PERSONAL DATA PROTECTION POLICY
- About the Polytechnic Institute of Bragança
The Polytechnic Institute of Bragança (hereinafter referred to as IPB) is a public institution of higher education whose mission is the creation, transmission and dissemination of technical-scientific knowledge and professional knowledge, through the articulation of study, teaching, oriented research and experimental development.
The IPB, as an organization that deals with personal data on a daily basis, considers itself to be committed to the regulated matters and obligations imposed by the new European data protection legislation constituted in particular by the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (on the protection of natural persons with regard to the processing of personal data and on the free movement of such data), hereinafter referred to as GDPR. In this sense, this Personal Data Protection Policy is approved with the purpose of reinforcing its commitment and compliance with the rules of privacy and protection of personal data. In the light of the above, this Personal Data Protection Policy is directly applicable to all operations carried out within the framework of the activities pursued by the set of bodies which form part of the IPB.
This Personal Data Protection Policy applies exclusively to the processing of personal data by the IPB.
- Personal Data
For the purposes of this Personal Data Protection Policy, ‘personal data’ shall mean any information relating to an identified or identifiable natural person (‘data subject’).
Accordingly, an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifying element – such as a name, an identification number, location data, an online identifier – or to one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of that natural person.
- Entity responsible for the data processing (Controller)
The entity responsible for the collection and processing of data is the IPB, taking into account the nature, scope, context and purpose of the data processing, as well as the risks to the rights and freedoms of natural persons, in accordance with the GDPR.
- Data Protection Officer (DPO)
The data protection officer of the IPB performs, among others, the following duties:
- To inform and advise the IPB or the subcontractor, as well as the data processing workers, regarding their obligations under the GDPR or the applicable legislation;
- To control the compliance of data processing with the data protection provisions of the European Union or Member States, as well as with the policies of the controller or the subcontractor in relation to the protection of personal data;
- To advise, when requested, on the evaluation of the impact of data protection and to control its implementation, in cases where it is carried out, pursuant to article 35 of the GDPR;
- To cooperate with the supervisory authority, which he/she can consult and is his/her liaison for questions relating to data processing.
- Personal Data Protection Policy
The IPB recognizes the right of all citizens to protect their personal data, ensuring that all data subjects, who entrust their processing to IPB, are aware of the purpose and way of processing the information provided, as well as the rights which assist them in this matter and how they are exercised, in accordance with the provisions of article 8 (1) of the Charter of Fundamental Rights of the European Union (‘Charter’), article 16 (1) of the Treaty on the Functioning of the European Union (TFEU) and of the General Data Protection Regulation (GDPR).
In this context and bearing in mind that the pursuit of such designs depends on a strong combination of responsible users, appropriate technologies and secure procedures, the IPB, under the provisions of article 24 (2) of the GDPR, and in strict compliance with the requirements legally prescribed by Articles 136 (1) and 136 (4) of the Portuguese Code of Administrative Procedure (approved by Decree-Law No 4/2015, of 07 January), establishes the present Personal Data Protection Policy, with a view to facilitating the effective application of the GDPR within the framework of its specific characteristics as a public higher education institution.
Therefore, procedures are defined to request access, rectification or erasure of personal data. Mechanisms are created to facilitate the exercise of the right to limit processing, portability and the right of opposition. In addition, new rules are also created to complement the provisions on the personal data protection and processing provided for in the Terms and Conditions governing the offer of the various products and services, which are duly publicized in the respective specific services that the academic community and other users use.
Thus, the IPB informs the Academic Community and other users of the general rules of privacy and processing of personal data, which it collects and processes in a lawful, fair and transparent way, in strict respect and compliance with the general framework of Personal Data Protection in force within the Portuguese legal system.
As the entity responsible for the processing of personal data and information, the IPB ensures that it implements and promotes appropriate and effective technical and organizational measures to comply with data protection principles, in accordance with the GDPR, and that it takes into account the nature, scope, context and purpose of the processing of information, as well as the risk of failures to protect the rights and freedoms of natural persons. Therefore, the IPB makes this Personal Data Protection Policy available, discloses it clearly and extensively, and recommends that all users read it carefully and responsibly.
- Type of personal data collected
In the scope of its activity, the IPB collects and processes the personal data necessary to carry out its mission and functions, in accordance with the Legal Framework of Higher Education Institutions (Law no. 62/2007 of 10 September) and its Statutes (approved by the Legislative Order no. 62/2008, Official Gazette nº 236, 2nd Series, of 5 December).
- Personal data collection
The IPB collects personal data in person, in writing, by telephone or through computer systems. The personal data collected are processed either by non-automated means, or by computer, in strict compliance with personal data protection laws, and are stored in a specific database. Under no circumstances should the data collected be used for any purpose other than that for which the data subject's consent was given or the condition of legitimacy of the processing.
- Lawfulness of the personal data processing
In the IPB, the processing of personal data depends on the verification of legitimacy conditions and verification of the lawfulness of the purpose of the same processing, as well as compliance with the principle of proportionality lato sensu.
Specifically, all processing of personal data in the IPB shall only occur if:
- a) It is necessary for the pursuit of legitimate interests and if the data subject has given unambiguous consent;
- b) It is necessary for the performance of a contract or for compliance with any legal obligation to which the controller is subject;
- c) It is necessary for the purposes of compliance with obligations and the exercise of specific rights of the IPB, or of the data subject on labor legislation, social security and social protection, under the terms provided in the GDPR.
- d) It is necessary in order to protect the vital interests of the data subject or another natural person;
- e) It is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- f) It is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
- Purposes of personal data processing
Information on the processing of personal data shall be provided to the data subject at the time of collection or if personal data have been obtained from another source within a reasonable time, depending on the circumstances.
When collecting data, the IPB, as controller, provides the data subject with more detailed information about the use that will be given to the information, namely:
- a) The identity and the contact details of the controller.
- b) The contact details of the data protection officer.
- c) The purposes of the processing for which the personal data are intended as well as the legal basis for the processing.
- d) The recipients or categories of recipients of the personal data.
- e) The data subject's rights.
- f) The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.
- g) Which data must be provided and which are optional.
The personal data processed by the IPB can legitimately be transmitted to third parties when the fulfillment of purposes directly related to the legitimate functions of the data subject or the controller is verified.
Where personal data are likely to be legitimately transferred to another recipient, the data subject is informed in advance of the communication of personal data to third parties and, where justified, he/she may require that his/her personal data not be transferred, provided that such data does not harm the vital and legitimate interest of one of the parties or the public interest.
Whenever the IPB intends or needs to process personal data for a purpose other than the one for which it was collected, it shall provide the data subject with such information, or other necessary information, in advance. When it is not possible to inform the data subject on the origin of the data that the IPB owns, because it was collected from several sources, all the information that exists on the same source must be provided to the data subject.
The information collected is for the use of the IPB, according to the purposes indicated at the time of collection or to fulfil legal obligations.
The information collected will be processed confidentially and may be accessed by a limited number of IPB employees, in compliance with professional duties, within the precise limits and for the purposes of performing their duties.
- Personal Data Storage Period
The period during which the data are stored and kept varies according to the purpose of the respective processing, being guided by the legally defined periods.
The IPB may keep personal data for as long as it may be required to carry out some kind of liability arising from a legal relationship, from the execution of a contract or from the application of pre-contractual measures.
Where there is no specific legal requirement, data shall be stored and retained only for the period necessary to fulfill the purposes for which it was collected and processed or for a period of time authorized by the Control Authority, after which time the data shall be deleted.
The IPB may, for the purposes of public interest archiving, scientific or historical research or for statistical purposes, keep the data for longer periods, without prejudice to applying the appropriate guarantees, in accordance with the legislation in force, for the rights and freedoms of the data subject. These guarantees imply the adoption of technical and organizational measures to ensure, among others, compliance with the principle of data minimization.
- Data subject's rights
Under the terms of the legal framework on Personal Data Protection, the IPB guarantees the data subject the right to access, update, rectify or erase their personal data, by means of a written request addressed to the Data Protection Officer.
The data subject also has the right to be notified in case of violation of the personal data, in accordance with the GDPR.
The right of access of the data subject should be limited whenever it impairs fundamental rights and legitimate interests of natural persons.
- Security measures
The IPB seeks to protect users' personal data through a number of appropriate technical and organizational measures. From a technological point of view, it uses various mechanisms and controls in accordance with best practices in the area, with the aim of guaranteeing the confidentiality, integrity, availability and resilience of personal data.
In order to ensure the security of personal data, IPB implements the following measures:
- a) Restrictions on access to personal data, based on the criterion ‘need-to-know’ as well as on the powers and duties of those who access, applied in strict accordance with the notice to the data subject when collecting the personal data;
- b) Transfer of personal data through encrypted communication channels;
- c) Storage of special category data is done in encrypted form, as well as the respective backup copies;
- d) Protection of technological infrastructures with technical and organizational mechanisms to prevent unauthorized access;
- e) Monitoring of technological infrastructures at various levels, such as access control, misuse and abnormal traffic, with the aim of preventing, detecting and blocking unauthorized access to personal data.
- Communication of personal data to other entities (subcontracted third parties)
The IPB, within the scope of its attributions, may resort to subcontracted third parties to provide certain services. Where data processing is carried out by a subcontractor or a third party to whom data are transmitted, the IPB shall verify that it has sufficient guarantees to carry out appropriate technical and organizational measures so that the processing meets the requirements of the existing legislation and ensures the rights of the data subject.
Accordingly, the processing is regulated by contract or other normative act, which binds the subcontractor or the third party to the guidelines established by the IPB, as the entity responsible for the processing of the data, and defines the object, duration, nature and purpose of such processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.
The contract stipulates, in particular, that the subcontractor or third party:
- a) Only processes personal data transmitted through documented IPB instructions, including transfers of data to third countries or international organizations, unless it is obliged to do so under Union law or under the law of the Member State to which it is subject, in which case the person responsible for handling this legal requirement before processing shall be informed, unless the law prohibits such information for important public interest reasons;
- b) Ensures that persons authorized to process personal data are bound by confidentiality or are subject to appropriate legal obligations of confidentiality;
- c) Adopts the most appropriate security measures;
- d) Deletes or returns to the IPB all personal data after the completion of the provision of processing-related services, erasing existing copies, unless the retention of data is required under Union or Member State law;
- e) Provides the IPB with all information necessary to demonstrate compliance with the obligations set forth in this article and facilitates and contributes to the audits, including inspections conducted by the controller or by another auditor mandated by the latter;
- f) The subcontractor may not contract another subcontractor without the IPB’s authorization, and the request must be sent to the data controller.
In any case, the IPB also remains responsible for the personal data that it makes available.
- Transfer of personal data outside Portugal
The pursuit of certain tasks by the IPB may imply the transfer of its data outside Portugal. The IPB checks in advance that the country or territory to which it transfers the data guarantees an adequate level of data protection or has been the subject of an adequacy decision by the European Union. If this is the case, the IPB will strictly comply with the applicable legal provisions as well as the relevant guidelines.
- IPB’s Web Portals
The IPB respects the right to privacy and does not store on the sites any personal information without the consent of the data subjects or in an illegal way.
Only technical information regarding visits to this site is registered on the IPB servers. No information is collected that can be used to identify visitors to the site. The registered technical information is limited to the following items:
- The IP (Internet Protocol) address of the visitor;
- The type of Internet browser and operating system used by the visitor;
- The date and time of the visit;
- The pages visited on the site and the downloaded documents.
The technical information will be used solely for statistical purposes.
If the user does not wish to receive cookies, he/she can configure his/her computer to notify him/her whenever a cookie is received, or disable all cookies through the web browser. For this purpose, the user can consult the ‘Help’ menu of the browser to learn the correct way to change or update cookie settings. If cookies are disabled, some of the features listed above may become inaccessible.
None of our cookies store any personal information of users, such as names or addresses. Please be aware that the restriction on cookies may have an impact on the functionality of the IPB’s sites.
- Changes to the personal data protection policy by IPB