The Banco de Portugal, in exercising its powers and competences as the national monetary, statistical, macroprudential, supervisory, resolution and payment system oversight authority, processes personal data in accordance with the principles and rules arising from European and Portuguese legislation on personal data protection, particularly Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. 

The Banco de Portugal respects the principles of lawfulness, fairness and transparency, of data collection for specified, explicit and legitimate purposes, of data minimisation, of accuracy and of information security and integrity.

The Banco de Portugal adopts the technical and organisational measures needed for its personal data processing activities to fully respect data protection laws.

Processing of personal data

The Banco de Portugal processes strictly necessary, adequate, and relevant personal data categories, limited to, what is necessary for the achievement of public interest purposes as provided for by law, under its powers as a public authority or in compliance with a legal obligation.

The Banco de Portugal also processes personal data in the context of contracts (for instance, with its staff or with service providers).

The Banco de Portugal only retains data for as long as strictly necessary for the purposes for which they are processed.

Sharing and transfer of personal data

As a member of the European System of Central Banks, the Banco de Portugal shares information with the European Central Bank and other central banks within the system. 

Within the framework of the European systems for financial supervision and bank resolution and of the Banking Union, the Banco de Portugal shares information with other members thereof, including its counterpart authorities, the European Central Bank/Single Supervisory Mechanism, the Single Resolution Board/Single Resolution Mechanism, the European supervisory and resolution authorities and the European Systemic Risk Board.

According to the law, the Banco de Portugal may also share data under its duty of cooperation with national supervisory authorities, national resolution authorities and other public entities, including the courts, the Public Prosecutor's Office, the tax and customs authority and social security, among others.

The Banco de Portugal may transfer data to third country counterpart authorities and international organisations that offer guarantees ensuring a level of data protection equivalent to that ensured by the Banco de Portugal.

The Banco de Portugal may also transfer data to service providers that act exclusively under its guidance and that implement technical and organisational measures equivalent to those binding the Banco de Portugal.

Rights of the data subjects and Data Protection Officer 

Pursuant to the applicable law, the Banco de Portugal provides the data subjects with adequate means to exercise their rights of information, access, rectification, opposition, limitation, or erasure regarding their personal data. 

The Banco de Portugal's Data Protection Officer monitors compliance of personal data processing with the General Data Protection Regulation (GDPR) and other EU data protection provisions, communicates with the data subjects and cooperates with the Comissão Nacional de Proteção de Dados (CNPD – the Portuguese Data Protection Authority), working as a point of contact between the latter and the former regarding personal data processing matters. 

Data subjects may exercise their rights: 

• at any of the Banco de Portugal’s information desks;
• by post; or
• by e-mail: info@bportugal.pt.

If the data subjects consider that their rights requests have not been properly met, or wish to submit a complaint, they can contact the Data Protection Officer by the following means:

• by e-mail: encarregado.protecao.dados@bportugal.pt
• by post: 
  Gabinete de Proteção de Dados do Banco de Portugal 
  Rua do Comércio, 148 
  1100-150 Lisbon

Control of the Banco de Portugal's activity

The Banco de Portugal's activity in the field of data protection and processing may be subject to complaint before the CNPD or to judicial appeal, under the general terms.