Saltar para o conteúdo principal

Organization responsible for coordinating and implementing public policies in the field of higher education.

Personal Data Protection and Privacy Policy

1. Data Protection and Privacy Commitment

The Institute for Higher Education (IES) is committed to complying with all applicable EU and national legal standards regarding data protection and information security.

The Institute for Higher Education (IES) has implemented a Personal Data Protection System and an Information Security System to ensure regulatory compliance and demonstrate institutional responsibility regarding data protection and information security, implementing all necessary technical and organizational measures deemed appropriate, both to comply with the legal regime of the General Data Protection Regulation (Regulation EU 2016/679 of 27 April, hereinafter referred to as GDPR), and to comply with the legal regime of the GDPR Implementing Law (Law No. 58/2019 of 8 August, hereinafter referred to as LERGPD), as well as other applicable complementary legislation.

For any clarification or additional information, or to exercise your rights in this regard, please contact the Data Protection Officer of the Higher Education Institute (IES) via email: protecaodedados@iesuprior.pt

2. Definitions

«Personal data»

«"Personal data" means any information relating to an identified or identifiable natural person ("data subject") – an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier. Personal identifiers include, for example, a name, an identification number, location data, online identifiers or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

«"Processing of Personal Data"»

«"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

«"Cookies"» (Testimonials of Connection)

«"Cookies," also known as "Connection Testimonials" in English, are small text files containing relevant information that devices used for access (computers, mobile phones, or portable mobile devices) load through the internet browser when a website is visited by the User.

3. Data Controller 

The Institute for Higher Education (IES) Legal Entity, hereinafter referred to as IES, IP, is the entity responsible for the forms, online sites, systems or computerized applications, hereinafter referred to as channels or applications, through which Users, Service Recipients or Users have remote access to the services of IES, IP that are presented or provided, at any time, through them, being the entity considered responsible for the processing of personal data.

The use of channels, systems or applications by any User, Service Recipient or Client may involve the processing of personal data, the protection, privacy and security of which is ensured by IES, IP, as the entity responsible for the respective processing, in accordance with the terms of this Data Protection and Privacy Policy.

4. Institutional Contacts of the Data Controller 

For contact with the Data Protection Officer of IES, IP, please send an email to protecaodedados@iesuprior.pt or to each of the specific addresses identified in the forms, online sites or applications, describing the subject of the request and indicating an email address, a telephone contact address or a postal address for reply.

For any other purpose, the following general contact details of the Higher Education Institute (IES), as the Data Controller, may be used:

Bruno Miguel Abrantes de Campos e Castro

E-mail: dpo_protecaodedados@iesuprior.pt

Telephone Fixed Portugal: (+351)225323740

Start date: 2024-01-01

5. Collection and Processing of Personal Data 

IES, IP processes personal data strictly necessary for providing information and operating its channels, according to the uses made by Users, Service Recipients or Users, whether those provided for the purpose of registering requests or obtaining information, those provided for the purpose of subscribing to those channels, or those resulting from the use of services provided by IES, IP through them, such as accesses, consultations, instructions, requests or applications, transactions and other records relating to their use.

In particular, the use or activation of certain channel functionalities may involve the processing of various direct or indirect personal identifiers, such as name, home address, personal contact details, device addresses, or geographic location, provided that the specific User, Service Recipient, or Client expressly consents to this, whenever this is necessary for managing the contractual relationship or pursuing legitimate interests, or finally, for the purpose of complying with legal obligations.

In all cases, Users, Service Recipients or Users will always be informed of the need to access such data for the use of the functionalities of the channels in question, as well as the respective legal basis for processing this data.

The personal data collected by IES, IP is processed manually or, in certain cases, in an automated or computerized manner, including file processing or the possible definition of profiles, within the scope of managing the pre-contractual, contractual or post-contractual relationship with Users, Service Recipients or Clients, in accordance with current national and community regulations.

6. Categories of Personal Data Processed and Data Subjects

The categories or types of personal data processed are generally the following:

  • identification data;
  • contact details;
  • professional data;
  • billing information;
  • Traffic data and access control.

In the Data Controller's various establishments, biometric data may also be processed, collected through video surveillance systems or other biometric systems that may be installed.

The categories or types of personal data subjects whose data is processed are generally Users, Service Recipients, or Clients, and may also include, in special processing situations, members of their respective households or visitors to the Data Controller's premises.

A detailed list of categories of personal data and categories of data subjects can be found in the Data Processing Information Sheets for each specific processing activity.

7. Legal Principles

All data processing operations comply with the fundamental legal principles of data protection and privacy, particularly regarding data circulation, lawfulness, fairness, transparency, purpose limitation, data minimization, data retention, accuracy, integrity, and confidentiality. IES, IP is available to demonstrate its responsibility to the data subject, to the authorities, or to any other third party with a legitimate interest in this matter.

8. Foundations of Legitimacy

All data processing operations carried out by IES, IP have a legitimate basis, namely, either because the data subject has given their consent to the processing of their personal data for one or more specific purposes, or because the processing is considered necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract, or because the processing is necessary for compliance with a legal obligation to which the controller is subject, or for purposes of public interest, or because the processing is considered necessary for the purposes of the legitimate interests pursued by IES, IP or by third parties – the specific basis being referenced in the concrete data processing activities.

9. Purpose of Treatment 

All personal data processed within the IES, IP channels is intended exclusively for providing information to Users, managing the personal information of Service Recipients deemed necessary for relationship management or communication purposes, as well as providing services to Users and, in general, managing the pre-contractual, contractual or post-contractual relationship with Users, Service Recipients or Users.

The personal data collected may also, and eventually, be processed for statistical purposes, for disseminating information or promotional activities, and for communication actions, namely to promote the dissemination of new features or new services, through direct communication, whether by mail, email, messages or telephone calls or any other electronic communication service.

Provided that prior information and express authorization are always obtained for these latter purposes, Users, Service Recipients or Users may, at any time, exercise their right to withdraw consent or their right to object to or limit the use of their personal data for purposes other than managing the relationship with the Data Controller, namely for the pursuit of legitimate interests, for sending informational communications or for inclusion in informational lists or services, and must, for this purpose, send a written request addressed to the Data Protection Officer of IES, IP, in accordance with the procedures indicated below.

10. Information Sheet on Data Processing on Websites 

In accordance with the principles of loyalty and transparency, and to guarantee compliance with the duty to inform, IES, IP directly delivers or makes publicly available to all holders of personal data, depending on how their personal data was collected, information sheets on the data processing activities carried out. These sheets are accessible for consultation at any public service unit or by request to the Data Protection Officer.

11. Use of Cookies (Connection Testimonials)

Regarding the use of Cookies or Connection Testimonials by IES, IP, please consult the Cookie Policy.

12. Data Communication to Other Entities

The provision of information or services by IES, IP to its Users, Service Recipients or Clients through the channels may eventually involve the use of services from third-party subcontractors, Joint Controllers or other independent Data Controllers, including entities based outside the European Union, for the provision of certain services, and this situation may imply access to this personal data by these entities.

Under these circumstances, and whenever necessary, IES, IP will only use entities that provide sufficient guarantees of implementing appropriate technical and organizational measures in a way that ensures the processing meets the requirements of applicable regulations. These guarantees will be formalized in a contract signed between IES, IP and each of these third-party entities.

13. Data Recipients

Except in the context of fulfilling legal obligations, executing contracts, or pursuing legitimate interests, under no circumstances will personal data of Users, Service Recipients, or Users be communicated to third parties other than subcontractors or legitimate recipients, nor will any other communication be made for purposes other than those mentioned above, without obtaining the prior express consent of the data subject.

14. International Data Transfers

Any transfer of personal data to a third country or international organization will only be carried out in compliance with legal obligations or with the guarantee of conformity with applicable Community and national legal standards in this matter.

15. Security Measures

Taking into account the most advanced techniques, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks, of varying likelihood and severity, for Users, Service Recipients or Clients, IES and all entities subcontracted by it apply appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

To this end, various security measures are adopted in order to protect personal data against its dissemination, loss, misuse, alteration, unauthorized processing or access, as well as against any other form of unlawful processing.

It is the sole responsibility of Users, Service Recipients, or Users to keep access codes secret, not sharing them with third parties. Furthermore, in the specific case of computer applications used to access the channels, they must maintain and keep the access devices secure and follow the security practices recommended by manufacturers and/or operators, particularly regarding the installation and updating of necessary security applications, including, among others, antivirus applications.

Should it become necessary to subcontract services to third-party entities that may have access to the personal data of Users, Service Recipients, or Users, the subcontractors of IES, IP will be obliged to adopt the security measures and protocols at the organizational level and the technical measures necessary to protect the confidentiality and security of personal data, as well as to prevent unauthorized access, loss, or destruction of personal data.

16. Exercising the Rights of Personal Data Holders 

Users, Service Recipients, or Users of IES, IP, as holders of personal data, may at any time exercise their data protection and privacy rights, including the rights to withdraw consent, access, rectification, erasure, portability, restriction, or objection to processing, under the terms and with the limitations provided for in the applicable regulations.

Any request to exercise data protection and privacy rights must be addressed in writing by the data subject to the Data Protection Officer, in accordance with the procedure and contact details described below.

The exercise of the rights of personal data subjects can be requested by email, through a request to the Data Protection Officer, via the following email address: protecaodedados@iesuprior.pt.

17. Complaints or Suggestions

Users, Service Recipients, or Customers have the right to file a complaint, either by registering the complaint in the Complaints Book or by submitting a complaint to the regulatory authorities – in the latter case, they may submit a petition or complaint directly to the National Data Protection Commission through the contacts available at [website address]. www.cnpd.pt .

Users, Service Recipients, or Users themselves may also submit suggestions via email to the Data Protection Officer at the following address: protecaodedados@iesuprior.pt.

18. Reporting of Personal Data Breach Incidents

IES, IP has implemented an incident management system within the scope of data protection and information security.

If any User, Service Recipient or Client wishes to report any personal data breach that accidentally or unlawfully results in the destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed, they may contact the Data Protection Officer of IES, IP or use the general contact details of IES, IP.

Reports of personal data breach incidents can be submitted via email to the Data Protection Officer at the following email address: protecaodedados@iesuprior.pt.

19. Data Protection Policies and Special Information Sheets

With a commitment to transparency and information, and to ensure the adequacy of the Data Protection and Privacy Policy to the different data processing operations carried out and, above all, to the different categories of data subjects, IES, IP may develop special Data Protection Policies, such as, for example:

– the Data Protection and Privacy Policy in the Workplace;

– the Data Protection and Privacy Policy for Application Management;

– the Data Protection and Privacy Policy for Supplier Employees or

– the "Cookies" Policy or Connection Testimonials.

These special policies are made available directly to the respective categories of data subjects or in the context of the related processing activities, and are available for consultation upon request to the Data Protection Officer, via email: protecaodedados@iesuprior.pt.

The Data Protection Policies are further complemented by Data Processing Information Sheets, reinforcing transparency and information about specific data processing activities at IES, IP, and these sheets are made available at the time of data collection, at any point of service or by contacting the Data Protection Officer.

20. Data Protection Officer

Identification of the data protection officer of IES, IP:

Bruno Miguel Abrantes de Campos e Castro

E-mail: dpo_protecaodedados@iesuprior.pt

Telephone Fixed Portugal: (+351)225323740

Start date: 2024-01-01

For any information, complaint, incident report, or exercise of any type of data protection and privacy rights, or for any matter relating to data protection and information security, Users, Service Recipients, and Users interacting with IES, IP, may contact the Data Protection Officer directly via email at protecaodedados@iesuperior.pt, describing the subject of the request and indicating an email address, a telephone contact address, or a postal address for a reply, or if they so prefer.

21. Express Consent and Acceptance

The terms of the Data Protection and Privacy Policy are complementary to the terms and provisions regarding personal data set out in the Specific Terms of Use for each of the IES, IP communication channels.

The free, specific, and informed provision of personal data by its owner implies knowledge and acceptance of the conditions contained in this Policy, considering that, by using the channels or by providing their personal data, Users, Service Recipients, and Clients are expressly authorizing its processing, in accordance with the rules defined in each of the applicable collection channels or instruments.

22. Changes to the Data Protection and Privacy Policy

In order to guarantee its updating, development and continuous improvement, IES, IP may, at any time, make changes to this Data Protection and Privacy Policy that are deemed appropriate or necessary, ensuring its publication through various channels to guarantee transparency and information to Users, Service Recipients and Clients.

23. Versions of the Data Protection and Privacy Policy

Version of this Policy: 2026-02.

Date: 2026-02-20.

To view previous versions of the Data Protection and Privacy Policy, please send a request by email to the address [email address would go here]. protecaodedados@iesuprior.pt.

Atualizado em February 26, 2026