Portuguese Data Protection Authority activities - Data Protection Impact Assessment List and notifications for DPO and Data Breaches


The Portuguese Data Protection Authority (“DPA”) recently announced a public consultation on the list of processing activities that requires a Data Protection Impact Assessment (“DPIA”). This public consultation arises from the obligation imposed to the Data Protection Authorities across the European Union to establish and make public a list of kind of processing operations which are subject to the requirement for a DPIA, under paragraph 4 of Article 35 and item k) of paragraph 1 of Article 57 of the GDPR.

The list of processing activities set forth on Draft Regulation no. 1/2018 is a non-exhaustive and dynamic list to be updated whenever deemed necessary. The DPA determines that the following processing activities are subject to a DPIA:

  1. Processing of categories of personal data established in paragraph 1 of article 9 (special categories of personal data) and in Article 10 (personal data related to criminal convictions and offences) of GDPR for other purposes than those for which they have been collected, except if such processing is regulated by law and is preceded by a DPIA;
  2. Processing of information resulting from the use of sensors or other electronic devices that transmit, through communication networks, personal data, with legal effects on data subjects or that significantly affect them in a similar manner, namely those that allow to analyse and predict the localization and movements, personal preferences or interests, consumptions or other behaviours and health of data subjects (e.g.: implanted or applied medical devices);
  3. Interconnection of personal data or processing of personal data that links the data referred in paragraph 1 of Article 9 of GDPR;
  4. Processing of personal data based on indirect collection, where it is not possible or feasible to ensure the right to information, under Article 14 of GDPR;
  5. Processing of personal data consisting of profiling on a large scale;
  6. Processing of personal data that allows to track the localization or behaviour of the data subjects, except where the processing is essential for the provision of services required by Clients;
  7. Processing of biometric personal data for unambiguous identification of the data subjects, except if such processing is regulated by law and is preceded by a DPIA;
  8. Processing of personal data using new technologies or new use of existing technologies;
  9. Significant change of the information system’s architecture on which the processing of personal data is carried out.

The deadline to submit the contributions to the public consultation will end on September 18th.

In compliance with its obligations under the GDPR, the Portuguese Data Protection Authority also made available at its website (www.cnpd.pt) two different forms as a result of the application of GDPR.

One of those forms is related to the communication to the DPA of the data controllers’ Data Protection Officer (“DPO”), which is available at www.cnpd.pt/DPO/. This form allows the data controller to (i) make the notification of its DPO, (ii) amend a previous notification or (iii) communicate the termination of the duties performed by the DPO.

Finally, the other form relates to the notification of a personal data breach to the DPA, under Article 33 of GDPR and is available at www.cnpd.pt/DataBreach/. This form allows data controller to (i) notify a personal data breach and (ii) amend a previous notification that has been submitted to the DPA.


Article provided by: Ricardo Henriques (Abreu Advogados)


Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

Director CPC project: Dr. Tobias Höllwarthtobias.hoellwarth@eurocloud.org


What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.