Personal Data Protection Policy

Index

  • 1. Purpose and scope
  • 2. Concepts and principles
    • 2.1 Key concepts
    • 2.2 Principles governing the processing of personal data
  • 3. Lawful grounds, methods of collection and types of data and subjects
    • 3.1 Grounds inherent to data processing by AIM Cancer Center
    • 3.2 Purposes for which AIM Cancer Center processes personal data
    • 3.3 Methods of collection
    • 3.4 Types of data subjects
    • 3.5 Categories of personal data processed by AIM Cancer Center
  • 4. Rights of data subjects
    • 4.1 Information duties
    • 4.2 How information duties are provided
    • 4.3 Exercise of rights
    • 4.4 How data subjects exercise their rights
  • 5. Processing of personal data
    • 5.1 Guidelines
    • 5.3 Storage media
      • 5.3.1 Paper
      • 5.3.2 Digital
    • 5.4 Physical access
    • 5.5 Logical access to personal data
    • 5.6 Collection forms
    • 5.7 Documentation and compliance records
    • 5.8 Database compliance guidelines
    • 5.9 Use of information systems
  • 6. Internal personal data flows
  • 7. Data retention
  • 8. Subcontracted and Third-Party Entities
  • 9. AIM Cancer Center employees
  • 10. Data breach
  • 11. Data Protection Impact Assessments (DPIA)
  • ANNEX I – ANNEX XI
    • ANNEX I: Procedure for exercising data subject rights
    • ANNEX II: Procedure for forms collecting personal data
    • ANNEX III: Procedure for documentation and records of personal data processing
    • ANNEX IV: Procedure for internal personal data flows
    • ANNEX V: Procedure regarding personal data retention
    • ANNEX VI: Procedure for subcontracted and third-party entities
    • ANNEX VII: Processing of personal data of AIM Cancer Center employees
    • ANNEX VIII: Procedure in case of Data Breach
    • ANNEX IX: Procedure for Data Protection Impact Assessment (DPIA)
    • ANNEX X: Personal Data Protection Procedure to be adopted by staff
    • ANNEX XI: Personal Data Protection Procedure to be adopted by Human Resources

1. Purpose and scope

AIM LIFE, Lda. (AIM Cancer Center) values privacy and the protection of personal data, adopting practices and tools in the field of data security and protection, and ensures compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data – General Data Protection Regulation (GDPR) – and with Law no. 58/2019 of 8 August, which ensures the GDPR’s implementation in Portuguese law.

AIM Cancer Center applies appropriate technical and organisational security measures to ensure that the processing of personal data is lawful, fair, transparent and limited to authorised purposes, and that the security level is appropriate to the risk, in compliance with the GDPR.

Accordingly, this procedures manual and its annexes define the general principles and rules to be applied by AIM Cancer Center as the Controller of the personal data it collects.

The personal data protection policy now being implemented is associated with a set of procedures and aims to clarify and regulate how AIM Cancer Center, its staff and collaborators must comply with the legal provisions mentioned.

Managers of each area must ensure that their activity and processes comply with AIM Cancer Center’s data protection policy, by training their staff, who must follow and comply with all established procedures as an inseparable obligation of their duties.

Compliance with the personal data protection policy is mandatory for all AIM Cancer Center employees, for management, as well as for all those who collaborate with AIM Cancer Center.

This Policy forms part of a broader set of AIM Cancer Center’s privacy and data protection documents. It must be read in conjunction with the Privacy Policy, the Cookies Policy, the Terms and Conditions, the existing data processing subcontracting agreements, and AIM Cancer Center’s Joint Responsibility and Subcontracting Policy.

In case of doubt, clarifications must be requested from AIM Cancer Center.

2. Concepts and principles

2.1 Key concepts

a. Personal data: information relating to an identified or identifiable natural person. A person is considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier. Examples include:

  • Name;
  • Address or email address;
  • CV;
  • Social Security number or Tax ID;
  • Vehicle registration;
  • Location data;
  • CCTV recordings;
  • Payslips;
  • Business cards.

b. Special data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for unique identification, health data or data relating to a person’s sex life or sexual orientation.

c. Processing of personal data: any operation or set of operations performed on personal data, whether by automated or non-automated means, such as collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, transmission, interconnection, restriction, erasure or destruction.

d. Controller: the entity (public or private) which, alone or jointly with others, determines the purposes and means of processing personal data. In AIM Cancer Center’s context, it usually acts as Controller of the data it collects, but may also act as Processor or Joint Controller in specific cases.

e. Processor: the entity (public or private) that processes personal data on behalf of the Controller;

f. Third party: an entity (public or private) that is neither the data subject, the Controller nor the Processor, but is authorised to process personal data;

g. Responsible area: the AIM Cancer Center area responsible for each operation involving personal data processing, i.e. the area defining the purposes and means of that processing;

h. Third area: an AIM Cancer Center area that is not responsible but requires access to data processed by another area;

i. Data Breach: a personal data breach resulting from a security failure (physical or logical) that compromises confidentiality, integrity or availability (i.e. destruction, loss, alteration, unauthorised access or disclosure);

j. Data Protection Impact Assessment (DPIA): a prior procedure to be carried out whenever processing, particularly involving new technologies and considering its nature, scope, context and purposes, is likely to result in a high risk to the rights and freedoms of natural persons.

k. Data Protection Officer (DPO): designation and functions disclosed through Service Order and notified to the national data protection authority.

2.2 Principles governing the processing of personal data

In collecting and processing personal data entrusted to them, AIM Cancer Center staff and collaborators must comply with the following principles:

  • Transparency, lawfulness, fairness: processing must be lawful, fair and transparent;
  • Data minimisation: processing must be adequate, relevant and limited to what is necessary;
  • Purpose limitation: data must be processed for specified, explicit and legitimate purposes only, and retained only as long as necessary or required by law;
  • Accuracy: only accurate and up-to-date data should be processed;
  • Data protection by default: by default, only data necessary for each purpose should be processed (amount, scope, retention, access);
  • Data protection by design: at the time of defining processing means and during processing, appropriate technical and organisational measures must be applied to guarantee these principles and the exercise of rights, ensuring confidentiality, integrity and availability. Processing must also be documented for accountability.

3. Lawful Grounds, Methods of Collection and Types of Data and Subjects

3.1 Grounds inherent to data processing by AIM Cancer Center

All data collected and processed by AIM Cancer Center are based on one of the following lawful grounds:

  • Consent: when collection and processing are preceded by the data subject’s explicit, specific, free and informed consent, in writing or online. For example, consent is obtained when a data subject provides personal data for a proposal or subscription to direct marketing. Where processing relies on consent, it must expressly mention the purpose and refer to AIM Cancer Center’s Privacy Policy;
  • Performance of a contract or pre-contractual steps: when processing is necessary for executing a contract to which AIM Cancer Center and the data subject are party, or for pre-contractual steps. This includes supply or service contracts;
  • Compliance with legal obligations: when processing is required to fulfil a legal obligation, e.g. communicating data to public bodies (national or EU), tax, police or judicial authorities;

Legitimate interest: when processing is necessary for AIM Cancer Center’s or third parties’ legitimate interests, provided data subjects’ rights and freedoms are not overridden.

3.2 Purposes for which AIM Cancer Center processes personal data

Data collected are only processed for specific, explicit and legitimate purposes, identified at the time of collection. Main purposes include:

  • Drafting, negotiating and executing contracts with clients, staff, service providers, suppliers, users and others;
  • Managing events organised by AIM Cancer Center;
  • Sending newsletters;
  • Physical security of premises and people;
  • For initiating or defending legal proceedings;
  • For preventing fraud or unlawful activity (e.g. IT attacks).

3.3 Methods of collection

AIM Cancer Center only collects adequate, relevant and limited data necessary for the purposes. Collection may be on paper (forms/contracts), or digitally (email, messaging, WhatsApp, links, social media), according to annexed procedures. Generally, data are collected directly from the subject.

3.4 Types of data subjects

Data may be collected and processed from:

  • Clients and their staff;
  • Users;
  • Service providers and their staff;
  • Applicants and interns;
  • Event participants;
  • Visitors to AIM Cancer Center premises.

3.5 Categories of personal data processed by AIM Cancer Center

Depending on purpose (3.2), AIM Cancer Center may collect:

  • Identification data (e.g. name, place of birth, ID card, date of birth);
  • Physical characteristics (e.g. height, weight, age, gender);
  • Behavioural data (e.g. eating or exercise habits);
  • Medical and health data (e.g. conditions, treatments, test results);
  • Personal situation (e.g. household composition, dependants’ ages);
  • Contact data (e.g. phone, address, email);
  • Education and professional data (e.g. qualifications, CV);
  • Banking/financial/transaction data (e.g. IBAN, tax number);
  • Location data (e.g. IP address);
  • Images from CCTV, subject to applicable law.

4. Rights of data subjects

4.1 Information duties

By law, AIM Cancer Center must provide data subjects with information on how their data are processed, at collection or within a reasonable time if collected from another source, in line with transparency. Information includes:

  1. Identity and contacts of the Controller (AIM Cancer Center);
  2. DPO contact details;
  3. Processing purpose(s);
  4. Lawful basis;
  5. Legitimate interests (if applicable);
  6. Recipients or categories of recipients;
  7. Transfers outside the EU (if applicable);
  8. Retention period or criteria;
  9. Existence and exercise of rights (access, rectification, erasure, objection, restriction, portability);
  10. If based on consent, right to withdraw it anytime without affecting previous lawful processing;
  11. Right to lodge a complaint with a supervisory authority.

4.2 How information duties are provided

This information is in AIM Cancer Center’s publicly accessible Privacy Policy on its website. All collection forms/contracts must reference it. Updates are published online.

4.3 Exercise of rights

Data subjects can exercise rights at any time:

  • Access: know how data are processed;
  • Rectification: correct inaccurate/incomplete data;
  • Erasure (“right to be forgotten”): delete data when no valid grounds for retention exist, if legally allowed;
  • Restriction: suspend or limit processing; data kept but not used without consent or overriding grounds;
  • Portability: request digital copy or transfer to another controller (only if based on consent/contract and automated);
  • Objection: object to certain processing (e.g. marketing), except where overriding legitimate interests exist;
  • Withdrawal of consent: when consent is the only legal basis.

Right to lodge a complaint with CNPD (supervisory authority).

4.4 How rights are exercised

ANNEX I describes the procedure for exercising rights and processing requests, including deadlines.

5. Processing of personal data

5.1 Guidelines

Disclosure of personal data is prohibited, including informal sharing. Access requiring specific profiles must follow established procedures. Data must be regularly reviewed/updated and deleted if no longer needed, unless legal grounds prevent deletion. All processes must be documented and known by the Operations Director. International transfers require special safeguards and Operations Director approval. Approved templates must be used for contracts/legal texts involving data.

Queries on data protection must be referred to the Operations Director.

5.2 Storage media

5.2.1 Paper

Documents with personal data must be stored in restricted areas.

Controls:

  • a) Control access to files/documents containing personal data, especially sensitive data;
  • b) Ensure no documents are left exposed; use shredders for disposal.

5.2.2 Digital

Digital data must be protected against unauthorised access, accidental deletion or cyberattacks.

Controls:

  • a) Use robust authentication and access profiles;
  • b) Encrypt portable/removable devices;
  • c) Store devices securely;
  • d) Save all data to central systems, avoid local storage;
  • e) Encrypt data for transfers outside AIM Cancer Center;
  • f) Securely erase information from decommissioned equipment.

5.3 Physical access

External access to AIM Cancer Center premises must be controlled, especially where data are processed.

5.4 Logical access

Data must be protected with credentials and validated profiles. Logging must prove effectiveness. Data cannot be accessed/modified without authorisation.

5.5 Collection forms

Collection via forms must follow procedure in ANNEX II.

5.6 Documentation and compliance records

To demonstrate compliance, responsible areas must follow procedures in ANNEX III.

5.7 Database compliance

All databases containing personal data must comply with this Policy.

5.8 Use of information systems

Use of systems must follow procedures; encryption with access control is strongly recommended.

6. Internal personal data flows

Internal data flows mean transfer of data between AIM Cancer Center areas. One area may need data from another to complete a process. Such transfers must be regulated and documented, following procedures in ANNEX IV.

7. Data retention

The processing of personal data must comply with the principle of storage limitation, i.e., data must be retained only until the purpose for which they were collected has been fulfilled; once that period has ended, and if there are no other grounds justifying longer retention, the defined procedures must be carried out, e.g., deletion or anonymisation.

The procedures and principles applicable to data retention are set out in ANNEX V.

8. Subcontracted and Third-Party Entities

This section addresses how personal data processing must be framed under the applicable legislation in the relationships that AIM Cancer Center establishes with other entities.

This framework involves identifying the type of entity (Processor or Third Party), formalising contracts or other legal agreements that include specific, validated clauses on personal data processing, as well as how the transfer of such data will be carried out (including identifying whether this transfer occurs to third countries outside the European Union).

The procedures to be followed by responsible areas in dealings with other entities within the scope of personal data protection are set out in ANNEX VI.

9. AIM Cancer Center staff

The processing of personal data of AIM Cancer Center employees and collaborators shall always comply with the legal and regulatory provisions applicable to personal data protection.

The procedures and principles applicable to the processing of employees’ and collaborators’ personal data are set out in ANNEX VII.

10. Data breach

A ‘data breach’ is considered to be a personal data breach arising from a security failure resulting in unauthorised disclosure of personal data or their destruction/alteration.

A ‘data breach’ may potentially have a number of significant adverse effects on data subjects, which may result in material or non-material damage.

It is therefore essential to adopt not only preventive measures to avoid personal data breaches, but also corrective measures that ensure immediate remediation and minimisation of the effects of a data breach.

The procedures and principles applicable to the prevention and handling of a data breach are set out in ANNEX VIII.

11. Data Protection Impact Assessments (DPIA)

Whenever there are new situations likely to entail high risks to the rights and freedoms of natural persons, a Data Protection Impact Assessment (DPIA) must be carried out. The purpose of a DPIA is to assess and identify the risks of a particular operation for personal data protection, allowing, on the one hand, the anticipation of potential constraints and, on the other, the adoption of measures that minimise or eliminate the risks identified.

The procedures and principles applicable to conducting a DPIA are set out in ANNEX IX.

 

ANNEX I: Procedure for exercising data subject rights

1. Purpose and scope:

Data subjects must be able to exercise their rights in accordance with national and EU legislation on this matter. This procedure regulates how the request is collected and handled through to completion.

2. Intended audience:

  • a) Data subjects;
  • b) Staff who receive requests from data subjects;
  • c) Areas responsible for executing such requests.

3. Method:

All data subject requests must be submitted in writing through the formal channel provided for this purpose, i.e., whenever a data subject wishes to exercise their rights, they must be advised and directed to AIM Cancer Center’s website page on the privacy policy. On that page, the data subject can consult all relevant information on this topic and access the contact for the OPERATIONS DIRECTOR, to whom the requester may submit their request.

4. Request handling:

Receipt and management of data subject requests are centralised with the OPERATIONS DIRECTOR, who then forwards them to the responsible areas for execution.

Execution of the request must cover all repositories containing that data subject’s personal data and comply with the set deadlines (see 5. below). Execution may be legally constrained in certain situations. In case of doubt, seek support from the OPERATIONS DIRECTOR.

Once the request has been executed, the responsible area must inform the OPERATIONS DIRECTOR of all actions taken and provide any clarifications deemed necessary.

The request is concluded by the OPERATIONS DIRECTOR, who then notifies the data subject.

5. Legal deadlines:

Data subject requests must be executed within a maximum of 30 days (counted from the date of entry into AIM Cancer Center’s system to the date of response to the data subject).

After this period, AIM Cancer Center is in breach of a legal provision; therefore, in case of doubt or if for any reason it is not possible to respond within the deadlines, the OPERATIONS DIRECTOR of AIM Cancer Center must be contacted and informed of the reason for non-compliance.

ANNEX II: Procedure for forms collecting personal data

1. Purpose and scope:

This procedure regulates the collection of personal data through electronic forms defined by AIM Cancer Center.

2. Intended audience:

  • a) The areas responsible for the forms, i.e., those that define their content and/or request their publication online or otherwise, are responsible for ensuring these recommendations are implemented. They must coordinate with the competent areas or entities tasked with their technical implementation.
  • b) The areas or entities competent for the technical implementation of the forms.

3. Prerequisites:

Use of tools within AIM Cancer Center’s information services.

The use of external platforms requires prior analysis and written regulation (formal agreements / contracts / data processing agreements) to certify their compliance with national and EU personal data protection laws.

4. Rules for building forms that process personal data:

Typically, a web page supporting a form includes an introductory information text describing the objective and reasons for collecting the information. This text must include, in a specific paragraph, a description of the specific, legitimate and explicit purposes for which the personal data are collected/processed.

The collection of personal data must follow the principle of data minimisation, i.e., only the data strictly necessary for the intended processing should be requested.

Abstract example of a form:

<Information Text>

<Form:

Field 1 [ ) *

Field 2 ( ]

Field 3 ( ) >

Where a form collects personal data, the following mandatory field must be added at the end regarding the request for consent (GDPR):

[ ] I authorise the processing of the personal data collected in this form for the purposes described above. I acknowledge having read AIM Cancer Center’s privacy policy.

 

NOTES:

  • There must be a hyperlink in the words “privacy policy” to the corresponding page on AIM Cancer Center’s website;
  • The GDPR tick-boxes for these specific questions must not be pre-ticked. The data subject must take a positive, informed and unambiguous action;

The GDPR field text reproduced here must only be altered where there is a positive opinion from the OPERATIONS DIRECTOR for that purpose.

5. Optional consents:

Optional consent requests must be itemised and allow the data subject to refuse any they wish.

Example:

[ ] I agree to receive newsletters or other information related to AIM Cancer Center’s activity.

6. Transfer of data to third countries:

Whenever there is, or may be, a transfer of personal data to third countries (outside the European Union), the following text must be included in the description of purposes (or a similar version, following consultation with the OPERATIONS DIRECTOR):

“There may be a transfer of your personal data to all entities involved in managing the programme in question, even if located in third countries; in the latter case, this transfer may entail risks to your rights due to a lack of safeguards in those countries compared to EU and national personal data protection rules.”

7. Technical implementation of forms:

  • Double Opt-In: The “Double Opt-In” concept must be implemented whenever the legal basis is the direct electronic collection of the data subject’s explicit and informed consent. For example, in cases of periodic email communications.
  • Proof record: All forms must have associated records enabling AIM Cancer Center to prove that consent was given by the data subject. Such records must include:
    • Description of the purpose for processing the personal data;
    • All form fields; for GDPR consent fields, store the exact text associated with each tick-box;
    • Date and time of registration;
    • When using “Double Opt-In”, the IT system should record, preferably in a database, the various interactions with the data subject, store copies of emails sent and the data subject’s acceptance/consent. Since the final acceptance is generally by clicking a URL or button, the system may generate an internal control email with the date/time of consent and store it together with the emails sent;
    • The AIM Cancer Center area responsible for the form;
    • Final data retention date (after which deletion will take place);
    • Other data serving as proof of consent;
    • All proof elements must be appropriately safeguarded with access controls.

8. Documentation:

Each personal data processing activity must be minimally documented. See the specific procedure in ANNEX III for more information.

9. Data retention period:

Personal data must be deleted after the stipulated period.

The area responsible for the processing shall ensure compliance with the retention/deletion deadlines as established.

For more information, see ANNEX V.

ANNEX III: Procedure for documentation and records of personal data processing

1. Purpose and scope:

This procedure regulates the documentation and record of evidence associated with each personal data processing activity.

Entities are required to keep a record of all personal data processing under their responsibility, which must include:

  • Type of data processed;
  • Purposes;
  • Description of categories of data subjects and recipients;
  • Security measures;
  • Retention period;
  • Legal basis (consents, contracts, others).

2. Intended audience:

Areas responsible for personal data processing

3. Method – Digital:

Each area must request support from the IT area so that, within the area’s network directory (“File system”) in the “GDPR” folder of AIM Cancer Center, a subfolder is created with the name of that area. The request must indicate which staff will have access and must be copied to the OPERATIONS DIRECTOR.

3.1. Contents of the digital folder:

Each area responsible for processing must organise by type of processing.

Each processing activity should be documented succinctly and objectively, as per point 1.

Examples of possible contents:

  • Documentation of the various personal data processing activities existing in each area;
  • Evidence of consent where not obtained by automated means (previously validated by the OPERATIONS DIRECTOR);
  • Processor contracts;
  • Procedures associated with personal data processing.

3.2 Consent:

Whenever processing is based on consent, it is extremely important for AIM Cancer Center to retain the elements that evidence such consent.

If consent is recorded digitally via applications adapted for this requirement, the proof is automatically stored in AIM Cancer Center’s systems (in case of doubt, seek clarification from IT or the OPERATIONS DIRECTOR).

For other situations, all elements constituting proof must be placed in the folder referred to in point 3 above, including any paper consents, with originals stored in a protected and secure location and a scanned copy in the folder.

3.3 Processor contracts:

Whenever a new contract is entered into with Processor-type entities (see ANNEX VI), originals must be stored in a protected and secure location, with a scanned copy in the folder.

ANNEX IV: Procedure for Internal Personal Data Flows

1. Purpose and scope:

This procedure regulates the internal flow of personal data between AIM Cancer Center areas, i.e., transfer of personal data between areas.

Certain processes may require personal data to be completed (for example, arranging health insurance for AIM Cancer Center employees, where the area responsible for the contracting process needs HR to provide certain personal data of AIM Cancer Center employees).

2. Intended audience:

All AIM Cancer Center areas that may need access to personal data stored in repositories to which they do not have access.

3. Responsible area:

Each repository/database has at least one responsible area, which determines the purposes and means of such processing.

4. Operationalisation:

The area needing access to personal data submits a request to the area responsible for those data. This request must include the following mandatory information:

  • Identification of the requesting area;
  • Identification of the staff in that area requiring access;
  • Type of repository/database to be accessed;
  • Type of personal data requested (e.g., name, address, Tax ID, date of birth, among others);
  • Purpose of access (explain why access to those data is needed);
  • Data retention period (state the time period during which the data will be processed, committing to delete them once the period ends).

The area responsible for the personal data analyses the request and validates it on the basis of the following criteria:

  • Adequacy: assess the adequacy of the purpose for which the data are requested by the third area;
  • Necessity: assess whether, in light of the stated purpose, there is an actual need for full or partial access to the personal data requested;
  • Proportionality: beyond necessity, verify whether access is proportionate considering potential risks to data subjects’ rights and freedoms.

The response from the responsible area must include:

  • Approval or refusal of access;
  • Reasoning for the decision;

If approved, it must also state:

  • Period during which the shared data may be used;
  • Any limitations or restrictions.

Where approved, access may be granted by one of the following means:

  1. Granting application access to the staff listed in the request, auditable and limited to the strictly necessary personal data and for the necessary time only.
  2. Sending a file with that information to the requesting area, via a shared logical folder in AIM Cancer Center’s information system, accessible only to the staff named in the request by the third area.
  3. Sending the file by email; in this case, the file must be encrypted and the password communicated by another channel, e.g., telephone.

Sending unencrypted files containing personal data by email should be avoided (to prevent possible data breaches).

Use of a Ticketing System by Data-Responsible Directorates is recommended to support and document these requests. Otherwise, all documentation must be kept in accordance with ANNEX III.

5. Situations requiring involvement of the OPERATIONS DIRECTOR:

Depending on the type of data, the purpose for which access is required, or the period during which the third area intends to retain them, it may be necessary to seek an opinion from the OPERATIONS DIRECTOR. The responsible area must make this assessment and, in case of doubt, request the opinion.

The OPERATIONS DIRECTOR must also be consulted if there is any doubt about the mandatory documentation to be retained for each request.

ANNEX V: Procedure regarding retention of personal data

1. Purpose and scope:

All documents containing personal data must respect the storage limitation principle regarding their retention period.

Data must be retained until the end of the purpose for which they were collected, until the end of legally imposed retention periods for such data, or until the conclusion of legal proceedings justifying their retention.

Each area must identify, for each personal data processing activity, the maximum retention periods and create procedures to execute when those periods are reached. In case of doubt, AIM Cancer Center’s legal area must be consulted.

2. Intended audience

All AIM Cancer Center areas.

3. Retention/Archiving periods (guidance)

Retention periods are defined by law or by internal procedures.

The following points serve as guidance and must always be validated with the responsible entities (e.g., programme managing authorities, internal legal area, …):

  • Commercial, financial and tax documentation:
    Must be retained for 10 years after the end of the commercial relationship. Where personal data of company contacts are not necessary to substantiate accounting records, there is no legitimacy to retain them after termination of the contract, and they must therefore be deleted upon the end of the contractual relationship.
  • Employment documentation:
    In light of limitation periods and various legal provisions, the following retention periods should be observed for AIM Cancer Center staff documentation:

    • Biometric data: retain only for the period necessary to pursue the processing purposes (attendance control) and destroy after termination of the employment relationship or if the worker is transferred to another workplace (Article 18(3) of the Labour Code);
    • Contractual and social security documentation: (e.g., employment contract, documents related to termination, holiday records, working time schedules, individual employee records, disciplinary sanction records, training plans and proof of training actions, annual staff consultation on occupational safety, hygiene and health matters, notifications of hiring and termination) must be retained for at least 5 years after termination of the employment contract;
    • Documentation required for tax purposes: (e.g., payslips, withholding tax, Tax Authority reports) must be retained for 10 years after termination of the employment contract;
    • Occupational safety and health documentation: AIM Cancer Center must keep available for the competent supervisory entities, for 5 years after the end of the employment relationship, the records relating to occupational safety and health activities (e.g., results of professional risk assessments, list of sick leave situations and number of days of absence to be provided by HR; in the case of occupational diseases, the list of reported cases; list of measures, proposals or recommendations issued by the safety and health at work service).
    • Recruitment processes: (CVs, application assessments, interviews) must be retained for 5 years after the end of the recruitment process;
    • Other personal data of AIM Cancer Center staff: not covered by the above categories (e.g., family members’ data, driving licence or others) must be anonymised or deleted within a maximum of 10 years after the end of the contractual relationship.
  • Video surveillance:
    Images collected by a lawfully installed CCTV system must be retained for a maximum of 30 days, after which they are destroyed, and may only be used under criminal and criminal procedural law.
  • Data relating to training, missions or catalogues:
    Where there is no specific legislation determining retention periods, and applying a necessity/proportionality assessment, such personal data of guests and participants must be retained for as long as necessary to fulfil the purposes for which the data were requested (unless there is another purpose requiring a longer retention period, namely documentation needed for tax purposes);
  • Data relating to AIM Cancer Center’s general purposes: (newsletters, website, company contact files):
    Data may be retained for as long as the purpose for which they were collected persists, on the understanding that the right to erasure or withdrawal of consent must always be guaranteed.

ANNEX VI – Procedure for Processors and Third Parties

1. Purpose and scope:

Entities that interact with AIM Cancer Center, as the controller of personal data, can be of two types:

  • Processors: a public or private entity that processes personal data on behalf of AIM Cancer Center (the controller) and for the purposes defined by it;
  • Third Parties: a public or private entity that processes personal data to fulfil purposes arising from the exercise of its own activity, with AIM Cancer Center not determining the means or the purposes of that processing.

The essential difference between these two types of entities is that a processor processes personal data in the name and on behalf of AIM Cancer Center and according to its instructions. AIM Cancer Center must only engage processors that provide sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the GDPR’s requirements for the security, integrity and confidentiality of data and ensures the protection of data subjects’ rights. This specificity requires that the relationship with processors must be governed by a written contract that sets out how the processing is carried out and which measures the processor adopts to ensure the security and confidentiality of the processed data. Processors may not appoint another processor (sub-processor) without AIM Cancer Center’s prior written specific or general authorisation. A general authorisation may be granted, in which case the processor must inform AIM Cancer Center in writing of the identification of such further processors (thereby giving AIM Cancer Center the opportunity to object to a proposed appointment).

With regard to third parties, although they may have access to AIM Cancer Center’s personal data, they process such data to accomplish purposes arising from the exercise of their own activity, with AIM Cancer Center not determining the means or the purposes of such processing.

2. Identification of related entities by type

In line with the distinction established above, below is a (non-exhaustive) list of the types of entities to whom AIM Cancer Center communicates personal data, and the respective purpose of such communication:

  • Processors:
    • External consultants (for audit or advisory purposes);
    • Occupational health provider (for the provision of occupational health services);
    • Insurance broker (for managing personal accident insurance for employees);
    • Travel agency (for managing and booking travel and accommodation);
    • Recruitment entities;
    • Law firms (representation in legal proceedings);
  • Third parties:
    • Social Security (for registration with district centres);
    • Labour Compensation Funds (FGCT and FCT registration);
    • Works Council (for statutory functions);
    • Courts and enforcement agents (management of wage garnishment notifications);
    • Training entities (for training and issuing training certificates);
    • Airlines and hotels (for direct purchase of flights and accommodation);
    • Police authorities (PSP and/or GNR) (for managing administrative offence proceedings);

If you have any doubt about an entity’s type, contact AIM Cancer Center’s OPERATIONS DIRECTOR.

3. Contracting

Contracts with entities that may, by any means or medium, access personal data—processors or third parties—must use approved templates defined for this purpose (see templates provided by the Legal Department).

Templates for processors require greater detail and must include clauses addressing:

  • Object of processing (specification of the services provided);
  • Nature and purpose of processing (specification of the purposes);
  • Categories of data subjects;
  • Types of personal data (identification data, contact details, financial situation, qualifications, etc.);
  • Technical and organisational measures to be used by the processor, namely measures for access control, storage, transmission and deletion.

Each responsible area must ensure the appropriate templates are used.

Whenever contracts with processors are concluded as defined above, they must be digitised in accordance with ANNEX III and disclosed to the OPERATIONS DIRECTOR.

4. Transmission of personal data to Third Parties

4.1 Request

Each responsible area must analyse any requests for information that involve transmitting personal data from AIM Cancer Center repositories/databases.

This analysis must follow these points:

  • Upon receiving the access request, the responsible area must verify that the following mandatory information has been provided:
    • Identification of the Third Party;
    • Type of personal data for which access is sought (description of the categories—e.g., name, email, Tax ID, etc.);
    • Purpose (justification) and legal basis for access: compliance with a legal obligation (stating the specific legal basis); public interest; or the Third Party’s legitimate interest;
  • If the mandatory information has not been provided, the responsible area must request it from the Third Party. If it is not provided, access must not be granted;
  • Once the mandatory information is received, the responsible area must assess the request based on the following criteria:
    • Lawfulness: confirm the existence of one of the conditions for lawful access/communication: (i) legal obligation (stating the legal basis); (ii) public interest; (iii) legitimate interest of the Third Party;
    • Necessity: assess whether, in light of the purpose, there is an actual need for full or partial access to the requested personal data.

If the request is granted, the following message must accompany the transmission:

“The information hereby provided is intended for [insert purpose]. To the extent that it contains personal data, such data may only be used for the purpose stated above and not for different purposes (for the benefit of the recipient or any other Third Party). The data must be processed in accordance with national and EU legislation governing the processing of personal data.”

All requests for access/information and respective responses must be recorded in accordance with ANNEX III.

4.2 Outside the European Union

Communications of data to entities located in third countries (outside the EU/EEA) require a stricter procedure, and AIM Cancer Center may only transfer data to third countries or international organisations that provide adequate safeguards under the GDPR.

Each responsible area must identify such situations (transfers to third countries) and, in case of doubt, consult the OPERATIONS DIRECTOR.

As a rule, data transfers to third countries should only take place if:

  • The country is subject to an adequacy decision by the European Commission;
  • There are binding corporate rules applicable to companies within the same Group;
  • There is a contract between the entities with Standard Contractual Clauses adopted/approved by the European Commission.

If none of the above can be fulfilled (as occurs in many situations), data may only be transferred if:

  • The data subject has given explicit consent to the transfer after being informed of the possible risks due to the lack of an adequacy decision and appropriate safeguards;
  • The transfer is necessary for the performance of a contract between the data subject and AIM Cancer Center, under the terms of that contract;
  • The transfer is necessary for the conclusion or performance of a contract concluded in the data subject’s interest, under the terms of that contract.

4.3 Method of transmission

The method of communicating personal data to other entities is especially relevant, since sending information/data through insecure means, or to the wrong recipients, may compromise the security and confidentiality of personal data and constitute a personal data breach (see ANNEX VIII).

Therefore, each employee must take maximum care when communicating personal data to external entities, always prioritising the method that ensures the highest possible level of data security.

To mitigate security risks when communicating with other entities, follow these recommendations:

  • Whenever possible, transmit data through the entities’ official portals (e.g., Tax Authority or Social Security portals);
  • If transmission via portals is not possible, files containing personal data must be sent in encrypted form with a password, according to the IT department’s recommendations.

ANNEX VII – Processing of AIM Cancer Center Employees’ Personal Data

1. Purpose and scope

This annex explains how AIM Cancer Center processes employees’ personal data. For this document, “employees” refers to workers (regardless of the type of employment contract: fixed-term, secondment, secondment of service) and interns. The controller of your personal data is AIM Cancer Center and, as such, it will always follow the applicable laws and regulations on personal data protection.

2. Legal grounds for processing by AIM Cancer Center

AIM Cancer Center will process employees’ personal data as necessary for the performance of their employment contract and to comply with legal obligations arising from that contract (e.g., reporting data to tax authorities or to occupational health and safety providers), as well as based on AIM Cancer Center’s legitimate interests in managing the contractual relationship (e.g., attendance and safety control).

3. Purposes for which AIM Cancer Center processes personal data

Personal data collected by AIM Cancer Center are processed for specific, explicit and legitimate purposes, used solely for the purposes identified at the time of collection. AIM Cancer Center mainly collects and uses these personal data to manage the performance of the employment contract (including career management, training management, managing and contracting insurance and other benefits, payroll, access management to AIM Cancer Center facilities and equipment, organising business travel, and complying with health and safety at work obligations).

AIM Cancer Center may also process these personal data to comply with legal obligations (e.g., communications to tax and social security entities) and court orders, as well as to exercise or defend AIM Cancer Center’s legitimate rights in court or within project support that includes hiring personnel.

4. Methods of collection

AIM Cancer Center only collects personal data that are adequate, relevant and limited to what is necessary for the purposes for which they are processed. Data collection may be oral or written (namely via the curriculum vitae, the employee’s individual file, identification documents, and the employment contract).

As a rule, AIM Cancer Center collects personal data directly from each employee, but data may also be collected from third parties, namely medical fitness certificates issued by occupational health and safety providers, as provided by law.

5. Categories of personal data processed by AIM Cancer Center

To carry out the above purposes, AIM Cancer Center processes the following types of personal data:

  • Identification data, such as name, photo, gender and date of birth;
  • Identification documents, such as ID card, passport, details regarding visa applications, driver’s licence, Tax ID (NIF) and Social Security number (NISS);
  • Contact details, such as address, mobile number, email, and contact details of emergency contacts and/or next of kin;
  • Details related to the role performed, such as job title, professional category, work location(s), schedule, seniority, evaluations, disciplinary records, absences and holidays;
  • Information regarding academic and professional qualifications;
  • Financial data, such as salary level, withholdings and bank details;
  • Information regarding pensions and other benefits, such as pension contributions, allowances, insurance and equipment provided or funded by AIM Cancer Center;
  • Information related to the use of systems, facilities and equipment provided by AIM Cancer Center, such as your computer ID and/or other device IDs, information on access to AIM Cancer Center facilities and CCTV recordings;
  • Information regarding health and safety, such as records of occupational accidents, medical certificates and medical reports assessing fitness for work.

6. With whom AIM Cancer Center shares employees’ personal data

AIM Cancer Center only allows access to employees’ personal data to those who need it to carry out tasks and duties associated with contractual or legal obligations, as well as to third parties that have a legitimate purpose for accessing such data.

Whenever access to personal data is granted, appropriate measures are adopted to ensure access only to strictly necessary data, as well as their integrity and confidentiality.

Internally, in addition to the Human Resources area (responsible for managing employees’ data), these personal data are only shared with other areas of AIM Cancer Center to the extent necessary (e.g., for payroll, to manage business trips or travel to fairs or other events).

Externally, certain personal data are made available to suppliers/processors that provide services to AIM Cancer Center, on a need-to-know basis and in accordance with applicable legislation. For example, personal data are shared with third parties or processors for managing employee travel, contracting insurance, archiving solutions (physical and digital), and occupational health and safety services.

Personal data may also be disclosed to third parties for other legitimate reasons, such as:

  • To comply with legal obligations, including when necessary to comply with a legal requirement or court order (e.g., transmission of data to tax and social security authorities, as well as to courts and enforcement agents or to AIM Cancer Center’s Works Council);
  • When necessary for AIM Cancer Center’s or third parties’ legitimate interests (including public and ministerial bodies);
  • When transmission arises from obligations inherent to duties under the employment contract.

For additional information on these third parties or processors, contact the area responsible for providing the data or, in case of doubt, the Human Resources area.

7. Data retention period

AIM Cancer Center will retain employees’ personal data for up to one year after termination of the employment relationship, except for data which, by legal requirement, must be retained for longer periods. AIM Cancer Center seeks to ensure that employees’ personal data are maintained and, where applicable, deleted or destroyed securely, in accordance with existing policies, guidelines and rules on personal data retention.

8. Data subject rights

See the Personal Data Protection Policy, Exercise of Rights.

ANNEX VIII – Procedure in case of Personal Data Breach (“Data Breach”)

1. Purpose and scope

A “data breach”—for GDPR purposes—is a personal data breach, intentional or accidental, that can lead to the destruction, loss, alteration, or unauthorised disclosure of personal data. It also encompasses situations where the confidentiality, integrity or availability of such data is compromised.

The following examples constitute actual or potential “data breaches”:

  • Unauthorised disclosure of data by hackers or due to protection/security failures;
  • Sending an unencrypted file containing various personal data of a set of AIM Cancer Center employees (for this document, includes workers and interns) to an incorrect recipient;
  • Theft or loss of a device containing repositories of personal data that is not encrypted;
  • Obsolete/waste material leaving AIM Cancer Center premises without having ensured that personal data contained on digital or paper media has been rendered unreadable may lead to a “data breach”.

2. Intended audience

All AIM Cancer Center employees.

3. Procedure to follow

How should an employee proceed in case of a “Data Breach” or suspicion of a “Data Breach”?

Whenever an employee becomes aware of or suspects such an incident (see point 1), they must follow these steps:

  1. Keep, whenever possible, all supporting documentation or other evidence of the detected breach, as well as any exchange of communications on the subject (IT logs, email exchanges, screenshots, etc.);
  2. Report the incident to the OPERATIONS DIRECTOR within 24 hours, using the form at the end of this document. Describe the detected breach as accurately as possible and which personal data may be involved. Indicate whether any corrective measures have already been taken and, if so, specify which;
  3. Send the form and any information deemed relevant to the OPERATIONS DIRECTOR at [email protected], and establish telephone contact after sending it to ensure the necessary urgency, given the short legal deadlines involved.

If the incident constitutes a personal data breach:

  1. Within 48 hours of detecting the breach, Management or its legal representative will determine that the AIM Cancer Center areas involved, together with the OPERATIONS DIRECTOR, must identify the failures and the risks to data subjects’ rights and freedoms.
  2. AIM Cancer Center (the controller) must immediately implement measures to remedy the existing failures and minimise potential harm to data subjects’ rights and freedoms.
  3. If it is concluded that the breach affects data subjects’ rights and freedoms, the OPERATIONS DIRECTOR must report the incident to the CNPD within 72 hours, via the online form available at www.cnpd.pt.
  4. If it is concluded that the breach does not affect data subjects’ rights and freedoms, AIM Cancer Center is exempt from notifying the CNPD of the incident, being required only to record it internally (as well as the corrective measures adopted and expected outcomes).

4. Communication to Data Subjects

Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, AIM Cancer Center shall communicate the incident to the affected data subjects without undue delay, providing at least the following information:

  • The name and contact details of the data protection officer and/or another contact point from which more information can be obtained;
  • The likely consequences of the personal data breach;
  • The measures taken or proposed by AIM Cancer Center to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.



ANNEX IX – Data Protection Impact Assessment (DPIA) Procedure

1. Purpose and scope:

A Data Protection Impact Assessment (DPIA) is a process intended to establish and demonstrate compliance with data protection principles. These assessments replace the prior authorisations issued by the CNPD under Law 67/98, of 26 October (LPDP) for certain types of personal data processing. DPIAs are provided for in Articles 35 and following of the GDPR.

Whenever a certain type of processing uses new technologies and, taking into account its nature, scope, context and purposes, is likely to result in a high risk to the rights and freedoms of natural persons, AIM Cancer Center shall carry out a DPIA for the operations in question.

A DPIA must be conducted before the processing of personal data begins, and requires a detailed description of the planned processing so that the necessity and proportionality of the processing can be assessed.

When conducting a DPIA, the controller must seek the opinion of the Data Protection Officer (DPO).

2. Intended audience

All AIM Cancer Center areas.

3. When must a DPIA be carried out?

There is an obligation to carry out a DPIA only when the processing is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1) GDPR).

A DPIA is mandatory, at least, in the following cases:

  • When a systematic and extensive evaluation of personal aspects relating to natural persons is carried out, based on automated processing, including profiling;
  • When special categories of data (data concerning health, data revealing political opinions, religious or philosophical beliefs, trade union membership, biometric data, etc.), or personal data relating to criminal convictions and offences, are processed on a large scale;
  • When systematic monitoring of publicly accessible areas is carried out on a large scale.

Other operations may, however, require a DPIA. It is therefore essential to detect and analyse the following situations in order to conclude whether a given operation may represent a high risk to the rights and freedoms of natural persons:

  • Processing aspects related to job performance, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements of the data subject.
  • Generating automated decisions (i.e., without human intervention) that produce legal effects or significantly affect the data subject.
  • Systematic monitoring of data, involving observation, tracking or monitoring of data subjects, including data collected through networks, or “systematic monitoring of publicly accessible areas”.
  • Processing of special data or highly personal data, such as data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data or data concerning sexual life or sexual orientation, as well as personal data relating to criminal convictions and offences.
  • Large-scale processing operations, considering the following factors as determinants of large scale:
    • The number of data subjects involved, either by a specific number or as a percentage of the relevant population;
    • The volume and/or variety of different data processed;
    • The duration of the processing activity or its permanence;
    • The geographical scope of the processing activity.
  • Processing data relating to vulnerable data subjects, understood as data subjects who are not able to consent or to oppose, easily and freely, to the processing of their data or to exercise their rights.
  • Use of innovative solutions or application of new technological or organisational solutions that may involve new ways of collecting and using the personal data collected.
  • Situations in which the processing itself prevents data subjects “from exercising a right or using a service or a contract”.
  • Matching or combining datasets that exceed the data subject’s reasonable expectations.

Having analysed all the criteria above, the greater the number of criteria met by the processing operation in question, the greater the likelihood that it represents a high risk to the rights and freedoms of data subjects and, therefore, that it requires a DPIA, regardless of the security measures adopted by the controller.

In case of doubt, the OPERATIONS DIRECTOR of AIM Cancer Center should be consulted.

Points to be detailed in a DPIA:

A DPIA should begin by analysing the following items in detail:

  • a) A systematic description of the processing operation and its type, highlighting:
    • The purpose of the processing;
    • The legal grounds for such processing (for example, performance of a contract, compliance with a legal obligation, or the controller’s legitimate interests);
    • The duration of the operation;
    • The media (physical or digital) through which the data may circulate;
    • The area(s) responsible for the operation.
  • b) An assessment of the necessity and proportionality of the processing operations in relation to the objectives (explain why the processing of data is necessary, making a necessity and proportionality judgement);
  • c) An assessment of the risks to the rights and freedoms of data subjects—analysis of how the principles of confidentiality, integrity and availability of the personal data to be processed are ensured and the risks that they may not be ensured;
  • d) The measures envisaged to mitigate risks, including safeguards, security measures and procedures designed to ensure the protection of personal data and to demonstrate compliance with the principles of confidentiality, integrity and availability of data, taking into account the rights and legitimate interests of data subjects and other persons concerned.

ANNEX X – Personal Data Protection Procedure to be Adopted by Employees

  • Automatic passwords must be changed by the employee so that only they know them. They must be as complex as possible and changed frequently, even on systems that do not force it;
  • Passwords are personal and non-transferable; they must not be shared or written down in accessible places;
  • The same passwords must not be used for organisational systems and personal systems;
  • The employee must lock the computer whenever leaving the room;
  • Applications and platforms with personal data must not be left open on screen if not in use;
  • Data storage devices (USB sticks, external drives) must not be left connected to the computer or in accessible places if not in use;
  • Documents with personal data must not be left by the printer and must not be torn by hand; they should be shredded using a paper shredder;
  • The employee must not leave documents with personal data accessible on their desk. These must be kept inside folders/files or in locked cabinets, preventing access by third parties;
  • If the employee loses their computer or work documents containing personal data, or suspects that a third party has accessed them, they must immediately notify the Data Protection Officer.

ANNEX XI – Personal Data Protection Procedure to be Adopted by the Human Resources Area

  1. Access to each employee’s individual file is only granted to the employee themselves;
  2. Employees’ individual files are stored in locked cabinets with restricted access;
  3. Mail received by AIM Cancer Center is handled by a specific employee and subsequently distributed and/or filed on paper in a dedicated cabinet and digitally in a restricted-access folder;
  4. AIM Cancer Center prefers to send correspondence containing personal data by registered mail with return receipt.


Still have questions?


WhatsApp