Privacy policy of the Faculty of Medicine of the University of Lisbon

 

The Faculty of Medicine of the University of Lisbon ("FMUL") is a collective person under public law, part of the University of Lisbon ("University" or "ULisboa"), endowed with statutory, scientific, cultural, pedagogical, administrative, financial and patrimonial autonomy in accordance with the law and the Statutes of the University of Lisbon.

Its mission is the training of doctors, teaching and researching of Medicine and the Sciences essential to health promotion, prevention, diagnosis, treatment and rehabilitation of illness through the creation, transmission and dissemination of science, technology and culture, with respect for intellectual freedom and ethics, recognition of merit and sense of service to the community.

As part of the exercise of its functions, it makes available on its institutional website a set of information concerning the missions it carries out, with the aim of disseminating it to the academic community, society, and other parties interested in the information.

Privacy and the protection of personal data represent a firm commitment for FMUL, which acts in compliance with its legal obligations, particularly those resulting from the application of the new General Data Protection Regulation, Regulation 2016/679, of 27 April 2016 ("GDPR") and the Data Protection Law, Law 58/2019, of 8 August.

Thus, FMUL has been implementing a set of measures in order to reinforce its Privacy Policy. Protecting the personal data of the University community and of those who interact or collaborate with us is our priority.

FMUL, to the extent that it processes personal data in its different areas of action, whether through its multiple facilities or through its online platform, guarantees the protection of personal data, the processing of which is carried out under the applicable legislation and this Privacy Policy.

In strict compliance with the law, the University of Lisbon has introduced new security practices and improved its internal procedures with the ever-present objective of guaranteeing the security of the data to which it has access. It applies a harmonised data processing policy to each School, research unit and other units, structures and services that make up the University, implementing joint measures through a network to create common practices for the processing, protection and security of personal data, while respecting the autonomy and responsibility of each of these entities in the processing of personal data.

The protection of Personal Data is a fundamental right, so your privacy is important to the Faculty of Medicine of the University of Lisbon. We therefore clarify the personal data we collect, for what purposes, the principles that guide this use and what rights the holders of these data have.

To safeguard data protection, FMUL, as the data controller:

  • Ensures that Personal Data are processed within the scope of the purpose(s) for which they were collected or for purposes compatible with the original purpose(s) for which they were collected;
  • Is committed to implementing a culture of Data minimisation, in which only the personal data strictly necessary for the development of its activity are collected, used and kept.

To this end, we advise you to read the privacy policy in order to become aware of your rights and of the conditions under which you provide your personal data and authorise its collection, use and disclosure.

 

 

Protecting your personal data

Through this Policy, the Faculty of Medicine of the University of Lisbon recognises the importance of the security of the personal data it processes, and ensures the protection of the privacy of the respective data holders without prejudicing the object and full achievement of the different areas in which it operates.

In this Policy, it also provides further information about the rules, principles and good practices observed in the processing of personal data entrusted to it, in compliance with the General Data Protection Regulation (GDPR) and other applicable legislation, and about the means available to the data subjects to exercise their respective rights.

 

 

 

Within the scope of its activity in different areas, the University of Lisbon is the entity responsible for the processing of personal data, and may be contacted through the following e-mail address: rgpd@ulisboa.pt

Within the scope of its activity in different areas, the Faculty of Medicine of the University of Lisbon is responsible for the processing of personal data to which it has access, so requests for information and the exercise of rights regarding the processing of such data should be addressed to the FMUL through the following e-mail address: protecaodados@medicina.ulisboa.pt

 

 

 

Given the legal obligation resulting from point a) of paragraph 1 of article 37 of the GDPR, the University of Lisbon has appointed a Data Protection Officer, responsible for ensuring, among other things, the compliance of the processing activities and protection of personal data under its control, in accordance with applicable legislation and this Policy.

Among other duties, it is the Data Protection Officer's responsibility to:

  • Monitor the compliance of data processing with applicable standards;
  • Serve as a contact point for clarification of questions regarding data processing;
  • Cooperate with the National Commission for Data Protection (CNPD), as a supervisory authority;
  • Provide information and advice to the University of Lisbon, or to the subcontracted entities, on their obligations in terms of privacy and data protection.

Thus, the holders of personal data, if they wish so, may address a communication to the Data Protection Officer, concerning matters related to the processing of personal data, using, for this purpose, the following email address: rgpd@ulisboa.pt

 

 

 

The Faculty of Medicine of the University of Lisbon reserves the right to make changes to this Privacy Policy, and these changes will be duly publicised on the University website and/or other channels it considers appropriate.

 

 

Session cookies are used on this website only to analyse web traffic patterns or to allow us to identify problems and provide a better browsing experience.

All browsers allow the user to accept, refuse or delete cookies, namely by selecting the appropriate settings in the respective browser. Cookies can be configured in the "options" or "preferences" menu of the user's browser.

Please note, however, that by disabling cookies the user may prevent some web services from working properly, affecting website navigation in whole or in part.

To learn more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.allaboutcookies.org which includes information on how to manage your settings for various browser providers.

For more information about the cookies policy please see the ULisboa institutional website.

Acceptance of these terms

By having voluntarily and expressly accepted on our website the cookies policy, you have agreed to the collection and use of your information as set out in this Cookies Policy.

 

The Faculty of Medicine of the University of Lisbon has developed and implemented a 360° Privacy Policy that includes a wide range of measures to protect its personal data. The implementation of this policy resulted from the identification of personal data under its responsibility, the assessment of data quality, the development of a data processing register, the definition of security controls, data protection and monitoring and, finally, the subsequent implementation of new procedures. The present information intends to present in a structured and simplified way the respective privacy policy for a greater transparency on how we treat personal data.

 

Personal data are any information of any nature and in any medium (e.g. sound or image) concerning an identified or identifiable individual person (referred to as "data subject"). An identifiable individual person is one who can be identified, directly or indirectly, in particular by name, identification number, location data, electronic identifier or other specific physical, physiological, genetic, mental, economic, cultural or social identity characteristics of that individual person.

 

 

Sensitive data are all personal data subject to specific processing conditions. This includes:

  • Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs and trade union membership;
  • Genetic data;
  • Biometric data processed for the purpose of uniquely identifying a person;
  • Data concerning health;
  • Data concerning a person's sex life or sexual orientation.

 

 

The data holder is any individual person whom the personal data concern. In the context of the activity carried out by the Faculty of Medicine of the University of Lisbon, the following are data holders:

The members of the university bodies, teachers, researchers, non-teaching staff, regardless of their contractual relationship, and other service providers, users of the university stadium, elements that collaborate directly or indirectly with the University of Lisbon, as well as all individual persons who send their data or authorize the University of Lisbon to use their data.

 

 

The Faculty of Medicine of the University of Lisbon processes personal data that differ in nature and sensitivity, as well as in the purpose associated with their processing, such as, for example:

  • Personal identification data: name, date of birth, place of birth, sex, nationality, address, telephone number, academic and professional qualifications, e-mail, civil identification number and/or passport, taxpayer number, driving licence number and social security number;
  • Family status: marital status, name of spouse, children or dependent persons and/or any other information necessary to determine the salary supplements;
  • Professional activity: working hours, place of work, date of admission, position, professional category and length of experience in the category, salary level, type of contractual tie, and certificate(s) of academic and professional qualifications;         
  • Financial information: remuneration, additional remuneration, variable or fixed amounts, allowances, holidays, attendance, leave, or other information related to additional remuneration, amount or rates of compulsory or optional contributions, payment methods, bank name and bank account number (NIB or IBAN), declaration of compatibility of functions (when applicable);
  • Special categories of personal data: degree of disability of the employee and/or any member of his/her household, possible temporary incapacity as a result of an accident at work or occupational disease, and sickness leave.

 

 

The Faculty of Medicine of the University of Lisbon keeps a data processing record, in accordance with article 30 of the GDPR, which identifies:

  • The name and contact details of the controller and, where applicable, of any joint controller, the controller's representative and the data protection officer;
  • The purposes of the processing;
  • The description of the categories of data subjects and of the categories of personal data;
  • The deadlines foreseen for the deletion of the different categories of data;
  • The technical and organisational security measures implemented to ensure pseudonymisation and encryption of personal data and the ability to ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services.

 

 

Within the scope of personal data processing, the Faculty of Medicine of the University of Lisbon observes the following fundamental principles:

  • Principle of loyalty, lawfulness and transparency: personal data are processed lawfully, fairly and transparently in relation to the data holder;
  • Principle of purpose limitation: personal data shall be collected for specific, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
  • Principle of data minimisation: personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • Principle of accuracy: personal data shall be accurate and updated when necessary, and every reasonable step shall be taken to ensure that inaccurate data, in regard to the purposes for which they are processed, are erased or rectified without delay;
  • Principle of limited storage: personal data shall be stored in a form which allows the identification of data holders for no longer than is necessary for the purposes for which the data are processed;
  • Principle of integrity and confidentiality: personal data shall be processed in a manner that ensures their security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, and appropriate technical or organisational measures shall be taken.

 

As the entity responsible for the processing, the Faculty of Medicine of the University of Lisbon undertakes to ensure that the processing of the holders' data is carried out in strict compliance with the aforementioned principles, ensuring the conditions to prove compliance with them.

 

 

The Faculty of Medicine of the University of Lisbon only processes personal data when at least one of the following situations occurs:

a) Consent of the data subject: when the data holder has given his/her consent to the processing of his/her personal data, for one or more specific purposes, through express consent, which indicates a free, specific, informed and unequivocal expression of will that the data holder consents to the processing of his/her data. Consent may be obtained by any means (including electronic), and the Faculty of Medicine of the University of Lisbon shall keep a record of it, as a way of proving that the holder has given his/her consent to the processing of his/her personal data.

The data holder has the right to withdraw his/her consent at any time, and the withdrawal of consent does not compromise the lawfulness of the processing carried out on the basis of the consent previously given.

b) Execution of a contract or pre-contractual diligences: when the processing is necessary for the execution of a contract in which the data holder is a party, or for pre-contractual diligences at the request of the data holder.

This situation includes, as an example, the processing of personal data of teaching staff, employees and service providers of the Faculty of Medicine of the University of Lisbon within the scope of the management of the established employment relationship or the respective service providers within the scope of the contractual relationship.

c) Compliance with legal obligation: when the processing is necessary to comply with a legal obligation. This situation includes, for example, the processing of personal data for compliance with legal obligations resulting from declaratory obligations to Social Security, Tax Administration or other Administrative Authorities, including the competent Ministry.

d) Vital interests: when processing is necessary in order to protect the vital interests of the data subject or of another individual person, for example in the event of a medical emergency.

e) Public interest/public authority: when processing is necessary for the performance of functions of public interest, for example, when there is a need to alert the Directorate-General for Health. The Faculty of Medicine of the University of Lisbon is a public entity and the educational activity is driven by the public interest, so that much of the activity has this justification, even though it must be evaluated in each processing action.

f) Legitimate interest: when processing is necessary for the purposes of the legitimate interests pursued by the Faculty or a third party, except if the interests or fundamental rights and freedoms of the data holder that require protection of personal data prevail.

 

 

The Faculty of Medicine of the University of Lisbon may process sensitive data under the following conditions:

  • When the data holder has given his/her explicit consent to the processing of such personal data for one or more specific purposes;
  • When, under European Union law, national law or a collective agreement, processing is necessary for the purposes of carrying out obligations and exercising specific rights of the Faculty of Medicine of the University of Lisbon or the data holder in terms of employment legislation, social security and social protection;
  • When processing is necessary to protect the vital interests of the data holder or of another individual person when the data holder is physically or legally incapable of giving consent;
  • If the processing relates to personal data which have been manifestly made public by the data holder;
  • If the processing is necessary for the establishment, exercise or defence of legal claims or when the courts are acting in their judicial role;
  • If processing is necessary for reasons of substantial public interest based on European Union or national law;
  • If the processing is necessary for the purposes of preventive medicine or occupational medicine, the assessment of the employee's capacity for work, medical diagnosis, the provision of health or social care or treatment or the management of health or social welfare systems and services, on the basis of European Union or national law or under a contract with a health professional;
  • If processing is necessary for reasons of public interest in the area of public health on the basis of European Union or national law;
  • If processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes on the basis of European Union or national law.

 

 

Considering the diversity of its areas of activity, the Faculty of Medicine of the University of Lisbon processes personal data for the following purposes:

  • Financial data – For the payment of salaries of its employees and the acquisition of services; payment management; reception and processing of proposals submitted in procurement procedures; execution of contracts established with suppliers;
  • Contractual procedures – Elaboration of contracts, partnerships, protocols of national and international matter, instructing and practicing the inherent technical procedures. Reception and treatment of requests for computer support. Development of new computer solutions for the academic community;
  • Human Resources – Human resources management (attendance and time management); salary processing; performance evaluation; promotion of health and safety at work; attribution of social benefits to employees;
  • Activities undertaken – Organisation of events within the scope of its principles and statutes, insurance of events with insurance companies, participation in international events, cooperation with other similar Universities.

 

 

Personal data are only kept for the period of time necessary to fulfil the purposes for which they are processed.

The Faculty of Medicine of the University of Lisbon complies with the maximum retention periods legally established. However, the data may be conserved for longer periods, for purposes of public interest, compliance with distinct purposes that may subsist, such as, for example, the exercise of a right in legal proceedings, archiving purposes of public interest, scientific or historical research purposes or statistical purposes, applying – in this case – all the appropriate technical and organizational measures to safeguard the personal data.

These guarantees involve the adoption of technical and organisational measures to ensure, in particular, the respect for the principle of data minimisation and data pseudonymisation.

 

 

The Faculty of Medicine of the University of Lisbon may collect data directly (i.e. directly from the data holder) or indirectly (i.e. through third parties). The collection may be done through the following channels:

  • Direct collection: in person, by telephone, by e-mail, through its platforms (example: Fénix Platform and through the training area);
  • Indirect collection: through its partners (e.g. Universities or Partner Schools).

 

 

The Faculty of Medicine of the University of Lisbon guarantees the data subjects the exercise of their rights under the terms of the applicable legislation on the protection of personal data, namely:

  • Right of access: the data subject has the right to obtain confirmation as to whether or not personal data concerning him/her are being processed and, when appropriate, the right to access his/her personal data.
  • Right of rectification: the data holder has the right to request at any time the rectification of his/her personal data as well as the right to have his/her incomplete personal data completed, including by means of an additional declaration.
  • Right to erasure: the data holder shall have the right to obtain the deletion of his/her data when one of the following grounds applies: (i) the holder's data are no longer necessary for the purpose for which they were collected or processed; (ii) the data holder withdraws the consent on which the data processing is based and there is no other legal ground for such processing; (iii) the data holder opposes the processing under the right to object and there are no prevailing legitimate interests justifying the processing; (iv) if the holder's data are processed unlawfully; (v) if the holder's data have to be erased for the fulfilment of a legal obligation to which FMUL or the processor are subject. Under the applicable legal terms, FMUL has no obligation to erase the holder's data as the processing is necessary for compliance with a legal obligation to which it is subject or for the purposes of the declaration, exercise or defence of a right in legal proceedings.
  • Right to limitation: the data holder shall have the right to obtain the limitation of the processing of his/her data if one of the following situations applies: (i) if he/she contests the accuracy of the personal data, for a period enabling their accuracy to be verified; (ii) if the processing is unlawful and the data holder opposes the deletion of the data and instead requests the limitation of their use; (iii) if the data are no longer needed for processing purposes, but such data are required by the data holder for the establishment, exercise or defence of a right in legal proceedings.
  • Right of portability: the data holder shall have the right to receive personal data concerning him/her in a structured, commonly used and machine-readable format and the right to transmit such data to another controller if: (i) the processing is based on consent or on a contract to which the data holder is a party and (ii) the processing is carried out by automated means.
  • Right to object: the data subject has the right to object at any time, on grounds relating to his/her particular situation, to processing of personal data concerning him/her which is based on the exercise of legitimate interests pursued or where the processing is carried out for purposes other than those for which the personal data were collected.

You also have the right to present a complaint to the National Commission for Data Protection (CNPD). 

 

 

The rights may be exercised by the data holder by contacting the Faculty of Medicine of the University of Lisbon through the means listed below. The Faculty will reply in writing (including by electronic means) to the holder's request within a maximum period of one month from receipt of the request, except in cases of special complexity and high number of requests, in which case this period may be extended to two months.

 

Mail or in person, at the following address:

Faculty of Medicine of the University of Lisbon

Avenida Professor Egas Moniz

1649-028 Lisbon

 

Through e-mail: protecaodados@medicina.ulisboa.pt

 

 

The data subject may complain directly to the National Authority for the Control of Personal Data, the National Commission for Data Protection (CNPD), using the contacts provided by this entity for this purpose (at www.cnpd.pt).

 

 

Taking into account the principle of proportionality and appropriateness, security, costs of implementation and the nature, scope, context and purposes of the processing, as well as the likely risks, the Faculty of Medicine of the University of Lisbon applies appropriate technical and organisational security measures to ensure a level of security of personal data according to the risk, such as:

  • Use of firewall and intrusion detection systems in its information systems;
  • Application of access control procedures, using differentiated access profiles and based on the need-to-know principle;
  • Registration of actions carried out on the information systems that contain personal data (login);
  • Execution of a backup plan;
  • Anti-spam protection for receiving and sending corporate emails;
  • Installation, maintenance and management of the antivirus and firewall systems in the University computers;
  • Pseudonymisation of personal data;
  • Access control to physical facilities;
  • Automatic fire and intrusion detection system;
  • Implementation of training and/or awareness-raising activities on information security and data protection.

 

 

Subcontractors and third parties

  • Subcontractors: The Faculty of Medicine of the University of Lisbon may use other entities contracted by it (subcontractors) to process the holder's data on behalf of the FMUL and in accordance with the instructions given by the latter, in strict compliance with the provisions of the GDPR, the national legislation on the protection of personal data and this Policy.
  • The subcontractors cannot transmit the holder's data to other entities without the FMUL's prior written authorisation, and they are also forbidden from contracting other entities without the FMUL's prior authorisation.
  • The FMUL undertakes to ensure that these subcontractors will only be entities that present sufficient guarantees of implementation of adequate technical and organisational measures, so as to ensure the privacy of the holder's data and the defence of their rights.
  • All processors are bound to FMUL by a written contract that includes the object and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data holders, the rights and obligations of the parties, including the duty of confidentiality, and the security measures to be implemented.
  • Third Parties: The Faculty of Medicine of the University of Lisbon is bound by law and by compliance with administrative procedures and, to that extent, obliged to transmit data, including personal data to other entities, namely, among others, to:
    • Tax Authority;
    • Social Security and/or Caixa Geral de Aposentações;
    • Embassies;
    • Professional bodies;
    • Research institutions;
    • Insurance companies;
    • Other public institutions;
    • Higher Education accrediting bodies;
    • Organisations within the framework of Social Support in Higher Education;
    • Partner Universities for the purposes of the Erasmus programme, or equivalent;
    • Funding Agencies / Partner Institutions that submit applications for national or community funding.

 

Whenever personal information is shared with one of these entities, the Faculty of Medicine of the University of Lisbon will assess the need to obtain, when necessary, the respective consent and will take all necessary measures and/or actions to confirm that they will perform their functions in accordance with the principles of the GDPR.

 

 

In the event of a personal data breach, and insofar as such breach is likely to result in a high risk to the rights and freedoms of the data subject, the Data Protection Officer shall notify the breach to the national supervisory authority, and communicate the breach to the data holder not later than 72 hours after having become aware of it.

Under the GDPR, communication to the data subject is not required in the following cases:

 

  • In case FMUL has applied appropriate protection measures, both technical and organisational, and those measures have been applied to the personal data affected by the personal data breach, especially measures that render the personal data unintelligible to any person not authorised to access it, such as encryption;
  • In case the FMUL has taken subsequent measures ensuring that the high risk to the data holder's rights and freedoms is no longer likely to materialise; or
  • If the communication to the holder involves a disproportionate effort for the FMUL, in which case the FMUL will make a public communication or take a similar measure by which the holder will be informed.

 

Any violation of personal data, the processing of which is the responsibility of the Faculty of Medicine of the University of Lisbon, may be reported through the following means:

 

 

We recommend that you periodically consult our privacy policy to stay informed of how the Faculty of Medicine of the University of Lisbon protects your Personal Data, and to keep up to date with the information and rights you are entitled to.

 

Date of last update: April 2021