Portugal's national data protection authority this month published its 2025 Activity Report, revealing that the Comissao Nacional de Protecao de Dados (CNPD) opened 3,201 processes, conducted 244 inspections, and instituted 88 administrative offence proceedings across the year - yet ultimately applied just 2 fines, totalling €47,000. The report, approved at the CNPD's board meeting on March 24, 2026, lays bare a structural gap between supervisory activity and sanctioning output that draws direct comparison to long-running criticism of Ireland's Data Protection Commission as the lead regulator for dozens of major technology companies.

The numbers behind the gap

The scale of the CNPD's investigative work in 2025 is not in dispute. According to the 2025 Activity Report, the authority opened 2,037 investigation processes - a figure essentially flat compared to the 2,046 opened in 2024 but representing a sharp increase from 1,108 in 2020. Data breach notifications climbed to 472 in 2025, up approximately 42% from 332 in 2024, with human error accounting for 128 cases and phishing-type social engineering schemes accounting for 72. The authority issued 908 decisions of various types and conducted 244 inspections - double the 122 carried out in 2024.

Against that backdrop, the sanction count is stark. Two fines. One arose from an administrative offence proceeding against a public-sector entity - local government - and the other from an investigation into unsolicited commercial communications sent by a private company. The combined value was €47,000.

The CNPD report does not attempt to conceal this outcome. It attributes the low fine count to insufficient human resources, a shortage of staff with specialised knowledge in administrative offence proceedings, procedural complexity, paper-based processes, and structural deficiencies in the legal framework. The report also notes that 88 administrative offence proceedings were opened during 2025 - cases that could theoretically have generated up to 90 fines had they each concluded with a sanction during the year, versus the 2 that actually resulted in penalties.

A staffing problem measured in years

The CNPD ended 2025 with 36 workers, its highest headcount on record, after recruiting 19 people during the year against 11 departures. The net gain of 8 staff pushed the total beyond the 28 employed at the end of 2024. But the report is explicit that 36 remains insufficient to meet the authority's legal mandate under the GDPR, the Digital Services Act, and national legislation. According to the report, 77.78% of CNPD staff are aged 45 or older, and 58.33% are aged 50 or over - an age profile the authority describes as requiring urgent rejuvenation through competitive recruitment.

The 2025 Annual Activity Plan, approved in July 2024, had projected the recruitment of 7 additional workers as optimal for the authority's functional efficiency. The actual intake of 19 represents a significant push beyond that baseline - yet still leaves the organisation short of the staffing levels the authority itself considers necessary.

For context, Portugal serves a population of approximately 10.6 million people with those 36 staff members, a ratio of roughly one worker per 295,000 inhabitants according to data prepared by Diogo Duarte, a privacy and data protection counsel who analysed staffing ratios across EU supervisory authorities on LinkedIn. That figure places Portugal closer to Spain (one per 260,000), France (one per 280,000), Italy (one per 443,000), and Romania (one per 657,000) than to smaller, more intensively staffed supervisory authorities such as Luxembourg or Ireland. Ireland, with 175 staff and a population of 5.4 million, operates at one staff member per approximately 30,700 inhabitants - though as the lead GDPR regulator for dozens of multinational technology companies, the Irish DPC faces pressure of a qualitatively different nature.

Duarte noted on LinkedIn that the comparison is "necessarily imperfect" - it does not account for cross-border caseloads, technological complexity, or institutional maturity - but that the exercise "helps contextualise Portugal within the broader European landscape." His post received 31 reactions and generated commentary noting that "those two fines, if recovered, don't even cover the CNPD's wage bill for a month."

The Irish parallel

The enforcement gap is not unique to Portugal. Ireland's Data Protection Commission has faced sustained criticism for what privacy advocates describe as a structural reluctance to act decisively against the large technology companies headquartered in Dublin. According to the advocacy group noyb, only 0.6% of fines nominally issued by the Irish DPC against major companies have actually been collected - with billions in penalties under active judicial appeal. The CNPD's situation differs in scale but echoes a similar dynamic: a regulator whose investigative workload vastly outpaces its sanctioning capability, for reasons the authority itself links to resources and legal framework constraints rather than enforcement philosophy.

Where the Irish case involves the geopolitical weight of Silicon Valley headquarters decisions, the Portuguese case is more straightforwardly about organisational capacity. The CNPD report makes clear that the paper-based contraordenational (administrative offence) process - one where defendants must submit physical originals and duplicates of procedural documents, which the authority then digitises and returns - consumes time and specialist expertise the organisation does not have in sufficient quantity.

Legislative proposal at the Assembleia da Republica

In September 2025, the CNPD submitted a draft law to the President of the Assembleia da Republica proposing a new legal regime for administrative offences in data protection. The 41-page document, which covers both the contraordenational regime and amendments to the CNPD's own organisational law, pursues three goals. First, it would move the entire proceedings process onto an electronic platform, eliminating paper submissions and reducing the duration of individual cases. Second, it would clarify which court holds jurisdiction when a CNPD fine decision is challenged - an ambiguity in the current Law 58/2019 that has generated negative jurisdictional conflicts and, in the authority's assessment, prescription-risk delays. Third, it would create a legal basis for the CNPD's collegiate body to delegate competences to its Secretary, allowing routine decisions to be processed without a formal full board meeting.

The CNPD report draws an explicit analogy to other Portuguese regulatory bodies - the Competition Authority, ANACOM, Banco de Portugal, and the Securities Market Commission - each of which already holds autonomous standing to intervene in judicial proceedings challenging its own fine decisions. The CNPD currently lacks this capacity, which the report argues hampers effective sanctioning. Whether the Assembleia da Republica will act on the proposal during 2026 is uncertain; the CNPD had previously attempted a similar legislative initiative that was interrupted by the dissolution of parliament at the end of 2023.

Beyond sanctions, the 2025 report documents a sharp rise in data breach notifications. The 472 breaches recorded are the highest figure since at least 2020, when the comparable figure was 301. Of the 2025 total, 357 originated from private-sector entities and 115 from public-sector organisations. In the public sector, central government and public institutes accounted for 46 notifications, healthcare for 22, higher education for 20, and local government for 18.

The CNPD adopted 480 decisions in connection with breach cases - an increase of approximately 321% from the 114 decisions issued in 2024. The authority made specific security recommendations in each case rather than imposing fines, in keeping with a supervisory approach the report characterises as primarily corrective. The confidentiality principle was found to have been compromised in 390 of the 472 cases.

Alongside breach data, citizen complaints arrived at volume. The CNPD's Digital Counter received 9,299 requests for information and participation in 2025, up 19.2% year-on-year. The single largest category was unsolicited marketing communications (spam), which generated 1,254 specific complaints. Complaints about video surveillance increased 49.9% to 1,243. The authority issued 254 warnings under Article 39(3) of Law 58/2019 - a figure suggesting a preference for cautionary measures over the heavier contraordenational machinery.

European enforcement disparities

The CNPD's output sits within a broader European enforcement landscape characterised by significant disparity. Only 1.3% of GDPR cases resulted in fines between 2018 and 2023 across EU authorities, according to European Data Protection Board statistics. The EDPB's 2025 annual data shows national authorities issued a combined €1.14 billion in fines across the year - but that figure is overwhelmingly driven by a small number of large-economy authorities. Ireland's accumulated total since 2018 stands at approximately €2.8 billion in nominal penalties, reflecting its position as lead authority for Google, Meta, and Microsoft.

Smaller authorities face a different challenge. Belgium's Data Protection Authority, with approximately 90 staff and a population of 11.8 million, has been investing in strategic enforcement against advertising technology platforms and data brokers under a three-year plan announced in December 2025. The Belgian DPA operates one staff member per approximately 131,000 inhabitants - a substantially more intensive coverage ratio than Portugal, and one that has produced a more active sanctioning record, including a €100,000 fine against a telecoms operator for a 14-month delay in responding to a data access request.

Spain, with 189 staff supervising a population of 49.1 million, has pursued aggressive action on biometric data and AI-related GDPR violations. The AEPD fined Yoti €950,000 in early 2026 for biometric data and consent failures, following earlier penalties against FC Barcelona and AENA. Spain's ratio - one staff member per 260,000 inhabitants - is comparable to Portugal's on the surface, yet the AEPD's output in terms of sanctioned cases substantially exceeds the CNPD's. Spain's data watchdog has also produced a detailed agentic AI GDPR compliance guide, positioning itself as a technical thought leader on emerging regulatory challenges.

Germany, with 1,083 staff across 16 federal and state authorities, sits at one staff member per approximately 77,200 inhabitants. The German authorities adopted unified fine procedures in June 2025 to harmonise sanction calculations across jurisdictions - a move aimed at addressing internal inconsistency rather than low output. Germany's combined enforcement record produces far more fines annually than Portugal even at the individual state level.

International activity and the Lusophone network

The CNPD's 2025 activity was not limited to domestic supervision. The authority participated actively in European Data Protection Board plenary sessions, with CNPD President Paula Meira Lourenco chairing part of the EDPB's December 3 plenary in place of the Board President. The CNPD also served as co-rapporteur for the EDPB's opinion on Brazil's data adequacy status - a notable role given the historical and linguistic ties between Portugal and Brazil, and one that positions the CNPD within an emerging Lusophone data protection network.

The Rede Lusofona de Protecao de Dados held its second meeting on March 20, 2025, in Praia, Cape Verde, where the network's statutes were formally approved and the presidency was assigned to Brazil's ANPD. Portugal retained the Permanent Secretariat. The network's first full meeting took place in Sao Paulo on August 26, 2025, on the margins of Brazil's annual privacy seminar. Three working groups were constituted: Biometrics and Artificial Intelligence (Brazil); Neurodata and International Data Transfers (Portugal); and Video Surveillance (Sao Tome and Principe).

The CNPD also became the coordinator, from 2025 onward, of the Ibero-American data protection network's Generative AI working group - a technical role that extends the authority's soft-power reach beyond the Lusophone world. According to the 2025 Activity Report, the CNPD participated in the Europäische Rechtsakademie annual conference on data protection in the judiciary, the Venice Privacy Symposium on digital identities, the ANACOM conference on AI and data protection, and the Oeiras Valley Science Festival, among others.

Budget and structural context

The CNPD's 2025 initial budget was €3,748,774, of which €110,000 represented own revenues and the remainder came from the Assembleia da Republica's budget allocation. Total executed revenue reached €9,284,191.55 when prior-year balance carryovers were included. Total expenditure was €2,573,852.05. The gap between revenue available and expenditure reflects accumulated surpluses rather than genuine fiscal capacity - the authority's day-to-day spending remains constrained by its allocation from the parliamentary budget.

The CNPD operates as an independent administrative entity that functions alongside the Assembleia da Republica. Its governing law, Law 43/2004 as amended by Law 58/2019, was designed primarily to transpose GDPR into the Portuguese legal order rather than to modernise the authority's internal procedures. The legislative proposal submitted to parliament in September 2025 is, among other things, an attempt to fix the gap between the ambition of GDPR supervision and the procedural reality of an authority still operating, in significant respects, on paper.

Relevance for marketing and advertising

For digital marketing professionals and advertising technology companies operating in Portugal or processing data of Portuguese residents, the practical implications are direct. The CNPD's low fine rate in 2025 does not indicate a light regulatory environment. The authority opened 2,037 investigation processes and conducted 244 inspections. GDPR's one-stop-shop mechanism means that a company headquartered elsewhere in the EU faces its lead supervisory authority rather than the CNPD for cross-border matters - but the CNPD participated in 16 cases as lead supervisory authority and 18 as a concerned authority in 2025, demonstrating engagement with the cross-border enforcement network.

The data breach trajectory - 472 breaches in 2025, up 42% from 2024 - matters specifically for ad tech and marketing infrastructure, where personal data processes are dense and cybersecurity incidents carry GDPR notification obligations. Human error and phishing remain the dominant breach causes. With 480 deliberations adopted in breach-related processes and specific security recommendations issued in each, the CNPD has been active in guiding controllers on remediation even where financial sanctions were not applied. As enforcement patterns across European supervisory authorities show ongoing variation, the CNPD's trajectory - more staff, more inspections, a legislative proposal to accelerate proceedings - points toward increased sanction output in coming years, subject to parliamentary approval of the new contraordenational regime.

Timeline

  • August 18, 2004 - Law 43/2004 establishes the CNPD's organisational framework, last substantively amended in 2019 to transpose GDPR
  • May 25, 2018 - GDPR enters into force across the EU
  • August 8, 2019 - Law 58/2019 transposes GDPR into Portuguese national law; the CNPD's operational law is updated but not restructured
  • May 11, 2023 - CNPD President Paula Meira Lourenco takes office, outlining three strategic objectives including internal reorganisation and improved sanctioning effectiveness
  • July 19, 2023 - CNPD approves its 2024-2026 triennial plan, including explicit Action 23 to increase sanctioning effectiveness
  • August 2023 - CNPD commissions Instituto Kaizen to conduct an internal reorganisation diagnostic
  • October 2023 - Kaizen delivers the "Visao de Melhoria para Reorganizacao Interna" report, estimating the CNPD needs to recruit at least 7 additional workers across all units
  • Late 2023 - Legislative initiative for CNPD statute reform interrupted by dissolution of the Assembleia da Republica
  • July 30, 2024 - CNPD approves its 2025 Annual Activity Plan, projecting 7 new hires and listing 16 strategic actions
  • June 25, 2024 - Rede Lusofona de Protecao de Dados launched in Lisbon with the signing of the Declaracao de Lisboa by Angola, Brazil, Cape Verde, Portugal, and Sao Tome and Principe
  • October 16, 2024 - CNPD's first Fiscal Unico takes office following designation by parliamentary resolution
  • March 20, 2025 - Second RLPD meeting in Praia, Cape Verde; statutes adopted; Brazil's ANPD takes the presidency; Portugal retains the Permanent Secretariat
  • August 26, 2025 - First RLPD full meeting in Sao Paulo; three working groups constituted; official logo adopted
  • September 2025 - CNPD submits draft law to Assembleia da Republica proposing electronic contraordenational proceedings and delegation of competences
  • October 16, 2025 - New CNPD board member Jose Mario Nogueira da Costa takes office; two other board seats remain vacant
  • November 24, 2025 - CNPD adopts performance evaluation regulation for its staff (Regulamento 1240/2025)
  • November 26, 2025 - Entry into force of Regulation (EU) 2025/2518, adding procedural rules for GDPR enforcement - increasing CNPD compliance obligations
  • December 31, 2025 - CNPD closes year with 36 workers (up from 28 at year-end 2024); 2 fines totalling €47,000 applied throughout the year
  • March 24, 2026 - CNPD approves the 2025 Activity Report at its board meeting

Summary

Who: The Comissao Nacional de Protecao de Dados (CNPD), Portugal's national supervisory authority for data protection, operating under GDPR and national legislation, with 36 staff and led by President Paula Meira Lourenco.

What: The CNPD's 2025 Activity Report discloses that the authority opened 3,201 processes, conducted 244 inspections, opened 2,037 investigations, and instituted 88 administrative offence proceedings - but applied only 2 fines totalling €47,000. The authority attributes low sanction output to insufficient specialised staff, procedural complexity, paper-based proceedings, and an inadequate legal framework. A legislative proposal for an electronic contraordenational regime was submitted to parliament in September 2025.

When: The 2025 Activity Report covers the full calendar year 2025 and was approved on March 24, 2026.

Where: The CNPD is based in Lisbon and operates as Portugal's national supervisory authority under the Assembleia da Republica. Its supervisory jurisdiction covers all processing of personal data of persons in Portugal, as well as cross-border cases where it acts as lead or concerned authority within the EU one-stop-shop mechanism.

Why: The enforcement gap matters because GDPR requires member states under Article 52(4) to provide supervisory authorities with adequate resources. Portugal's ratio of approximately one staff member per 295,000 inhabitants is comparable to larger EU member states such as Spain and France, yet the CNPD's sanctioning output is substantially lower. The pattern draws comparison to broader European enforcement disparities - where only 1.3% of GDPR cases resulted in fines between 2018 and 2023 - and specifically to the Irish DPC's long-criticised record of nominal enforcement against major technology companies. The CNPD's legislative proposal and ongoing recruitment push signal an intent to close this gap, but parliamentary approval and sustained resourcing will determine whether the trajectory changes.
