Faculdade de Ciências da Universidade de Lisboa Privacy Policy
(This is a brief summary of the Portuguese version of the document “Política de Privacidade da Faculdade de Ciências da Universidade de Lisboa”.)
1. General Overview
The Faculdade de Ciências da Universidade de Lisboa (hereafter Ciências), is a public institution with autonomy to manage its statutes, budget and assets and define its own research, pedagogical and cultural policies.
Ciências fully adopts and has a strict compromise with the protection of privacy and personal data, fully implementing the General Data Protection Regulation (GDPR) rules and guidelines. Measures to reinforce and extend the protection of personal data of the academic community and of anyone in the scope of Ciências are permanently evaluated. Our measures are aligned with the policy defined by the Universidade de Lisboa, of which Ciências is an integral part.
We believe that the protection of personal data is a fundamental right. Ciências has a strong commitment with the accountability of its processing of personal data, responding to any question on the use, rights and guidelines that govern the use of personal data.
Therefore, Ciências:
- ensures that personal data is processed only for proposes that are compatible with those for which data was originally collected;
- promotes a culture of data minimization, by requesting, using and preserving exclusively the data that is strictly necessary to perform its activities.
2. Our Commitment: to protect personal data
With this document, Ciências acknowledges the importance of handling personal data in a secure way, in order to preserve the privacy of the owner but without compromising the services Ciências is expected to provide to the owner of the personal data.
3. Controller
The data controller is reachable by the e-mail address protecaodados@ciencias.ulisboa.pt.
4. Data Protection Officer
The responsibilities of the Data Protection Officer (DPO) are those stated in the GDPR, thus including but not limited to:
Monitor the processing of personal data according to existing regulations;
- Serve as the contact point for questions related with personal data processing;
- Cooperate with the national agency for data protection, namely Comissão Nacional de Proteção de Dados (CNPD);
- Advise Ciências about its obligations related with privacy and personal data protection.
Ciências DPO is Dr. Tiago Abade, who can be contacted at the e-mail address: rgpd@ulisboa.pt.
5. Changes to Privacy Policy
Updates to Ciências privacy policy will be published as new versions of this document and properly advertised in the Ciências website.
6. Cookies
Ciências adopts a minimalist approach to website cookies, using them exclusively for detecting website traffic patterns, simplify navigation on the website and identify problems. Cookies can be managed on the visitor browser options or directly on Ciências website.
7. Personal data
Ciências fully implements and adopts the definitions of personal data, special categories of personal data and data owner expressed in the General Data Protection Regulation (GDPR).
8. Personal data processed by Ciências
To perform its mission, personal data processed by Ciências includes but is not limited to:
- Identification data: name, place and date of birth, gender, nationality and national/passport, fiscal, drivers license and social security numbers, home address, phone numbers and e-mail addresses, professional statutes;
- Status: Marital status, name of spouse, children and others, relevant to determine tax and social security information;
- Professional Activity: work schedule, place of work, date of admission, duties, professional category, category history, type of contract, salary and any professional certificates;
- Financial information: salary, including any supplements, paid holidays and leave days, relevant tax information, payment methods, bank account number, declarations of interests;
- Personal Data fitting into the special category: disabilities and the corresponding degree of the worker, student or family member, temporary disabilities due to work accidents, sick leaves.
9. Data Processing Record
Data processing in Ciências obeys to Art. 30. of the GDPR.
10. Ciências Principles on Data Processing
In line with GDPR, Ciências applies the following principles when processing personal data:
- Data is processed only in a loyal, legitimate and transparent way to the owner of the data
- Data is only processed for the propose with which it was originally collected;
- Not more than the necessary data is collected;
- Ciências aims to keep the data as up-to-date and accurate as possible, making every effort to achieve this goal.
- Personal data will only be kept for the minimum time required to serve their original propose.
- Personal data will be processed in a secure way and protected from accidental loss or damage.
Ciências is prepared to reply to any question concerning the measures implemented to achieve these principles.
11. Support for personal data processing
Ciências assumes the compromise of only processing data in the situations defined by the GDPR, which include:
a) Owner consent for each Ciências will keep a record of the consent given by the owner. Consent can be withdrawn at any time. Withdraw has no effect on data processing performed in the past;
b) To perform a contractual obligation or in preparation of the signature of a contract;
c) To satisfy legal obligations;
d) In the vital interest of the owner for example in the case of a medical emergency;
e) In the case of public interest or of the interest of some public authority;
f) To satisfy Ciências legitimate interest provided that they do not impact the interest, rights or freedom of the owner.
12. Special categories of personal data
The processing of personal data that falls in the scope of GDPR definition of special categories is further restricted to the cases where:
- The processing is justified by EU or national legislation or agreement, Ciências is required to do so by the national government or to allow Ciências or the owner of the data to exercise specific rights, such as those resulting from laws concerning work rights, social security or social protection;
- The processing shows to be necessary to protect the owner or other third-party vital rights, provided that the owner is physically or legally incapacitated to express his consent;
- The processing uses data that the owner has expressly made public;
- The processing is required to exercise the right to defense in the court or the processing is required by a court order;
- The processing shows to be necessary for reasons of relevant public interest, as defined by EU or national laws.;
- The processing is required for the evaluation of the work capabilities of the owner, or to evaluate the health condition of the owner, in the scope of national or EU legislation and enforced by a contract with a health professional;
- The processing is required to protect public health and it is supported by EU or national legislation;
- The processing is required to preserve public archive, scientific or historical research or for statistical ends, and it is supported by EU or national legislation.
13. Preservation of personal data
Ciências preserves personal data for the time required to achieve the goals of the processing. These times can be extended to satisfy minimum conservation times established by law, possibly supported by public interest. Personal data can also be preserved if it is anticipated that it will equally support other legitimate processing, such as those enumerated above. Data conservation necessarily follows the principles of data minimization and pseudonimization.
14. Collection of personal data
Ciências collects personal data directly, by inquiring the owners using one of its many electronic systems (academic systems, human resources systems, etc) or indirectly, by requesting it from partners, which include other universities or schools. In no way the collecting method affects the rights of the data owner.
15. Owner Rights
Ciências fully implements the personal data owners rights as stated in Chapter 3 of the GDPR.
To exercise their rights, owners are requested to contact Ciências using the e-mail address protecaodados@ciencias.ulisboa.pt or the mail address Faculdade de Ciências da Universidade de Lisboa, Campo Grande, 1749-016 Lisboa.
Ciências assumes the compromise to reply to every request in not more than 1 month. The deadline can be extended to up to 2 months in cases of special complexity or if there is a large number of requests.
16. Supervisory authority
In Portugal, the supervisory authority is Comissão Nacional de Proteção de Dados (CNPD). Data owners can contact them directly using the addresses presented in https://www.cnpd.pt.
17. Security Measures
Ciências has in place a number of measures and mechanisms to protect personal data, which include but are not limited to:
- Firewall and intrusion detection system;
- User authentication and segregation according to their roles in Ciências;
- Logs of actions performed in the systems;
- Offline data preservation (backups);
- SPAM and malicious e-mail filter;
- Anti-virus;
- Physical access control to the critical facilities;
- Fire detection and suppression systems;.
18. Subcontracts
Ciências can subcontract some of the processing of personal data, with the contract clearly mentioning the processing allowed, the duration and goal of the processing as well as the personal data involved. Subcontract agreements necessarily mandate the partner to comply with GDPR, national legislation and this policy. Furthermore, partners are required to have Ciências written consent to further delegate the processing and the personal data to third parties.
19. Third-Parties
To comply with national legislation, Ciências is required to forward personal data to:
- Tax National Agency (Autoridade Tributária);
- Social Security and Retirement Agencies (Segurança Social e/ou Caixa Geral de Aposentações);
- Embassies;
- Professional orders;
- Research institutions;
- Insurance companies;
- Other public institutions;
- Higher Education Accreditation Agencies;
- Higher Education Student Support Agencies;
- Other Higher Education institutions (in the scope of Erasmus programmes);
- Research funding agencies / Research partners (in the scope of research funding programmes).
Delivery of personal data to any member of the list above will be carefully evaluated. In particular, Ciências will necessarily evaluate the need of the data being requested in the scope of the desired processing, the legitimacy of the processing, the guarantees of the institution to protect the data in respect with this policy and the need to seek consent from the owner.
20. Data breaches
Data breaches should be reported to the e-mail address protecaodados@ciencias.ulisboa.pt. In case of a verified data breach, Ciências compromises to fully implement the measures stated in the GDPR.
Ciências, 1st August 2021.