Privacy Policy
MISSION AND COMMITMENT
This policy aims to define the general principles and rules to be applied by the Lisbon City Council to Personal Data collected by it, considering the applicable norms, standards and legal requirements, and a specific, explicit and informed notification about the processing of your data, allowing the application of the current legislation on Personal Data.
- The Lisbon City Council ensures an adequate management of Personal Data in accordance with the applicable rules and legislation. Therefore, it develops tools and implements actions in order to guarantee and monitor the effectiveness of the protection of Personal Data;
- The Lisbon City Council develops actions and procedures in order to raise awareness of its employees on the importance of protecting Personal Data, providing them with operational guidance on how to comply with Data Protection legislation and monitor compliance with Personal Data protection;
- The Lisbon City Council establishes in this document a Privacy Notice to the data subjects of Personal Data, which complies with the requirements of the legislation in force and guarantees a specific, explicit and informed notification to the Data Subjects regarding the processing of their data. Responsibilities for notifying leaks of Personal Data to the competent Supervisory Authorities are also defined;
- The Lisbon City Council has a training/communication program that raises the awareness of its employees;
- The Lisbon City Council has a Personal Data Protection Officer responsible for ensuring compliance with the Personal Data protection rules.
GENERAL PRINCIPLES
The Lisbon City Council collects and processes Personal Data in accordance with the following principles:
- Personal Data is processed legally, impartially and transparently (legality, impartiality and transparency);
- Personal Data is collected and processed for specific, explicit and legitimate purposes arising from current legislation and are not further processed in a manner incompatible with these effects (purpose limitation principle);
- Personal Data is kept adequate, relevant and limited to what is necessary considering the purposes for which they are processed (principle of data minimization);
- Personal Data is rigorous and, whenever necessary, rectified and updated (principle of rigor).
The Lisbon City Council defines adequate technical and organizational security measures to effectively implement the principles of protection of Personal Data, complying with current legislation, protecting the rights and freedoms of Data Subjects.
The Lisbon City Council imposes the same level of Personal Data protection to all its Processors (service providers, suppliers, partners, etc.) through data processing contracts and agreements, when applicable, and suggests consulting the terms and privacy notices available for every interaction that Lisbon City Council undertakes with residents, employees or suppliers.
COLLECTION AND PROCESSING OF PERSONAL DATA
The Lisbon City Council with headquarters in Praça do Município, 1100-038 Lisboa, Portugal. Contacts: +351 21 323 6200 or via the following email of the Data Protection Officer: dpo@cm-lisboa.pt.
The categories of data collected may vary according to the project scope and purposes and may be classified according to the purpose and typology of categories: Personal Data, Special Categories of Personal Data and Other Sensitive Personal Data, when applicable.
The transmitted and collected data points are processed exclusively internally or for the intent of its purpose, always having as a framework a previously identified and validated legal basis, and no transmission to entities other than those strictly necessary for its processing is foreseen. In this regard, it is suggested to consult the terms and privacy notices available in each interaction that we carry out with residents, employees or suppliers.
In the course of its processing activities, the Lisbon City Council may transfer personal data to third countries, identifying them in advance, as well as the legal reason that sustains it, for the knowledge of the data subject, always ensuring the assessment of the appropriate level of protection in order to guarantee the rule of law, respect for human rights and fundamental freedoms, according to the current local legislation.
When visiting our websites or the websites of entities that develop activities in partnership with the Lisbon City Council, as well as during your interaction with us, you can provide us with your Personal Data.
In this context, the Lisbon City Council collects your Personal Data through the following means:
- When browsing our websites, using cookies or similar technologies such as Google Analytics (i.e. technical information such as IP and MAC addresses), browser used, operating system and respective versions and depending on the user’s browser and origin from the navigation, the referrer (the page visited immediately before) can still be collected;
- When you subscribe to newsletters provided by the Lisbon City Council or other channels duly identified as a vehicle for communication and dissemination of initiatives and services;
- When you apply or register for roles, training, capacity building or skills management;
- When filling out forms or contacting us for the purposes of requests, clarifications, requests for intervention, complaints, suggestions or information, through the different channels;
- When you post comments or images on our social media pages;
- When you subscribe or register in one of our portals in order to enjoy the information, services or activities;
When, otherwise, you send us personal information, such as sending emails or service provision contracts, among others, the information collected may be processed for the purposes of the relationship between the Lisbon City Council and the Data Subject, in the fulfillment of contractual, normative and/or legal obligations, for the management of its suppliers or to protect and defend the rights, interests, property and safety of the Lisbon City Council, employees or other persons with whom it collaborates.
In the scope of the services it provides, the Lisbon City Council only processes personal data that are necessary for the execution of the projects to be carried out for its citizens, ensuring that any operation for processing personal data is lawful and complies with all the requirements imposed by applicable legislation on the collection, processing and protection of personal data and ensuring that such activities, where applicable, will be duly regulated through the execution of data processing agreements.
The communication of your personal data is not a legal obligation, but it may be necessary to enter into a contract for the provision of services, internship or any other activity, in which case the provision of personal data will be mandatory. In these cases, not providing your Personal Data may result in the impossibility of entering into the intended contract.
The processing operations carried out in relation to the Personal Data of the data subjects by the Lisbon City Council are based on:
- Its legitimate interest in delivering the services, protecting its activities, in better understanding the preferences and needs of its residents in order to better adapt the services in pursuit of its Mission;
- The need to execute the contracts signed with its citizens and/or suppliers and/or employees for the respective provision of services; and
- When treatment is required by applicable laws.
The Lisbon City Council also has a legitimate interest in conducting recruitment operations to manage its activities in the best possible way. In this sense, the Lisbon City Council collects the strictly necessary data on interested candidates.
The Lisbon City Council only collects and processes Personal Data if, inter alia:
- The Data Subject has authorized the Processing of their Personal Data for one or more specific purposes (when required); or
- The treatment is necessary for the performance of a contract to which they are a party, or to act at their request before entering into a contract; or
- The treatment is necessary to ensure compliance with a legal obligation to which the City Council of Lisbon is subject; or
- The processing is necessary for the purposes of the legitimate interests of the Lisbon City Council, or by third parties, unless these interests overlap with the interests or fundamental rights and freedoms of the Data Subject, which requires the protection of Personal Data, especially if the Data Subject is a minor;
The Data Subject has authorized the Processing of their Personal Data for one or more specific purposes (when required); or
- The treatment is necessary for the performance of a contract to which they are a party, or to act at their request before entering into a contract; or
- The treatment is necessary to ensure compliance with a legal obligation to which the City Council of Lisbon is subject; or
- The processing is necessary for the purposes of the legitimate interests of the Lisbon City Council, or by third parties, unless these interests overlap with the interests or fundamental rights and freedoms of the Data Subject, which requires the protection of Personal Data, especially if the Data Subject is a minor;
The Lisbon City Council keeps Personal Data in accordance with the retention periods imposed by current legislation and therefore it never keeps Personal Data longer than necessary in accordance with the purposes for which they were collected and are being processed, for: compliance with legal obligations (e.g. auditing, accounting and tax obligations), resolution of legal disputes and/or exercise of the Data Subject legal rights. Circumstances may vary depending on the context, purpose and category of Personal Data. As controller, the Lisbon City Council keeps a record of all processing activities under its responsibility, describing the deadlines for the storage and deletion of these data.
The Lisbon City Council guarantees that:
- Personal Data points are not provided to third parties without a valid, previously identified reason, including the collection of prior consent from its data subjects when applicable;
- Personal Data points are not sold or provided free of charge to companies that use them for direct “marketing” purposes or to other entities that use “mailing lists” to advertise products and/or services;
- Transfers Personal Data to third parties without observing the need to obtain explicit consent, when receiving the request from a judicial authority or public authority with legal powers to do so, in accordance with the legal rules in force.
- Ensures the confidentiality and security of Personal Data during transfer to the aforementioned recipients.
SECURITY MEASURES
The Lisbon City Council follows organizational and technological security standards, and effective practices in information security management, to protect the confidentiality, integrity and availability of information, and provide confidence in inter-organizational exchanges, namely the international standard ISO/ IEC 27001 and ISO/IEC 27701, community standards, legislation and specific national recommendations on information security.
The Lisbon City Council applies the appropriate technical and organizational measures to ensure a level of security of Personal Data that is adequate for the risk and, in particular, to protect Personal Data against destruction, loss, alteration, unauthorized disclosure or accidental or illegal access.
The same level of protection is contractually imposed by the Lisbon City Council on its Processors.
Any employee of the Lisbon City Council who, during their work, has access to Personal Data agrees to keep them in the strictest confidence within the scope of the confidentiality agreements entered into.
DATA SUBJECTS’ RIGHTS
The data subjects have the following rights:
- The data subject may request information about what data the City Council of Lisbon has about him/her, how they were collected and for what purposes they will be processed. The data subject may also request a copy of their Persona Data, subject to the protection of information from the Lisbon City Council and the rights of third parties. (Right of access)
- If personal data are intended to be transmitted to third parties, the data subject is entitled to be informed about the identity of those recipients or categories of recipients. (Right to be informed)
- If personal data are incorrect or incomplete, the data subject has the right to request their rectification or completion. (Right to rectification)
- The data subject may request the deletion of their personal data (in cases where the Lisbon City Council does not have a legal basis for its processing or, even, in cases where this legal basis has ceased to exist, for example through withdrawal of consent by the data subject). (Right to erasure, «right to be forgotten»)
- The data subject has the right to object to the processing of their personal data for reasons related to their particular situation, in cases where their interests, rights and freedoms should prevail over the legitimate interests of the Lisbon City Council and do not exist compelling and legitimate reasons prevailing on the part of the Lisbon City Council to justify this treatment. This right of opposing processing is not applicable in cases where the processing of data results from the fulfillment of a legal obligation, consent or performance of a contract to which the data subject is a party. (Right to object)
- The data subject has the right to obtain the limitation of the processing of his/her personal data by the Lisbon City Council, in the following situations:
- while the Lisbon City Council is verifying the accuracy of the personal data raised by the data subject.
- the processing is unlawful and the data subject is opposed to the deletion of the data.
- the Lisbon City Council no longer needs the data, but the data subject requests that it is kept for the purposes of declaration, exercise or defense of a right in a legal proceeding.
- the data subject objected to the processing of his/her data while the Lisbon City Council analyzes whether its interests prevail over those of the data subject.
When the processing of data is limited, the Lisbon City Council will only retain it (right to restrict processing)
The data subject has the right to obtain their data in a structured format, commonly used and automatically read. This right is only applicable when the processing of data is carried out by computerized means and the processing was based on the consent of the data subject or on the execution of a contract. In situations where the processing is carried out on paper, this right does not apply. (Right to data portability)
The exercise of any of these rights by the data subject must be carried out directly to the Data Protection Officer dpo@cm-lisboa.pt .
PRIVACY NOTIFICATION
Data Subjects have the right to file a complaint with the Portuguese Data Protection Authority (CNPD) in case of violation of the applicable rules regarding the protection of their Personal Data.
In the event of a breach of personal data, the Lisbon City Council notifies the Portuguese Data Protection Authority (CNPD), whenever possible within 72 hours of having become aware of the breach, unless the breach of personal data is not likely to result in a risk to the rights and freedoms of individuals.
Any Processor of the Lisbon City Council must notify the controller without undue delay after becoming aware of a personal data breach.