Guidelines and Recommendations

Security Measures

Protecting your personal data is essential to ensuring your privacy and security in both the digital and physical environments. Adopting good practices can reduce the risks of unauthorised access, identity theft, fraud, and other incidents that compromise your personal information.


Protect your electronic devices
  • Use strong passwords and enable two-factor authentication whenever possible.
  • Keep operating systems and applications up to date, as updates include essential security fixes.
  • Install and maintain active antivirus and firewall software to protect yourself against cyber attacks.
  • Avoid connecting to unprotected public Wi-Fi networks, especially when accessing bank accounts or sensitive services.

Be careful with your personal data
  • Do not share sensitive information such as your ID number, address or bank details on social media or insecure platforms.
  • Always read privacy policies before providing your data to an entity.
  • Be wary of requests for personal information by phone, email or messages that seem suspicious (phishing).

Protect your online accounts
  • Use unique passwords for each account and change them regularly.
  • Avoid storing passwords in unprotected files or sharing them with third parties.
  • Monitor your social media privacy settings and restrict access to your data.

Be wary of suspicious emails and messages
  • Do not click on links or open attachments from unknown senders.
  • Verify the authenticity of emails requesting personal information, especially if they mention banks or public services.
  • Use security verification tools to identify possible fraud.

Delete data securely
  • Before selling or disposing of electronic devices, make sure that all personal data has been permanently deleted.
  • Shred physical documents containing personal information before throwing them away.

Report suspicious activity

If you suspect that your data has been misused or that your privacy has been violated, you can file a complaint with the National Data Protection Commission (CNPD).


For more information on how to protect your personal data and avoid risks, consult the CNPD.

Health

Health data is considered sensitive personal data, as it contains highly private information about a person's physical or mental health. The processing of this data must be carried out with strict security measures and respect for citizens' privacy, ensuring that only authorized persons have access to this information.

Who can process health data?
Health data may only be processed by:

  • Healthcare professionals subject to confidentiality obligations, such as doctors, nurses, and pharmacists;
  • Healthcare institutions, including hospitals, clinics, laboratories, and pharmacies, when necessary for the provision of healthcare;
  • Insurance companies and public entities, only in situations provided for by law.


No other entity may collect or use health data without clear legal justification.

Can I refuse to share my health data?

Yes. As a rule, you have the right to decide who can access your health data and for what purpose. However, there are exceptions, such as legal obligations to report contagious diseases to health authorities.

How can I ensure that my health data is protected?
  • Always ask for information about who can access your data and for what purpose.
  • Avoid sharing medical information by email or social media, unless it is in a secure environment and with trusted professionals.
  • Make sure that your medical records are protected by adequate security measures at the hospital, clinic or laboratory where you receive care.
  • When downloading health apps, check that the privacy policy protects your data and does not share it with third parties without your consent.

Can my employer request my health data?

Your employer cannot demand access to detailed information about your health, except in cases provided for by law, such as occupational medical examinations to ensure fitness for certain duties.


What should I do if my health data is breached?

If you suspect that your health data has been used without authorisation, stored insecurely or shared improperly, you can file a complaint with the National Data Protection Commission (CNPD).


For more information about your rights in the area of health and the protection of your data, please consult the CNPD.

Work

In the workplace, personal data protection is essential to ensure employee privacy and compliance with legal obligations by employers. Employee personal data, including information on attendance, performance, health, and internal communications, must be handled in accordance with the principles of necessity, proportionality, and data minimization.

What personal data can be collected by the employer?

The employer may only collect data that is strictly necessary for the management of the employment relationship, such as:

  • Identification data (name, address, tax identification number, etc.);
  • Information about the employment contract (job category, working hours, remuneration, etc.);
  • Bank details for payroll processing;
  • Attendance data for monitoring schedules and attendance;
  • Health information, only when necessary and permitted by law (e.g., mandatory medical examinations).

Other sensitive data, such as information about political opinions, private life, or criminal records, cannot be processed, except in cases expressly provided for by law.

Can employers monitor work emails and devices?

The employer may set rules for the use of corporate emails and professional devices (computers, mobile phones, etc.), but may not access employees' private communications without legal justification and prior notice. Monitoring may only be carried out in a proportionate and transparent manner.

Can employers use video surveillance in the workplace?

The installation of video surveillance cameras is permitted only for security purposes and must comply with data protection legislation. The use of video surveillance for continuous monitoring of employee performance is prohibited. In addition, employees must be informed of the existence of the cameras and their purpose.

Can biometrics be used for attendance control?

The use of biometric data (such as fingerprints or facial recognition) for attendance registration must be justified and proportionate. Whenever less intrusive alternatives exist, they must be preferred.

What to do in case of improper data processing at work?

If a worker suspects that their data is being processed abusively, they can:

  • Request information from the employer about the processing of their data;
  • Exercise their rights of access, rectification, or deletion of data, where applicable;
  • File a complaint with the National Data Protection Commission (CNPD) in the event of a breach of data protection legislation.

For more information about your data protection rights at work, please consult the CNPD.

Education

The protection of personal data in the education sector is essential to ensure the privacy of students, teachers and other professionals in educational institutions. Schools, universities and training centres must comply with data protection regulations, ensuring that personal information is processed in a secure, transparent and proportionate manner.

What data can be collected by educational institutions?

Educational institutions may only collect and process data necessary for academic and administrative management, such as:

  • Student identification data (name, date of birth, identification number, address, contact details, etc.);
  • Academic data (grades, assessments, school attendance, among others);
  • Health information, only when necessary and permitted by law (e.g. chronic illnesses, allergies, special learning needs);
  • Data on parents or guardians for contact and legal responsibility purposes.

Institutions must ensure that the processing of such data complies with the principles of purpose, minimisation and security.

Can schools publish photographs or videos of students?

The disclosure of photographs or videos of students on social networks, websites or institutional materials requires the prior and explicit consent of parents or guardians (for minors) or of the students themselves (if they are of legal age). The authorisation must be clear as to the purpose and duration of the use of the images.

Can institutions share student data with third parties?

Student data cannot be shared with third parties without an adequate legal basis. It can only be transmitted to entities with a legitimate justification, such as the Ministry of Education, social security services or health authorities, in accordance with the law.

Can there be video surveillance in schools?

The installation of video surveillance cameras in schools is only permitted for security purposes and must comply with data protection rules. Cameras cannot be installed in places such as classrooms, changing rooms or canteens, and the school community must be informed of their existence.

Can the school monitor the use of the internet and electronic devices?

Schools may set rules for the use of the internet and electronic devices (such as school computers), but any monitoring must respect the privacy of students and teachers. Access to private content or personal communications without authorisation is prohibited.

What to do in case of misuse of data in education?

If there is suspicion of misuse of personal data in an educational context, students, parents or teachers may:

  • Request information from the institution about data processing;
  • Exercise their rights of access, rectification or deletion of data, where applicable;
  • Lodge a complaint with the National Data Protection Commission (CNPD).

For more information on data protection in the education sector, please consult the CNPD.

Call Recording

The recording of telephone calls by organizations must comply with data protection legislation, ensuring that citizens' rights are respected. The processing of these recordings must be carried out with transparency, proportionality, and security, ensuring that only strictly necessary data is collected and stored.


In what situations is call recording permitted?

Call recording can only be carried out when there is a valid legal basis, such as:

  • Compliance with a legal obligation (e.g., emergency calls, regulated financial services).
  • Execution of a contract (e.g., provision of a service requiring communication registration).
  • Legitimate interest of the organization, provided that it respects the rights of data subjects.
  • Explicit consent from the person participating in the call.

If the recording is based on consent, it must be free, informed, and specific, allowing the data subject to refuse without negative consequences.


Should organizations inform callers that the call is being recorded?

Yes. Before starting the recording, the organization must inform the call participants about:

  • The purpose of the recording and the legal basis that justifies it.
  • Who will have access to the recording and how long it will be stored.
  • The right to access the recording or request its deletion, where applicable.

The warning must be clear and understandable, allowing the person to decide whether or not to continue the call.


How long can recordings be stored?

Recordings should only be kept for as long as necessary to fulfill the purpose for which they were collected. Once this period has expired, they should be securely deleted. The retention period may vary depending on applicable legislation or the specific needs of the organization, but it should always be proportionate and justified.


Who can access the recordings?

Access to recordings should be restricted to authorized persons and only for previously defined purposes. Organizations should ensure that:

  • The recordings are not shared improperly with third parties.
  • There are adequate security measures in place to prevent unauthorized access.
  • The recordings are used only for the purposes disclosed to the data subjects.

Is it permissible to record calls made by employees in a work context?

Calls made or received by employees may not be recorded for ongoing performance monitoring. Recording may only be permitted if it is necessary for:

  • Ensuring quality customer service.
  • Complying with legal obligations (e.g., banking sector, emergency services).
  • Protecting legitimate rights and interests, provided that the impact on employee privacy is minimized.

In any case, workers must be informed in advance about the recording and its purpose.


What to do in case of improper call recording?

If an organization records calls without complying with legal standards, data subjects may:

  • Request information about the legal basis for recording and storage time.
  • Request access to the recording or its deletion, if applicable.
  • File a complaint with the National Data Protection Commission (CNPD) in case of misuse.

For more information on call recording and data protection, please refer to the CNPD.

Data Protection Officer (DPO)

The Data Protection Officer (DPO) is a professional responsible for ensuring that an organisation complies with personal data protection legislation. Their role is essential in promoting compliance and ensuring that citizens' rights are respected.

What does a Data Protection Officer do?

The DPO has several functions, including:

  • Ensuring the organisation's compliance with data protection standards;
  • Informing and advising the entity and its employees about their legal obligations;
  • Monitoring the application of data protection policies within the organisation;
  • Acting as the point of contact between the organisation, data subjects and the National Data Protection Commission (CNPD);
  • Providing advice on data protection impact assessments (DPIA).

Who is required to appoint a DPO?

The appointment of a Data Protection Officer is mandatory for:

  • Public authorities or bodies (regardless of the type of data processed);
  • Companies or organisations whose main activities involve the systematic and regular processing of personal data on a large scale;
  • Entities that process special categories of data, such as health data, biometrics or criminal data.


Even when it is not mandatory, any organisation can appoint a DPO to enhance security and transparency in data processing.


Who can be appointed as Data Protection Officer?

The DPO can be an internal employee of the organisation or an external professional hired for this role. They must have specialist knowledge of data protection legislation and practices and act independently and impartially.


Can the DPO be held liable for non-compliance?

The DPO is not personally liable for non-compliance with data protection legislation. The responsibility lies with the organisation that appoints them, with the DPO acting as a support to ensure compliance.


How to contact a Data Protection Officer?

Organisations that have a DPO must make their contact details available to the public so that data subjects can exercise their rights or clarify any doubts about the processing of their personal data.


What to do if an organisation does not have a DPO when it is mandatory?

If an entity that is legally required to appoint a DPO fails to do so, it may be subject to sanctions. If you suspect a violation of the law, you can file a complaint with the National Data Protection Commission (CNPD).


For more information on the role of the Data Protection Officer and their appointment, please consult the CNPD.

Data Provision

Personal data should be provided with caution, ensuring that your information is not misused or used without your consent. Whether in a digital or physical context, it is essential to know your rights and adopt good practices to protect your privacy.

When can I be required to provide my personal data?

You may be required to provide your personal data in a number of situations, such as:

  • To access public or private services (e.g. social security, banking, health);
  • To enter into contracts (e.g. employment, insurance, telecommunications services);
  • For legal or tax purposes, as required by law.

Entities requesting your data must inform you of the purpose of the processing, the legal basis and your rights.


Can I refuse to provide my data?

Yes, except when data processing is required by law. If the provision of data is based on consent, you have the right to refuse without suffering undue consequences.


Who can access my personal data?

Your data can only be accessed by:

  • Entities with a legal justification for data processing;
  • Third parties only with your explicit consent or when permitted by law;
  • Companies that guarantee adequate security measures to protect your information.

If your data is shared without your knowledge or without a legal basis, this may constitute a data protection violation.


What precautions should I take when providing my data online?
  • Avoid sharing sensitive data on social networks or untrustworthy websites;
  • Before filling out online forms, check the entity's privacy policy;
  • Be wary of suspicious emails or calls requesting personal information (phishing);
  • Use strong passwords and enable two-factor authentication to protect online accounts.

Can I ask for my data to be deleted?

Yes. Under data protection legislation, you have the right to have your data deleted in certain situations, such as:

  • When the data is no longer necessary for the initial purpose;
  • When the processing was based on your consent and you decide to withdraw it;
  • When the data has been processed unlawfully.

However, this right may be limited in cases where data retention is required by law.


What should I do if my data is used without authorisation?

If you suspect that your data has been shared or misused, you can:

  • Ask the entity responsible for processing your data for clarification;
  • Request the deletion, rectification or restriction of the use of the data;
  • Lodge a complaint with the National Data Protection Commission (CNPD).

For more information on the provision of data and your rights, please consult the CNPD.

Internet Diffusion

The internet has become an essential medium for communication and information sharing, but the dissemination of personal data online must be done responsibly, ensuring the privacy and security of data subjects. Organizations that publish, share, or store personal data on the internet must adopt good data protection practices, respecting the legislation in force.


When can organizations disclose personal data on the internet?

The disclosure of personal data on the internet can only occur when there is a legal basis that justifies it, such as:

  • Explicit consent of the data subject, when they authorize the publication of their information.
  • Legal obligation, if disclosure is required by law or specific regulations.
  • Performance of a contract, if publication is necessary to fulfill a contractual obligation.
  • Legitimate interest, provided that the disclosure does not violate the rights and freedoms of data subjects.

If data is made publicly available, the data subject must be informed of this possibility at the time of data collection.


What are the risks of improper data dissemination on the internet?

Uncontrolled disclosure of personal data can result in:

  • Identity theft, through the improper use of personal information.
  • Unauthorized access to sensitive information, compromising the privacy of data subjects.
  • Cyberattacks and fraud, such as phishing and social engineering.
  • Damage to reputation, especially if incorrect or out-of-context information is disclosed.

To minimize these risks, organizations must ensure that only strictly necessary data is published and that adequate security measures are applied.


Publication of customer, employee, or student data

Organizations cannot disclose personal data of customers, employees, students, or other data subjects without a valid justification. This includes:

  • Publication of names and contacts on websites or social media without authorization.
  • Disclosure of photographs or videos of employees or clients without consent.
  • Sharing of academic or professional data without legal justification.

Whenever data publication is necessary, the organization must inform data subjects about their rights and allow them to request the removal of the information.


Data collection through websites and social media

Organizations that collect personal data through digital platforms must:

  • Clearly inform users about the collection and processing of data (e.g., privacy policies).
  • Obtain explicit consent for the use of cookies and tracking technologies.
  • Ensure the security of collected data, preventing unauthorized access.
  • Allow users to exercise their rights, including the right to erasure of their data.

How to remove personal data from the internet?

If a data subject requests the removal of their information from the internet, the organization must:

  1. Delete the data if there is no longer a legal justification for its retention.
  2. Request the de-indexing of content from search engines, if applicable.
  3. Ensure that third parties who have accessed the data also stop processing it.

If data has been improperly disclosed, the data subject can file a complaint with the National Data Protection Commission (CNPD).


Data transfer to online platforms and cloud services

Organizations that use cloud services or online platforms must ensure that:

  • They choose providers that comply with data protection standards.
  • They verify the location of the servers, ensuring that data is not transferred to countries without adequate protection guarantees.
  • They implement security measures, such as encryption and access control.

What to do in case of a data breach on the internet?

If an organization discloses personal data without authorization or suffers an attack that compromises online information, it must:

  • Assess the extent of the breach and the data affected.
  • Notify the CNPD if the breach represents a risk to data subjects.
  • Inform affected data subjects if the breach could have a significant impact on their privacy.
  • Adopt corrective measures to prevent future occurrences.

If a data subject feels aggrieved by the improper dissemination of their information on the internet, they can file a complaint with the National Data Protection Commission (CNPD).


For more information on data dissemination on the internet and good data protection practices, consult the CNPD.