5. General principles
The Child Guarantee and the ISS, I.P. are engaged to process the Personal Data in accordance with the applicable rules and legislation. Therefore, they shall develop tools and implement actions aimed to ensure and monitor the effectiveness of Personal Data protection. These Social Security bodies shall have internal policies and procedures to raise their employees’ awareness on the importance of protecting Personal Data, providing them with operational guidance on how to comply with data protection legislation and monitor the compliance with the Personal Data protection rules. This includes the establishment of a training/communication programme in order to raise their employees’ awareness on the matters of information security and Personal Data privacy.
Any employee of the Child Guarantee, the ISS, I.P. or the II, I.P. who, in the course of his/her work has access to Personal Data, shall agree to keep them confidential under the established confidentiality agreements.
6. Personal Data Collection and Processing
Within the scope of the Child Guarantee information and transactional channels, the Child Guarantee may process the Personal Data required to the fulfilment of its tasks, as provided for in Council of Ministers Resolution no. 136/2021 of 1 October, with the support of the ISS, I.P., in accordance with paragraph 8 of the same Council of Ministers Resolution.
The Personal Data shall be collected by interconnection, communication of filing systems or obtained from the Data Subjects.
The Personal Data shall be stored in accordance with the periods established by the legislation in force, namely for the fulfilment of the Child Guarantee mission and tasks.
8. Security measures for Personal Data processing
The Child Guarantee, the ISS, I.P. and the II, I.P. follow organisational and technological security standards, and effective practices in information security management, to protect the confidentiality, integrity and availability of information and to ensure reliability in the exchange of Personal Data between institutions, as well as specific Community rules, national legislation and recommendations on information security to protect the rights, freedoms and guarantees of the Data Subjects.
The II, I.P also applies the international standard ISO/IEC 27001.
Within the scope of information and transactional channels, the Child Guarantee, the ISS, I.P. and the II, I.P. have all the necessary technical and organisational measures to ensure a level of security of Personal Data adequate to the risks that may occur in the Personal Data processing and, in particular, to protect Personal Data against destruction, loss, alteration, unauthorised disclosure or accidental or unlawful access.
The same level of protection is contractually imposed by the Child Guarantee to its suppliers and service providers, and to the entities with which it relates.
The Child Guarantee, the ISS, I.P. and the II, I.P. have an internal Personal Data protection organisation to ensure compliance with Personal Data protection rules, supported by Data Protection Officers.
9. Privacy Notification
The Child Guarantee, the ISS, I.P. and the II, I.P. process Personal Data lawfully, in accordance with Article 6 and 9 of the GDPR, and process Personal Data only if the situations of lawful processing provided for in the GDPR occur.
Data Subjects shall have the right to be informed about the processing of their data and shall be able to exercise, at any time, the right to information, access, rectification, erasure, update, restriction of processing, portability, as well as to object to and not be subject to automated individual decisions concerning their Personal Data, including the revocation of consent, in accordance with the GDPR or applicable law. In order to do so, they must have access to the information indicated in the contact point.
Data Subjects shall have the right to lodge a complaint with the competent supervisory authority in the event of a breach of the applicable rules on Personal Data protection.
In the event of a breach of Personal Data, the Child Guarantee and the ISS, I.P., as data controllers, shall notify it to the competent supervisory authorities and communicate it to the data subject where appropriate, in accordance with Articles 33 and 34 of the GDPR.
10. Data Subject Rights
In accordance with the applicable rules regarding Personal Data protection, the Data Subject has the right to access, rectify, forget and transfer his/her Personal Data at any time, when requested, under the terms established by Article 20 of the GDPR; he/she has also the right to restrict and oppose the processing of his/her Personal Data.
The Data Subject must exercise his/her rights before the Child Guarantee or the ISS, I.P., using the channels available in “contact details”.
When the Processing is based solely on the Data Subject consent, he/she has the right to withdraw this consent at any time.
In his/her own interest, the Data Subject must keep his/her Personal Data updated and, for this purpose, he/she must contact the competent authority.
12. Data Protection Officer
The Data Protection Officers shall inform and advise on the applicable requirements for the protection of Personal Data, and monitor compliance with those requirements.
The Data Protection Officers shall cooperate and act as contact points with the competent Supervisory Authorities and Data Subjects.
Data Subjects may submit data protection requests (exercise of rights, requests for clarification or reporting of Personal Data breach incidents) using the following contact details, including via email addresses:
- The Child Guarantee – email@example.com
- Data Protection Officer of ISS, IP (pursuant to Council of Ministers Resolution no. 136/2021 of 1 October) - ISS-EncarregadoProtecaoDados@seg-social.pt
Address: Avenida 5 de Outubro, n.º 175, 1º andar, 1069-451 Lisboa