Author: Paula Reis Azenha
Area: GDPR & Compliance
The GDPR is not five years old — it is seven. Portuguese case law has matured and the CNPD (Comissão Nacional de Proteção de Dados, the national data protection authority) has been increasingly active in inspecting SMEs. This checklist summarises eight points we recommend validating.
1. Records of processing activities — do they exist and are they up to date? Do they include data categories, purposes, and retention periods?
2. Data Protection Officer — appointed where required (public authority, large-scale systematic processing, or sensitive data)? Have the contact details been communicated to the CNPD?
3. Privacy policies and notices — available at all collection points (website, forms, contracts)? Clear language, free of legal boilerplate?
4. Data processing agreements — do all suppliers processing personal data have a contract compliant with Article 28 GDPR? This includes international SaaS providers.
5. Data subjects' rights — is there a defined process to respond to requests for access, rectification, erasure, and portability within 30 days?
6. Incident register — are all breaches recorded internally, even those that do not trigger a notification obligation? Is the decision not to notify the CNPD duly reasoned?
7. Training — have staff who process personal data received training? Are records of sessions kept?
8. Data Protection Impact Assessment (DPIA) — has one been carried out whenever the processing involves high risk?
This list does not replace a full audit — it is the minimum required to face a CNPD inspection with confidence.
This article is for informational purposes only and does not constitute individual legal advice. If your situation raises specific questions, schedule a consultation.
