This is a nonbinding translation of the Regulation. If any question regarding the meaning and interpretation of the present regulation arises, the Portuguese Version should prevail.

Instituto Superior Técnico (Técnico) privacy policy

1. General Framework

Instituto Superior Técnico (Técnico), a School belonging to the University of Lisbon, is a legal person governed by public law, endowed with statutory, scientific, cultural, pedagogical, administrative, financial and patrimonial autonomy.

As part of the exercise of its duties and functions, it makes available on its Institutional website a set of information regarding the missions it fulfils, intending to disseminate them to the respective academic community, society and other interested parties.

Privacy and protection of personal data represent a firm commitment for Técnico who acts in compliance with his legal obligations, in particular those resulting from the application of the new General Data Protection Regulation (hereinafter, GDPR), Regulation 2016/679, of April 27, 2016 (“GDPR”) and the Data Protection Law, Law nº. 58/2019, of August 8.

In this sense, Técnico has prioritised the implementation of a set of measures to reinforce its Data Protection and Privacy Policy and to protect the personal data of the University community and those who interact or collaborate with it, accordingly, also, with the Privacy and Data Protection Governance Model of Universidade de Lisboa.

As it processes personal data in its different areas of activity, whether through its multiple physical spaces or its online platform, Técnico guarantees the protection of personal data, the processing of which is carried out in accordance with applicable law and this Privacy Policy.

In order to strictly comply with the law, Técnico has implemented new security practices and enhanced its internal procedures with the ongoing objective of ensuring the security of the data it accesses, promoting within each of its structures and services that integrate a harmonised data processing policy with the University of Lisbon.

The protection of personal data is a fundamental right, so your privacy is important to Técnico. This Policy therefore clarifies the personal data it collects, for what purposes, the principles that guide this use and what rights the holders of this same data have.

In order to safeguard the protection of personal data, it is the Técnico’s objective, as the Data Controller responsible for processing your data:

• Ensure that the processing of personal data is carried out within the scope of the purpose(s) for which they were collected or for purposes compatible with the initial purpose(s) for which they were collected;
• Commit to implement a culture of data minimisation, in which only personal data is collected, used and stored strictly necessary for the development of its activity;
• Ensure the preservation (storage) and security maintenance of processed personal data.
• Ensure the effective exercise of rights by personal data holders.

In this sense, you are advised to read the Privacy Policy in order to be aware of your rights, the conditions under which you provide your personal data, and authorise its collection, use and disclosure.

2. Técnico’s Commitment: protect your personal data.

Through this Policy, Técnico recognises the importance of the security of the personal data it processes and ensures the protection of the privacy of its holders, without harming the purpose and full implementation of the different areas in which it operates.

This Policy also provides information on the rules, principles and good practices when processing personal data trusted, in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and the free movement of such data (GDPR) and other applicable legislation (see below point nº. 24), and on the means that data subjects of the data they have at their disposal to exercise their respective rights.

3. Responsible for Data Processing

Within the scope of the activity it develops in its different areas of activity, Técnico is the entity responsible for the processing of personal data, and can be contacted via the following email address: rgpd@tecnico.ulisboa.pt.

4. Data Protection Officer

With respect to the legal obligation resulting from paragraph 1.º a) of article 37.º of the GDPR, Técnico has appointed a Data Protection Officer (EPD), who is responsible for ensuring, among other aspects, compliance of personal data processing and protection activities, in accordance with applicable law and this Policy.

Among other functions, the EPD is responsible for:

• Monitor compliance of data processing with applicable legal standards;
• Serve as a contact point for clarifying questions relating to data processing;
• Cooperate with the National Data Protection Commission (CNPD), in its capacity as control authority;
• Provide information and advice to Técnico, or subcontracted entities, on their obligations, regarding privacy and data protection.

Therefore, holders of personal data, if they wish, can send a communication to the EPD, regarding matters related to the processing of personal data, using, for this purpose, the following email address: rgpd@tecnico.ulisboa.pt.

5. Changes to the Privacy Policy

Técnico reserves the right to make changes to this Privacy Policy, with these changes being duly publicised on its website and other channels it deems appropriate.

6. Técnico’s 360º Privacy Policy

Técnico has developed and implemented a 360º Privacy Policy that includes a wide range of measures to protect your personal data.

The implementation of this Policy resulted from the identification of the personal data under its responsibility, the assessment of data quality, the development of a data processing record, the definition of security controls, the protection and monitoring of data and, finally, the subsequent implementation of new procedures in a process of continuous improvement.

This information is intended, in a structured and simplified manner, to present the respective Privacy Policy for greater transparency on how Técnico treats personal data.

7. Personal Data

Personal data is any information, of any nature and in any medium (e.g. sound or image), relating to an identified or identifiable natural person (known as “data subject”).

A natural person who can be identified directly or indirectly, namely through a name, an identification number, location data, an electronic identifier or other specific elements of physical, physiological, or genetic identity, is considered identifiable. mental, economic, cultural or social status of that natural person.

8. Sensitive personal data

Sensitive data, by its nature, is subject to specific processing conditions. Special categories of personal data fall into this universe, such as:

• Personal data revealing racial or ethnic origin, political opinions, religious or philosophical convictions and trade union membership;
• Genetic data;
• Biometric data processed to unambiguously identify a person;
• Health-related data;
• Data relating to the person’s sex life or sexual orientation.

9. Data subjects

Any natural person to whom personal data relates is a data holder. In the context of the activity carried out by Técnico, data holders are:

Members of university bodies, teachers, collaborators, and employees regardless of their contractual relationship, and other service providers, researchers, and elements who collaborate directly or indirectly with Técnico, as well as all natural persons who send their data or authorise Técnico to use their data.

10. Categories of personal data processed by Técnico

Técnico processes personal data of different nature and sensitivity, as well as the purpose associated with the processing of this data, such as, for example:

• Personal identification data: name, date of birth, place of birth, gender, nationality, address, telephone number, professional qualifications, e-mail, personal identification numbers (examples: civil identification number and/or passport, taxpayer, driving license number, and social security number);
• Family situation: marital status, name of spouse, children or dependents and/or any other information necessary to determine salary supplements;
• Professional activity: hours, place of work, date of admission, position, professional category and duration of experience in the category, salary level, type of contractual relationship and professional qualification certificate(s);
• Financial information: remuneration, supplementary remuneration, variable or fixed amounts, allowances, holidays, attendance, licenses, or other information related to supplementary remuneration, amount or rates of mandatory or optional contributions, payment methods, bank name and bank account number (NIB or IBAN), declaration of role compatibility (when applicable);
• Special categories of personal data: degree of incapacity of the employee and/or any member of their household, possible temporary incapacity as a result of work accidents or occupational illnesses and sick leave.

11. Data processing registration

Técnico has a data processing record, in accordance with article 30.º of the GDPR, which identifies:

• The name and contact details of the controller and, where appropriate, of any joint controller, the representative of the controller and the data protection officer;
• The purposes of data processing;
• The description of the categories of data subjects and categories of personal data;
• The deadlines for deleting different categories of data;
• The technical and organisational measures in the field of security implemented to ensure the pseudonymisation and encryption of personal data and the ability to ensure the confidentiality, integrity, availability and permanent resilience of processing systems and services.

12. Principles regarding the processing of personal data

When processing personal data, Técnico observes the following fundamental principles:

• Lawfulness, fairness/loyalty, and transparency principle: personal data is subject to lawful, fair and transparent processing in relation to the data subject;
• Purpose limitation principle: personal data is collected for specific, explicit and legitimate purposes and is not further processed in a way that is incompatible with those purposes;
• Data minimisation principle: personal data will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
• Principle of accuracy: personal data will be accurate and updated whenever necessary, with all appropriate measures being adopted so that inaccurate data, taking into account the purposes for which they are processed, are erased or rectified without delay;
• Principle of conservation/storage limitation: personal data will be kept in a way that allows the identification of holders only for the period necessary for the purposes for which the data is processed;
• Principle of integrity and confidentiality: personal data will be processed in a way that guarantees its security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, with appropriate technical or organisational measures being adopted.

As responsible for the processing, Técnico undertakes to ensure that the processing of data subjects is carried out in strict compliance with the aforementioned principles and that he is in a position to prove compliance with them.

13. Basis for processing personal data

Técnico only processes personal data whenever at least one of the following situations occurs:

• Consent of the data subject: when the data subject has given their consent to the processing of their personal data, for one or more specific purposes, through express consent, which indicates a free, specific, informed and unequivocal expression of will that the data subject consent to the processing of your data. Consent may be obtained by any means (including electronically), with Técnico keeping a record of it, as a way of proving that the holder gave his consent to the processing of his personal data. The data subject has the right to withdraw their consent at any time, and the withdrawal of consent does not compromise the lawfulness of the processing carried out based on the consent previously given.
• Execution of a contract or pre-contractual measures: when processing is necessary for the execution of a contract to which the data subject is a party, or for pre-contractual measures at the request of the data subject. This situation includes, for example, the processing of personal data of Técnico’s professors, employees and service providers within the scope of managing the established employment relationship or the respective service providers within the scope of the contractual relationship.
• Compliance with legal obligation: when processing is necessary to comply with a legal obligation. This situation includes, for example, the processing of personal data to comply with legal obligations arising from declaratory obligations to Social Security, the T​​​ax and Customs Authority or other administrative Authorities, including the Ministry responsible for oversight of Técnico.
• Vital interests: when processing is necessary to defend the vital interests of the data subject or another natural person, for example, in the case of medical emergencies.
• Public interest/public authority: when processing is necessary for the performance of functions in the public interest. For example, the need for alerts from the General Directorate of Health. Técnico is a public entity and the educational activity is driven by the public interest, so much of the activity has this basis, although it must be evaluated in each treatment process.
• Legitimate interest: when processing is necessary for the purposes of the legitimate interests pursued by Técnico or third parties, except if the interests or fundamental rights and freedoms of the holder that require the protection of personal data prevail.

14. Sensitive data

Técnico may process sensitive data under the following conditions:

• If the data subject has given explicit consent to the processing of that personal data, for one or more specific purposes;
• When, in accordance with European Union legislation, national legislation or a collective agreement, the processing is necessary for the purposes of fulfilling obligations and exercising specific rights of Técnico or the data subject in matters of labour legislation, security social and social protection;
• When processing is necessary to protect the vital interests of the data subject or another natural person, in the event that the data subject is physically or legally incapable of giving consent;
• If the processing refers to personal data that has clearly been made public by its holder;
• If the processing is necessary for the declaration, exercise or defence of a right in legal proceedings or whenever the courts act in the exercise of their jurisdictional function;
• If processing is necessary for reasons of relevant public interest, based on European Union law or national law;
• If the treatment is necessary for the purposes of preventive or occupational medicine, for the assessment of the employee’s work capacity, medical diagnosis, the provision of health care or treatment or social action or the management of health systems and services or of social support, based on European Union law or national law or pursuant to a contract with a healthcare professional;
• If the processing is necessary for reasons of public interest in the field of public health, based on European Union law or national law;
• If the processing is necessary for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, based on European Union law or national law.

15. Purposes of processing personal data

Considering the diversity of its areas of activity, Técnico processes personal data for the following purposes:

• Financial data – For paying employees’ payrolls and purchasing services; payment management; reception and processing of proposals presented in purchasing procedures; execution of contracts established with suppliers.
• Contractual procedures – Drafting contracts, instructing and practising the inherent technical procedures. Receiving and processing requests for IT support; Development of new IT solutions for the academic community;
• Human Resources – Human resources management (attendance and scheduling management); salary processing; performance evaluation; promotion of safety, hygiene and health at work; granting social benefits to workers;
• Activities carried out – Organization of events within the scope of its principles and statutes, insurance for events with insurance entities, participation in international events, cooperation with other Schools or other similar entities.

16. Period of retention of personal data

Personal data is only kept for the period of time necessary to achieve the purposes for which it is processed.

Técnico complies with the legally established maximum conservation periods.

However, data may be kept for longer periods, for purposes of public interest, fulfilment of different purposes that may subsist, such as, for example, the exercise of a right in legal proceedings, archiving purposes of public interest, purposes of scientific or historical research or statistical purposes, applying – in this case – all appropriate technical and organisational measures to safeguard personal data.

These guarantees imply the adoption of technical and organisational measures aimed at ensuring, in particular, respect for the principle of data minimisation and pseudonymisation.

17. Collection of personal data

Técnico may collect data directly (i.e., directly from the data subject) or indirectly (i.e., through third parties).

Collection can be made through the following channels:

• Direct collection: in person, by phone, by email, through its platforms (examples: FÉNIX, SAP);
• Indirect collection: through its partners (for example, Public Entities, Universities or Partner Schools).

18. Rights of data subjects

Técnico ensures that data subjects exercise their rights, in accordance with applicable legislation regarding the protection of personal data, namely:

• Right of access: the holder has the right to obtain confirmation that personal data concerning him or her are being processed or not and, if applicable, the right to access his or her personal data.
• Right to rectification: the holder has the right to request, at any time, the rectification of their personal data and also the right to have their incomplete personal data completed, including through an additional statement.
• Right to erasure: the holder has the right to obtain the erasure of their data when one of the following reasons applies:
  1. the holder’s data is no longer necessary for the purpose for which it was collected or processed;
  2. the holder withdraws the consent on which the data processing is based and there is no other legal basis for said processing;
  3. the holder opposes the processing under the right to object and there are no prevailing legitimate interests that justify the processing;
  4. if the holder’s data is processed unlawfully;
  5. if the holder’s data must be deleted to comply with a legal obligation to which Técnico or subcontractor is subject.

  Under applicable legal terms, Técnico is not obliged to delete the holder’s data to the extent that the processing proves necessary to comply with a legal obligation to which it is subject or for the purposes of declaring, exercising or defending a right in proceedings. Judicial.

• Right to restriction of processing: the holder has the right to obtain limitation of the processing of their data if one of the following situations applies:
  1. if you contest the accuracy of the personal data, for a period that allows its accuracy to be verified;
  2. if the processing is unlawful and the holder opposes the deletion of the data, requesting, in return, the limitation of its use;
  3. if you no longer need the holder’s data for processing purposes, but such data is required by the holder for the purposes of declaring, exercising or defending a right in legal proceedings.
• Right to portability: the holder has the right to receive personal data concerning him or her, in a structured, commonly used and machine-readable format, and the right to transmit this data to another controller, if:
  1. the processing is based on consent or a contract to which the holder is a party; It is
  2. the processing is carried out by automated means.
• Right to object: the holder has the right to object at any time, for reasons related to his or her particular situation, to the processing of personal data concerning him or her which is based on the exercise of legitimate interests pursued or when the processing is carried out for the purposes other than those for which the personal data was collected.

The data subject also has the right to complain to the National Data Protection Commission (CNPD).

19. Exercise of rights by the data subject

The exercise of rights by the holder may be exercised by the holder through contact with Técnico, who will respond in writing (including by electronic means) to the holder’s request within a maximum period of one month from receipt of the request, except in cases of special complexity and high number of requests, in which this period can be extended up to two months, through the following means:

• Mail or in person, at the following address:
  Instituto Superior Técnico
  Av. Rovisco Pais, 1
  1649-004 Lisboa
• Via email: rgpd@tecnico.ulisboa.pt

20. Filing a complaint with the CNPD

The data subject may complain directly to the National Personal Data Control Authority, the CNPD, using the contact details provided by this entity for this purpose (at www.cnpd.pt).

21. Security measures

Taking into account the principle of proportionality and suitability, security, application costs and the nature, scope, context and purposes of the processing, as well as probability risks, Técnico applies security, technical and organisational measures, appropriate measures to ensure a level of security for personal data appropriate to the risk, such as:

• Use of firewall and intrusion detection systems in your information systems;
• Application of access control procedures, using differentiated access profiles and based on the need-to-know principle;
• Registration of actions carried out on information systems containing personal data (login);
• Execution of a backup plan;
• Antivirus and anti-spam protection for receiving and sending corporate emails;
• Installation, maintenance and management of antivirus and firewall systems on Técnico’s computers;
• Pseudonymisation of personal data;
• Access control to physical facilities;
• Automatic fire detection system, intrusion detection and video surveillance system;
• Compliance with legal regulations on security matters, namely Resolution of the Council of Ministers nº 41/2018;
• Actions to raise user awareness of good security practices in data processing;
• Computer security and user safety and cybersecurity training;
• Security audits (of systems, processes and procedures).

22. Data transfer: subcontractors and third parties

Subcontractors: Técnico may use other entities contracted by him (subcontractors), in his own name and in accordance with the instructions given by him, to process the holder’s data, in strict compliance with the provisions of the GDPR, national legislation in matters of personal data protection and in this Policy:

• Subcontractors may not transmit the holder’s data to other entities without Técnico having previously given written authorisation to do so, and are also prevented from contracting other entities without prior authorisation from Técnico.
• Técnico undertakes to ensure that these subcontractors will only be entities that present sufficient guarantees for the implementation of appropriate technical and organisational measures, in order to ensure the privacy of data subjects and the defence of their rights.
• All subcontractors are bound to Técnico through a written contract that includes the object and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects, the rights and obligations of the parties, including the duty of confidentiality, and the security measures to be implemented.

Third parties: Técnico is bound by the Law and to comply with administrative procedures and, to that extent, obliged to transmit data, including personal data, to other entities, namely:

• Tax and Customs Authority;
• Social Security and/or Caixa Geral de Aposentações;
• Embassies;
• Professional bodies;
• Research institutions;
• Insurance companies;
• Other public institutions;
• Higher education accreditation bodies;
• Organisations within the framework of social action in higher education;
• Partner schools and universities for the purposes of the Erasmus program, or similar;
• Funding agencies/partner institutions that submit applications for national or community funding.

Whenever personal information is shared with one of these entities, Técnico will assess the need to obtain, when necessary, their consent and will take all necessary measures and/or actions to confirm that they will perform their functions in accordance with the GDPR principles.

23. Data breach

In the event of a personal data breach, and to the extent that such breach is likely to result in a high risk to the rights and freedoms of the holder, the Data Protection Officer will notify the national supervisory authority of that breach, as well as communicate the breach to the data subject, up to 72 hours after becoming aware of it.

Under the terms of the GDPR, communication to the holder is not required in the following cases:

• If Técnico has applied appropriate protection measures, both technical and organisational, and these measures have been applied to the personal data affected by the personal data breach, especially measures that make the personal data incomprehensible to any person not authorised to access such data, such as encryption;
• If Técnico has taken subsequent measures to ensure that the high risk to the rights and freedoms of the holder is no longer likely to materialise; or
• If communication to the holder involves a disproportionate effort for Técnico, in which case Técnico will make a public communication or take a similar measure through which the holder will be informed.
• When the processing of personal data is the responsibility of Técnico, any violation may be reported through the following means:
  Via email, to be sent to rgpd@tecnico.ulisboa.pt.

24. Final notes

It is recommended that you periodically consult this Privacy Policy to stay informed about how Técnico protects your personal data and keeps you updated on the information and rights available to you.

The main regulations on data protection and privacy with access to the respective documents can be consulted at the following links (click on the document you wish to access):

• Law on the Protection of Privacy in Electronic Communications (“Cookies”) – Law No. 41/2004 (.pdf)
• General Data Protection Regulation – GDPR (.pdf)
• GDPR Rectification (“Consent”) (.pdf)
• Personal Data Protection Law – Law No. 58/2019 (.pdf)

Revised on on 15^th February 2024.
Published on 23^rd May 2024.