Portuguese Legal Order
The regimes that frame the practice of data protection.
The practice of the Data Protection Officer rests on a dense but coherent body of rules, whose centre is the General Data Protection Regulation and, in Portugal, Law 58/2019 ensuring its execution. To that core are added the regimes that intersect with it — from electronic communications to artificial intelligence and cybersecurity.
The data protection regimes that frame the practice of the DPO, in Portugal.
| Area | Instrument | Authority |
|---|---|---|
| Data Protection (general) | GDPR — Regulation (EU) 2016/679 | CNPD |
| Execution of the GDPR in Portugal | Law 58/2019, of 8 August | CNPD |
| DPO — designation and tasks | GDPR, Arts. 37–39; Law 58/2019, Arts. 9–13 | CNPD |
| Data for criminal/security purposes | Law 59/2019, of 8 August | CNPD |
| ePrivacy (electronic communications) | Law 41/2004 (Directive 2002/58/EC) | CNPD · ANACOM |
| Artificial Intelligence | AI Act — Regulation (EU) 2024/1689 | — |
| Cybersecurity (interface) | NIS2 — Decree-Law 125/2025 (MyCiber) | CNCS |
| Guidance and doctrine | EDPB Guidelines; WP243 (Article 29 Working Party) | CEPD / EDPB |