
Public Consultation and Guidelines issued by CNPD


published on 23 May 2023 | reading time approx. 3 minutes

The National Commission for Data Protection (CNPD) in Portugal has opened a public consultation on the performance evaluation of a Data Protection Officer (DPO), with the deadline set for June 9, 2023. The subject of the consultation is the draft guidance relating to the performance evaluation of the worker who is also a DPO.

According to the CNPD, the purpose of this guideline is to address the lack of legal rules governing the status of DPOs within public entities, particularly regarding their performance evaluation when they accumulate other functions in the public entity. This led the CNPD to initiate a public consultation in order to gather feedback, including practical experiences, that can broaden perspectives and enhance the usefulness and appropriateness of the forthcoming guideline.

The current legislation, Law no. 58/2019, implemented in the Portuguese legal system to comply with Regulation (EU) 2016/679 of the Parliament and of the Council of April 27, 2016 (RGPD), was deemed insufficient to address this issue. Public organizations, due to the principle of legality, have more limited organizational autonomy when it comes to evaluating their employees. Consequently, it becomes more challenging to establish suitable evaluation methods for workers who also serve as DPOs within public entities. Therefore, until specific regulation on this matter is approved, the CNPD has decided to issue a new public consultation prior to the Guideline.

In the view of the CNPD, when assessing workers who perform DPO duties, it is crucial to distinguish between the different functional activities they undertake, and it is of utmost importance that the tasks assigned to the worker outside the functional perimeter of the DPO do not include the duties and responsibilities of a DPO. Thus, for the activity outside the DPO functional perimeter, the employee may be evaluated under the general terms of the legal regime for evaluating employees exercising public functions. This approach ensures that the worker's evaluations do not conflict with other interests.

Regarding the activity performed by the employee as a DPO, the manager of the department (where the employee performs the activity outside the DPO's functional perimeter) can never set the objectives for, or assess the performance of, the DPO duties. It is also deemed unreasonable to have a combined performance evaluation of the two functional activities by the same supervisor.

In cases where the worker exclusively carries out DPO functions, the CNPD has concluded that the assessment should be conducted by the highest hierarchical body to which the DPO reports, given that the competence to assess the worker's performance is implicit in the competence of the person who appointed the DPO.

Additionally, in April, the CNPD approved five new guidelines, four of which focus on the disclosure and sharing of data on the Internet with third parties through other means.

These subjects are often the topic of consultations and requests for clarification, leading the CNPD to issue guidelines on the following subjects:
  1. Guidelines on the webcasting of meetings of municipal bodies; 
  2. Guidelines on the online publication of the minutes of collegial bodies meetings; 
  3. Guidelines on the availability of personal data processed in the framework of administrative procedures, in particular regarding tendering procedures; 
  4. Guidelines on the access to personal data held by a public entity as a subcontractor (and data processor).

Furthermore, this independent administrative body has published a guideline concerning the incompatibility between the duties of the Data Protection Officer (DPO) and the functions performed by the Information Access Officer (IAO). The CNPD identified a potential conflict of interest in the activities carried out by the DPO and IAO, as decision-making is subject to control and audit by the DPO.




Vitor Oliveira


André Rodrigues Barbosa

