Skip to main content

Portuguese DPA activities - Data Protection Impact Assessment List and DPO & Data Breaches notifications


The Portuguese Data Protection Authority (“DPA”) recently announced a public consultation on the list of processing activities that requires a Data Protection Impact Assessment (“DPIA”). This public consultation arises from the obligation imposed to the Data Protection Authorities across the European Union to establish and make public a list of kind of processing operations which are subject to the requirement for a DPIA, under paragraph 4 of Article 35 and item k) of paragraph 1 of Article 57 of the GDPR.

The list of processing activities set forth on Draft Regulation no. 1/2018 is a non-exhaustive and dynamic list to be updated whenever deemed necessary. The DPA determines that the following processing activities are subject to a DPIA:

  1. Processing of categories of personal data established in paragraph 1 of article 9 (special categories of personal data) and in Article 10 (personal data related to criminal convictions and offences) of GDPR for other purposes than those for which they have been collected, except if such processing is regulated by law and is preceded by a DPIA;
  2. Processing of information resulting from the use of sensors or other electronic devices that transmit, through communication networks, personal data, with legal effects on data subjects or that significantly affect them in a similar manner, namely those that allow to analyse and predict the localization and movements, personal preferences or interests, consumptions or other behaviours and health of data subjects (e.g.: implanted or applied medical devices);
  3. Interconnection of personal data or processing of personal data that links the data referred in paragraph 1 of Article 9 of GDPR;
  4. Processing of personal data based on indirect collection, where it is not possible or feasible to ensure the right to information, under Article 14 of GDPR;
  5. Processing of personal data consisting of profiling on a large scale;
  6. Processing of personal data that allows to track the localization or behaviour of the data subjects, except where the processing is essential for the provision of services required by Clients;
  7. Processing of biometric personal data for unambiguous identification of the data subjects, except if such processing is regulated by law and is preceded by a DPIA;
  8. Processing of personal data using new technologies or new use of existing technologies;
  9. Significant change of the information system’s architecture on which the processing of personal data is carried out.

The deadline to submit the contributions to the public consultation will end on September 18th.

In compliance with its obligations under the GDPR, the Portuguese Data Protection Authority also made available at its website ( two different forms as a result of the application of GDPR.

One of those forms is related to the communication to the DPA of the data controllers’ Data Protection Officer (“DPO”), which is available at This form allows the data controller to (i) make the notification of its DPO, (ii) amend a previous notification or (iii) communicate the termination of the duties performed by the DPO.

Finally, the other form relates to the notification of a personal data breach to the DPA, under Article 33 of GDPR and is available at This form allows data controller to (i) notify a personal data breach and (ii) amend a previous notification that has been submitted to the DPA.


Article provided by: Ricardo Henriques (Abreu Advogados)

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.


About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.