General Data Protection

General Data Protection Regulation (GDPR)


The new General Data Protection Regulation (GDPR) came into force in 2018, in order to bring more digital security to the European Union. Within this new legal regime, institutions must collect, process and use the citizens’ personal data following a set of new rules. The Politécnico de Leiria, as a public Higher Education institution, processes the personal data to which it has access within the development of its activities, respecting the right to privacy and other rights, freedoms and guarantees of the data subjects. Aligned with the new GDPR, the Politécnico de Leiria is committed to protecting your personal data and respecting your right to privacy. Therefore, we implemented a set of principles regarding the access and processing of data.

General Data Protection Regulation (GDPR) – PT

Despacho n.º 198/2018 – Privacy Policy and Processing of Personal Data – Polytechnic of Leiria – EN


GDPR

FREQUENTLY ASKED QUESTIONS

The General Data Protection Regulation, Regulation (EU) 2016/679, of 27th of April of 2016, of the European Parliament and of the Council, regulates the protection of natural persons with regard to the processing of personal data and the free movement of such data and establishes the rules that will be applicable to the processing of personal data.

The legal provisions of the new General Data Protection Regulation, Regulation (EU) 2016/679, of 27th of April of 2016, published in the Official Journal of the European Union on the 4th of May of 2016 shall come into force on the 25th of May of 2018.

The GDPR is applicable to those responsible for processing data with an establishment on the territory of the European Union, provided the processing of the data occurs within the context of the activities carried out in that establishment.

According to the GDPR, personal data is any information of any nature and regardless of its format, including sound and image, regarding an identified or identifiable natural person. An identifiable natural person is one who can be identified directly or indirectly in particular by reference to an identifier such as a name, identification number or to one or more factors specific to the physical, physiological, mental, economic or social identity. Examples of personal data are: name, address, income, dates, card numbers, telephone number, IP, videos, picture, race, and biometric data, among others.

No. It is only considered personal data if it is associated with the name of an individual person. It is not personal data if the email address is, for example, info@company.com, but it is considered personal data if it is, for example, name.surname@company.com.

The photograph or video is considered specially protected personal data, given that its processing (from collection to dissemination) is allowed when applied to some of the situations foreseen in paragraphs a) to j) of no. 2 of article 9 of the GDPR, or if the situation is within the scope of the national legislation. 

It is any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

It is the natural or legal person, public authority, agency or other body which alone or jointly with others, determines the purposes and the means of the processing of personal data.

  • The personal data is processed lawfully, fairly, and in a transparent manner in relation to the data subject.
  • The personal data is collected for specific, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  • The personal data should be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed («data minimization»).
  • The personal data should be accurate and, where necessary, kept up to date, and can be erased or rectified without delay («accuracy»).
  • The personal data should be kept in a form which permits identification of the data subjects for no longer than is necessary for the purposes for which the personal data is processed.
  • The personal data should be processed with integrity and confidentiality.  

Yes, the GDPR allows further processing for archiving purposes in the public interest or for scientific or historical research purposes or statistical purposes. The data may still be stored for a period of time defined by specific legislation.

The controller should implement the appropriate technical or organizational measures in a manner that ensures the security of the personal data, including the protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage.

Right to Information
You may request information about the processing of your personal data.

Right of Access
You may request access to personal data held about you.

Right to Rectification 
You may request that inaccurate personal data be rectified or have incomplete personal data completed.

Right to Erasure
You may request that personal data be erased, under the terms regulated by the GDPR, namely when the personal data has been unlawfully processed.

Right to Object 
You may object to the processing of your personal data for marketing purposes or on grounds relating to your particular situation.

Right to Restriction 
You may request the restriction of the processing of your personal data in specific cases.

Right to Data Portability 
You may receive your personal data in a machine-readable format and send it to another controller.

How can you exercise your rights of access and rectification? You should submit a written request to the controller (President of the Polytechnic of Leiria), with the following elements:

  • Name,
  • Identification data,
  • Contact data, preferably email,
  • Indication of request in clear and precise terms,
  • Date and signature of the applicant.

To prove the identity of the data subject, the applicant must either present his or her citizen card or send a copy of the citizen card to the controller, with the following statement: I declare that I authorize the use of the copy of my citizen card to prove my personal data in the request for access/rectification of my data.

The reply should be provided within one month of the receipt of that request. In the event that the Polytechnic of Leiria does not have the data or intends to reject the request, it must inform the applicant within the same time limit.

Upon analysis of the request for access made by the data subject, access can be obtained in the following ways:

  • In-person consultation,
  • Reproduction of photocopy or certificate,
  • Any other means compatible with the data processing system.

GDPR (HUMAN RESOURCES)

Frequently asked questions

For the purposes and preservation of the public employment relations (labour relations), the Politécnico de Leiria, through its services, is lawfully obliged to verify if the legally established requirements are met, such as: identification, nationality and age.

In addition to these documents, currently, the national identification document (citizen card) contains the necessary data to comply with the tax obligations (social security and tax identification).

If the identification document is not attached, or is not presented upon request, it is not possible to verify the general requirements for admission; the requirement therefore has a legal basis that makes it lawful to collect and process the referred data.

To draw up and preserve a contract, the Politécnico de Leiria is legally obliged to verify various requirements, such as whether the employee/employment candidate complies with the mandatory vaccination laws. In Portugal vaccination is not mandatory, except for the tetanus and diphtheria vaccines (the combined vaccine covers both). The law in force determines:

No individual may (…) be admitted to any public function, administrative bodies, (…) or collective persons of public administrative function without proving by medical certificate or declaration of the respective health authority that he or she is duly vaccinated against tetanus. (…).

The HR services are obliged to verify the legal requirements; however, it is beyond the competence of this service to meet these requirements, and this obligation falls on the employees.

According to the GDPR, the processing of personal data, even if it is considered sensitive, is lawful if the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. In addition to this norm, there is national legislation which obliges higher education institutions to collect and process data for statistical purposes. Only the data strictly required by the DGEEC/DGES (the entity that regulates and determines the collection of this data in higher education institutions) is collected.