Privacy and Personal Data Protection Policy
Commitment
At EGEAC, we strive to guarantee the security and confidentiality of your data, which are requested and processed exclusively for their intended purpose, in accordance with the principles and rules enshrined in the General Data Protection Regulations and other applicable legislation, as well as the EU Charter of Fundamental Rights.
Therefore, the information provided to us is handled responsibly and respectfully and is not shared with other entities. It may only be shared with third parties in strict compliance with applicable legal requirements or for other legally-defined reasons. In these cases, EGEAC provides the same level of personal data protection for all those who process their personal data under EGEAC’s responsibility (service providers, suppliers, partners, etc.) through contracts and data processing agreements where applicable, and ensuring the prior consent of the data subjects is given when applicable.
EGEAC aims to ensure appropriate technical and organisational security measures are implemented in order to comply with the principles of personal data protection provided for in the GDPR and related legislation and, whenever possible, to improve them through monitoring processes, so that we can ensure the confidentiality of information and the right to privacy of everyone who interacts with us.
General principles
EGEAC collects and processes personal data in accordance with the principles enshrined in the GDPR and related legislation, namely:
Personal data are processed lawfully, fairly, impartially, and transparently (principles of lawfulness, fairness, impartiality, and transparency);
Personal data are collected and processed for specific, explicit, and legitimate purposes arising from the current legislation and are not further processed in a manner incompatible with these purposes (principle of purpose limitation);
Personal data are adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (principle of data minimisation);
Personal data are accurate and, where necessary, rectified and updated (principle of accuracy);
Personal data are kept for the period necessary for the purposes for which they are processed and may be retained for longer periods only in cases provided for by law (principle of storage limitation).
Legal Basis for Processing
The data processing operations carried out by EGEAC on natural persons, as a general rule, arise from the following situations:
The carrying out of its duties in the public interest with which it is entrusted, in particular fulfilling the mission, objectives and services assigned to it by the Municipality;
The implementation of these services and the protection of the activities and assets under its management, as well as the improvement of its communication with and knowledge of its target audience (namely the residents of Lisbon), with the aim of better understanding their needs and preferences and aligning the services we provide to our mission;
The execution of contracts signed with the Municipality, citizens, institutional and other partners, service providers, suppliers and workers;
EGEAC only collects and processes personal data if:
The data subject has given consent for the processing of their personal data for one or more specific purposes (when required); or
The processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at their request prior to entering into a contract; or
The processing is necessary to ensure compliance with a legal obligation to which EGEAC is subject; or
The processing is necessary for the purposes of the legitimate interests pursued by EGEAC or by third parties, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, especially if the data subject is a minor;
Purposes of Personal Data Collection
Guided by the general principles and legal bases already outlined, the purposes of personal data collection carried out by EGEAC can be multiple and must always be declared to the data subject from the outset.
EGEAC is a municipal company which promotes culture (operating under the name Lisboa Cultura) and, as such, has a social purpose. Therefore, the most frequent situations and means by which we collect personal data in our day-to-day interactions with our diverse audiences are as follows:
Subscription to newsletters provided by EGEAC, the cultural spaces under its management, or other channels duly identified as being our vehicles for communication and publicising initiatives and services;
Enrolment or registration, by email or form, in activities promoted by our educational services;
Enrolment or registration, by email or form, in training, capacity-building or skills-management courses run by EGEAC;
Enrolment or registration, on our portals or by email or form, in EGEAC-run contests or events, particularly those featuring on our calendar of public-space events and activities (such as the Festas de Lisboa, Marchas Populares, Concurso das Sardinhas, Tronos de Santo António, among other festivals and events);
Enrolment or registration in EGEAC-run contests or events at the monuments and museums managed by EGEAC;
Filling in forms or making contact with EGEAC to make requests, ask for clarifications, make complaints or suggestions or to request information, via the different channels made available to the public;
Posting comments or images on our social media pages;
Subscription or registration on any of our portals/sites to access information, services or activities;
Participation in certain activities promoted in our cultural spaces where the format of the initiative requires capturing image and sound of the participants;
Browsing our websites (the institutional one and those of our cultural spaces) through cookies or similar technologies, such as Google Analytics (i.e., technical information related to the devices accessing the websites, IP and MAC addresses, the browser used, the operating system and its versions; depending on the user’s browser and browsing source, other information may also be collected);
As part of its administrative and financial management activities, EGEAC also processes personal data by sending/receiving information in emails, service contracts and other multi-purpose information, always in compliance with contractual, regulatory and/or legal obligations aimed at protecting and defending the rights, interests, property and security of EGEAC and/or the Municipality, its employees or other people with whom it establishes collaborative/partnership relationships.
Under no circumstances may the personal data collected by EGEAC be sold or given free of charge to companies that use it for direct marketing purposes or to other entities that use mailing lists to publicise products and/or services;
Data subject rights of natural persons:
In accordance with the definitions provided by the GDPR, natural persons have the following rights over personal data concerning them:
[1] to be brought before EGEAC: right to information; right of access; right to rectification of inaccurate data; right to erasure; right to restriction of processing; right to data portability; right to object to processing; right not to be subject to exclusively automated decisions, including profiling; in situations of consent, right to withdraw consent at any time, without jeopardising the lawfulness of the processing carried out on the basis of the consent previously given;
[2] to be brought before EGEAC’s Data Protection Officer (by email to encarregadaprotecaodados@egeac.pt or by letter to Avª Engº Duarte Pacheco, nº26, 4º, 1070-110, Lisbon): the right to make representations on all matters relating to the processing of your personal data and to exercise the rights conferred on you by the GDPR and related legislation;
[3] To be brought before the supervisory authority (Comissão Nacional de Proteção de Dados): the right to lodge a complaint in the event of a breach of the rules applicable to the protection of your personal data.
Privacy Notification
In case of a personal data breach, EGEAC will notify the Comissão Nacional de Proteção de Dados (CNPD), whenever possible within 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
Any subcontractor of EGEAC is required to notify the data controller without undue delay upon becoming aware of a personal data breach.
This policy may be revised whenever deemed necessary and will be published at www.egeac.pt
Last updated on: 4 June, 2024.