Cookies Policy

Introduction

A connection token (cookie), within the scope of the HTTP communication protocol, is a small file containing alphanumeric information stored by the browser in the device's local storage when the user accesses a website. Each time the user visits a website, the browser returns the cookie with information about the user's activity.

The University of Coimbra (UC) website uses cookies, mainly to improve the browsing experience of users within its website, eliminating the need to repeatedly enter the same information, such as the language in which the website is displayed, increasing the speed and efficiency of response, thus providing a better browsing experience.

The cookie law, the common name given to the European e-Privacy Directive (Directive 2002/58/EC), adopted in Portugal through Law No. 41/2004 of 18 August, with new wording given by Law No. 46/2012 of 30 August on the ‘Protection of personal data and privacy in telecommunications’, reinforced the protection of users of electronic communications networks and services by requiring informed consent before storing information or accessing it through the user's (or subscriber's) terminal equipment.

This requirement applies to all types of information stored or accessible on the user's terminal equipment, including the use of cookies.

In this context, the Article 29 Working Party (WP29), in its Opinion 4/2012, considers that the protection of these users should provide for two exceptions to the requirement of information and consent for the use of cookies:

- When its purpose is indispensable for communication to take place via an electronic communications network, “at least 3 elements that can be considered as strictly necessary for communications to take place over a network between two parties:

1) The ability to route the information over the network, notably by identifying the communication endpoints.

2) The ability to exchange data items in their intended order, notably by numbering data packets,

3) The ability to detect transmission errors or data loss.”

-When its purpose is strictly necessary for the provision of an information service expressly requested by the user, two conditions must be met simultaneously:

“1) The information society service has been explicitly requested by the user: the user (or subscriber) did a positive action to request a service with a clearly defined perimeter.

2) The cookie is strictly needed to enable the information society service: if cookies are disabled, the service will not work.”

Cookies – Data controller

Cookies can be classified according to their ownership (responsibility) as follows:

first-party cookies – processed by the entity responsible for the website (domain);

third-party cookies – processed by an entity other than the one responsible for the website.

This classification differs from that used by internet browsers, since they consider third-party cookies to be those sent by a domain other than their own, as is the case with Google Analytics cookies, although many consider them to be first-party cookies if the code is loaded directly into the domain. However, even in this case, it is Google that defines the purpose and means of processing, so it will always be a third-party cookie (CJEU, judgment of 16 July 2020 – Schrems II case, C-311/18, made it clear that the website owner cannot use the technical argument to excuse itself from this responsibility).

First-party cookies used strictly for statistical purposes, which only collect aggregate data, although consent is required, have no significant impact on user privacy. On the contrary, third-party cookies take on a global expression, with the ability to discreetly and intrusively track users on the various interests they signal on the internet (active or passive digital footprint), with a view to building profiles, and with these being able to direct content to them in line with their preferences.

Cookies – duration

Cookies can be collected and stored locally on the device through:

session cookies – these only work for one session, collecting user preferences such as language, or to maintain authenticated user sessions, and are automatically deleted when the browser is closed;

persistent cookies – collect information needed between sessions, such as indicating that the user has already read the privacy policy, remaining on the device for a specific period or until deleted by the

Cookies – purpose

Cookies may be collected and stored locally on your device through:

essential cookies – these collect information necessary for the website to function and to provide services requested by the user, allowing, for example, access to secure areas. Acceptance of these cookies is a condition for using the websites;

functional cookies – collect preferences and personalise functionality to help ‘remember’ the user's preferences for browsing the website, thus avoiding the need to reconfigure or personalise it each time it is used. Accepting these cookies allows, for example, consistent information to be verified, or to ‘remember’ the possibility of registering on a form. This type of cookie can be controlled by the user through the browser settings, and this restriction may have an impact on browsing functionality;

analytical cookies – collect statistical information about the use of the website, to measure the number of visits and their origin, thus helping to identify the most visited contents and allowing to send contents to be tailored to users' preferences (audience statistical measurement tool for websites);

social media cookies – these are set by a range of social media services to enable users to share content on their social media accounts. They can track a user’s browsing on other websites and build up a profile of their interests. This may affect the content and messages users see on other websites they visit;

advertising cookies – advertising target based on the user's interests.

Cookies - examples

User input cookies – necessary to ensure information services expressly requested by the user, they are usually associated with a session identifier (a unique temporary and random number) that is deleted when the session ends. These cookies retain the data entered by the user following an exchange of messages with the service provider (e.g. forms or shopping baskets);

Authentication cookies - necessary to allow users to authenticate themselves on a service expressly requested by them, on successive visits to a website, in order to gain access to authorised content from the moment they log in, without this authentication being used for other secondary purposes, such as non-consensual advertising. The preservation of the cookie beyond the end of the session (persistent cookie - memorise the cookie), for subsequent automatic recognition, must have the user's consent;

Cookies used to enhance the security of a service expressly requested by the user (user-centric security cookies) may persist beyond the session, to the extent necessary to fulfil the purpose, such as detecting unsuccessful attempts to log in to a website. However, this exemption does not apply to cookies related to website security or to third-party services that have not been expressly requested by the user;

Multimedia player session cookies (flash cookies - Adobe technology) – strictly necessary for the presentation of audio or video content, they are deleted at the end of the session;

Load-balancing cookies – necessary for associating the session with the respective server, with a duration no longer than the session itself. This type of cookie is necessary to distribute the processing of requests from a web server across a group of machines, rather than just one (load balancer). The information contained in the cookie is used solely to identify the ends of the communication chain;

User interface customisation cookies (UI customisation cookies) – used to remember preferences set by the user, such as language. These cookies may be session or persistent cookies, but their perpetuation must be decided by the user.

Cookies exempt from consent

essential, for the duration of a session, for the proper functioning of the website;

authentication, for the duration of a session, used to provide authenticated services;

security, for a limited or persistent duration, user-centred and used to detect authentication abuse;

created by a media player, for the duration of a session;

created to balance the load during a session;

third-party cookies for sharing content between members connected to a social network.

The recommendations of the WP29 (WP 259_rev01, 10 April 2018) should be taken into account, namely that ‘consent does not legitimise the collection of data that is not necessary for the specific purpose of the processing’.

Cookies NOT exempt from consent

The obligation to obtain consent does not depend on whether or not the cookie collects personal data, but rather on the fact that it poses a risk to the user's privacy, namely by installing identifiers on their device that subsequently do so without their knowledge. Therefore, cookies that are not strictly necessary for the provision of an information service may only be used with the user's prior and explicit consent.

In this case, the use of cookies must be accompanied by the provision of information to the user, namely their purposes, their lifetime and the identification of the person responsible for their processing (Article 5(3) of Directive 2002/58/EC, as amended by Directive 2009/136), leaving open the possibility of consent being specific for each purpose, without dispensing with intelligible, clear and simple information, and allowing the user to easily revoke consent by creating an on/off button).

This consent requirement covers:

social media extension cookies for tracking users, both members and non-members, generally for the purpose of behavioural advertising, analysis or market research;

third-party cookies used in behavioural advertising, including testimonials for the purposes of frequency capping, financial history and advertising affiliation, click fraud detection, market research and analysis, product improvement and debugging, as none of these purposes relate to the product or to service functionality of the information society expressly requested by the user (Do Not Track) – [According to Opinion 2/2010 and Opinion 16/2011 of the GT29, advertising network providers must implement data retention policies that ensure the automatic deletion of information collected each time a cookie is read, after a justified period of time (necessary for the purposes of processing)];

analytical cookies, as an audience statistical measurement tool for measuring the number of unique visitors, for detecting search engine keywords that lead to a website, or for other aspects of navigation. Although this tool is often considered ‘strictly necessary’ for website operators, it is not, to provide a functionality expressly requested by the user (the GT29 considered that first-party analytics cookies are not likely to create a risk to privacy when they are limited to aggregate statistics and when they are used by websites that provide clear information about these cookies, as well as privacy safeguards, such as the use of easy-to-use mechanisms to exclude any data collection and make the data completely anonymous).

Cookies in external website link content

To support content publication, images from other websites, such as YouTube or Flickr, are sometimes included. Visits to these websites are subject to cookie policies over which UC has no control.

Cookies created by sharing tools

UC websites include ‘share’ buttons that allow users to easily share content across various networks. These are subject to other cookie policies over which UC has no control.

Disabling cookies

You can block the creation of cookies by activating a browser setting that will allow you to refuse all or some cookies. Below you will find links to help pages for the main internet browsers. However, blocking all cookies (including session cookies) may limit or prevent access to some content on the UC website.

Microsoft Edge

Internet Explorer

Firefox

Chrome

Safari

Opera

Safari iOS

Cookies used

UC websites use different cookie settings, depending on the purposes of data processing, as defined by those acting on behalf of the entity, as the controller of personal data. In this regard, we can characterise these types of cookies into five levels:

The first group refers to cookies that are common to the www.uc.pt portal, which include:

^Name	^Duration	^{Type of cookie}	^Description
^SAPISID	^Persistent	^Essential	^{Service for storing user preferences, e.g. language and browser preferences.}
^{SEARCH_SAMESITE}	^Persistent	^Essential	^{Prevention service browsers to prevent cookies from being sent to other websites.}
^SOCS	^Persistent	^Essential	^{Service that stores information about user behaviour through continuous observation of their browsing habits.}
^SIDCC	^Session	^Essential	^{Identification provision service,}
^ucpagess	^Session	^Essential	^{Service to maintain the proper functioning of the website.}
^_shibsession	^Session	^Essential	^{Federated authentication/session platform.}
^SID	^Persistent	^Functional	^{YouTube video playback service embedded in the website.}
^{__Secure-1PAPISID}	^Persistent	^Analytical	^{Website user profile building service to provide personalised Google advertising deemed relevant.}
^{__Secure-1PSID}	^Persistent	^Analytical	^{Website user profile creation service, to provide personalised Google advertising deemed relevant.}
^{__Secure-3PAPISID}	^Persistent	^Analytical	^{Website user profile creation service, to provide personalised Google advertising deemed relevant.}
^{__Secure-3PSID}	^Persistent	^Analytical	^{Website user profile creation service, to provide personalised Google advertising deemed relevant.}
^{__Secure-3PSIDCC}	^Persistent	^Analytical	^{Website user profile creation service, to provide personalised Google advertising deemed relevant.}
^{__Secure-3PSIDTS}	^Persistent	^Analytical	^{Website user profile creation service, to provide personalised Google advertising deemed relevant.}
^AEC	^Persistent	^Analytical	^{Service to ensure that requests in a session are made by the user and not by third parties.}
^APISID	^Persistent	^Analytical	^{Service for playing YouTube videos embedded in the website and collecting video location information to integrate into Google Maps.}
^ar_debug	^Persistent	^Analytical	^{Service used by Google Ad Service to debug advertisements.}
^DSID	^Persistent	^Analytical	^{Service used to identify users browsing non-Google websites, storing information about ad preferences.}
^DV	^Persistent	^Analytical	^{Personalised advertisement delivery service.}
^HSID	^Persistent	^Analytical	^{Fraud prevention service.}
^IDE	^Persistent	^Analytical	^{Personalised advertisement provision service.}
^SSID	^Persistent	^Analytical	^{Service for collecting digitally signed and encrypted records of the user's Google account ID and last login time.}
^{VISITOR_INFO1_LIVE}	^Persistent	^Analytical	^{Bandwidth estimation service used on websites with embedded YouTube videos.}
^{VISITOR_PRIVACY_METADATA}	^Persistent	^Analytical	^{Cookie consent status storage service for the current domain.}
^{__Secure-1PSIDCC}	^Session	^Analytical	^{User profile identification service to provide personalised advertising from Google.}
^{__Secure-1PSIDTS}	^Session	^Analytical	^{User authentication service, session preference storage, and security measures implementation.}
^YSC	^Session	^Analytical	^{YouTube service for storing user browsing history.}
^{Google Analytics, _ga e _utm(a,…z)}	^Session	^Analytical	^{Counts the number of visits and origin of accesses so that we can assess and improve the website's performance.}

^{(updated on 01/08/2025)}

The second group relates to websites managed by SGSIIC, supporting the authentication or supporting the platforms that use cookies such as:

^Name

^Duration

^{Type of cookie}

^Description

^idp.uc.pt

^{idpsaml.uc.pt}

^Session

^Essential

^{Supports single sign-on functionality (federated authentication – UC email and password).}

^{DirectAdmin - website hosting system}

^da.ci.uc.pt

^{KT - Document management system}

^dms.ci.uc.pt

^Session

^Essential

^{Applications supporting applications, access to repositories and hubs (control panels) of pages and other services.}

^{(updated on 02/12/2024)}

The third group, directly related to management applications administered by SGSIIC, which include:

^Name

^Duration

^{Type of cookie}

^Description

^{NONIO – Academic management system}

^{inforgestao.uc.pt}

^{inforestudante.uc.pt}

^{infordocente.uc.pt}

^{Lugus - Process management system}

^lugus.uc.pt

^{UC identification card management system}

^{humpback.ci.uc.pt}

^{RT – Hekpdesk system}

^{suporte.uc.pt}

^{MAILMAN - mailing list system}

^ml.ci.uc.pt

^ml2.ci.uc.pt

^{LimeSurvey - Survey generation system}

^{surveys.uc.pt}

^{Apps - Personnel management hub}

^apps.uc.pt

^Session

^Essential

^{Support for basic features that require user authentication.}

^{(updated on 01/08/2025)}

The fourth group refers to Digital Building websites developed and maintained by UCFramework:

^Name	^Cookies	^Description
^www.uc.pt; ^{ucpages.uc. pt.}	^ucpages	^{Session cookie}
^www.uc.pt; ^MyUC; ^{ucpages.uc. pt;} ^{UC Apply;} ^{UC Competitions;} ^{UC Energy.} ^{UC Meetings;} ^{UC SocialSupport;} ^{UC Spaces;} ^{UC Teacher;} ^{UC Tasks;} ^{UC Student;}	^{AWSALB.* (AWSALB, AWSALBCORS, AWSALBTG, AWSALBTGCORS);} ^{Localstorage:} ^{aws_waf_referrer;} ^{aws_waf_token_challenge_attempts;} ^{awswaf_token_refresh_timestamp.}	^{Infrastructure/session cookies, for LoadBalancer control (WebAPI server controller), connection to the UCPAGES API, to obtain data on UC courses and news.} ^{Local storage: definition of various session keys/local configuration of platforms to the browser. Firewall and web application tokens, protection against bots and resource-consuming exploits.}
^www.uc.pt	^{aws-waf-token}	^{Session cookie / security check against bots (captcha for humans).}

^{(updated on 02/12/2024)}

The fifth group refers to websites, regardless of whether they are hosted on SGSIIC or not, but which have their own cookie policy.

Other Information

Last revised in October 2025.

Do you accept the use of cookies?

Cookies Policy