Escola Superior Náutica Infante D. Henrique, hereinafter referred to as ENIDH, respects the best practices in the field of security and protection of personal data, having for this purpose taken the necessary technical and organisational measures in order to comply with the GDPR, ensuring that the processing of personal data it carries out is lawful, fair, transparent and limited to the authorised purposes, in pursuit of its legitimate interests derived from its corporate purpose.
ENIDH has always been committed to the protection and confidentiality of personal data and has now adopted the measures it considers appropriate to ensure the accuracy, integrity and confidentiality of personal data, guaranteeing all the rights of data subjects.
Framework
Personal Data: Any information of any nature and regardless of its medium, including sound and image, relating to a person (the data subject), which identifies them or makes them identifiable, directly or indirectly, in particular with reference to identifiers such as name, an identification number, location data, online identifiers such as logins and other access credentials, or other factors, namely physical, psychological, genetic, economic, cultural or social.
Personal Data Subjects: Natural persons - students, teachers and non-teaching staff at ENIDH or who take part or participate in the initiatives organised by ENIDH and who provide their personal data for this purpose and who may not have any contractual relationship with ENIDH.
Processing of Personal Data: An operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Personal Data processed: identification and contact details - name, date of birth, gender, affiliation, address, civil, tax, social security and student identification numbers, telephone contact or email address; data resulting from physical identification, namely photographs from participation in events promoted by ENIDH, as well as data relating to health when, exceptionally and on their own initiative, the student, teacher or employee, because they need specific monitoring or to fulfil legal obligations, transmit them to ENIDH.
Cookies: these are small text files with information considered relevant that devices (computers or portable mobile devices) store through the internet browser, retaining basic information such as IP addresses and preferences on languages, colours, trends, etc. However, on portals such as Gmail and Hotmail, the user's name and email password are also part of the cookies.
Data Controller and Data Protection Officer
The data controller is Escola Superior Náutica Infante D. Henrique, which decides which personal data should be collected, the means of processing and the purposes for which the data is used.
The contact details for this organisation are:
Postal address: Av. Engenheiro Bonneville Franco, 2770-058 Paço de Arcos
Email address: protecaodados@enautica.pt
General phone number: 214460010
Pursuant to Article 37(1)(a) of the GDPR, a Data Protection Officer has been appointed who is responsible for ensuring compliance with the data protection rules and guaranteeing that the organisation that appointed him/her complies with them. The Data Protection Officer liaises with the data protection authority, provides information and advises the data controller on their obligations in the field of privacy and data protection, and ensures that the rights of personal data subjects are exercised.
He can be contacted by email at protecaodados@enautica.pt or by post at Av. Engenheiro Bonneville Franco, 2770-058 Paço de Arcos.
Data Collection and Processing
ENIDH collects and processes the personal data that is strictly necessary for the provision of information and the operation of its channels in accordance with the uses made of them by the recipients of the service, students, teachers, non-teaching staff or other citizens, either those provided by these users for the purposes of registering requests or obtaining information, or those provided by users for the purposes of joining those channels, or those resulting from the use of the services provided by ENIDH through them, such as access, queries, instructions, transactions and other records relating to their use.
The data processing referred to in the previous point is lawful to the extent that:
I. The processing is necessary for the performance of a contract to which the data subject is a party, or for pre-contractual steps at the request of the data subject:
Therefore, the processing of student data that is necessary for the conclusion, execution and management of the student's academic career is justified, namely, the verification and storage of documents that make it possible to assess whether students fulfil the legal requirements for admission to the study cycles taught at ENIDH and that allow the recording of their academic progression, for the purposes of interaction with the educational institution, through the ENIDH website, through the use of an individual and non-transferable password, namely, to know the grades obtained by the student in the assessment tests they take.
II. The processing is necessary for the fulfilment of a legal obligation to which ENIDH is subject.
Data processing is also justified when it is necessary to fulfil legal obligations arising from the conclusion of employment or service contracts, as well as for ENIDH to fulfil legal obligations arising from compliance with notifications from police, judicial and regulatory bodies or to fulfil obligations to the tax authorities, social security or to conclude insurance contracts (personal or professional accidents/work) or to access legally required benefits from insurers and to ensure emergency services.
There are also grounds for ENIDH to process personal data whenever the institution's legitimate interests are at stake.
III. The data subject has given their consent to the processing of their data for one or more specific purposes;
For the processing of personal data whose lawful basis is the provision of consent by the data subject, this shall always be given in advance, in an express, explicit, free and informed manner.
Consent exists when the data subject expresses his or her free, specific, informed and explicit will and accepts, by means of a declaration or an unequivocal positive act, that the personal data concerning him or her will be processed.
If the student informs ENIDH, complying with the requirements identified above, that he/she has a health problem and requests differentiated treatment for attending classes or taking assessment tests, he/she is authorising this data to be passed on to the teachers of the curricular units he/she is attending, since only by providing this information will the student be able to obtain what he/she wants and exercise his/her rights.
The processing of the personal data of underage students, when subject to prior consent, is dependent on the consent given by whoever legally holds parental responsibility for the minor.
These consents can be withdrawn at any time, under the terms of the legislation currently in force on data protection, without any penalty.
Purpose of data processing
The personal data collected by ENIDH will be processed, in particular, for the following purposes:
I. Student management:
a) Enrolment and registration in the study programmes offered at ENIDH;
b) Issuing the student card;
c) Registering and certifying their academic progression;
d) Provision of information, namely information on the grades obtained in the assessment tests taken by the student, which will be done using the personal, non-transferable password that will be assigned to the student for this purpose;
e) Responding to complaints, requests or requests for information in general made by the student;
f) Managing payments of tuition fees and emoluments due;
g) Publicising initiatives promoted by ENIDH or third parties;
h) Maintaining contacts.
II. Administrative, Accounting, Tax and Financial Management:
a) Human resources;
b) Accounting and invoicing;
c) Revenue protection and control.
III. Legal and litigation management:
a) Response to police, judicial, regulatory, supervisory, tax and social security organisations;
b) Internal audits and investigations;
c) Detection of fraud and illicit practices.
IV. Information and physical security control:
a) Access and backup management;
b) Management of security incidents;
c) Checking the video surveillance system.
Transmission of personal data
As part of its activity, ENIDH may use third parties to provide certain services. Sometimes, the provision of these services implies that these entities have access to personal data. When this happens, ENIDH takes the appropriate measures to ensure that the entities that have access to the data (Subcontractors) are reputable and offer the highest guarantees at this level, which is duly enshrined and contractually safeguarded between ENIDH and the service provider. Thus, any subcontractor will process the personal data of students, teachers, non-teaching staff or any other natural persons in the name and on behalf of the subcontractor and will adopt the necessary technical and organisational measures to protect personal data against accidental or unlawful destruction, accidental loss, alteration, dissemination or unauthorised access and against any other form of unlawful processing.
Personal data may only be transferred outside the European Union if such transfer is expressly requested and/or authorised by the data subject.
Data retention period
Without prejudice to legal or regulatory provisions to the contrary, data will only be kept for the minimum period necessary for the purposes for which it was collected or subsequently processed.
Personal data relating to students and their academic career must, under the terms of the law, be kept for an unlimited period of time, so that ENIDH can, at any time, certify, at the request of the student, the competent administrative body or a judicial or police body, their enrolment at ENIDH, their academic career and the qualifications obtained.
Data subjects' rights
a. Data subjects are informed that they have the right to request from ENIDH access to personal data concerning them, as well as their rectification or erasure, and the limitation of processing insofar as it concerns the data subject, or the right to object to processing, as well as the right to data portability, in legally admissible cases, under the terms of articles 16 et seq. of the GDPR.
b. When the processing of data is based on consent, the data subject has the right to withdraw that consent at any time, without jeopardising the lawfulness of the processing carried out on the basis of the consent previously given.
c. The data subject also has the right to lodge a complaint with a supervisory authority (National Data Protection Commission), or the right to take legal action against the supervisory authority or ENIDH, under the terms of articles 77, 78 and 79 of the GDPR.
d. The above rights may be exercised by contacting ENIDH directly via the Data Protection Officer by e-mail at protecaodados@enautica.pt or at the address Av. Engenheiro Bonneville Franco, 2770-058 Paço de Arcos.
Security measures
a. ENIDH undertakes to guarantee the protection of the security of the personal data made available to it, implementing appropriate technical and organisational measures to protect personal data against destruction, loss, alteration, dissemination, unauthorised access or any other form of non-accidental or unlawful processing, under the terms of the legislation currently in force on data protection.
b. Data transmission is carried out using secure connections, with software system protection.
Changes to the Privacy Policy
ENIDH reserves the right to change this Data Protection and Privacy Policy at any time, and such changes will be duly publicised on the website and at the educational establishment.
After the aforementioned publicity, continued use of our website, applications, services and resources offered will be considered as agreement with such changes.
Validity
If any part or provision of these Terms of Use is held to be invalid, illegal or unenforceable, the validity, legality and enforceability of the remaining provisions shall not be affected or impaired.
Applicable law and jurisdiction
a. This Data Protection and Privacy Policy is governed by Portuguese law.
b. To settle all questions and disputes that may arise from the application of this Policy, the District Court of Lisbon West shall have exclusive jurisdiction, expressly waiving any other jurisdiction.
In order to clarify any issue related to the processing of their personal data, the data subject should contact the Data Protection Officer, through the contacts indicated above.
Publication