Constitutional principles guarantee the protection of personal data in Portugal, including its collection and use, as well as the privacy of a person’s home and communications. An information system composed of intelligence services and supervisory bodies is in charge of producing intelligence for the purpose of defending national interests. European Union Directives have been transposed into the country’s domestic legal system to regulate the protection of personal data, and privacy in the telecommunications and electronic communications sectors.
I. Constitutional Principles
The protection of personal data used in connection with information technology is a fundamental right guaranteed by the Portuguese Constitution of 1976. The law must establish effective guarantees against the acquisition and abusive use, or use that is contrary to human dignity, of information concerning individuals and families. The home and the privacy of correspondence and other private means of communication are inviolable. Any interference by public authorities with correspondence, telecommunications, or other means of communication is prohibited, except in cases provided by law on matters of criminal procedure.
II. Information System of the Portuguese Republic
In Portugal, intelligence activities are coordinated by the Information System of the Portuguese Republic (Sistema de Informações da República Portuguesa, SIRP). Law No. 30 of September 5, 1984, establishes the general basis of SIRP. The purposes of SIRP are reflected exclusively in the powers and prerogatives of the information services provided for in Law No. 30. These information services are responsible for ensuring, in compliance with the Constitution and the law, the production of information necessary for the preservation of internal and external security, as well as the independence and national interests, unity, and integrity of the state.
Among the bodies created to achieve the purposes of Law No. 30 are the Strategic Information Service of Defense (Serviço de Informações Estratégicas de Defesa, SIED) and the Security Information Service (Serviço de Informações de Segurança, SIS).
SIED is the agency in charge of producing information that may assist in safeguarding the national independence, national interests, and external security of the country. SIS is the agency in charge of producing information to assist in safeguarding internal security and the prevention of sabotage; terrorism; espionage; and the performance of acts that, by their nature, may alter or destroy the state as constitutionally established.
Law No. 30 determines that activities involving research, processing, and dissemination of information that poses a threat or offense to the rights, freedoms, and guarantees embedded in the Constitution and the law cannot be developed. For this purpose, the information services are subject to all the restrictions established by law in defense of rights and freedoms. Each information service can only develop research activities and process information related to their specific mission, without prejudice to the obligation to mutually communicate data and information that may be relevant to the achievement of the purposes of SIRP.
Civil or military employees or agents of the information services provided for in Law No. 30 cannot exercise powers, perform actions, or develop activities under the specific jurisdiction of the courts and bodies with police functions. The information services may have data centers consistent with the nature of the service, which must process and save on a magnetic file the data and information collected in the course of their business. Each data center works autonomously and cannot be connected with other data centers.
III. European Union Directives and Domestic Laws
In 1995, the European Union issued Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. During Portugal’s Constitutional Review of 1997, article 35 of the Constitution was amended to enable an adequate transposition of Directive No. 95/46/EC into Portugal’s Constitutional Charter. Subsequently, Law No. 67 of October 26, 1998, was enacted as the new law on protection of personal data, which transposed Directive No. 95/46/EC into Portugal’s domestic legislation.
Law No. 41 of August 18, 2004, transposed Directive 2002/58/EC on Privacy and Electronic Communications into Portugal’s domestic legislation and applies to the processing of personal data in the context of networks and electronic communication services available to the public, specifying and supplementing the provisions of Law No. 67/98.
The processing of personal data referring to philosophical or political beliefs, political party or union membership, religious faith, private life, and racial or ethnic origin, as well as the processing of data concerning a person’s health or sex life, including genetic data, is prohibited under article 7(1) of Law No. 67/98. However, article 7(2) of Law 67/98 determines that the processing of the data mentioned in article 7(1) is allowed if permission is provided by law or authorized, in specific situations, by the National Commission of Data Protection (Comissão Nacional de Protecção de Dados, CNPD). Article 5(1) of Law No. 67/98 lists the requirements for the collection and treatment of personal data.
On July 17, 2008, Law No. 32 was issued to regulate the storage and transmission of traffic and location data relative to natural persons and legal entities, as well as the related data necessary to identify the subscriber or registered user, for purposes of investigation, detection, and prosecution of serious crimes by the competent authorities. Law No. 32 transposed Directive 2006/24/EC into Portugal’s domestic legal system. According to Law No. 32, the retention of data revealing the content of communications is prohibited, without prejudice to the provisions of Law No. 41/2004 and criminal procedure law on the interception and recording of communications.
The storage and transmission of data must be made exclusively in connection with the investigation, detection, and prosecution of serious crimes by the competent authorities. The transmission of data to the competent authorities can only be authorized by a written order issued by a judge, in accordance with article 9 of Law No. 32/2008. The files for the retention of data under Law No. 32/2008 must be separated from any other files used for other purposes. The data subject cannot oppose the storage and transmission of data.
Prepared by Eduardo Soares
Senior Foreign Law Specialist
 Constituição da República Portuguesa [C.R.P.] (Constitutional Revision VII (2005)) art. 35, available at Assembleia da República [Assembly of the Republic], http://www.parlamento.pt/Legislacao/ Paginas/ ConstituicaoRepublicaPortuguesa.aspx.
 Id. art. 26(2).
 Id. art. 34(1).
 Id. art. 34(4).
 Lei No. 30/84, de 5 de Setembro, as amended by Organic Law No. 4 of August 13, 2014, art. 1, http://www.pgdlisboa.pt/leis/lei_mostra_articulado.php?nid=764&tabela=leis.
 Id. art. 2(1).
 Id. art. 2(2).
 Id. art. 7(e).
 Id. art. 7(f).
 Id. art. 20. See also Law No. 9 of February 19, 2007, art. 26, http://www.pgdlisboa.pt/leis/lei_mostra_ articulado.php?nid=910&tabela=leis&ficha=1&pagina=1&.
 Id. art. 21. See also Law No. 9, art. 33.
 Id. art. 3(1).
 Id. art. 3(2).
 Id. art. 3(3).
 Id. art. 4(1).
 Id. art. 23(1). See also Law No. 9, arts. 41–43.
 Id. art. 23(2).
 Directive 95/46/EC, of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281) 31, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML. For a discussion of this and other EU legislation, see EU survey, supra.
 Quarta Revisão Constitucional, Lei No. 1/97, de 20 de Setembro, art. 18, available at Procuradoria-Geral Distrital de Lisboa [Lisboa Attorney General’s Office], http://www.pgdlisboa.pt/ pgdl/leis/lei_mostra_articulado. php?nid=11&tabela=leis&ficha=1&pagina=1.
 Lei No. 67/98, de 26 de Outubro, Lei da Protecção de Dados Pessoais [Personal Data Protection Law], http://www.pgdlisboa.pt/pgdl/leis/lei_mostra_articulado.php?nid=156&tabela=leis&ficha
 Lei No. 41/2004, de 18 de Agosto, http://www.pgdlisboa.pt/pgdl/leis/lei_mostra_articulado.php?nid= 707&tabela=leis&ficha=1&pagina=1.
 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (Directive on Privacy and Electronic Communications), 2002 O.J. (L 201) 37, http://eur-lex.europa.eu/LexUriServ/LexUri Serv.do?uri= CELEX:32002L0058:en:HTML.
 Lei No. 41/2004, art. 1(2).
 Lei No. 67/98, art. 7(1).
 Id. art. 7(2). Article 22(1) of Law No. 67/98 determines that the CNPD is the national authority charged with the power to supervise and monitor compliance with the laws and regulations in the area of personal data protection, with strict respect for the human rights and the fundamental freedoms and guarantees provided by the Constitution and the law.
 Id. art. 5(1).
 Lei No. 32/2008, de 17 de Julho, art. 1(1), http://www.pgdlisboa.pt/pgdl/leis/lei_mostra_articulado.php? nid=1264&tabela=leis&ficha=1&pagina=1&.
 Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the Retention of Data Generated or Processed in Connection with the Provision of Publicly Available Electronic Communications Services or of Public Communications Networks and Amending Directive 2002/58/EC, 2006 O.J. (L 105) 54, http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32006L0024.
 Lei No. 32/2008, art. 1(2).
 Id. art. 3(1).
 Id. art. 3(2).
 Id. art. 3(3).
 Id. art. 3(4).
Last Updated: 06/09/2015