Data Protection Policy and Terms of Use



The University of Madeira recognizes the importance of personal data, making all the necessary efforts to protect the privacy of the personal data of its students, professors, staff and visitors. This policy describes the personal information collected from uma.pt and its sub-domains, as well as their use.

Personal Data Protection Policy

All the personal data holders who entrust to the University of Madeira, hereinafter referred to as UMa, and to their Social Welfare Services, hereinafter referred to as SASUMa, the treatment of their personal data, are aware not only of its purpose, but also of the holder’s rights in this scope, in accordance with Article 8, number 1, of the Charter of Fundamental Rights of the European Union (“the Charter”), of the Article 16, number 1 of the Treaty on the Functioning of the European Union (TFEU) and of the General Data Protection Regulation (GDPR), making entities recognize, therefore, the right of citizens to data protection.

Bearing in mind that a solid data protection policy depends on a combination of responsible users, adequate technology and safe processes, UMa has set this Personal Data Protection Policy according to Article 24 number 2 of GDPR (“General Data Protection Regulation”), and in strict compliance with the legal requirements described on Article 136 number 1, and article 136 number 4 of the Administrative Procedure Code (approved by the decree-law number 4/2005 of 5th of January), aiming at effectively applying GDPR within the framework of its specific characteristics and specificities as a Public Higher Education Institution.

As such, procedures are defined to allow the access, correction or erasure of personal data. Mechanisms are created to facilitate the exercise of the right of treatment limitation, of the portability right, of the right of opposition and of the new rules that complement the regulations on the protection and treatment of personal data. These regulations are provided in the Terms and Conditions that regulate the offer of several products and services, being publicized in their respective services in which the academic community and other users resort to.

The University of Madeira informs the academic community and its users about the rules of general privacy and personal data treatment in a lawful, loyal and clear manner, in strict compliance with the Data Protection Policy in force in the Portuguese legal system.

UMa, as responsible for the personal data treatment activities, carries out and promotes correct and effective technical and organizational measures to comply with the GDPR principles. The University of Madeira takes into consideration the scope, nature, purpose, the context of the treatment of information, as well as the failure risks of right protection of individuals.

Thus, UMa promotes, in a clear and extensive manner, this Personal Data Protection Policy, and recommends the academic community and all users to read it carefully and responsibly.

In compliance with what has been established by the GDPR, the University of Madeira has chosen a Data Protection Officer, from now on designated as DPO.

Context

The personal data protection policy of University of Madeira and its social welfare services only applies to the treatment of personal data performed by these entities.

Personal Data

“Personal Data” includes any piece of information that identifies an individual (“data holder”).

According to the Article 4, nr. 1 of the Regulation 2016/679 of the European Parliament, and of the Council of 27th of April on personal data protection and on their free circulation, revoking the directive 95/46/CE (General Data Protection Regulation), “an individual is considered as identifiable as long as he/she could be directly or indirectly identified by reference to an identifiable element, such as names, identification numbers, location data, electronic identifiers or to one or more specific elements of physical, physiological, genetic, mental, economic, cultural or social identity of that individual.”

The personal data indicated through our sites, like name and e-mail, either through application forms and/or inquiries will only be used within the terms described on those pages. Data could solely be used for subsequent communications if authorized by the user at the time of registry and data introduction. Personal Data will never be licensed, sold and/or negotiated with third parties.

The submission of personal data by electronic means presupposes the user’s agreement in the data processing done by UMa’s Employees, solely for purposes related to the university’s regular activity. The user may, at any time, declare his/her intention not to receive further communications from University of Madeira, either through information within messages (For example, “Unsubscribe” links), and/or in page specific configurations. The University reserves the right to send the messages it is legally bound to, such as information related to academic activities, among others.

What is not considered as Personal Data

Any information that, regardless of its content, cannot be associated to an individual.

Collection of Personal Data

    In UMa and its Social Welfare Services (“SASUMa - Serviços de Ação Social da Universidade da Madeira”), personal data can be collected in several ways:
  • - On site;
  • - By phone;
  • - In writing;
  • - Through computer systems;

The treatment of personal data is done either via non-automated mediums (such as written files), or via automated mediums, in strict compliance with the GDPR (General Data Protection Regulation). Data are stored in internal computer applications, and housed in physical structures, with controlled and limited access.

The gathered data are only used for the purposes that the University and its Social Welfare Services are legally bound, and in no case will be used for any other purposes without explicit and informed consent from data holders.

Responsible entity for Data treatment in the University

The university of Madeira is the entity responsible for the gathering and treatment of personal data. Within the entity’s duties, the University decides which data to collect, how their treatment will be done, their retention period and the purposes for which they are used, in strict compliance with the applicable legislation.

Alterations to the University’s Personal Data Protection Policy

The university of Madeira reserves the right of, at any time, readjust or modify the present privacy policy, with these alterations being properly advertised.

About Safety measures

UMa seeks to protect its users’ personal data through adequate technical and organizational measures, using cryptographic mechanisms, pseudonymisation, federated authentication, access control, among other available mechanisms, in order to guarantee the confidentiality, integrity, availability and resilience of personal data.

Seeking the safety of personal data, University of Madeira implements the following measures:

  • - Access restrictions to personal data, based on the “need-to-know" criteria, as well as on the competences and duties of who accesses them, applied in conformity with what has been communicated to the personal data holder at the time of their collection;
  • - Personal data transfer through encrypted channels;
  • - Protection of technological infrastructures with technical and organizational mechanisms, in order to avoid non-authorized access;
  • - Monitoring technological infrastructures at various levels, such as access control, security cameras, control of improper use and undue traffic, with the purpose of preventing, detecting and stopping non-authorized access to personal data.
About the Online Portals of the university

UMa presents in its online portals a declaration regarding the privacy practices related to the website. It includes the identification of the collected data, technical information, as well as safety guarantees, confidentialities required by law and by the remaining rights of data holders.

UMa respects the right to privacy and does not store in its websites any personal information illegally, or without the personal data holders’ consent.

a) Authentication

Some domains of the University of Madeira are only available for registered users, such as students, professors and staff. For certain projects, there could be other users. The authentication will always be done with secure connections (https). Some of those platforms use cookies to identify users and to maintain work sessions. Cookies are erased as soon as the session ends, or when it exceeds the session time limit. Registries will be stored of every session, including time and date and the user’s identifier, and will only be used for diagnostic purposes and troubleshooting.

Activity Registry (logs)

The university’s Web platforms save information of every request, including the IP address. This is a common activity within any internet server environment, and, like authenticated registry accesses, these data are only used for diagnostic purposes and troubleshooting.

c) Cookies and Data Analysis

The identification of the accessed pages is done through Cookies and through Google analysis service (Google Analytics). The analysis of the gathered data allows a better understanding of how information is consulted in UMa’s Websites, thus improving the user experience of our websites (for example, identify users’ most frequent searches). The information collected is used for statistical analysis and could be publicly announced. Cookies are accepted by browsers by default. Individual users can configure the authorisation level for cookies in their browsers.

Reading and navigating in the uma.pt domains and subdomains presupposes the user’s consent with the use terms described earlier. UMa might be required to provide some existent information in its servers and services according to the Portuguese law, namely in the enforcement of judicial orders.

Technical information will only be used for statistical purposes.

Lawfulness of personal data processing

The treatment of personal data in University of Madeira will only occur if:

  • - It is necessary for the pursuit of legitimate interests, and if the user has given his/her consent;
  • - It is necessary for processing contracts or for the compliance with any legal obligation in which the data holder is attached to;
  • - It is necessary for the protection of the vital interests of the data holder or of any other individual;
  • - It is necessary for the practice of functions of public interest, or in the exercise of public authority in which the data treatment responsible person is invested;
  • - It is necessary for the pursuit of legitimate interests of the data treatment responsible person or a third party to whom the data are communicated, as long as the interests, rights, freedom and guarantees of the data holders are maintained.
What are the “special categories of personal data”?

Article 9 of the GDPR applies restrictions when it comes to the treatment of special categories of personal data. These can be described as “personal data that reveal the racial or ethnic origin, political believes, religious or philosophical convictions, union membership, as well as genetic data treatment, biometric data to identify someone in an unequivocal manner, health related data or data related to sexual life or sexual orientation of an individual”. All these data have additional treatment restrictions; thus, it is recommended to read carefully the GDPR sections.

Genetic Data are defined as “personal data related to the genetic, inherited or acquired characteristics of an individual that give out unique information about this person’s physiology or health, and that directly results from an analysis of a biological sample from the individual” (GDPR, Article 4, nr.13)

Biometric data are defined as “personal data resulting from a specific technical treatment related to physical, physiological or behavioural characteristics of an individual, that confirm the individual’s identification, namely facial images or dactyloscopic data” (GDPR, article 4, nr. 14)

Health related data are defined as “personal data related to the physical or mental health of an individual, including the provision of health services that unveil information about the individual’s health condition” (GDPR, Article 4, nr.15)

The purpose of personal data treatment

    University of Madeira, as the entity responsible for personal data treatment, informs its users in detail, at the time of collection, about the data collection’s use and purpose. However, if personal data have been obtained from other sources, and within a reasonable period of time, the data holder will be informed, in detail, about:
  • - The responsible person for its data treatment, if applicable;
  • - The contacts and identity of the data protection officer, if applicable;
  • - The purpose of personal data treatment, as well as its legal basis;
  • - The rights of data holders;
  • - The expiration date of data or the criteria used to define that period;
  • - What data should be compulsorily provided and what data are optional.

Personal Data managed by UMa may be lawfully transmitted to third parties when it has been verified the fulfilment of purposes directly related to the functions of the data owner or of the responsible person for data treatment. However, every time there is a lawful transference of data to other parties, the data holder will be informed and, when justified, data holders may request for their data not to be transferred, as long as it does not affect the vital and legitimate interest of any of the parties or of the public interest.

Every time UMa intends to use personal data for any other means than the ones initially planned, UMa gives the data owner all the information about its intentions.

The University of Madeira should inform and give more information to the data owner about the provenance of the personal data UMa holds, even if resulted from different sources.

Storage period of Personal Data

University of Madeira can store personal data for as long as it is required for any liability arising from legal relations, from contract processing, or from the application of legal and/or pre-contractual measures. Every time there is no specific legal requirements, data will be stored only for the necessary period to fulfil the purposes for which it was collected, or for a time period authorized by the Control Authority, after which data shall be deleted.

The legal period for the preservation of archival documents will be respected. Data may be used for purposes strictly necessary to the legal obligations to which UMa is subject to, to statistic reports, to historical and scientific research without any time limit, as long as these data are properly anonymised so that they are not considered as personal data thus ensuring adequate measures according to the ruling law, and protecting the rights and freedom of data holders.

These measures involve technical and organizational measures to ensure that the principles of personal data treatment are respected.

Rights of data holders

According to the ruling legislation about personal data protection, UMa must provide its data holders with all the information they are entitle to, and ease the exercise of the data holders’ rights mentioned in the GDPR upon written request addressed to the data protection officer.

Communication of Personal Data to other entities (outsourced third parties)

As a rule, in University of Madeira the regular exchange of personal data should be communicated to the Personal Data Officer, even when there is a legal obligation involved or when the data holder has given his/her permission. Generally, all personal data sent for national statistic enquiries (for example, RAIDES; REBIDES; RENATES; CGA, ADSE, among others) are legally mandatory. Data exchange between units and internal services of the University should continue as usual, as long as they are directly related to the functions and activities of their employees.

Within the scope of its powers, UMa may resort to third parties/outsourced employees to provide some of its services. Therefore, UMa must ensure that the third party or outsourced employee to whom the data are being transmitted, presents enough performance guarantees, either technical or organizational, so that the personal data treatment meets the requirements of the legislation in force, and ensuring the rights of the data holder, as stated in the General Data Protection Regulation. Within those terms, the personal data treatment is regulated by contract or similar, bounding the third party to the rules established by UMa as the entity responsible for data treatment, and establishes the purpose and duration of that treatment, the type of personal data and the data holder’s categories, as well as the legal obligations and rights of the person responsible for the treatment.

Transparency of personal data outside Portugal

Some attributions and activities carried out by UMa may imply the transfer of personal data outside Portugal. UMa checks in advance if the country or territory where data are being transferred to have an adequate level of data protection, or whether they have been addressed by the European Union. As such, UMa will comply with the ruling legislation and with the guidelines given by its competent bodies.

Other situations

University of Madeira, in strict compliance with the General Protection Data Regulation, has its own Data Protection Officer (DPO).

For more information, comments, questions, claims or suggestions related to the Privacy and Personal Data Protection Policy of University of Madeira, contact directly the DPO – epd@mail.uma.pt, or by mail to UMa’s institutional address (Edifício da Reitoria, Colégio dos Jesuítas – Rua dos Ferreiros, 9000-039 Funchal – Portugal), mentioning DPO (“EPD” in Portuguese) in the recipient.

Terms of Use

The terms described in this page should be read before visiting UMa’s Website. These conditions could be altered by UMa, without previous warning, being UMa responsible for updating this page as soon as possible.

The texts, images and other content published in the domain uma.pt and its sub-domains, belong to UMa and have reserved rights. Its use outside these domains could only be done upon UMa’s explicit permission. These data may be used exceptionally for educational or journalistic purposes, maintaining credits and the source of the content retrieved. UMa cannot be held accountable for the information present in external domains, that could be referenced in UMa’s content.

UMa makes an effort to keep the content of its websites updated and without errors. There is no guarantee that the information in this site is complete, exhaustive and accurate. The e-mail address website@mail.uma.pt can be used to send comments, suggestions or identify errors.

Terms of Use, University of Madeira, May/2018

GDPR Declaration Templates

Download here the documents templates of compliance with the General Data Protection Regulation (GDPR). These documents (or similar) are of compulsory filling in case of personal data collection/treatment. After being filled in and signed by all the parties involved, a copy of these documents should be sent to the Data Protection Offices of University of Madeira (with exception of the document “Declaration of commitment of honour and compliance with legislation” - in Portuguese “Declaração de compromisso de honra e cumprimento da legislação”. In this case, the original document should be sent), to the e-mail address epd@mail.uma.pt.

Information notice 1/EPD/2018
Declaration of commitment of honour and compliance with legislation

- Download PDF Version

- Download Editable Text File - Word

- Download Editable File - LaTeX

Informed, Clarified and Free Consent for Participation in Research Studies
Minors Consent Declaration

For the files in LaTeX format, it is necessary to download UMa’s logo.