Last reviewed: 2026-05-05 · Reviewer: M.K., CIPP/E
Portugal · República Portuguesa

WEB ANALYTICS · COOKIE COMPLIANCE · SOUTHERN EUROPE · PT

Portugal — analytics & cookie compliance reference

CNPD aggressive on healthcare data; moderate on private sector; Portuguese-language privacy notices required.

GDPR · ePrivacy · Free reference · sources cited
// SCOPE

Web analytics, cookies, tag managers, CMPs, ad pixels, and session-replay tools as deployed on websites and apps targeting Portugal. Sectoral rules (healthcare, banking, employment) are touched only where they intersect with the analytics layer.

Applicable laws

The legal framework that governs personal data processing here.

National addons

Country-specific statutes layered on the EU baseline.

Lei 58/2019 · Stricter
Lei n.º 58/2019, de 8 de agosto — Lei de Execução do RGPD
National implementation of the GDPR opening clauses — DPO designation left at the GDPR Art 37 baseline, child consent age (set at 13 — lowest in the EU), employee data, special-category data in healthcare, sanctions regime, criminal liability. CNPD challenged several articles in 2019; Deliberação 2019/494 disapplied the parts of the law CNPD considered incompatible with GDPR (Arts 2, 20, 23, 28, 37, 38, 39, 61, 62).
  • Art 9 Child consent age — set at 13 (lowest in the EU; GDPR default is 16)
  • Art 28 Employment context — works council/union information rights (CNPD-disapplied portions)
  • Art 29 Health data — special-category permissions and CNPD authorization regime
  • Art 37–39 Administrative fines — partly disapplied by CNPD Deliberação 2019/494
  • Art 47–52 Criminal liability — up to 4 years' imprisonment for intentional misuse of personal data
Diário da República n.º 151/2019, Série I — Portuguese Data Protection Implementation Law
Lei 41/2004
Lei n.º 41/2004, de 18 de agosto — Privacidade nas Comunicações Eletrónicas
Cookies + terminal-equipment access + electronic-communications privacy + direct-marketing opt-in regime. Article 5 transposes ePrivacy Art 5(3) — informed prior consent for non-strictly-necessary cookies. Article 13-A governs unsolicited commercial communications (email/SMS opt-in baseline).
  • Art 5 Cookies — informed prior consent for storage/access on terminal equipment, narrow strictly-necessary exception
  • Art 13-A Email/SMS commercial communications — prior opt-in (soft opt-in for existing-customer + similar products)
  • Art 14 Identifier-based marketing and traffic-data retention rules
Portuguese transposition of ePrivacy Directive 2002/58/EC, amended by Lei 46/2012
LCE 2022
Lei das Comunicações Eletrónicas — Lei n.º 16/2022, de 16 de agosto
2022 update modernizing the Portuguese e-communications framework. Coordinates with Lei 41/2004 on traffic/location data and confidentiality of communications. ANACOM is sectoral regulator; CNPD retains data-protection competence.
  • Art 110–115 Confidentiality of communications + traffic and location data
  • Art 175 Direct-marketing rules — coordinates with Lei 41/2004 Art 13-A
Diário da República — transposes EU Electronic Communications Code (Directive 2018/1972); revokes prior LCE (Lei 5/2004)
Código do Trabalho · Stricter
Código do Trabalho — Lei n.º 7/2009 (consolidated)
Employee privacy and monitoring rules layered on top of GDPR. Article 20 prohibits the use of remote-surveillance means to monitor employee professional performance unless the purpose is protecting persons or goods, and then only with CNPD authorization. Articles 21–22 regulate access to employee email and instant messaging.
  • Art 20 Remote surveillance — prohibited for performance monitoring; allowed for safety/property only with CNPD authorization
  • Art 21 Personal messages and email — privacy of employee communications
  • Art 22 Confidentiality of personal information of the worker
Portuguese Labour Code, consolidated; employee monitoring and privacy provisions

Regulators

Supervisory authorities that interpret and enforce privacy law here.

NATIONAL
CNPD · Comissão Nacional de Proteção de Dados
Sole national supervisory authority — independent constitutional body under Article 35 of the Portuguese Constitution. Competence covers all sectors (public + private + healthcare + employment + telecoms data-protection dimension). ANACOM handles non-data-protection telecoms regulation.

Coordination body

CNPD · Comissão Nacional de Proteção de Dados
Single-DPA structure — no regional or sectoral sub-authorities. CNPD is the EDPB representative and lead/concerned-DPA for cross-border cases involving Portuguese establishments.
  • 2019-09-03 · Lei 58/2019 disapplication — Deliberação CNPD 2019/494 — CNPD declared parts of Lei 58/2019 incompatible with GDPR and announced it would disapply them (Arts 2, 20, 23, 28, 37, 38, 39, 61, 62). Politically controversial; cited by other EU DPAs.
  • 2022-04 · Google Analytics — CNPD aligned with EDPB-101 task force on Schrems II; default GA Universal deployments problematic, GA4 conditional on consent + appropriate safeguards. Post-DPF (Jul 2023) CNPD takes a moderate stance — DPF-certified transfers acceptable with consent.
  • 2023-05 · Cookie guidance — CNPD reiterated that cookie consent must be free, specific, informed, unambiguous — equal-prominence reject button, no pre-ticked boxes, no cookie walls without genuine alternative.

Notable enforcement

Portugal's enforcement profile is healthcare-heavy and politically attentive. CNPD's signature cases — Hospital do Barreiro (€400K, 2018), Município de Lisboa (€1.25M, 2021), and INE €4.3M (Dec 2022, the 2021 Census Cloudflare-CDN onward-transfer case, currently the largest Portuguese GDPR fine) — turned on access controls, unjustified data sharing, and Schrems II–style transfer mechanisms. CNPD has not pursued GA4 enforcement at the Austrian/Italian level, and private-sector analytics enforcement is moderate. The agency's 2019 Deliberação disapplying parts of Lei 58/2019 set a precedent of CNPD asserting GDPR primacy over the national implementation law.

  1. 2022-12 · €4.3M
    INE (Instituto Nacional de Estatística) · CNPD · Art 5, 6, 9, 28, 44–49 · stood

    Five GDPR infringements in the 2021 Census — lawfulness of statistics processing, special-category processing (religion/health) without proper basis, and onward transfers via Cloudflare CDN to US/third countries without adequate safeguards. Largest Portuguese GDPR fine to date. Inquiry opened 26 Apr 2021; decision Dec 2022.

  2. 2021-05 · €1.25M
    Município de Lisboa · CNPD · Art 5, 6, 13 · stood

    Lisbon City Council shared personal data of demonstration organizers (including a Yellow Vest protest) with foreign embassies — Russia, China, Israel and others — over an 11-year period without legal basis. Largest Portuguese GDPR fine at the time; since exceeded by the INE Census decision (€4.3M, Dec 2022).

  3. 2024-06 · €750k
    Insurance group · CNPD · Art 5, 6, 13, 32 · stood

    Excessive retention + insufficient transparency on profiling for premium adjustment. Settlement-style outcome with corrective programme.

  4. 2018-10 · €400k
    Hospital do Barreiro · CNPD · Art 5(1)(c), 5(1)(f), 32 · stood

    Insufficient access controls — staff (including non-medical) had access to clinical records beyond need-to-know; 985 active 'doctor' user accounts when only 296 doctors employed. First major Portuguese GDPR fine; cited as benchmark for healthcare access control.

  5. 2023-09 · €175k
    Private healthcare network · CNPD · Art 5(1)(f), 32 · stood

    Hospital records accessible to staff without role-based access control; clinical data exposed to administrative roles. Continuation of CNPD's healthcare-focused enforcement line.

GA4 status

GA4 is usable in Portugal with prior, explicit, granular consent under Lei 41/2004 Art 5. After EU-US DPF (10 Jul 2023) CNPD accepts transfers to DPF-certified US importers including Google LLC. CNPD has not pursued GA4 enforcement at the Austrian/Italian level, but it expects a documented TIA and consent layer that meets EDPB granularity standards. Privacy notice in Portuguese is required for PT-targeted sites.

DPA · Stance
CNPD · Moderate post-DPF — DPF-certified transfers acceptable with explicit consent + Portuguese-language notice + TIA on file. No GA4-specific fines to date.

Cross-border transfers + Schrems II

CNPD takes a moderate post-DPF stance. After 10 Jul 2023 the DPF restored adequacy for DPF-certified US importers and CNPD accepts this in principle. The 2022 INE Census decision (€4.3M for inadequate Cloudflare-CDN onward transfers in the 2021 Census, pre-DPF fact pattern) showed CNPD is willing to fine when transfer mechanisms fail, but it has not pursued GA4 enforcement at the level of Austrian/Italian DPAs. Controllers are still expected to document a Transfer Impact Assessment and verify DPF certification at the importer level.

EU 2021/914 SCCs remain the fallback when DPF certification is absent or revoked. CNPD scrutinizes onward-transfer chains, particularly in healthcare and public-sector deployments.

Employee data

Key thresholds

  • Child consent age · 13 years
  • Article 27 representative · Required
  • Marketing consent · Double opt-in

Vendor signals

Red / yellow / green markers are an editorial reading of public regulator guidance and published enforcement actions, applied to vendor behavior we can observe or that the vendor documents. They are not legal conclusions, not endorsements, and not advice about your specific processing. Configuration changes the picture — a "yellow" vendor in one configuration may be defensible in another.

Analytics tools · 4 · 0 green · 3 yellow · 1 red
Status · Rationale
  • YELLOW · Visitor ID cookie + cross-suite stitching with Experience Platform. DPIA strongly recommended; configure ECID + IP obfuscation.
  • YELLOW · EU residency available on paid plans; default cloud is US. Persistent user IDs require config + DPA + DPF chain.
  • YELLOW · EU cloud helps but session recording + autocapture default to PII collection. Disable autocapture and recordings or self-host for green.
  • RED · Auto-capture grabs every click and form value — broad PII risk under GDPR Art 5(1)(c) data minimization.
Consent management platforms · 5 · 5 green · 0 yellow · 0 red
Status · Rationale
  • GREEN · Danish-based, EU-hosted. Auto-blocks third-party scripts pre-consent — verify your manual scripts also gate.
  • GREEN · Italian-based, EU-hosted. Free tier limits 5k pageviews/mo; granular per-vendor controls require paid plan.
  • GREEN · Open-source, self-hosted. No managed updates — site owner maintains vendor list.
  • GREEN · GDPR + CCPA + multi-region templates available. Common config error: GDPR/CCPA mode mismatch — verify per-region defaults.
  • GREEN · German-based, EU-hosted. v3 SDK required for Consent Mode v2; TCF flow can over-collect for non-AdTech sites.
Ad pixels · 3 · 0 green · 0 yellow · 3 red
Status · Rationale
  • RED · Loads pre-consent if naively placed; cross-device matching broad. Block until consent + IAB TCF string set.
  • RED · Schrems II concerns persist; advanced matching hashes PII but does not fix the EU→US transfer problem.
  • RED · PRC-parent ownership flagged by Italian Garante and EDPB; transfers to China contested. Consent + risk acknowledgement required.
Server-side · 3 · 2 green · 1 yellow · 0 red
Status · Rationale
  • GREEN · EU-only datacenters strong for FR/DE compliance; per-event pricing scales steeply at high traffic.
  • GREEN · EU server containers handle the routing — but server-side tagging does NOT auto-fix consent. CMP must still gate browser-side pings.
  • YELLOW · "EU server" ≠ EU data — clients still transmit to Google ad backends downstream. Use only for Google-ecosystem first-party routing.
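Added example (not from this page or any vendor it rates): a browser-side consent gate written as plain functions so it runs in Node, encoding the reading above of Lei 41/2004 Art 5 (strictly-necessary tags only before consent, granular opt-in for everything else, nothing pre-ticked) and deriving Google Consent Mode v2 signals from the same record so the script gate and the gtag defaults cannot disagree. The tag manifest, tag ids and category names are constructed assumptions; server-side routing would not change any of this logic.

```javascript
// Constructed tag manifest: which category each tag belongs to. Only the
// "necessary" category falls under the strictly-necessary exception.
const TAG_MANIFEST = [
  { id: "session-cookie", category: "necessary" },
  { id: "cmp",            category: "necessary" },
  { id: "ga4",            category: "analytics" },  // prior consent required
  { id: "session-replay", category: "analytics" },
  { id: "ad-pixel",       category: "marketing" },  // prior consent + TCF string
];

// Consent record as a CMP would persist it. Every non-necessary category
// starts false and `explicit` is false until the user acts on the banner.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false, explicit: false };
}

// Tag ids allowed to load under a consent record. A record with no
// affirmative act (explicit === false) grants nothing beyond necessary,
// whatever its category flags say: scrolling or silence is not consent.
function allowedTags(consent, manifest = TAG_MANIFEST) {
  return manifest
    .filter(t => t.category === "necessary" ||
                 (consent.explicit === true && consent[t.category] === true))
    .map(t => t.id);
}

// Google Consent Mode v2 signals derived from the same record. Both the
// analytics and the three ad signals default to "denied".
function consentModeSignals(consent) {
  const analytics = consent.explicit && consent.analytics ? "granted" : "denied";
  const ads       = consent.explicit && consent.marketing ? "granted" : "denied";
  return { analytics_storage: analytics, ad_storage: ads,
           ad_user_data: ads, ad_personalization: ads };
}

// Records the user's banner choice. Unknown keys are ignored, "necessary"
// cannot be switched off, and a reject-all click is still an explicit act.
function applyChoice(choices) {
  const c = defaultConsent();
  for (const k of ["analytics", "marketing"]) {
    if (choices[k] === true) c[k] = true;
  }
  c.explicit = true;
  return c;
}
```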


Common questions

Is Google Analytics legal in Portugal in 2026?
Yes, conditionally. GA4 is usable in Portugal with prior, explicit, granular consent under Article 5 of Lei 41/2004. After EU-US DPF (10 Jul 2023) CNPD accepts transfers to DPF-certified US importers — Google LLC remains certified. Without consent or a Portuguese-language privacy notice, CNPD treats GA4 as non-compliant. Unlike the Austrian or Italian DPAs, CNPD has not issued GA4-specific fines.
Why is CNPD especially focused on healthcare data?
CNPD's signature enforcement line is access controls in clinical settings. The 2018 Hospital do Barreiro case (€400K) found 985 active 'doctor' user accounts when the hospital had only 296 doctors — this set the template. Subsequent fines against private healthcare networks have followed the same pattern: Article 5(1)(f) integrity and confidentiality + Article 32 security of processing + Article 9 special-category processing. Any analytics or session-replay tool deployed on a healthcare patient portal will be reviewed under this stricter lens.
What was the Hospital do Barreiro fine about?
October 2018, CNPD fined Hospital do Barreiro €400,000 — the first major Portuguese GDPR fine. The hospital had no role-based access control: staff including non-clinicians could access patient records, and the user-management system had 985 'doctor' accounts when only 296 doctors were employed. Violations of Article 5(1)(c) data minimisation + Article 5(1)(f) integrity and confidentiality + Article 32 security of processing. The case is cited across the EU as a healthcare access-control benchmark.
What was the Município de Lisboa Yellow Vest fine?
May 2021, CNPD fined the Lisbon City Council €1.25M — the largest Portuguese GDPR fine at the time (since exceeded by the €4.3M INE Census fine of Dec 2022). The Council had shared personal data of demonstration organizers (including a Yellow Vest protest) with foreign embassies — Russia, China, Israel and others — over an 11-year period without any legal basis. Articles 5, 6 and 13 were violated. The case is significant because it was a public body sanctioned for cooperating with foreign states without legal grounding.
What is the child consent age in Portugal?
13 — the lowest in the EU. Article 9 of Lei 58/2019 sets the digital-consent age at 13, while GDPR's default is 16 and most EU member states landed between 13 and 16. For services aimed at children below 13 (gaming, social, education), parental consent is required. This matters for analytics deployments on under-13 audiences — Lei 41/2004 Art 5 cookie consent cannot be obtained directly from a 12-year-old.
What language must my privacy notice be in?
Portuguese. CNPD's position aligns with the EDPB targeting test — for sites targeting Portugal (Portuguese-language content, .pt domain, EUR pricing, Portuguese-language marketing), notices and consent banners must be in European Portuguese. English-only is insufficient. Brazilian Portuguese is acceptable in spirit but European Portuguese is the safe default for PT-targeted properties.
Do I need a Portuguese DPO?
DPO designation follows GDPR Art 37 baseline — Lei 58/2019 did not lower the threshold. Mandatory when (a) processing is by a public authority, (b) core activities require regular and systematic monitoring of data subjects on a large scale, or (c) core activities involve large-scale special-category or criminal-conviction data. Healthcare networks, insurers, telecoms and large e-commerce operations almost always require a DPO under (b) or (c). Note that CNPD's 2019 Deliberação 2019/494 disapplied Lei 58/2019's stricter DPO competence rules.
Do I need a Portuguese Article 27 representative?
Yes if you are a non-EU controller offering goods/services to or monitoring behavior of people in Portugal (or any EEA state), unless the small-business exception in Art 27(2) applies. CNPD has not been the most aggressive DPA on Art 27 enforcement — German and French DPAs lead — but absence of a representative is still a finding when a complaint reaches CNPD.
What is Lei 58/2019 and why did CNPD partly disapply it?
Lei 58/2019 is Portugal's GDPR Implementation Law (Aug 2019). The same year, CNPD adopted Deliberação 2019/494 declaring parts of the law incompatible with GDPR — Articles 2, 20, 23, 28, 37, 38, 39, 61 and 62. CNPD announced it would disapply these provisions. The move was politically controversial but is now precedent: CNPD asserts GDPR primacy over the national law where they conflict.
Are pre-ticked cookie boxes acceptable in Portugal?
No. CNPD's 2023 cookie guidance reiterates the EDPB position — consent must be free, specific, informed, unambiguous, and given by a clear affirmative act. Pre-ticked boxes, cookie walls without a genuine alternative, and reject buttons less prominent than accept buttons all fail. This applies to GA4, Meta Pixel, TikTok Pixel and any non-strictly-necessary cookie under Lei 41/2004 Art 5.

// EDITORIAL · NOT LEGAL ADVICE This page summarises Portugal's privacy framework as of 2026-05-05. Rules vary by sector, establishment, and DPA position. For binding interpretation, consult counsel admitted here.