ISEG – Lisbon School of Economics and Management, Universidade de Lisboais committed to protecting and respecting the privacy of the holders of personal data, guaranteeing the confidentiality and integrity of the information, in compliance with the General Regulation for the Protection of Personal Data (GRPD) and the Portuguese Data Protection Law 58/2019 that is in force.
The processing of holders’ personal data is carried out by ISEG, within the scope of its mission as a higher education institution, with the following legitimacy and purposes:
|Category of the holders of personal data||Legitimacy or legal foundation||Purpose||Categories of those who have access to personal data|
|Student Applicants, Alumni, and Other Visitors||Consent||Information and communication||Events organisers|
|ISEG Students||Study Contract; Specific consent (for image and employability activities); Legal obligations; Defence of vital interests; Legitimate interests of ISEG (identification for security purposes)||Teaching – learning; Student satisfaction evaluation; Emergency response||Guardians and legal and official entities (including auditors and inspectors); Insurance companies; Banks (for ISEG card holders); Employability partners; Emergency Services|
|Faculty and Non Faculty Staff||Employment contract; Service provision contract; Legal obligations; Defence of the vital interests of the data holder; Public interest||Implementation of the mission, organisational objectives, and legal obligations||Guardians and legal and official entities (including auditors, inspectors, solicitors); Insurance companies, and Company doctors; Banks (for ISEG card holders)|
|HEEs and Partners||Contract/Partner agreements||Communication and joint participation in mission-related activities||Guardians and Event Organisers, Insurance companies|
|Suppliers||Contract; Legal obligations||Communication as part of the Provision of Services||Tutela e entidades legais e oficiais (incluindo auditores e inspetores)|
ISEG can process different types of personal data for various purposes, namely:
· Identification data (such as name, date of birth, identification document number), contact details (such as mobile phone, address, or e-mail);
· Qualification and professional status data (such as education, performance appraisal);
· Bank, financial, and transaction details (such as IBAN, tax identification number);
· Specific data (health, infractions, or criminal offences);
· Recorded images at events;
· CTTV surveillance images.
In accordance with ISEG‘s data retention policy, personal data will be destroyed as soon as its legitimacy and purpose ends, that is to say, within the period considered adequate and/or necessary to fulfil the objectives for its collection, in accordance with the applicable laws.
ISEG periodically evaluates the risks of breach of privacy for its holders and implements the technical and organisational measures which are considered appropriate within the organisation’s ability to prevent loss, misuse, alteration, unauthorised access, and misappropriation of the personal data which has been provided or transmitted.
When data processing is carried out by third party subcontractors (processors), a contract is established between the parties regarding GDPR compliance, in order to guarantee that the data processing meets the agreed requirements and that it ensures the defence of the rights of personal data holders.
As a holder of personal data, you are entitled to the following rights:
1. The right to obtain confirmation that your personal data are subject being processed, and, if applicable, the right to access your personal data and access the information provided for by law;
2. The right of the ISEG Services to rectify inaccurate or incomplete data about yourself, without undue delay;
3. The right to request the deletion of your data when personal data are no longer necessary for the purpose for which they were collected, without undue delay;
4. The right to request the limitation of the processing of your data in certain cases, namely, if the processing is unlawful and if you oppose the deletion of the data, whilst equally requesting the limitation of its use;
4. The right to the portability of your personal data which you provided to ISEG, in a structured format for common use and automatic reading, which also includes the right to transmit this data to another processing entity;
6. If the processing depends on your consent, you have the right to withdraw it;
7. The right to file a complaint with ISEG’s Data Protection Officer (DPO) and Universidade de Lisboa, by sending an email to email@example.com and/or the Controlling Authority — the CNPD.
In order to exercise your rights, you must submit a request in writing by email to firstname.lastname@example.org or to the official email addresses published on the ISEG website. For your security and whenever deemed necessary, the Services will request additional information to confirm your identity.
The Dean of ISEG
Professor Clara Raposo, PhD
V02 of the 22.07.2020