Data Privacy Compliance in the Cloud
Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

Portuguese Data Protection Authority activities - Data Protection Impact Assessment List and notifications for DPO and Data Breaches


The Portuguese Data Protection Authority (“DPA”) recently announced a public consultation on the list of processing activities that requires a Data Protection Impact Assessment (“DPIA”). This public consultation arises from the obligation imposed to the Data Protection Authorities across the European Union to establish and make public a list of kind of processing operations which are subject to the requirement for a DPIA, under paragraph 4 of Article 35 and item k) of paragraph 1 of Article 57 of the GDPR.

The list of processing activities set forth on Draft Regulation no. 1/2018 is a non-exhaustive and dynamic list to be updated whenever deemed necessary. The DPA determines that the following processing activities are subject to a DPIA:

  1. Processing of categories of personal data established in paragraph 1 of article 9 (special categories of personal data) and in Article 10 (personal data related to criminal convictions and offences) of GDPR for other purposes than those for which they have been collected, except if such processing is regulated by law and is preceded by a DPIA;
  2. Processing of information resulting from the use of sensors or other electronic devices that transmit, through communication networks, personal data, with legal effects on data subjects or that significantly affect them in a similar manner, namely those that allow to analyse and predict the localization and movements, personal preferences or interests, consumptions or other behaviours and health of data subjects (e.g.: implanted or applied medical devices);
  3. Interconnection of personal data or processing of personal data that links the data referred in paragraph 1 of Article 9 of GDPR;
  4. Processing of personal data based on indirect collection, where it is not possible or feasible to ensure the right to information, under Article 14 of GDPR;
  5. Processing of personal data consisting of profiling on a large scale;
  6. Processing of personal data that allows to track the localization or behaviour of the data subjects, except where the processing is essential for the provision of services required by Clients;
  7. Processing of biometric personal data for unambiguous identification of the data subjects, except if such processing is regulated by law and is preceded by a DPIA;
  8. Processing of personal data using new technologies or new use of existing technologies;
  9. Significant change of the information system’s architecture on which the processing of personal data is carried out.

The deadline to submit the contributions to the public consultation will end on September 18th.

In compliance with its obligations under the GDPR, the Portuguese Data Protection Authority also made available at its website ( two different forms as a result of the application of GDPR.

One of those forms is related to the communication to the DPA of the data controllers’ Data Protection Officer (“DPO”), which is available at This form allows the data controller to (i) make the notification of its DPO, (ii) amend a previous notification or (iii) communicate the termination of the duties performed by the DPO.

Finally, the other form relates to the notification of a personal data breach to the DPA, under Article 33 of GDPR and is available at This form allows data controller to (i) notify a personal data breach and (ii) amend a previous notification that has been submitted to the DPA.


Article provided by: Ricardo Henriques (Abreu Advogados)


Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

Director CPC project: Dr. Tobias Hö



53 lawyers from 33 countries are contributing to the project “Cloud Privacy Check (CPC)” in 26 different languages.

Understanding the complexity of current European data protection laws and regulations is already difficult enough for an IT engineer, buyer, or business user. In combination with the often small but nevertheless significant differences between various EU member states, however, it can become an almost insurmountable challenge without proper juristic accompaniment from the very start... Read More



The CPC is a trusted, not-for-profit international network of qualified professionals who deliver simplified and straight-forward guidance to help navigate the legal and regulatory environment relating to privacy and the cloud. This is done through collective know-how, research and market analysis gained from pan-European industry activity, collaboration and experience. Our mission is to provide authoritative views, information and practical solutions to two principal stakeholders: industry professionals and public authorities.