Portuguese Legal Order
The GDPR and Law 58/2019 are the centre; around them, the regimes that intersect.
| Area | Instrument | Authority |
|---|---|---|
| Data Protection (general) | GDPR — Regulation (EU) 2016/679 | CNPD |
| Execution of the GDPR in Portugal | Law 58/2019, of 8 August | CNPD |
| DPO — designation and tasks | GDPR, Arts. 37–39; Law 58/2019, Arts. 9–13 | CNPD |
| Data for criminal/security purposes | Law 59/2019, of 8 August | CNPD |
| ePrivacy (electronic communications) | Law 41/2004 (Directive 2002/58/EC) | CNPD · ANACOM |
| Artificial Intelligence | AI Act — Regulation (EU) 2024/1689 | — |
| Cybersecurity (interface) | NIS2 — Decree-Law 125/2025 (MyCiber) | CNCS |
| Guidance and doctrine | EDPB Guidelines; WP243 (Article 29 Working Party) | CEPD / EDPB |
Further information
regimesjuridicos.pt · centrojuridico.pt · dataprotectionofficer.pt