The practice of the Data Protection Officer rests on a dense but coherent body of rules, whose centre is the General Data Protection Regulation and, in Portugal, Law 58/2019 ensuring its execution. To that core are added the regimes that intersect with it — from electronic communications to artificial intelligence and cybersecurity.
The key EU data instruments that frame the practice of the DPO, and their national transposition.
| Area | EU instrument | National transposition |
|---|---|---|
| Data Protection | GDPR — Regulation (EU) 2016/679 | National laws (PT 58/2019, ES LOPDGDD, DE BDSG) |
| DPO — designation and position | GDPR, Arts. 37–39 | National specifications (PT Law 58/2019, Arts. 9–13) |
| ePrivacy | Directive 2002/58/EC | National transposition (PT Law 41/2004) |
| Law-enforcement data | Directive (EU) 2016/680 | National transposition (PT Law 59/2019) |
| Artificial Intelligence | AI Act — Regulation (EU) 2024/1689 | Directly applicable |
| Data Governance | Data Governance Act — Regulation (EU) 2022/868 | Directly applicable |
| Data Act | Data Act — Regulation (EU) 2023/2854 | Directly applicable |
| Cybersecurity (interface) | NIS2 — Directive (EU) 2022/2555 | National (PT Decree-Law 125/2025) |