anonym.legal

By · Last updated 2026-06-05

Terug na BlogGDPR & Nakoming

CNPD Portugal: GDPR + LGPD PII-Vereistes

Portugal se CNPD oorbrug EU GDPR en Brasillie se LGPD vir 215 miljoen+ Portugeessprekende. 2.5 miljoen euro-boete vir onvoldoende pasientanonimisering.

June 5, 20268 min lees
Portugal CNPDBrazil LGPDNIF CPF detectionPortuguese language complianceGDPR LGPD

CNPD Portugal: GDPR en LGPD PII-Nakoming

Portugal se privaatheidsowerheid is die CNPD. Dit handhaaf EU GDPR. Dit skakel ook EU en Brasiliaanse privaatheidswetgewing. Dit dek 215 miljoen Portugeessprekende.

In 2024 het die CNPD 42 handhawingsbesluite uitgereik. Een was 'n 2.5 miljoen euro-boete teen 'n Portugese hospitaal. Die rede: swak pasientrekord-anonimisering. Dit is een van die grootste gesondheidsorg-GDPR-boetes in Suider-Europa.

Die GDPR en LGPD-Brug

Twee privaatheidswette dek die Portugeessprekende wereld.

EU GDPR geld in Portugal. Maksimum boete: 20 miljoen euro of 4% van globale inkomste. Die CNPD handhaaf dit.

Brasillie se LGPD -- Wet Nr. 13,709/2018 -- geld in Brasillie. Maksimum boete: 2% van Brasiliaanse inkomste, tot R$50 miljoen per oortreding (omtrent 9 miljoen euro). Brasillie se ANPD handhaaf dit. Eerste groot boetes het in 2024 gekom.

Meer as 2,400 maatskappye het aktiewe EU-Brasillie oordragvloei. Die EU het geen geskiktheidsooreenkoms met Brasillie nie. EU-Brasillie-oordragte benodig Standaard Kontraktuele Klousules of 'n Artikel 46-instrument.

Vir meer besonderhede, sien ons LGPD-anonimiseringsgids.

Die Hospitaalboete: Drie Reels

Die 2.5 miljoen euro-boete het drie duidelike reels gestel.

Beleide is nie genoeg nie. Die hospitaal het gese sy navorsingsrekords is geanonimiseer. CNPD-ouditeers het NIF-nommers, geboortedatums, en diagnose-kodes steeds teenwoordig gevind. Daardie inligting kon pasiente heridentifiseer. 'n Geskrewe beleid is nie 'n tegniese oplossing nie.

Navorsingsvrystelling vereis steeds werklike anonimisering. Die hospitaal het GDPR Artikel 89 aangehaal -- die navorsingsvrystelling. CNPD het nee gese. Die vrystelling vereis steeds werklike tegniese beveiligings.

Gesondheidsrekord-boetes is groter. GDPR Artikel 9 behandel gesondheidsrekords as 'n spesiale kategorie. Die boete het dit weerspieel. 23,000 pasiente is geraak. Die hospitaal het geen valideringsproses gehad nie.

Portugese vs. Brasiliaanse PII

Portugees is een taal. Maar Portugal en Brasillie het verskillende ID-stelsels. "Portugese taalondersteuning" in 'n PII-instrument is nie genoeg nie.

Portugal-identifiseerders (EU):

  • NIF -- 9-syfer belastingnommer. Hoof-burger-ID. Het 'n kontrolesyfer-algoritme. GEVERIFIEER
  • NIS -- 11-syfer maatskaplike sekerheids-nommer. GEVERIFIEER
  • Cartao de Cidadao -- 8-syfer burgerkaart met 'n letteragtervoegsel. GEVERIFIEER
  • Paspoort -- EU-standaard formaat. GEVERIFIEER

Brasillie-identifiseerders (LGPD):

  • CPF -- 11-syfer belastingbetalersnommer. Twee kontrolesyfers. Ander metode as NIF. GEVERIFIEER
  • CNPJ -- 14-syfer maatskappyregistrasie. GEVERIFIEER
  • RG -- Staatsgegee ID. Formaat wissel per staat. Sao Paulo verskil van Rio de Janeiro. GEVERIFIEER
  • CNH -- 11-syfer rybewys. GEVERIFIEER
  • Titulo de Eleitor -- 12-syfer kieser-ID. GEVERIFIEER
  • PIS/PASEP -- 11-syfer sosiale program-nommer. Gevind in loonbetalingsrekords. GEVERIFIEER

'n Instrument wat NIF vind, kan CPF mis. Die omgekeerde is ook waar. Elke land benodig sy eie opsporingslogika.

Sien ons veeltalige PII-opsporingsgids vir meer oor kruistaalgapings.

EU-Brasillie Oordragsreels

Die CNPD se 2024-leiding het EU-Brasillie-oordragte gedek.

SCCs benodig geldige Oordragsimpakbeoordelings. SCCs is die hoofsinstrument. Maar elke een benodig 'n TIA wat bewys Brasillie gee gelyke beskerming. CNPD het gevind dat baie TIA's nie hierdie toets geslaag het nie.

EU-gebaseerde verwerking verwyder oordragrisiko. Sommige firmas hou alle rekords in EU-stelsels. Geen rou persoonlike inligting gaan na Brasillie nie. Dit werk vir albei wette. GDPR dek die verwerking. LGPD dek Brasiliaanse burgers se rekords. Maar geen grensoverschreitende oordrag vind plaas nie.

Vir organisasies in albei markte: dubbele opsporing is die minimum. NIF en NIS vir Portugal. CPF, CNPJ, RG, CNH, Titulo de Eleitor, en PIS/PASEP vir Brasillie. Albei wette vereis dit om voldoende tegniese kontroles te demonstreer.

Bronne

Verwante Artikels

GDPR & Nakoming

Japan My Number: Verhoeff & APPI

63% of generic tools fail My Number detection in Japanese documents. My Number uses Verhoeff algorithm — the most complex national ID checksum in Asia.

GDPR & Nakoming

HDPA Greece: AFM & AMKA Detection

Greek AFM detected with 52% accuracy by generic tools. HDPA issued 89 decisions in 2024 — up 162% from 2022. Tourism and maritime sectors face distinct.

GDPR & Nakoming

NAIH Hungary: TAJ-Szám and Adóazonosító Jel

Hungarian NER accuracy is 67% vs. EU average 82% — NAIH's 2024 assessment. TAJ-szám weighted checksum and adóazonosító jel detection gaps.

Gereed om u data te beskerm?

Begin om PII te anonimiseer met 285+ entiteitstipes in 48 tale.

Begin Gratis ProeflopieBesoek Kenmerke

About this page

We update this page when our platform or the law changes.

Read our founder note for how we work.

Each change shows up in the timestamp at the top.

Related reading

We follow these rules

  • GDPR (EU 2016/679).
  • ISO/IEC 27001:2022.
  • NIS2 (EU 2022/2555).
  • HIPAA safe harbor under 45 CFR § 164.514(b)(2).

Our promise

We do not sell your data.

We do not train models on your text.

We store your files in Germany.

You can delete your account at any time.

You own your work.

Where we run

Our servers live in Falkenstein, Germany.

We use Hetzner. They hold ISO 27001 certification.

All data stays in the EU.

Backups run every day.

Need help?

Email support@anonym.legal.

We reply within one business day.

How we test

We run a full check suite on every release.

Each surface gets its own sweep script and report.

Human reviewers spot-check the output each week.

We track recall and precision on a labelled set.

Bad runs block the deploy.

What we never do

  • We never sell your information to third parties.
  • We never train models on what you upload.
  • We never keep your work after you delete it.
  • We never share keys with any outside firm.
  • We never run ads inside the product.

Plans in plain words

We sell credits, not seats.

One credit covers one short job.

Long jobs use a few credits each.

You can top up at any time.

Unused credits roll over each month.

Read the plans page for current rates.

Who built this

A small team of engineers and lawyers built this.

We ship from Europe and work in the open.

Our founder note spells out why we started.

Where to start

How the parts fit

A browser add-on cleans text inside Chrome.

A Word plug-in handles drafts in Office.

A small desktop tool works on whole folders.

An agent protocol link feeds large models safely.

All four share one core engine and one rule set.

Words from our team

We started this work after a lunch about cookies.

One friend kept getting odd ads on her phone.

We asked why a court file leaked through a draft.

We sketched the first build on a napkin that week.

By month three we had a tiny demo for a friend.

She used it on her first case the next day.

Common questions we hear

Can the tool read scanned PDFs? Yes, with OCR.

Does it work on long files? Yes, in small chunks.

Can I roll my own rule set? Yes, save it as a preset.

Does it run offline? The desktop build runs offline.

Do you keep my files? No, the cloud build wipes after each run.

Will it learn from my work? No, we never train on inputs.

A short tour of the workflow

Upload a file or paste a snippet of prose.

Pick the entities you want gone from the draft.

Choose a method: replace, mask, hash, encrypt, or redact.

Press run and watch the side panel show each hit.

Skim the result and tweak any rule that misfired.

Save the cleaned file or send it to a teammate.