Privacy Policy

Data processing by the CMVM

The CMVM, an independent administrative entity, as the regulatory and supervisory authority for the markets in financial instruments and auditing, as well as the entities that operate therein, in compliance with the principle of legality, proceeds with the processing of personal data, in accordance with the provisions of Regulation (EU) 2016/679, of the European Parliament and of the Council, of April 27, 2016 (GDPR – General Data Protection Regulation), with Law No. 58/2019 of 8 August, and other applicable European and national legislation.

A. Entity responsible for data processing

CMVM – Comissão do Mercado de Valores Mobiliários

Rua Laura Alves, n.º 4

1050-138 Lisboa

Telefone: +351 213 177 000

Fax: +351 213 537 077

Email: [email protected]

B. Contacts of the Data Protection Officer

Rua Laura Alves, n.º 4

1050-138 Lisboa

Telefone: +351 213 177 000

Fax: +351 213 537 077

Email: [email protected]

C. Purposes of the processing and origin of personal data

1. The purposes of the personal data processing operations carried out by the CMVM are intended for the activities it pursues, in compliance with the principle of legality, envisaged, namely, in the:

1) CMVM Statutes;

2) Framework Law of the Regulatory Entities;

3) Securities Code

4) Administrative Procedure Code;

5) Framework on the Access to Information of the Administration;

6) General Framework on Administrative Infractions;

7) General Framework for Collective Investment Undertakings;

8) General Framework of Audit Supervision;

9) Law on Real Estate Valuers;

10) Legal Framework on Securitisation;

11) Legal Framework on Venture Capital, Social Entrepreneurship and Specialised Investment;

12) Legal Framework on Money Laundering and Financing of terrorism;

1.1. At European level, the purposes of personal data processing operations result from the provisions of the European regulatory framework, and it is also necessary to act in accordance with the Guidelines of the European Securities and Markets Authority (ESMA).

2. With regard to the specific activities of the CMVM, the data can be used for:

a) Supervisory actions – obtaining knowledge and evidence of facts;

b) Administrative procedures – when by law, the CMVM imposes or allows facts;

c) Regulation – when the CMVM is competent to draw up rules or participates in their drawing up;

d) Proceedings on infractions – administrative infractions under the jurisdiction of the CMVM, reports of infractions under the jurisdiction of other entities or preliminary investigations;

e) Moral suasion (moral persuasion) – complaints from investors, requests for certificates, mediation, arbitration, recommendations, opinions or information to the market.

3. Personal data can also be used for the transversal activities of the CMVM:

a) Financial and Asset Management – namely in public acquisitions and processing of revenues and defence of public interests in the execution of contracts;

b) Human Resources – namely for assessing possible impediments, waivers and suspicions, and protecting the public interests and CMVM staff and agents in the execution of contracts;

c) Information technologies and systems – namely for data quality control and impact assessments;

d) Litigation – namely in cases where the CMVM is a party to legal actions or is required by law to cooperate with judicial authorities;

e) Organisation – namely for public registrations at the CMVM provided for by law;

f)  Studies – namely for carrying out analysis and opinions;

g) Foreign Relations – particularly cooperation with national European and international counterparts, but also with the Public Prosecutor’s Office, courts, and other public entities, including the Government and the Assembly of the Republic;

h)  Archive – pertaining to file maintenance duties of administrative and historical interest.

4. The personal data that the CMVM deals with is based on:

a) The activities mentioned above;

b) Receiving information reported to the CMVM by virtue of law or regulation, or resulting from complaints or denouncements;

c) Public data, namely those contained in public records.

5. Transversal activities are also governed by the general legislation that applies to said. 

D. Categories of personal and recipient data

1. The CMVM can only transfer data to third parties if this transfer is permitted by law or by agreement, legally provided for.

2. Data recipients are therefore typically those covered by the aforementioned cooperation.

3. The CMVM does not, as a rule, deal with special categories of personal data. These may only occur in specific situations, namely in terms of human resources, infraction proceedings, administrative procedures or supervisory actions. Typically, they can occur, under the law itself, in investigations on money laundering and terrorist financing.

E. Transfer of personal data to a third country or an international organisation

The CMVM may transfer personal data for reasons of public interest, under the terms of Article 49(1)(d) and paragraph 4 of the GDPR and Article 22 of Law No. 58/2019 of 8 August, or under the terms of the Administrative Data Transfer Agreement for Financial Supervisory Authorities in countries outside the European Economic Area, EEA, previously authorised by CNPD (The Portuguese Data Protection Authority)[1].

F. Criteria for the retention period of personal data

1. As a public entity, the CMVM is subject to the criteria of administrative interest for data retention. As long as they have administrative interest, they cannot be deleted.

2. You cannot erase them, in particular, until all the legal effects that concern said are not statute-barred.

3. When kept in a historical file, the CMVM reserves the right to access, even internally.

G. Rights of the subject 

1. The data subject is entitled to request the following from the CMVM:

a) Access to personal data concerning said,

b) Its rectification or erasure,

c) The restriction of processing with respect to the data subject,

d) The right to object processing,

e) The right to data portability.

2. The right to access may be restricted by the secrecy of supervision or justice, in accordance with national and European regulatory texts.

3. The right to erase and oppose the processing does not proceed when the CMVM is acting in the legitimate exercise of its functions, under the terms provided for in the GDPR.

4. Likewise, data portability is included in the GDPR and in the cooperation regime to which the CMVM is bound.

5. The CMVM will also comply with ESMA’s Internal Regulation and any restrictions of rights that may apply to it, pursuant to  Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, namely those resulting from the decision of 1 October 2019 establishing internal rules on the conditions wherein ESMA may limit the application of rights enshrined in Articles 14 to 21 and 35, as well as in Article 4, based on Article 25 of Regulation (EU) 2018/1725.

H. Lawfulness of data processing

1. The lawfulness of data processing carried out by the CMVM results, as a rule, from exercising duties for the public interest or as a public authority for which it has been entrusted by law.

2. When the lawfulness of personal data processing is based on the consent of the data subject, said has the right to withdraw it at any time, without compromising the lawfulness of the processing carried out based on the prior consent.

I. Complaint to a supervisory authority

Data subjects have the right to lodge a complaint with The Portuguese Data Protection Authority (CNPD):

Av. D. Carlos I, 134 – 1º

1200-651 Lisboa

Tel: +351 213928400

Fax: +351 213976832

e-mail: [email protected]

J. Duty to communicate data

1. The holders are obliged to communicate the data to the CMVM, when this results from the law or regulation of the CMVM.

2. In the remaining cases, they are required to provide personal data when requested by the CMVM in the exercise of its functions.

3. The fact that information has been provided to the CMVM at the request of same, must be kept confidential by the person who provided it, except when is public by law.

4. The information provided to the CMVM must be complete, true, current, clear, objective and lawful, under penalty of constituting an infraction. Once your assumptions are verified, it may be considered as a crime of forgery.

5. The CMVM has the power to give orders to its supervisees. Failure to comply with the orders may imply a crime or an administrative infraction.

6. Refusing to provide information on personal data may constitute a crime of disobedience. 

L. Automated decisions

1. By law, no final decision by the CMVM is fully automated since there is always human intervention.

2. However, the CMVM can automatically refuse to receive requests or information when they do not comply with legal, regulatory and/or computer requirements.


[1] The administrative agreement in question is available here at