Frequently Asked Questions

A Data Protection Officer (DPO) is responsible for overseeing an organisation's compliance with GDPR. Under Article 39 of GDPR, the DPO must:

• Monitor compliance with GDPR and other data protection laws
• Provide advice on processing activities and their lawfulness
• Cooperate with the supervisory authority (CNPD in Portugal)
• Serve as a point of contact for data subjects
• Conduct Data Protection Impact Assessments (DPIAs)

The DPO acts as an intermediary between your organisation and the regulatory authorities, ensuring data protection risks are identified and managed proactively.

A DPO is mandatory if your organisation is:

• A public authority (government, agency, municipality)
• Processing personal data as a core activity
• Conducting large-scale systematic monitoring

However, even if not legally required, appointing a DPO is a best practice for organisations handling significant volumes of personal data, as it demonstrates commitment to GDPR compliance.

Yes, absolutely. GDPR allows organisations to appoint an external DPO, either:

• External DPO Service: A specialist provider manages DPO responsibilities
• Shared DPO Model: Multiple organisations share a single DPO
• Internal DPO: An employee dedicated to data protection

External DPOs offer flexibility, expertise, and cost efficiency, particularly for organisations without dedicated data protection teams.

According to GDPR Article 37, a DPO must have expert knowledge of:

• Data protection law and practices (GDPR, local laws)
• Your organisation's processing activities and systems
• Privacy-enhancing technologies and practices

While no specific certification is required, we recommend independent certifications such as CIPM, CIPP, or specialised DPO training programmes to demonstrate professional competence.

The CNPD (Comissão Nacional de Proteção de Dados) is Portugal's independent supervisory authority for data protection. It enforces GDPR and other data protection laws in Portugal. The CNPD:

• Investigates data protection complaints
• Conducts audits and inspections
• Issues decisions and fines for non-compliance
• Provides guidance and best practice recommendations

Working proactively with the CNPD is a key DPO responsibility and demonstrates your organisation's commitment to compliance.

Yes. Portugal has implemented GDPR through Law 58/2019 and maintains additional protections:

• Código do Trabalho: Employment law with specific data protection provisions
• Public Procurement Framework: Data protection requirements for state contracts
• NIS2 Directive: Cybersecurity requirements (being implemented)
• AI Act: Emerging requirements for AI systems

International organisations operating in Portugal should review these frameworks to ensure full compliance.

Under GDPR and Portuguese law, organisations must notify:

• CNPD: Without undue delay, typically within 72 hours of discovery
• Affected Data Subjects: Without undue delay if there is risk to rights/freedoms

The DPO plays a critical role in coordinating breach response, managing notifications, and liaising with CNPD. Delays or failures can result in significant fines.

A Group DPO manages data protection compliance across multiple entities within an organisation:

• Central oversight of group-wide policies and practices
• Coordination with local DPOs or data protection contacts in each subsidiary
• Consistency in compliance approach across jurisdictions
• Efficient resource allocation

This model is ideal for multinational corporations and complex group structures. A Group DPO works with local representatives in Portugal, Belgium, and other jurisdictions.

Standard Contractual Clauses are standard terms approved by the EU that allow personal data transfers to jurisdictions outside the EU/EEA with adequate safeguards. They:

• Enable compliant data sharing with subsidiaries and partners globally
• Address transfer limitation principles of GDPR
• Require supplementary measures post-Schrems II ruling

International groups operating with Portuguese entities must implement SCCs for any cross-border data transfers.

Non-EU organisations that process personal data of EU residents must appoint an EU Representative if they:

• Offer goods or services to EU residents
• Monitor the behaviour of EU residents
• Are not subject to GDPR by virtue of being in the EU

The EU Representative acts as a single point of contact in the EU for the supervisory authority (CNPD in Portugal, if the representative is based there).

Yes, in some cases the EU Representative and DPO can be the same person or organisation, provided there are no conflicts of interest. However, they must be clearly designated for each role, as they have distinct responsibilities under GDPR.

Our DPO service covers all Article 39 GDPR responsibilities:

• Compliance monitoring and gap analysis
• Advice on lawful processing and DPIA coordination
• CNPD liaison and breach response
• Data subject rights administration
• Policy development and implementation
• Staff training and awareness

We customise our service to your organisation's size, industry, and risk profile.

Yes. Our audit service includes:

• Comprehensive compliance gap analysis
• Risk assessment across your processing activities
• Benchmark against industry best practices
• Detailed remediation roadmap
• Support for ongoing improvements

We help organisations understand their compliance posture and prioritise remediation efforts.

Our training programmes include:

• GDPR Fundamentals: Core principles and obligations
• DPO Essentials: Article 39 responsibilities and implementation
• Data Subject Rights: Access, erasure, portability management
• NIS2 & AI Act: Emerging regulatory requirements
• Sector-Specific Training: Healthcare, finance, HR, public sector

We deliver training in-person, online, or hybrid formats, tailored to your audience and language requirements.

Absolutely. We provide specialised training on Portuguese-specific requirements including CNPD approach, Código do Trabalho, public procurement framework, and local compliance practices. We also cover NIS2 and AI Act implementation for Portuguese organisations.