
Constitutional principles guarantee the protection of personal data in Portugal, including its collection and use, and the privacy of a person’s home and communications.  An information system composed of intelligence services and supervisory bodies is in charge of producing intelligence for the purpose of defending national interests.  European Union Directives have been transposed into the country’s domestic legal system to regulate the protection of personal data and privacy in the telecommunications and electronic communications sectors.

I.  Constitutional Principles

The protection of personal data used in connection with information technology is a fundamental right guaranteed by the Portuguese Constitution of 1976.[1]  The law must establish effective guarantees against the acquisition and abusive use, or use that is contrary to human dignity, of information concerning individuals and families.[2]  The home and the privacy of correspondence and other private means of communication are inviolable.[3]  Any interference by public authorities with correspondence, telecommunications, or other means of communication is prohibited, except in cases provided by law on matters of criminal procedure.[4]

II.  Information System of the Portuguese Republic

In Portugal, intelligence activities are coordinated by the Information System of the Portuguese Republic (Sistema de Informações da República Portuguesa, SIRP).  Law No. 30 of September 5, 1984, establishes the general basis of SIRP.[5]  The purposes of SIRP are reflected exclusively in the powers and prerogatives of the information services provided for in Law No. 30.[6]  These information services are responsible for ensuring, in compliance with the Constitution and the law, the production of information necessary for the preservation of internal and external security, as well as the independence and national interests, unity, and integrity of the state.[7]

Among the bodies created to achieve the purposes of Law No. 30 are the Strategic Information Service of Defense (Serviço de Informações Estratégicas de Defesa, SIED)[8] and the Security Information Service (Serviço de Informações de Segurança, SIS).[9]  SIED is in charge of producing information that may assist in safeguarding national independence, national interests, and the external security of the country,[10] while SIS is in charge of producing information to assist in safeguarding internal security and the prevention of sabotage; terrorism; espionage; and the performance of acts that, by their nature, may alter or destroy the state as constitutionally established.[11]

Law No. 30 determines that activities that involve researching, processing, and disseminating information that poses a threat or violates the rights, freedoms, and guarantees embedded in the Constitution and the law cannot be carried out.[12]  Accordingly, the information services are subject to all the restrictions established by law in defense of rights and freedoms.[13]  Each information service may develop research activities and process information related only to its specific mission, without prejudice to the obligation to mutually communicate data and information that may be relevant to the achievement of SIRP’s purposes.[14]

Civil or military employees or agents of the information services provided for in Law No. 30 are not authorized to exercise powers, perform actions, or carry out activities under the specific jurisdiction of the courts and bodies with police functions.[15]  The information services may have data centers consistent with the nature of the service, which must process and save on magnetic files the data and information collected in the course of their business.[16]  Each data center works autonomously and is not permitted to be connected with other data centers.[17]

III.  European Union Directives and Domestic Laws

In 1995, the European Union issued Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data.[18] During Portugal’s Constitutional Review of 1997, article 35 of the Constitution was amended to enable an adequate transposition of Directive No. 95/46/EC into Portugal’s Constitutional Charter.[19]  Subsequently, Law No. 67 of October 26, 1998, which transposed Directive No. 95/46/EC into Portugal’s domestic legislation, was enacted as the new law on the protection of personal data.[20]

Law No. 41 of August 18, 2004, transposed Directive 2002/58/EC on Privacy and Electronic Communications into Portugal’s domestic legislation.[21]  Law No. 41 applies to the processing of personal data in the context of networks and electronic communication services available to the public, specifying and supplementing the provisions of Law No. 67/98.[22]

The processing of personal data referring to philosophical or political beliefs, political party or union membership, religious faith, private life, and racial or ethnic origin, as well as the processing of data concerning a person’s health or sex life, including genetic data, is prohibited under article 7(1) of Law No. 67/98.[23]  However, article 7(2) of Law 67/98 determines that the processing of the data mentioned in article 7(1) is allowed if permission is provided by law or authorized, in specific situations, by the National Commission of Data Protection (Comissão Nacional de Protecção de Dados, CNPD).[24]  Article 5(1) of Law No. 67/98 lists the requirements for the collection and treatment of personal data.[25]

On July 17, 2008, Law No. 32 was issued to regulate the storage and transmission of traffic and location data relative to natural persons and legal entities, as well as the related data necessary to identify the subscriber or registered user, for purposes of the investigation, detection, and prosecution of serious crimes by the competent authorities.[26]  Law No. 32 transposed Directive 2006/24/EC into Portugal’s domestic legal system.[27]  According to Law No. 32, the retention of data revealing the content of communications is prohibited, without prejudice to the provisions of Law No. 41/2004 and criminal procedure law on the interception and recording of communications.[28]

The storage and transmission of data must be made exclusively in connection with the investigation, detection, and prosecution of serious crimes by the competent authorities.[29]  The transmission of data to the competent authorities may be authorized only by a written order issued by a judge, in accordance with article 9 of Law No. 32/2008.[30]  The files for the retention of data under Law No. 32/2008 must be separated from any other files used for other purposes.[31]  The data subject cannot oppose the storage and transmission of data.[32]

Prepared by Eduardo Soares
Senior Foreign Law Specialist
June 2016

[1] Constituição da República Portuguesa (Constitutional Revision VII (2005)) art. 35, http://www.parlamento.pt/Legislacao/Paginas/ConstituicaoRepublicaPortuguesa.aspx, archived at

[2] Id. art. 26(2).

[3] Id. art. 34(1).

[4] Id. art. 34(4).

[5] Lei No. 30/84, de 5 de Setembro, as amended by Lei Orgânica No. 4/2014 [Organic Law No. 4 of Aug. 13, 2014], art. 1, archived at V8YF-CY26.

[6] Id. art. 2(1).

[7] Id. art. 2(2).

[8] Id. art. 7(e).

[9] Id. art. 7(f).

[10] Id. art. 20; see also Lei No. 9/2007, de 19 Fevereiro [Law No. 9 of Feb. 19, 2007], as amended by Lei No. 50/2014 [Law No. 50 of Aug. 13 of 2014], art. 26, 910&tabela=leis&ficha=1&pagina=1&, archived at

[11] Lei No. 30/84, art. 21; see also Lei No. 9/2007, art. 33.

[12] Lei No. 30/84, art. 3(1).

[13] Id. art. 3(2).

[14] Id. art. 3(3).

[15] Id. art. 4(1).

[16] Id. art. 23(1); see also Lei No. 9/2007, arts. 41–43.

[17] Lei No. 30/84, art. 23(2).

[18] Directive 95/46/EC, of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281) 31, archived at (click “See the Screenshot View”).  For a discussion of this and other EU legislation, see EU survey.

[19] Quarta Revisão Constitucional, Lei Constitucional No. 1/97, de 20 de Setembro, art. 18, http://www.pgd, archived at UT7S-YX96.

[20] Lei No. 67/98, de 26 de Outubro, Lei da Protecção de Dados Pessoais [Personal Data Protection Law], archived at

[21] Lei No. 41/2004, de 18 de Agosto, =leis&ficha=1&pagina=1, archived at; Directive 2002/58/EC, of the European Parliament and of the Council of 12 July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (Directive on Privacy and Electronic Communications), 2002 O.J. (L 201) 37, archived at (click “See the Screenshot View”).

[22] Lei No. 41/2004, art. 1(2).

[23] Lei No. 67/98, art. 7(1).

[24] Id. art. 7(2).  Article 22(1) of Law No. 67/98 determines that the CNPD is the national authority charged with the power to supervise and monitor compliance with the laws and regulations in the area of personal data protection, with strict respect for human rights and fundamental freedoms, and the guarantees provided by the Constitution and the law.

[25] Id. art. 5(1).

[27] Directive 2006/24/EC, of the European Parliament and of the Council of 15 March 2006 on the Retention of Data Generated or Processed in Connection with the Provision of Publicly Available Electronic Communications Services or of Public Communications Networks and Amending Directive 2002/58/EC, 2006 O.J. (L 105) 54, http://eur-lex., archived at (click “See the Screenshot View”).

[28] Lei No. 32/2008, art. 1(2).

[29] Id. art. 3(1).

[30] Id. art. 3(2).

[31] Id. art. 3(3).

[32] Id. art. 3(4).