We are committed to complying with personal data protection legislation in order to protect the data and privacy of our website visitors and our employees and partners.
As data controllers, we pay special attention to privacy and information security, namely by implementing the necessary measures to ensure full compliance with the data protection legislation in place.
It is of utmost importance that you read the following text so as to understand how your personal data is treated, as well as the rights you have as a data subject.
The processing of personal data is an operation or set of operations which are performed upon a specific piece of personal data or upon sets of personal data, by automated or non-automated means, such as the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or other availability means, comparison or interconnection, restriction, erasure or destruction.
The data controller of this privacy policy is the Instituto de Saúde Pública da Universidade do Porto (ISPUP), located at Rua das Taipas nº 135, 4050-600 Porto, Portugal.
ISPUP only collects and processes the personal data required to fulfill its goals and legal obligations. Data is collected through different means and at various times, and is fundamentally made up of the following categories:
Personal data will only be processed for the respective purposes and always on a basis provided for by law.
Purposes:
Grounds for lawfulness of processing under Article 6 of the GDPR:
The relevant ground of lawfulness will vary on a case-by-case basis; however, in most situations, it will come back to one of the following:
Data collection may be done, mainly, through the following means:
a) Website
As mentioned in the cookies policy, through ISPUP’s website we collect personal data related to intensive course enrolment and newsletter subscriptions. Website visitors may suggest lines of research through a form (Citizen Space), in which some contact information will be collected.
b) E-mail
E-mail is a privileged means of institutional communication, both internal and external, and therefore involves operations of personal data processing of various kinds. The e-mail address itself often constitutes personal data.
E-mail is used, for example, in order to receive personal information related to various types of professional applications: professional internships, apprenticeships, spontaneous applications, applications for professional opportunities; recruitment and selection of human resources.
It is also the means used for updating contacts, collecting or updating the profile of each researcher, creating an institutional e-mail, sending opinions on research projects, sending comments within the scope of the scientific commission, receiving registrations for events, and sending institutional communication.
The Mautic platform is used in the context of institutional communication through e-mail, where ISPUP uses the instance located in the internal servers of the University of Porto (UP) and therefore there are no international data transfers. The access to the system is controlled and supervised by the Data Protection Officers of both UP and ISPUP.
c) In person
d) Lime Survey Platform
The Lime Survey Platform is used in various scientific projects as a means of support for carrying out questionnaires and surveys. This is an open source platform hosted on University of Porto servers.
e) Paper documentation
Questionnaires in paper format can be carried out, as well as formal contracts, or documents with information from training actions or study participants, certificates, informed consents, among others.
f) Moodle Platform
Moodle is used to support the Public Health Specialization Course. This platform is managed by the University of Porto and user access is individual and done through login with username and password. Test score and learning material access is also done this way.
g) Biometric reader
Through the biometric reader, the fingerprint matrix is collected in accordance with the legal requirements applicable in the context of access control.
In order to promote scientific dissemination and bring ISPUP closer to the community, several types of events are organized: seminars, intensive courses, exhibitions, among others.
These events may be directed to the general public or to specific audiences. Notwithstanding the privacy policy that may be adopted in each situation, the registration and processing of data in events obeys the following general principles:
We only store your personal data for the time necessary to achieve the purpose for which it was collected or, where appropriate, for the specific period stipulated by law.
For example, some data is deleted immediately or within a few days of being collected, while other data is kept for a period of 10 or more years in order to comply with legal obligations. The retention period for data necessary for scientific research also varies from case to case, depending on the respective goals and nature of the collection, without prejudice to the fact that the law, in principle, allows for longer retention periods for this purpose, provided that certain safeguards for the protection of the information are respected.
Transfer of personal data to third parties
The sharing of personal data with third parties only happens in situations which are strictly necessary or due to legal obligation, serving as an example:
The sharing of personal data with third parties only happens in situations which are strictly necessary or due to legal obligation, serving as an example:
There may be transfers of personal data outside the European Union Area, mainly for research purposes. In these situations, ISPUP is responsible for ensuring that the transfer is done based on an adequacy decision of the European Commission that ensures a level of data protection equivalent to the applicable European legislation or, if there is no such decision, that the transfer takes place in legal terms, according to the mechanisms provided for this purpose, and through the implementation of appropriate measures to protect the data and the rights of the respective holders.
Cookies are small files that are stored on your computer by your web browser. These files are used to help users navigate the website more efficiently and perform certain functions. Cookies are necessary for the functionality and security of our website and no information is collected for tracking purposes or for monitoring user behaviour.
In addition to strictly necessary cookies for the operation of our website, statistical analysis cookies may be downloaded to your computer using the Matomo statistical analysis tool, but only after your consent has been collected via the website’s cookie banner. These cookies will be used solely for statistical purposes, and will allow for the counting of web page views and the evaluation of user browsing experience.
The Matomo tool takes care of the protection of personal data, for example, by anonymizing the IP address of our website users. You may at any time withdraw your consent to the use of statistical analysis cookies for the above purposes.
By default no such cookies will be installed on your computer.
Users can manage cookies through the settings of their web browser, which will allow them to be blocked or deleted. To do this, please consult the “Help” menu of your browser to find out how to change or deactivate cookies. The deactivation of cookies that are strictly necessary for website functionality may substantially affect user experience while browsing our website, preventing certain functionalities from working correctly. For more information on how to manage cookies and their settings, we recommend that you consult the website http://www.allaboutcookies.org/.
You can consult our cookies policy for a more detailed description at any time.
ISPUP implements security measures that are appropriate for each context, aiming to protect the personal data in its custody, specifically:
In addition, the technical and organizational security measures implemented internally are also required from ISPUP service providers that process personal data on its behalf.
ISPUP undertakes to notify the competent supervisory authority (in Portugal, the CNPD) under the terms and deadlines set forth in Article 33 of the GDPR, should it become aware of any personal data breach event, as well as to communicate a possible breach to the data subjects themselves, in the cases and conditions determined by Article 34 of the same Regulation.
In accordance with applicable legislation, ISPUP undertakes to respect the confidentiality of your personal information and to guarantees the exercise of your rights. The law recognises the following rights: Information, Access, Rectification, Deletion, Portability, and Limitation of processing.
The exercise of your rights may be refused or restricted, subject to the terms and conditions provided for by applicable EU and national law, to the extent that such exercise would make it impossible or seriously undermine the achievement of the purposes of the processing for research purposes and only to the extent necessary to achieve those purposes.
For the exercise of any of your rights please use the following e-mail address: secretaria@ispup.up.pt.
The law also gives you the right to lodge complaints with a European supervisory authority. In Portugal, the competent authority is the CNPD.
For more information on the exercise of your rights please consult the website of the CNPD here.
The personal data subject may exercise their rights of access, rectification, modification or erasure, as well as request any information regarding the processing of their personal data through a written request to the following e-mail address: secretaria@ispup.up.pt or postal address: Instituto de Saúde Pública da Universidade do Porto, Rua das Taipas, 135; 4050-600 Porto, Portugal.
For any questions regarding the exercise of the rights of the data subject, complaints or requests concerning the processing of personal data, please contact our Data Protection Officer at the following address: dpo@ispup.up.pt.
ISPUP has appointed a Data Protection Officer who may be contacted at dpo@ispup.up.pt or via letter to the Institute’s address: Rua das Taipas, 135; 4050-600 Porto, Portugal.
This privacy policy may be revised and changed in order to always correspond to the procedures adopted by ISPUP regarding personal data. As such, we recommend that you consult it regularly in order to keep yourself updated.
In order to be easily identified, the changes that may be made to the privacy policy will be explicitly marked at the end of this document.
Version | Date | Updates |
V2 | May 2020 | New version of ISPUP’s privacy policy. In this version, the concept of personal data processing, processing purposes and permissions, the means of data collection, security measures, the contact details of the controller and the contact details of the Data Protection Officer have been added. The categories of personal data to be processed, third party transmission of data and personal data processing at events have been further developed in the text. |
V3 | August 2021 | The sections on “Means used for collecting personal data”, “Recording and processing of data at events”,“Time limits for storing personal data” and “Security measures” have been improved/reformulated. |