OUR COMMITMENT
Protecting the privacy and personal data of citizens who interact with the Caldas da Rainha City Council (users of council services, employees, suppliers, partners, companies) is a fundamental commitment.
Personal data are essential for carrying out the activities of the Caldas da Rainha City Council within the framework of its legal obligations, as well as for providing services, monitoring and improving their quality, managing human resources and complying with legal obligations.
The purpose of this Privacy Policy is to inform citizens and data subjects who interact with the City Council of Caldas da Rainha of how the council collects, processes and protects the personal data provided to it.
Our commitment is to work continuously to guarantee the best level of protection of privacy and personal data, respecting the legislation and all national and European regulations and guidelines applicable to their treatment.
PERSONAL DATA PROTECTION POLICY
The purpose of the Personal Data Protection Policy is to make known the general rules for the processing of personal data, which are collected and processed in strict compliance with the provisions of the legislation in force on the protection of personal data, namely Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (General Data Protection Regulation).
Caldas da Rainha City Council only collects and processes data related to the promotion and protection of the interests of the population of its council, in conjunction with the parishes and in interaction with the respective council companies, within the limits and in fulfilment of its legal obligations.
Thus, the main basis of the data processing operations carried out by the Caldas da Rainha City Council is the fulfilment of its legal obligations, with the law being the fundamental guarantee of the purpose, basis for the collection, minimisation and retention of the personal data processed.
There may also be situations in which data processing operations result from the need to comply with contracts or pre-contractual procedures in which the Caldas da Rainha City Council is involved.
Caldas da Rainha City Council is committed to the protection and confidentiality of personal data and has adopted the measures it deems appropriate to guarantee the accuracy, integrity and confidentiality of personal data, to ensure that the processing of personal data is lawful, fair, transparent and limited to the authorised purposes, and to uphold all other rights of the respective data subjects.
RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA
The data controller in the Caldas da Rainha City Council is the Mayor.
Caldas da Rainha City Council is responsible for the processing, determining the purposes and means of the processing of personal data. However, it is also responsible for ensuring compliance with the Regulation by its processors. A processor is a natural or legal person, public authority, agency or any other entity that processes personal data on its behalf.
DATA PROTECTION OFFICER
The Regulation provides for the appointment of a Data Protection Officer (DPO). The main tasks of the DPO are:
- Raise awareness among and inform all those who process personal data;
- Ensure compliance with privacy and data protection policies;
- Monitor and regulate compliance with the GDPR;
- Collect information to identify processing activities;
- Monitor and follow up on the preparation of the DPIA (Data Protection Impact Assessment);
- Promote the Privacy by Design and by Default approaches;
- Assess the risks of data breaches and mitigate them with improvement actions;
- Maintain up-to-date records of data processing activities;
- Monitor compliance with written processor contracts;
- Promote training on good data protection practices;
- Be the point of contact for data subjects to clarify issues related to data processing;
- Be the point of contact with supervisory authorities;
- Ensure that data processing complies with applicable laws.
To this end, if the data subject needs to contact the Data Protection Officer, he/she can do so at: epd@mcr.pt.
PRINCIPLES GOVERNING THE COLLECTION AND PROCESSING OF PERSONAL DATA AND THE RIGHTS OF DATA SUBJECTS
The processing of personal data carried out by Caldas da Rainha City Council is based on the following fundamental principles:
PRINCIPLE OF LAWFULNESS
Personal data will be processed if and to the extent that at least one of the conditions of lawfulness is met, namely: when the data subject has consented, when processing is necessary for the performance and management of a contract, the fulfilment of a legal obligation or the pursuit of a legitimate interest.
PURPOSE/PRINCIPLE OF GOOD FAITH
Personal data will only be processed for the purposes for which it was collected and will only be processed for other purposes if permitted by law and if the data subject has been informed.
TRANSPARENCY PRINCIPLE
Data subjects will be informed in a clear and concise manner about the relevant aspects related to the processing of their personal data, in particular about the respective purposes of the processing and possible disclosures to third parties.
PRINCIPLE OF PROPORTIONALITY AND LIMITATION OF STORAGE
Personal data will only be processed if they are adequate, relevant, not excessive and for the strictly necessary time.
PRINCIPLE OF MINIMISATION
Only data that is strictly necessary for the purpose and reason will be requested, and only employees whose duties require it will have access to personal data.
PRINCIPLE OF CONFIDENTIALITY, INTEGRITY AND AVAILABILITY
Personal data will be processed in a manner that ensures its security, namely: protection against unauthorised or unlawful access or disclosure, protection against unauthorised or accidental modification, loss or destruction, ensuring data availability when necessary and permitted and without undue delay.
PRINCIPLE OF DATA PROTECTION BY DESIGN AND BY DEFAULT
The services of Caldas da Rainha City Council, its support systems and its internal procedures are designed to protect privacy and personal data.
CONSENT
The City Council of Caldas da Rainha collects consents to support specific processing operations, particularly those involving special categories of data or minors, processed in a school or leisure context.
Consent must be given unambiguously and at any time through a verifiable statement. Silence, pre-validated choices, or omission are not considered valid acts of consent.
DATA SUBJECTS’ RIGHTS
Caldas da Rainha City Council is committed to ensuring that the rights of data subjects are respected, namely:
The right of access, whereby the data subject has the right to access at any time:
- The personal data held by Caldas da Rainha City Council, whether provided by the data subject or collected from third parties;
- The purposes for which the data is processed;
- The recipients of the data;
- The retention periods, if any;
- Information on the existence of automated decisions, including profiling.
The right of rectification, whereby the data subject has the right to:
- Obtain the rectification of his/her personal data if it is inaccurate or out of date;
- Have incomplete data completed, including by means of an additional declaration.
There are situations of limitation of rights provided by law, in which the right of rectification may not apply.
The right to restrict processing, whereby you have the right to have your personal data deleted only in the following circumstances:
- The data is no longer necessary for the purpose for which it was collected and there is no legal provision requiring it to be kept for a longer period;
- You have withdrawn your consent on which the lawfulness of the processing was based;
- The personal data are being processed unlawfully, for which the data subject must provide a justification;
- Where you have objected to the processing of data for marketing purposes, including any profiling that may be involved;
- Where you have objected to the processing of the data in accordance with Article 21(1) of the GDPR and there are no overriding legitimate interests of the controller;
- The data must be deleted due to a legal obligation;
- Consent to the processing of the data has been given by your legal representatives in accordance with Article 8 of the GDPR.
The right to portability, whereby the data subject has the right to request from the Caldas da Rainha City Council information about the personal data concerning him/her that he/she has provided, and to receive this information in a structured, commonly used and machine-readable format, as well as the right to transmit this data to another entity.
The right to be forgotten, which gives the data subject the right to request internet search engines to remove links from the list of results displayed after a search on their name (de-listing). These links must be specified individually in the request.
There are situations in which the right of erasure as indicated above may not apply, for example when the processing is necessary for the exercise of freedom of expression and information or for reasons of public interest in the field of health or for the exercise of a right in legal proceedings. There are also other situations of limitation of rights provided by law where the right to erasure may not apply.
The right to object, whereby the data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data, where the processing is based on:
- The performance of a task carried out in the public interest or in the exercise of official authority;
- The legitimate interests of the controller or of a third party;
- Reuse of the data for a purpose other than that for which they were originally collected, including profiling.
In such cases, the controller shall cease processing unless the controller has compelling legitimate grounds which override the interests, rights and freedoms of the data subject, or for the purpose of exercising a right in legal proceedings.
The data subject shall have the right to object, at any time and without justification, to the processing of his/her data for direct marketing purposes, including any related profiling.
The right to withdraw consent, whereby the data subject has the right to withdraw consent at any time. Withdrawal of consent shall not affect the lawfulness of the processing carried out on the basis of the consent previously given.
The right not to be subject to individual decisions taken on a fully automated basis, including profiling, and the right to lodge a complaint, unless the decision:
- Is necessary for the conclusion or performance of a contract between the data subject and a controller;
- Is authorised by Union or national law to which the controller is subject and which also provides for appropriate measures to safeguard the rights and freedoms and legitimate interests of the data subject;
- Is based on the data subject’s explicit consent.
The right to complain to a supervisory authority.
SECURITY OF PERSONAL DATA
Caldas da Rainha City Council respects the best practices in the field of security and protection of information and personal data, adopting logical and physical security measures that guarantee the confidentiality, integrity and availability of information.
Whenever Caldas da Rainha City Council uses subcontractors, they are required to comply with the legislation on the protection of personal data.
In the event of a personal data breach, the Data Protection Officer must be notified immediately so that measures can be taken to assess, control and mitigate any impact. The Data Protection Officer must immediately notify the data subject and the CNPD (National Data Protection Commission) within a maximum of 72 hours of becoming aware of the situation.
CONTACTS
Data subjects may, at any time and free of charge, exercise their rights of access, rectification, erasure, objection, restriction and portability of their data by sending an e-mail to epd@mcr.pt or a letter to Praça 25 de Abril, 2500-110 Caldas da Rainha.
They may also contact the Data Protection Officer at epd@mcr.pt.
In any case, data subjects are informed that if they consider that the City Council of Caldas da Rainha has violated or may have violated their rights under the applicable data protection legislation, they may file a complaint with the National Data Protection Commission.