Guidelines and Recommendations

Security Measures

The protection of personal data requires the adoption of appropriate technical and organizational measures, regardless of the sector of activity. These measures must cover information systems, internal procedures, and employee training, ensuring compliance with data protection legislation.

Basic principles of information security

  • Confidentiality – Ensuring that data is accessible only to authorized persons.
  • Integrity – Ensuring that data is not unduly or accidentally altered.
  • Availability – Ensuring that data is accessible to authorized persons whenever it is needed.

Technical security measures

To prevent data breaches and unauthorized access, organizations must adopt:

  • Access controls – Restricting access to data only to authorized employees.
  • Data encryption – Using encryption techniques to protect sensitive information.
  • Strong passwords – Implementing policies for creating and updating robust passwords.
  • Multi-factor authentication (MFA) – Requiring more than one authentication factor to access critical systems.
  • Monitoring and auditing – Implementing access logs and continuous monitoring of systems.
  • Updates and security patches – Keeping operating systems and software updated.
  • Regular backups – Performing frequent backups and storing them in secure locations.

Organizational security measures

In addition to technological solutions, organizations must implement good internal practices, such as:

  • Defining internal data protection policies and training employees.
  • Periodically reviewing access, ensuring that only authorized persons access data.
  • Carrying out risk assessments to identify vulnerabilities and correct security flaws.
  • Maintaining incident response plans, including procedures for managing data breaches.
  • Ensuring contractual confidentiality, so that employees and service providers sign confidentiality agreements.

Security in data transfer and storage

Organizations must ensure that personal data is protected both in storage and in transmission:

  • Avoiding sending sensitive data by email without adequate protection.
  • Using VPNs and secure networks for remote access to internal systems.
  • Storing personal data on protected servers, with controlled access and enhanced security measures.

Incident and data breach management

If an organization detects a security incident involving personal data, it must:

  1. Identify and contain the security flaw to prevent its spread.
  2. Assess the impact of the breach and the affected data.
  3. Report the breach to the CNPD if it represents a risk to data subjects.
  4. Notify data subjects if the breach could cause significant damage.
  5. Correct the flaw and strengthen security measures to prevent future incidents.

Employee training and awareness

Information security depends not only on technology but also on human behavior. Therefore, organizations must:

  • Train their employees on good data protection practices.
  • Create a security culture, encouraging the identification and communication of risks.
  • Establish clear guidelines for the use of computer devices and systems.
 
What to do in case of non-compliance with security measures?

Organizations must be prepared to respond quickly to security failures. If a data subject suspects improper processing or a data breach, they can file a complaint with the National Data Protection Commission (CNPD).


For more information on how to ensure the security of personal data in your organization, consult the CNPD.

Health

The processing of personal data in the health sector requires high levels of security and confidentiality, as this data is considered sensitive and can reveal detailed information about individuals' physical and mental health. Public or private health entities must ensure that data processing complies with data protection legislation, ensuring patient privacy and preventing undue access.

Who can process health data?

  • Health professionals subject to professional secrecy, such as doctors, nurses, pharmacists, and psychologists.
  • Healthcare providers, including hospitals, clinics, laboratories, and pharmacies.
  • Public health authorities, when necessary for health surveillance or disease prevention purposes.


Other entities cannot access or process health data without adequate legal justification.

What are the rules for processing health data?

Organizations must respect the following fundamental principles:

  • Specific purpose – Data should only be collected for legitimate purposes, such as diagnosis, treatment, and health care management.
  • Data minimization – Only strictly necessary data should be processed.
  • Security and confidentiality – Strict measures must be implemented to prevent undue access or unauthorized disclosure.
  • Informed consent – Wherever applicable, the data subject must be informed about the purpose of the processing and give their consent, except in cases where the law allows processing without consent.

How should health data be stored?

Health data must be stored in secure systems, protected against unauthorized access, including:

  • Data encryption, both in transit and at rest.
  • Access control, ensuring that only authorized professionals can consult the data.
  • Access and activity logs, allowing monitoring of who accessed the information and when.
  • Regular backups, to prevent the loss of critical data.

How long can health data be stored?

Health data should only be kept for the time necessary to fulfill the purpose of its processing. Legislation may define specific deadlines for retaining clinical records, after which the data must be deleted or anonymized.


Can health data be shared with third parties?

Sharing health data is only allowed in the following cases:

  • Between health professionals, when necessary to ensure continuity of patient care.
  • With the explicit consent of the data subject, except in legally provided situations.
  • For scientific research purposes, provided that the data is anonymized or pseudonymized.
  • By legal obligation or public interest, as in the case of epidemics or public health emergencies.

What are the rights of health data subjects?

Citizens have the right to:

  • Access their health data and obtain a copy of their clinical record.
  • Correct incorrect or outdated information in their medical records.
  • Request the deletion of their data, when legally applicable.
  • Be informed about who has access to their data and for what purpose.

What to do in case of a health data breach?

If a health entity suffers a data breach that may compromise patient privacy, it must:

  1. Notify the CNPD if the incident represents a risk to data subjects.
  2. Inform affected data subjects, when necessary.
  3. Adopt corrective measures, strengthening security to prevent future occurrences.

If a citizen suspects improper use of their health data, they can file a complaint with the National Data Protection Commission (CNPD).

For more information on data protection in the health area, consult the CNPD.

Work

Organisations have a responsibility to ensure that the processing of employees' personal data is carried out in a transparent and proportionate manner and in accordance with data protection legislation. Respect for employees' privacy must be ensured at all stages of the employment relationship, from recruitment to the end of the employment contract.


What personal data can employers collect?

Employers may only collect data that is strictly necessary for the management of the employment relationship, such as:

  • Identification data (name, address, contact details, tax identification number and social security number).
  • Contractual information (job category, date of hire, working hours and remuneration).
  • Bank details for salary processing.
  • Attendance records, provided they comply with the principles of proportionality and necessity.
  • Health information, only when strictly necessary, such as medical examinations required by law for certain jobs.

The employer may not collect or process information on political opinions, religion, sexual orientation or other categories of sensitive data, except when required by specific legal obligations or with the explicit consent of the employee.


Monitoring in the workplace: what is permitted?

The monitoring of employees must be carried out within the limits of the law, ensuring a balance between the employer's needs and the employees' right to privacy.

  • Emails and work devices: The employer may set rules for the use of equipment and corporate email accounts, but may not access employees' private content without legal justification and prior notice.
  • Video surveillance: Cameras may only be installed in the workplace for security and protection of property and people. Cameras may not be used for continuous monitoring of employee performance, and employees must be informed of their existence.
  • Biometric systems: The use of fingerprints, facial recognition or other biometric technologies for attendance monitoring must be proportionate and justified. Where less intrusive alternatives exist, these should be preferred.
  • Geolocation (GPS): The monitoring of company vehicles or mobile devices via GPS is only permitted if it is strictly necessary for work activities and has been previously communicated to employees.

Is the employee's consent mandatory for data processing?

In the workplace, consent is not always a valid legal basis for data processing, as the relationship between employer and employee may not guarantee truly free consent. Therefore, data processing must be based on other legal justifications, such as compliance with legal or contractual obligations.


How long can employee data be retained?

Employee data should only be retained for as long as necessary for the purpose for which it was collected. After the termination of the contract, the data must be deleted, unless there is a legal obligation to retain it for a specific period (e.g. for tax or social security purposes).


Can employees access and correct their data?

Yes. Employees have the right to:

  • Access their personal data processed by their employer.
  • Request the rectification of incorrect or outdated data.
  • Request the deletion of their data if it is no longer necessary for the purpose for which it was collected.

What to do in the event of a data breach in the workplace?

If there is a security incident that compromises employee data, the employer must:

  1. Assess the impact of the breach and identify the data affected.
  2. Report the incident to the CNPD if it poses a risk to data subjects.
  3. Notify affected workers if the breach could cause significant harm.
  4. Take corrective measures to prevent future security breaches.

If an employee suspects that their data is being mishandled, they can file a complaint with the National Data Protection Commission (CNPD).


For more information on data protection in the workplace, please consult the CNPD.

Education

Educational institutions, from nurseries and schools to universities and training centres, process a large amount of personal data belonging to students, parents, teachers and staff. It is essential that the processing of this information complies with data protection legislation, ensuring privacy, security and transparency in the access and use of data.


What data can be collected by educational institutions?

Educational institutions may only collect data necessary for academic and administrative management, including:

  • Student identification data (name, date of birth, identification number, address, contact details, etc.).
  • Guardian data (name, contact details and relationship to the student).
  • Academic information (grades, assessments, school attendance, behaviour records).
  • Health data, only if necessary to ensure the student's well-being (e.g. allergies, special educational needs).

Institutions may not collect excessive data or use it for purposes other than those for which it was provided.


Consent and processing of student data

  • The processing of personal data of underage students must be authorised by their parents or guardians.
  • Consent must be free, informed and specific, especially for activities such as the dissemination of images on social media or participation in studies.
  • For students of legal age, the institution must ensure that the students themselves are aware of the processing of their data and their rights.

Publication of school data and dissemination of images

Schools and universities may not publicly disclose students' personal information without valid justification and express consent. This includes:

  • Publishing grades and school results in places accessible to the public.
  • Disseminating photographs and videos of students on social media, websites or promotional materials.
  • Sharing student lists and contacts without proper protection.

Video surveillance in schools and universities

The installation of video surveillance cameras in educational spaces must comply with strict rules:

  • It can only be done for security purposes and never for continuous monitoring of students, teachers or staff.
  • Cameras cannot be installed in private places such as classrooms, changing rooms and bathrooms.
  • Students and parents must be informed about the existence of the cameras and their purpose.

Distance learning and data protection

Remote teaching and the use of digital platforms for school activities require additional care to protect the privacy of students and teachers:

  • Online teaching platforms must ensure data security by preventing unauthorised access.
  • Classes cannot be recorded or shared without the consent of all participants.
  • Students and teachers must be informed about good digital security practices when using online tools.

Sharing data with third parties

Student data cannot be shared with third parties without a clear legal basis. This includes:

  • Technology companies or educational services that request access to school data.
  • Insurance companies and external entities that intend to use student data for commercial purposes.
  • Competent authorities (e.g. Ministry of Education, Social Security), with whom data can only be shared when required by law.

Rights of students and parents/guardians

Data subjects (or their parents/guardians) have the right to:

  • Access their personal data and know how it is being used.
  • Correct incorrect information in their school records.
  • Request the deletion of data that is no longer necessary or whose retention has no legal justification.
  • Withdraw consent when data processing is based on this authorisation.

What to do in the event of a data breach in education?

If an educational institution suffers a data breach that compromises the privacy of students or teachers, it must:

  1. Assess the impact of the breach and identify the data affected.
  2. Notify the CNPD if the incident poses a significant risk to data subjects.
  3. Inform affected data subjects, when necessary.
  4. Take corrective measures to prevent future security breaches.


If a student, teacher or parent suspects that their data is being misused, they can lodge a complaint with the National Data Protection Commission (CNPD).


For more information on data protection in the education sector, please consult the CNPD.

Call Recording

The recording of telephone calls by organizations must comply with data protection legislation, ensuring that citizens' rights are respected. The processing of these recordings must be carried out with transparency, proportionality, and security, ensuring that only strictly necessary data is collected and stored.


In what situations is call recording permitted?

Call recording can only be carried out when there is a valid legal basis, such as:

  • Compliance with a legal obligation (e.g., emergency calls, regulated financial services).
  • Execution of a contract (e.g., provision of a service requiring communication registration).
  • Legitimate interest of the organization, provided that it respects the rights of data subjects.
  • Explicit consent from the person participating in the call.

If the recording is based on consent, it must be free, informed, and specific, allowing the data subject to refuse without negative consequences.


Should organizations inform callers that the call is being recorded?

Yes. Before starting the recording, the organization must inform the call participants about:

  • The purpose of the recording and the legal basis that justifies it.
  • Who will have access to the recording and how long it will be stored.
  • The right to access the recording or request its deletion, where applicable.

The warning must be clear and understandable, allowing the person to decide whether or not to continue the call.


How long can recordings be stored?

Recordings should only be kept for as long as necessary to fulfill the purpose for which they were collected. Once this period has expired, they should be securely deleted. The retention period may vary depending on applicable legislation or the specific needs of the organization, but it should always be proportionate and justified.


Who can access the recordings?

Access to recordings should be restricted to authorized persons and only for previously defined purposes. Organizations should ensure that:

  • The recordings are not shared improperly with third parties.
  • There are adequate security measures in place to prevent unauthorized access.
  • The recordings are used only for the purposes disclosed to the data subjects.

Is it permissible to record calls made by employees in a work context?

Calls made or received by employees may not be recorded for ongoing performance monitoring. Recording may only be permitted if it is necessary to:

  • Ensure quality customer service.
  • Comply with legal obligations (e.g., banking sector, emergency services).
  • Protect legitimate rights and interests, provided that the impact on employee privacy is minimized.

In any case, workers must be informed in advance about the recording and its purpose.


What to do in case of improper call recording?

If an organization records calls without complying with legal standards, data subjects may:

  • Request information about the legal basis for recording and storage time.
  • Request access to the recording or its deletion, if applicable.
  • File a complaint with the National Data Protection Commission (CNPD) in case of misuse.

For more information on call recording and data protection, please refer to the CNPD.

Data Protection Officer

The Data Protection Officer (DPO) plays a key role in ensuring that organisations comply with data protection legislation. The DPO acts as an intermediary between the organisation, data subjects and the National Data Protection Commission (CNPD), ensuring that the principles of privacy and information security are upheld.


When is it mandatory to appoint a DPO?

The appointment of a Data Protection Officer is mandatory for:

  • Public authorities and bodies, regardless of the type of data processed.
  • Companies and organisations whose main activity involves the systematic and regular processing of personal data on a large scale.
  • Entities that process special categories of data, such as health data, biometrics or criminal records, on a large scale.

Even when it is not mandatory, any organisation can appoint a DPO to reinforce compliance and transparency in the processing of personal data.


What are the duties of the Data Protection Officer?

The DPO must:

  • Inform and advise the organisation and its employees about their legal obligations regarding data protection.
  • Monitor the organisation's compliance with data protection legislation and internal policies.
  • Provide advice on Data Protection Impact Assessments (DPIA) when required.
  • Cooperate with the CNPD and act as a point of contact for data protection issues.
  • Respond to requests from data subjects, ensuring the exercise of their rights (access, rectification, erasure, etc.).

Who can be appointed as DPO?

The Data Protection Officer may be an internal employee of the organisation or an external professional hired to perform this function. They must have:

  • Specialised knowledge of data protection and applicable legislation.
  • The ability to act independently, without receiving instructions that compromise their impartiality.
  • Direct access to senior management, ensuring that data protection policies are properly implemented.

Can the DPO be held liable for data protection breaches?

No. The DPO is not personally liable for non-compliance with data protection legislation. The responsibility lies with the organisation, with the DPO providing support and guidance to ensure compliance.


How should the DPO be communicated?

Organisations that appoint a Data Protection Officer must:

  • Announce their appointment and role within the organisation internally.
  • Communicate their contact details to the CNPD, ensuring that data subjects can exercise their rights.
  • Ensure that the DPO has the autonomy to perform their duties without conflicts of interest.

What should be done if an organisation does not appoint a DPO when it is mandatory?

If an organisation that is legally required to appoint a Data Protection Officer fails to do so, it may be subject to sanctions by the CNPD.

If a data subject has doubts about an organisation's compliance, they can lodge a complaint with the National Data Protection Commission (CNPD).


For more information on the appointment and functions of the Data Protection Officer, please consult the CNPD.

Data Provision

Organisations that collect, use or share personal data must ensure that this information is made available in accordance with data protection legislation. Data sharing must comply with the principles of purpose, proportionality and security, ensuring that data subjects retain control over their information.


In what situations can an organisation make personal data available?

Organisations may only make personal data available when there is a valid legal basis, such as:

  • Consent of the data subject, when they explicitly agree to the sharing of their information.
  • Legal obligation, when the law requires that data be provided to entities such as tax or judicial authorities.
  • Performance of a contract, when sharing is necessary to fulfil an agreement established with the data subject.
  • Legitimate interest of the organisation, provided that the rights and freedoms of data subjects do not prevail.
  • Protection of vital interests, when sharing data is essential to protect the life or physical integrity of the data subject.

If data is shared with third parties, the organisation must ensure that the purpose is compatible with that initially communicated to the data subject.


Is consent always required for data to be made available?

No. Consent is one of the legal bases, but it is not always mandatory. If the provision of data is based on consent, it must be freely given, specific, informed and explicit, allowing the data subject to withdraw their authorisation at any time.

If there is another legal basis for data processing, consent may not be necessary, but the organisation must inform the data subject about the purpose of the sharing.


Can organisations share personal data with third parties?

The sharing of personal data with third parties must be justified and protected by appropriate security measures. Organisations must:

  • Ensure that the third party complies with data protection legislation and uses the information only for the agreed purpose.
  • Enter into a data processing agreement when sharing with subcontractors or business partners.
  • Avoid unnecessary transfers and ensure that the data is not used for purposes incompatible with those originally intended.

If the sharing involves international data transfers, it is necessary to verify that the destination country ensures an adequate level of data protection.


How long can personal data be made available?

Data should only be made available for as long as necessary to fulfil the purpose for which it was shared. After this period, the organisation must delete or anonymise it, ensuring that it is not misused.


What should I do if my data is shared without authorisation?

If your data is made available inappropriately, you can:

  • Request information from the organisation about the legal basis for the sharing.
  • Demand the deletion of your data if the sharing is not duly justified.
  • Lodge a complaint with the National Data Protection Commission (CNPD) if you suspect a breach of the law.

For more information about your rights and good practices in data provision, consult the CNPD.

Internet Diffusion

The internet has become an essential medium for communication and information sharing, but the dissemination of personal data online must be done responsibly, ensuring the privacy and security of data subjects. Organizations that publish, share, or store personal data on the internet must adopt good data protection practices, respecting the legislation in force.


When can organizations disclose personal data on the internet?

The disclosure of personal data on the internet can only occur when there is a legal basis that justifies it, such as:

  • Explicit consent of the data subject, when they authorize the publication of their information.
  • Legal obligation, if disclosure is required by law or specific regulations.
  • Performance of a contract, if publication is necessary to fulfill a contractual obligation.
  • Legitimate interest, provided that the disclosure does not violate the rights and freedoms of data subjects.

If data is made publicly available, the data subject must be informed of this possibility at the time of data collection.


What are the risks of improper data dissemination on the internet?

Uncontrolled disclosure of personal data can result in:

  • Identity theft, through the improper use of personal information.
  • Unauthorized access to sensitive information, compromising the privacy of data subjects.
  • Cyberattacks and fraud, such as phishing and social engineering.
  • Damage to reputation, especially if incorrect or out-of-context information is disclosed.

To minimize these risks, organizations must ensure that only strictly necessary data is published and that adequate security measures are applied.


Publication of customer, employee, or student data

Organizations cannot disclose personal data of customers, employees, students, or other data subjects without a valid justification. This includes:

  • Publication of names and contacts on websites or social media without authorization.
  • Disclosure of photographs or videos of employees or clients without consent.
  • Sharing of academic or professional data without legal justification.

Whenever data publication is necessary, the organization must inform data subjects about their rights and allow them to request the removal of the information.


Data collection through websites and social media

Organizations that collect personal data through digital platforms must:

  • Clearly inform users about the collection and processing of data (e.g., privacy policies).
  • Obtain explicit consent for the use of cookies and tracking technologies.
  • Ensure the security of collected data, preventing unauthorized access.
  • Allow users to exercise their rights, including the right to erasure of their data.

How to remove personal data from the internet?

If a data subject requests the removal of their information from the internet, the organization must:

  1. Delete the data if there is no longer a legal justification for its retention.
  2. Request the de-indexing of content from search engines, if applicable.
  3. Ensure that third parties who have accessed the data also stop processing it.

If data has been improperly disclosed, the data subject can file a complaint with the National Data Protection Commission (CNPD).


Data transfer to online platforms and cloud services

Organizations that use cloud services or online platforms must ensure that:

  • They choose providers that comply with data protection standards.
  • They verify the location of the servers, ensuring that data is not transferred to countries without adequate protection guarantees.
  • They implement security measures, such as encryption and access control.

What to do in case of a data breach on the internet?

If an organization discloses personal data without authorization or suffers an attack that compromises online information, it must:

  • Assess the extent of the breach and the data affected.
  • Notify the CNPD if the breach represents a risk to data subjects.
  • Inform affected data subjects if the breach could have a significant impact on their privacy.
  • Adopt corrective measures to prevent future occurrences.

If a data subject feels aggrieved by the improper dissemination of their information on the internet, they can file a complaint with the National Data Protection Commission (CNPD).


For more information on data dissemination on the internet and good data protection practices, consult the CNPD.