Privacy Policy

1. General framework

Serviços de Ação Social da Universidade de Lisboa are a legal person of public law, with administrative and financial autonomy, in accordance with the law and the Statutes of the Universidade de Lisboa.

In the exercise of their functions, this platform provides a set of relative information to the areas of expertise activity, in order to disseminate the university community and other interested parties’ information. Privacy and protection of personal data represent a firm commitment to Serviços de Ação Social da Universidade de Lisboa operating in compliance with its legal obligations, in particular those resulting from the application of the new Data Protection General Regulation (RGPD) Regulation 2016/679 of 27 April 2016 and the Data Protection Act, Law 58/2019, of August 8.

Thus, Serviços de Ação Social da Universidade de Lisboa have been implementing a set of measures in order to strengthen its privacy policy. Protecting the personal data of the university community and of those who interact or collaborate with us is our purpose. Serviços de Ação Social da Universidade de Lisboa, insofar as they treat personal data in its different areas of activity, either through its multiple physical spaces or through its online platform, guarantees the protection of personal data, whose treatment is carried out under applicable legislation and this Privacy Policy. In strict compliance with the law, Serviços de Ação Social da Universidade de Lisboa introduced new security practices and improved their internal procedures with the ever-present objective of guaranteeing the security of the data to which they have access, as part of a harmonized treatment policy of data with the Universidade de Lisboa and the consequent implementation in a network of joint measures to create common practices for the treatment, protection and security of personal data.

The protection of Personal Data is a fundamental right, so your privacy is important for Serviços de Ação Social da Universidade de Lisboa. That is why we clarify the Personal Data we collect, for what purposes, the principles that guide this use and what rights the holders of those data have.

It is for the purpose of safeguarding data protection that, the Responsible for Data Processing:

• Ensures that the processing of Personal Data is carried out within the scope(s) for which it was collected or for purposes compatible with the initial purpose(s) for which it was collected;

• Assumes the commitment to implement a culture of data minimization, in which only the collection, use and preservation of Personal Data is strictly necessary for the development of its activity.

In summary, we believe that the reading of this document is recommended to all our employees and users so that they can become aware of the conditions under which their personal data are processed, as well as their rights are safeguarded, within the scope of our Policy of Privacy.

2. Commitement of Serviços de Ação Social da Universidade de Lisboa: Protect your personal data

Through this policy, Serviços de Ação Social da Universidade de Lisboa recognizes the importance of personal data security, dealing and guaranteeing the privacy protection of their respective holders without harming the object and full realization of the different areas in which it operates.

This Policy provides further information about the rules, principles and good practices observed in the processing of personal data entrusted to it in accordance with the General Regulation on Data Protection (RGPD) and other applicable law, and on means that the data subjects have at their disposal to exercise the respective rights.

3. Responsible for data processing

Within the scope of the activity it develops in its different areas of activity, Serviços de Ação Social da Universidade de Lisboa are the entity responsible for the processing of personal data, and can be contacted through the following e-mail address: rgpd@ulisboa.pt

4. Data Protection Officer

In view of the legal obligation resulting from paragraph a) of paragraph 1 of article 37 of the GDPR, the Universidade de Lisboa has appointed a Data Protection Officer, responsible for ensuring, among other aspects, the compliance of the processing activities and protection of personal data under your responsibility, in accordance with applicable legislation and this Policy.

Among other functions, it is his responsibility:

• Monitor the compliance of data processing with the applicable standards;

• To serve as a contact point for clarifying issues related to data processing;

• Cooperate with National Comission of Data Protection (CNPD), in its capacity as a supervisory authority;

• Provide information and advise the University of Lisbon, or the subcontracted entities, on their obligations in terms of privacy and data protection.

Thus, the holders of personal data, if they so wish, can address a communication to the Data Protection Officer, regarding matters related to the processing of personal data, using, for this purpose, the following email: rgpd@ulisboa.pt

5. Changes to the Privacy Policy

Serviços de Ação Social da Universidade de Lisboa reserves the right to make changes to this Privacy Policy, these being properly publicized changes on their website and / or other appropriate channels to consider.

6. Cookies Policy

Cookies are used on the institutional website, just to analyze traffic patterns on the web or to identify problems and provide a better browsing experience. All browsers allow the user to accept, refuse or delete cookies, namely by selecting the appropriate settings in the respective browser. Cookies can be configured in the "options" or "preferences" menu of the user's browser. Note, however, that by disabling cookies, the user may prevent some web services from functioning correctly, affecting, partially or totally, the navigation on the website. To learn more about cookies, including how to see what cookies were created and how to manage or delete them, visit www.allaboutcookies.org which includes information on how to manage your settings for the various browser providers.

To find out more about the cookie policy, consult the institutional website of SASULisboa.

By having voluntarily and expressly accepted on our website the cookie policy you agree to the collection and use of your information as set out in this Policy.

7. The 360º Privacy Policy of Serviços de Ação Social da Universidade de Lisboa

Serviços de Ação Social da Universidade de Lisboa developed and implemented a 360º Privacy Policy that includes a wide range of measures to protect your personal data. The implementation of that policy resulted in the identification of the personal data of its responsibility, evaluation of data quality, developing a data processing register, setting security controls, protection and monitoring of the data and, finally, the subsequent implementation of new procedures, integrated in a continuous improvement process.

This information, in a structured and simplified way, intends to present the respective privacy policy for greater transparency on how we treat personal data.

8. Personal Data

Personal Data is any information, of any nature and on any medium (eg, sound or image), relating to an identified or identifiable natural person (referred to as “data subject”). An identifiable person is a person who can be identified directly or indirectly, namely through a name, an identification number, a location data, an electronic identifier or other specific elements of physical, physiological, genetic identity, mental, economic, cultural or social status of that natural person.

9. Sensitive Personal Data

Sensitive Data is all personal data that is subject to specific processing conditions. It falls into this universe:

• Personal data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs and union membership;
• The genetic data;
• Biometric data processed with the aim of uniquely identifying a person;
• Health-related data;
• Data relating to sexual life or sexual orientation.

10. Data Holders

The data holder is any natural person to whom the personal data concern. In the context of the activities developed by the Social Action Services of the University of Lisbon, data holders are:

Members of university bodies, teachers, researchers, employees, employees regardless of their contractual relationship, and other service providers, users of the university stadium, elements that collaborate directly or indirectly with the Serviços Sociais da Universidade de Lisboa, as well as all natural persons who send their data or authorize Serviços Sociais da Universidade de Lisboa to use them.

11. Processed categories of personal data

Serviços de Ação Social da Universidade de Lisboa treats personal data of different nature and sensitivity, such as:

• Personal identification data: name, date of birth, place of birth, sex, nationality, address, telephone number, professional qualifications, e-mail, civil identification number and / or passport, taxpayer number, license number driving and social security number;
• Family status: marital status, name of spouse, children or dependent persons and / or any other information necessary to determine salary supplements;
• Professional activity: time, place of employment, date of admission, position, professional category and duration of experience in the category, salary level, type of contractual contract and professional qualification certificate(s);
• Financial information: remuneration, supplementary remuneration, variable or fixed amounts, allowances, holidays, attendance, licenses, or other information related to supplementary remuneration, mandatory or optional contribution amount or rates, payment methods, bank name and account number banking (NIB or IBAN), declaration of functions compatibility (when applicable);
• Special categories of personal data: Degree of disability of the employee and / or any member of his or her household, possible temporary disability as a result of accidents at work or occupational diseases and sick leave, other categories of sensitive data that are decisive for the attribution of direct or indirect social support.

12. Registration of data processing

Serviços de Ação Social da Universidade de Lisboa has data processing registers, under the terms of article 30 of the RGPD, in which are identified:

• The name and contact details of the controller and, where applicable, of any joint controller, the representative of the controller and the data protection officer;
• The purposes of data processing;
• The description of the categories of data subjects and the categories of personal data;
• The deadlines foreseen for the deletion of the different categories of data;
• The technical and organizational measures in the field of security implemented to ensure pseudonymisation and encryption of personal data and the ability to ensure the confidentiality, integrity, availability and permanent resilience of treatment systems and services.

13. Principles in the processing of personal data

Within the scope of the processing of personal data, Serviços de Ação Social da Universidade de Lisboa observes the following fundamental principles:

• Principle of loyalty, lawfulness and transparency: personal data is subject to a lawful, loyal and transparent treatment in relation to the data subject;
• Principle of limitation of purposes: personal data are collected for specific, explicit and legitimate purposes, and are not subsequently processed in a manner incompatible with those purposes;
• Principle of data minimization: personal data will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
• Principle of accuracy: personal data will be accurate and updated whenever necessary, taking all appropriate measures so that the inaccurate data, taking into account the purposes for which they are processed, are erased or rectified without delay;
• Principle of limitation of retention: personal data will be kept in a way that allows the identification of the holders only for the period necessary for the purposes for which the data are processed;
• Principle of integrity and confidentiality: personal data will be treated in a way that guarantees its security, including protection against its unauthorized or unlawful treatment and against its loss, destruction or accidental damage, with the adoption of technical or organizational measures appropriate.

While responsible for the treatment, Serviços de Ação Social da Universidade de Lisboa are undertake to ensure strict observance to the mentioned principles ensuring the conditions to prove compliance with them.

14. Processing support of personal data

Serviços de Ação Social da Universidade de Lisboa only process personal data whenever there is at least one of the following situations:

1. Consent of the data subject: when the data subject has given his consent for the processing of his personal data, for one or more specific purposes, by express consent, which indicates a manifestation of free, specific, informed and unequivocal will that the data subject consents to the processing of your data. Consent can be obtained by any means (including electronic), keeping Serviços de Ação Social da Universidade de Lisboa a record of it, as a way of proving that the holder has given consent for the processing of personal data. The data subject has the right to withdraw his consent at any time, and the withdrawal of consent does not compromise the lawfulness of the treatment carried out based on the consent previously given.
2. Execution of contract or pre-contractual steps: when processing is necessary for the execution of a contract to which the data subject is a party, or for pre-contractual steps at the request of the data subject.
   In this situation, the processing of personal data of teachers and students within the scope of the processes of attribution of direct or indirect social support, employees and service providers within the scope of the management of the established employment relationship or the respective providers are included, for example. services within the scope of the contractual relationship.
3. Compliance with legal obligation: when treatment is necessary to fulfill a legal / legal obligation. This situation includes, for example, the processing of personal data to comply with legal obligations arising from declaratory obligations to Social Security, Tax Administration or other Administrative Authorities, including the Ministry of Guardianship.
4. Vital interests: when treatment is necessary to defend the vital interests of the data subject or another natural person, for example, in the case of medical emergencies.
5. Public interest / public authority: when treatment is necessary for the exercise of public interest functions. For example, in the need for alerts from the General Directorate of Health. The Social Action Services of the University of Lisbon are a public entity and their activity is driven by the public interest, so a large part of the activity has this foundation, although it must be evaluated in each treatment process.
6. Legitimate interest: when treatment is necessary for the purpose of legitimate interests pursued by Serviços de Ação Social da Universidade de Lisboa or by third parties, unless the holder's fundamental interests or rights and freedoms that require the protection of personal data prevail.

15. Sensitive Data

Serviços de Ação Social da Universidade de Lisboa can handle sensitive data under the following conditions:

• If the data subject has given his explicit consent to the processing of such personal data, for one or more specific purposes;
• When, under European Union law, national law or a collective agreement, processing is necessary for the purpose of complying with obligations and exercising specific rights of Serviços Sociais da Universidade de Lisboa or the data subject in terms of labor legislation, social security and social protection;
• When processing is necessary to protect the vital interests of the data subject or another natural person, in case the data subject is physically or legally unable to give consent;
• If the treatment relates to personal data that has been manifestly made public by its owner;
• If treatment is necessary for the declaration, exercise or defense of a right in a judicial proceeding or whenever the courts act in the exercise of their jurisdictional function;
• If treatment is necessary for reasons of relevant public interest, based on European Union law or national law;
• If treatment is necessary for the purposes of preventive or occupational medicine, for the assessment of the employee's work capacity, medical diagnosis, provision of health or social care or treatment or management of health systems and services or social action, based on European Union law or national law or under a contract with a health professional;
• If treatment is necessary for reasons of public interest in the field of public health, based on European Union law or national law;
• If processing is necessary for the purposes of archiving the public interest, for the purpose of scientific or historical research or for statistical purposes, based on European Union law or national law.

16. Purposes of processing personal data

Considering the diversity of its areas of activity, Serviços de Ação Social da Universidade de Lisboa processes personal data for the following purposes:

• Financial data – To pay the remuneration of its employees and purchase services; payment management; reception and treatment of proposals presented in procurement procedures; execution of contracts established with suppliers, analysis of requests for attribution of direct and indirect social support.
• Contractual procedures – Preparation of contracts, instructing and practicing the inherent technical procedures. Receiving and processing requests for computer support; Development of new IT solutions for the academic community;
• Human Resources - Human resources management (attendance and time management); wage processing; performance evaluation; promotion of safety, hygiene and health at work; attribution of social benefits to workers;
• Developed Activities – Organization of events within the scope of its principles and statutes, assessment of the quality of services provided, insurance for events with insurance companies, participation in international events, cooperation with other similar Universities.

17. Retention period of personal data

Personal data is kept only for as long as necessary for the purposes for which it is processed.

Serviços de Ação Social da Universidade de Lisboa complies with the maximum conservation periods legally established. However, data may be kept for longer periods, for purposes of public interest, for the fulfillment of different purposes that may persist, such as, for example, the exercise of a right in a judicial process, purposes of archiving the public interest, purposes of scientific or historical research or statistical purposes, applying - in this case - all appropriate technical and organizational measures to safeguard personal data.

These guarantees imply the adoption of technical and organizational measures aimed at ensuring, in particular, respect for the principle of data minimization and for the pseudonymisation of the same.

18. How are personal data collected?

Serviços de Ação Social da Universidade de Lisboa may collect data directly (i.e., directly from the data subject) or indirectly (i.e., through third parties). Collection can be done through the following channels:

• Direct collection: in person, by phone, by e-mail, through their platforms (example: institutional website);
• Indirect collection: through its partners (example, State Entities, Universities or Partner Schools).

19. Holder’s rights

Serviços de Ação Social da Universidade de Lisboa assure data subjects the exercise of their respective rights, under the terms of the applicable legislation in the scope of the protection of personal data, namely:

• Right of access: the holder has the right to obtain confirmation that the personal data concerning him is or is not the object of treatment and, if applicable, the right to access his personal data.
• Right of rectification: the holder has the right to request, at any time, the rectification of his personal data, as well as the right to have his incomplete personal data completed, including by means of an additional declaration.
• Right to erasure: the holder has the right to erasure his data when one of the following reasons applies: (i) the data of the holder is no longer necessary for the purpose that motivated its collection or treatment; (ii) the holder withdraws the consent on which the processing of the data is based and there is no other legal basis for said processing; (iii) the holder opposes the treatment under the right of opposition and there are no prevailing legitimate interests that justify the treatment; (iv) if the holder's data is processed unlawfully; (v) if the data of the holder has to be deleted in order to comply with a legal obligation to which Serviços de Ação Social da Universidade de Lisboa or subcontractor are subject. Under applicable legal terms, Serviços de Ação Social da Universidade de Lisboa have no obligation to delete the data of the holder to the extent that the treatment proves necessary to fulfill a legal obligation to which it is subject or for the purposes of declaration, exercise or defense of a right in court proceedings.
• Right to limitation: the holder has the right to obtain a limitation on the processing of his data if one of the following situations applies: (i) if he disputes the accuracy of personal data, during a period that allows verifying its accuracy; (ii) if the treatment is illegal and the holder opposes the deletion of the data, requesting, in return, the limitation of its use; (iii) if Serviços de Ação Social da Universidade de Lisboa no longer need the data of the data subject for processing purposes, but these data are required by the data subject for the purposes of declaring, exercising or defending a right in a judicial process.
• Right of portability: the holder has the right to receive personal data concerning him, in a structured format, in common use and automatic reading, and the right to transmit that data to another controller, if: (i) the treatment is based on the consent or a contract to which the holder is a party, and (ii) the treatment is carried out by automated means.
• Right of opposition: the holder has the right to object at any time, for reasons related to his particular situation, to the processing of personal data concerning him based on the pursuit of legitimate interests pursued or when the treatment is carried out for purposes other than those for which personal data were collected. The holder also has the right to file a complaint with the National Data Protection Commission (CNPD).

20. Exercise of rights by the holder

The exercise of rights can be exercised by the holder by contacting Serviços de Ação Social da Universidade de Lisboa through the following means:

• • Mail or in person, at the following address:
    Serviços de Ação Social da Universidade de Lisboa
    Edifício Cantina Velha – Cidade Universitária
    Av. Professor Gama Pinto
    1600-192 Lisboa
  • Through e-mail: rgpd@ulisboa.pt

Serviços de Ação Social da Universidade de Lisboa will respond in writing (including by electronic means) to the request of the holder within a maximum period of one month after receiving the request, except in cases of special complexity and high number of requests, in which this period may be extended up to two months.

21. Submission of complaint to CNPD

The data subject can complain directly to the National Personal Data Control Authority, the National Data Protection Commission (CNPD), using the contacts made available by this entity for this purpose (at www.cnpd.pt).

22. Security measures

Taking into account the principle of proportionality and suitability, safety, application costs and the nature, scope, context and purposes of the treatment, as well as the probability risks, the Universidade de Lisboa applies safety, technical and appropriate organizational measures to ensure a level of security of personal data appropriate to the risk, such as, for example:

• Use of firewall and intrusion detection systems in their information systems;
• Application of access control procedures, using differentiated access profiles and based on the principle of the need to know;
• Record of actions taken on information systems that contain personal data (login);
• Execution of a backup plan;
• Anti-spam protection for receiving and sending corporate emails;
• Installation, maintenance and management of antivirus and firewall systems on the University's computers;
• Pseudonymization and encryption of personal data;
• Access control to physical facilities;
• Automatic fire detection and intrusion detection system;
• Compliance with legal regulations on security matters, namely the Resolution of the Council of Ministers no. 41/2018.

23. Data transfer to third parties: Subcontractors and third parties

Subcontractors: Serviços de Ação Social da Universidade de Lisboa may use other entities contracted by them (subcontractors), to, in the name of the services, and in accordance with the instructions given by them, proceed with the processing of the data of the holder, in strict compliance with the provisions of the GDPR, the national legislation on the protection of personal data and this Policy.

• Subcontractors will not be able to transmit the data of the holder to other entities unless Serviços de Ação Social da Universidade de Lisboa have previously given written authorization to do so, and are also prevented from contracting other entities without prior authorization from the Services.
• Serviços de Ação Social da Universidade de Lisboa undertake to ensure that these subcontractors are only entities that present sufficient guarantees for the execution of the appropriate technical and organizational measures, in order to ensure the privacy of the data of the holders and the defense of their rights.
• All subcontractors are linked to Serviços de Ação Social da Universidade de Lisboa through a written contract that includes, the object and duration of the treatment, the nature and purpose of the treatment, the type of personal data, the categories of data subjects , the rights and obligations of the parties, including the duty of confidentiality, and the security measures to be implemented.

Third parties: Serviços de Ação Social da Universidade de Lisboa are bound by the Law and compliance with administrative procedures and, to that extent, obliged to transmit data, including personal data to other entities, namely, among others, to:

• Court of Auditors;
• Tax Authority;
• Social Security and / or Caixa Geral de Aposentações;
• Embassies;
• Professional Corporations;
• Research institutions;
• Insurance companies;
• Other public institutions;
• Higher Education Accreditation Institutions;
• Organizations within the framework of Social Action in Higher Education;
• Partner universities for the purposes of the Erasmus program, or similar;
• Funding Agencies / Partner Institutions that submit applications for national or community funding.

Whenever the sharing of personal information with one of these entities occurs, Serviços de Ação Social da Universidade de Lisboa will assess the need to obtain, when necessary, the respective consent and will take all necessary measures and / or actions, to confirm that they will carry out its functions in accordance with the RGPD principles.

24. Data breach

In the event of a personal data breach, and insofar as such breach is likely to result in a high risk to the holder's rights and freedoms, the Data Protection Officer will notify the national supervisory authority of that breach, and report the breach. to the data subject, up to 72 hours after being informed of it.

Under the terms of the GDPR, communication to the holder is not required in the following cases:

• If Serviços de Ação Social da Universidade de Lisboa have applied appropriate protection measures, both technical and organizational, and these measures have been applied to the personal data affected by the personal data breach, especially measures that make the personal data incomprehensible to anyone unauthorized to access such data, such as encryption;
• If Serviços de Ação Social da Universidade de Lisboa have taken subsequent measures to ensure that the high risk to the rights and freedoms of the holder is no longer likely to materialize; or

If the communication to the holder will imply a disproportionate effort for the Services, in which case they will make a public communication or take a similar measure through which the holder will be informed.

Any violation of personal data, the treatment of which is the responsibility of Serviços de Ação Social da Universidade de Lisboa, can be reported via email to be sent to rgpd@ulisboa.pt

25. Endnote

We recommend that you periodically consult our privacy policy to stay informed about how Serviços de Ação Social da Universidade de Lisboa protect your Personal Data and keep up to date on the information and rights that assist you.