Sign In

Privacy Policy

​​Privacy and data protection policy

The General Secretariat of the Ministry of Internal Administration, with headquarters at Rua S. Mamede n.º 23, 1100-533 Lisboa, legal person n.º 600014665, hereinafter referred to as SGMAI, in the context of providing access to the websites or service portals it manages, may need to collect and process personal data from its users, which it does under the terms of this Privacy and Data Protection Policy.

1. Object

a) The protection of privacy and personal data is a priority for SGMAI.

b) SGMAI aims to ensure a high and consistent level of protection for the processing of personal data relating to natural persons, regardless of their nationality or place of residence.

c) This document establishes SGMAI's privacy policy in terms of data protection, under the terms of the General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679 of the European Parliament and of the Council of the European Union of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, the implementation of which in the national legal order is ensured by Law no. 58/2019 of 08 April 2019. 58/2019, of August 8, adopting the right technical and organisational measures to ensure the processing of data following the applicable legislation, as well as to deal with cases of personal data breaches.

d) It therefore sets up the internal rules and procedures for the protection of personal data to ensure that it is processed following legal requirements, also setting out the technical and organisational measures implemented to protect such data against accidental or unlawful destruction, accidental loss, alteration, dissemination or unauthorised access and any other form of unlawful processing.

2. Scope of application

a) This policy applies to the processing of personal data by totally or partially automated means, as well as to the processing by non-automated means of personal data contained in files or intended for them.

b) Data processed by SGMAI is covered, namely data relating to all citizens who contact with SGMAI, those registered on the electoral register, those elected to Local Government Bodies, SGMAI managers and employees, as well as external service providers and organisations that use SGMAI's facilities and resources.

3. Principles

Under the terms of Article 5 of the GDPR, SGMAI undertakes to ensure that the personal data it processes is:

a) Processed following the law, fairly and transparently.

b) Collected for specific, objective, and legitimate purposes and not further processed in a manner contrary to those purposes.

c) Adequate, justified and limited to what is necessary in relation to the purposes for which they are processed.

d) Accurate and updated whenever necessary, with all necessary measures being taken to ensure that inaccurate data, considering the purposes for which they are processed, are erased, or corrected without delay.

e) Kept in a form that allows the identification of the data subject for no longer than is necessary for the purposes for which the data are processed.

f) Processed in a manner that ensures their security, including protection against unauthorised or unlawful processing and against their loss, destruction, or unforeseen damage, and right technical or organisational measures are taken.

4. Lawfulness of processing personal data

The processing of personal data by SGMAI is lawful in the following cases, depending on the purposes of each processing operation.

a) Compliance with a legal obligation.

b) Consent of the data subject for one or more specific purposes.

c) Defence of the vital interests of the data subject or another natural person, following Article 6(1)(d) of the GDPR.

d) Execution of a contract to which the data subject is a party, or for pre-contractual steps at the request of the data subject.

e) Exercise of functions in the public interest.

5. Data controller

The data controller is the General Secretariat of the Ministry of Internal Administration (SGMAI).

6. Data Protection Officer

By the Article 37(1)(a) of the GDPR, a Data Protection Officer has been appointed and can be contacted at

7. Data collection and processing

a) Accessing and browsing the portals and websites managed by SGMAI does not necessarily imply the provision of personal data.

b) SGMAI collects data from users of the portals and websites managed by SGMAI, through interactions with them and through the services provided by those portals or websites.

c) The data may be supplied directly by the users of the portals and websites managed by SGMAI, or its collection may result from the users' interactions and use of the services. The data collected in this context depends on the context of user interactions with the portals and websites managed by SGMAI and on the choices made by users.

d) Data processing is carried out in compliance with the security measures and confidentiality guarantees required by the legislation currently in force on the protection of personal data.

e) SGMAI is the entity responsible for the collection and processing of personal data used in the context of the use of the websites it manages.

f) SGMAI collects and processes, in particular, the personal data of the data subject provided at the time of using the functionalities of the websites it manages, such as civil identification number, full name, date of birth, email, mobile phone number and others legally supported.

8. Receiver(s) of personal data

a)  As a rule, SGMAI does not communicate the personal data of the data subject to third parties.

b) SGMAI will communicate the personal data of the data subject, following the law, to the legally competent and qualified entities.

(c) In the provision of online services, SGMAI may use subcontractors to:

i.    Provision of electronic communications services.

Ii.     Provision of development, hosting, and platform provision services.

Iii.     Provision of resilience services and availability of platforms.

9. Personal data retention period

a) Without prejudice to legal or regulatory provisions to the contrary, data will only be kept for the minimum period necessary for the purposes for which it was collected or subsequently processed.

b) The retention periods may be altered in accordance with the associated public interest, for historical, scientific or statistical reasons that justify it, with SGMAI undertaking to adopt the appropriate conservation and security measures.

10. Rights of personal data subjects

a) Data subjects are informed that they have the right to request from SGMAI access to personal data concerning them, as well as its rectification or erasure, and the limitation of processing insofar as it concerns the data subject, or the right to object to processing, as well as the right to data portability, in legally admissible cases, under the terms of articles 12 et seq. of the GDPR.

b) When data processing is based on consent, the data subject has the right to withdraw that consent at any time, without jeopardising the lawfulness of the processing carried out based on the consent previously given.

c) The data subject also has the right to lodge a complaint with a supervisory authority, or the right to take legal action against the supervisory authority, controller, or processor, under the terms of Articles 77, 78 and 79 of the GDPR.

d) The exercise of the rights is carried out through direct contact with SGMAI via the e-mail address

11. Processing of personal data as a corollary of an employment or similar relationship

a) The processing of personal data for the purposes of an employment or similar relationship is strictly necessary for the performance of the employment contract, under the terms of Article 6(1)(b) of the GDPR.

12. Subcontractors

a) All contracts involving access to personal data under SGMAI's responsibility are preceded by an analysis of the guarantees of compliance with the GDPR and the implementation of security measures.

b) Contracts concluded or to be concluded include specific data protection clauses, under the terms and for the purposes of Article 28 of the GDPR, which limit the processing of data to the execution of the contract and SGMAI's instructions, as well as enshrining data protection measures on the part of the subcontractor.

c) Upon termination of the contract, the subcontractor is obliged to destroy all copies of the personal data, except for cases in which there is a legal or contractual obligation to keep them.

d) When SGMAI uses subcontractors to process personal data on its behalf and in accordance with its instructions, the inherent contract clearly defines the duration of the service, the nature and purposes of the processing of personal data, the type of personal data, the categories of data subjects, the obligation to notify a personal data breach, as well as indicating the obligations of the subcontractor with regard to information security and confidentiality.

e) These entities may not pass on personal data to other entities without SGMAI's prior written authorisation.

13. Security measures

a) SGMAI is committed to guaranteeing the security of the personal data made available to it, implementing right technical and organisational measures to protect personal data against destruction, loss, alteration, dissemination, unauthorised access, or any other form of accidental or unlawful processing, under the terms of the legislation currently in force on data protection.

b) SGMAI uses a set of security technologies and procedures that are suitable for protecting the personal data of the respective owners, protecting unauthorised access and disclosure, namely:

i. Physical security measures, namely access control for employees, collaborators, and visitors to SGMAI premises.

ii. Logical security measures, namely by implementing systems for controlling and tracking access to systems.

c) Data transmission between applications is encrypted, using private, unique keys. In addition, secure connections (HTTPS) are used. The transmission of this data is also protected using TLS (Transport Layer Security) protocols.

d) Without prejudice to the security measures adopted, SGMAI recommends that the data subject should use a computer with an operating system and an internet browser that is up to date in terms of security updates and that is properly configured to access the websites and portals provided by SGMAI and should always check the authenticity of the websites and portals they visit.

14. Use of cookies

SGMAI uses cookies on the portals and websites it manages whenever it is necessary to guarantee their correct functioning, within the scope of the provision of services explicitly requested by users, and no personal information is collected other than that necessary for the use of the websites, such as the IP address.

15. Statistical log files

a) SGMAI records the IP addresses of all links to its websites or service portals, information that will be used exclusively for statistical purposes, in an aggregated and anonymised form, or to implement measures for the continuous improvement of said websites. The data used does not have personally identifiable or private information.

b) The analyses carried out based on the aggregated statistical information are used to interpret the portal's usage patterns and to continuously improve service levels and user satisfaction. The aggregate statistical information resulting from the analyses carried out may be disclosed to third parties or publicly.

c) This website uses the Google Analytics tool, a network analysis service provided by Google. Cookies are stored that supply information on the use and browsing of the Site, including the User's IP address, which is transmitted to Google's servers. However, the data collected is not linked to any other data held by Google.

d) The User can deactivate the tool by downloading and installing a browser add-on available from Google:

16. Release from Liability

a) SGMAI shall not be held liable for any losses or damages in terms of civil liability (including, but not limited to, consequential damages, loss of profits and moral damages, caused directly or indirectly), arising as a result of the correct or incorrect use of its websites and their contents by the user, or access to the user's computer and computer system by third parties.

b) The websites may have links to sites operated by third parties over which it has no control and for which it assumes no responsibility.

c) The visualisation of legal provisions on this site does not dispense with consulting the legal rules in force, officially approved, published in the original editions and media (namely the Diário da República or the Official Journal of the European Union).

17.   Changes to the privacy policy

a) SGMAI may amend this Privacy and Data Protection Policy at any time.

b) These changes will be duly publicised on SGMAI's website at

18.   Validity

a) If any part or provision of this Policy is considered invalid, illegal, or unenforceable, the validity, legality and enforceability of the remaining provisions shall not be affected or jeopardised.

19.   National Data Protection Commission (CNPD)

a) The CNPD is the national supervisory authority with powers to monitor compliance with existing legal provisions on the protection of personal data, in order to defend the rights, freedoms and guarantees of natural persons with regard to the processing of personal data.

b) Any citizen has the right to lodge a complaint with the CNPD regarding the processing of data to which they are subject.

To clarify any doubts, the data subject may also contact the Data Protection Officer at or at SGMAI Data Protection Officer, Rua S. Mamede n. º 23, 1100-533 Lisboa.

Data Protection Officer

Carlos Manuel Afonso Bode Dias Torres

​​​​​​​​​​​​​​​Lisbon, 05 April 2021