The Americas: Argentina | Brazil | Mexico
East Asia, South Asia and Pacific: Australia | China | India | Japan | South Korea | Taiwan
Europe and Central Asia: European Union | England | France | Iceland | Italy | Norway | Portugal | Russia | Spain | Turkey
Middle East and Africa: Iran | Israel | South Africa | United Arab Emirates
The General Data Protection Regulation issued by the European Union in 2016 was implemented in Portugal’s domestic legislation in 2019 and applies to the processing of personal data carried out in the national territory. A law enacted in 2004 determines that companies offering electronic communications networks and or services must guarantee the inviolability of communications. The preservation and transmission of traffic and location data relating to persons and legal entities, as well as related data necessary to identify the subscriber or registered user, for the purposes of investigation, detection, and prosecution of serious crimes by the competent authorities is regulated by a law enacted in 2008.
Notwithstanding several legal measures taken to fight the pandemic, Portugal has yet to adopt electronic means to help in the fight against the spread of COVID-19.
As of May 22, 2020, Portugal had registered 30,200 confirmed cases of COVID-19 and 1,289 related deaths. According to the National Authority of Communications (Autoridade Nacional de Comunicações, ANACOM), in 2019 Portugal had 12.4 million active cell phones in the country. However, Portugal has not yet developed a contact tracing app for the pandemic.
II. Legal Framework
A. Privacy and Data Protection
On April 26, 2016, the European Union issued the General Data Protection Regulation (GDPR) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. To implement the GDPR into its domestic legislation, Portugal enacted Law No. 58 of August 8, 2019, which regulates the processing of personal data carried out in the national territory, regardless of the public or private nature of the controller or the subcontractor, even if it is carried out in compliance with legal obligations or in pursuit of missions of public interest, applying all the exclusions provided for in article 2 of the GDPR. Under the GDPR the processing of personal data must comply with the principles of lawfulness, fairness and transparency; limitation of purpose; data minimization; accuracy; storage limitation; and integrity and confidentiality. 
B. Data Retention and Location Tracking
1. Law No. 41 of August 18, 2004
Law No. 41 of August 18, 2004, transposed into domestic law the EU’s 2002 ePrivacy Directive on the processing of personal data and the protection of privacy in the electronic communications sector. Exceptions to the application of Law No. 41 that are strictly necessary for the protection of activities related to public security; defense; state security; and the prevention, investigation, and prosecution of criminal offenses are defined in special legislation.
Companies offering electronic communications networks and/or services must guarantee the inviolability of communications and respective traffic data carried out through public communications networks and publicly available electronic communications services.
The use of electronic communications networks for the storage of information or to obtain access to information stored in the terminal equipment of a subscriber or any user is only permitted when the following conditions are met:
a) Clear and complete information must be provided to the subscriber or user concerned, namely on the purposes of processing, in accordance with the provisions of the Personal Data Protection Law;
b) The subscriber or user has the right to refuse such processing.
a. Traffic Data
Traffic data relating to subscribers and users that is processed and stored by companies offering electronic communications networks and or services must be deleted or made anonymous when they are no longer needed for the purpose of transmitting the communication. Companies offering electronic communications services may process the data to the extent and for the time necessary for the commercialization of electronic communications services or the provision of value-added services, provided that the subscriber or user to whom the data refers has given prior consent, which can be withdrawn at any time.
b. Location Data
The processing of location data that relates to subscribers or users of public communications networks or publicly available electronic communications services is permitted only if the data is anonymized. Organizations with legal competence to receive emergency calls may register, process, and transmit location data for the purpose of responding to those calls. The processing of location data is also permitted to the extent and for the time necessary for the provision of value-added services, provided that prior consent is obtained from subscribers or users. Before obtaining such consent, companies offering electronic communications services to the public must inform users or subscribers about the type of location data that will be processed, the duration and purposes of the processing, and the eventual transmission of data to third parties for the purpose of providing value-added services. These companies must also guarantee subscribers and users the possibility, through simple and free means, to withdraw their consent for the processing of location data, and to temporarily refuse to authorize such processing “for each connection to the network or for each transmission of a communication.”
The processing of location data must be limited to the employees and contractors of companies that offer electronic communications networks and/or services accessible to the public or third parties that provide value-added services, and must be restricted to what is necessary for the purposes of providing such service.
2. Law No. 32 of July 17, 2008
Law No. 32 of July 17, 2008, regulates the preservation and transmission of traffic and location data relating to persons and legal entities, as well as related data necessary to identify the subscriber or registered user, for the purposes of investigation, detection, and prosecution of serious crimes by the competent authorities. It transposes into national law the EU Data Retention Directive of 2006 on the conservation of data generated or processed in the context of the offer of communication services publicly available or public communications networks.
The preservation of data that reveal the content of communications is prohibited without prejudice to the provisions of Law No. 41 of August 18, 2004, and criminal procedural legislation regarding the interception and recording of communications.
III. Electronic Measures to Fight COVID-19 Spread
On March 13, 2020, the government enacted Decree-Law No. 10-A, which established exceptional and temporary measures associated with the epidemiological situation of COVID-19. The Decree-Law applies to the prevention, containment, mitigation, and treatment of COVID-19. Among other things, it suspended classes and travel, and limited access to spaces frequented by the public.
Several other legal measures were taken by the government to fight the pandemic. However, it seems that so far none of them have addressed electronic means to stop the spread of the virus. Nor has any entity developed a contact tracing app for Portugal.
Prepared by Eduardo Soares
Senior Foreign Law Specialist
 Ponto de Situação Atual em Portugal, Direção Geral de Saúde, https://covid19.min-saude.pt/ponto-de-situacao-atual-em-portugal/.
 Serviços móveis – 2019, Autoridade Nacional de Comunicações, https://perma.cc/HPB9-CBFR. For comparison purposes, on May 5, 2020, the Portuguese population was estimated to be 10,259,625 persons. Pordata, Base de Dados Portugal Contemporâneo, https://perma.cc/2SR3-P222.
 GDPR art. 5. For an in-depth discussion of the GDPR and other EU instruments, see the European Union survey in this report.
 Id. art. 1(4).
 Id. art. 4(1).
 Id. art. 5(1) (translation by author).
 Id. art. 6(1).
 Id. art. 6(4).
 Id. art. 7(1).
 Id. art. 7(2).
 Id. art. 7(3).
 Id. art. 7(4).
 Id. art. 7(5).
 Id. art. 7(6).
 Lei No. 32/2008, de 17 de Julho, art. 1(1), https://perma.cc/T34T-CUVF. The EU Data Retention Directive was declared invalid by the Court of Justice of the European Union (CJEU) on April 8, 2014. See European Union survey in this report.
 Id. art. 1(2).
 Id. art. 1(2).
 Id. art. 9.
 Id. art. 11.
 Id. arts. 12, 13.
Last Updated: 12/30/2020