Data Protection Officer — the DPO function in Portugal
The Data Protection Officer, in Portuguese the Encarregado de Proteção de Dados (EPD), informs, advises and monitors compliance with the GDPR within the Portuguese legal order, before the CNPD, with statutory independence.
The function
The Data Protection Officer is the figure to whom the General Data Protection Regulation entrusts a precise mission: to inform and advise the organisation, to monitor compliance and to cooperate with the supervisory authority. It does not decide the purposes or means of processing — that responsibility remains with the controller — but ensures, with technical independence, that data protection is taken seriously across the organisation.
Tasks
The statutory tasks of the DPO, under Article 39 of the GDPR and Article 11 of Law 58/2019.
Inform and Advise
Inform and advise the controller, the processor and the staff who carry out processing of their obligations under the GDPR, Law 58/2019 and other Union or national data protection provisions.
GDPR, Art. 39(1)(a)
Monitor Compliance
Monitor compliance with the GDPR and with the controller's or processor's data protection policies, including the assignment of responsibilities, awareness-raising and the training of staff involved in processing operations.
GDPR, Art. 39(1)(b)
Advise on the DPIA
Provide advice, where requested, regarding the data protection impact assessment and monitor its performance pursuant to Article 35 of the GDPR.
GDPR, Art. 39(1)(c)
Cooperate with the Authority
Cooperate with the supervisory authority and act as its point of contact on matters relating to processing, including the prior consultation referred to in Article 36, consulting it on any other matter where appropriate.
GDPR, Art. 39(1)(d)–(e)
Point of Contact for Data Subjects
Act as the point of contact for data subjects on all matters related to the processing of their personal data and to the exercise of their rights under the Regulation.
GDPR, Art. 38(4); Law 58/2019, Art. 11(c)
Conduct Audits
Ensure the performance of audits, whether periodic or unscheduled — an express duty added by Portuguese law to the framework of Articles 37 to 39 of the GDPR.
Law 58/2019, Art. 11(a)
Awareness of Security Incidents
Raise users' awareness of the importance of the timely detection of security incidents and of the need to inform the person responsible for security without delay.
Law 58/2019, Art. 11(b)
Risk-Based Approach
In performing the tasks, have due regard to the risk associated with processing operations, taking into account their nature, scope, context and purposes.
GDPR, Art. 39(2)
A programme that demonstrates compliance
Records of processing, DPIA, contracts, security, breaches and transfers.
Sectors
Public Sector & Local Authorities
For public authorities and bodies the designation of a DPO is mandatory, and Portuguese law requires at least one DPO per ministry or governmental area, per regional secretariat and per municipality. The volume and sensitivity of citizen data make this the densest theatre of obligation.
Law 58/2019, Art. 12
Health & Clinics
The large-scale processing of health data — a special category under Article 9 — typically triggers the mandatory designation of a DPO and the performance of impact assessments, with heightened security and confidentiality duties.
GDPR, Arts. 9, 35; Law 58/2019, Art. 13
Technology & SaaS
Platforms whose core activity involves the regular and systematic monitoring of users on a large scale fall within the mandatory designation, often acting as processors and requiring rigorous Article 28 contracts and transfer mechanisms.
GDPR, Art. 37(1)(b); Law 58/2019, Art. 13
Marketing & Data
Direct marketing, profiling and the use of cookies raise specific duties of consent, transparency and the right to object, at the intersection of the GDPR and the ePrivacy rules.
GDPR, Arts. 21–22; Law 41/2004