Privacy Policy
Updated: 23-10-2024
Introduction
This policy aims to define the general principles and rules applied by the National Institute for Rehabilitation to the Personal Data it collects.
It considers the applicable rules, standards and legal requirements, including a specific, explicit and informed notification about the processing of the data to its owners.
The Privacy Policy of the National Institute for Rehabilitation is effective as of October 2, 2018.
This is an exclusively internal privacy policy and applies to all Personal Data collected and processed belonging to employees of the National Institute for Rehabilitation, contractors, suppliers and other persons with whom it works and collaborates, on its premises and/or interacts with its internal systems.
This document is intended for all staff working for the Office, regardless of their employment relationship.
Description:
The National Institute for Rehabilitation collects and processes Personal Data in accordance with the following principles:
- Personal Data is processed lawfully, impartially and transparently (legality, impartiality and transparency);
- Personal Data is collected and processed for specific, explicit and legitimate purposes arising from the legislation in force and is not further processed in a way incompatible with these purposes (purpose limitation principle), namely for human resources management, payroll processing, physical and logical security control of data processing resources and procurement and contract management;
- Personal Data is kept adequate, relevant and limited to what is necessary in view of the purposes for which it is processed (data minimisation principle);
- Personal Data is accurate and, where necessary, rectified and updated (principle of accuracy).
The National Institute for Rehabilitation defines appropriate technical and organizational security measures to effectively implement the principles of protection of Personal Data, complying with the legislation in force, protecting the rights and freedoms of Data Subjects.
The National Institute for Rehabilitation imposes the same level of protection of Personal Data on all its Processors (service providers, suppliers, partners, etc.) through contracts.
The National Institute for Rehabilitation has an internal Personal Data Protection Organization responsible for ensuring compliance with the rules of Personal Data Protection, supported by the Data Protection Officer, Information Security and Personal Data Protection Area and Advisory Committee for Information Security and Personal Data Protection.
General principles
The National Institute for Rehabilitation undertakes to carry out an adequate management of Personal Data in accordance with the applicable rules and legislation. Therefore, it develops tools and implements actions with the aim of ensuring and monitoring the effectiveness of the protection of Personal Data.
The National Institute for Rehabilitation has several internal policies and procedures that make its employees aware of the importance of Personal Data Protection, providing them with operational guidance on how to comply with Data Protection legislation and monitor compliance with Personal Data Protection.
The National Institute for Rehabilitation establishes in this document a Privacy Notice to the holders of Personal Data that complies with the requirements of the legislation in force and guarantees a specific, explicit and informed notification to the Holders about the processing of their data. Responsibilities to notify leakages of Personal Data to the competent Supervisory Authorities are also defined.
The National Institute for Rehabilitation undertakes to carry out a training/communication program that sensitizes its employees on the subject of information security and privacy of personal data.
Privacy Notice
The National Institute for Rehabilitation collects and processes personal data for the sole and exclusive purpose of complying with legal, contractual or legitimate interest requirements.
The holders of Personal Data may exercise, at any time, the right to access, rectify, cancel, be forgotten or oppose the use of their personal data, including the revocation of consent, where applicable. To do so, they should contact the Data Protection Officer.
Data Subjects have the right to complain to the competent Supervisory Authority in case of violation of the applicable rules regarding the protection of Personal Data.
In the event of a proven leak of Personal Data, the Data Protection Officer of the National Institute for Rehabilitation will communicate it to the competent Supervisory Authorities and the data subject when justified.
Collection and Processing of Personal Data
Why and how Personal Data is collected
The National Institute for Rehabilitation collects Personal Data relating to the employment relationship with its employees; to persons and/or entities contracted by it; and to persons and/or entities with whom it establishes a collaboration and who have access to the systems and/or carry out work on its premises.
The information collected in this context may be processed for the purposes of relations between the National Institute for Rehabilitation and the Data Subject, in compliance with normative and / or legal obligations, to protect and defend the rights, interests, property and security of the National Institute for Rehabilitation, I.P., its employees or other persons with whom it collaborates.
What is the legal basis for the processing
The National Institute for Rehabilitation only collects and processes Personal Data if:
- the data subject has given consent to the Processing of his or her Personal Data for one or more specific purposes (where required); or
- the Processing is necessary for the performance of a contract to which you are a party, or to take action at your request before entering into a contract; or
- the Processing is necessary for compliance with a legal obligation to which the National Institute for Rehabilitation is subject; or
- Processing is necessary for the purposes of the legitimate interests of the National Institute for Rehabilitation except when these interests are overridden by the interests or fundamental rights and freedoms of the Data Subject, which requires the protection of Personal Data.
What is the period of retention of personal data
The National Institute for Rehabilitation keeps Personal Data in accordance with the retention periods imposed by the legislation in force, in particular taking into account its activities.
The National Institute for Rehabilitation never keeps Personal Data longer than necessary in accordance with the purposes for which it was collected and is being processed, including compliance with legal obligations (e.g.: auditing, public procurement, accounting and tax obligations), settling legal disputes and/or exercising your legal rights. Circumstances may vary depending on the context and type of Personal Data.
How Personal Data is Shared
The National Institute for Rehabilitation ensures that:
- Personal Data is not provided to third parties without the prior consent of its holders, where applicable;
- Personal Data is not sold or provided free of charge to companies that use it for direct marketing purposes or to other entities that use mailing lists to advertise products and/or services;
- It reserves the right to provide aggregated data (such as locality, age and others) for purposes considered to be of public utility, in particular in the context of statistical production. However, personal identification elements, such as the Name, ID Number, Citizen card or Tax Identification, or private information are not made available;
- It transfers Personal Data to third parties when it receives a request from a judicial authority or public authority with legal powers to do so, in accordance with the legal rules in force;
- It ensures the confidentiality and security of Personal Data during the transfer to the aforementioned recipients.
Security measures
The National Institute for Rehabilitation follows organizational and technological security standards, and effective practices in information security management, to protect the confidentiality, integrity and availability of information, and to provide confidence in inter-organizational exchanges, namely the international standard ISO/IEC 27001, and community standards, legislation and specific national recommendations on information security.
The National Institute for Rehabilitation has all appropriate technical and organizational measures to ensure a level of security of Personal Data appropriate to the risk and, in particular, to protect Personal Data against destruction, loss, alteration, unauthorized disclosure or accidental or unlawful access.
The National Institute for Rehabilitation has the appropriate technical and organizational measures to ensure the security of Personal Data, in all information systems that process them, namely the employee and intranet portal.
The same level of protection is contractually imposed by the National Institute for Rehabilitation on its Processors.
Any employee of the National Institute for Rehabilitation who, during their work, has access to Personal Data agrees to keep them in the strictest confidentiality under the confidentiality agreements entered into.
Right of access, rectification, updating and forgetting of data
In accordance with the applicable rules regarding the protection of Personal Data, if requested, the Data Subject may exercise, at any time, their right to obtain access, rectify, forget and transfer their Personal Data and also to restrict and oppose the Processing of their Personal Data.
The exercise of the rights of the Data Subject must be carried out with the Data Protection Officer.
When the Processing is based on the authorization of the Holder, they have the right to withdraw their authorization at any time.
In his/her own interest, the Data Subject should try to keep his/her data up-to-date and may, for this purpose, contact the Personnel Management Organization Department.
Data Subjects have the right to complain to the competent Supervisory Authority in case of violation of the applicable rules regarding the protection of Personal Data.
The Data Protection Officer
The Data Protection Officer informs and advises on the applicable requirements for the protection of Personal Data and monitors compliance with these requirements at the National Institute for Rehabilitation.
The Data Protection Officer shall cooperate and act as a contact point with the competent Supervisory Authorities and data subjects.
Changes to the Privacy Policy
The Personal Data Protection Policy may be changed by the National Institute for Rehabilitation whenever there is a need or legislative change. Notice of such changes is published in a revised version of the current Policy, which comes into force at the time of its publication.
The National Institute for Rehabilitation will notify the Holder of Personal Data of any change to the policy internally by WebLetter and by disclosing it on the Intranet.