Assembleia da República (Assembly of the Republic)
Law
(This is not an official translation of the law)
Transposes into national law Directive 2002/58/EC of the European Parliament and the Council of 12 July concerning the processing of personal data and the protection of privacy in electronic communications.
Pursuant to point c) of article 161 of the Constitution, the Assembly of the Republic hereby decrees the following, to be effective as general law of the Republic:
CHAPTER I
Subject and scope
Article 1
Subject and scope of application
1 – The present law transposes to the national legal order Directive 2002/58/EC of the European Parliament and of the Council, of 12 July, concerning the processing of personal data and the protection of privacy in the electronic communications sector, except for article 13 thereof, which concerns unsolicited communications.
2 – The present law shall apply to the processing of personal data within the context of publicly available electronic communications services and networks, specifying and complementing the provisions of Law no. 67/98 of 26 October (Law on the Protection of Personal Data).
3 – The provisions of the present law shall ensure protection of the legitimate interests of subscribers who are legal persons, to the extent that such protection is consistent with their nature.
4 – The exceptions to the application of the present law that are strictly necessary for the protection of activities concerning public security, defence, State security, and the prevention, investigation and prosecution of criminal offences shall be defined in special legislation.
Article 2
Definitions
1 - For the purposes of the present law, the following definitions shall apply:
a) «Electronic communication» means any information exchanged or conveyed between a finite number of parties by means of a publicly available electronic communications service;
b) «Subscriber» means any natural person or legal entity who or which is party to a contract with an undertaking providing publicly available electronic communications networks and/or services for the supply of such services;
c) «User» means any natural person using a publicly available electronic communications service, for private or business purposes, without necessarily having subscribed to this service;
d) «Traffic data» means any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof;
e) «Location data» means any data processed in an electronic communications network, indicating the geographic position of the terminal equipment of a subscriber or of any user of a publicly available electronic communications service;
f) «Value added service» means any service which requires the processing of traffic data or location data other than traffic data beyond what is necessary for the transmission of a communication or the billing thereof;
g) «Call» means a connection established by means of a publicly available telephone service allowing two-way communication in real time.
2 - From point a) of the preceding paragraph shall be excluded all information conveyed as part of a broadcasting service to the general public over an electronic communications network, which cannot be related to the subscriber of an electronic communications service or to an identifiable user receiving the information.
CHAPTER II
Security and confidentiality
Article 3
Security
1 - Undertakings providing networks and undertakings providing electronic communications services shall work in conjunction in order to take the appropriate technical and organisational measures to safeguard security of their services and, if necessary, the security of the network itself.
2 - The measures referred to in the preceding paragraph shall be appropriate to the prevention of risks, having regard to the proportionality of costs of their implementation and the state of technological development.
3 - In case of a particular risk of a breach of the security of the network, undertakings providing publicly available electronic communications services shall inform the subscribers thereof of such risk, free of charge, as well as of any possible remedies to avoid it, including an indication of the likely costs involved.
Article 4
Inviolability of electronic communications
1 – Undertakings providing electronic communications networks and/or services shall ensure the inviolability of communications and the related traffic data by means of public communications networks and publicly available electronic communications services.
2 - Listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users is prohibited, without the prior and explicit consent of the users concerned, except for cases provided for in the law.
3 – The provision in the present article shall not affect any legally authorised recording of communications and the related traffic data, when carried out in the course of lawful business practice for the purpose of providing evidence of a commercial transaction, nor of any other communication made in the scope of a business relationship, provided that the data holder has been informed thereof and given his consent thereto.
4 - Recordings of communications by and for public services intended to provide for emergency situations of any nature shall be authorized.
Article 5
Storage and access to information
1 - The use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or of any user shall only be allowed where the following conditions have been met:
a) The subscriber or user concerned has been provided with clear and comprehensive information, namely about the purposes of the processing, in accordance with the provisions laid down in the Law on the Protection of Personal Data;
b) The right to refuse such processing has been offered to the subscriber or user.
2 – The provision of the preceding paragraph and of paragraph 1 of article 4 shall not prevent any automatic, intermediate and transient storage or access strictly necessary in order to:
a) Carry out or facilitate the transmission of a communication over an electronic communications network;
b) Provide a service in the scope of the information society that has been explicitly requested by the subscriber or by any user.
Article 6
Traffic data
1 - Without prejudice to the following articles, traffic data relating to subscribers and users which have been processed and stored by undertakings providing electronic communications networks and/or services shall be erased or made anonymous where they are no longer needed for the purpose of the transmission of a communication.
2 - The processing of traffic data necessary for the purposes of subscriber billing and interconnection payments is permitted, namely:
a) Number or identification, address and type of station of the subscriber;
b) Total number of units to be charged for the accounting period, as well as the type, starting time and duration of the calls made and/or the data volume transmitted;
c) Date of the call or service and called number;
d) Other information concerning payments such as advance payment, payments by instalments, disconnection and reminders.
3 - The processing referred to in the preceding paragraph shall be permissible only up to the end of the period during which the bill may lawfully be challenged or the payment be pursued.
4 - Undertakings providing electronic communications services may process the data referred to in paragraph 1 to the extent and for the duration necessary for the purposes of marketing electronic communications services or for the provision of value added services, provided that the subscriber or user to whom the data relate has given thereto his prior consent, which may be withdrawn at any time.
5 - For the purposes mentioned in paragraph 2 and, prior to obtaining consent from subscribers or users, for the purposes mentioned in paragraph 4, undertakings providing electronic communications services shall provide them accurate and full information on the types of traffic data which are processed, the purposes and the duration of such processing, as well as on a possible transmission to a third party for the purpose of providing the value added service.
6 - The processing of traffic data shall be restricted to workers and employees of undertakings providing electronic communications networks and/or publicly available services who are responsible for handling billing or traffic management, customer enquiries, fraud detection, marketing publicly available electronic communications services or providing a value added service, and shall be restricted to what is necessary for the purposes of such activities.
7 - The preceding paragraphs shall apply without prejudice to the possibility for courts or other competent bodies to be informed of traffic data, in conformity with applicable legislation with a view to settling disputes, in particular interconnection or billing disputes.
Article 7
Location data
1 - Where location data other than traffic data, relating to subscribers or users of public communications networks or publicly available electronic communications services, are processed, such data may only be processed when they are made anonymous.
2 - The record, processing and transmission of location data to bodies with legal competence to deal with emergency calls, for the purpose of responding to such calls, is permitted.
3 - The processing of location data shall also be permitted to the extent and for the duration necessary for the provision of a value added service, provided that the prior consent of the subscribers or users has been given.
4 - Undertakings providing publicly available electronic communications services shall, namely, inform the users or subscribers, prior to obtaining their consent, of the type of location data which will be processed, of the duration and purposes of the processing and whether the data will be transmitted to a third party for the purpose of providing the value added service.
5 - Undertakings providing publicly available electronic communications services shall guarantee subscribers and users the possibility, using a simple means and free of charge:
a) To withdraw at any time their consent previously given for the processing of location data referred to in the preceding paragraphs;
b) To temporarily refuse the processing of such data for each connection to the network or for each transmission of a communication.
6 - Processing of location data shall be restricted to workers and employees of undertakings providing electronic communications networks and/or publicly available services or of the third party providing the value added service, and shall be restricted to what is necessary for the purposes of the referred activity.
Article 8
Itemised billing
1 - Subscribers shall have the right to receive non-itemised bills.
2 - Undertakings providing electronic communications networks and/or publicly available services shall take appropriate measures in order to reconcile the rights of subscribers receiving itemised bills with the right to privacy of calling users and called subscribers, namely by submitting proposals to the Comissão Nacional de Protecção de Dados/National Commission for Data Protection regarding means which allow anonymous or strictly private access to publicly available electronic communications services to subscribers.
3 - The approval on the part of the Comissão Nacional de Protecção de Dados/National Commission for Data Protection as regards the preceding paragraph shall be compulsorily subject to the prior opinion thereto on the part of the Autoridade Nacional de Comunicações (ICP – ANACOM).
4 - Calls that are free of charge to the calling subscriber, including calls to emergency services or helplines, are not to be identified in the calling subscriber's itemised bill.
Article 9
Identification of calling line and connected line
1 - Where presentation of calling line identification is offered, undertakings providing publicly available electronic communications services shall offer the calling subscribers, on a per-line basis, and the remaining calling users, on a per-call basis, the possibility, using a simple means and free of charge, of preventing the presentation of the calling line identification.
2 - Where presentation of calling line identification is offered, undertakings providing publicly available electronic communications services shall offer the called subscriber the possibility, using a simple means and free of charge for reasonable use of this function, of preventing the presentation of the calling line identification of incoming calls.
3 - Where presentation of calling line identification is offered prior to the call being established, undertakings providing publicly available electronic communications services shall offer the called subscriber the possibility, using a simple means, of rejecting non-identified incoming calls.
4 - Where presentation of connected line identification is offered, undertakings providing publicly available electronic communications services shall offer the called subscriber the possibility, using a simple means and free of charge, of preventing the presentation of the connected line identification to the calling user.
5 - The provision of paragraph 1 of the present article shall also apply with regard to calls to countries outside the European Union originating in national territory.
6 - The provisions of paragraphs 2, 3 and 4 shall also apply to incoming calls originating in countries outside the European Union.
7 - Undertakings providing electronic communications networks and/or publicly available services shall provide the public, especially subscribers, with transparent and up-to-date information on the possibilities referred to in the preceding paragraphs.
Article 10
Exceptions
1 - Undertakings providing electronic communications networks and/or publicly available services, where compatible with the principles of necessity, appropriateness and proportionality, shall cancel, for a period of time not exceeding 30 days, the elimination of the presentation of the calling line identification, on a written and duly substantiated request from a subscriber who wishes to determine the origin of non-identified calls that upset the peace of the family or the intimacy of private life, in which case the telephone number of calling subscribers who have prevented the line identification shall be recorded and made available to the called subscriber.
2 - In the cases provided for in the preceding paragraph, the cancellation of the elimination of the presentation of the calling line shall be preceded by a compulsory opinion on the part of the Comissão Nacional de Protecção de Dados/National Commission for Data Protection.
3 - Undertakings referred to in paragraph 1 shall also cancel, on a per-line basis, the elimination of the presentation of calling line as well as record and make available the location data of a subscriber or user, in the case provided for in paragraph 2 of article 7, in order to make available such data to bodies with legal competence to receive emergency calls for the purpose of responding to such calls.
4 - In the cases provided for in the preceding paragraphs, prior information shall be compulsorily transmitted to the holder of the referred data, on the transmission thereof, to the subscriber who required them pursuant to paragraph 1 or to the emergency services pursuant to paragraph 3.
5 - The information duty regarding data holders shall be performed through the following means:
a) In the cases mentioned in paragraph 1, through the broadcast of an automatic recording before the call is established, that informs the data holder that, from that moment and for the set period of time, his telephone number ceases to be confidential concerning calls to the subscriber who requested the number identification;
b) In the cases mentioned in paragraph 3, through the inclusion of general contractual terms in contracts signed between subscribers and undertakings providing electronic communications networks and/or services, or through explicit notification given to subscribers of contracts already signed, which allow the transmission of that information to emergency services.
6 - The record and notification referred to in paragraphs 1 and 3 shall be disclosed to the public and the use thereof shall be restricted to the intended purposes.
Article 11
Automatic call forwarding
Undertakings providing electronic communications networks and/or publicly available services shall ensure that any subscriber has the possibility, using a simple means and free of charge, of stopping automatic call forwarding by a third party to the subscriber's terminal equipment.
Article 12
Digital and analogue exchanges
1 - The provisions of articles 9, 10 and 11 shall apply to subscriber lines connected to digital exchanges and, where technically possible and if it does not require a disproportionate economic effort, to subscriber lines connected to analogue exchanges.
2 - It is incumbent upon ICP – ANACOM, as national regulatory authority, to confirm cases where it is technically impossible or which require a disproportionate economic effort to fulfil the requirements of articles 9, 10 and 11 of this law, and to notify this fact to the Comissão Nacional de Protecção de Dados/National Commission for Data Protection, which shall notify the European Commission thereof.
Article 13
Directories of subscribers
1 - Subscribers shall be informed, free of charge and before the respective data are included in printed or electronic directories, available to the public or obtainable through directory enquiry services, about:
a) The intended purposes of such directories;
b) Any further usage possibilities based on search functions embedded in electronic versions of the directories.
2 - Subscribers shall be given the opportunity to determine whether their personal data are included in a public directory, and if so, which, to the extent that such data are relevant for the purposes of the directories, as determined by the provider of the directories.
3 - Subscribers shall be given the opportunity to verify, correct, alter or withdraw the data included in the referred directories, free of charge.
4 - Additional consent shall be asked of the subscribers for any purpose of a public directory other than the search of contact details of persons on the basis of their name and, where necessary, a minimum of other elements of identification.
CHAPTER III
Sanctioning regime
Article 14
Breaches
1 - The following irregularities shall be deemed as breaches liable to a fine of €1500 to €25000:
a) Non-compliance with the security standards imposed pursuant to article 3;
b) Violation of the confidentiality duty, the prohibition of interception or surveillance of communications and the related traffic data provided for in article 4;
c) Non-compliance with the conditions concerning storage and access to information provided for in article 5.
2 - The following irregularities shall be deemed as breaches liable to a fine of €500 to €20000:
a) Non-compliance with the conditions concerning processing and storage of traffic data and location data provided for in articles 6 and 7;
b) Violation of obligations provided for in paragraphs 1, 2 and 4 of article 8 and in articles 9 to 11;
c) The creation, organization or updating of directories of subscribers in violation of article 13.
3 - Breaches provided for in paragraph 1 shall be liable to fines of €5000 to €5000000 and those provided for in paragraph 2 shall be liable to fines of €2500 to €2500000, where they have been performed by legal persons.
4 - The attempt and negligence shall be punishable.
Article 15
Procedure and application of fines
1 - It is incumbent upon the Comissão Nacional de Protecção de Dados/National Commission for Data Protection to initiate, examine and close breach proceedings as well as to apply fines on grounds of non-compliance with the provisions of paragraph 3 of article 4, of articles 5 and 6, of paragraphs 1 to 5 of article 7, of paragraphs 2 and 4 of article 8, of paragraphs 1 and 2 of article 10 and of article 13.
2 - It is incumbent upon the Board of Directors of ICP – ANACOM to pursue and close breach proceedings and to apply the respective fines as regards the remaining offences provided for in the preceding article, the examination thereof being incumbent upon the respective services.
3 - The competences provided for in the preceding article may be delegated.
4 - The amount of fines applied shall revert to the State at 60% and at 40% to the Comissão Nacional de Protecção de Dados/National Commission for Data Protection or to ICP – ANACOM, as appropriate.
Article 16
Subsidiary legislation
The sanctioning rules comprised in articles 33 to 39 of the Law for the Protection of Personal Data shall apply in all matters not provided for in the present law.
CHAPTER IV
Final and transitory provisions
Article 17
Technical features and standardization
1 - The compliance with the provisions of this law shall not determine that mandatory requirements for specific technical features are imposed on terminal or other electronic communication equipment which could impede the placing of equipment on the market and the free circulation of such equipment within the countries of the European Union.
2 - From the preceding paragraph are excepted the elaboration and issue of specific technical features necessary to the implementation of the present law, which shall be notified to the European Commission in accordance with the procedures provided for in Decree-Law no. 58/2000, of 18 April.
Article 18
Transitory provisions
1 - The provision of article 13 shall not apply to editions of directories already produced or placed on the market in printed or off-line electronic form before the present law enters into force.
2 - Where the personal data of subscribers to publicly available fixed or mobile voice telephony services have been included in a public subscriber directory, in conformity with prior legislation and before the entry into force of the present law, the personal data of such subscribers may remain included in that public directory in its printed or electronic versions.
3 - In the case provided for in the preceding paragraph, subscribers shall have the right to withdraw their personal data from the public directory in consideration, after having received complete information about purposes and options thereof, in accordance with article 13.
4 - The information referred to in the preceding paragraph shall be conveyed to subscribers within six months at the most from the date of entry into force of the present law.
Article 19
Repeal
Law no. 69/98, of 28 October, is hereby repealed.
Article 20
Entry into force
The present law shall enter into force on the day following that of its publication.
Approved on 1 July 2004.
The President of the Assembly of the Republic, João Bosco Mota Amaral
Promulgated on 2 August 2004.
Let it be published.
The President of the Republic, JORGE SAMPAIO.
Counter-signed on 5 August 2004.
The Prime Minister, Pedro Miguel de Santana Lopes.