The GDPR (General Data Protection Regulation) and Portuguese data protection legislation, namely Law No. 58/2019, impose strict obligations on e-commerce operators. The CNPD (Comissão Nacional de Proteção de Dados) is the supervisory authority in Portugal, responsible for overseeing compliance and imposing sanctions for violations. For online stores, compliance with these rules is not just a legal obligation but also a trust factor with Portuguese consumers who are increasingly aware of their data rights.
Cookie management and consent
Prior, explicit consent (a clear affirmative act by the user) is required before any non-essential cookie is placed on, or read from, the user's device; pre-ticked boxes, continued browsing or scrolling do not count as consent. The cookie banner must let users accept, reject or customise their preferences with equal ease, meaning a one-click "reject all" alongside "accept all", without dark patterns that make refusal harder than acceptance. Strictly necessary cookies (session cookies, shopping cart cookies and the cookie that records the user's consent choice itself) do not require consent but must be disclosed. Analytics cookies (Google Analytics, for example) and advertising cookies (Facebook Pixel, Google Ads) require prior explicit consent before activation, and that gate has to be enforced in the code that loads the tags, not merely displayed as a banner: a page that fires the analytics or advertising tag before the user has chosen is in breach even if a banner is showing, and the request is visible to anyone in the browser's developer tools. The CNPD has been particularly active in enforcing cookie banner compliance, having issued specific guidelines on this matter and conducted audits of major Portuguese websites.
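The consent gate described above, as an added illustration that is not code from the original page or from any consent-management product: optional tags are shipped inert and are only activated once a stored consent record allows their category, "reject all" is a single action of the same cost as "accept all", and a malformed, tampered or outdated consent record falls back to "no decision yet" so that it can only ever reduce what runs. The category names (analytics, advertising), the cookie name, the record format and the `data-consent` / `data-src` attribute convention are assumptions made for the example, not a standard.

```javascript
// Consent-gated tag loading. Added example; not code from the page.
// Category names, the cookie name and the data-* attributes are assumptions.

const OPTIONAL = ["analytics", "advertising"]; // need prior opt-in
const CONSENT_COOKIE = "cookie_consent";        // assumed name; the record itself is strictly necessary
const CONSENT_VERSION = 1;                       // bump when the cookie policy changes, forcing a fresh choice

// State before the visitor has chosen anything: undecided, every optional category off.
function defaultConsent() {
  return { version: CONSENT_VERSION, decided: false, analytics: false, advertising: false, at: null };
}

// One click each: accepting and rejecting cost the user exactly the same single action.
function acceptAll(now = Date.now()) {
  return { ...defaultConsent(), decided: true, analytics: true, advertising: true, at: now };
}
function rejectAll(now = Date.now()) {
  return { ...defaultConsent(), decided: true, at: now };
}

// Granular choice from a preferences panel. Absent keys stay off (no pre-ticked
// defaults) and keys outside the policy's categories are ignored.
function customize(choices, now = Date.now()) {
  const c = rejectAll(now);
  for (const cat of OPTIONAL) c[cat] = choices[cat] === true;
  return c;
}

// The single decision point every tag goes through. Fails closed on anything unknown.
function mayActivate(category, consent) {
  if (category === "necessary") return true;       // session, cart, the consent record itself
  if (!OPTIONAL.includes(category)) return false;  // category not listed in the policy: never runs
  return consent.decided === true && consent[category] === true;
}

// Pure version over plain tag descriptors so the gate can be tested without a DOM.
// Returns the subset of tags allowed to run under this consent state.
function gateScripts(tags, consent) {
  return tags.filter((t) => mayActivate(t.category, consent));
}

// Serialise the record for a first-party cookie (value part only).
function serializeConsent(consent) {
  return encodeURIComponent(JSON.stringify(consent));
}

// Parse a stored record. Anything malformed, tampered or from an older policy
// version is treated as "no decision yet", so a bad record can only reduce consent.
function parseConsent(raw) {
  try {
    const c = JSON.parse(decodeURIComponent(raw));
    if (!c || c.version !== CONSENT_VERSION || typeof c.decided !== "boolean") return defaultConsent();
    const out = defaultConsent();
    out.decided = c.decided;
    out.at = Number.isFinite(c.at) ? c.at : null;
    for (const cat of OPTIONAL) out[cat] = c.decided && c[cat] === true;
    return out;
  } catch {
    return defaultConsent();
  }
}

// Browser glue (needs a DOM, so not exercised offline). Tags are shipped inert as
// <script type="text/plain" data-consent="analytics" data-src="https://..."></script>
// and are turned into real <script> elements only when the gate says yes.
function activateInDocument(consent, doc = globalThis.document) {
  if (!doc) return 0;
  let activated = 0;
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!mayActivate(el.dataset.consent, consent)) continue;
    const s = doc.createElement("script");
    if (el.dataset.src) s.src = el.dataset.src; else s.textContent = el.textContent;
    el.replaceWith(s);
    activated++;
  }
  return activated;
}

// Constructed sample of the tags an online store might ship (not real configuration).
const SAMPLE_TAGS = [
  { name: "session", category: "necessary" },
  { name: "cart", category: "necessary" },
  { name: "google-analytics", category: "analytics" },
  { name: "facebook-pixel", category: "advertising" },
  { name: "google-ads", category: "advertising" },
  { name: "mystery-tag", category: "personalisation" }, // not in the policy: never runs
];
```

The important property is that the default state, a rejected state and an unparseable consent cookie all produce the same result: only the strictly necessary tags run. Reading the stored record on every page load (via `parseConsent` on the `CONSENT_COOKIE` value) and re-running the gate is what keeps the choice effective across the site, and storing the timestamp and policy version gives the controller a record of when and to what the user consented.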
Mandatory privacy policy
The e-commerce website must include a clear and accessible privacy policy, written in Portuguese, informing users about: the personal data collected and the purposes of processing, the legal basis for each processing activity (consent, contract performance, legitimate interest), the recipients or categories of recipients of the data, any transfer of data outside the EU/EEA and the safeguards that cover it (relevant for analytics and advertising providers), the applicable retention periods, the rights of data subjects and how to exercise them, and the contact details of the data controller and, where applicable, the Data Protection Officer (DPO). The policy must be reachable from every page of the website, typically via a footer link, and should be written in clear, plain language rather than dense legal jargon.
Customer rights and response deadlines
Customers have the right to access their personal data, to rectification of incorrect data, to erasure (the right to be forgotten), to data portability to another provider, to object to processing and to restriction of processing. Requests to exercise these rights must be answered within one month; that period may be extended by a further two months where the request is complex or the controller is handling a large number of requests, but the customer must be told of the extension, and the reason for it, within the initial month. Practically, this means the store needs a way to find every record tied to a customer (orders, account, marketing lists, analytics identifiers) and to export or delete it on request. Appointing a DPO is mandatory where the company's core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data, which may apply to online stores with loyalty programmes, behavioural tracking or advanced personalisation features. Even when not mandatory, having a designated privacy contact person is strongly recommended.
CNPD sanctions and enforcement
The CNPD can impose fines of up to 20 million euros or 4% of annual worldwide turnover, whichever is higher, for the most serious infringements (for example, breaches of the basic processing principles, of the conditions for consent or of data subjects' rights). For other infringements, such as failing to keep records of processing or to notify a breach, fines can reach 10 million euros or 2% of turnover. Beyond fines, the CNPD can impose a temporary or definitive limitation on processing, including an outright ban, which for an e-commerce business could mean a complete halt of operations. Portuguese courts have also been increasingly receptive to data protection claims from consumers. Zunapro ensures complete GDPR compliance for your e-commerce platform in Portugal, including privacy audits, compliant cookie banner implementation, privacy policy drafting and ongoing compliance monitoring.