1. Personal Data
Instituto Pedro Nunes, Associação para a Inovação e Desenvolvimento em Ciência e Tecnologia, with headquarters in Rua Pedro Nunes, 3030-199 Coimbra, Portugal, VAT 502 790 610 (hereinafter IPN), within the framework of its activities collects and treats personal data, such as:
2. Personal Data Processing
Personal data processing is performed by IPN through automated and/or analogical means (without prejudice of the provisions of chapter VIII), such as:
- Register and storage
- Search and use
- Dissemination, regardless of the disclosure means
- Comparison or interconnection
- Limitation, deletion or destruction
3. Data Subject Consent
IPN requires to the data subject, in all cases, the freely given, specific, informed and unambiguous consent for the processing of his/her personal data, using formal templates designed case by case, considering the type, scope and extension of said personal data processing.
Conditions applicable to child’s consent
According to Article 8 of the GDPR, all personal data belonging to children can only be processed under an express consent observing the rules of Article 6, number 1, point a) of the GDPR related to information society services when said children complete 13 years old.
For children with less than 13 years old, such processing shall be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child, preferably through the use of electronic certification means, such as Citizen Card or Digital Authentication Key.
4. GDPR Compliance
IPN is fully compliant with EU rules concerning personal data protection, approved by the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter GDPR), as well as with the full body of internal legislation if force.
IPN is responsible for the personal data processing, under automated and analogical means, since its collection, through its organization and storage, up to its deletion.
IPN keeps a continuous and thorough registry of all its personal data processing activities.
5. Lawfulness of Processing
Personal data shall be processed only according to a bundle of lawful purposes, which include:
- Performance of IPN´s statutory goals and activities
- Compliance with legislation in force and generic legal rules and obligations
- Book-keeping and document integrity legal rules
- Performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
- IPN´s role as subcontractor, as defined in number 8, Article 4 of the GDPR
6. Data Storage Period
Personal data will be stored for the period defined by legal rules or, in their absence, for the strict time needed for the fulfilment of the processing purpose, taking in consideration the legal basis for said processing, as well as all the remaining requisites and time periods determined by law, namely the lapse terms for legal actions based on the correlated rights.
Accordingly, in all cases where a mandatory storage period is determined by law, the right to erasure of personal data as stated in Article 17 of the GDPR can only be exercised by the data subject after said period is lapsed.
IPN shall store the personal data for the strict period of time needed for the fulfilment of the data processing purpose, as well as its erasure (or anonymization, if and when applicable/needed) immediately after said period and/or upon the data subject´s request, always considering the above-cited exceptions and all legally defined terms.
7. Data Subject Rights
The data subject has the right, at all time, to require to IPN, free of charge:
- The access to his/her personal data
- The rectification and correction of his/her personal data
- The erasure of his/her personal data (the “right to be forgotten”) (the conditions defined above in VI. on personal data storage may apply
- The limitation of his/her data processing (idem)
- The opposition of his/her data processing
- The portability of his/her personal data to an appointed third entity, provided that said data are stored exclusively in electronic form.
- In every case, if a legal rule or legal obligation is in force which supersedes these data subject rights, IPN reserves the right of denial of the data subject request (and/or to determine restrictions to said request, if and when applicable), duly communicating to the data subject the respective grounds of said decision.
The data subject is entitled to file complaints to Comissão Nacional de Proteção de Dados (hereinafter, CNPD), the Portuguese Controller Authority, according to the definitions duly stated in numbers 21 and 22 of article 4 and article 51 of the GDPR.
8. Processor and Third Party Intervention
IPN, while conducting its undertakings, may authorise third parties (as defined in number 10 of article 4 of the GDPR) to process personal data which are under IPN´s domain, in order to comply with legal duties, pre-contractual or contractual obligations and/or as indispensable means of performance of IPN´s statutory goals. Said third parties can be public authorities, namely in charge of auditing tasks, project, activity or service partners.
In order to comply with the GDPR requisites, IPN shall require the previous and mandatory consent to the data subject for this specific processing.
IPN, while conducting its undertakings, may subcontract third entities (as defined in number 8 of article 4 of the GDPR) to process personal data on IPN´s behalf. In order to comply with the GDPR requisites, IPN shall require the previous and mandatory consent to the data subject for this specific processing.
10. IPN´S Duty of Protection
IPN complies with the drafting, approval and implementation of all formal and technical proceedings needed for the security of data processing, as well as to assure the accurate and timely record of all processing activities. In addition, a prior assessment will be made with regard to all future data processing activities to be launched by IPN in the future, assuring that they will be fully RGPD compliant.
IPN will perform its best efforts to assure the proper operation of all available technical means to avoid the loss, improper use, unauthorized access and unlawful appropriation of personal data, regardless of the likelihood of failure of part of the Internet security measures in force.
IPN assumes no liability for any damages and losses suffered by any individuals due to illegitimate access to personal data transmitted by any data subject through IPN´s Internet portal and/or through IPN´s remaining informatic infrastructure.
Nevertheless, IPN shall notify CNPD according to the rules defined in article 33º of the GDPR, if and when acknowledges any event which constitutes a violation of personal data, as defined in number 12 of article 4 of the GDPR.
Data subject can exercise his/her rights of rectification, modification or cancelling of his/her personal data or request any information related with said data under written form, directed to IPN to the address indicated above in I. or through the following specific email address: firstname.lastname@example.org.
12. Final Dispositions
IPN is entitled to change this Policy without any prior notice, namely due to the need of its compliance with new legislation or CNPD recommendations. In the event of any change to thus Policy, IPN will immediately publicize said changes through its public Internet portal.