Data Protection


Data Protection

The new General Data Protection Regulation (GDPR) came into force in 2018, in order to bring more digital security to the European Union. Within this new legal regime, institutions must collect, process and use the citizens’ personal data following a set of new rules.

Aligned with the new GDPR, Politécnico de Leiria is committed to protecting your personal data and respecting your right to privacy. Therefore, we implemented a set of principles regarding the access and processing of data.

General Data Protection Regulation (GDPR) – Portuguese

Order No. 198/2018 – Privacy Policy and Processing of Personal Data – Politécnico de Leiria – English

information security

Personal data privacy and protection

The new General Data Protection Regulation (GDPR) came into force in 2018, in order to bring more digital security to the European Union.

Personal data

Personal data is all the information regarding an identified or identifiable person (name, address, assets, income, dates, card numbers, telephone number, IP, videos, picture, race, biometric data, presence sheets, assessment, curriculum vitae, etc.).

Personal Data Protection Department

The Politécnico de Leiria’s Personal Data Protection Department (DPO) is responsible for the protection of data and can be contacted by email (

Personal data should not be collected either in paper or electronic format without first informing the Personal Data Protection Department (DPO).

Personal data breach

When there is a personal data breach, and a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data, the security incident must be immediately reported by email (

The DPO has the responsibility and obligation to notify the authorities of any leak or loss of personal data that occurred in the organisation unless the personal data breach is not likely to result in a risk to the rights and freedoms of the natural persons.  

Sending data

When sending personal data to others, this should be encrypted or protected with a password (the password should not be sent via email).

Extra caution should be taken when processing documents containing critical information, as in the case of medical information or information concerning minors.

Before submitting information via email of a dissemination nature, such as information about training sessions, educational offers or of any other similar nature, be sure that the recipient of the message has given their written consent to receive this type of information. If you do not have this consent, try to obtain it, by email, before sending the information.

Personal data erasure

When destroying or erasing personal data, they must be permanently erased/destroyed, thus ensuring that they will not be recovered by third parties.


The General Data Protection Regulation 2016/679, Regulation of 27 April 2016, of the European Parliament and of the Council, regulates the protection of natural persons with regard to the processing of personal data and the free movement of such data and establishes the rules that will be applicable to the processing of personal data.

The legal provisions of the new General Data Protection Regulation, Regulation (EU) 2016/679, of 27 April 2016, published in the Official Journal of the European Union on the 4 May 2016 shall come into force on 25 May 2018.

The GDPR is applicable to those responsible for processing data with an establishment on the territory of the European Union, provided the processing of the data occurs within the context of the activities carried out in that establishment.

According to the GDPR, personal data is any information of any nature and regardless of its format, including sound and image, regarding an identified or identifiable natural person. An identifiable natural person is one who can be identified directly or indirectly in particular by reference to an identifier such as a name, identification number or to one or more factors specific to the physical, physiological, mental, economic or social identity. Examples of personal data are: name, address, income, dates, card numbers, telephone number, IP, videos, picture, race, and biometric data, among others.

No. It is only considered personal data if it is associated with the name of an individual person. It is not personal data if the email address is, for example,, but it is considered personal data if it is, for example:

The photograph or video is considered specially protected personal data, given that its processing (from collection to dissemination) is allowed when applied to some of the situations foreseen in paragraphs a) to j) of no. 2 of article 9 of the GDPR, or if the situation is within the scope of the national legislation. 

It is any operation or set of operations that are performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

It is the natural or legal person, public authority, agency or other body which alone or jointly with others, determines the purposes and the means of the processing of personal data.

  • The personal data is processed lawfully, fairly, and in a transparent manner in relation to the data subject.
  • The personal data is collected for specific, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  • The personal data should be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed («data minimization»).
  • The personal data should be accurate and, where necessary, kept up to date, and can be erased or rectified without delay («accuracy»).
  • The personal data should be kept in a form which permits identification of the data subjects for no longer than is necessary for the purposes for which the personal data is processed.
  • The personal data should be processed with integrity and confidentiality.  

Yes, the GDPR allows further processing for archiving purposes in the public interest or for scientific or historical research purposes or statistical purposes. The data may still be stored for a period of time defined by specific legislation.

The controller should implement the appropriate technical or organizational measures in a manner that ensures the security of the personal data, including the protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage.

Right to Information
You may request information about the processing of your personal data.

Right of Access
You may request access to personal data held about you.

Right to Rectification 
You may request that inaccurate personal data be rectified or have incomplete personal data completed.

Right to Erasure
You may request that personal data be erased, under the terms regulated by the GDPR, namely when the personal data has been unlawfully processed.

Right to Object 
You may object to the processing of your personal data for marketing purposes or on grounds relating to your particular situation.

Right to Restriction 
You may request the restriction of the processing of your personal data in specific cases.

Right to Data Portability 
You may receive your personal data in a machine-readable format and send it to another controller.

How can you exercise your rights of access and rectification? You should submit a written request to the controller (President of Politécnico de Leiria), with the following elements:

  • Name,
  • Identification data,
  • Contact data, preferably email,
  • Indication of request in clear and precise terms,
  • Date and signature of the applicant.

To prove the identity of the data subject, the applicant must either present his or her citizen card or send a copy of the citizen card to the controller, with the following statement: 
‘I declare that I authorize the use of the copy of my citizen card to prove my personal data in the request for access/rectification of my data.’

The reply should be provided within one month of the receipt of that request. In the event that Politécnico de Leiria does not have the data or intends to reject the request, it must inform the applicant within the same time limit.

Upon analysis of the request for access made by the data subject, access can be obtained in the following ways:

  • In-person consultation,
  • Reproduction of photocopy or certificate,
  • Any other system that may be compatible with the processing of data system.

FAQ – GDPR and Human Resources

For the purposes and preservation of public employment relations (labour relations), Politécnico de Leiria, through its services, is lawfully obliged to verify if the legally established requirements are met, such as identification, nationality and age.

In addition to these documents, currently, the national identification document (EU citizen card) contains the necessary data to comply with the tax obligations (social security and tax identification).

If you don’t attach or present your ID document upon request, it is not possible to verify the general requirements for admission, and therefore the requirement has a law that makes it lawful to collect and process the referred data.

To draw up and preserve a contract, Politécnico de Leiria is legally obliged to verify various requirements, such as: if the employee/employment candidate complies with the mandatory vaccination laws. In Portugal, the vaccination is not mandatory, except for tetanus and diphtheria vaccines (the vaccine combination has both). The law in force determines:  

‘No individual may (…) be admitted to any public function, administrative bodies, (…) or collective persons of public administrative function without proving by medical certificate or declaration of the respective health authority that he or she is duly vaccinated against tetanus. (…).’

The HR Services are obliged to verify the legal requirements, however, it is beyond the competence of this service to meet these requirements, and this obligation falls on the employees. 

According to the GDPR, the processing of personal data, even if it is considered sensitive, is lawful if the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. In addition to this norm, Portuguese legislation obliges higher education institutions to collect and process data for statistical purposes. This data is collected in what is strictly required by the DGEEC/DGES (the entity that regulates and determines the collection of this data in higher education institutions).