treatment, 
relating to the physical, physiological or behavioral characteristics of a natural person, 
allow or confirm their unique identification, such as facial images or fingerprint data; 
p ) 'Health data' means personal data relating to the physical or mental health of a person 
sounds unique, including the provision of health services, that reveal information about your 
health condition; 
q ) «Supervisory authority», the National Data Protection Commission (CNPD), under the terms 
the provisions of article 43; 
r ) «International organization» means an international organization and the bodies governed by law 
international public body responsible for it, or another body created by an agreement concluded between 
two or more countries or on the basis of such an agreement. 
Page 43 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 43 
2 - For the purposes of the provisions of paragraph c ) of the previous number, it is considered identifiable 
a natural person who can be identified, directly or indirectly, in particular by reference 
to an identifier such as name, identification number, location data, identifiers 
online or one or more specific elements of physical, physiological, genetic, mental, 
economic, cultural or social status of that person. 
3 - For the purposes of the provisions of paragraph i ) of paragraph 1, competent authorities are the 
and security services, criminal police bodies, judicial authorities and services 
prison and social reintegration, within the scope of its prevention, detection, investment 
investigation or prosecution of criminal offenses or enforcement of criminal sanctions, under the terms provided for 
in the respective statutes and in the laws of internal security, of organization of the criminal investigation 
and criminal proceedings. 
CHAPTER II 
Principles relating to the processing of personal data 
Article 4 
General data protection principles 
1 - The processing of personal data must be carried out in strict respect for the rights, 
freedoms and guarantees of natural persons, in particular the right to data protection 
personal. 
2 - Personal data are: 
a ) Subject to lawful and fair treatment; 
b ) Collected for specific, explicit and legitimate purposes, which cannot be processed 
in a manner incompatible with these purposes; 
c ) Adequate, relevant and limited to the minimum necessary for the pursuit of the purposes 
for which they are treated; 
d ) Accurate and updated whenever necessary, and all reasonable measures must be taken 
reasonable so that inaccurate data can be erased or rectified without delay; 
e ) Kept in such a way as to allow the identification of the data subjects only during the 
period necessary for the purposes for which they are treated; 
f ) Treated in a way that guarantees their safety, including protection against their 
unauthorized or unlawful treatment and against accidental loss, destruction or damage, 
using appropriate technical or organizational measures. 
3 - The controller must adopt the measures that allow him to prove 
that the processing of personal data is carried out in accordance with the principles set out 
in the previous number. 
Article 5 
Treatment lawfulness 
1 - The processing of personal data is only lawful if it is provided for by law and to the extent 
necessary for the exercise of an assignment by the competent authority for the purposes of 
provided for in Article 1, without prejudice to the provisions of paragraph 3. 
2 - The law indicates, at least, the objectives of the processing, the personal data to be processed and the 
treatment purposes. 
3 - If it is not authorized by law, the processing of personal data can only be 
carried out if necessary for the protection of the vital interests of the data subject or other 
individual. 
Page 44 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 44 
Article 6 
Treatment of special categories of personal data 
1 - The processing of personal data that reveal racial or ethnic origin, opinions 
political, religious or philosophical beliefs or union affiliation, as well as genetic data 
biometric data to uniquely identify a natural person, 
data relating to health or data relating to sexual life or sexual orientation, can only be 
carried out if strictly necessary, if it is subject to adequate safeguards for the protection of 
rights and freedoms of the data subject, and if: 
a ) It is authorized by law; 
b ) It is intended to protect the vital interests of the data subject or another natural person; or 
c ) It is related to data manifestly made public by the data subject. 
2 - Profile definitions that lead to discrimination against natural persons are prohibited 
based on the special categories of personal data provided for in the preceding paragraph. 
Article 7 
Purpose of the treatment 
1 - The processing of personal data is allowed, by the same or by another responsible for the 
processing, for purposes other than those for which personal data were collected, 
provided that these other purposes fall within the purposes provided for in Article 1 and that: 
a ) The controller is authorized by law to process personal data for 
that purpose; and 
b ) Treatment is necessary and proportional to that other purpose, under the terms of the law. 
2 - The treatment by the same or another responsible person includes the public interest file and 
the scientific, statistical or historical use of the data for the purposes provided for in Article 1, under 
reservation of adequate guarantees of the rights, freedoms and guarantees of the data subject. 
Article 8 
Specific treatment conditions 
1 - Personal data collected by the competent authorities for the purposes provided for in 
Article 1 may not be treated for different purposes, unless such treatment is authorized 
by law, and in this case applicable to the processing of data for these and other purposes, the provisions of 
Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, and in 
Law No. 58/2019, of 8 August. 
2 - In cases where the competent authorities exercise powers for purposes other than those 
provided for in Article 1, applies to the processing of data for these other purposes, including data 
archives of public interest, scientific or historical research or statistical purposes, the provisions of 
in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, and 
in Law no. 58/2019, of 8 August. 
3 - If the competent authority transmits data the processing of which is 
subject to specific conditions, the transmitting authority informs the recipient of the data 
conditions and the obligation to comply with them. 
4 - In the transmission of data to Eurojust, Europol and other cooperation bodies 
judicial and police forces in criminal matters created within the framework of the European Union, as well as 
competent authorities of other Member States, specific conditions cannot be applied 
different from those envisaged for similar data transmissions between national authorities. 
Page 45 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 45 
Article 9 
Distinction between different categories of data subjects 
The controller should establish, if applicable and whenever possible, a 
clear distinction between the personal data of different categories of data subjects, such as: 
a ) Persons for whom there are reasonable grounds for believing that they have committed or 
are about to commit a criminal offense; 
b ) Persons convicted of a criminal offense; 
c ) Victims of a criminal offense or persons for whom certain facts lead to believe 
who may become victims of a criminal offense; and 
d ) Third parties involved in a criminal offense, such as persons who may be called upon to 
testify in criminal proceedings, persons who can provide information on criminal offenses, 
or contacts or associates of one of the persons referred to in points a ) and b ). 
Article 10 
Distinction between personal data and verification of the quality of personal data 
1 - Whenever possible, personal data based on facts should be distinguished from 
personal data based on personal assessments. 
2 - Inaccurate, incomplete, personal data may not be transmitted or made available. 
outdated or unreliable. 
3 - For the purposes foreseen in the previous number, the competent authorities verify, 
whenever possible, the quality of personal data before it is transmitted or made available 
made available. 
4 - In the case of the transmission of personal data, the competent authorities that 
transfer should provide, whenever possible, the information necessary for the authorities 
competent authorities that receive them can assess whether the data is accurate, complete, current 
and reliable. 
5 - If it is found that inaccurate data has been transmitted or data has been transmitted 
illegally, the addressee must be informed without delay, and 
rectification or erasure of the data in question or the limitation of its treatment, under the terms 
Article 17 
Article 11 
Automated individual decisions 
1 - Decisions taken solely on the basis of automated processing are prohibited 
including the definition of profiles, which have adverse effects on the legal sphere of the holder 
data or that significantly affect it, except when authorized by law, provided that 
provision is made for the right of the data subject to obtain human intervention by the data controller 
treatment. 
2 - The decisions referred to in the previous number cannot be based on the categories 
special personal data provided for in Article 6 
Article 12 
Deadlines for conservation and evaluation 
1 - Personal data may only be processed during the period necessary for the prosecution 
fulfillment of the purposes of collection, or further processing authorized in accordance with Article 7, 
after which they must be erased, without prejudice to their pseudonymization as soon as the purposes 
treatment allow. 
Page 46 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 46 
2 - The person responsible for the treatment periodically assesses the need to conserve the 
personal data processed, in accordance with internal procedures adopted for that purpose, in the 
which should, in particular, set the periodicity of the evaluation. 
3 - The periodicity of the assessment of the need to keep personal data must be 
determined according to the different categories of data subjects provided for in Article 9, as well as 
as well as the need to preserve the data in question for the purposes of processing. 
4 - The decision to keep personal data for periods in addition to the period of conservation 
original approval must be documented, justified and notified to the data subjects, without prejudice 
the provisions of Article 16. 
5 - The competent authorities must use computer systems that facilitate the evaluation 
periodic recognition of the need to preserve data and its erasure or pseudonymisation, 
namely through alerts and automatic protection measures, such as limiting 
access or concealment of data. 
CHAPTER III 
Data subject's rights 
Article 13 
Communications and exercise of the data subject's rights 
1 - The controller is responsible for facilitating the exercise of the data subject's rights in the 
pursuant to Articles 11 and 15 to 19
2 - The controller shall provide the data subject with the information to which the data 
referred to in Article 14 and makes the communications relating to Articles 11, 15 to 19 and 33 of a 
concise, intelligible and easily accessible form, using clear and simple language, and by the means 
including electronic means, and, whenever possible, using the means used 
in the order. 
3 - The controller shall inform the data subject of the follow-up given to his data 
request, in writing, and without undue delay, within a period not exceeding 30 days, which may be 
renewed for another 30 days, if justified. 
4 - The provision of information and the exercise of rights are free of charge, without prejudice to 
the following paragraph. 
5 - In cases where the request of the data subject is manifestly unfounded or 
process, namely due to its repetitive nature, the controller, by means of 
reasoned decision, may: 
a ) Demand the payment of a fee of an amount to be fixed by order of the member of the Government 
responsible for the area of justice, taking into account the associated administrative costs; or 
b ) Refuse to comply with the request. 
6 - If you have reasonable doubts as to the identity of the person making the request to the 
under Articles 15 and 17, the controller may request the applicant to 
additional information needed to verify your identity is provided. 
Article 14 
Information to be made available or to be provided by the controller 
1 - The controller shall make publicly available and permanently available 
accessible information on: 
a ) The identity and contact details of the controller; 
b ) The contact details of the data protection officer; 
Page 47 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 47 
c ) The purposes of the processing for which the personal data are intended; 
d ) The right to complain to the supervisory authority and the contact details of that authority; 
e ) The right to request the controller to have access to personal data that 
concern you, as well as their rectification or erasure and the limitation of treatment 
ment. 
2 - In addition to the information referred to in the preceding paragraph, and without prejudice to the 
in the following number, the controller provides the data subject with the following information 
additional training to enable you to exercise your rights: 
a ) The legal basis of the treatment; 
b ) The period of retention of personal data, the criteria used to define it or the 
procedures foreseen for periodic review of the need for conservation; 
c ) The categories of recipients of personal data, if applicable, including in countries 
third parties or international organizations; 
d ) If necessary, other additional information, especially if the personal data have been 
collected without the knowledge of the holder. 
3 - The provision of information referred to in the previous number may be postponed, limited 
or refused if and as long as it is necessary and proportionate to: 
a ) Avoid prejudice to investigations, inquiries or legal proceedings; 
b ) Avoid prejudice to the prevention, detection, investigation or prosecution of criminal offenses 
or for the enforcement of criminal sanctions; 
c ) Protect public security; 
d ) Protect national security; or 
e ) Protect the rights, freedoms and guarantees of third parties. 
Article 15 
Data subject's right of access to their personal data 
1 - Without prejudice to the provisions of the following article, the data subject has the right to obtain 
responsible for processing, at reasonable intervals, information on whether personal data 
concerning you are or are not being treated. 
2 - If so, the data subject has the right to access his personal data 
and information on: 
a ) The purposes and the legal basis of the processing; 
b ) The categories of personal data concerned; 
c ) The recipients or categories of recipients to whom the personal data have been 
transmitted, especially in the case of recipients from third countries or organizations 
international; 
d ) Whenever possible, the expected period of retention of personal data or, if it is not 
possible, the criteria used to set that period; 
e ) The right to request the controller to rectify or erase data 
personal data or the limitation of the processing of personal data concerning you; 
(f ) the right to lodge a complaint with the supervisory authority and to obtain the contact details of that authority. 
tority; 
g ) The communication of personal data subject to processing, as well as the information available 
available about their origin. 
Page 48 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 48 
Article 16 
Limitations of the right of access 
1 - The controller may refuse or restrict the holder’s right of access 
data as such a limitation constitutes a necessary and proportionate measure to: 
a ) Avoid prejudice to investigations, inquiries or legal proceedings; 
b ) Avoid prejudice to the prevention, detection, investigation or prosecution of criminal offenses 
or for the enforcement of criminal sanctions; 
c ) Protect public security; 
d ) Protect national security; or 
e ) Protect the rights, freedoms and guarantees of third parties. 
2 - In the cases provided for in the preceding paragraph, the controller shall inform the 
the data owner, in writing and without undue delay, of the reasons for the refusal or limitation 
access. 
3 - The information referred to in the previous number may be omitted only to the extent that 
that its performance may harm one of the purposes set out in paragraph 1. 
4 - In the cases provided for in the preceding paragraph, the controller shall inform the holder 
data on the right to submit a request for verification to the supervisory authority. 
control under article 18, or to initiate competent legal action. 
5 - The controller is responsible for providing the supervisory authority with information on 
the factual and legal grounds on which the decision to refuse or to limit the right 
access, as well as omission of information to the data subject. 
Article 17 
Right to rectify or erase personal data and to limit processing 
1 - The data subject has the right to obtain from the controller, without delay 
unjustified, the rectification of inaccurate personal data concerning you, as well as the right to 
that their incomplete personal data are completed, namely by means of 
additional clarification. 
2 - The data subject has the right to obtain from the controller, without delay 
unjustified, the deletion of personal data concerning you in cases where the 
treatment does not respect the provisions of articles 4 to 7 or in cases where the erasure 
is required to comply with a legal obligation that the controller 
be subject. 
3 - Instead of deleting, the controller limits the treatment, 
in case of: 
a ) The data subject contests the accuracy of personal data and its accuracy or inaccuracy 
cannot be ascertained; 
b ) Personal data must be kept for evidence purposes. 
4 - In the cases provided for in paragraph a ) of the previous number, the person responsible for 
the data subject forms before ending the processing limitation. 
5 - The limitation of processing implies that the data can only be processed for the purposes 
activities that prevented its erasure, and the controller must adopt the measures 
appropriate technical and organizational measures to ensure that the limitation is respected. 
6 - The data subject is informed, in writing, of the decision to refuse the rectification request 
or erasure or limitation of treatment and the respective grounds. 
Page 49 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 49 
7 - The information referred to in the previous number may be omitted or limited by the 
responsible for treatment insofar as such omission or limitation constitutes a necessary measure 
and proportional to: 
a ) Avoid prejudice to investigations, inquiries, or legal proceedings; 
b ) Avoid prejudice to the prevention, detection, investigation or prosecution of criminal offenses 
or the enforcement of criminal sanctions; 
c ) Protect public security; 
d ) Protect national security; or 
e ) Protect the rights and freedoms of third parties. 
8 - In the cases provided for in the preceding paragraph, the controller shall inform the holder 
data of the right to submit a request for verification to the supervisory authority pursuant to 
Article 18, or to initiate competent legal action. 
9 - The rectification of personal data is communicated to the competent authority of origin of the 
inaccurate data. 
10 - In case of data transmission, the controller informs the recipients 
rectification or erasure or limitation of treatment, which must be rectified or 
erase the data or limit the treatment in accordance with that information. 
Article 18 
Exercise of the data subject's rights and verification by the supervisory authority 
1 - In case of refusal of information, access, rectification, deletion or limitation of work 
on the basis of the provisions of paragraph 3 of article 14, paragraph 1 of article 16 or paragraph 7 of 
previous article, the data subject may request the supervisory authority to verify the lawfulness 
treatment. 
2 - The controller shall inform the data subject of the right that assists him / her in the 
terms of the previous number. 
3 - In the cases referred to in paragraph 1, the supervisory authority shall inform the data subject that 
carried out all necessary checks or a review of the treatment and entitlement 
assists in filing a competent lawsuit. 
Article 19 
Rights of the data subject in special cases 
The rights to information, access, rectification, erasure and limitation of work 
processing of personal data contained in criminal proceedings, a judicial decision or the 
criminal records are exercised under the terms of criminal procedural law and other applicable legislation. 
CHAPTER IV 
Data controller and subcontractor 
Article 20 
Obligations of the controller 
1 - The controller, taking into account the nature, scope, context and 
purposes of data processing, as well as the risks to rights, freedoms and guarantees 
of people, adopts the appropriate technical and organizational measures to ensure and be able to 
prove that the treatment is carried out in accordance with this law. 
2 - The measures adopted under the terms of the previous number are regularly evaluated and 
updated. 
Page 50 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 50 
Article 21 
Minimum data protection requirements 
1 - The controller is responsible for adopting the technical and organizational measures 
effectively ensure respect for the principles of data protection, as well as guarantees 
necessary to satisfy the requirements set out in this law and to protect the rights of 
data subjects. 
2 - The controller applies the appropriate technical and organizational measures 
ensure that only the personal data necessary for each purpose are processed 
specific treatment. 
3 - For the purposes of the preceding paragraph, the controller shall assess the volume of 
personal data collected, the extent of treatment, the retention period and accessibility, 
and must ensure that, by default, personal data are not made available to a specific number 
indeterminate number of persons without the consent of the respective data subject. 
4 - The measures referred to in paragraph 1 are ensured both at the time of conception, 
development and application of means of treatment as at the time of treatment itself, 
in order to allow, inter alia, pseudonymisation and data minimization. 
Article 22 
Joint controllers 
1 - For the purposes of this law, when two or more persons responsible for the treatment of 
data jointly determine the purposes and means of treatment, both are responsible for 
sets for treatment. 
2 - Jointly responsible persons determine their respective responsibilities by mutual agreement, 
in a transparent and duly documented manner in order to ensure compliance with this 
law, namely with regard to the exercise of the rights of the data subject and the duties 
to provide the information referred to in Article 14, except in cases where liability 
determined by law. 
3 - The agreement provided for in the preceding paragraph identifies which of the persons responsible is the 
tact of the data subjects for the exercise of their rights, without prejudice to the claim being able to 
be addressed to any of them. 
Article 23 
Data processing by subcontractor 
1 - The controller may use subcontractors who provide guarantees 
sufficient measures to adopt appropriate technical and organizational measures so that the treatment 
satisfy the requirements set out in this law and ensure the protection of the rights of the holder 
of the data. 
2 - The subcontractor cannot use another subcontractor without prior authorization 
specific or general, in writing, of the controller, with the exception of cases where 
subcontracting is provided for by law. 
3 - In case of general authorization, the subcontractor informs the controller 
of all the intended changes regarding the contracting of other subcontractors, and the 
controller to oppose these changes. 
4 - The processing of data in subcontracting is regulated by written contract or by law that 
establish the object, the duration, the nature and purpose of the processing, the type of personal data and 
the categories of data subjects to be processed, as well as the obligations and rights of the data controller 
for treatment. 
5 - The contract or law referred to in the preceding paragraph provides, in particular, that the 
contractor: 
Page 51 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 51 
a ) Only act in accordance with the instructions of the controller; 
b ) Ensure that the persons authorized to process personal data make a commitment 
confidentiality or are subject to legal confidentiality obligations; 
c ) Provide assistance to the controller by all appropriate means in a manner that is 
to ensure compliance with the provisions on the rights of the data subject; 
d ) After completing the treatment services, permanently delete or return the data to the 
controller, depending on his choice, and delete existing copies, unless 
that its conservation is required by law; 
e ) Provide the controller with the information necessary to demonstrate 
compliance with the provisions of this article; 
f ) Respect the conditions referred to in paragraphs. paragraphs 2 and 3 with regard to the hiring of another 
contractor; 
g ) Take the appropriate technical and organizational measures to ensure the protection of data 
personnel, in accordance with the requirements of this law, and should consider the principle of 
data protection from conception and by default. 
Article 24 
Processing under the authority of the controller or processor 
The subcontractor, as well as any person who, acting under the authority of the subcontractor or the 
responsible for the treatment, have access to personal data, cannot carry out the respective treatment 
without instructions from the controller. 
Article 25 
Duty of secrecy 
Data controllers, subcontractors, as well as any other person who, 
in the exercise of their functions, have access to personal data, are bound by professional secrecy 
even after the end of their duties. 
Article 26 
Records of treatment activities 
1 - The controller keeps a record of all categories of activities 
treatment under their responsibility. 
2 - The register must contain: 
a ) The name and contact details of the controller and, if applicable, of the controllers 
sets for processing and data protection officer; 
b ) The purposes of the treatment; 
c ) The categories of recipients to whom personal data are disclosed or made available, 
including recipients established in third countries or international organizations; 
d ) Description of the categories of data subjects and categories of personal data; 
e ) The use of the definition of profiles, if applicable; 
(f ) the categories of transfers of personal data to a third country or to an organization 
international organization, if applicable; 
g ) Indication of the legal basis for the treatment, including transfers, to which the 
personal data is intended; 
h ) If possible, the retention periods for the different categories of personal data or the 
procedures foreseen for periodic review of the need for conservation; 
(i ) a general description of the technical and organizational security measures referred to 
in Article 31; 
Page 52 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 52 
j ) The requests submitted by the data subjects and the respective processing, as well as the 
decisions of the controller with the corresponding reasoning. 
3 - The subcontractor keeps a record of all categories of treatment activities 
carried out on behalf of the controller, which include: 
a ) The name and contact details of the subcontractor or subcontractors, of each person responsible for 
processing on behalf of which the subcontractor and the data protection officer act, if 
if applicable; 
b ) The categories of data processing carried out on behalf of each person responsible for the 
treatment; 
(c ) where applicable, transfers of personal data to a third country or to a 
international organization and the instructions of the controller for transfers, 
including identification of that third country or international organization; 
(d ) a general description of the technical and organizational security measures referred to 
referred to in Article 31. 
4 - The records referred to in the previous numbers are kept in writing and in 
durable support, namely in electronic format. 
5 - The controller and the subcontractor provide the records provided for in the 
numbers prior to the supervisory authority at its request. 
Article 27 
Chronological record 
1 - The controller and the subcontractor keep in treatment systems 
automated chronological records of the following treatment operations: 
a ) Collection; 
b ) Alteration; 
c ) Consultation; 
d ) Disclosure, including transfers; 
e ) Interconnection; 
f ) Blackout; and 
g ) Limitation of treatment, including the start and end dates of the limitation. 
2 - The chronological records of the consultation and dissemination operations must allow 
determine the reason, the date and time of these operations, the identification of the person who consulted 
or disclosed personal data and, where possible, the identity of the recipients of that data 
personal. 
3 - The chronological records are used exclusively for the purpose of verifying the 
lawfulness of treatment, self-control, exercise of disciplinary power and guarantee of integrity and 
security of personal data, as well as in the scope and for the purposes of criminal proceedings. 
4 - The controller and the subcontractor provide the chronological records 
the supervisory authority at its request. 
5 - The specific laws regulating the data processing operations for the companies 
the conditions set out in Article 1 define the retention periods applicable to records 
chronological. 
6 - The controller and the subcontractor adopt technical measures that guarantee 
the integrity of the chronological records. 
Page 53 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 53 
Article 28 
Duty to collaborate 
The controller and the subcontractor cooperate fully with the authority 
control in the exercise of its powers. 
Article 29 
Impact assessment 
1 - In the event that a certain type of treatment is likely to pose a high risk 
for the rights, freedoms and guarantees of persons, the person responsible for the same must make a 
evaluation of the impact of the operations that compose it before starting it. 
2 - Taking into account people's rights, freedoms and guarantees, the impact assessment 
includes: 
(a ) a general description of the planned processing operations; 
b ) An assessment of the risks to the rights, freedoms and guarantees of the data subjects; 
c ) The measures foreseen to face the risks mentioned in the previous paragraph; 
d ) The guarantees, security measures and mechanisms to ensure the protection of 
personal data and demonstrate the compliance of the treatment with the present law. 
Article 30 
Prior consultation with the supervisory authority 
1 - The controller or the processor shall consult the supervisory authority 
before proceeding with the processing of personal data to be included in a file to be created in cases where: 
a ) The impact assessment foreseen in the previous article indicates that the treatment would result in a 
high risk, in the absence of adequate measures to mitigate that risk; or 
b ) The type of treatment involves a high risk to the rights, freedoms and guarantees of the 
data subjects, namely if they use new technologies. 
2 - The supervisory authority is consulted during the preparation of legal instruments 
in preparation in the European Union or international institutions and during the preparation of 
bilateral or multilateral agreements to be concluded between the Portuguese State and other States, as well as 
as well as legislative and regulatory proposals regarding the processing of personal data, 
also being able to issue opinions, on its own initiative, on any issue related to 
with the protection of personal data. 
3 - The supervisory authority may draw up and publicize a list of processing operations 
subject to prior consultation pursuant to paragraph 1. 
4 - The controller shall provide the supervisory authority with an impact assessment 
foreseen in the previous article and, when requested, any other information that allows you to evaluate 
the compliance of the treatment with the present law, the risks for the protection of personal data 
and the respective guarantees. 
5 - If you consider that the treatment provided for in paragraph 1 violates the provisions of this law, 
especially if the controller has not sufficiently identified or mitigated 
risks, the supervisory authority gives written instructions to the controller or controller 
subcontractor within six weeks of receipt of the request for consultation, without prejudice to 
to be able to adopt other measures within its competence. 
6 - The term provided for in the preceding paragraph may be extended by one month, taking into account 
complexity of the treatment in question, and the supervisory authority must inform the person 
for the treatment or the subcontractor of that extension and the respective grounds. 
Page 54 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 54 
Article 31 
Treatment security 
1 - The controller and the subcontractor adopt the technical and organizational measures 
appropriate measures to ensure a level of safety appropriate to the risk, in particular 
with regard to the processing of the special categories of personal data referred to in Article 6 
2 - With regard to automated data processing, the person responsible for processing or 
the subcontractor, taking into account the risk assessment, must apply measures that: 
a ) Prevent unauthorized persons from accessing the equipment used for the treatment 
(equipment access control); 
b ) Prevent data media from being read, copied, altered or removed without 
torization (control of data carriers); 
c ) Prevent the unauthorized introduction of personal data, as well as any operation 
unauthorized in relation to retained personal data (conservation control); 
d ) Prevent automated treatment systems from being used by people who are not 
authorized by means of data communication equipment (user control); 
e ) Ensure that persons authorized to use an automated treatment system 
only have access to the personal data covered by their access authorization (control of the 
access to data); 
f ) Ensure that it can be verified and determined to which bodies the personal data 
were or may be transmitted or made available using data communication equipment 
(communication control); 
g ) Ensure that personal data can be verified and determined a posteriori 
introduced into automated treatment systems, when and by whom they were introduced 
(introduction control); 
h ) Prevent that, during the transfer of personal data or the transport of media 
data, personal data can be read, copied, altered or deleted without authorization 
(transport control); 
i ) Ensure that the systems used can be restored in the event of an interruption 
(recovery); 
j ) Ensure that the functions of the system work, that operating errors are 
(reliability) and that the personal data retained cannot be falsified by 
malfunction of the system (integrity). 
3 - The provision of the preceding paragraph is applicable, with due adaptations, to the treatment 
manual of data contained or destined to a structured file. 
Article 32 
Notification of a personal data breach to the supervisory authority 
1 - In the event of a personal data breach, the controller shall notify 
the supervisory authority within 72 hours of becoming aware of the situation, unless 
the violation is not likely to result in a risk to the rights, freedoms and guarantees of 
natural persons. 
2 - In cases where it is not possible to make the notification within 72 hours, the 
responsible for the treatment must indicate the reasons for the delay. 
3 - The notification referred to in paragraph 1 is confidential and must, as a minimum: 
a ) Describe the nature of the personal data breach, including, if possible and appropriate, 
the categories and the approximate number of data subjects affected and the categories and the number 
approximate number of personal data records concerned; 
b ) Communicate the name and contact details of the person in charge of data protection or other point 
contact details for the purpose of providing additional information; 
Page 55 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 55 
c ) Describe the likely consequences of the breach of personal data; 
d ) Describe the measures taken or proposed by the controller to repair 
the breach of personal data, namely, where applicable, to mitigate any possible 
negative effects. 
4 - In cases where it is not possible to be provided simultaneously, the information 
referred to in the previous number may be provided after the notification, without delay 
unjustified. 
5 - The controller is responsible for documenting any breach of personal data, including 
the facts related to it, its effects and the remedial measures adopted, in order to 
allow the supervisory authority to verify compliance with the provisions of this Article. 
6 - If the data breach involves personal data that has been transmitted by or 
to the controller in another Member State, the information referred to in paragraph 3 is 
communicated without undue delay. 
7 - In cases of subcontracting, the subcontractor shall notify the person responsible for processing 
any personal data breach of which you are aware, without undue delay. 
8 - The notification provided for in the preceding paragraphs does not affect the reporting of incidents 
competent authorities. 
Article 33 
Communication of a personal data breach to the data subject 
1 - In the event of a personal data breach likely to result in a high level of 
risk to the rights, freedoms and guarantees of the data subject, the controller 
communicates the violation to you without undue delay. 
2 - Communication to the data subject describes, in clear and simple language, the nature 
breach of personal data and includes the information and measures referred to in points b ) , c ) 
and d ) of paragraph 3 of the previous article. 
3 - Communication is waived in cases where: 
a ) The controller has taken appropriate protective measures, both technically and 
as organizational, and these have been applied to the data affected by the breach of 
personal data, namely encryption; 
(b ) the controller has taken subsequent measures to ensure that the 
realization of the high risk referred to in paragraph 1 is no longer probable; or 
c ) Imply a disproportionate effort, in which case the controller 
inform data subjects in another equally effective way, notably through co-financing 
public communication. 
4 - If the controller has not reported a personal data breach 
the data subject, the supervisory authority, if he considers that the breach of personal data 
result in a high risk to your rights, freedoms and guarantees, you can demand from the responsible 
to proceed with such communication or dismiss it for the reasons indicated in the previous number. 
5 - The communication provided for in paragraph 1 may be postponed, limited or omitted subject to the 
conditions and for the reasons set out in paragraph 5 of article 13. 
Article 34 
Designation of the data protection officer 
1 - The controller shall designate a data protection officer for the 
assist in monitoring compliance with the obligations arising from this law, including in the 
processing of the data carried out on its behalf by the subcontractor. 
2 - The obligation provided for in the preceding paragraph does not apply to the courts or the Ministry 
Público, in the exercise of its procedural powers. 
Page 56 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 56 
3 - The data protection officer is appointed on the basis of his qualities 
professionals, in particular in their specialized knowledge in the field of legislation and 
data protection practices and their ability to perform the functions referred to in 
following article. 
4 - A single data protection officer may be assigned to several authorities 
competent, taking into account its size and organizational structure. 
5 - Without prejudice to the provisions of paragraph b ) of paragraph 1 of article 14, the controller 
inform the supervisory authority of the contact details of the data protection officer. 
Article 35 
Duties of the Data Protection Officer 
The data protection officer is responsible, in particular: 
a ) Inform and advise the controller and the workers who carry out the 
treatment as to their obligations under this law and other provisions 
legal provisions relating to the protection of personal data; 
b ) To monitor compliance with this law and other legal provisions on the protection of 
personal data, as well as the guidelines of the controller in terms of protection 
personal data, including the allocation of responsibilities, awareness and training of the 
personnel involved in processing operations and the corresponding audits; 
c ) Provide advice, when requested, with regard to impact assessment and con 
monitor its implementation, pursuant to article 29; 
d ) Cooperate with the supervisory authority; 
e ) To be a point of contact and to support the supervisory authority in matters related to the 
data processing, including the prior consultation referred to in Article 29. 
Article 36 
Exercise of functions by the data protection officer 
1 - The controller is responsible for ensuring that the data protection officer is 
appropriately and in a timely manner in all matters relating to the protection of 
personal data. 
2 - The controller supports the data protection officer in performance 
functions, granting him access to personal data and processing operations, and 
providing you with the necessary resources for that purpose and for updating your knowledge. 
3 - The controller and the subcontractor shall ensure that the controller 
data protection does not receive instructions regarding the performance of its duties and that it does not 
he may not be removed or penalized for exercising them. 
4 - The data protection officer is not prevented from exercising other functions, 
provided that the controller or the subcontractor ensures that from exercising it 
there is no conflict of interest. 
CHAPTER V 
Transfers of personal data to third countries 
or for international organizations 
Article 37 
General principles applicable to transfers of personal data 
1 - Without prejudice to other conditions required by law, the competent authorities may only 
transfer personal data to a third country or to an international organization, including 
Page 57 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 57 
data for further transfers to another third country or another 
international organization if: 
a ) The transfer is necessary for the pursuit of the purposes foreseen in article 1; 
b ) Personal data is transferred to a controller in the third country 
or the international organization competent for the purposes provided for in Article 1, without 
judgment of the provisions of article 41; 
(c ) where personal data have been transmitted or made available by another Member State 
Member State, that State has given its prior consent to the transfer, without prejudice to the 
the following number; 
d ) An adequacy decision has been taken, in accordance with the provisions of article 38, or 
adequate guarantees have been provided, in accordance with Article 39, or the 
derogations provided for in Article 40; 
(e ) in the case of a subsequent transfer to a third country or to an international organization 
international authority, the competent authority which carried out the initial transfer or another 
competent authority of the same Member State to authorize further transfer, after taking into account all 
relevant factors, namely the seriousness of the criminal offense, the purpose for which the data 
personal data were initially transferred and the level of protection in the third country or organization 
international law to which personal data are subsequently transferred; and 
f ) The transfer does not compromise the level of protection of persons ensured by the 
feel law. 
2 - Transfers without the prior consent referred to in paragraph c ) of the previous number 
are only permitted if they are necessary to prevent an immediate and serious threat to security. 
public security of a Member State or a third country, or to the essential interests of a Member 
Member State, and prior consent cannot be obtained in good time. 
3 - In the case provided for in the preceding paragraph, the authority responsible for giving consent 
is informed without delay. 
Article 38 
Transfers based on an adequacy decision 
1 - The transfer of personal data to a third country or to an international organization 
international cooperation can be carried out on the basis of an adequacy decision by the European 
determines that the third country, territory or one or more specific sectors of that third country, or 
the international organization concerned, ensure an adequate level of protection. 
2 - The transfer of personal data based on an adequacy decision does not require a 
specific authorization. 
3 - The acts of the European Commission that revoke, alter or suspend the decision to 
adequacy are without prejudice to transfers of personal data to the third country, territory or 
specific sector of the third country, or to the international organization concerned, carried out in 
pursuant to Articles 39 and 40 
Article 39 
Transfers subject to adequate guarantees 
1 - In the absence of an adequacy decision, or in the case of revocation or suspension of 
adequacy adjustments, personal data may be transferred to a third country or to a
international organization if: 
a ) Adequate guarantees have been provided with regard to data protection 
personal data by means of a legally binding instrument; or 
Page 58 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 58 
(b ) the controller has assessed all the circumstances inherent in the transfer 
transfer of personal data and concluded that there are adequate guarantees regarding the 
protection of such data. 
2 - The controller shall inform the supervisory authority about the categories of data 
transfers covered by subparagraph b ) of the previous number. 
3 - Transfers based on paragraph b ) of paragraph 1 are documented, and the 
responsible for processing make available to the supervisory authority, at its request, all documentation 
relevant information, including information on the date and time of the transfer, the competent authority 
receiving them, the justification for the transfer and the personal data transferred. 
Article 40 
Derogations applicable in specific situations 
1 - In the absence, revocation or suspension of an adequacy decision or adequate guarantees 
pursuant to the preceding articles, the transfer or categories of data transfers 
personal data to a third country or to an international organization can only be carried out if 
necessary: 
a ) To protect the vital interests of the data subject or of another person; 
b ) To safeguard the legitimate interests of the data subject; 
(c ) In order to prevent an immediate and serious threat to the public security of a Member 
Member State or a third country; 
d ) In specific cases, for the pursuit of the purposes established in article 1; or 
e ) In specific cases, to declare, exercise or defend, in the context of judicial proceedings, 
a right related to the purposes set out in Article 1. 
2 - Even if the grounds provided for in subparagraph d ) or subparagraph e ) of the 
previous paragraph, personal data are not transferred if the competent authority for 
proceed with the transfer considers that the fundamental rights, freedoms and guarantees of the 
data subject in question prevail over the purposes that would motivate the transfer by 
public interest. 
3 - Data transfers carried out pursuant to paragraph 1 are limited to data strictly 
necessary for the purpose pursued. 
4 - The controller is responsible for documenting the relevant information regarding the 
transfers made under paragraph 1, and the documentation must be made available to the 
control, at the request of the latter, including information on the date and time of the transfer, 
competent authority receiving them, the justification for the transfer and personal data 
transferred. 
Article 41 
Transfers of personal data to recipients established in third countries 
1 - By way of derogation from paragraph b ) of paragraph 1 of article 37 and without prejudice to a 
international agreement as defined in the following paragraph, a public authority with 
prevention, investigation, detection or prosecution of criminal offenses or enforcement of sanctions 
criminal law, including safeguarding and preventing threats to public security, may in 
transfer personal data directly to recipients established in third countries 
provided that, in compliance with the provisions of the present law, the following 
cumulative conditions: 
(a ) the transfer is strictly necessary for a role performed by the competent authority 
competent authority that carries out the transfer and provided for by law, in view of the purposes indicated 
in Article 1; 
Page 59 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 59 
b ) The competent authority making the transfer considers that the rights, freedoms 
fundamental guarantees and guarantees of the data subject in question do not prevail over the purposes 
require the transfer in the present case; 
(c ) the competent authority making the transfer considers that the transfer to a 
competent authority for the purposes referred to in Article 1, in the third country, proves ineffective 
or inadequate, namely because it is not possible to carry it out in a timely manner; 
(d ) the competent authority for the purposes referred to in Article 1 in the third country is informed 
without undue delay, unless it proves to be ineffective or inappropriate; and 
(e ) the competent authority making the transfer informs the recipient of the purpose or 
of the specific purposes for which the personal data must be processed, provided that the processing 
necessary. 
2 - For the purposes provided for in the preceding paragraph, an international agreement means a 
bilateral or multilateral international agreement in force between Member States and third countries 
in the field of judicial cooperation in criminal matters and police cooperation. 
3 - The competent authority making the transfer shall inform the supervisory authority 
on transfers covered by this Article. 
4 - Transfers made under the terms of this article must be documented by the 
responsible for the treatment. 
Article 42 
International cooperation in the field of personal data protection 
In relation to third countries and international organizations, controllers 
take the necessary measures to: 
a ) Establish international cooperation procedures aimed at facilitating the application 
enforcement of legislation on the protection of personal data; 
b ) Provide mutual assistance in the application of data protection legislation 
personal information, namely through notification, transmission of complaints, assistance with 
investigation and exchange of information, subject to appropriate guarantees for the 
protection of personal data and other fundamental rights and freedoms; 
c ) To involve interested parties in debates and activities aimed at promoting cooperation 
international cooperation in the application of the legislation on the protection of personal data; 
d ) Promote the exchange and documentation of legislation and practices in the field of 
protection of personal data, including on jurisdictional conflicts with third countries. 
CHAPTER VI 
Supervisory authority 
Article 43 
Supervisory authority 
1 - CNPD is responsible for guaranteeing and monitoring compliance with this law. 
2 - The provisions of the previous number do not apply to the processing of personal data carried out 
by the courts and the Public Prosecution Service in the exercise of their procedural powers. 
3 - For the purposes of paragraph 1, CNPD includes a judicial magistrate, appointed by the Council 
Superior of the Judiciary, and a Public Prosecutor, appointed by the Superior Council 
of the Public Ministry. 
4 - It is exclusively for the magistrates referred to in the previous number, without prejudice 
of the competences of the president of CNPD, the exercise of the attributions of CNPD that imply 
access to data to be processed or to chronological records of processing operations. 
5 - The appointment of the members of the CNPD referred to in paragraph 3 is made in committee 
of service. 
Page 60 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 60 
Article 44 
Assignments 
1 - In the exercise of the functions referred to in paragraph 1 of the previous article, CNPD is responsible for: 
a ) To monitor compliance and enforce the provisions of this law; 
b ) Promote public awareness and understanding of the risks, rules, 
guarantees and rights associated with the processing of personal data; 
c ) Propose and issue an opinion on legislative and administrative measures related to 
with the protection of the rights and freedoms of individuals with regard to data processing 
personal; 
d ) Promote the awareness of controllers and subcontractors to 
their obligations under the terms of this law; 
e ) Provide information to data subjects, if requested, about the exercise of 
your rights under this law; 
f ) Handle and decide on complaints made by data subjects or by an organization, 
non-profit organization or association, under the terms of articles 47 and 50, and to investigate, in the 
as necessary, the content of the complaint, informing the plaintiff of the progress and outcome 
investigation within a reasonable timeframe, especially if investigative operations are necessary 
complementary coordination or coordination with another supervisory authority; 
g ) Verify the lawfulness of the treatment and, within a reasonable period, inform the data subject of the 
result of the verification, in accordance with the provisions of Article 18, or of the reasons that prevented the 
its realization; 
h ) Cooperate, namely by sharing information, and providing mutual assistance to other 
supervisory authorities, with a view to ensuring consistency in the application and enforcement of 
this law; 
i ) Conduct investigations into the application of this law, namely on the basis of 
information received from another supervisory authority or another public authority; 
j ) To monitor relevant developments, particularly in terms of the evolution of technologies 
information and communication technologies, insofar as they have an impact on data protection 
personal; 
k ) Provide advice on the processing operations referred to in article 30; 
l ) Contribute to the activities of the Committee created by Regulation (EU) 2016/679 of the 
European Parliament and of the Council of 27 April 2016, within the scope of the tasks referred to 
Article 51 of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 
2016. 
2 - CNPD facilitates the submission of complaints provided for in subparagraph f ) of paragraph 1, namely 
making forms available for filling and electronic presentation, without excluding others 
media. 
3 - The exercise of the CNPD's duties is free of charge for the data holder and for the incumbent 
data protection personnel. 
4 - In cases where the request of the data subject is manifestly unfounded or 
process, namely due to its repetitive nature, the controller, by means of 
reasoned decision, may: 
a ) Demand the payment of a fee of an amount to be fixed by order of the member of the Government 
responsible for the area of justice, taking into account the associated administrative costs; or 
b ) Refuse to comply with the request. 
5 - In the cases provided for in the preceding paragraph, the decision of the CNPD must be duly 
and demonstrate the manifestly unfounded or excessive character of the request. 
Page 61 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 61 
Article 45 
Powers 
1 - In the exercise of its powers, CNPD has powers of investigation and correction. 
2 - The investigative powers referred to in the preceding paragraph include the power to obtain 
responsible for data processing and the subcontractor authorizing access to all data 
personal data subject to treatment and to all the information necessary for the exercise of their duties. 
3 - In exercising its powers of correction, CNPD may: 
a ) Warn the data controller or the subcontractor that the operations 
of treatment are likely to violate the provisions of this law; 
b ) Order the data controller or the subcontractor to comply with the 
treatment operations to the provisions of this law, if necessary in a certain way and 
within a specified period, and, in particular, order the rectification or erasure of personal data 
or the limitation of treatment under the terms of article 17; 
c ) Impose a temporary or definitive limitation on treatment. 
4 - The exercise of the powers conferred to the supervisory authority under the terms of the 
previous cases is subject to adequate procedural guarantees under the law, including the right to 
legal action and a fair and equitable process. 
5 - CNPD reports violations of the provisions of this law to the judicial authorities 
and bodies with disciplinary competence and, if appropriate, may take legal action or intervene 
in legal proceedings, under the terms of the law. 
6 - Communications of violations of this law or related thereto are subject to 
confidentiality. 
Article 46 
Activities Report 
1 - CNPD prepares an annual activity report on the inspection of the application and the 
compliance with this law, which may include a list of the types of reported violations and the 
types of sanctions applied, and in matters relating to the courts and the Public Prosecutor's Office 
the necessary reservation must be taken into account. 
2 - The report is presented to the Assembly of the Republic and sent to the member of the Government 
responsible for the area of justice, the Superior Council for the Judiciary, the Attorney General's Office 
Republic and the other bodies and entities responsible for data management, under the terms 
of Law No. 34/2009, of July 14, in its current wording. 
3 - The report is made available to the public, the European Commission and the Committee to which it refers 
Article 44 ( 1 ) ( l ) 
CHAPTER VII 
Means of guardianship and responsibility 
Article 47 
Right to complain to the supervisory authority 
1 - Without prejudice to other legal protection measures provided for by law, the data subject has the 
right to lodge a complaint with the supervisory authority, on the grounds that the treatment of 
your personal data violates the provisions of this law. 
2 - If the complaint is not submitted to the competent supervisory authority under the terms of 
Article 43 (1), the supervisory authority to which it is presented shall transmit it without undue delay 
the competent supervisory authority, informing the data subject of such transmission and 
providing you, if requested, additional assistance. 
Page 62 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 62 
3 - The data subject is informed by the progress and result control authority 
of the complaint, namely the possibility of taking legal action under the terms of the following article. 
Article 48 
Right to bring legal action against the supervisory authority 
1 - Without prejudice to other legal remedies provided for by law, any natural or legal person 
group has the right to bring legal action against any legally binding decision 
concerning him taken by the supervisory authority. 
2 - Data subjects have the right to take legal action in cases where the authority 
the supervisory authority does not assess the complaint lodged or fails to inform the data subject, 
three months, the progress or outcome of the complaint lodged. 
Article 49 
Right to bring legal action against a controller or a processor 
Without prejudice to other legal remedies provided for by law, namely the right to apprehend 
complain to the supervisory authority, data subjects have the right to take legal action 
against the controller or against the subcontractor on the grounds of breach of 
rights conferred by this law. 
Article 50 
Representation of data subjects 
The data subject has the right to mandate a non-profit body, organization or association 
for profit, duly constituted under the terms of the law, whose statutory objectives are of interest 
public and whose activity covers the protection of the rights and freedoms of data subjects with respect to 
to the protection of your personal data, to file a complaint or take legal action on your behalf, 
under the preceding articles, without prejudice to the requirement of representation by a lawyer, in 
applicable law. 
Article 51 
Right to compensation 
Anyone who has suffered damage, property or non-property, caused by a 
breach of the provisions of this law is entitled to receive from the controller or 
any other competent authority compensation for the damage suffered, in accordance with 
non-contractual civil liability regime of the State and other public entities. 
CHAPTER VIII 
Sanctions 
SECTION I 
Counterordinations 
Article 52 
Counterordinations 
1 - Without prejudice to the sanctioning regime established in Law no. 58/2019, of 8 August, 
applicable for non-compliance with the obligations provided for in Regulation (EU) 2016/679 of the Parliament 
Page 63 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 63 
European Parliament and of the Council, of 27 April 2016, within the scope of the application of this law 
very serious misdemeanors the following conducts: 
a ) Recourse to another subcontractor without prior authorization from the controller 
personal data, in violation of paragraph 2 of article 23; 
b ) Recourse to another subcontractor in opposition to the will of the person responsible for the 
data processing, even if there is a general authorization referred to in paragraph 3 of article 23; 
c ) The processing of personal data in violation or in addition to the instructions of the 
responsible for data processing, in breach of the obligation provided for in paragraph a ) of paragraph 5 
Article 23; 
d ) Failure to comply with the obligation to permanently delete or return data 
to the person responsible, depending on his choice, after the completion of the processing services 
data, provided for in paragraph d ) of paragraph 5 of article 23; 
e ) Non-compliance with the obligation to keep the chronological records provided for in paragraph 1 
Article 27; 
f ) The keeping of chronological records that do not cover the totality of the operations of 
treatment provided for in paragraph 1 of article 27 or that do not comply with the requirements provided for in paragraphs the 2 and 6 of the same article; 
g ) The use of chronological records for purposes not provided for in paragraph 3 of article 27; 
h ) Failure to comply with the obligation to adopt appropriate technical and organizational measures 
the protection of personal data, in violation of the requirements provided for in paragraphs The 2 and 3 of Article 31 
2 - Without prejudice to the sanctioning regime established by Law no. 58/2019, of 8 August, 
applicable for non-compliance with the obligations provided for in Regulation (EU) 2016/679 of the Parliament 
European Parliament and of the Council, of 27 April 2016, within the scope of the application of this law 
serious misdemeanors the following conducts: 
a ) Failure to comply with the obligation to inform in advance the data controller 
data on changes to the hiring of other subcontractors, provided for in paragraph 3 of article 23; 
b ) Failure to comply with the obligation to notify the controller without delay 
justified, in case of personal data breach, provided for in paragraph 7 of article 32; 
c ) Failure to comply with the obligation to keep a record of activities or the conservation 
an activity register that does not comply with all the requirements set out in paragraphs the 3 and 4 
Article 26 
3 - The practice of administrative offenses provided for in paragraph 1 is punishable by a fine: 
a ) From € 5000 to € 20,000,000 or 4% of annual worldwide turnover, as 
whichever is higher, in the case of a large company; 
b ) From € 2000 to € 2,000,000 or 4% of annual worldwide turnover, as 
whichever is higher, in the case of small and medium-sized companies; 
c ) From 1000 € to 500 000 €, in the case of a natural person. 
4 - The practice of administrative offenses provided for in paragraph 2 is punishable by a fine: 
a ) From 2500 € to 10 000 000 € or 2% of annual turnover, worldwide, depending on 
whichever is higher, in the case of a large company; 
b ) From € 1000 to € 1,000,000 or 2% of annual worldwide turnover, as 
whichever is higher, in the case of small and medium-sized companies; 
c ) From € 500 to € 250,000, in the case of a natural person. 
5 - The provisions of the preceding paragraphs apply equally to public entities and 
without prejudice to public entities, upon duly substantiated request, 
can request CNPD to waive the imposition of fines for a period of three years from the date of 
the entry into force of this law. 
Page 64 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 64 
SECTION II 
Crimes 
Article 53 
Improper access to data 
1 - Whoever, without due authorization or justification, accesses data in any way 
personal data treated under this law, is punished with imprisonment of up to one year or with 
fine up to 120 days. 
2 - The penalty is increased twice as much in its limits when access: 
a ) It is achieved through violation of technical safety rules; 
b ) Has provided the agent or third parties with a patrimonial benefit or advantage; or 
c ) Has undermined investigations, investigations, legal proceedings or the enforcement of sanctions 
criminal offenses. 
Article 54 
Deviation of data 
1 - Whoever copies, subtracts, assigns or transfers personal data, against payment or free of charge 
treated under this law, without legal provision or consent, shall be punished with a penalty of 
imprisonment up to 2 years or with a fine of up to 240 days. 
2 - The penalty is increased twice as much in its limits when the conduct: 
a ) It is achieved through violation of technical safety rules; 
b ) Has provided the agent or third parties with a patrimonial benefit or advantage; or 
c ) Has undermined investigations, investigations, legal proceedings or the enforcement of sanctions 
criminal offenses. 
Article 55 
Use of data in a manner incompatible with the purpose of collection 
Anyone who uses personal data processed under this law in a manner incompatible with 
the determining purpose of the respective collection is punished with imprisonment up to 2 years or with 
penalty of up to 240 days. 
Article 56 
Illegal data interconnection 
Who intentionally promotes or makes an illegal interconnection of personal data 
treated under this law, is punished with imprisonment for up to 2 years or with a fine 
up to 240 days. 
Article 57 
Addiction or data destruction 
1 - Whoever, without proper authorization or justification, erases, destroys, damages, hides, 
priming or modifying personal data processed under this law, rendering them unusable or 
affecting its potential for use, is punished with imprisonment of up to 2 years or with 
fine up to 240 days. 
2 - The penalty is increased to double in its limits if the damage produced is particularly 
serious. 
Page 65 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 65 
3 - In the situations provided for in the preceding paragraphs, if the agent acts negligently, it is 
punished: 
a ) With a prison sentence of up to 1 year or a fine of up to 120 days, in the case provided for in paragraph 1; 
b ) With a prison sentence of up to 2 years or a fine of up to 240 days, in the case provided for in paragraph 2. 
Article 58 
Breach of the duty of secrecy 
1 - Who, bound by professional secrecy under the law, without just cause and without due 
consent, reveal or disclose, in whole or in part, personal data processed under the 
this law, is punished with imprisonment for up to 2 years or with a fine of up to 240 days. 
2 - The penalty is doubled in its limits if the agent: 
a ) is an employee or equivalent, under the terms of criminal law, a lawyer or solicitor; 
b ) is in charge of data protection; 
c ) Is determined by the intention to obtain any equity advantage or other benefit 
illegitimate; 
d ) Endanger the reputation, honor or privacy of the private life of others; or 
e ) Has undermined investigations, investigations, legal proceedings or the enforcement of sanctions 
criminal offenses. 
3 - Negligence is punishable by imprisonment of up to 6 months or a fine of up to 120 days. 
Article 59 
Qualified disobedience 
1 - Whoever does not comply with the obligations provided for in this law, after exceeding the 
period which has been set by the supervisory authority for compliance is punishable by 
the penalty corresponding to the crime of qualified disobedience. 
2 - Any person who, after being notified, incurs the same penalty as the previous number: 
a ) Not making chronological records available to CNPD, pursuant to paragraph 4 of article 27; 
b ) Refuse, without just cause, the collaboration that is specifically required under the terms of the 
Article 28; 
c ) Refuse the access provided for in paragraph 2 of article 45; 
d ) Failing to comply with the order given under paragraph b ) of paragraph 3 of article 45, especially not 
proceed with the deletion or rectification of personal data; 
e ) Failure to respect the imposition of a temporary or definitive limitation on the processing of data 
personal data, under the terms of paragraph c ) of no. 3 of article 45. 
Article 60 
Inserting false data 
1 - Whoever enters or facilitates the insertion of false personal data, with the intention of obtaining 
improper advantage for yourself or for a third party, or to cause injury, is punishable by imprisonment 
up to 2 years or with a penalty of up to 240 days. 
2 - The penalty is increased twice as much in its limits if the insertion referred to in the previous number 
result in an effective loss. 
Page 66 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 66 
Article 61 
Punishment of the attempt 
In the crimes provided for in this chapter, the attempt is always punishable. 
Article 62 
Liability of legal persons 
Legal persons and similar entities, with the exception of the State, of legal persons 
the exercise of the prerogatives of public authorities and organizations under international law 
public, are responsible for the crimes provided for in this section, under the terms of article 11. 
of the Penal Code. 
SECTION III 
Common provisions 
Article 63 
Infringement contest 
1 - If the same fact constitutes both a crime and an offense, the agent is always 
punished as a crime. 
2 - When there is a crime and administrative offense contest, or when, due to the same fact, 
one person must respond as a crime and another as an offense, the processing of the 
offense is the responsibility of the competent authorities for criminal proceedings, under the terms of the 
general of the illicit of mere social order. 
Article 64 
Accessory penalty 
Together with the penalties provided for in this chapter, sanctions may be applied 
accessories provided for in article 56 of Law no. 58/2019, of 8 August. 
Article 65 
Applicability of other sanctioning regimes 
1 - The provisions of this chapter are without prejudice to the application of articles 37 to 56 of the Law 
58/2019, of 8 August, or the provisions of the Penal Code, if such application results, in 
more serious sanction. 
2 - The provisions of this chapter are without prejudice to the application of Law No. 109/2009, of 15 
September. 
Article 66 
Civil and disciplinary liability 
The provisions of this chapter are without prejudice to the enforcement of civil liability or 
disciplinary responsibility. 
Page 67 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 67 
CHAPTER IX 
Final and transitional provisions 
Article 67 
Relationship with other European Union legal acts and existing international agreements 
1 - The specific provisions for the protection of personal data provided for in legal acts 
European Union adopted before 6 May 2016 in the field of judicial cooperation in 
criminal matters and police cooperation, which regulate treatment between Member States and the 
access by the designated authorities of the Member States to the information systems set up 
under the Treaties, remain unchanged. 
2 - International agreements that involve the transfer of personal data to countries 
third parties or international organizations, entered into by the Portuguese State before 6 
May 2016, and which comply with European Union law applicable before that date, 
continue to be in effect until they are amended, replaced or revoked. 
3 - All references made to the Personal Data Protection Law, approved by the Law 
67/98, of 26 October, are considered to be made for the regime of the present law, when they say 
regard to the protection of natural persons with regard to the processing of personal data 
competent authorities for the purpose of preventing, detecting, investigating or prosecuting 
criminal offenses or enforcement of criminal sanctions, including safeguarding and preventing 
threats to public security. 
Article 68 
Data relating to the judicial system 
1 - The processing of data contained in criminal proceedings, judicial decisions or registration 
criminal law is regulated under criminal procedural law. 
2 - The processing of data relating to the judicial system is subject to its own legal regime, 
contained in Law No. 34/2009, of 14 July. 
Article 69 
Integrated criminal information system 
The provisions of this law do not imply any restriction or limitation on sharing and exchange 
between criminal police bodies and between them and the judicial authorities, within the scope of 
duty of cooperation established in the criminal investigation organization law, namely 
of the integrated criminal information system established under the terms of Law no. 73/2009, of 12 
August, amended by Law No. 38/2015, of 11 May. 
Article 70 
Transitional regime 
1 - The conformation of the automated treatment systems created before May 6, 
2016 with the requirements set out in article 27 must be ensured by those responsible for the 
as soon as possible, until May 6, 2023, or, when compliance with this deadline causes 
serious difficulties in the operation of an automated treatment system, until May 6 
2026. 
2 - Without prejudice to the provisions of the preceding paragraph, the data controller 
must have effective methods in order, by the end of the compliance period, to be able to demonstrate the 
lawfulness of data processing, allow self-control and guarantee the integrity and security of data 
data, such as chronological or other records. 
Page 68 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 68 
Article 71 
Implementation 
This law enters into force on the day following that of its publication. 
Approved on June 14, 2019. 
The President of the Assembly of the Republic, Eduardo Ferro Rodrigues. 
Enacted on July 26, 2019. 
Publish yourself. 
The President, M ARCELO R EBELO OF S DARE . 
Countersigned on July 30, 2019. 
For the Prime Minister, Augusto Ernesto Santos Silva, Minister of Foreign Affairs. 
112493516 
www.dre.pt 
Page 69 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 69 ASSEMBLY OF THE REPUBLIC 
Resolution of the Assembly of the Republic no. 138/2019 
Summary: Termination of Decree-Law no. 20/2019, of January 30, which materializes the 
framework for transferring competences to municipal bodies in the fields of 
protection and animal health and food safety. 
Termination of Decree -Law no. 20/2019, of January 30, which materializes the transfer framework 
of competencies for municipal bodies
Page 70 
           
The Assembly of the Republic resolves, under the terms of paragraph 5 of article 166, of n. paragraphs 1 and 4 of the 169 of the Constitution, paragraph 2 of article 193 and article 194 of the Rules of Procedure, to end of Decree -Law no. 20/2019, of January 30, which establishes the framework for the transfer of 
competences for municipal bodies in the fields of animal protection and health and safety 
of food. 
Approved on July 19, 2019. 
The President of the Assembly of the Republic, Eduardo Ferro Rodrigues . 
112476814 
www.dre.pt 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 70 FOREIGN BUSINESS 
Notice No. 70/2019 
Summary: The Ministry of Foreign Affairs of the Kingdom of the Netherlands has notified the 
Republic of Nicaragua, acceded in accordance with Article 63, to the Convention 
Concerning Jurisdiction, Applicable Law, Recognition, Enforcement and Cooperation 
on Parental Responsibility and Child Protection Measures, 
adopted in The Hague on October 19, 1996. 
By higher order it is made public that, by notification of February 28, 2019, the Ministry of 
Foreign Affairs of the Kingdom of the Netherlands has notified the Republic of Nicaragua, 
adhered in accordance with article 63, the Convention on Jurisdiction, the Applicable Law, 
Recognition, Enforcement and Cooperation in Matters of Parental Responsibility and 
Child Protection Measures, adopted in The Hague on October 19, 1996. 
(Translation) 
Accession 
Nicaragua - 27 -02 -2019 
The Convention will enter into force for Nicaragua on December 1, 2019, in accordance with 
with Article 61 (2) ( b ) 
Under Article 58 (3), accession will only take effect between Nicaragua and the United 
Contracting States who will not have raised any objection within six months from the date of 
date of this notification. 
For practical reasons, the said six-month period ends on August 31, 2019. 
The Portuguese Republic is a Party to the Convention, which was approved by Decree No. 52/2008, 
published in the Diário da República, 1st series, no. 221, of 13 November 2008. 
Under the terms of paragraph a ) of paragraph 2 of article 61 of the Convention, it is in force for 
the Portuguese Republic since August 1, 2011. 
The Central Authority is the Directorate-General for Reintegration and Prison Services of the Ministry of 
Justice that, under the terms of article 34, of Decree -Law no. 215/2012, published in the Diário da República 
public, 1st series, no. 189, of September 28, 2012, succeeded in competences to the Directorate-General 
of Social Reintegration of the Ministry of Justice. 
Department of Legal Affairs, July 26, 2019. - The Director, Susana Vaz Patto . 
112480394 
www.dre.pt 
Page 71 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 71 FOREIGN BUSINESS 
Notice No. 71/2019 
Summary: The Ministry of Foreign Affairs of the Kingdom of the Netherlands has notified that 
Tunisian Republic modified its authority to the Convention on the Suppression 
of the Requirement of the Legality of Foreign Public Acts, adopted in The Hague, on 5 
October 1961. 
By higher order it is made public that, by notification of February 26, 2019, the Minister 
of Foreign Affairs of the Kingdom of the Netherlands, notified that the Tunisian Republic 
modified its authority to the Convention on the Suppression of the Legality Requirement of 
Foreign Public Acts, adopted in The Hague, on October 5, 1961. 
(Translation) 
Authority 
Tunisia, 25 -02 -2019 
[...] the Notaries of Tunisia are appointed as Competent Authorities, in accordance with 
with Article 6, paragraph 2, of the Convention [...]. As of March 1, 2019, notaries 
will be the only authority in Tunisia authorized to issue Handouts, in accordance with the 
legal provisions of the Convention [...]. The list of notaries practicing this profession in Tunisia is established by 
decree of the Tunisian Minister of Justice. 
The Portuguese Republic is a Party to the same Convention, which has been approved for ratification 
by Decree-Law No. 48 450, published in the Government Gazette, 1st series, No. 148, of June 24, 
1968, and ratified on December 6, 1968, in accordance with the Notice published in the Government Gazette , 
1st series, no. 50, of February 28, 1969. 
The Convention entered into force for the Portuguese Republic on February 4, 1969, in accordance 
with the one published in the Diário do Governo, 1st series, no. 50, of February 28, 1969. 
The issuance of handouts or their verification, provided for in Articles 3 and 7, respectively. 
of the Convention, it is incumbent upon the Attorney General of the Republic, under the terms of paragraph 1 of article 2 of Decree -Law no. 86/2009, of 3 April, such powers may be delegated to the Attorneys- 
-District Generals of Porto, Coimbra and Évora and in the Attorneys -Generals -Adjuncts placed together 
of the Representatives of the Republic for the Autonomous Regions, or in magistrates of the Ministry 
Public that manage the Public Prosecutor's Office based in these Regions, under the terms of no. 2 of 
referred to in article 2, in accordance with Dispatch no. 10266/2009, published in the Diário da República, 2nd series, no. 75, of April 17, further determining that Attorneys-General-Deputies placed 
representatives of the Autonomous Regions of Madeira and the Azores may subdelegate 
in the Attorneys of the Republic Coordinators of the Attorneys of the Republic based in those 
Autonomous Regions the referred competences. 
Department of Legal Affairs, July 26, 2019. - The Director, Susana Vaz Patto . 
112480304 
www.dre.pt 
Page 72 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 72 FOREIGN BUSINESS 
Notice No. 72/2019 
Summary: The Ministry of Foreign Affairs of the Kingdom of the Netherlands has notified the 
Republic of Finland made a declaration in accordance with Article 42, 
the Convention on the Taking of Evidence Abroad in Civil or Commercial Matters 
adopted in The Hague on 18 March 1970. 
By higher order it becomes public that, by notification dated October 2, 2018, 
the Ministry of Foreign Affairs of the Kingdom of the Netherlands has notified that the Republic of 
Finland made a declaration in accordance with Article 42, to the Convention on the 
Taking Evidence Abroad in Civil or Commercial Matters, adopted in The Hague, on 18 
March 1970. 
(Translation) 
Declaration 
Finland, 19 -09 -2018 
The Government of Finland takes note of the statements made by Ukraine on 16 
October 2015 concerning the application of the Civil Procedure Convention (1954), Convention 
on the Abolition of the Requirement for the Legalization of Foreign Public Acts (1961), the 
Convention on the Service of Judicial and Extrajudicial Acts Abroad in 
Civil and Commercial Matters (1965), of the Convention on the Taking of Evidence Abroad in 
Civil or Commercial Matters (1970), of the Convention on the Civil Aspects of International Abduction 
Children (1980), the Competence Convention, the applicable law, the Recognition, 
Enforcement and Cooperation on Parental Responsibility and Protective Measures 
Children's Day (1996) and the Convention on the International Collection of Food for Benefit 
Children and other Family Members (2007) to the «Autonomous Republic of Crimea» and the city 
Sebastopol, as well as the statements made by the Russian Federation on 19 July 
2016 regarding Ukraine's statements. 
With regard to the declarations of the Russian Federation, Finland declares, in accordance with 
with the conclusions of the European Council of 20 and 21 March 2014, which does not recognize 
the illegal referendum in Crimea, nor the illegal annexation of the “Autonomous Republic of Crimea” and 
city of Sevastopol by the Russian Federation. 
With regard to the territorial scope of the above-mentioned Conventions, 
Finland therefore considers that the conventions in principle continue to apply to the 
Autonomous Public Authority of Crimea 'and the city of Sevastopol as an integral part of the territory 
of Ukraine. 
Finland also takes note of Ukraine's statements that the 'Autonomous Republic of 
Crimea ”and the city of Sevastopol are temporarily out of their control and that the application and 
Ukraine's performance of its obligations under the Conventions in that part of the territory 
Ukrainian authorities are limited and are not guaranteed, the communication procedure being 
only determined by the central Ukrainian authorities in Kiev. 
In view of the above, Finland declares that it will not communicate and interact directly with the 
authorities of the 'Autonomous Republic of Crimea' and the city of Sevastopol, nor will it accept any 
documents or requests emanating from those authorities or transmitted through the authorities 
of the Russian Federation. It further declares that it will only communicate with the central authorities of the 
Ukraine in Kiev for the purpose of implementing and implementing the above-mentioned Conventions. 
The Portuguese Republic is a Party to the Convention, which has been approved for ratification by the 
Decree No. 764/74, published in the Government Gazette, 1st series, 2nd supplement, No. 302, of 30 
December 1974. 
Page 73 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 73 
The Convention was ratified on March 12, 1975 and is in force for the Republic 
Portuguese since May 11, 1975, according to the notice published in the Diário do Governo, 1st series, 
82, of April 8, 1975. 
The competent Portuguese Authority for this Convention is the Directorate-General for Administration 
Justice that, under the terms of article 31, no. 4, of Decree-Law no. 146/2000, published in the Diário da 
República, 1st series, no. 164, of July 18, 2000, succeeded in competences to the Directorate-General 
of Judicial Services, the authority designated for the Convention as contained in the public notice 
published in the Diário da República, 1st series, no. 122, of May 26, 1984. 
Department of Legal Affairs, July 26, 2019. - The Director, Susana Vaz Patto . 
112480337 
www.dre.pt 
Page 74 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 74 FOREIGN BUSINESS 
Notice No. 73/2019 
Summary: The Ministry of Foreign Affairs of the Kingdom of the Netherlands has notified the 
Republic of Estonia made a declaration in accordance with Article 31, to the 
Convention on the Service of Judicial and Extrajudicial Acts Abroad 
in Civil and Commercial Matters, adopted in The Hague, on November 15, 1965. 
By higher order it becomes public that, by notification of May 2, 2019, the Ministry of 
Foreign Affairs of the Kingdom of the Netherlands has notified that the Republic of Estonia has 
a declaration in accordance with article 31, the Service of Summons and Notification 
Foreign Judicial and Extrajudicial Acts in Civil and Commercial Matters, adopted in The Hague, the 
November 15, 1965. 
(Translation) 
Declaration 
Estonia, 30 -04 -2019 
The Republic of Estonia takes note of the statements made by Ukraine on 16 October 
2015 referring to the application of the Convention on the Suppression of the Requirement of Legislation 
of Foreign Public Acts (1961), the Convention on service in the 
Foreigner of Judicial and Extrajudicial Acts in Civil and Commercial Matters (1965), of the Convention 
on the Taking of Evidence Abroad in Civil or Commercial Matters (1970), of the Convention 
On the Civil Aspects of International Child Abduction (1980), of the Convention on the 
Jurisdiction, Applicable Law, Recognition, Enforcement and Cooperation in Matters 
Parental Responsibility and Child Protection Measures (1996) to the «Autonomous Republic 
Crimea 'and the city of Sevastopol, as well as the statements made by the Federation 
of Russia on 19 July 2016 regarding the statements by Ukraine. 
With regard to the declarations of the Russian Federation, Estonia declares, in accordance with 
with the conclusions of the European Council of 20 and 21 March 2014, which does not recognize 
the illegal referendum in Crimea, nor the illegal annexation of the “Autonomous Republic of Crimea” and 
city of Sevastopol by the Russian Federation. 
With regard to the territorial scope of the aforementioned Conventions, the 
Estonia therefore considers that the conventions continue, in principle, to apply to the 'Republic 
Autonomous Region of Crimea 'and the city of Sevastopol as an integral part of the territory of Ukraine. 
Estonia also takes note of Ukraine's statements that the 'Autonomous Republic of 
Crimea ”and the city of Sevastopol are temporarily out of their control and that the application and 
Ukraine's performance of its obligations under the Conventions in that part of the territory 
Ukrainian authorities are limited and are not guaranteed, the communication procedure being 
only determined by the Government of Ukraine. 
In view of the above, Estonia declares that it will not communicate and interact directly with 
authorities of the 'Autonomous Republic of Crimea' and the city of Sevastopol, nor will it accept any 
documents or requests emanating from those authorities or transmitted through the authorities 
of the Russian Federation. It further declares that it will only communicate with the central authorities of the 
Ukraine in Kiev for the purpose of implementing and implementing the Conventions. 
The Portuguese Republic is a Party to the same Convention, which was approved by Decree-Law 
No. 210/71, published in the Government Gazette, 1st series, No. 116, of May 18, 1971, and ratified 
on December 27, 1973, according to what was published in the Government Gazette, 1st series, no. 20, of 
January 24, 1974. 
The instrument of ratification was deposited on December 27, 1973, in accordance with Notice 
published in the Government Gazette, 1st series, no. 20, of January 24, 1974. 
Page 75 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 75 
This Convention has been in force for Portugal since February 25, 1974, in accordance with 
o Notice published in the Government Gazette, 1st series, no. 20, of January 24, 1974. 
According to Notice no. 361/2010 published in the Diário da República, 1st series, no. 240, of 
December 14, 2010, the Directorate-General for the Administration of Justice of the Ministry of Justice was 
designated as central authority in accordance with Article 2 (1) 
Department of Legal Affairs, July 26, 2019. - The Director, Susana Vaz Patto . 
112480329 
www.dre.pt 
Page 76 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 76 FOREIGN BUSINESS 
Notice No. 74/2019 
Summary: The Ministry of Foreign Affairs of the Kingdom of the Netherlands has notified the 
Federal Republic of Germany, a declaration has been made in accordance with 
Article 63, in relation to the Convention on Jurisdiction, the Applicable Law, the 
Recognition, Enforcement and Cooperation in Matters of Parent Responsibility 
and Child Protection Measures, adopted in The Hague on October 19, 1996. 
By higher order it becomes public that, by notification of June 27, 2018, the Ministry 
Foreign Affairs of the Kingdom of the Netherlands has notified the Federal Republic of Germany 
morning, a declaration was made in accordance with article 63 in relation to the Convention 
Concerning Jurisdiction, Applicable Law, Recognition, Enforcement and Cooperation in 
Parental Responsibility and Child Protection Measures adopted in The Hague, 
on October 19, 1996. 
(Translation) 
Declaration 
Germany, 06 -06 -2018 
The Federal Republic of Germany takes note of the statements made by Ukraine on 
16 October 2015 concerning the application of the Convention on Civil Procedure (1954), 
of the Convention on the Abolition of the Requirement for the Legalization of Foreign Public Acts 
(1961), of the Convention on the Service of Judicial and Foreign Acts Abroad 
in Civil and Commercial Matters (1965), the Convention on the Taking of Evidence in the 
Foreigner in Civil or Commercial Matters (1970), of the Convention on Civil Aspects of the 
International Child Abduction (1980), the Convention on Competence, applicable law, 
Recognition, Enforcement and Cooperation in Matters of Parental Responsibility and 
Child Protection Measures (1996) and the Convention on the International Collection of Food 
for the benefit of children and other family members (2007) to the “Autonomous Republic 
Crimea 'and the city of Sevastopol, as well as the statements made by the Federation 
of Russia on 19 July 2016 regarding the statements by Ukraine. 
In relation to the declarations of the Russian Federation, Germany declares, in accordance with 
with the conclusions of the European Council of 20 and 21 March 2014, which does not recognize the 
illegal injuring in Crimea nor the illegal annexation of the «Autonomous Republic of Crimea» and the city 
of Sevastopol by the Russian Federation. 
With regard to the territorial scope of the above-mentioned Conventions, Germany 
therefore considers that, in principle, they continue to apply to the 'Autonomous Republic of 
Crimea 'and the city of Sevastopol as an integral part of the territory of Ukraine. 
The Federal Republic of Germany also takes note of the statements by Ukraine that the 
Autonomous Public Authority of Crimea »and the city of Sevastopol are temporarily out of their control 
and that Ukraine's application and enforcement of its obligations under the Conventions, 
in that part of the territory of Ukraine are limited and are not guaranteed, the procedure being 
relevant communication only determined by the Ukrainian central authorities in Kiev. 
In view of the above, the Federal Republic of Germany declares that it will only communicate with 
the Government of Ukraine for the purpose of implementing and implementing the Conventions on 
Autonomous Public Authority of Crimea ”and the city of Sevastopol. 
The Portuguese Republic is a Party to the Convention, which was approved by Decree No. 52/2008, 
published in the Diário da República, 1st series, no. 221, of 13 November 2008. 
Under the terms of paragraph a ) of paragraph 2 of article 61 of the Convention, it is in force for 
the Portuguese Republic since August 1, 2011. 
Page 77 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 77 
The Central Authority is the Directorate-General for Reintegration and Prison Services of the Ministry of 
Justice that, under the terms of article 34, of Decree -Law no. 215/2012, published in the Diário da República 
public, 1st series, no. 189, of September 28, 2012, succeeded in competences to the Directorate-General 
of Social Reintegration of the Ministry of Justice. 
Department of Legal Affairs, July 26, 2019. - The Director, Susana Vaz Patto . 
112480361 
www.dre.pt 
Page 78 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 78 AGRICULTURE, FORESTS AND RURAL DEVELOPMENT 
Ordinance No. 250/2019 
of August 8 
Summary: Proceed to the seventh amendment to Ordinance No. 152/2016, of 25 May, which establishes the 
regime for the application of action 10.2, "Implementation of strategies", integrated in the 
measure No. 10, “LEADER”, of area No. 4 “Local development”, of the Program for 
Rural Development of the Continent. 
Ordinance No. 152/2016, of 25 May, established the regime for the application of action No. 10.2, 
«Implementation of strategies», of the Rural Development Program of the Continent, opens 
referred to as PDR 2020. 
This amendment to Ordinance No. 152/2016, of 25 May, aims to standardize the conditions of 
farmers' access to operation 10.2.1.1, 'Small investments in agricultural holdings', 
namely the minimum investment value, in order to ensure legislative harmonization 
and complementarity between the different policy instruments available. 
Thus: 
The Government, through the Minister of Agriculture, Forestry and Rural Development, 
of paragraph b ) of no. 2 of article 5 of Decree -Law no. 159/2014, of 27 October, with the wording 
given by Decree-Law No. 215/2015, of October 6, the following: 
Article 1 
Object 
This Ordinance proceeds to the seventh amendment to Ordinance No. 152/2016, of 25 May, which 
establishes the regime for the application of action no. 10.2, "Implementation of strategies", integrated 
in measure no. 10, “LEADER”, of area no. 4, “Local development”, of the Development 
Continente Rural Development, referred to as PDR 2020 for short. 
Article 2 
Amendment to Ordinance No. 152/2016, of 25 May 
Article 9 of Ordinance No. 152/2016, of 25 May, as amended by Ordinances no. the 249/2016, of 
September 15, 238/2017, July 28, 46/2018, February 12, 214/2018, July 18, 
303/2018, of 26 November, and 133/2019, of 9 May, is replaced by the following: 
"Article 9 
[...] 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
a ) Have a total eligible cost, ascertained in the analysis, equal to or greater than 100 euros 
and less than or equal to 40 000 euros; 
b ). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
c ). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
d ). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
e ). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . » 
Page 79 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 79 
Article 3 
Entry into force and effect 
This Decree enters into force on the day following its publication and takes effect from 
from May 9, 2019. 
The Minister of Agriculture, Forestry and Rural Development, Luís Manuel Capoulas Santos, 
on August 7, 2019. 
112509051 
www.dre.pt 
Page 80 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 80 AUTONOMOUS REGION OF THE AZORES 
legislative Assembly 
Regional Legislative Decree No. 21/2019 / A 
Summary: Defines the strategy for the implementation of electric mobility in the Azores. 
Defines the strategy for the implementation of electric mobility in the Azores 
The Autonomous Region of the Azores has, in recent years, implemented an energy policy 
aligned with the guidelines and with the national and international commitments signed in this 
thematic, but also with new challenges that, however, have arisen and to which it has known 
match. 
Currently, one of the main challenges facing humanity is the phenomenon of 
climate change, the impacts of which threaten to reverse decades of development, with 
especially burdensome in the most fragile territories, such as coastal areas and islands. 
The fight against the effects of climate change takes place on two levels, through mitigation 
and adaptation. In terms of mitigation, reducing greenhouse gas (GHG) emissions, 
investing in decarbonisation and increasing energy efficiency, making it less dependent 
external energy resources. In terms of adaptation, implementing measures to protect 
resources, people and goods, increasing resilience to the impacts of climate change. 
In this sense, the Program of the XII Regional Government of the Azores defined, for the energy area, 
several objectives that aim to adopt or reinforce fuel consumption reduction policies 
fossil fuels and energy dependence abroad, promoting consumption and behavior 
energy efficient, betting on innovation, technology and energy efficiency, as well as 
how to enhance the Azores, in the context of European island and outermost regions, as a 
true laboratory of solutions for electric mobility. 
The Azores have ideal conditions for the implementation of electric mobility, considering 
taking into account the increasing autonomy of electric vehicles, the geographic, physiographic and 
environmental impacts of each of the islands and their dimensions. These conditions favor the existence of 
relatively short daily average journeys in view of the increasing autonomy of electric vehicles and 
the technological evolution of this sector, which is strongly committed to accompanying the 
implementation of the new sustainable development paradigm, further promoting competitiveness 
of the Region, as an island space, in the national, European and world context. 
The design of sustainable mobility based on electricity, especially in the transport sector
erresr, puc n prve, u so n e soc, envronmen n oursm secors, 
others, it is today a consensual bet that aims at the development of a new axis of growth 
of the low carbon Azorean economy, associated with technological innovation, the sharing of new 
forms of connectivity and environmental qualification, also enabling the integration of sources 
of renewable energy in the electro-producing system of the Azores. 
In the first phase, a vehicle charging network is being implemented 
public access trams, which will cover all islands and municipalities in the Azores archipelago. 
The progressive installation of the electric vehicle charging network will also be promoted. 
in buildings in a horizontal property regime, in tourist developments and infrastructures 
tourist, social, recreational, cultural and sporting activities, among others, as well as in 
commercial complexes and complexes, in publicly accessible car parks and in 
urban subdivision, all with the objective of providing greater comfort and safety to users 
electric vehicles, on the various routes and itineraries they carry out, satisfying the needs 
immediate or emerging loading. 
Incentives and targets for the adoption of electric mobility will also be foreseen, which contemplate 
positive discrimination against users of electric vehicles in the Azores, considering the nature 
strategic and operational nature of this type of mobility, including in public administration and in the 
Page 81 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 81 
business public, and awareness-raising, information and promotion actions are carried out 
electric mobility, aimed at different target audiences and sectors of activity. This strategy 
performance will be accompanied by the development of mobility planning instruments 
electric, regional and municipal scope, which will be subject to periodic evaluation. 
In these terms, the implementation of electric mobility in the Azores will be supported by a 
robust program aimed at implementing measures and actions defined by the adopted strategy, 
constituting itself as a catalyst for the participation of entities from the scientific system 
and technological, business, regional public administration and civil society. 
Thus, the Legislative Assembly of the Autonomous Region of the Azores decrees, under the terms of 
point a ) of paragraph 1 of Article 227 of the Portuguese Constitution and paragraph 1 of Article 37 and 
paragraph 1 of article 54 of the Political -Administrative Statute of the Autonomous Region of the Azores, the following: 
CHAPTER I 
General provisions 
Article 1 
Object and scope 
The present diploma establishes the strategy for the implementation of electric mobility in 
Autonomous Region of the Azores, hereinafter referred to as RAA, considering its characteristics 
geographic, physiographic and environmental. 
Article 2 
Principles 
Without prejudice to the application of the principles provided for in the applicable legislation, the 
electric mobility in the RAA must respect the objectives of sustainable development, as well as 
such as universal access, under equal conditions, to all citizens, companies and other 
public and private organizations, ensuring their implementation on each of the islands and in 
all municipalities in the Azores archipelago. 
Article 3 
Strategic priorities 
The promotion of electric mobility in the RAA must be aligned with the political guidelines 
national and European levels, in line with the lines of action of the international community, in 
matters of energy transition and climate, and has the following strategic priorities: 
a ) Reduce the RAA's energy dependence on fuel consumption 
fossils from abroad, as well as the unpredictability of costs to the economy resulting from 
the price fluctuations associated with those; 
b ) Contribute to the reduction of greenhouse gas emissions, as a bet on the transition 
energy for a competitive and low-carbon economy, based on a democratic model 
and fair use of territorial cohesion that enhances the generation of wealth and the efficient use of resources, 
also including the effects of climate change; 
c ) To invest significantly in the production and consumption of electric energy from 
renewable and endogenous sources, as well as increasing their penetration in the various systems 
electricity producers in the Azores, and to boost electric mobility by allocating consumption to 
charging the batteries of electric vehicles in periods of emptiness, ensuring conditions of 
security of energy supply; 
d ) Promote energy efficiency and support sustainable mobility, stimulating the transition 
energy efficiency of the land transport sector, mainly through its electrification, encouraging 
Page 82 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 82 
the introduction of electric vehicles and the installation of charging infrastructures, as well as 
vehicle sharing services, guaranteeing the improvement of environmental quality, with advantages 
for public health; 
e ) Sensitize civil society to the advantages of energy efficiency, electrification of 
economy, the decarbonisation of transport and the importance of combating climate change. 
policies, encouraging the adoption of more sustainable energy production and consumption patterns, 
through the adoption of behaviors inherent to the circular energy economy; 
f ) Promote the Azores, in the context of European island and outermost regions, as a 
laboratory of solutions for electric mobility and to encourage research, development and 
development and innovation in transport systems, especially land based, including individual 
and collectives, as well as those related to the use of regional public administration; 
g ) Reduce the energy bill for families and organizations that opt for this 
alternative mobility, contributing to the increase of regional competitiveness and to the development of 
development of a low carbon economy. 
Article 4 
Specificities 
The RAA, considering its island and archipelagic nature, as well as the particularities 
geographical and environmental characteristics that characterize the different islands, 
development of electric mobility, a set of specificities, namely: 
a ) The regional electrical system is divided into nine isolated energy systems, corresponding to 
corresponding to each of the islands, not allowing interconnection between them, and consequently, 
it is not possible to transfer the surplus energy produced by endogenous sources and 
from one island to the other, as is the case at the continental level; 
b ) The dimensioning of the islands, with relatively short daily average travels 
the increasing autonomy of electric vehicles and their technological progress, and their 
physiographic particularities, determine less battery charging needs; 
c ) The exuberant and distinctive nature of each of the islands in the RAA archipelago and the 
environmental quality, associated with the growing notoriety of the Azores as a destination 
tourism, impel the pursuit of objectives related to sustainable development, which 
they can be strengthened by investing in electric mobility; 
d ) The Political and Administrative Status and Status of the Autonomous Region of the Azores, in the context 
European Union, as an Outermost Region within the European Union, call for the assumption of 
special responsibilities in the implementation of European policies related to mobility 
electrical quality and energy efficiency. 
CHAPTER II 
Implementation of electric mobility 
Article 5 
Implementation instruments 
1 - The implementation of electric mobility in the RAA takes place through the assumption of 
a coherent, integrated and articulated set of measures and actions, namely: 
a ) Implementation of the public access electric vehicle charging network; 
b ) Development of the electric vehicle charging network in: 
i ) Buildings under horizontal ownership; 
ii ) Tourist developments; 
iii ) Tourist, social, recreational, cultural and sports infrastructures, among others; 
Page 83 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 83 
iv ) Establishments and commercial complexes; 
v ) Public access car parks; 
c ) Allocation of incentives for the adoption of electric mobility; 
d ) Definition of goals for the introduction of electric vehicles by entities that have 
fleets; 
e ) Promotion of electric mobility in regional and local public administration; 
f ) Promotion of electric mobility in civil society, namely through the availability of 
use of a portal dedicated to the theme. 
2 - The public access electric vehicle charging network, referred to in paragraph a ) of 
previous paragraph, must have a territorial expression in all islands and municipalities of the RAA. 
3 - In the development of the electric vehicle charging network, referred to in paragraph b ) 
paragraph 1, provision should be made for the installation of devices for charging vehicles 
in the following situations: 
a ) In urban operations, subject to licensing, construction, reconstruction and expansion 
buildings in a horizontal property regime, intended for housing, commerce and services; 
b ) In urban operations, subject to licensing, construction, reconstruction and 
extension of buildings used for tourism enterprises; 
c ) In tourist, social, recreational, cultural and sports infrastructures, among others; 
d ) In the installation and modification of commercial establishments and commercial complexes; 
e ) In public access car parks. 
4 - The incentives for the adoption of electric mobility, referred to in paragraph c ) of paragraph 1, may 
cover financial and non-financial incentives, namely: 
a ) Financial, among others, the following: 
i ) Acquisition of electric vehicles and charging devices; 
ii ) Acquisition of electric vehicles for the collective transport of passengers to the 
fleet renewal or conversion; 
iii ) Acquisition of electric vehicles for the social, economic and environmental sectors; 
b ) Non-financial, among others, the following: 
i ) Creation of parking spaces for electric vehicles in car parks 
providing public access; 
ii ) Creation of mobility solutions and other measures and actions that facilitate accessibility 
the electric mobility system; 
iii ) Creation of tax incentives. 
5 - The definition of goals for the introduction of electric vehicles by entities that have 
fleets, referred to in paragraph d ) of paragraph 1, aims at the progressive replacement of combustion vehicles 
by electric vehicles. 
6 - The adoption of measures and actions to promote electric mobility in public administration 
regional level, as well as in the public business sector, referred to in paragraph 1), e ), aims at 
of the internal combustion vehicle fleet by electric vehicles. 
7 - The promotion of electric mobility, referred to in paragraph f ) of paragraph 1, contemplates the development 
the development of measures and actions to raise awareness and promote electric mobility among 
citizens, companies and other entities and institutions representing civil society, as well as 
as well as the dissemination of information about the different service providers and the points of 
available in the Region. 
Page 84 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 84 
8 - The terms and conditions for the installation of the electric vehicle charging network 
referred to in paragraph b ) of paragraph 1 and paragraph 3 and the incentives for the adoption of electric mobility 
referred to in paragraph 1 c ) and paragraph 4 are regulated in specific regulations. 
Article 6 
Planning instruments 
1 - The implementation of the electric mobility policy in the RAA implies the existence of 
planning instruments, of regional and municipal scope, namely the following: 
a ) The Azores Electric Mobility Plan (PMEA); 
b ) Municipal Electric Mobility Plans (PMEM). 
2 - The department of the Regional Government with competence in matters of energy, in 
cooperation with municipalities and in conjunction with entities representing civil society 
and the social, economic and environmental sectors, the PMEA should develop, with periodic updating. 
3 - For the development of SMEs, municipalities must involve citizens, organizations and 
representative entities of civil society, companies from representative economic sectors 
of their municipalities and other entities that are justified, and may request follow-up 
technician from the Regional Government department with competence in the field of energy. 
Article 7 
Follow-up 
The body with consultative powers that may be constituted within the scope of the powers of the 
Regional Government department with competence in the field of energy should issue opinions, 
monitor the implementation of the implementation instruments, particularly the realization 
programs, measures and actions, planning instruments, and to propose lines of study and 
research for technological and scientific development in the field of electric mobility. 
Article 8 
Assessment 
1 - The department of the Regional Government with competence in the matter of energy must 
prepare assessment reports on the implementation of electric mobility in the RAA, with periodicity 
trienniality. 
2 - Municipalities must proceed with the preparation of reports evaluating their plans 
of electric mobility, with triennial periodicity. 
3 - The evaluation reports referred to in paragraph 1 must reflect the degree of implementation 
the implementation instruments, contained in article 5, and the planning instruments, 
mentioned in Article 6, in particular the PMEA and SMEs. 
4 - The evaluation reports referred to in paragraph 2, must reflect the degree of implementation 
SMEs. 
CHAPTER III 
Inspection and administrative regime 
Article 9 
Oversight 
1 - For the purposes of the present diploma, the inspection powers are vested in the 
regional government department with competence in the field of energy. 
Page 85 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 85 
2 - The provisions of this article are without prejudice to the exercise of supervisory powers which, 
due to the matter, they are competing to other public entities. 
3 - The processing of administrative offenses and the application of fines and accessory sanctions 
it is the responsibility of the Regional Government department with competence in the field of energy. 
Article 10 
Contraordenacional regime 
The provisions of Decree-Law No. 39/2010, of April 26, in the current wording, and other 
applicable legislation in this matter. 
CHAPTER IV 
Final dispositions 
Article 11 
Collection of administrative fees 
The product of administrative fees due for the examination of the registration application and the 
registration of electricity commercialization for electric mobility, by issuing a license 
operation of charging points and periodic inspection of charging points 
operated by each charging point operator is RAA's own revenue. 
Article 12 
Organic skills 
The references made in Decree-Law No. 39/2010, of April 26, in the current wording, to the Institute of 
Mobility and Transport, IP, and the Directorate-General for Energy and Geology, in the RAA, 
reported to the departments of the Regional Government with competence in the matter of transport 
terrestrial and energy, respectively. 
Article 13 
Management entity and periodic inspections 
1 - The management entity of the electric mobility network is indicated by the member of the Government 
Regional with competence in the field of energy. 
2 - It is the responsibility of the Regional Government department with competence in the matter of energy, 
in conjunction with the managing entity of the electric mobility network, the carrying out of periodic inspections 
to charge points operated by each charge point operator in the RAA. 
Article 14 
Implementation 
This law enters into force on the day following that of its publication. 
Approved by the Legislative Assembly of the Autonomous Region of the Azores, in Horta, on 5 
July 2019. 
The President of the Legislative Assembly, Ana Luísa Luís. 
Signed in Angra do Heroísmo on July 24, 2019. 
Publish yourself. 
The Representative of the Republic for the Autonomous Region of the Azores, Pedro Manuel dos Reis 
Alves Catarino. 
112471687 
www.dre.pt 
Page 86 
Diário da República, 1st series 
No. 151 August 8, 2019 Page 86 
I SERIES 
Legal deposit No. 8814/85 ISSN 0870-9963
Electronic Journal of the Republic: Internet address: http://dre.pt 
Contacts : 
E-mail: dre@incm.pt 
Phone: 21 781 0870 
Fax: 21 394 5750