INESC TEC PRIVACY AND PERSONAL DATA PROTECTION POLICY
- PROCESSING OF PERSONAL DATA
INESC TEC, in pursuing its activities, collects and processes different types of personal data on a regular basis, related to natural persons with whom it interacts in different contexts, being essentially the following:
- Name and personal contacts (address, email and telephone number)
- ID number, marital status and affiliation
- Workers' occupational medical certificates
- Tax identification number
- Social Security number
- Photograph and/or images
- Curriculum Vitae, certificates and supporting documentation on candidates' and employees' qualifications
- Files relating to the processing of workers' salaries
- Time sheets on Human Resources allocation to projects
- Electronic receipts
- Employment and services provision contracts
- Record of access and use of INESC TEC facilities and equipment
- Record of participation in events and training actions promoted by the Institute
- Questionnaires and surveys
- Personal data processed in the scope of the execution of R&D projects
The categories of personal data indicated above may pertain to different data subjects: from workers and other employees or former employees, to candidates for job positions, employees of partner entities, INESC TEC suppliers or customers, contractual third parties, participants in events or in R&D projects organised or carried out by the Institute.
- NOTION OF DATA PROCESSING
The processing of personal data covers all operations or set of operations carried out on personal data, by automated or non-automated means, such as:
- Collecting of personal data
- Registering and preserving of personal data
- Organising of personal data
- Adapting or changing of personal data
- Consulting and using of personal data
- Disclosing, regardless of how personal data are disseminated
- Comparing or combining personal data
- Limiting, erasing or destroying personal data
- PURPOSES OF PROCESSING AND BINDING LEGAL PRINCIPLES
The processing of personal data will only take place according to a set of specific purposes, always based on an adequate legal ground laid down in the applicable legislation.
Examples of said purposes are:
- Fulfilment of INESC TEC's statutory objectives and purports.
- Research purposes, including the development of R&D project applications and corresponding implementation
- Monitor and record the use of facilities and equipment
- Maintenance, safety and structural integrity of installations and equipment
- Record of internal processes and file maintenance
- Reporting and auditing of publicly funded projects and activities
- Compliance with legal obligations
- Organisation and management of internal and external events
- Communication and disclosure of information about the Institute's activities, including newsletters and other means of dissemination
- Issues and publications
- Processing of applications for research and employment grants, for hiring and selection purposes
- Occupational medicine purposes
- Compliance with quality certifications
- Processing of information related to Human Resources e.g. salaries, vacations, holidays and absences
- Compliance with contracts concluded by INESC TEC, namely as a partner
- Processing actions carried out as an outsourced entity, as determined by the data controller
- Protection of people and property, including the use of video surveillance systems
- Management control, billing and accounting management and preservation of accounting records
- Enforcement of debts, claims and judicial and extrajudicial defence of the institution's legitimate rights and interests
They serve as a legal basis for the aforementioned processes, essentially and according to the case:
- Legitimate interest of the institution
- Consent by the data subject
- Pre-contractual arrangements and contract execution
Fulfilment of legal requirements
- CONTROLLER OR PROCESSOR OF PERSONAL DATA PROCESSING and RECORD OF PROCESSING ACTIVITIES
INESC TEC is, according to the applicable law, the Controller of the processing of personal data, carried out whenever the purposes and means of said processing are determined. However, when carrying out personal data processing activities on behalf of others, which defines those purposes and means, INESC TEC will not act as data Controller, but as data Processor.
In any case, INESC TEC, whether as data Controller or Processor, takes on the duty and intention to carry out all personal data processing activities according to the rules provided for in Regulation (EU) 2016/679, of the European Parliament European Parliament, and of the Council of 27 April 2016 (hereinafter, GDPR), and the relevant national legislation on the protection of personal data.
INESC TEC has internally, a continuous and updated record of the personal data processing activities carried out.
- PERSONAL DATA RETENTION PERIOD
As a matter of principle, and according to the legal requirements, all personal data processed will be kept for the strictly necessary period, also taking into account the legal basis of each processing activity. At the end of that period, the data will be erased, even if the data subject does not express his/her agreement; however, data subjects may ask for the erasure of its data at any time, and under the legally permitted terms. The data retention p period may, however, be defined by legal or regulatory standards. In the latter case, the right to erase personal data provided for in article 17 of the GDPR can only be exercised once the legally defined period has expired.
- RIGHTS OF THE PERSONAL DATA SUBJECT
Data subjects are the natural persons to whom specific data or set of data relate.
The data subject is entitled to, at any time, request from INESC TEC, under the terms allowed by the applicable legislation, the compliance with the following rights:
- access to personal data
- adjustment or correction of personal data
- Erase of personal data
- Limitation of personal data processing
- Refuse to personal data processing
- Refuse to being subject to individual decisions made via exclusively automated means
- Request of the portability of personal data to any designated entity, even if the personal data are stored in digital format.
The exercise of these rights may, in practice, be limited or conditioned because of the fulfilment of a legal obligation or the compliance with the rights of third parties that take precedence over them in the specific case. However, in such circumstances, INESC TEC will never fail to provide the interested party with adequate information about those limitations or conditions.
Contacts for the exercise of these rights (no. 10 of the Policy ).
The data subject also has the right to file a complaint with a Supervisory Authority of one of EU Member-States. In Portugal, the National Supervisory Authority dedicated to supervise the compliance with personal data protection is the Comissão Nacional de Proteção de Dados (CNPD).
For more information about exercising your rights, be sure to visit the CNPD's website at: www.cnpd.pt.
- TRANSMISSION OF PERSONAL DATA TO THIRD PARTIES AND INTERVENTION BY PROCESSORS
INESC TEC, in pursuing its activities, may need to transmit personal data to third parties, doing so in order to comply with legal or contractual obligations, in the latter case, when indispensable or appropriate to the pursuit of its activities.
Third parties may comprehend public authorities with control and audit duties; activity partners, especially in R&D projects, or outsourced service providers e.g. IT, communications and data-storage service providers.
Any data transmission will be carried out in full compliance with the applicable data protection legislation, for the purposes and based on the lawfulness grounds indicated in this Policy.
IV- International data transmission
In what concerns data transmitted to entities outside the European Union, INESC TEC will be in charge of ensuring that the process meets all adequated decisions made by the European Commission, thus guaranteeing a level of data protection equivalent to that of the applicable European legislation. In the event of the absence of any decision, the transmission will take place according to the obligation of implementing appropriate measures to protect the data and the rights of the respective owners.
Cookies are small files that a browser stores on the visitors’ computer or mobile device. These files are necessary for the server's functioning; for example, the server needs to differentiate all users who visit our website (www.inesctec.pt) and maintain the performance during navigation. More specifically, cookies relate to information about the type of browser, operating systems and date and time of access to the website, rather than information about personal data e.g. name or IP. These cookies are necessary for the functioning and security of our website; as a matter of principle, they do not track or monitor the users’ behaviour.
Statistical analysis and third-party cookies:
In addition to the aforementioned performance cookies, strictly necessary for the functioning of the website, other cookies may be installed, but only after the users' consent. Examples of said cookies are those relating to statistical analysis tools, such as Matomo (https://matomo.org ), used entirely and exclusively for statistical purposes - in particular, to analyse the number of users visiting the website and evaluate their browsing experience, in order to keep improving our website. INESC TEC does not resort to third parties for the implementation of the aforementioned open-source analytics platform (Matomo). This tool ensures the protection of users' personal data through resources designed for said purpose e.g. IP-masking. In addition, INESC TEC has developed a solution to manage the users' consent on the institution's website, namely concerning the management of analytics cookies for the aforementioned statistical purposes.
It is important to point out that the website does not install this type of cookies by default.
In addition, users will always be able to control and manage these and other aforementioned cookies through the web browser settings, which can block and erase them. For this purpose, you should check your browser's "Help" menu to find out the correct way to change or disable cookies. However, we warn you that the deactivation of the strictly necessary cookies can substantially affect the browsing experience on the website, preventing users from accessing relevant features.
For more information on how to manage cookies and check your settings, we recommend visiting the site http://www.allaboutcookies.org/ .
- RESPECT THE PRINCIPLES AND PROTECTION OF THE RIGHTS OF DATA SUBJECTS IN RELATION TO THE PROCESSING OF PERSONAL DATA
INESC TEC is committed to the implementation of all formal and operational procedures for the protection of personal data, namely recording all processing activities, as well as assessing the lawfulness of said activities and, whenever necessary, the impact on the privacy of the data owners. These procedures will take place before data processing, thus ensuring compliance with the GDPR and applicable national legislation.
INESC TEC makes every effort to ensure and implement the adequate technical means to prevent the loss, misapplication, modification, unauthorised access or misappropriation of all personal data stored, as well as to minimise possible negative effects stemming from illicit accesses into our systems.
Furthermore, INESC TEC requires the implementation of internal technical and organisational security measures by service providers that carry out data processing activities independently.
INESC TEC agrees to notify the competent Supervisory Authority (in Portugal, the CNPD) -under the terms and deadlines provided for in article 33 of the GDPR – in any event of personal data breach, as well as to communicate it to the data subjects themselves, according to the cases and conditions determined by article 34 of the same Regulation.
The data subject may exercise his/her rights of access, adjustment, correction or deletion, as well as request any information regarding the processing of his/her personal data through written request addressed to INESC TEC or to INESC TEC’s Data Protection Officer (DPO), via mail and/or email addresses:
- INESC TEC - Institute for Systems and Computer Engineering, Technology and Science FEUP Campus, Rua Dr. Roberto Frias, 4200-465 Porto, Portugal
For the attention of the Legal Support service
INESC TEC may be required to amend this Policy, namely due to the need to adapt it to possible legal changes or to recommendations by Supervisory Authorities, which it is recommended its consultation regularly.