Yes, scraping public data in Portugal is generally permitted, but strict compliance with GDPR, copyright, and sector-specific laws is mandatory. Publicly accessible data does not equate to unrestricted use, as processing may still require a lawful basis under the GDPR. The Portuguese Data Protection Authority (CNPD) and the 2026 Digital Services Act (DSA) amendments impose additional scrutiny on automated data collection, particularly for large-scale or commercial purposes.
Key Regulations for Scraping Public Data in Portugal
- GDPR Compliance: Even public data requires a lawful basis for processing (e.g., legitimate interest or consent). Automated scraping may trigger obligations under Articles 5(1)(c) and 6 of the GDPR, necessitating a Data Protection Impact Assessment (DPIA) for high-risk operations.
- Copyright and Database Rights: The Portuguese Copyright Code (Decree-Law 63/85) and EU Database Directive protect structured public datasets. Scraping content from databases with sui generis rights (e.g., government portals) without authorization may constitute infringement.
- Sector-Specific Restrictions: The 2024 Electronic Communications Act and CNPD guidelines prohibit scraping telecom or public sector APIs without explicit terms of service compliance. The 2026 DSA further mandates transparency in automated data collection for platforms exceeding 45M EU users.
Practical Considerations Avoid circumventing technical protections (e.g., CAPTCHAs or rate limits), as the CNPD views such actions as potential breaches of Article 32 GDPR security obligations. Commercial use of scraped public data requires prior consultation with the CNPD, particularly if profiling or automated decision-making is involved. Always document lawful bases and data minimization strategies to mitigate enforcement risks under the 2026 EU Data Act.