anonym.legal
GDPR & Compliance

CNPD Portugal: Bridging GDPR and Brazil's LGPD — Why Portuguese-Language PII Needs Dual Detection

Portugal's CNPD bridges EU GDPR and Brazil's LGPD for 215M+ Portuguese speakers. €2.5M fine for inadequate patient anonymization. NIF vs CPF — EU and Brazilian identifiers require completely different detection.

March 7, 2026, 8 min read
Portugal CNPD, Brazil LGPD, NIF CPF detection, Portuguese language compliance, GDPR LGPD

Portugal's Comissão Nacional de Proteção de Dados (CNPD) holds a unique position among EU data protection authorities: it sits between the European Union's GDPR and Brazil's Lei Geral de Proteção de Dados (LGPD), the two privacy frameworks that govern a Portuguese-speaking world of some 215 million people.

The CNPD issued 42 enforcement decisions in 2024, including a €2.5 million fine against a Portuguese hospital for inadequate patient data anonymization — one of the largest healthcare GDPR fines in Southern Europe.

The GDPR-LGPD Connection

EU GDPR (Portugal): maximum fine €20 million or 4% of worldwide annual turnover, whichever is higher (Article 83(5)). Enforced in Portugal by the CNPD.

Brazil LGPD (Law No. 13,709/2018): maximum fine 2% of the offender's revenue in Brazil for the previous financial year, capped at R$ 50 million per violation (≈ €9M) (Article 52). Enforced by the ANPD (Autoridade Nacional de Proteção de Dados), with its first major enforcement actions in 2024.

2,400+ companies maintain active EU-Brazil data transfer arrangements. The EU has no adequacy decision for Brazil, so transfers from the EU to Brazil require Standard Contractual Clauses or another Article 46 transfer tool. The obligation runs in both directions: LGPD Article 33 restricts international transfers out of Brazil, and the ANPD published its own standard contractual clauses in Resolution CD/ANPD No. 19/2024.

The Hospital Ruling: Anonymization as a Technical Standard

The CNPD's €2.5 million healthcare fine set three precedents that matter to engineers:

Policy ≠ compliance. The hospital's documented policy stated that patient research data was "anonymized". CNPD's technical examination found that the "anonymized" dataset still contained NIF numbers, birth dates, diagnosis codes and treatment dates. A dataset that still carries a direct identifier such as the NIF is not anonymized at all; at best it is pseudonymized, and the GDPR continues to apply in full (Recital 26). Even with the NIF column removed, the combination of full birth date, diagnosis code and exact treatment dates singles out individual patients and can be linked back to them from any other record that holds the same fields.

Research exemption requires technical safeguards. The hospital argued that clinical research data fell under GDPR Article 89. The CNPD found that Article 89 is not a blanket exemption from technical measures: derogations for scientific research are available only subject to appropriate safeguards (Article 89(1)), which means genuine anonymization where the research purpose can be met that way, and pseudonymization plus data minimization where it cannot.

Healthcare fines reflect special category status. The €2.5M figure reflected the Article 9 special category treatment of health data, the number of affected patients (23,000 individuals), and the absence of any validation that the anonymization actually worked.
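As an added illustration, not part of the CNPD decision or of any tooling the hospital used, here is the kind of check that would have caught the problem: a k-anonymity audit over the quasi-identifiers the export retained, run as a release gate. The rows, the column names and the generalisation step are constructed for the example.

```python
from collections import Counter

# Quasi-identifier columns retained in the "anonymized" export (column names are assumed).
QUASI_IDENTIFIERS = ("birth_date", "diagnosis", "treatment_date")

# Constructed sample export: the NIF column has been dropped, as the policy required,
# but full birth dates, ICD-10 codes and exact treatment dates remain.
EXPORT = [
    {"birth_date": "1984-03-02", "diagnosis": "C34", "treatment_date": "2024-05-14"},
    {"birth_date": "1984-07-19", "diagnosis": "C34", "treatment_date": "2024-09-03"},
    {"birth_date": "1951-11-30", "diagnosis": "I21", "treatment_date": "2024-02-09"},
    {"birth_date": "1951-04-05", "diagnosis": "I21", "treatment_date": "2024-11-21"},
    {"birth_date": "1969-01-12", "diagnosis": "E11", "treatment_date": "2023-06-30"},
    {"birth_date": "1969-10-08", "diagnosis": "E11", "treatment_date": "2023-12-02"},
]


def qi_key(row: dict, qi=QUASI_IDENTIFIERS) -> tuple:
    """The quasi-identifier combination that an attacker would use to look a patient up."""
    return tuple(row[c] for c in qi)


def equivalence_classes(rows, qi=QUASI_IDENTIFIERS) -> Counter:
    """Count how many rows share each quasi-identifier combination."""
    return Counter(qi_key(r, qi) for r in rows)


def k_anonymity(rows, qi=QUASI_IDENTIFIERS) -> int:
    """Size of the smallest equivalence class; k=1 means at least one patient is singled out."""
    classes = equivalence_classes(rows, qi)
    return min(classes.values()) if classes else 0


def singletons(rows, qi=QUASI_IDENTIFIERS) -> list:
    """Rows unique on the quasi-identifiers: anyone who knows one patient's birth date,
    diagnosis and treatment date can pick that patient's row out of the export."""
    classes = equivalence_classes(rows, qi)
    return [r for r in rows if classes[qi_key(r, qi)] == 1]


def generalise(row: dict) -> dict:
    """One generalisation step: birth date -> birth year, treatment date -> treatment year."""
    g = dict(row)
    g["birth_date"] = row["birth_date"][:4]
    g["treatment_date"] = row["treatment_date"][:4]
    return g


def audit(rows, k_required: int = 2) -> dict:
    """Release gate: k before and after generalisation, and whether the threshold is met."""
    raw_k = k_anonymity(rows)
    generalised = [generalise(r) for r in rows]
    gen_k = k_anonymity(generalised)
    return {
        "raw_k": raw_k,
        "raw_singletons": len(singletons(rows)),
        "generalised_k": gen_k,
        "release_ok": gen_k >= k_required,
    }


if __name__ == "__main__":
    print(audit(EXPORT))
```

On the raw export every one of the six rows is unique (k = 1), so the "anonymized" label is simply false; after coarsening both dates to years, k rises to 2. The threshold of 2 is for illustration only: a real release gate would demand a larger k, and because every row in a class here shares the same diagnosis, the classes are homogeneous on the sensitive attribute and an l-diversity check would still fail them.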

Portuguese vs. Brazilian PII: Why They Are Not Interchangeable

Portuguese is one language. The national identification systems of Portugal and Brazil, however, are entirely different, which creates a compliance gap for organizations that assume "Portuguese language support" is sufficient.

Portuguese EU identifiers:

  • NIF (Número de Identificação Fiscal): 9 digits. The first digit (or first two) encodes the holder category, for example 1 to 3 for natural persons and 5 for legal persons; the ninth digit is a modulus-11 check digit computed over the first eight with weights 9 down to 2. It is the identifier most likely to turn up in invoices, contracts and health records.
  • NISS (Número de Identificação da Segurança Social, often abbreviated NIS): 11-digit social security number, also protected by a check digit.
  • Cartão de Cidadão: 8-digit civil identification number plus a check digit, followed by a version suffix of two letters and a digit.
  • Passport: national format. There is no EU-wide passport number format, so "EU-standard" passport detection does not exist; each member state needs its own pattern.

Brazilian PII identifiers:

  • CPF (Cadastro de Pessoas Físicas): 11 digits, usually written ddd.ddd.ddd-dd. Nine base digits followed by two modulus-11 check digits (weights 10 down to 2 for the first, 11 down to 2 for the second), with a different rounding rule from the NIF, so a NIF validator rejects valid CPFs and vice versa. Sequences of a single repeated digit satisfy the arithmetic but are invalid by convention and must be rejected explicitly.
  • CNPJ (Cadastro Nacional da Pessoa Jurídica): 14-digit company registration number, written dd.ddd.ddd/dddd-dd, with two check digits.
  • RG: State-issued identity document. Format and check-digit rules vary by issuing state (São Paulo differs from Rio de Janeiro, Minas Gerais, etc.), so there is no single RG pattern.
  • CNH: 11-digit driver's licence number with check digits.
  • Título de Eleitor: 12-digit voter registration number; digits 9 and 10 encode the state of registration and the last two are check digits.
  • PIS/PASEP: 11-digit social integration program number found in employment and payroll records.

An organization deploying a PII tool with "Portuguese language support" may correctly detect NIFs in Portuguese documents while missing every CPF in Brazilian documents, or vice versa. The two identifiers need separate patterns and separate check-digit validation even though they appear in documents written in the same language, and a scanner that only looks for digit runs will mistake the nine leading digits of a formatted CPF for a NIF unless it claims the longer match first.
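The following is an added example of dual-jurisdiction detection, written for this page rather than taken from any product: it validates the NIF and CPF check digits with their distinct algorithms, rejects repeated-digit CPFs, and resolves the overlap between a formatted CPF and a NIF-shaped prefix by claiming CPF-shaped tokens first. The sample text, the separator conventions accepted by the regular expressions and the `Hit` record are assumptions of the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Candidate shapes. The lookarounds stop a 9-digit window being cut out of a longer digit run.
NIF_RE = re.compile(r"(?<!\d)\d{3}[ .]?\d{3}[ .]?\d{3}(?!\d)")      # 123456789 / 123 456 789
CPF_RE = re.compile(r"(?<!\d)\d{3}\.?\d{3}\.?\d{3}-?\d{2}(?!\d)")  # 52998224725 / 529.982.247-25


@dataclass(frozen=True)
class Hit:
    kind: str    # "NIF" or "CPF"
    raw: str     # text exactly as it appeared
    digits: str  # normalised digits
    start: int
    end: int


def _digits(s: str) -> str:
    return re.sub(r"\D", "", s)


def nif_is_valid(nif: str) -> bool:
    """Portuguese NIF: weights 9..2 over the first eight digits, check = 11 - (sum mod 11),
    with results of 10 and 11 mapped to 0; compared against the ninth digit."""
    d = _digits(nif)
    if len(d) != 9:
        return False
    total = sum(int(c) * w for c, w in zip(d[:8], range(9, 1, -1)))
    check = 11 - (total % 11)
    if check >= 10:
        check = 0
    return check == int(d[8])


def cpf_is_valid(cpf: str) -> bool:
    """Brazilian CPF: two check digits, weights 10..2 then 11..2, remainder < 2 maps to 0.
    Eleven copies of one digit satisfy the arithmetic but are invalid by convention."""
    d = _digits(cpf)
    if len(d) != 11 or d == d[0] * 11:
        return False

    def dv(prefix: str) -> int:
        total = sum(int(c) * w for c, w in zip(prefix, range(len(prefix) + 1, 1, -1)))
        r = total % 11
        return 0 if r < 2 else 11 - r

    return dv(d[:9]) == int(d[9]) and dv(d[:10]) == int(d[10])


def find_identifiers(text: str) -> list[Hit]:
    """Scan text for NIF and CPF. CPF-shaped tokens are claimed first, whether or not they
    validate, so the nine leading digits of 529.982.247-25 are never reported as a NIF."""
    hits: list[Hit] = []
    claimed: list[tuple[int, int]] = []
    for m in CPF_RE.finditer(text):
        claimed.append((m.start(), m.end()))
        if cpf_is_valid(m.group()):
            hits.append(Hit("CPF", m.group(), _digits(m.group()), m.start(), m.end()))
    for m in NIF_RE.finditer(text):
        if any(s <= m.start() < e for s, e in claimed):
            continue
        if nif_is_valid(m.group()):
            hits.append(Hit("NIF", m.group(), _digits(m.group()), m.start(), m.end()))
    return sorted(hits, key=lambda h: h.start)


# Constructed Portuguese-language sample mixing Portuguese and Brazilian records.
SAMPLE = (
    "Relatório de investigação clínica (exportação 'anonimizada').\n"
    "Doente A: NIF 123456789, nascimento 1984-03-02, diagnóstico C34.\n"
    "Doente B: NIF 123 456 780 (dígito de controlo errado).\n"
    "Paciente C (unidade de São Paulo): CPF 529.982.247-25.\n"
    "Paciente D: CPF 111.111.111-11 (sequência repetida).\n"
)

if __name__ == "__main__":
    for h in find_identifiers(SAMPLE):
        print(f"{h.kind} {h.raw!r} -> {h.digits}")
```

Run against the sample, the scanner reports exactly one NIF and one CPF: the NIF with a wrong check digit and the repeated-digit CPF are dropped, and the nine digits in front of the valid CPF's hyphen are not double-counted as a Portuguese identifier. Check-digit validation cuts false positives by roughly an order of magnitude per check digit but does not eliminate them, so a random 11-digit run (a NISS, for instance) will still occasionally pass as a CPF; context words such as "CPF" or "NIF" next to the token are the usual second signal.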

EU-Brazil Transfer Compliance

For organizations with EU-Brazil data flows, the CNPD's 2024 guidance on transfers sets out two positions:

SCCs with an adequate TIA: Standard Contractual Clauses remain the primary mechanism, but they must be accompanied by a Transfer Impact Assessment that examines whether Brazilian law offers essentially equivalent protection, including the conditions under which public authorities can access the data. The CNPD found many existing TIAs inadequate.

Processing in the EU: Organizations that process the data of people in Brazil within EU infrastructure, and never move raw personal data to Brazil, avoid the EU-to-Brazil transfer question entirely. GDPR applies because the processing happens in the EU, and LGPD applies under its territorial scope (Article 3: processing carried out in Brazil, data collected in Brazil, or goods and services offered to individuals in Brazil), regardless of where the servers are. One caveat from the Brazilian side: data collected in Brazil and sent to EU systems is itself an international transfer under LGPD Article 33 and needs an ANPD-recognized mechanism, so "no cross-border transfer" holds only for data that never originated in Brazil.

For organizations serving the Portuguese-language market across both the EU and Brazil, dual-jurisdiction PII detection covering Portuguese identifiers (NIF, NISS) and Brazilian identifiers (CPF, CNPJ, RG, CNH, Título de Eleitor, PIS/PASEP) is not optional: it is the baseline for demonstrating adequate technical measures under both frameworks.
