Clarification about data protection officers

2025-04-08T12:56:00
Portugal
CNPD published a resolution in response to various requests for clarification about the appointment of data protection officers

On April 1, 2025, the National Data Protection Commission (“CNPD”) approved Resolution 2025/267 in response to various requests for clarification regarding the appointment of data protection officers (“DPOs”) and issues directly related to this appointment. Through this resolution, the CNPD clarifies legal obligations and procedures related to the appointment of DPOs.

When must a DPO be appointed?

In this resolution, the CNPD clarifies that, under the General Data Protection Regulation (“GDPR”), the appointment of a DPO is mandatory in certain circumstances. Article 37.1 of the GDPR specifies that data controllers and data processors must appoint a DPO when:

  • the data is processed by a public authority or body, except for the courts when performing their judicial role;
  • in the case of private entities, the data controller’s or data processor’s main activities involve processing operations which, because of their nature, scope or purpose, require regular and systematic monitoring of data subjects on a large scale; or
  • also, in the case of private entities, the data controller’s or data processor’s main activities consist of the large-scale processing of special categories of data, such as sensitive data or personal data related to criminal convictions and offenses.

Law No. 58/2019 of August 8 (“GDPR Enforcement Law” or “LERGPD”) reinforces this obligation for public entities, such as the state, autonomous regions, local authorities, public institutes, public higher education institutions, and companies in the state, regional, or local business sector. For private entities, the appointment of a DPO is only mandatory in the specific situations mentioned above.

What requirements must be met regarding the DPO's profile?

The GDPR establishes that the DPO must be an individual with professional qualifications and specialized knowledge in data protection. The CNPD also clarified that the DPO may be an employee of the controller or processor, or may perform their duties under a service contract. This means that the DPO may be employed by a company other than the data controller.

What duties do data controllers and processors have regarding reporting to the CNPD and disclosing the DPO’s data?

Reporting the DPO’s appointment to the CNPD is a legal duty for data controllers and processors. Under the GDPR, the DPO’s contact details, but not their identity, must be disclosed and reported to the supervisory authority. However, the DPO’s name must be known to the data controller or processor and must be included in the processing records and in the report to the supervisory authority following a data breach.

The Article 29 Data Protection Working Party, as the independent European advisory body on data protection, also established the “Guidelines on Data Protection Officers (DPOs)” in 2017 (https://www.cnpd.pt/media/meplvdie/wp243rev01_pt.pdf). These guidelines are now managed by the European Data Protection Board.

Conclusion and practical recommendations

In summary, the CNPD resolution establishes that appointing the DPO (whether the appointment is mandatory or voluntary), disclosing the appointment internally and externally, and reporting it to the CNPD are legal duties of data controllers and processors, and are therefore not the responsibility of the DPOs themselves.

Practical recommendations:
  1. Verifying the obligation: Entities must check whether they are required to appoint a DPO in accordance with the criteria established in the GDPR and the GDPR Enforcement Law.
  2. Selecting the DPO: Ensure that the selected DPO has the required professional qualifications and expertise.
  3. External hiring: Consider hiring an external DPO if there is no qualified internal employee.
  4. Communication and disclosure: Ensure that the DPO's contact details are properly reported to the CNPD, disclosed as required by the GDPR, and updated when necessary.
  5. Keeping records: Keep processing records up to date and ensure that the DPO's name and contact details are contained in these records.

For further information on this topic, please contact our team of data protection experts
