The Social Security Bodies shall process Personal Data in accordance with the following principles established in Article 5(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, the General Data Protection Regulation (GDPR):
• Lawfulness, Fairness and Transparency
• Purpose Limitation
• Data minimisation
• Storage Limitation
• Integrity and Confidentiality
The Social Security Bodies shall define the appropriate technical and organizational security measures to effectively implement the Personal Data protection principles, complying with the legislation in force, and protecting the rights, freedoms and safeguards of the Data Subjects.
The Social Security Bodies shall impose the same level of Personal Data protection to all their suppliers or service providers through the conclusion of specific contracts for this purpose.
The Social Security Bodies shall have an internal Personal Data Protection Organisation to ensure compliance with the Personal Data protection rules, supported by Data Protection Officers.
General principles
The Social Security Bodies are committed to processing Personal Data in accordance with the applicable rules and legislation. Therefore, they shall develop tools and implement actions aimed at ensuring and monitoring the effectiveness of Personal Data protection.
The Social Security Bodies shall have several internal policies and procedures to raise their employees' awareness of the importance of protecting Personal Data, to provide them with operational guidance on how to comply with the Data Protection legislation, and to monitor compliance with the Personal Data protection rules.
The Social Security Bodies are committed to carrying out a training and communication programme in order to raise their employees' awareness of information security and Personal Data privacy matters.
Privacy Notice
The Social Security Bodies shall process Personal Data in a lawful manner, under the terms of Articles 6 and 9 of the GDPR.
The Data Subjects shall have the right to be informed about the processing of their data and, at any time, the rights of access, rectification, erasure, update, restriction of processing and portability of their data, as well as the right to object and the right not to be subject to automated individual decision-making on their Personal Data, including the right to withdraw consent, in accordance with the GDPR or the applicable law. To this end, they shall have access to the information indicated in the contact point.
Data Subjects have the right to lodge a complaint with the competent Supervisory Authority in case of infringement of the applicable rules concerning Personal Data protection.
In the event of a breach of Personal Data, the data controller (the Social Security Bodies) shall notify the breach to the competent Supervisory Authorities and communicate it to the Data Subject when justified, in accordance with Articles 33 and 34 of the GDPR.
Why and how are Personal Data collected?
The Social Security Bodies process the Personal Data required for the fulfilment of their tasks, through their information and transactional channels.
The Personal Data are collected by interconnection, communication of filing systems or obtained from the Data Subjects.
What is the legal basis for the Processing?
Social Security Bodies only process Personal Data in the situations provided for in the GDPR.
What is the storage period of Personal Data?
The Social Security Bodies shall store the Personal Data in accordance with the periods established by the legislation in force, namely for the fulfilment of their missions and tasks.
The Social Security Bodies shall never store Personal Data for a period longer than necessary. These data are stored to fulfil the purposes for which they were collected and are being processed, namely for the fulfilment of legal duties (e.g.: archiving purposes, auditing, public procurement, accounting and tax duties), and resolution of legal disputes. Circumstances may vary depending on the context and type of Personal Data.
How are Personal Data shared?
The Social Security Bodies shall ensure that:
- Personal Data are not made available to third parties without the prior consent of the Data Subjects whenever this is legally necessary;
- Personal Data are not made available, free of charge or on a cost basis, for purposes such as direct marketing, including mailing lists for advertising products and/or services.
- The processing of aggregated data (such as locality, age and other data) for purposes considered to be of public interest, namely in the context of statistical production, is lawfully carried out in accordance with Article 89 of the GDPR. In this context, personal identification elements such as the Name, ID Number, Citizen Card or Taxpayer Number, or private information are not made available.
- Personal Data are made available only upon request by a legal or public authority with legal powers to do so, in accordance with the legislation in force.
- The confidentiality and security of Personal Data is ensured while it is made available to the above-mentioned recipients.
Security Measures
The Social Security Bodies follow organisational and technological security standards, and effective practices in information security management, to protect the confidentiality, integrity and availability of information, as well as to ensure reliability in the exchange of Personal Data between institutions.
The Information and Technology Institute, I.P. (Instituto de Informática, I.P.) applies the international standard ISO/IEC 27001, Community standards and legislation, as well as specific national recommendations on information security.
The Social Security Bodies shall have all the necessary technical and organisational measures to ensure a level of security of Personal Data adequate to the risks that may occur in the Personal Data processing and, in particular, to protect Personal Data against destruction, loss, alteration, unauthorised disclosure or accidental or unlawful access.
Within the scope of information and transactional channels, the Social Security Bodies have established appropriate technical and organizational measures to ensure the security of Personal Data.
The same level of protection is contractually imposed by the Social Security Bodies on their suppliers and service providers.
Data Subject Rights
In accordance with the applicable rules regarding Personal Data protection, the Data Subject has the right, at any time and upon request, to access, rectify, erase (be forgotten) and transfer his/her Personal Data, under the terms established by Article 20 of the GDPR; he/she also has the right to restrict and object to the processing of his/her Personal Data.
For this purpose, the Data Subject must submit the form available in the Contacts tab.
When the Processing is based solely on the Data Subject consent, he/she has the right to withdraw this consent at any time.
In his/her own interest, the Data Subject must keep his/her Personal Data updated and, for this purpose, he/she must contact the competent authority.
Data Subjects have the right to lodge a complaint with the competent Supervisory Authority in case of a breach of the applicable rules in relation to the protection of Personal Data.
The Data Protection Officer
Data Protection Officers shall inform and advise the controller or the processor and the employees who carry out the processing, on the applicable requirements for the protection of Personal Data, and monitor compliance with these requirements.
The Data Protection Officers shall cooperate and act as contact points with the competent Supervisory Authorities and Data Subjects.
FAQ - Frequently Asked Questions
1 - What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation entered into force on 25 May 2018 through Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. It aims to respond to the challenges arising from the technological developments of the last decades and to better protect Personal Data, the rights of EU citizens and the free movement of data.
The GDPR aims to:
1. Reconcile the data privacy laws of the EU Member States;
2. Protect and strengthen the privacy of all EU citizens;
3. Restructure the way organisations address data privacy.
2 - What is Personal Data?
It is information relating to an identified or identifiable natural person ('Data Subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
3 - What are the special categories of Personal Data?
Special categories of Personal Data based on the GDPR, or sensitive data, are Personal Data that reveal ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership and the processing of genetic and biometric data for the purpose of uniquely identifying a natural person, health data or data related to a person’s sexual life or sexual orientation.
4 - To whom does the General Data Protection Regulation (GDPR) apply?
The GDPR applies to all natural and legal persons that process Personal Data on EU residents, even if they are based outside the EU.
5 - Data Subjects
5.1 - What are the Data Subjects rights under the GDPR?
• Right to information and access to his/her personal data;
• Right to restriction of processing;
• Right not to be subject to automated decision-making;
• Right of portability;
• Right to transparency;
• Right to notification;
• Right to rectification, erasure and opposition.
5.2 - How can the Data Subjects exercise their rights?
6 - Consent
6.1 - Is the Data Subject required to give consent for the processing of his/her Personal Data, in order to be entitled to Social Security benefits?
No. According to Article 6(1) of the GDPR, the processing of Personal Data by the Social Security (Bodies) is lawful when it is necessary for the performance of a task carried out in the public interest (subparagraph e) and for compliance with a legal duty to which the Social Security body is subject (subparagraph c), under the terms established by law.
6.2 - Do Social Security employees (Bodies), in the performance of their duties, need the consent of the Data Subject to carry out the processing of Personal Data?
The Social Security employees, in the pursuit of the Social Security (Bodies) mission and in the fulfilment of their legally foreseen duties, do not need the Data Subjects consent to carry out the processing of their Personal Data, provided that the processing is only carried out to comply with legal duties.
6.3 - How to report an incident/breach of Personal Data within the scope of the Social Security (Bodies) competences?
6.4 - How can a citizen request for clarification or ask information on Personal Data within the scope of the Social Security (Bodies) competences?
7 - Profile and tasks of the Data Protection Officer
The Data Protection Officer (DPO) is designated by the Social Security bodies according to his/her profile and shall carry out the following specific tasks:
7.1 - Tasks of the Data Protection Officer
- To inform and advise the controller or the processor and the employees who carry out the processing of Personal Data on the respective duties, in accordance with the Data Protection Law;
- To monitor the compliance with all the legislation on Data Protection by the respective Body, namely in audits (periodic or unscheduled audits), awareness raising activities and training of the staff involved in processing operations;
- To provide advice whenever a Data Protection Impact Assessment (DPIA) has been carried out and monitor its implementation;
- To act as the contact point for requests from individuals regarding the processing of their Personal Data and the exercise of their rights;
- To cooperate with the Supervisory Authority and act as the contact point on issues concerning the processing of Personal Data.
7.2 - Duty of secrecy and confidentiality
The Data Protection Officer shall be bound by a special duty of professional secrecy in the performance of the respective tasks, in accordance with Article 38(5) of the GDPR. This duty must continue to be fulfilled by the Data Protection Officer after the tasks that gave rise to the processing of the data have been concluded. In addition to the professional secrecy duty laid down by law, the Data Protection Officer shall also be bound by the duty of confidentiality.
8 - Data protection
8.1 - How do the Social Security bodies guarantee the protection of citizens' data?
In this context, the Social Security (Bodies) are committed to:
• Process the data lawfully and fairly, collecting only the information necessary and relevant to the purpose for which it is intended;
• Use the collected data only for the purposes explained at the time of the data collection and not interconnect the Personal Data, unless there is a legal authorisation for that, or an express consent given by the Data Subject;
• Keep the data accurate and, where appropriate, up to date;
• Ensure, when requested by the Data Subject, the exercise of the right of access, rectification, erasure and opposition;
• Have security systems that prevent unauthorised access to Personal Data or misuse of the Personal Data entrusted to them;
• Process the data in compliance with the professional secrecy duty;
• Keep Personal Data only for the minimum period necessary for the purposes for which they were collected, without prejudice to situations that may justify their retention for longer periods (for archiving purposes in the public interest, scientific or historical research or for statistical purposes) subject to appropriate technical and organisational measures.
8.2 - Secrecy and confidentiality
Data controllers, including processors, and all persons involved in any data processing shall be bound by the duty of confidentiality in addition to the professional secrecy duty laid down by law.
9 - Data processing
9.1 What is data processing?
Data processing is an operation or a set of operations carried out on Personal Data or on sets of Personal Data, by automated or non-automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
9.2 - What are the fundamental principles for the processing of Personal Data?
- Principle of lawfulness, fairness and transparency – Personal Data are processed lawfully, fairly and in a transparent manner in relation to the Data Subject.
- Purpose limitation principle – Personal Data are collected for specific, explicit and legitimate purposes and cannot be further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered incompatible with the initial purposes.
- Data minimisation principle – Personal Data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Principle of accuracy — Personal Data are accurate and, when necessary, kept up to date; all necessary measures must be taken to ensure that Personal Data that are considered to be inaccurate, taking into account the purposes for which they were processed, are erased or rectified without delay.
- Storage limitation principle – Personal Data are stored in a way that allows the identification of Data Subjects only during the period necessary for the purposes for which they are processed; Personal Data may be stored for longer periods, provided that they will be processed solely for archiving purposes in the public interest, for scientific or historical research purposes or statistical purposes, subject to the implementation of appropriate technical and organisational measures.
- Principle of integrity and confidentiality - Personal Data are processed in a way that ensures their appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.
- Accountability principle - The controller shall be responsible for the compliance with the principles relating to the processing of Personal Data and must be able to demonstrate it.
9.3 - Which categories of data are processed by the Social Security (Bodies)?
In addition to general Personal Data, some special categories of Personal Data are also processed. In any of these situations, the processing is limited to a specific, explicit and legally foreseen purpose, which gives the Social Security (Bodies) the legitimacy for the respective treatment.
9.4 - How does the duty of cooperation between public authorities laid down by the Portuguese Administrative Procedure Code (CPA – Código do Procedimento Administrativo) and the data protection duty laid down in the GDPR coexist?
The duty of cooperation between public entities laid down in the CPA remains in force; however, any and all transmission of Personal Data between public entities for purposes other than those determined by the data collection is of an exceptional nature and must be duly substantiated in order to ensure the pursuit of the public interest that otherwise cannot be safeguarded, as provided for in Article 6(1)(e), Article 6(4) and Article 9(2)(g) of the GDPR.
9.5 - What kind of information can be provided to other public bodies?
Outside the scope of each Social Security Body mission, in liaison with other Bodies, the existence of a legal basis for the processing of Personal Data carried out by these Bodies must be ensured. In the specific case of individual requests made by other public bodies, what legitimates the request is not the body in question, or the position of the person making the request [for example, an agent from the Public Security Police (PSP – Polícia de Segurança Pública) or a member of the Republican National Guard (GNR – Guarda Nacional Republicana), a lawyer, etc.], but the reasons given for the specific request, which must be examined in accordance with the purpose and the legal basis invoked.
9.6 - How may the right to information and transparency of public administration coexist with the right to data protection?
In the absence of absolute rights, the laws themselves can mitigate certain rights and prevent them from being exercised in certain circumstances (for example, the “right to be forgotten” will have little application in the context of Social Security). Thus, in specific situations that raise doubts about the possibility of coexistence of certain rights, the competent authorities shall examine and decide which of the rights must prevail.
In balancing the right to transparency of the Public Administration, overseen by the Commission for Access to Administrative Documents (CADA – Comissão de Acesso aos Documentos Administrativos), against the right to data protection under the GDPR, a proper balance must be ensured between the public interest, the legitimate interests of the Social Security Entities and the right to privacy, in which the duty to protect the Personal Data of individuals is particularly relevant.
10 - Collected Data
10.1 - What are the time limits for the processing and storage of Personal Data?
The time limits for the storage of Personal Data vary according to the purpose for which the information is processed.
Whenever there are no specific legal requirements, the data will be stored and kept only for the minimum period necessary to pursue the purposes for which they were collected or further processed, as defined by law.
10.2 - What should I do if I become aware that the data entrusted to Social Security (Bodies) are in the possession of third parties?
The GDPR has established very clear measures for these cases. There are time limits to communicate this information to the Data Protection Officer, who in turn will have to inform the National Data Protection Commission within a maximum period of 72 hours after becoming aware that the data have been compromised. If the infringement of the GDPR is likely to significantly affect the Data Subject, it may also be necessary to inform the person concerned.
10.3 - How to delete Personal Data?
Personal Data are stored and kept according to the purpose for which the information is processed.
Whenever there is no specific legal requirement, the data will be stored and kept only for the minimum period necessary for the pursuit of the purposes for which they were collected or further processed, as defined by law.
The GDPR does not make any distinction between paper and digital media. In all cases, it is necessary to ensure the effective destruction of the data. If the data are kept on paper, a paper shredder should be used. If the data are kept on digital media such as CDs/DVDs, these media must also be effectively destroyed. If the data are stored on a computer, after being deleted, it is important to ensure that the files stored in the Recycle Bin are also destroyed.
10.4 - Are Social Security bodies allowed to process special categories of Personal Data?
The Social Security bodies are allowed to process special categories of data, when necessary to comply with legal duties to which they are subject.
Contacts/"Data Protection Form"
The Data Subjects may submit requests within the scope of Personal Data protection (to exercise their rights, to request information or to report an incident/breach of Personal Data) to the Social Security Bodies and the Information and Technology Institute, I.P. (II, I.P.), namely through the following email addresses:
- Instituto da Segurança Social, I.P. (ISS, I.P.)
(The Social Security Institute)
Data Protection Officer of the ISS, I.P.
Avenida 5 de Outubro, n.º 175, 1069-451 Lisboa
E-mail address: ISS-EncarregadoProtecaoDados@seg-social.pt
- Instituto da Segurança Social – Açores, I.P.R.A
(Social Security Institute of the Azores)
Data Protection Officer of ISSA, IPRA
Avenida Tenente Coronel José Agostinho, 9700-108 Angra do Heroísmo
E-mail address: ISSA-EncarregadoProtecaoDados@seg-social.pt
- Instituto da Segurança Social – Madeira, I.P-RAM
(Social Security Institute of Madeira)
Data Protection Officer of ISSM, IP-RAM
Rua Elias Garcia, N.º 14, 3º Andar, 9054-503 Funchal
E-mail address: ISSM-EncarregadoProtecaoDados@seg-social.pt
- Instituto de Gestão Financeira da Segurança Social, I.P (IGFSS, I.P.)
(Social Security Financial Management Institute, P.I.)
Data Protection Officer of the IGFSS, IP
Avenida Manuel da Maia, n.º 58, 1049-002 Lisboa
E-mail address: IGFSS-EPD@seg-social.pt
- Instituto de Gestão de Fundos de Capitalização da Segurança Social, I.P. (IGFCSS, IP)
(Social Security capitalisation Fund Management Institute)
Data Protection Officer of IGFCSS, IP
Av. Fernão Magalhães, 1862 – 3º, Edifício Torre das Antas, 4350-158 Porto
E-mail address: IGFCSS.EPD@seg-social.pt
- Instituto de Informática, I.P. (II, IP)
(Information and Technology Institute)
Data Protection Officer of II, IP
Av. Prof. Dr. Cavaco Silva, no. 17 — Taguspark, 2740-120 Porto Salvo
Email address: II-EPD@seg-social.pt