Privacy policy

1. Objective

This Privacy Policy within the scope of the General Data Protection Regulation (GDPR) is aimed to define the general principles and rules to be applied to the Personal Data processed through the information and transactional channels used by the Child Guarantee and the Social Security Institute (ISS, I.P. – Instituto da Segurança Social, I.P.), as controllers, and the Information and Technology Institute, P.I. (II, I.P.), as processor.

The Child Guarantee, the ISS, I.P. and II, I.P. establish, through this policy, a Privacy Policy for Personal Data Subjects, which complies with the requirements of the legislation in force and ensures specific, explicit and informed communication about the processing of their data.


2. Scope

This Privacy Policy applies to all the collected and processed Personal Data from the users of the Child Guarantee information and transactional channels.

3. Recipients

The Privacy Policy is aimed at the users of the Child Guarantee information and transactional channels, the Personal Data Subjects, the Child Guarantee, including the Child Guarantee Local Centres, the ISS, I.P. and the II, I.P.

4. Description

Personal Data shall be processed in accordance with the principles established in Article 5(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 – General Data Protection Regulation (GDPR), which are the following:
Lawfulness, Fairness and Transparency
Purpose Limitation
Data Minimisation
Storage Limitation
Integrity and Confidentiality

5. General principles

The Child Guarantee and the ISS, I.P. are engaged to process the Personal Data in accordance with the applicable rules and legislation. Therefore, they shall develop tools and implement actions aimed to ensure and monitor the effectiveness of Personal Data protection. These Social Security bodies shall have internal policies and procedures to raise their employees’ awareness on the importance of protecting Personal Data, providing them with operational guidance on how to comply with data protection legislation and monitor the compliance with the Personal Data protection rules. This includes the establishment of a training/communication programme in order to raise their employees’ awareness on the matters of information security and Personal Data privacy.

Any employee of the Child Guarantee, the ISS, I.P. or the II, I.P. who, in the course of his/her work has access to Personal Data, shall agree to keep them confidential under the established confidentiality agreements.


6. Personal Data Collection and Processing

Within the scope of the Child Guarantee information and transactional channels, the Child Guarantee may process the Personal Data required to the fulfilment of its tasks, as provided for in Council of Ministers Resolution no. 136/2021 of 1 October, with the support of the ISS, I.P., in accordance with paragraph 8 of the same Council of Ministers Resolution.

The Personal Data shall be collected by interconnection, communication of filing systems or obtained from the Data Subjects. 

The Personal Data shall be stored in accordance with the periods established by the legislation in force, namely for the fulfilment of the Child Guarantee mission and tasks.


7. Confidentiality

In the context of the Child Guarantee Local Centres activity, and by the very nature and objectives of the interactive services allocated to them, users are required to provide information that may be considered personal information. Only the data necessary for these services provision will be requested and collected, according to the explicit information on the website and to the user’s choices.
The Child Guarantee, the ISS, I.P. and the II, I.P. shall ensure to all their users that:
No Personal Data will be made available to third parties without the prior consent of the data subject;
None of the data entrusted to these bodies will be made available, free of charge or for commercial purposes, to direct marketing companies or other entities using mailing lists to advertise their products and/or services.
The Child Guarantee reserves the right to provide or publish aggregated data for purposes considered of public interest, namely in the context of statistical production. However, personal identification elements, such as the Name, ID number, Citizen Card or Taxpayer Number, or private information will never be made available.

8. Security measures for Personal Data processing

The Child Guarantee, the ISS, I.P. and the II, I.P. follow organisational and technological security standards, and effective practices in information security management, to protect the confidentiality, integrity and availability of information and to ensure reliability in the exchange of Personal Data between institutions, as well as specific Community rules, national legislation and recommendations on information security to protect the rights, freedoms and guarantees of the Data Subjects.

The II, I.P also applies the international standard ISO/IEC 27001.

Within the scope of information and transactional channels, the Child Guarantee, the ISS, I.P. and the II, I.P. have all the necessary technical and organisational measures to ensure a level of security of Personal Data adequate to the risks that may occur in the Personal Data processing and, in particular, to protect Personal Data against destruction, loss, alteration, unauthorised disclosure or accidental or unlawful access.

The same level of protection is contractually imposed by the Child Guarantee to its suppliers and service providers, and to the entities with which it relates.

The Child Guarantee, the ISS, I.P. and the II, I.P. have an internal Personal Data protection organisation to ensure compliance with Personal Data protection rules, supported by Data Protection Officers.


9. Privacy Notification

The Child Guarantee, the ISS, I.P. and the II, I.P. process Personal Data lawfully, in accordance with Article 6 and 9 of the GDPR, and process Personal Data only if the situations of lawful processing provided for in the GDPR occur.

Data Subjects shall have the right to be informed about the processing of their data and shall be able to exercise, at any time, the right to information, access, rectification, erasure, update, restriction of processing, portability, as well as to object to and not be subject to automated individual decisions concerning their Personal Data, including the revocation of consent, in accordance with the GDPR or applicable law. In order to do so, they must have access to the information indicated in the contact point.

Data Subjects shall have the right to lodge a complaint with the competent supervisory authority in the event of a breach of the applicable rules on Personal Data protection.

In the event of a breach of Personal Data, the Child Guarantee and the ISS, I.P., as data controllers, shall notify it to the competent supervisory authorities and communicate it to the data subject where appropriate, in accordance with Articles 33 and 34 of the GDPR.


10. Data Subject Rights

In accordance with the applicable rules regarding Personal Data protection, the Data Subject has the right to access, rectify, forget and transfer his/her Personal Data at any time, when requested, under the terms established by Article 20 of the GDPR; he/she has also the right to restrict and oppose the processing of his/her Personal Data.

The Data Subject must exercise his/her rights before the Child Guarantee or the ISS, I.P., using the channels available in “contact details”.

When the Processing is based solely on the Data Subject consent, he/she has the right to withdraw this consent at any time.

In his/her own interest, the Data Subject must keep his/her Personal Data updated and, for this purpose, he/she must contact the competent authority.

11. Privacy Policy Amendments

This Privacy Policy may be amended whenever it is necessary or when there is a change in the regulatory framework and a notice of such amendments shall be published in a revised version of the current Policy, which enters into force at the time of its publication or on a date specified therein.

12. Data Protection Officer

The Data Protection Officers shall inform and advise on the applicable requirements for the protection of Personal Data, and monitor compliance with those requirements.

The Data Protection Officers shall cooperate and act as contact points with the competent Supervisory Authorities and Data Subjects.

Data Subjects may submit data protection requests (exercise of rights, requests for clarification or reporting of Personal Data breach incidents) using the following contact details, including via email addresses:

Address: Avenida 5 de Outubro, n.º 175, 1º andar, 1069-451 Lisboa