Privacy Policy

The data controller of this privacy policy is the Instituto de Saúde Pública da Universidade do Porto (ISPUP), located at Rua das Taipas nº 135, 4050-600 Porto, Portugal.

ISPUP only collects and processes the personal data required to fulfill its goals and legal obligations. Data is collected through different means and at various times, and is fundamentally made up of the following categories:

• Demographic (name, gender, age and/or date of birth, nationality);
• Contact information (e-mail, telephone and/or mobile phone, address, post code, city);
• Governmental (identification document number and its expiring date, passport number, tax number, social security number);
• Family (marital status, household composition: number of holders and number of dependents);
• Health (workers’ medical certificates, communications of pregnancy, food intolerances and allergies);
• Photographe, image and sound;
• Biometric (fingerprint matrix);
• Academic/professional (Curriculum Vitae, ORCID and/or CIÊNCIA VITAE, certificates and proof of qualifications of candidates and employees, certificates of training courses offered by the entity to employees, professional situation, classifications in curricular units within the Public Health Specialisation Course);
• Civil identification, such as the type contained in work contracts, service provisions or other contracts;
• Those necessary for salary processing (bank identification number/IBAN, remuneration, professional category);
• Records of access and use of facilities;
• Records of participation in events and training promoted by the institution;
• Data collected through questionnaires and surveys;
• Digital identification (IP address, cookies);
• Those treated within the scope of the execution of R&D projects, e.g. of participants and researchers from the promoting entities.

Personal data will only be processed for the respective purposes and always on a basis provided for by law.

Purposes:

• Scientific or historical research or statistical purposes;
• Institutional communication: dissemination of research carried out by ISPUP, newsletter, dissemination of professional opportunities (grants, contracts, internships or other positions) and dissemination of events (seminars, conferences, meetings, intensive courses and other activities promoted by or related to the Institute);
• Recruitment (applications for employment and research grants);
• Human resources management: employee control and management ;
• Facility control and management;
• Documentation of internal processes and archive maintenance;
• Events management: enrolment in ISPUP intensive courses, enrolment in seminars and other activities promoted by or related to ISPUP;
• Management of the Public Health Specialization Course;
• Protection of people and property;
• Occupational health, hygiene and safety; 
• Administrative and treasury management;
• Fulfilling legal and contractual obligations and exercising rights.

Grounds for lawfulness of processing under Article 6 of the GDPR: 

The relevant ground of lawfulness will vary on a case-by-case basis; however, in most situations, it will come back to one of the following:

• Consent of data subjects;
• Pre-contractual diligence and execution of a contract with the data subject;
• Compliance with legal obligations;
• Legitimate interests pursued by ISPUP.

Data collection may be done, mainly, through the following means:

a) Website

As mentioned in the cookies policy, through ISPUP’s website we collect personal data related to intensive course enrolment and newsletter subscriptions. Website visitors may suggest lines of research through a form (Citizen Space), in which some contact information will be collected.

b) E-mail

E-mail is a privileged means of institutional communication, both internal and external, and therefore involves operations of personal data processing of various kinds.  The e-mail address itself often constitutes personal data. 

E-mail is used, for example, in order to receive personal information related to various types of professional applications: professional internships, apprenticeships, spontaneous applications, applications for professional opportunities; recruitment and selection of human resources. 

It is also the means used for updating contacts, collecting or updating the profile of each researcher, creating an institutional e-mail, sending opinions on research projects, sending comments within the scope of the scientific commission, receiving registrations for events, and sending institutional communication.

The Mautic platform is used in the context of institutional communication through e-mail, where ISPUP uses the instance located in the internal servers of the University of Porto (UP) and therefore there are no international data transfers.  The access to the system is controlled and supervised by the Data Protection Officers of both UP and ISPUP.

c) In person

d) Lime Survey Platform

The Lime Survey Platform is used in various scientific projects as a means of support for carrying out questionnaires and surveys. This is an open source platform hosted on University of Porto servers.

e) Paper documentation

Questionnaires in paper format can be carried out, as well as formal contracts, or documents with information from training actions or study participants, certificates, informed consents, among others.

f) Moodle Platform

Moodle is used to support the Public Health Specialization Course. This platform is managed by the University of Porto and user access is individual and done through login with username and password. Test score and learning material access is also done this way.

g) Biometric reader

Through the biometric reader, the fingerprint matrix is collected in accordance with the legal requirements applicable in the context of access control.

In order to promote scientific dissemination and bring ISPUP closer to the community, several types of events are organized: seminars, intensive courses, exhibitions, among others.

These events may be directed to the general public or to specific audiences. Notwithstanding the privacy policy that may be adopted in each situation, the registration and processing of data in events obeys the following general principles:

• The personal data collected for registration at seminars usually entails information such as name, e-mail address and, in some cases, affiliation. This data is collected by the administrative services or the communication office for the purpose of ensuring the logistical conditions associated with the event and issuing the declaration of attendance. The data is kept for a short period after the conclusion of the event (generally around 15 days) and is then deleted;
• For the intensive courses promoted by ISPUP, we collect the following personal data: full name, telephone, e-mail address, occupation, and institution. For billing purposes, we collect information regarding name/entity, address and tax identification number; 
• In the case of the courses, it is foreseen that the personal data of the trainees are kept in encrypted format, in an independent database, allowing for the possibility of the student to request a second copy of the certificate and safeguarding the exercise of their rights, including the right to be forgotten; 
• Some events may be subject to photographic and/or sound and image capture. This circumstance will be communicated at the time of registration and, usually, participants who do not wish to be photographed or filmed are allowed to contact a member of the organisation at the beginning of the event in order to be informed of the measures implemented to protect their privacy; 
• The records obtained in these events shall be used exclusively for promotional and/or informational purposes or for institutional record keeping, and may be used by ISPUP in a more or less extensive number of media and publications such as in the Institute’s website, social networks or news. 

We only store your personal data for the time necessary to achieve the purpose for which it was collected or, where appropriate, for the specific period stipulated by law.

For example, some data is deleted immediately or within a few days of being collected, while other data is kept for a period of 10 or more years in order to comply with legal obligations. The retention period for data necessary for scientific research also varies from case to case, depending on the respective goals and nature of the collection, without prejudice to the fact that the law, in principle, allows for longer retention periods for this purpose, provided that certain safeguards for the protection of the information are respected. 

Transfer of personal data to third parties

The sharing of personal data with third parties only happens in situations which are strictly necessary or due to legal obligation, serving as an example:

• Sharing personal data with the University of Porto for the creation of institutional e-mail addresses and wireless access credentials;
• Sharing personal data with subcontracted entities, such as the company responsible for maintaining ISPUP’s website and for providing e-mail marketing management services;
• Occupational health, hygiene and safety: sharing of personal information with doctors and other service providers, the University of Porto and with the employer;
• FCT and CCDR-N within the scope of research project management;
• Public Administration bodies (Tax Authority; Social Security, among others) to comply with legal obligations;
• Statutory auditor and accountant for accounting and/or treasury purposes;
• Institutions of the banking sector and insurance companies, for management and processing of payments and signing of insurance contracts;
• Sharing, within the scope of the CESP course, of personal data with some participants of the National Healthcare System; 
• Other institutions or individuals, provided that there is consent from the data subject for this purpose.

The sharing of personal data with third parties only happens in situations which are strictly necessary or due to legal obligation, serving as an example:

• Sharing of personal data with the University of Porto for the creation of institutional email, and of access credentials to the wireless network and provision of email marketing management services (Mautic);
• Sharing of personal data with subcontracted entities, such as the company responsible for the ISPUP website maintenance 
• Occupational health, hygiene and safety: sharing of personal information with doctors and other service providers, the University of Porto and with the employer;
• FCT and CCDR-N within the scope of research project management;
• Public Administration bodies (Tax Authority; Social Security, among others) to comply with legal obligations;
• Statutory auditor and accountant for accounting and/or treasury purposes;
• Institutions of the banking sector and insurance companies, for management and processing of payments and signing of insurance contracts;
• Sharing, within the scope of the CESP course, of personal data with some participants of the National Healthcare System; 
• Other institutions or individuals, provided that there is consent from the data subject for this purpose.

There may be transfers of personal data outside the European Union Area, mainly for research purposes. In these situations, ISPUP is responsible for ensuring that the transfer is done based on an adequacy decision of the European Commission that ensures a level of data protection equivalent to the applicable European legislation or, if there is no such decision, that the transfer takes place in legal terms, according to the mechanisms provided for this purpose, and through the implementation of appropriate measures to protect the data and the rights of the respective holders.

Cookies are small files that are stored on your computer by your web browser. These files are used to help users navigate the website more efficiently and perform certain functions. Cookies are necessary for the functionality and security of our website and no information is collected for tracking purposes or for monitoring user behaviour.

In addition to strictly necessary cookies for the operation of our website, statistical analysis cookies may be downloaded to your computer using the Matomo statistical analysis tool, but only after your consent has been collected via the website’s cookie banner. These cookies will be used solely for statistical purposes, and will allow for the counting of web page views and the evaluation of user browsing experience. 

The Matomo tool takes care of the protection of personal data, for example, by anonymizing the IP address of our website users. You may at any time withdraw your consent to the use of statistical analysis cookies for the above purposes. 

By default no such cookies will be installed on your computer.

Users can manage cookies through the settings of their web browser, which will allow them to be blocked or deleted. To do this, please consult the “Help” menu of your browser to find out how to change or deactivate cookies. The deactivation of cookies that are strictly necessary for website functionality may substantially affect user experience while browsing our website, preventing certain functionalities from working correctly. For more information on how to manage cookies and their settings, we recommend that you consult the website http://www.allaboutcookies.org/. 

You can consult our cookies policy for a more detailed description at any time. 

ISPUP implements security measures that are appropriate for each context, aiming to protect the personal data in its custody, specifically:

• Physical security measures, namely in employee, collaborator and user access control to the facilities, carried out through a dedicated team of security professionals;
• Security measures for the protection of people and goods through a video surveillance system installed in close compliance with the legally prescribed requirements;
• IT security measures, such as firewalls, antivirus, wireless access with SIGARRA user credentials from the University of Porto, conditioning access to ethernet, and disk encryption;
• Data security measures, such as database access control, pseudonymization and anonymization of data, and file protection with password.

In addition, the technical and organizational security measures implemented internally  are also required from ISPUP service providers that process personal data on its behalf.

ISPUP undertakes to notify the competent supervisory authority (in Portugal, the CNPD) under the terms and deadlines set forth in Article 33 of the GDPR, should it become aware of any personal data breach event, as well as to communicate a possible breach to the data subjects themselves, in the cases and conditions determined by Article 34 of the same Regulation.

In accordance with applicable legislation, ISPUP undertakes to respect the confidentiality of your personal information and to guarantees the exercise of your rights. The law recognises the following rights: Information, Access, Rectification, Deletion, Portability, and Limitation of processing. 

The exercise of your rights may be refused or restricted, subject to the terms and conditions provided for by applicable EU and national law, to the extent that such exercise would make it impossible or seriously undermine the achievement of the purposes of the processing for research purposes and only to the extent necessary to achieve those purposes. 

For the exercise of any of your rights please use the following e-mail address: secretaria@ispup.up.pt.  

The law also gives you the right to lodge complaints with a European supervisory authority. In Portugal, the competent authority is the CNPD.

For more information on the exercise of your rights please consult the website of the CNPD here.

The personal data subject may exercise their rights of access, rectification, modification or erasure, as well as request any information regarding the processing of their personal data through a written request to the following e-mail address: secretaria@ispup.up.pt or postal address: Instituto de Saúde Pública da Universidade do Porto, Rua das Taipas, 135; 4050-600 Porto, Portugal. 

For any questions regarding the exercise of the rights of the data subject, complaints or requests concerning the processing of personal data, please contact our Data Protection Officer at the following address: dpo@ispup.up.pt.

ISPUP has appointed a Data Protection Officer who may be contacted at dpo@ispup.up.pt  or via letter to the Institute’s address: Rua das Taipas, 135; 4050-600 Porto, Portugal.

This privacy policy may be revised and changed in order to always correspond to the procedures adopted by ISPUP regarding personal data. As such, we recommend that you consult it regularly in order to keep yourself updated.

In order to be easily identified, the changes that may be made to the privacy policy will be explicitly marked at the end of this document.