Privacy Policy
Since May 25th, 2018, the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016) has applied, which established new rules on protection, processing and free movement of personal data of natural persons.
Santa Casa da Misericórdia de Lisboa, insofar as it handles personal data within the scope of the activity it develops in its different areas of action, in accordance with the organization’s statutory purposes, provided for in Decree-Law no. 235/2008, of December 3rd, guarantees the protection of those data, whose processing is carried out under the applicable legislation and this Privacy Policy.
SANTA CASA COMMITMENT
Through this policy, the institution undertakes, namely, to recognize the security of the personal data it processes and to ensure the protection of the privacy of the data subjects as fundamental dimensions of the organization’s activity, crucial for the full realization of its different areas of mission.
Misericórdia de Lisboa also provides information on the rules, principles and good practices that the organization observes in the processing of personal data entrusted to it, in accordance with the General Data Protection Regulation (GDPR) and other applicable legislation, and on the means that data subjects have at their disposal to exercise their rights.
DATA PROCESSING CONTROLLER
Within the scope of the activity that it develops in its different areas of activity, in accordance with the statutory purposes of the organization, Santa Casa da Misericórdia de Lisboa – a legal person governed by private law and administrative public utility, with single legal person number 500 745 471 – is a data processing controller entity, and can be contacted through the following channels:
Data processing controller
213 235 000
Address
Largo Trindade Coelho
1200-470 Lisboa
DATA PROTECTION OFFICER
As some of the organization’s main activities presume the processing of a large volume of data from special categories, Santa Casa has appointed a Data Protection Officer, responsible for ensuring, among other aspects, the compliance of the processing and protection activities of personal data under the institution’s responsibility, in accordance with applicable law and this policy.
Thus, the data subjects, if they so wish, can send a communication to the Data Protection Officer, regarding matters related to the processing of personal data, using, for this purpose, the following channels:
DATA PROTECTION OFFICER
Address
Largo Trindade Coelho
1200-470 Lisboa
E-mail
dadospessoais@scml.pt
PRIVACY POLICY MODIFICATIONS
Santa Casa has the right to carry out, at any time, readjustments or modifications to this Privacy Policy, such modifications being duly publicized on the SCML website and/or in other channels deemed appropriate.
COOKIES POLICY
On this website, session cookies are used only to analyze web traffic patterns, which allows us to identify problems and provide a better browsing experience.
All browsers allow the user to accept, refuse or delete cookies, namely by selecting the appropriate settings in the respective browser. Cookies can be set in the “options” or “preferences” menu of the user’s browser.
Note, however, that by disabling cookies, the user may prevent some web services from working correctly, affecting, partially or totally, navigation on the website.
PRIVACY POLICY
Personal data means any information, of any nature or support (sound, image), relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Sensitive data are all personal data that are subject to specific processing conditions. Some examples:
- Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs and union membership;
- Genetic data;
- Biometric data processed in order to unequivocally identify a person;
- Health-related data;
- Data relating to the person’s sexual life or sexual orientation.
Any natural person to whom the personal data relates.
In the context of the activity developed by SCML, the following subjects can be data subjects, among others:
- Users/operators of the social action services (which include responses for the general population; responses for the family, childhood and youth; responses for the elderly/dependent population; disability support responses; therapeutic follow-up responses; emergency responses);
- Users/operators of the health services (which include users of the Santa Casa Health Units, the Closer Health Program, the Alcoitão Rehabilitation Medicine Center, the Sant’Ana Hospital, the Continuous Care Unit Members Maria José Nogueira Pinto, from the Pousal Social Work and from the Calouste Gulbenkian Cerebral Palsy and Rehabilitation Center);
- SCML volunteers;
- Higher education students (Alcoitão College of Health);
- The players and mediators of the Jogos Santa Casa;
- SCML’s benefactors;
- The lessees of SCML’s properties;
- Users of SCML’s cultural services;
- The organization’s Human Resources.
SCML handles personal data of different nature and sensitivity, depending on each area of activity, as well as the purpose associated with the processing of such data, such as, for example, identification data (name, civil and tax identification numbers), contact details (address, telephone, email address), bank details (IBAN), financial/tax data, training and professional data, family data, and also, at the level of sensitive data, genetic and biometric data, data relating to health, credit and solvency data, and minors’ data.
In the context of the processing of personal data, SCML undertakes to observe the following fundamental principles:
- Principle of loyalty, lawfulness and transparency: personal data will be processed lawfully, loyally and transparently in relation to the data subject;
- Principle of limitation: personal data will be collected for specific, explicit and legitimate purposes, and will not be further processed in a way that is incompatible with those purposes;
- Principle of data minimization: personal data will be adequate, relevant and limited to what is necessary for the purposes for which they are processed;
- Principle of accuracy: personal data will be accurate and updated whenever necessary, with all appropriate measures being taken so that inaccurate data, taking into account the purposes for which they are processed, are erased or rectified without delay;
- Principle of limitation of retention: personal data will be stored in a way that allows the identification of the data subject only for the period necessary for the purposes for which the data are processed;
- Principle of integrity and confidentiality: personal data will be treated in a way that guarantees its security, including protection against its unauthorized or unlawful processing and against its accidental loss, destruction or damage, with suitable technical or organizational measures being adopted.
As the controller, SCML undertakes to ensure that the processing of data of the data subjects is only carried out in compliance with the aforementioned principles, and that it is in a position to be able to prove compliance with them (“Principle of demonstrated responsibility”).
SCML will only process personal data whenever at least one of the following situations occurs:
- Consent of the data subject: when the data subject has given his consent to the processing of his personal data, for one or more specific purposes, by means of a positive act which indicates a free, specific, informed and unequivocal expression of free will that the subject consents to the processing of their data, with SCML using clear, simple and intelligible language in obtaining such consent. The consent is obtained in writing (including by electronic means, namely through the validation of an option), with SCML keeping a record of it, as a way to prove that the subject has given his consent to the processing of his personal data. The data subject has the right to withdraw his consent at any time, and the withdrawal of consent does not compromise the lawfulness of the processing carried out based on the consent previously given. Whenever consent is required for the processing of personal data of children under the age of 16, with regard to the direct offer of information society services to these children, it will be obtained from the person who holds the parental responsibilities. Consent will not, however, be required in the context of preventive or counseling services offered directly to a child.
The data subject’s consent will be obtained by SCML, for example, prior to sending marketing communications.
- Execution of contract or pre-contractual measures: when processing is necessary for the execution of a contract to which the data subject is a party, or for pre-contractual measures at the request of the data subject.
This situation includes, for example, the processing of personal data of SCML workers within the scope of the management of the employment relationship established with SCML.
- Compliance with a legal obligation: when the processing is necessary for the fulfillment of a legal obligation to which SCML is subject.
This situation includes, for example, the processing of personal data in order to comply with the duty of identification and diligence to which SCML is obliged, under the terms of the law on fighting money laundering and the financing of terrorism (Law no. 83/2017, of August 18th).
- Vital interests: when processing is necessary to defend the vital interests of the data subject or other natural person.
In the context of the activity developed by SCML, this situation may occur in the context of providing care to a user of SCML’s health services, in case he is physically or legally incapable of giving his consent.
- Public interest/public authority: when the processing is necessary for the exercise of public interest functions or for the exercise of public authority in which SCML is invested.
This situation includes, for example, the processing of administrative offenses within the competence of the SCML Games Department, pursuant to Law no. 30/2006, of July 11th.
- Legitimate interest: when processing is necessary for the purpose of legitimate interests pursued by SCML or by third parties, unless the interests or fundamental rights and freedoms of the subject that require the protection of personal data prevail, especially if the subject is a child.
This situation includes, for example, the processing of data that is necessary to ensure the security of the network and information of SCML’s computer systems.
SCML can also process sensitive data under the following conditions:
- If the data subject has given his explicit consent to the processing of such personal data, for one or more specific purposes;
- When, under the terms of European Union law, national law or a collective agreement, the processing is necessary for the purposes of fulfilling obligations and exercising specific rights of SCML or the data subject in matters of labor law, social security and social protection;
- When processing is necessary to protect the vital interests of the data subject or other natural person, in case the data subject is physically or legally incapable of giving his consent;
- If the processing refers to personal data that have been clearly made public by the data subject;
- If processing is necessary for the declaration, exercise or defense of a right in a judicial process or whenever the courts act in the exercise of their jurisdictional function;
- If processing is necessary for reasons of relevant public interest, based on European Union law or national law;
- If processing is necessary for the purposes of preventive medicine or work, for the assessment of the employee’s work capacity, medical diagnosis, the provision of health care or processing or social action or the management of health systems and services or social action, based on European Union law or national law or pursuant to a contract with a healthcare professional;
- If processing is required for reasons of public interest in the field of public health, based on European Union law or national law;
- If processing is necessary for archival purposes of public interest, for scientific or historical research purposes or for statistical purposes, based on European Union law or national law.
Under the GDPR, national legislation may impose new conditions regarding the processing of genetic data, biometric data or health-related data.
Considering the diversity of its areas of activity, SCML handles personal data, namely, with the following purposes:
Social Action
Examples of purposes (Not exhaustive)
- Screening and registration of users for social assistance;
- Management of applications/registrations in social responses;
- Management of the allocation of cash benefits;
- Reception and processing of applications for professional training of users;
- Attribution of support products;
- Complaints and compliments management.
Health
Examples of purposes (Not exhaustive)
- User registration;
- Scheduling appointments/complementary diagnostic and therapeutic exams;
- Prescription of drugs and support products;
- Pharmacovigilance;
- Conducting clinical/scientific studies;
- Complaints and compliments management.
Social Games
Examples of purposes (Not exhaustive)
- Registration of bets on the State Social Games;
- Payment of prizes;
- Management of interactions and complaints and compliments;
- Selection of mediators of the State Social Games.
Quality and Innovation
Examples of purposes (Not exhaustive)
- Reception and processing of applications for funding scientific research projects;
- Registration of participants in social responsibility initiatives.
Economics and Social Entrepreneurship
Examples of purposes (Not exhaustive)
- Reception and processing of applications for social entrepreneurship programs.
Culture
Examples of purposes (Not exhaustive)
- Dissemination of cultural activities/programming;
- Register of users of the Historical Library and Archive.
Education and Training
Examples of purposes (Not exhaustive)
- Reception and processing of student applications for higher education and postgraduate courses.
Transversals
Examples of purposes (Not exhaustive)
- Human Resources: recruitment and selection of human resources; human resources management (attendance, schedule management, etc.); wage processing; performance evaluation; promotion of safety and health at work; attribution of social benefits to workers;
- Procurement: reception and processing of proposals presented in procurement procedures; execution of contracts established with suppliers;
- Financial Management: collection/billing management; payment management;
- Communication and Marketing: diffusion of internal and external communications; sending newsletters;
- Information technologies: reception and processing of requests for IT support;
- Physical security: physical access control; video surveillance of facilities;
- Transport: car fleet management;
- Studies, planning and management support: assessment of the degree of customer/user satisfaction; statistical processing of data for activity monitoring;
- Legal: litigation; administrative offenses; legal support to organizational units;
- Audit: execution of internal audits;
- Volunteering: reception and selection of volunteer applications.
Personal data are kept only for the period of time necessary to carry out the purposes for which they are processed, SCML complying, whenever applicable, with the retention periods legally established.
Without prejudice to the above, the data may be kept for longer periods, for the fulfillment of different purposes that may subsist, such as, for example, the exercise of a right in a legal proceeding, archival purposes of public interest, purposes of scientific or historical research or statistical purposes, with SCML applying the appropriate technical and organizational measures.
SCML may collect data directly (i.e., directly from the data subject) or indirectly (i.e., through third parties). The collection can be done through the following channels:
- Direct collection: in person, by phone, by email, through their websites and through customer areas;
- Indirect collection: through partners and other third parties, including official entities.
SCML assures data subjects the exercise of their rights, under the terms of the applicable legislation in the scope of personal data protection.
Right to information
The data subject has the right to be informed by SCML, prior to the processing of their data, about:
- The identity and contact details of SCML and, if applicable, its representative;
- Contacts of the Data Protection Officer;
- The purposes of the processing for which the personal data are intended, as well as the legal basis for the processing;
- The legitimate interests of SCML or a third party, if the processing of data is based on these legitimate interests;
- The recipients or categories of recipients of personal data, if applicable;
- The transfer of personal data to a third country or an international organization, and whether or not there is an adequacy decision adopted by the European Commission or reference to appropriate or adequate transfer guarantees and the means of obtaining a copy of them, if applicable;
- The period of retention of personal data or, if this is not possible, on the criteria used to define this period;
- The right to request from SCML access to personal data concerning him/her, as well as their rectification, erasure or limitation, the right to object to the processing and the right to data portability;
- The right to withdraw consent at any time, without compromising the lawfulness of the processing carried out on the basis of the consent previously given, if the processing of data is based on the consent of the data subject;
- The right to file a complaint with the national supervisory authority or other supervisory authority;
- Whether or not the communication of personal data constitutes a legal or contractual obligation, or a necessary requirement to enter into a contract, as well as whether the subject is obliged to provide personal data and the possible consequences of not providing such data;
- The existence of automatic decisions, including profiling, and information regarding the underlying logic, as well as the importance and expected consequences of such processing for the data subject, if applicable.
In case the data of the data subject are not collected directly by SCML, in addition to the information mentioned above, the data subject is also informed about the categories of personal data being processed and, as well, about the origin of the data (especially when they come from publicly accessible sources) and, in these situations, information is provided:
- Within a reasonable period after obtaining the personal data, not exceeding one month;
- At the latest at the time of the first communication to the data subject, if the personal data are to be used for communication purposes with the data subject;
- No later than at the moment of the first disclosure of personal data to another recipient, if such disclosure is foreseen.
Regardless of whether or not the data is collected from the data subject, and under the terms of the applicable legislation, SCML is not obliged to provide the information when and to the extent that the data subject is already aware of it.
Right of access
The data subject has the right to obtain from SCML confirmation that the personal data concerning him or her are or are not the object of processing and, if applicable, the right to access their personal data and the information provided for in the Right to Information.
Upon request of the data subject, SCML will provide, free of charge, a copy of the data subject’s data that are being processed. Providing other copies requested by the data subject may incur a reasonable fee, taking into account the associated administrative costs.
Right to rectification
The data subject has the right to obtain from SCML, upon request, the rectification of their personal data, as well as the right to have their incomplete personal data completed, including by means of an additional statement.
In case of data rectification, SCML communicates the rectification to each recipient to whom the data has been transmitted, unless such communication proves to be impossible or implies a disproportionate effort for SCML. If the data subject so requests, SCML shall provide information about the recipients.
Right to erasure of personal data (“Right to be forgotten”)
The data subject has the right to obtain, from SCML, the erasure of their data when one of the following reasons applies:
- The data of the data subject is no longer necessary for the purpose that motivated its collection or processing;
- The data subject withdraws the consent on which the data processing is based and there is no other legal basis for such processing;
- The data subject opposes the processing under the right of opposition and there are no prevailing legitimate interests that justify the processing;
- If the data of the data subject is processed unlawfully;
- If the data of the data subject has to be erased in order to comply with a legal obligation to which SCML is subject;
- If the data of the data subject has been collected in the context of an offer of information society services to children.
Under the terms of applicable legislation, SCML has no obligation to erase the data of the data subject to the extent that the processing proves to be necessary for:
- The exercise of freedom of expression and information;
- The fulfillment of a legal obligation that requires processing, provided for by the Union law or law of a Member State to which SCML is subject, to the exercise of public interest functions or the exercise of the public authority of which SCML is invested;
- For reasons of public interest in the field of public health;
- For archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes, insofar as the right to erasure is likely to make it impossible or seriously harm the achievement of the objectives of such processing;
- For the purposes of statement, exercise or defense of a right in a legal procedure.
In the event of data erasure, SCML communicates the erasure to each recipient/entity to whom the data has been transmitted, unless such communication proves to be impossible or implies a disproportionate effort for SCML. If the data subject so requests, SCML provides information on those recipients.
When SCML has made the data of the data subject public and is obliged to erase it under the right to erasure, SCML undertakes to ensure reasonable measures, including technical ones, taking into account the available technology and the costs of its application, to inform those responsible for the effective processing of personal data that the data subject has asked them to delete the links to such personal data, as well as copies or reproductions thereof.
Right to limitation of processing
The data subject has the right to obtain, from SCML, the limitation of the processing of the data, if one of the following situations applies:
- In case of dispute of the accuracy of the personal data, for a period that allows SCML to verify its accuracy;
- If the processing is illegal and the data subject opposes the erasure of the data, requesting, in return, the limitation of its use;
- If SCML no longer needs the data subject’s data for processing purposes, but these data are required by the data subject for the purposes of statement, exercise or defense of a right in a legal procedure;
- If the data subject has opposed the processing, until it is verified that the legitimate reasons of the SCML prevail over those of the data subject.
When the data of the data subject is subject to limitation, they may only, with the exception of conservation, be processed with the consent of the data subject or for the purposes of statement, exercise or defense of a right in a legal procedure, defense of the rights of another natural person or collective, or for reasons of public interest provided for by law.
The data subject who has obtained a limitation on the processing of his/her data in the above-mentioned cases will be informed by SCML before the limitation on processing is cancelled.
In case of limitation of data processing, SCML will communicate the limitation to each recipient to whom the data has been transmitted, unless such communication proves to be impossible or implies a disproportionate effort for SCML. If the data subject so requests, SCML provides information about the recipients.
Right to data portability
The data subject has the right to receive the personal data concerning him/her and which he/she has provided to SCML, in a structured, commonly used and machine-readable format, and the right to transmit this data to another data controller, if:
- The processing is based on consent or a contract to which the data subject is a party; and
- The processing is carried out by automated means.
The data subject has the right to have personal data transmitted directly between the data controllers, whenever this is technically possible.
The exercise of the right to data portability applies without prejudice to the right to erase the data, does not apply to the processing necessary for the exercise of public interest functions or to the exercise of public authority in which SCML is invested, and does not prejudice, under any circumstances, the rights and freedoms of third parties.
Right to object to decisions based on profiling
The data subject has the right to object, at any time, for reasons related to his/her particular situation, to the processing of personal data concerning him/her that is based on the exercise of legitimate interests pursued by SCML or when the processing is carried out for purposes other than those for which personal data has been collected, including profiling, or where personal data is processed for statistical purposes.
SCML will cease processing the data of the data subject, unless it presents compelling and legitimate reasons for such processing that prevail over the interests, rights and freedoms of the data subject, or for the purposes of statement, exercise or defense of a right in a legal proceeding.
When the data of the data subject is processed for the purposes of direct marketing, the data subject has the right to object at any time to the processing of data concerning him/her for the purposes of said marketing, which includes the definition of profiles insofar as it is related to direct marketing. If the data subject objects to the processing of their data for the purposes of direct marketing, SCML will cease processing the data for this purpose.
The data subject also has the right not to be subject to any decision taken solely on the basis of automated processing, including the definition of profiles, that produces effects in his/her legal sphere or that affects him/her significantly in a similar way, unless the decision:
- Is necessary for the execution of a contract between the data subject and SCML;
- Is authorized by legislation to which SCML is subject, and in which adequate measures are also foreseen to safeguard the rights and freedoms and legitimate interests of the data subject; or
- Is based on the explicit consent of the data subject.
In cases where the automated decision is necessary for the execution of a contract with the data subject or is based on his/her explicit consent, SCML will apply appropriate measures to safeguard the rights and freedoms and legitimate interests of the data subject, guaranteeing their right to obtain human intervention in the decision by SCML, express their point of view and contest the decision.
If the data subject has given his/her explicit consent to the processing of special or sensitive data, for one or more specific purposes, or if the processing of such data is necessary for reasons of important public interest, and appropriate measures are applied to safeguard the rights and freedoms and legitimate interests of the data subject, automated decisions by SCML may be based on that special or sensitive data.
SCML will provide information and communicate with the data subject in a concise, transparent, intelligible and easily accessible manner, using clear and simple language, especially when the information is specifically aimed at children.
The right of access, the right of rectification, the right to erase data, the right to limit processing, the right to data portability and the right to object and not to be subject to automated individual decisions can be exercised with SCML through the following means:
- In person, at any SCML establishment, by filling out the form available there;
- By email, to be sent to dadospessoais@scml.pt;
- By post, to the address Largo Trindade Coelho, 1200-470 Lisboa.
If the data subject submits the request by electronic means, the information is, whenever possible, provided by the same means, unless otherwise requested by the data subject.
SCML will respond in writing (including by electronic means) to the requests of the data subjects within a maximum period of one month from the date of receipt thereof, which may be extended up to two months, when necessary, taking into account the complexity and the number of requests, with SCML being responsible for informing the data subjects of any extension and the reasons for the delay within a period of one month, also from the date of receipt of the requests.
If, for any reason, SCML does not comply with the request submitted by the data subject, it informs the data subject without delay and, at the latest, within one month from the date of receipt of the request, of the reasons that led it not to take action and of the possibility to lodge a complaint with the national supervisory authority or other supervisory authority and to take legal action.
Within the scope of exercising the right to information and at the request of the data subject, SCML may respond orally, provided that the identity of the data subject is proven by other means.
When SCML has reasonable doubts as to the identity of the individual submitting the request, it may request that it be provided with the additional information necessary to confirm the identity of the data subject.
The information is provided by SCML free of charge, except when the requests submitted are manifestly unfounded or excessive, in particular due to their repetitive nature, in which case SCML reserves the right to demand the payment of a reasonable fee, taking into account the administrative costs of providing the information or communication, or taking the requested measures, or to refuse to comply with the requests, it being up to SCML to demonstrate the manifestly unfounded or excessive nature of the requests.
Without prejudice to the exercise of the aforementioned rights, the data subject may complain directly to the national supervisory authority – the National Data Protection Commission (CNPD) –, using the contacts provided by this entity for this purpose (at www.cnpd.pt).
Taking into account the most advanced techniques, the application costs and the nature, scope, context and purposes of the processing, as well as the risks, of variable probability and severity, SCML applies appropriate security measures (technical and organizational), to ensure a level of security of personal data appropriate to the risk, for example:
- Use of firewalls and intrusion detection systems in its information systems;
- Application of access control procedures, using differentiated access profiles and based on the need to know principle;
- Recording of actions taken on information systems that contain personal data (logging);
- Execution of a structured backup plan;
- Encryption of portable equipment and external storage;
- Management of critical and security patches and updates for SCML’s computer operating systems;
- Anti-spam protection for receiving and sending corporate emails;
- Protection against malicious links and attachments in corporate emails;
- Installation, maintenance and management of antivirus and firewall systems on SCML computers;
- Centralized management of software distribution for SCML computers;
- Pseudonymization of personal data;
- Control of access to the physical facilities of SCML;
- Existence of a disaster recovery center in an alternative location;
- Video surveillance system;
- Automatic fire detection and intrusion detection system;
- Execution of training and/or awareness actions in information security and data protection.
Subcontractors and Third Parties
- Subcontractors: SCML may resort to other entities contracted by it (subcontractors), to, on behalf of SCML, and in accordance with the instructions given by it, process the data of the data subject, in strict compliance with the provisions of the GDPR, in national law on the protection of personal data and in this Policy. Subcontractors may not transmit the data subject’s data to other entities without SCML having previously given written authorization, and are also prevented from contracting other entities without SCML’s prior authorization. SCML undertakes to ensure that these subcontractors will only be entities that provide sufficient guarantees for the execution of the appropriate technical and organizational measures, in order to ensure the privacy of the data of the data subjects and the defense of their rights. All subcontractors are bound to SCML through a written contract which regulates, namely, the object and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects, the rights and obligations of the parties, including the duty of confidentiality, and the security measures to be implemented. Under the terms of the right to information, SCML will provide the data subject with information about the categories of subcontractors that, in the specific case, may carry out data processing on behalf of SCML.
- Third Parties: SCML may also transmit data to third parties, namely entities to which the data must be communicated in accordance with the legislation, such as, for example, the Tax Authority, Social Security, insurance entities, among others.
Data transfer outside the European Union
In certain types of processing, the data subject’s personal data may be made available by SCML to third parties, which may involve its transfer outside the European Union, either to third countries or international organizations. In this case, SCML undertakes to ensure that the transfer complies with the applicable legal provisions, in particular regarding the determination of the suitability of such third countries or international organizations with regard to data protection and the requirements applicable to such transfers.
In case of a data breach, and to the extent that such breach is likely to result in a high risk to the rights and freedoms of the data subject, SCML will notify the national supervisory authority of it, as well as communicate the breach to the data subject, up to 72 hours after becoming aware of it.
Under the terms of the GDPR, communication to the data subject is not required in the following cases:
- If SCML has applied adequate protection measures, both technical and organizational, and these measures have been applied to personal data affected by the breach of personal data, especially measures that make the personal data incomprehensible to any person not authorized to access such data, such as encryption;
- If SCML has taken subsequent measures to ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialize; or
- If communication to the data subject implies a disproportionate effort for SCML, in which case it will make a public communication or take a similar measure whereby the data subject will be informed.
Any breach of personal data, whose processing is the responsibility of SCML, may be reported through the following means:
- By email, to be sent to dadospessoais@scml.pt;
- By post, to the following address: Largo Trindade Coelho, 1200-470 Lisboa.