The University of Coimbra (UC) is a legal entity governed by public law, which performs a plurality of functions, conferred by law and regulations, within the fields of teaching, scientific research, dissemination of knowledge, science and culture, and which, due to the relations and articulations it establishes with society in the fulfillment of its mission, needs to treat citizens’ personal data.
The UC is committed to the six principles underlying the General Data Protection Regulation (GDPR), the Portuguese Data Protection Law and all other relevant standards relating to the protection of individuals’ rights and freedoms.
The UC treats personal data for the purposes of management, administration, research, or other purposes required by law, as well as for the execution of statutory and regulatory requirements.
All processing of personal data by the UC comply with this Policy, with the guidance of the national supervisory authority - the Comissão Nacional de Proteção de Dados (National Data Protection Commission/CNPD), as well as the recommendations and guidance of the UC Data Protection Officer.
In accordance with Article 15 of the GDPR, the UC fully recognizes data subjects' "right of access" to any personal data and does not restrict such access except as provided by law. The UC also recognizes all the other rights granted to individuals under personal data protection legislation and are committed to meeting the requests of those wishing to exercise those rights.
 – Our commitment
i. Protect the security and privacy of personal data;
ii. Communicate transparently about the personal data we manage and under what conditions;
iii. Provide appropriate mechanisms for the exercise of the rights of data subjects;
iv. Respect the provisions of (EU) Regulation 2016/679 of the European Parliament and of the 27th April 2016 Council - GDPR - and other applicable legislation, including national legislation supplementing the GDPR.
All contents of this website, unless otherwise indicated, are owned by the UC and may not be reproduced or modified without its express permission, except in cases of free use, namely for teaching or research purposes or for personal use. In these cases their ownership shall be mentioned.
The guidelines, recommendations and information contained on our website aim a better understanding of data protection rules and may not under any circumstances, be used to create legal rights or expectations. Since these guidelines reflect the state of the art at the time of their preparation, they should be considered as an “evolutionary instrument” open to improvement and contents’ updating.
The access to the UC website implies full acceptance of the various notices contained therein, and that you agree to use the UC website lawfully and in no way cause any harm to the rights or interests of the UC or any third party.
By accessing this web site, users assume to know and accept the following terms and conditions, that we recommend reading.
 - Reservation of right of disposal
 - Responsible for the processing of personal data
For the purposes of GDPR Articles 4 and 24, the data controller is the UC, based in Paço das Escolas, 3004-531 Coimbra, since it is the entity that decides which data are collected, the material and human means used in the treatment, the storage period and their purpose.
 – Collection of personal data (object)
Data may be provided directly by the data subject, may be collected within the relationship established with the data subject and may also be requested and processed with the data subject's consent. The UC collects personal data in person, by telephone, in writing or through computer systems, including, in particular, when Users visit our website, subscribe to newsletters, respond to surveys, fill out forms or other features or resources available on the website. All data collected through forms contain their protection clauses, which comply with the provisions of the data protection regulations, and in all cases the UC only treats personal data deemed appropriate, relevant and not excessive, in order to comply with the specific, explicit and legitimate purposes for which they are intended.
 - Collection of personal data (types)
The UC, in the scope of its activities, collects and treats personal data, necessary for the accomplishment of its attributions, according to the terms of the Legal Regime of the Higher Education Institutions, Law no. 62/2007, September 10th (RJIES), of the Statutes (Normative Order No. 8/2019, of March 19th) and other legal and administrative obligations.
Accordingly, the collection and processing of personal data will be determined by the purposes underlying each of the UC's areas of activity, and the following categories of personal data will be collected and processed:
- Identification data, including image for the protection of people and assets;
- Family life data, social or financial circumstance;
- Education, training and employment data;
- Attendance and disciplinary data.
The processing of special category data is performed in limited circumstances, always in accordance with the law, and with the prior and explicit consent of their holders. This data may be:
- Racial or ethnic;
- Political opinions or trade union membership;
- Religious or philosophical beliefs;
- Sexual life or orientation;
- Health, genetic or biometric data for the purpose of person identification;
Respecting the principle of minimization, the personal data requested are those strictly necessary to comply with the legal provisions that the UC must comply with.
 – Processing of personal data (object)
The processing of personal data includes, but is not limited to, the collection, registration, consult, use, adaptation, alteration, storage and destruction of data.
 – Data processing (Information to be provided to the holder)
The information about the processing of personal data is provided to the data subject at the time of data collection or, if the personal data was obtained from another source, within a reasonable period of time, depending on the circumstances.
Given the diversity of situations that entail the collection and processing of personal data, at the time of collection, the UC provides the holder of the personal data detailed information on the use that will be made of the information, namely:
I. Unambiguous identification of the data controller and processor, if applicable;
II. DPO’s contact (EPD-UC).
III. The purpose(s) for which personal data are intended, as well as the legal basis for their processing.
IV. The recipient(s) or categories of recipients of personal data (if applicable).
V. Identification of the data subject’s rights.
VI. The data retention period or the criteria used to define this period.
 – Processing of personal data (lawfulness)
The legal basis for the processing of personal data is based on the performance of a contract to which the data subject is a party (with the UC) or pre-contractual due diligence at the request of the data subject, as applicable. Thus, and in compliance with the GDPR recommendations, the processing of personal data depends on the verification of legitimacy conditions and verification of lawfulness, loyalty and transparency in relation to the data subject.
The processing is lawful if at least one of the following situations (GDPR paragraph 1, article 6) occur:
I. the data subject has given prior consent – In certain cases, the UC will only process data if the data subject consents, for example, to the processing of “special categories” of data or personal data of minors (point. a));
II. is necessary for the performance of a contract – the UC will process the data to comply with its contractual requirements in which the data subject is an interested party (point. b));
III. is necessary for compliance with a legal obligation – in cases that the UC has a legal obligation to process or provide personal data to other entities, for example Ministry of Tutela (Guardianship) (point. c));
IV. is necessary in order to protect the vital interests of the data subject or of another person - in extreme circumstances, the UC may have to provide information to protect the interests of the holder or the interests of others, for example in medical emergencies (point. d));
V. is necessary for the performance of a task carried out in the public interest or in the exercise of official authority – the UC is a teaching establishment and its educational activity, in particular, is conducted by the public interest (including its interest and the interest of others, point. e));
VI. is necessary for the purposes of the legitimate interests - which is generally in the interest of the UC (or others) to provide or support higher education provision to its students (point. f)).
 - Processing of personal data (purposes)
The use of the collected data and its processing aims: the rendering of services to the holder; to provide support; to administer; to facilitate and manage the path of the data subject as a community member; to complement or support the missions of the institution and to meet the statutory and supervisory requests. It is also intended, with the prior consent of the holder, to provide information on products, services, marketing activities, campaigns, statistics and personalized content. Data processing is aimed at:
- Emergency situations;
- Research, investigation and archive;
- Granting direct and indirect social support;
- Promotion and dissemination of the UC activities;
- Official and regulatory reports, as well as accounting/financial reports;
- Administrative purposes, including academic, financial and human resource management, as well as administration of access to facilities or services and attendance;
- Higher Education Statistics Agencies and other entities with legal authority to process data relating to higher education matters, in Portugal or in the European Economic Area.
 - Security measures
As responsible for the processing of personal data and information, the UC ensures that it implements and promotes appropriate and effective technical and organizational measures to comply with data protection principles, with the aim of ensuring permanent confidentiality, integrity, availability and resilience of their processing systems and services.
The widespread use of computer systems for data processing does not exclude the possibility that under certain circumstances the UC will use other media for data collection and processing. In any case, the UC ensures administrative, technical and organizational measures against possible misuse or unauthorized access.
However, it is the responsibility of the users/holders to ensure and guarantee that their computers are adequately protected against harmful software, computer viruses and worms (self-replicating programs mostly for the purpose of uploading backdoors on computers). In addition, they should take other security measures such as the safe configuration of the navigation program or the use of software to create a security barrier.
 – Limitation of Liability
The UC reserves the right to adjust its website using conditions at any time and is not liable for any damages resulting from access to the website, even if they result from access to outdated contents or from virus contact by accessing different networks.
 - Cookies
 - Retention period of personal data
The retention period of personal data is that set by law or guidelines or, in its absence, it shall be the necessary period for the pursuit of the purpose that motivated its collection and processing, after which the personal data are deleted.
However, for the purpose of data processing for public interest archives, for scientific or historical research purposes or for statistical purposes, the UC may retain some of the data for longer periods, without prejudice to the application of the appropriate protection of the rights and data subject's freedoms, in accordance with the applicable law.
These guarantees imply the adoption of technical and organizational measures designed to ensure, among others, respect for the principle of data minimization and pseudonymisation.
 - Data subjects' rights of access, alteration and erasure ‘right to be forgotten’
Upon verification of the legally provided conditions, the UC guarantees to data subjects the right to access, update, rectify, delete, limit or opposition to the processing of personal data concerning them.
The right of access can be exercised through in-person contact, the contact indicated at the time of data collection or by e-mail epd(at)uc.pt.
 - Subcontractors and transfer of data to third parties
The UC, within its competence, may use subcontractors to provide services. When data processing is performed by a subcontractor or third party to whom data are transmitted, the UC shall verify if they provide guarantees on appropriate technical and organizational measures, so that the processing complies with the GDPR requirements and safeguards the data subject’s rights.
In these cases, the processing is regulated by contract or other normative instrument, which binds the subcontractor or the third party to the UC (data controller) guidelines, as the data controller entity. The contract with the subcontractor states:
- The data location;
- The nature and purpose of data processing;
- The obligations and rights of each party;
- Object definition and processing duration;
- Identification of the subcontractor's DPO, if applicable;
- The type of personal data and categories of the data subjects;
- Security and privacy measures, applicable European standards;
- The subcontracting conditions and the subcontractor's confidentiality policy;
- The densification of the subcontractor's obligations to notify personal data breaches;
- The provisions concerning the non-transfer of data to countries outside the EU, or, if the transfer is necessary, to invoke which are the suitability decisions pursuant to GDPR Articles 44 to 50 and points 101 to 116;
The UC is bound to law and administrative procedures and is therefore obliged to provide information to other entities, namely:
- Professional entities;
- Insurance companies;
- Research Institutions;
- Other public institutions;
- Higher Education Accreditation Entities;
- Organizations in the framework of Social Action in Higher Education;
- Partner universities for Erasmus program or equivalent;
- Financing Agencies / Partner Institutions submitting applications for national or community funding.
When sharing personal information with one of these entities, the UC will take all necessary measures and/or actions to confirm that they will perform their duties in accordance with GDPR principles.
 - Data Protection Officer (DPO)
Pursuant to GDPR article 37, the UC has nominated a DPO who can be contacted by e-mail epd(at)uc.pt.
Among other functions, the DPO is responsible for:
i. Monitoring the compliance of data processing according to the applicable standards;
ii. Being a point of contact for the clarification of issues related to data processing
iii. Cooperating with the CNPD as supervisory authority;
iv. Provide information and advise the UC, or subcontractors, on their privacy and data protection obligations.
 – Supervisory authority
The supervisory authority is the CNPD, located in Rua de São Bento n.º 148-3.º, 1200-821 Lisboa.
|Now that you have read our commitment, be sure to lock the screen whenever you leave your computer.|