WorldLII [Home] [Databases] [WorldLII] [Search] [Feedback]

EPIC --- Privacy and Human Rights Report

You are here:  WorldLII >> Databases >> EPIC --- Privacy and Human Rights Report >> 2006 >>

[Database Search] [Name Search] [Recent Documents] [Noteup] [Help]

EPIC --- Privacy and Human Rights Report 2006

Title Page Previous Next Contents | Country Reports >Republic of Portugal

Republic of Portugal

Constitutional Privacy Framework

The Portuguese Constitution has extensive provisions on protecting privacy, secrecy of communications and data protection.[4179] Article 26 states, "(1) Everyone's right to his or her personal identity, civil capacity, citizenship, good name and reputation, image, the right to speak out, and the right to the protection of the intimacy of his or her private and family life is recognized. (2) The law establishes effective safeguards against the abusive use, or any use that is contrary to human dignity, of information concerning persons and families. (3) A person may be deprived of citizenship or subjected to restrictions on his or her civil capacity only in cases and under conditions laid down by law, and never on political grounds."[4180] Article 34 states, "(1) The individual's home and the privacy of his correspondence and other means of private communication are inviolable. (2) A citizen's home may not be entered against his will, except by order of the competent judicial authority and in the cases and according to the forms laid down by law. (3) No one may enter the home of any person at night without his or her consent. (4) Any interference by public authority with correspondence or telecommunications, apart from the cases laid down by law in connection with criminal procedure, are prohibited."[4181]

In 1997, Article 35 of the Constitution was amended to give citizens a right to data protection. The new Article 35 states, "1. All citizens have the right of access to any computerized data relating to them and the right to be informed of the use for which the data is intended, under the law; they are entitled to require that the contents of the files and records be corrected and brought up to date. 2. The law shall determine what is personal data as well as the conditions applicable to automatic processing, connection, transmission and use thereof, and shall guarantee its protection by means of an independent administrative body. 3. Computerized storage shall not be used for information concerning a person's ideological or political convictions, party or trade union affiliations, religious beliefs, private life or ethnic origin. Such storage is only allowed when there is express consent from the data subject, authorization is provided for under the law with guarantees of non-discrimination, or as long as it is not possible to identify individuals in the case of data processing done for statistical purposes. 4. Access to personal data of third parties is prohibited, aside from exceptional cases as prescribed by law. 5. Citizens shall not be given an all-purpose national identity number. 6. Everyone shall be guaranteed free access to public information networks and the law shall define the regulations applicable to the transnational data flows and the adequate norms of protection for personal data and for data that should be safeguarded in the national interest. 7. Personal data kept on manual files shall benefit from protection identical to that provided for in the above articles, in accordance with the law."[4182]

Data Protection Framework

The 1998 Act on the Protection of Personal Data adopts the European Union (EU) Data Protection Directive requirements into Portuguese law.[4183] It limits the collection, use and dissemination of personal information in manual or electronic form. It also applies to video surveillance or "other forms of capture, processing and dissemination of sound and images." It replaces the 1991 Act on the Protection of Personal Data with Regard to Automatic Processing.[4184]

In August 18, 2004, the parliament enacted Law No. 41/04,[4185] which implemented the EC Directive on Privacy and Electronic Communications (2002/58/EC) without incorporating the Directive's Article 13 on unsolicited communications. That article had already been implemented in Law No. 7/04,[4186] which also implemented the EC's Directive on Electronic Commerce (2000/31/EC). Law No. 41/04 also repealed Law No. 69/98,[4187] which implemented the EC Telecommunications Privacy Directive (1997/66/EC).

In January 2005, the Health Ministry published a regulation[4188] adding HIV and AIDS to the list of diseases with compulsory notification by any doctor to the Epidemic Surveillance Center of the National Health Institute. The stated objective is to identify the epidemic pattern of the disease. The form in question included all the data needed to identify a specific individual, including the person's full name. That was corrected in a later regulation[4189] that defined a form approved by the National Data Protection Commission where the personal information was reduced.

Law 12/2005 regulates the collection and use of health and genetic information.[4190] It defines genetic information as health information of hereditary characteristics of one or more people, and includes information collected from family histories that can, by itself, announce the genetic stature of a person.[4191] Medical information should be kept confidential and secure, may only be used by the medical system in accordance with express written consent, and should be kept separate from other personal information in databases by means of tiered access controls.[4192] Genetic information not of immediate impact on health (i.e. recessive genes, questions of identity, pre-symptomatic or pre-natal) are not considered medical information and should be kept separate from medical files, and inaccessible by doctors in the case of healthy persons.[4193] Genetic tests for disease in healthy individuals can only be performed with informed written consent and after counseling. The law also regulates the usage of genetic tests, prohibiting their use in denying health and life insurance or increasing premiums.[4194] Employers may not request genetic tests, even with the consent of employees.[4195] Neither adoptions services nor future adoptive parents may request tests or use information from tests already performed in adoption cases.[4196]

Data Protection Authority

The National Data Protection Commission (Comissão Nacional de Protecção de Dados, or CNPD) is charged with controlling and enforcing the laws on protection of personal data.[4197] The Commission functioned as part of the National Parliament until 2004. In 2004, it became an independent agency that is directly responsible to the Parliament.[4198] Its functions are to register existing databases with private data, authorize and control such databases, issue directives, and oversee the Schengen Information System (SIS). The number of investigations and inspections conducted has remained fairly stable in the past six years, fluctuating between a low of 183 in 2004 and a high of 223 in 2001. There were 207 investigations and inspections conducted in 2006. Inspections fell somewhat in 2006 when CNPD, in cooperation with law enforcement, asked those authorities to inspect video surveillance systems. The number of complaints received by the Commission has also remained steady: 173 in 2003, 156 in 2004, 183 in 2005, and 177 in 2006. The number of referrals for criminal prosecution to the Public Prosecution Service is very low due to the existence of a fine system for the transgressions. There was one referral in 2001, two in 2002, one in 2003, and none from 2004 through 2006. The Commission applied 47 fines in 2006, totaling 75,000 EUR. The Commission authorized 2146 databases in 2006, compares with 2440 in 2004 and 1858 in 2005.[4199] It issued opinions on obtaining subscriber information from telecommunications providers, access to marketing databases by the Criminal Investigation Police, denied access by the Information and Security Service to the information system of the Aliens and Frontiers Department, and approved transborder data flows to the United States when the transferee company promised to protect the personal data collected pursuant to European data protection legal standards.[4200]

In 2003, the CNPD published "Guidelines on Privacy in the Workplace."[4201] These guidelines establish that information and contents of phone calls, e-mails and Internet access for private use of a worker is protected as private data and must be respected as such by the employer. In 2004, the CNPD published guidelines on the usage of Radio Frequency Identification (RFID) technology,[4202] biometrics[4203] and surveillance systems.[4204] These guidelines establish the need for the registration of the databases connected to these systems, and determine the criteria for the use of such systems to comply with data protection principles.

In September 2005, the CNPD published general principles related to electronic communications for political marketing. The principles clarified that opt-in rules apply not only to commercial marketing, but also to the electronic messages of a civil or political nature.[4205] In November 2005, the CNPD released a deliberation on privacy and electronic voting.[4206] The CNPD based its recommendations on witnessing 2004 and 2005 elections. The evaluation stresses the principles of transparency, security, and integrity. Specifically the CNPD recommended that: electronic voting be publicly debated and the public be informed by political and technological leaders about electronic voting; that software be open source and capable of being audited before and after voting; that electronic voting be used to complement, not replace, traditional methods; that voter-verified paper trails be used; that separate machines hold voter information and vote collection databases -- the former being preferably done on paper; and that the communication of voting information be encrypted and not use the public Internet or telephone network.

In 2007, the CNPD prohibited the reporting of worker absenteeism due to strike.[4207] The Director-General of Administration and Public Works (DGAEP) collects aggregate data on workers on strike and releases the totals on the Internet. The Director-General of taxation began to require that the identification numbers of workers on strike be submitted within 48 hours, via a software system, so that income can be properly allocated. The CNPD found that the automatic and independent treatment of strike data puts its legality into question. Article 35 of the Constitution prohibits computer treatment of political convictions, and the CNPD determined that strike participation is a political conviction. Therefore, absence due to strike should be reported normally along with other absences as opposed to receiving discriminatory treatment which singles out strike participation.

Wiretapping and Surveillance Rules

The Penal Code has provisions against unlawful surveillance and interference with privacy.[4208] Evidence obtained by any violation of privacy, including that of the home, correspondence or telecommunications, without the consent of the interested party is null and void.[4209] An inquiry was opened in October 1994 on illegal surveillance of politicians after microphones were discovered in the offices of a state prosecutor and several ministers.[4210] The Portuguese government ordered cellular telephone companies to assist with surveillance in October 1996.[4211] There are also specific laws on the SIS,[4212] computer crime,[4213] and counseling centers.[4214]

Roadway video surveillance is subject to law.[4215] The system is limited to specific and determined purposes: catching traffic infractions, traffic control, locating stolen or illegal vehicles, and use as evidence of a crime.[4216] The installation of the surveillance methods should be directed, as much as possible, to capture images of vehicles.[4217] Information from the system may be released for didactic and statistical purposes, as long as no individuals or vehicles are identifiable.[4218] The CNPD published a clarification in response to many inquiries concerning the surveillance.[4219] The clarification states that according to the law these systems do not need CNPD approval. The equipment should be registered with the CNPD, and the make, model and serial number of the surveillance equipment used is published on the CNPD website.

National Identity System

Law No. 7/2007 established a national identification card[4220] and it is expected to encompass the whole country by the end of 2008.[4221] Elements on the face of the card include parentage, date of birth, nationality, facial picture and an individual's civil, tax, health insurance social security numbers.[4222] The various numbers cannot be matched or interconnected other than in ways permitted by the data protection authority.[4223] The card contains an integrated circuit which stores one's residential address, a fingerprint, digital authentication and digital signature certificates, space for further data elements as well as space for personal data of the choice of the individual.[4224] The law prohibits the physical detention of the card, as well as photocopying without consent of the card owner.[4225] The biometric fingerprint may only be accessed by the will of the citizen, and only the police and justice officials may compel a citizen to identify him or herself via the biometric fingerprint.[4226] The card has a document number, comprising the civil identity number plus extra digits, but the number is unique to the document -- any new reissues of the document must have a different number.[4227] The digital certificates on the card are accessible only by the use of a PIN number, are revocable, but must be substituted when revoked.[4228] A citizen is entitled to know what is contained in the card -- including in electronic storage and in the files created during the issuance of the card -- and has the right to correct information, suppress improperly collected information, and insert omitted information.[4229]

Open Government

Law No. 65/93 of August 26, 1993 (Regula o Acesso aos Documentos da Administrção or Law on the Regulation of, and Access to, Administrative Documents) provides for access to government records in any form by any person.[4230] Documents can be withheld for "internal or external security," secrecy of justice, and personal privacy.[4231] Documents with personally identifiable information can only be accessed by the subject of that information or third parties with "direct, personal and legitimate" interest.[4232] Access to environmental information is regulated by Law No. 19/2006, which implements EC Directive 2003/4/CE.[4233] The access to government documents is overseen by the Commission for Access to Administrative Documents (CADA), an independent parliamentary agency. The CADA can examine complaints, provide opinions on access, and decide on classification of systems. CADA's decisions are not binding, so if an agency continues to deny access, further appeal can be made to an administrative court. CADA issued 330 in 2004, 306 in 2005, and 310 in 2006.[4234]

International Obligations

Portugal is a member of the Council of Europe (CoE) and has signed and ratified the CoE Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108) (Convention No. 108).[4235] In November 2001, it signed the CoE Convention on Cybercrime (ETS No. 185) but has not ratified it.[4236] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[4237] It is a member of the Organization for Economic Cooperation and Development (OECD) and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

[4179] Constitution of the Portuguese Republic, available at <>.
[4180] Id. at Article 26.
[4181] Id. at Article 34.

[4182] Id. at Article 35.

[4183] Act No. 67/98 of October 26, 1998.,Act on the Protection of Personal Data (transposing into the Portuguese legal system Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data), available at <>.
[4184] Law No. 10/91 - Lei da Protecção de Dados Pessoais face à Informática, amended by Law No. 28/94 of August 29, 1994, Aprova medidas de reforço da protecção de dados pessoais.

[4185]Law No. 41/04, available at <>.
[4186] Available at <>.
[4187] Law No. 69/98, available at <>.

[4188] Regulation No. 103/2005, available at <>.
[4189] Regulation No. 258/2005, available at <>.

[4190] Law 12/2005, of January 26, on Personal Genetic and Health Information <>.
[4191] Id. at Art. 6.
[4192] Id. at Art. 4.
[4193] Id. at Art. 6.
[4194] Id. at Art 12.
[4195] Id. at Art 13.
[4196] Id. at Art 14.

[4197] <>.
[4198] Law No. 43/2004, available at <>.
[4199] Email from Clara Guerra, International Relations, CNPD. Portugal, to Guilherme Roschke, Electronic Privacy Information Center, July 19, 2007 (on file with EPIC).
[4200] <>.

[4201] Comissão Nacional para a Protecção de Dados, "Princípios sobre a Privacidade no Local de Trabalho," October 29, 2002, available at <>.
[4202] Comissão Nacional para a Protecção de Dados, "Identificação por radiofrequência," January 13, 2004, available at <>.
[4203] Comissão Nacional para a Protecção de Dados, Principles for the use of biometric data in controlling access and monitoring hours worked, February 26, 2004, available at <>.
[4204] Comissão Nacional para a Protecção de Dados, "Princípios sobre o tratamento de videovigilância," April 19, 2004, available at <>.

[4205] CNPD, Princípios Gerais Aplicáveis ao Marketing Político no Âmbito das Communicações Electrónicas, September 2005, available at <>.
[4206] CNPD, A Privacidade dos Eleitores no Voto Electrónico, November 14, 2005, available at <>.

[4207] CNPD, Deliberação No. 225/2007.

[4208] Penal Code, Chapter VII, §§ 190-98, available at <>.
[4209] Code of Penal Procedure, Article 126, paragraph 3, available at <>.
[4210] "Bug Found in Portuguese State Prosecutor's Office," Reuters European Business Report, April 27, 1994.
[4211] "Portugal to Tap Mobile Phones in Drugs War," Reuters World Service, October 9, 1996.
[4212] Law No. 2/94 (Estabelece os mecanismos de controlo e fiscalização do Sistema de Informação Schengen), available at <>.
[4213] Law No. 109/91 (Sobre a criminalidade informática) (Law on Computer Crime), available at <>.
[4214] This law creates a duty of confidentiality for counseling centers, Article15, Law No. 3/84 (Educação sexual e planeamento familiar), available at <>.

[4215] Ministério Da Adminstração Interna, Decreto-Lei No. 207/2005, November 29, 2005 <>.
[4216] Id. at Art. 10.
[4217] Id. at Art 3.
[4218] Id. at Art 18.
[4219] CNPD, Sistemas de Vigilância Electrónica Rodoviária Utilizados Pelas Forças de Segurança: Esclarecimento da CNPD, May 16, 2006 <>.

[4220] Law No. 7, 2007, of February 5, creating a citizen's card and regulating its use and emission <>.
[4221] Portal do Governo, 14 de Fevereiro de 2007 <>.
[4222] Id. at Art. 7.
[4223] Id. at Art. 16.
[4224] Id. at Art. 8.
[4225] Id. at Art. 5.
[4226] Id. at Art. 14.
[4227] Id. at Art. 17.
[4228] Id. at Art. 18.
[4229] Id. at Art. 39.

[4230] Law No. 65/93, including alterations made by Laws No. 8/95 and 94/99, available at <>.
[4231] Perguntas Frequentes, <>.
[4232] Perguntas Frequentes, <>.
[4233] Law No. 19/2006, of June 19th, regulating access to information on the environment, <>.
[4234] Estatísticas, <>.

[4235] Signed May 14, 1981; ratified September 2, 1993; entered into force January 1, 1994.
[4236] Signed November 23, 2001.
[4237] Signed September 22, 1976; ratified November 9, 1978; entered into force November 9, 1978.

WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback