Page 1

To enter

Register
Portuguese English

What are you looking for?

help us
to improve

Suggestion

Advanced Search
TUESDAY, JUNE 8, 2021

Homepage / Search / Law No. 10/91

Legislation
Law No. 10/91

PDF version
Print out

Law No. 10/91

RELATED SECTIONS

Publication: Official Gazette No. 98/1991, Series IA of 1991-04-29

Legal Analysis

Issuer:

General data

Assembly of the Republic

Type of Diploma:

European Union law

Law

Number: 10/91

regulation

Pages:

Modifications

2366 - 2372

ELI: https://data.dre.pt/eli/lei/10/1991/04/29/p/dre/pt/html

Rectifications

PDF version: Download

Digest Newsletters
REVOKED

Jurisprudence +

SUMMARY

Law on the Protection of Personal Data in Computing

TEXT

Law No. 10/91
Law on the Protection of Personal Data in Computing
The Assembly of the Republic decrees, pursuant to articles 164, paragraph d), 168, paragraph 1, subparagraphs b), c) and d), and
169, no. 3, of the Constitution, as follows:
CHAPTER I
General provisions
Article 1
general principle
The use of information technology must be carried out in a transparent manner and with strict respect for the reservation of privacy and
family and for the fundamental rights, freedoms and guarantees of the citizen.
Article 2
Definitions
For the purposes of this law, it is understood as follows:
a) "Personal data" - any information relating to an identified or identifiable natural person,
considering identifiable the person whose identification does not involve disproportionate costs or deadlines;
b) "Public data" - personal data contained in an official public document, except for the elements
confidential, such as profession and address, or disabilities noted on the birth certificate;
c) «Computer system» - the set consisting of one or more computers, peripheral equipment and
software that ensures data processing;
d) «Automated file» - the structured set of information subject to automated processing,
centralized or spread across multiple locations;
e) «Database» - the set of interrelated data, stored and structured with control of
redundancy, intended to serve one or more computer applications;
f) «Database» - the set of data related or related to a given subject;
g) «Automated processing» - the following operations carried out, in whole or in part, with the help of
automated processes: data recording, application of logical and/or arithmetic operations to that data, as well
as its modification, suppression and extraction or diffusion;
h) «Responsible for computer media» - the natural or legal person, the public authority, the service or
any competent body to decide on the purpose of the automated file, as well as the responsible
by database or database, and by the categories of personal data that must be registered and the operations that
applicable to them;
i) "Cross-border data flows" - the movement of personal data across national borders.
Article 3
Scope of application
1 - The provisions of this law shall apply:
a) The constitution and maintenance of automated files, databases and personal data banks;
b) Computer media relating to legal persons and similar entities, whenever they contain
personal data.
2 - Personal data files containing
exclusively intended information:
a) For personal or domestic use;
b) The processing of compensation of employees or employees, as well as other procedures
administrative matters relating to the mere management of services;
c) Invoicing for supplies made or services rendered;
d) The collection of membership fees from associates or affiliates.
3 - This law does not apply equally to personal data files created and maintained under the
responsibility of the Information System of the Portuguese Republic.
CHAPTER II
From the National Commission for the Protection of Computerized Personal Data
Article 4
Creation and assignments
1 - The National Commission for the Protection of Computerized Personal Data (CNPDPI) is created, with the attribution
generic to control the automated processing of personal data, in strict respect for the rights of the
man and for the freedoms and guarantees enshrined in the Constitution and the law.
2 - The CNPDPI is an independent public entity with powers of authority, which works with the
Assembly of the Republic and has its own technical and administrative support services.
Article 5
Composition
1 - The CNPDPI is composed of seven members of recognized integrity and merit, including the president and two
of the vocals are elected by the Assembly of the Republic according to the method of the highest average of Hondt.
2 - The remaining vowels are:
a) Two magistrates with more than 10 years of career, one judicial magistrate, appointed by the Council
Superior of the Magistracy, and a magistrate of the Public Ministry, appointed by the Superior Council of the
Public ministry;
b) Two personalities of recognized competence in the matter, appointed by the Government.
Article 6
Duties and incompatibilities
1 - Citizens who are not in full enjoyment of their civil rights cannot be members of the CNPDPI
and politicians.
2 - The exercise of the mandate of the members of the CNPDPI is governed, in matters of duties and incompatibilities, by the
general principles applicable to State officials and agents.
3 - The quality of members of the CNPDPI is incompatible with the exercise of functions corresponding to:
a) Holder of a sovereign body or self-government body of an autonomous region;
b) Holder of a local authority body;
c) Holder of a leading position in a political party or association or in a class organization, or an agent who has
employment relationship with any of these entities.
Article 7
remuneration status
The remuneration statute of CNPDPI members is established by the Government.
Article 8
Skills
1 - It is especially incumbent upon the CNPDPI:
a) Give an opinion on the constitution, alteration or maintenance, by public services, of automated files,
databases and personal databases, in the cases provided for in this law;
b) Authorize or register, as the case may be, the constitution, alteration or maintenance, by other entities, of
automated files, databases and personal databases, under the terms of this law;
c) Authorize, in the exceptional cases provided for in this law and under strict control, the use of data
for purposes other than collection purposes;
d) Authorize, in the exceptional cases provided for in this law and under strict control, the interconnection of files
automated databases and databases containing personal data;
e) Issue directives to guarantee the security of data either on file or circulating in the networks of
telecommunications;
f) Generically establish the conditions for access to information, as well as the exercise of the right to rectify and
update;
g) Promote, with the competent judicial authority, the procedures necessary to interrupt the
data processing, prevent the operation of files and, if necessary, proceed with their destruction, in the
cases provided for in this law;
h) Assess claims, complaints or petitions from individuals, under the terms of this law;
i) Periodically publicize its activity, namely through the publication of an annual report;
j) Denounce to the Public Prosecutor's Office the infractions to this law, justifying judicial proceedings.
2 - In the exercise of its functions, the CNPDPI pronounces decisions with mandatory force, subject to complaint and
appeal to the Supreme Administrative Court.
3 - The CNPDPI may suggest to the Assembly of the Republic the measures it deems useful for the prosecution of the
its attributions and the exercise of its competences.
Article 9
duty to collaborate
It is the duty of all public and private entities to provide collaboration to the CNPDPI for the full exercise of
their functions.
Article 10
Possession
1 - The members of the CNPDPI take office before the President of the Assembly of the Republic within 10 days
following the publication in the 1st series of the Diário da República of the list of elected members.
2 - The CNPDPI remains in office for a period of five years and until the new appointed members take office.
3 - After taking office, the CNPDPI must immediately prepare its regulations and
submit it for approval by the Assembly of the Republic.
CHAPTER III
Automated processing of personal data
Article 11
Restrictions on data processing
1 - Automated processing of personal data relating to:
a) Philosophical or political beliefs, party or union affiliation, religious faith or private life;
b) Ethnic origin, convictions in criminal proceedings, suspected illegal activities, health status and situation
equity and financial.
2 - The prohibition of the preceding paragraph does not prevent the processing of data for research or statistical purposes,
as long as the people they respect cannot be identifiable.
3 - The automated processing of personal data referred to in subparagraph b) of paragraph 1 may, however, be carried out
by public services, under the terms of the law, with guarantees of non-discrimination and prior opinion of the CNPDPI.
4 - The provisions of the preceding paragraphs do not prevent the automated processing of personal data by institution to
that have been voluntarily provided by the respective holders, with knowledge of their destination and
use.
Article 12
Collection requirements
1 - The collection of personal data for automated processing must be carried out lawfully and not misleadingly.
2 - The collection of personal data must be carried out in strict adequacy and pertinence to the purpose that the
determined.
3 - The determining purpose of data collection must be known before its beginning.
Article 13
Right to information and access
1 - Anyone has the right to be informed about the existence of an automatic file, database or database.
personal data concerning you, and their purpose, as well as the identity and address of your
responsible.
2 - Access to electoral data files is provided, under equal circumstances and under the control of the
National Election Commission, candidates and political parties.
Article 14
Data update
Personal data collected and maintained in automated files, databases and databases must be
accurate and current.
Article 15
Data usage
Personal data can only be used for the purpose determining its collection, unless authorized
granted by law.
Article 16
Limits of judicial review
No jurisdictional, administrative or disciplinary decision that implies an assessment of a behavior
human being can be based solely on the result of the automated processing of information related to the profile
or the personality of the registrant.
CHAPTER IV
Automated files, databases and personal databases
Article 17
Constitution requirements
1 - The constitution of automated files, databases and databases containing personal data, for the purposes
consented in article 11, is regulated by a special law, with prior opinion of the CNPDPI.
2 - The provisions of the previous number do not apply to automated files, databases and databases maintained
by public or private entities, which do not contain personal data referred to in article 11
3 - The entities referred to in the previous number are, however, obliged to notify the CNPDPI in advance of the
constitution of automated files, databases and databases with any other personal data and
must accompany this communication with the elements contained in the following article.
Article 18
Order instruction
Requests for an opinion or authorization from the CNPDPI for the constitution or maintenance of files
databases and databases, as well as the communication referred to in paragraph 3 of article
above, must be instructed with the following elements:
a) Name and address of the person responsible for the file;
b) Characteristics of the file and its purpose;
c) Service or services in charge of processing the information;
d) Personal data contained in each record;
e) Form of data collection and updating;
f) Purpose of the data, entities to which it can be transmitted and under what conditions;
g) Comparisons, interconnections or any other way to interrelate the registered information;
h) Measures taken to ensure the security of information;
i) Personal data retention time;
j) Category of people who have direct access to information;
l) Form and conditions under which people can learn about the data concerning them;
m) How people can correct inaccuracies in the data that concern them.
Article 19
mandatory referrals
1 - The law, in the case specifically provided for in paragraph 1 of article 17, as well as the authorizations of the CNPDPI, to which
refer to subparagraphs c) and d) of paragraph 1 of article 8, shall indicate:
a) The person responsible for the file;
b) The personal data to be included in the registration;
c) The method of collecting or updating the data;
d) The purpose for which the data is intended, the entities to which it can be transmitted and under what conditions;
e) The retention time of personal data;
f) How the holder of the registration can find out about the data concerning him and in which
conditions;
g) How the holder of the registration can correct any inaccuracies in the data concerning him.
2 - Any change to the indications contained in paragraph 1 must also be provided for in a special law, as well
authorization from CNPDPI, or only the latter, depending on the case.
Article 20
File operation
1 - Those responsible for automated files, databases and personal databases must interrupt
its operation immediately when they act in breach of this law and have received
of the competent authority in this regard.
2 - Without prejudice to the application of other sanctions provided for by law, the automated files referred to in the
previous number can be prevented from functioning and, if necessary, its contents destroyed.
Article 21
Safety equipment
Automated files, databases and personal databases must be equipped with systems of
security that prevent the consultation, modification, destruction or addition of data by a person not
authorized to do so and allow detecting intentional or unintentional information deviations.
CHAPTER V
Collection and interconnection of personal data
Article 22
Indications contained in the base documents
1 - The documents that serve as the basis for the collection of personal data must indicate:
a) The fact that such data or part of them are processed automatically;
b) The mandatory or optional nature of filling in the documents or providing data;
c) The consequences of the lack or inaccuracy of the answers;
d) The recipients of the information;
e) The purpose of data collection;
f) The person responsible for the file and its address;
g) The access conditions referred to in articles 27 and 28
2 - The provisions of the preceding paragraph do not apply to the collection of information aimed at preventing
crime and the punishment of offences, as well as the collection of information for statistical purposes, in the
terms of the legislation of the National Statistical System and the National Institute of Statistics.
Article 23
data destruction
After the authorized conservation period, the data must be destroyed, without prejudice to the extension of this
term by special law or authorization of the CNPDPI, as the case may be.
Article 24
Interconnection of personal data
1 - The interconnection of automated files, databases and personal databases is prohibited, except for the
exceptions provided for in this law.
2 - It is not allowed to assign the same citizen number for the purposes of interconnecting files
personal data containing police, criminal or medical information.
Article 25
Public data interconnection
The interconnection of automated files, databases and databases that exclusively contain data
public can be processed between entities that pursue the same specific purposes, depending on the same.
responsible referred to in subparagraph h) of article 2
Article 26
exceptional cases
The law that, in exceptional cases, allows the interconnection of automated files, banks and databases
must expressly define the types of interconnection authorized and their purpose.

CHAPTER VI
Individual rights and guarantees
Article 27
Right of access to information
All persons, provided they are properly identified, are entitled to access information about
they are registered in automated files, banks and databases, with the exception of the provisions of the law on
State secret and judicial secret.
Article 28
Exercise of the right of access
1 - The exercise of the right of access to information cannot be limited, without prejudice to being subject to
rules designed to prevent abuse.
2 - The information must be transmitted in clear language, free from coding and strictly
corresponding to the contents of the record.
3 - Information of a medical nature must be communicated to the person to whom it concerns, through the physician
designated by her.
Article 29
Excess or omission of data
When an automated file, database or database is found to contain data
excessive in relation to its purpose or sins due to the omission of some, the responsible must proceed, immediately,
suppression of surpluses or inclusion of omissions.
Article 30
Inaccurate information
1 - Any person has, in relation to personal data that concern him, the right to demand the correction of
inaccurate information and the completion of totally or partially omitted information, as well as the deletion of those that
have been obtained by unlawful or deceptive means or whose registration or retention is not permitted.
2 - Proof of inaccuracy is incumbent upon the holder of the record when the information has been provided by you or with the
your consent, as well as if you have not fulfilled the legal obligation to communicate the change.
3 - Anyone has the right to demand that their name and address be removed from files of
addresses used for direct mail.
Article 31
Responsible intervention
1 - In the situations provided for in the previous article, the person responsible for the computer support must satisfy the person
concerned or communicate what you consider convenient within a maximum period of 30 days.
2 - The holder of the record may file a complaint with the CNPDPI about the actions of the person responsible for the file.
Article 32
professional secrecy
1 - Those responsible for automated files, databases and databases, as well as people who do not
exercise of their functions, are aware of the personal data recorded therein, are obliged to secrecy
professional, even after the end of the functions.
2 - The same obligation falls on the members of the CNPDPI, even after the end of their term of office.
3 - The provisions of the preceding paragraphs do not exclude the duty to provide mandatory information, in the
legal terms, except when they appear in files organized for statistical purposes.
CHAPTER VII
Cross-border data flows
Article 33
Applicable regime
1 - The provisions of this law apply to cross-border flows of personal data, processed automatically or
that are intended to be, whatever the medium used.
2 - The CNPDPI may, however, authorize cross-border flows of personal data if the State of destination
ensure protection equivalent to that of the present law.
3 - In any case, the cross-border flow of personal data is prohibited if there are well-founded reasons to believe
that their transfer to another State is intended to circumvent prohibitions or constraints.
provided for in the law or make possible its illegal use.
CHAPTER VIII
Infractions and sanctions
Article 34
Illegal use of data
1 - Who, contrary to the provisions of the law, creates, maintains or modifies the content of an automated file, base or
database or cause the same data to be processed is punishable by imprisonment for up to one year or a fine of up to 120
days.
2 - The penalty will be increased to double its limits in the case of personal data referred to in article 11, outside
the conditions under which processing is authorized.
3 - The same penalties are incurred by those who intentionally deviate personal data from the legally defined purpose
for its collection and use.
Article 35
Obstruction of access
1 - Who, being obliged to guarantee to others, under the terms of the law, the right of access, correction or
completion of personal data contained in an automated file, database or database, if you refuse,
without just cause, to do so, or to do so intentionally erroneously or incompletely, is punishable by imprisonment until
1 year or up to 120 days fine.
2 - If the agent acts negligently, the penalty will be imprisonment for up to three months or a fine of up to 90 days.
3 - Criminal proceedings depend on a complaint.
Article 36
illegal interconnection
1 - Who, contrary to the provisions of the law, promotes or carries out the interconnection of automated files, databases or
Personal databases is punishable by imprisonment for up to one year or a fine for up to 120 days.
2 - The penalty is doubled in its limits in the case of the data referred to in article 11
3 - The provisions of the preceding paragraphs are applicable to the violation of the prohibition contained in article 24, paragraph 2.
4 - The court decrees the necessary measures to terminate the interconnection of files, bases or banks of
data or deletion of the number referred to in article 24, paragraph 2, when they survive the date of the judgment.
Article 37
false information
1 - Anyone who provides false information in the request for authorization for the constitution or maintenance of a file
automated database or personal database or make changes in it not consented to by the
The authorization instrument is punishable by imprisonment for up to 2 years or a fine of up to 240 days.
2-the same penalty is incurred by whoever intentionally omits the communication referred to in paragraph 3 of article 17
3 - If the agent acts negligently, the penalty is imprisonment for up to 6 months or fine for up to 100 days.
Article 38
Improper access
1 - Who, without proper authorization, in any way, accesses a computer system of personal data whose
access is prohibited and punishable by imprisonment for up to 1 year or a fine of up to 120 days.
2 - The penalty is increased to double its limits when accessing:
a) Is achieved through violation of technical safety rules;
b) It has made it possible for the agent or third parties to know the data;
c) Has provided the agent or third parties, with their knowledge, benefit or advantage
equity.
3 - In the case of paragraph 1, the criminal procedure depends on a complaint.
Article 39
Data tampering or destruction
1 - Whoever, without being duly authorized, deletes, destroys, damages, suppresses or modifies,
making them unusable or affecting their ability to use, personal data contained in the file
automated, base or database is punishable by imprisonment of up to 2 years or fine of up to 240 days.
2 - The penalty is doubled in its limits if the damage produced is particularly serious.
3 - If the agent acts negligently, the penalty is, in both cases, imprisonment for up to 1 year or a fine of up to 120 days.
Article 40
Qualified disobedience
1 - Whoever, regularly notified for this purpose, does not interrupt the operation of an automated file,
database or database, pursuant to article 20, is punishable with the penalty corresponding to the crime of
qualified disobedience.
2 - In the same penalty, those who:
a) Refuse, without just cause, the collaboration that is specifically required under the terms of article 9, when
to do so is regularly notified;
b) Do not proceed with the destruction of personal data, after the period of conservation authorized under the terms of article
23rd
Article 41
Violation of confidentiality
1 - Who, obligated to professional secrecy, under the terms of the law, without just cause and without due consent,
reveal or disclose, in whole or in part, personal data contained in an automated file, database or database
data, endangering the reputation, honor and consideration or intimacy of the private life of others, is punished
imprisonment for up to 2 years or fine for up to 240 days.
2 - The penalty is increased by half of its limits if the agent is:
a) Civil servant or equivalent, under the terms of criminal law;
b) Determined by the intention to obtain any patrimonial advantage or other illegitimate benefit.
3 - Negligence is punishable by imprisonment for up to 6 months or a fine for up to 120 days.
4 - Outside the cases provided for in paragraph 2, criminal proceedings depend on a complaint.
Article 42
punishment of attempt
In the crimes provided for in the previous provisions, the attempt is always punishable.
Article 43
accessory penalty
Together with the main penalties applied, the court may order the accessory penalty of publicity of the
condemnatory sentence, in full or in extract, at the expense of the convict, in one or more publications
periodic.
CHAPTER IX
Transitional and Final Provisions
Article 44

Page 2

regulation
1 - Those responsible for public services that maintain automated files, databases or databases
personnel must prepare and propose, within a period of six months, a draft regulation.
account of the provisions of this law.
2 - The Government assesses the proposals provided for in the preceding paragraph and publishes, within one year, a decree
implementing regulation of this law.
Article 45
Legalization of existing supports
1 - The entities referred to in paragraph 3 of article 17 responsible for automated files, databases or banks of
personal data that are already in operation must send to CNPDPI, within 90 days after its
installation, the information regarding its existence and functioning, in accordance with the requirements of article 18.
2 - Authorization for the maintenance of computer supports that are in need of it under the terms of the present diploma
must be requested to the CNPDPI within one year after its installation.
3 - The authorization of the CNPDPI must be granted within 60 days from the date of receipt of the request.
4 - Failure to comply with the provisions of paragraph 1 shall be subject to the measure provided for in paragraph 2 of article 20.
Approved on February 19, 1991.
The President of the Assembly of the Republic, Vítor Pereira Crespo.
Enacted on April 9, 1991.
Publish yourself.
The President of the Republic, MÁRIO SOARES.
Countersigned on April 12, 1991.
The Prime Minister, Aníbal António Cavaco Silva.

share

Site Map · Legal Notices · Suggestions · Site Accessibility · Contacts · Help

INCM, SA - ALL RIGHTS RESERVED

