To hear about GDPR in Portugal, this month we connected with João de Sousa Guimarães, Managing Partner Teixeira & Guimarães (T&G). Based in Proto, and with a branch office in Lisbon, the boutique firm provides financial and corporate legal support to national and global companies.


GDPR came into effect on 25th May – how did the Portuguese Government prepare for the new regulations?

The truth is that until recently, there haven’t been any national regulations in relation to GDPR. The Portuguese Government in fact tried to dismiss the penalties for the public sector’s non-compliance, which was faced with divided opinions, as it meant that private companies are being treated differently. Thus, the Government didn´t get the national parliament’s approval to pass a set of regulations and the issue is still to be discussed.


Are the majority of Portuguese companies compliant with the new regulations now?

No, they are not. The previous EU data protection directive has been in effect over the past 20 years, but Portuguese companies weren’t taking it seriously. Since November 2017, we have noticed the effort that big corporations have been making to be GDPR compliant, but there’s still a long way to go – especially for Portuguese SMEs and the public sector.


What are the key GDPR challenges that Portuguese SMEs are faced with?

I believe that the key challenge they are faced with is the paradigm shift. Up until now, most of the SMEs in Portugal simply haven’t considered data protection as a major issue in today’s world. And I’m not only talking about digital customer relationships – there are so many companies that collect and store customer data in physical form, without having any internal safety policies. Most SMEs don’t fully understand the importance of data protection. They see the implementation of GDPR as something unnecessary that will only cost them money, as opposed to an opportunity to improve their relationships with the company’s stakeholders and clients.

The paradigm is shifting. And even though most SMEs are afraid of the penalties (and so is the Portuguese government itself), things have started to improve.


What is your piece of advice for companies that are not GDPR compliant yet?

I think the most important thing for companies that are not compliant yet is to understand this paradigm shift. They need to find the gaps between their current policies and what GDPR requires.  They then should seek advice on how to become compliant and properly handle their clients’, employees’ and service providers’ personal data.


About Teixeira & Guimarães

T&G has recently started the ESSA (Early Stage Startup Advising) programme, which consists of a number of legal services that entrepreneurs usually need assistance with. This includes things like intellectual property, corporate support and more.

The firm has excellent relationship with several universities, being the first (and only) law firm that has been case studied by an MBA International programme (at Catolica Porto Business School).

By January 2017, T&G was the first law firm in Portugal that had its quality management system certified by SGS ICS, within the scope of Legal Service Provider and Credit Litigation.

T&G is a founder associate of the Portuguese Association for FinTech and InsurTech (AFIP) and has been involved with the Portuguese Youth Entrepreneur Association (ANJE). The firm has provided legal mentoring to the Startup Porto Accelerator as well as to the Portuguese Business Angel Association (APBA).

Teixeira & Guimarães was awarded Boutique Law Firm of the Year 2018 by the Corporate Livewire Innovation & Excellence, as well Litigation Advisory Firm of the Year 2018 by the Finance Monthly Global Awards.