PRIVACY POLICY

1. Introduction

a. This page reflects InovarSaúde Portal’s Privacy Policy.

b. The InovarSaúde portal is a centralized space dedicated to health and digital revolution, exploring the latest trends and technological advances that are transforming how we manage our health.

c. It aims to be a unique chanel for data submission and sharing of innovative ideas among researchers, healthcare professionals, and higher education students, with the goal of improving public health services provided to users of the National Health Service (NHS).

d. The Portal was developed and is maintained by SPMS, E.P.E. – Shared Services of the Ministry of Health, which is commited to promote best practices in security, privacy, and protection of users’ personal data, adopting various technical and organizational measures to ensure that the information reflects an adequate level of security appropriate to the facing risk.

e. Through this page, SPMS, E.P.E. informs you, as a user and data subject, of the privacy policy of the InovarSaúde Portal, aimed at informing you of your rights and clarifying how your personal data is processed within the portal, in compliance with Articles 13 and 14 of the General Data Protection Regulation (GDPR).

f. Using the services provided by the InovarSaúde portal, as well as filling out any forms available therein, and providing data, whether directly or indirectly, implies knowledge of the information defined in this policy.

2. Controller of Personal Data

a. SPMS, E.P.E. – Shared Services of the Ministry of Health, is the entity responsible for the processing of your personal data within the scope of the InovarSaúde portal, located at Avenida da República, 61, 1050-189 Lisbon and Rua do Breiner, 121, 4050-124 Porto, telephone (+351) 211 545 600.

3. Data Protection Officer

a. SPMS, E.P.E. has appointed and notified the Portuguese Data Protection Authority (CNPD) of a Data Protection Officer.

b. The Data Protection Officer of SPMS, E.P.E. can be contacted by any data subject regarding all matters related to personal data processing and the exercise of rights conferred by applicable law, via the following email address: dpo@spms.min-saude.pt.

c. Without prejudice to complaints submitted to the Data Protection Officer, data subjects may also lodge complaints with the CNPD – Portuguese Data Protection Authority.

4. Information on Legal Concepts

What are personal data?

a. Under applicable law, “personal data” means any information relating to an identified or identifiable natural person (“data subject”). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier. Examples of identifiers include a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

What are special categories of data?

a. Special categories of personal data include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for uniquely identifying a person, data concerning health, or data concerning a person’s sex life or sexual orientation.

What is data processing?

a. “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

What is a personal data breach?

a. A personal data breach is an infringement to security leading to an accidental or unlawful use, destruction, loss, modification, unauthorized disclosure of, or access to, personal data sharing, stored, or otherwise processed.

5. Data Collection and Processing

a. In providing our services, we may collect your information through various channels, namely:

1. By telephone;
2. Through the InovarSaúde Portal;
3. In writing, via email.

b. Please note that you can browse and use the portal without providing any personal information, without prejudice to navigation data necessary for its proper management. However, the use of certain features may require providing personal data. The personal data we process is strictly necessary for our services.

c. The personal data we process are strictly necessary for the provision of our services, adhering to the principle of data minimization as outlined in the GDPR.

d. Accordingly, we only process personal data that is adequate, relevant, and limited to what is necessary for the purposes informed in this Policy.

e. Within the services and channels provided by the InovarSaúde portal, the following types of personal data may be collected:

Category of Data Processed	Examples
Personal Identification Data	Such as name, surname, date of birth, address, postal code, phone number, email address.
Digital Data	Such as language, time zone, portal access history, device type, browser type, IP address, cookies information.
Data for Requests Management	Such as registration ID, registration type, contact details, date and time, details of submitted request, analysis status.
Professional Data	Such as your position, roles, company where you work.
Academic and Professional Experience Data	Such as your education, qualifications, certifications, languages, curriculum.

f. When we process special categories of personal data (“sensitive data”), such as health data, this will only occur based on the exceptions provided in Article 9(2) of the GDPR. Such processing will always be proportionate and aligned with the purpose, respecting the essence of the right to personal data protection. Adequate and specific measures are in place to safeguard fundamental rights and your interests as the data subject.

6. Purpose and Lawfulness of Data Processing

a. Within the services provided by the InovarSaúde portal, SPMS, E.P.E. processes your personal data for the following purposes:

• To communicate and manage our relationship with you: SPMS, E.P.E. may contact you by telephone, email, or SMS for administrative or operational reasons. Your data will also be processed based on SPMS, E.P.E.’s legitimate interests to respond to your requests, complaints, suggestions, or contacts, thereby improving our services and your user experience.
• For management, auditing, and continuous improvement of services: Personal data processed within the InovarSaúde portal is used by SPMS, E.P.E. for purposes such as fraud detection and analysis, statistical studies, or development and maintenance of information systems.
  The lawful basis for this data processing is the pursuit of SPMS, E.P.E.’s legitimate interests.
• To comply with legal obligations: Data may be processed to fulfill obligations to provide information to other entities within the Ministry of Health and Public Administration, as well as to courts and law enforcement agencies, in the exercise of their respective duties and powers.
  The processing of your data is based on compliance with these legal obligations.

b. If the lawful basis for processing your personal data is consent or legitimate interest, you have the right to withdraw consent or object to processing at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

c. If you withdraw consent or express objection, we will immediately cease processing your personal data for that purpose, unless there is a legal or contractual obligation requiring such processing.

7. Retention Period of Personal Data

a. The personal data of users of the InovarSaúde portal are processed in accordance with applicable law and stored in databases specifically created for this purpose. This data is retained in a format that allows identification of data subjects only for the period necessary to fulfill the purposes for which it is processed.

b. In the absence of a legal obligation requiring data retention for a specific period, SPMS, E.P.E. will retain the data only for the time necessary to fulfill the purposes for which it was collected, adhering to the principle of storage limitation.

c. There are legal requirements that oblige us to retain data for a minimum period, and in such circumstances, SPMS, E.P.E. is required to comply with these retention periods for as long as legally stipulated.

8. Subprocessors

a. Subprocessors are contractually bound to SPMS, E.P.E. under Article 28 of the GDPR and may only process your personal data for the purposes specified therein. They are prohibited from using, transferring, disclosing, or recording the data for any other purpose than that for which they were specifically contracted, and they operate strictly in accordance with SPMS, E.P.E.’s instructions.

b. If subcontracting occurs, SPMS, E.P.E.’s commitment to the data subject includes:

• We carefully select our subprocessors and conduct a prior assessment, documented, to determine whether they comply with the GDPR and other applicable laws, with this assessment serving as an aid in the contracting process;
• We ensure that they provide sufficient and adequate guarantees regarding the implementation of technical and organizational measures to protect your personal data, and that they operate strictly according to our documented instructions;
• Finally, based on these criteria, we enter into a written contract with our subprocessors that reflects all legal requirements of Article 28 of the GDPR, ensuring that the processing of your personal data is carried out in strict compliance with the law.

c. Within the services provided by the InovarSaúde portal, SPMS, E.P.E. may also engage with third parties, as defined in Article 4(10) of the GDPR, which implies that these entities, whether individuals or legal entities, may access personal data of users.

d. SPMS, E.P.E. may disclose personal data collected through the InovarSaúde portal to third parties when:

• Consent has been obtained from the data subject for such disclosure, in accordance with current data protection legislation;
• The disclosure is made to comply with a legal provision or court order, a decision of the National Data Protection Commission (CNPD), or a legitimate and substantiated request from entities within the Ministry of Health or the Public Administration.

9. Rights of Data Subjects

a. SPMS, E.P.E. ensures respect for the rights of data subjects, in accordance with the limits and provisions set forth in current data protection legislation:

Right of access (Article 15 GDPR)	This is the right to confirm whether your personal data is being processed and, if so, to access your personal data and information regarding the data we process and the purposes for which it is processed.
Right to erasure (“right to be forgotten”) (Article 17 GDPR)	You have the right to request the erasure of your personal data without undue delay if certain conditions under Article 17 GDPR are met.
Right to restriction of processing (Article 18 GDPR)	You can request restriction of processing of your personal data in specific circumstances, such as contesting the accuracy of your data.
Right to data portability (Article 20 GDPR)	You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit those data to another controller, where technically feasible and based on consent.
Right to rectification (Article 16 GDPR)	You have the right to rectify inaccurate personal data concerning you without undue delay and to have incomplete data completed, considering the purposes of the processing.
Right to object (Article 21 GDPR)	You can object to the processing of your personal data based on legitimate interests or public interest, unless there are compelling legitimate grounds for the processing that override your interests, rights, and freedoms.
Right not to be subject to automated decision-making (Article 22 GDPR)	You have the right not to be subject to decisions based solely on automated processing, including profiling, unless certain exceptions apply.
Right to withdraw consent (Article 7(3) GDPR)	If processing is based on consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
Right to lodge a complaint with a supervisory authority (Article 77(1) GDPR)	You have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data infringes data protection regulations.
Right to mandate a not-for-profit organization (Article 80 GDPR)	You have the right to mandate a not-for-profit organization to exercise your rights on your behalf.
Right to compensation and liability (Article 82 GDPR)	You have the right to claim compensation for damages resulting from a GDPR infringement.

b. In accordance with the applicable legislation, you can exercise your rights directly by contacting us via email at dpo@spms.min-saude.pt. We will respond to your requests within 30 days, or within 60 days in complex cases, taking into account the complexity of the request and the number of requests, as provided in Article 12(3) GDPR.

10. Security Measures

a. SPMS, E.P.E. is committed to ensuring the confidentiality and security of personal data of users of the InovarSaúde portal.

b. To achieve this, SPMS, E.P.E. implements the necessary technical and organizational measures to protect such data against any unauthorized or unlawful processing, and against accidental loss or destruction.

c. SPMS, E.P.E. establishes and updates procedures for preventing unauthorized access and preventing accidental loss or destruction of personal data.

d. SPMS, E.P.E. regularly conducts training for employees on personal data protection, ensuring they have the necessary legal and technical knowledge when dealing with personal information. This training follows recognized best practices and fully respects the internally defined and implemented procedures. These measures underscore SPMS, E.P.E.’s commitment to safeguarding personal data and complying with data protection standards, aiming to protect the privacy and security of individuals using the InovarSaúde portal.

11. Disclaimer

a. All information provided through the InovarSaúde portal, including text, results, graphics, images, videos, or advice, serves exclusively informational purposes.

b. Considering the frequent changes in information, the clarifications provided on the InovarSaúde portal should not be considered comprehensive or exhaustive, nor should they serve as a basis for carrying out treatments or recommendations to any individual.

12. Are there cookies on the InovarSaúde portal?

a. Cookies are important in the activity of SPMS, E.P.E. and in the context of the functionality of the InovarSaúde portal, ensuring a smooth, efficient, and functional browsing experience.

b. SPMS, E.P.E. is completely transparent regarding the cookies it uses, requesting your consent whenever the type of cookies requires it. Additionally, it allows you to easily withdraw consent on the Inovar Saúde portal, thereby fulfilling your right to withdraw consent as legally provided.

c. In SPMS, E.P.E.’s Cookie Policy, you can obtain various information, including which cookies are used, their categories, how you can manage them in your browser, the duration of cookies, and whether they are accessible by third parties.

d. SPMS, E.P.E.’s Cookie Policy is always available and accessible here.

13. Hyperlinks and Social Media

a. SPMS, E.P.E. may provide hyperlinks to other websites of interest or partners, without assuming responsibility for the privacy policy, cookie policy, or terms of use of these sites, which are entirely the responsibility of those entities. Users are recommended to read them beforehand.

b. When accessing other websites through the provided hyperlinks, the entities responsible for those websites may collect personal information concerning you as a user, which will be processed for their own purposes.

c. When you choose to follow SPMS, E.P.E. on social media, interact, or access the InovarSaúde portal through these platforms, your personal data may be processed by the social media managers or the functionalities provided, according to their respective privacy policies, which we recommend reading.

14. International Transfers of Personal Data

a. The data of the data subject will, in principle, be processed within the European Economic Area, and we choose, if necessary and preferably, providers located within this geography.

b. Should SPMS, E.P.E. transfer personal data to third countries or international organizations outside the European Economic Area, it will strictly comply with applicable legal provisions, refraining from making international transfers of personal data to entities that do not provide guarantees for maintaining the level of protection required by the GDPR without the appropriate legal safeguards.

15. Data Communication

a. In the scope of the services provided by SPMS, E.P.E., data communication is a requirement to send you communications. The lack of this information naturally constitutes an obstacle to such sending, being the only resulting consequence.

16. Competent Forum

a. For the resolution of any disputes arising from the interpretation or application of this privacy policy, the parties agree that the competent forum, expressly waiving any other, shall be the Court of Lisbon.

17. Update and Version

a. This Privacy Policy may be revised and updated at any time, with such changes being duly advertised by SPMS, E.P.E. on the InovarSaúde portal, with an explicit mention of the date of update.

Version 1.0 – March 22, 2024