PRR - Plano de Recuperação e Resiliência
EUDRES
Data Protection Policy – IPS – Instituto Politécnico de Setubal
Back

Data Protection Policy

ABOUT THE POLYTECHNIC UNIVERSITY OF SETÚBAL

The Polytechnic University of Setúbal (IPS), with legal entity identification number 503720364, has the mission of developing quality education, valuing people, transferring knowledge to society, the region, the country and the world, supported by applied research, innovation and partnerships, in accordance with Article 2 of the IPS Statutes, approved by Regulatory Order 13/2019, Diário da República, 2nd series, no. 78, of 22 April 2019.

IPS is an institution committed to the matters regulated and obligations imposed by the new European legislation on data protection, namely Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, hereinafter referred to as the GDPR.

ABOUT THE PERSONAL DATA PROTECTION POLICY

The present IPS Personal Data Protection Policy aims to reinforce the commitment to and respect for privacy and personal data protection rules, being directly applicable to all operations involving exclusively the processing of personal data, carried out within the scope of the activities pursued by all its services and organisational units.

IPS recognises the right to protection of personal data of all those who interact with the institution and entrust it with their data, ensuring that they are informed of the purpose and process of processing the information provided, as well as their rights in this regard and how to exercise them, under the terms and in accordance with the provisions of the GDPR.

IPS establishes this Personal Data Protection Policy with a view to facilitating the effective application of the GDPR within the framework of its own characteristics and specificities as a public higher education institution, informing the academic community and other users of the general rules on privacy and the processing of personal data that it collects and processes in a lawful, fair and transparent manner, in strict compliance with the general framework for Personal Data Protection in force in the Portuguese legal system.

Thus, procedures are defined for duly authorised requests for access to, rectification or erasure of personal data. Mechanisms have been created to facilitate the exercise of the right to restriction of processing, the right to portability and the right to object, as well as rules that complement the provisions on the protection and processing of personal data. In accordance with the governance model for organisations established by the GDPR, IPS has appointed a Data Protection Officer.

PERSONAL DATA

For the purposes of this Personal Data Policy, ‘Personal Data’ means information relating to an identified or identifiable natural person (‘data subject’). A natural person is considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

CONSENT

The consent of the data subject consists of a free, specific, informed and explicit expression of will, through which they accept, by means of a statement or unequivocal positive action, that personal data concerning them will be processed.

DATA CONTROLLER

The entity responsible for collecting and processing personal data is IPS, which, in its context, decides what data is collected, the means of processing, the retention period, and the purposes for which it is used.

TYPES OF PERSONAL DATA COLLECTED

Within the scope of its activities, IPS collects and processes the personal data necessary to carry out its mission and duties, in accordance with the Legal Framework for Higher Education Institutions (Law No. 62/2007, of 10 September) and its Statutes (approved by Normative Order 13/2019, Diário da República, 2nd series, No. 78, of 22 April 2019).

COLLECTION OF PERSONAL DATA

IPS collects personal data in person, by telephone, in writing or through computer systems. The personal data collected is processed either by non-automated means (e.g. manual files) or by computer, in strict compliance with personal data protection legislation, and is stored in specific databases created for this purpose. The data collected will not be used for any purpose other than that for which consent has been given by the data subject or the condition of legitimacy of the processing.

ON THE LAWFULNESS OF PERSONAL DATA PROCESSING

At IPS, the processing of personal data depends on the verification of conditions of legitimacy and the verification of the lawfulness of the purpose of such processing, as well as compliance with the principle of proportionality in the broad sense. Specifically, all processing of personal data at IPS will only occur provided that:

  • It is necessary for the pursuit of legitimate interests and the data subject has unequivocally given their consent;
  • It is necessary for the performance of a contract or for compliance with a legal obligation to which the controller is subject;
  • It is necessary for the protection of the vital interests of the data subject or another natural person;
  • It is necessary for the performance of tasks carried out in the public interest or in the exercise of official authority vested in the controller;
  • It is necessary for the pursuit of legitimate interests of the controller or of a third party to whom the data are disclosed, provided that the interests or rights, freedoms and guarantees of the data subject do not prevail.

ABOUT THE PURPOSES OF PERSONAL DATA PROCESSING

Information about the processing of personal data is provided to the data subject at the time of collection or, if the personal data has been obtained from another source, within a reasonable period of time, depending on the circumstances. When collecting data, IPS provides the data subject with more detailed information about how the information will be used, namely:

  1. The identity and contact details of the data controller;
  2. Contact details of the data protection officer;
  3. The purposes for which personal data is processed, as well as the basis for such processing;
  4. The recipients or categories of recipients of the personal data;
  5. The rights of the data subject;
  6. The data retention period or the criteria used to define this period;
  7. Which data must you provide and which is optional.

The transfer of personal data processed by IPS to another recipient will only occur with the consent of the individual concerned.

PERSONAL DATA RETENTION PERIOD

The period during which data is stored and retained varies according to the purpose of its processing. IPS will retain the personal data of all its students and employees in compliance with its institutional responsibilities. The personal data of employees and third parties who provide it for specific purposes will be kept for as long as they may be required to fulfil any type of responsibility arising from a legal relationship, the execution of a contract or the application of pre-contractual measures. Where there is no specific legal requirement, the data will be stored and retained only for the period necessary to fulfil the purposes for which it was collected and processed or for the period authorised by the Supervisory Authority (National Data Protection Commission, CNPD), after which it will be deleted.

The IPS, when processing data for public interest archiving purposes, or for scientific or historical research purposes, or for statistical purposes, may retain the data for longer periods, without prejudice to applying the appropriate safeguards, in accordance with the legislation in force, for the rights and freedoms of the data subject. These safeguards involve the adoption of technical and organisational measures to ensure, in particular, compliance with the principle of data minimisation.

RIGHTS OF DATA SUBJECTS

Under the terms of the current legal framework on Personal Data Protection and the IPS Code of Ethics and Conduct, the Institute guarantees data subjects the right to access, update, rectify or erase their personal data, upon written request addressed to the Data Protection Officer.

Data subjects may request that their personal data be erased when one of the following situations occurs:

  1. Personal data is no longer necessary for the purpose for which it was collected or processed;
  2. You withdraw the consent on which the data processing is based and there is no other legal basis for it;
  3. You object to the processing of the data and there are no prevailing legitimate interests, to be assessed on a case-by-case basis, that justify the processing;
  4. The personal data must be erased under a legal obligation to which IPS is subject;
  5. The personal data has been collected in the context of IPS offering its services.

The right to erasure does not apply where processing is necessary for the following purposes:

  1. Compliance with legal obligations that require processing and apply to IPS;
  2. Exercise of freedom of expression and information;
  3. Reasons of public interest in the area of public health;
  4. Archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, insofar as the exercise of the right to erasure would seriously impair the achievement of the objectives of that processing;
  5. Establishment, exercise or defence of legal claims.

Under the terms of Article 4 of Law No. 93/2021 of 20 December, the reporting or public disclosure of offences that have been committed, are being committed or can reasonably be expected to be committed, as well as attempts to conceal such offences, the injured party may, if they so wish, also use the Reporting Channel available on the IPS website, particularly when the protection of privacy and personal data and the security of the network and information systems are at stake.

RIGHT TO RESTRICT PROCESSING

The restriction of processing allows the data subject to request IPS to restrict access to their personal data or to suspend processing activities. The restriction of personal data processing may be requested in the following cases:

  1. Contesting their accuracy, during a period of time that allows IPS to verify them;
  2. If IPS no longer needs the personal data for processing purposes, but if such data is necessary for the purposes of declaring, exercising or defending a right in legal proceedings;
  3. If you have objected to the processing, until it is verified that the legitimate interests of IPS prevail over yours.

RIGHT TO PORTABILITY

The data subject may request IPS to deliver, in a structured, commonly used and machine-readable format, the personal data provided by them. They also have the right to request IPS to transmit this data to another controller, provided that this is technically feasible.

The right to portability only applies:

  1. When the processing is based on express consent or the performance of a contract; and
  2. When the processing in question is carried out by automated means.

In such cases, IPS will cease to process the respective personal data, unless it has legitimate reasons for doing so and these reasons prevail over your interests.

RIGHT TO WITHDRAW YOUR CONSENT

IPS enables data subjects to withdraw their consent to the use of their personal data at any time.

ABOUT SECURITY MEASURES

IPS seeks to protect users’ personal data through various appropriate technical and organisational measures, using encryption, pseudonymisation, federated authentication, and other available mechanisms, with the aim of ensuring the confidentiality, integrity, availability, and resilience of personal data. With a view to the security of personal data, IPS has implemented the following measures:

  • Restrictions on access to personal data, based on the criterion of ‘need to know’ as well as on the competences and duties of those who access it, applied in strict compliance with the communication to the data subject at the time of collection;
  • The transfer of personal data via encrypted communication channels;
  • Special category data is stored in encrypted form, as are the respective backups;
  • Protection of technological infrastructures with technical and organisational mechanisms to prevent unauthorised access;
  • Monitoring of technological infrastructures at various levels, such as access control, misuse, and abnormal traffic, with the aim of preventing, detecting, and stopping unauthorised access to personal data.

ABOUT THE COMMUNICATION OF PERSONAL DATA TO OTHER ENTITIES (THIRD-PARTY SUBCONTRACTORS)

Within the scope of its duties, IPS may use subcontractors to provide certain services, but IPS remains responsible for the personal data it makes available. When data processing is carried out by a subcontractor or third party to whom data is transferred, IPS shall verify that the latter provides sufficient guarantees of the implementation of appropriate technical and organisational measures, so that the processing meets the requirements of the legislation in force and ensures the protection of the rights of the data subject, who shall be informed in advance. Processing under these terms is regulated by contract or other normative act, which binds the subcontractor or third party to the guidelines established by IPS, as the entity responsible for data processing, and defines the object and duration of such processing, its nature and purpose, the type of personal data and categories of data subjects, and the obligations and rights of the data controller. The contract stipulates, in particular, that the subcontractor or third party:

  1. Only process personal data transmitted on documented instructions from the IPS, including data transfers to third countries or international organisations, unless required to do so by Union or Member State law to which it is subject, in which case it shall inform the controller of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest;
  2. Ensures that persons authorised to process personal data undertake a confidentiality commitment or are subject to appropriate legal confidentiality obligations;
  3. Adopt the most appropriate safety measures;
  4. Delete or return all personal data to IPS after completion of the provision of services related to processing, deleting existing copies, unless the retention of data is required under Union or Member State law;
  5. Provides IPS with all information necessary to demonstrate compliance with the obligations set out in this article and facilitates and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller;
  6. The subcontractor may not hire another subcontractor without IPS authorisation, and the request must be sent to the data controller.

ABOUT THE TRANSFER OF PERSONAL DATA OUTSIDE PORTUGAL

The performance of certain tasks by IPS may involve the transfer of your data outside Portugal. IPS checks in advance that the country or territory to which it transfers the data guarantees an adequate level of data protection or has been the subject of an adequacy decision by the European Union. If this is the case, IPS will strictly comply with the applicable legal provisions, and the data subject will be informed in advance.

ABOUT THE ONLINE PORTALS OF THE POLYTECHNIC INSTITUTE OF SETÚBAL

IPS respects the right to privacy and does not store any personal information on its websites without the consent of the data subjects or in an unlawful manner. With regard to the collection and use of technical information, the websites may use cookies, namely session cookies. Cookies are used to store certain types of information relating to browsing on the website and do not allow the user to be identified, meaning they will never contain personal data. Users may choose not to receive cookies or to be informed about their installation by configuring their browser for this purpose. However, IPS is not responsible for the fact that disabling cookies may prevent the pages from functioning properly. Technical information will only be used for statistical purposes. By using the IPS portals, users agree to:

  • Do not interrupt or interfere with the security of the portal;
  • Not to interrupt or interfere with the services, system resources, accounts, servers or networks connected to or accessible through the portals;
  • Accessing an unauthorised area/account and its information;
  • Do not use or attempt to use the account, service or system of third parties without IPS’s authorisation, nor create or use a false identity on these portals;
  • Not to transmit, through these portals, unwanted advertising, chain letters, inappropriate mail or any other type of unsolicited mass mail to persons or entities that have not agreed to be recipients of such mail messages;
  • Do not disclose your username or password to third parties, either online or offline;
  • Do not attempt to gain unauthorised access to the portals or to parts of the portals that are restricted to general access.

PORTAL PRIVACY POLICY

All texts, content and images on the IPS portal belong to the Institute, unless expressly stated otherwise. These may only be downloaded or copied without prior authorisation from IPS if they are intended for teaching, administration and research purposes by the Institute itself or for personal, non-commercial use. IPS reserves the right to increase, eliminate or alter the conditions of use of its portals at any time, without prior notice, in order to adapt them to any changes in the legislation in force or to guarantee or improve the quality and effectiveness of the portals.

Use of the portal is free of charge and implies compliance with the privacy policy and legal notices contained therein, as well as applicable Portuguese legislation.

IPS is not liable for any damages arising from improper access to and/or use of its portals. Similarly, IPS is not liable for any errors, outdated information or damages that may arise from accessing and/or using the portals or links to which it refers, as it has no control over their content. IPS is also not liable for any damage resulting from viruses that may infect the user’s computer or network due to accessing the portal or downloading content from the portal to the user’s computer or network.

All disputes that may arise as a result of using the portals of the Polytechnic Institute of Setúbal shall be resolved in accordance with the legislation in force in Portugal and shall be subject to the jurisdiction and competence of the courts of the district of Setúbal, expressly waiving any other venue or jurisdiction.

DATA PROTECTION OFFICER

IPS has appointed a Data Protection Officer, nominated by order of the President of IPS, as disclosed on the website of this Policy. The Data Protection Officer can be contacted via the following email address: protecaodados@ips.pt.

CHANGES TO IPS’ PERSONAL DATA POLICY

IPS reserves the right to make adjustments or changes to this Personal Data Protection Privacy Policy at any time, and such changes will be duly publicised.

QUESTIONS AND SUGGESTIONS

To learn more about how IPS handles your personal data, or to clarify any questions, submit a complaint or comment on matters relating to Privacy and Personal Data Protection, you may send a request to protecaodados@ips.pt.

Documents

Order No. 228/President/2022 – IPS Data Protection Policy
Order No. 17/President/2025 – Appointment of Data Protection Officer – Appointment of Data Protection Officer

Content updated in 05/11/2025 12:38

CONTACTS

Campus de Setúbal
Serviços Centrais
Campus do IPS, Estefanilha
2910-765 Setúbal, Portugal
t. +351 265 548 820
e. info@ips.pt
Academic Services: suporte.ips.pt
See on Map

Campus do Barreiro
Escola Superior de Tecnologia do Barreiro
Rua Américo da Silva Marinho
2839-001 Lavradio, Portugal
t. +351 212 064 660
e. info@estbarreiro.ips.pt
Academic Services: suporte.ips.pt
See on Map

LINKS

Courses
Campus life
E³UDRES²

POLYTECHNIC PORTALS

Académico (NONIO)
Research
Dinamiza

HIGHER EDUCATION INSTITUTIONS

School of Education
Setúbal School of Technology
School of Business and Administration
Barreiro School of Technology
School of Health

© 2025 Polytechnic University of Setúbal – Politécnico de Setúbal. All rights reserved.

Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

Strictly Necessary Cookies

Strictly Necessary Cookie should be enabled at all times so that we can save your preferences for cookie settings.

3rd Party Cookies

This website uses Google Analytics to collect anonymous information such as the number of visitors to the site, and the most popular pages.

Keeping this cookie enabled helps us to improve our website.