Last updated 2026-06-05

Portugal's CNPD: Personal data compliance essentials under the GDPR and the LGPD

Portugal's CNPD is the key bridge between the EU GDPR and Brazil's LGPD, covering more than 215 million Portuguese speakers worldwide. One hospital was fined EUR 2.5 million for inadequate anonymization of medical records.

June 5, 2026 · 8 min read
Portugal CNPD, Brazil LGPD, NIF CPF detection, Portuguese language compliance, GDPR LGPD

Portugal's CNPD: GDPR and LGPD personal data compliance

Portugal's data protection authority is the CNPD (Comissão Nacional de Proteção de Dados, the National Data Protection Commission). The CNPD enforces the EU GDPR and also serves as the hub linking EU and Brazilian privacy law, a reach that covers more than 215 million Portuguese speakers worldwide.

In 2024 the CNPD issued 42 enforcement decisions, including a EUR 2.5 million fine against a Portuguese hospital for improperly anonymizing patient records. It is one of the largest GDPR fines in the healthcare sector in southern Europe to date.

A bridge between the GDPR and the LGPD

Two privacy laws cover the Portuguese-speaking world.

The EU GDPR applies in Portugal, with maximum fines of EUR 20 million or 4% of global turnover, enforced by the CNPD.

Brazil's LGPD (Law No. 13,709/2018) applies in Brazil, with maximum fines of 2% of Brazilian turnover, capped at R$50 million (about EUR 9 million) per violation, enforced by Brazil's ANPD. The first major fines were issued in 2024.

More than 2,400 companies currently have active EU–Brazil data transfer flows. Because the EU has not issued an adequacy decision for Brazil, EU–Brazil transfers require Standard Contractual Clauses or another transfer tool under Article 46.

For more, see our LGPD anonymization guide.

Three rules the hospital fine makes clear

The EUR 2.5 million fine established three clear rules.

A written policy is not a technical safeguard. The hospital claimed its research records had been anonymized, but CNPD auditors found residual NIF (tax number), date of birth, and diagnosis code values, enough to re-identify patients. A policy document cannot substitute for technical measures.

The research exemption still requires genuine anonymization. The hospital invoked the GDPR Article 89 exemption for scientific research, but the CNPD rejected it: the exemption likewise requires effective technical safeguards.

Fines for health records are higher. GDPR Article 9 lists health records as a special category of data, and the fine was increased accordingly. A total of 23,000 patients were affected, and the hospital had no verification mechanism in place.

Portuguese versus Brazilian personal identifiers

Portuguese is a single language, but Portugal and Brazil use different identity systems. "Supports Portuguese" is far from sufficient for a PII tool.

Portuguese identifiers (EU):

  • NIF: 9-digit taxpayer identification number, the primary citizen identifier, with a check-digit algorithm. (Validated)
  • NIS: 11-digit social security number. (Validated)
  • Cartão de Cidadão: 8-digit citizen card number with a letter suffix. (Validated)
  • Passport: standard EU format. (Validated)

Brazilian identifiers (LGPD):

  • CPF: 11-digit taxpayer number with two check digits; the algorithm differs from the NIF's. (Validated)
  • CNPJ: 14-digit company registration number. (Validated)
  • RG: state-level identity card whose format varies by state; São Paulo and Rio de Janeiro use different formats. (Validated)
  • CNH: 11-digit driver's licence number. (Validated)
  • Título de Eleitor: 12-digit voter registration number. (Validated)
  • PIS/PASEP: 11-digit social security number, common in payroll records. (Validated)

A tool that recognizes NIFs will not necessarily recognize CPFs, and vice versa. The two countries need separate detection logic.

For more on cross-language detection, see our multilingual PII detection guide.

EU–Brazil data transfer rules

In 2024 the CNPD published guidance on EU–Brazil data transfers.

Standard Contractual Clauses must be paired with a valid Transfer Impact Assessment (TIA). SCCs are the main tool, but each SCC must be accompanied by a TIA demonstrating that Brazil provides an equivalent level of protection. The CNPD found that many TIAs fail this review.

Processing data within the EU avoids transfer risk. Some companies keep all records in EU systems and transfer no raw personal data to Brazil, satisfying both the GDPR and the LGPD without triggering cross-border transfer obligations.

For companies operating in both markets, dual detection is a baseline requirement: the Portuguese side must cover NIF and NIS; the Brazilian side must cover CPF, CNPJ, RG, CNH, Título de Eleitor, and PIS/PASEP. Both laws require evidence that adequate technical controls are in place.
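The identifier section above says that a NIF detector does not recognize a CPF and vice versa, and this paragraph asks for dual detection with evidence of technical controls. The following added example (not code from the original article or from the product it describes) shows why: both numbers use a mod-11 check, but the NIF carries one check digit over 8 digits with weights 9 to 2, while the CPF carries two check digits over 9 and then 10 digits with weights starting at 10 and 11. The example validates each format, scans a constructed record for both, and redacts only the values that pass their own checksum. The sample record, the function names and the `[NIF]`/`[CPF]` placeholders are assumptions made for this example; the NIF prefix rules that restrict the leading digit are deliberately not applied.

```python
import re


def _mod11_check_digit(digits: str, start_weight: int) -> int:
    """Weighted mod-11 check digit shared by NIF and CPF.

    Each digit is multiplied by a weight that counts down from
    start_weight to 2. If the remainder is 0 or 1 the check digit is 0,
    otherwise it is 11 minus the remainder.
    """
    weights = range(start_weight, 1, -1)
    total = sum(int(d) * w for d, w in zip(digits, weights))
    rem = total % 11
    return 0 if rem < 2 else 11 - rem


def is_valid_nif(value: str) -> bool:
    """Portuguese NIF: 9 digits, one check digit over the first 8 (weights 9..2)."""
    digits = re.sub(r"\D", "", value)
    if len(digits) != 9:
        return False
    return int(digits[8]) == _mod11_check_digit(digits[:8], 9)


def is_valid_cpf(value: str) -> bool:
    """Brazilian CPF: 11 digits, two check digits (weights 10..2, then 11..2).

    Repeated-digit sequences such as 111.111.111-11 satisfy the arithmetic
    but are not issued, so they are rejected explicitly.
    """
    digits = re.sub(r"\D", "", value)
    if len(digits) != 11 or len(set(digits)) == 1:
        return False
    d1 = _mod11_check_digit(digits[:9], 10)
    d2 = _mod11_check_digit(digits[:10], 11)
    return digits[9:] == f"{d1}{d2}"


# Shape-only patterns; the checksum decides whether a match is reported.
NIF_RE = re.compile(r"\b\d{9}\b")
CPF_RE = re.compile(r"\b\d{3}\.?\d{3}\.?\d{3}-?\d{2}\b")

# Constructed sample record (not real data). 123456789 is a checksum-valid
# NIF, 123456780 is not; 111.444.777-35 is a checksum-valid CPF.
SAMPLE_RECORD = (
    "Patient record: NIF 123456789, DOB 1984-03-12, diagnosis code C34.1. "
    "Brazilian partner CPF 111.444.777-35; order ref 123456780."
)


def find_identifiers(text: str) -> list[tuple[str, str, str]]:
    """Return (type, jurisdiction, value) for every checksum-valid NIF or CPF."""
    hits = []
    for m in CPF_RE.finditer(text):
        if is_valid_cpf(m.group()):
            hits.append(("CPF", "BR", m.group()))
    for m in NIF_RE.finditer(text):
        if is_valid_nif(m.group()):
            hits.append(("NIF", "PT", m.group()))
    return hits


def redact_identifiers(text: str) -> str:
    """Replace validated identifiers with a type placeholder; leave other numbers alone."""
    def _cpf(m: re.Match) -> str:
        return "[CPF]" if is_valid_cpf(m.group()) else m.group()

    def _nif(m: re.Match) -> str:
        return "[NIF]" if is_valid_nif(m.group()) else m.group()

    return NIF_RE.sub(_nif, CPF_RE.sub(_cpf, text))


if __name__ == "__main__":
    for kind, country, value in find_identifiers(SAMPLE_RECORD):
        print(f"{country} {kind}: {value}")
    print(redact_identifiers(SAMPLE_RECORD))
```

Running the block reports one CPF and one NIF and leaves the nine-digit order reference untouched, because it fails the NIF checksum. Passing a CPF to `is_valid_nif` or a NIF to `is_valid_cpf` returns False in both directions, which is the gap the article describes. The same pattern extends to the other identifiers in the lists above (NIS, CNPJ, CNH, PIS/PASEP) by adding one shape pattern and one checksum routine per type.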


About this page

We update this page when our platform or the law changes.

Read our founder note for how we work.

Each change shows up in the timestamp at the top.

We follow these rules

  • GDPR (EU 2016/679).
  • ISO/IEC 27001:2022.
  • NIS2 (EU 2022/2555).
  • HIPAA safe harbor under 45 CFR § 164.514(b)(2).

Our promise

We do not sell your data.

We do not train models on your text.

We store your files in Germany.

You can delete your account at any time.

You own your work.

Where we run

Our servers live in Falkenstein, Germany.

We use Hetzner. They hold ISO 27001 certification.

All data stays in the EU.

Backups run every day.

Need help?

Email support@anonym.legal.

We reply within one business day.

How we test

We run a full check suite on every release.

Each surface gets its own sweep script and report.

Human reviewers spot-check the output each week.

We track recall and precision on a labelled set.

Bad runs block the deploy.

What we never do

  • We never sell your information to third parties.
  • We never train models on what you upload.
  • We never keep your work after you delete it.
  • We never share keys with any outside firm.
  • We never run ads inside the product.

Plans in plain words

We sell credits, not seats.

One credit covers one short job.

Long jobs use a few credits each.

You can top up at any time.

Unused credits roll over each month.

Read the plans page for current rates.

Who built this

A small team of engineers and lawyers built this.

We ship from Europe and work in the open.

Our founder note spells out why we started.

How the parts fit

A browser add-on cleans text inside Chrome.

A Word plug-in handles drafts in Office.

A small desktop tool works on whole folders.

An agent protocol link feeds large models safely.

All four share one core engine and one rule set.

Words from our team

We started this work after a lunch about cookies.

One friend kept getting odd ads on her phone.

We asked why a court file leaked through a draft.

We sketched the first build on a napkin that week.

By month three we had a tiny demo for a friend.

She used it on her first case the next day.

Common questions we hear

Can the tool read scanned PDFs? Yes, with OCR.

Does it work on long files? Yes, in small chunks.

Can I roll my own rule set? Yes, save it as a preset.

Does it run offline? The desktop build runs offline.

Do you keep my files? No, the cloud build wipes after each run.

Will it learn from my work? No, we never train on inputs.

A short tour of the workflow

Upload a file or paste a snippet of prose.

Pick the entities you want gone from the draft.

Choose a method: replace, mask, hash, encrypt, or redact.

Press run and watch the side panel show each hit.

Skim the result and tweak any rule that misfired.

Save the cleaned file or send it to a teammate.