PRIVACY POLICY

2. Entity responsible for data processing

The “responsible for processing” is the natural or legal person who, individually or jointly, determines the purposes and means for a given personal data processing operation.

With regard to this privacy policy, the Data Controller (RT) is the Agrupamento de Escolas de Mafra with the following contact details:

Mafra School Group
Headquarters: Mafra Basic School
Rua Santa Casa da Misericórdia, no. 7
2640-528 Mafra
Telephone: 261 815 468
Email: protecao.dados@aemafra.edu.pt

3. Concepts and definitions

• “Responsible for treatment ” is the natural or legal person who, individually or jointly, determines the purposes and means for a given personal data processing operation.
  
• “Subcontractor ” is the natural or legal person who processes personal data on behalf of the person responsible for the processing. It is, therefore, an entity that provides a service and that to some extent intervenes in the process of processing personal data.
  
• “Data Holder ” is a natural person who can be identified, directly or indirectly, and whose data is subject to processing by the controller or subcontractor.
  
• “Recipients ” are natural or legal persons who receive communications of personal data. Thus, the recipients can simply be students, holders of parental responsibility, employees of the Mafra School Group, visitors, or external entities, both private and public.
  
• “Personal data ” is information relating to an identified or identifiable natural person (data subject). A person who can be directly or indirectly identified is considered identifiable.
  
• “Enriched personal data ”, as opposed to original (raw) personal data, is data generated by the controller or subcontractor or resulting from an analysis or deduction about the raw data.
  
• “Treatment ” is an operation or set of operations carried out on personal data, by automated means or not, such as collection, registration, organization, disclosure, conservation, erasure, or others.
  
• “Personal Data Breach ” is a security breach that causes, accidentally or unlawfully, the unauthorized destruction, loss, alteration, disclosure or access to personal data.
  

4. What personal data is collected and processed

4.1. Personal data categories

The Mafra School Group and its subcontracting entities process the following categories of personal data:

4.2. About special categories of personal data

In many situations, the Mafra School Group is legally obliged to process data from special categories and sensitive data, such as health data, ethnicity, religion, sexuality and biometric data. Sometimes information regarding the safeguarding of children is received and processed and may be subject to a confidentiality regime. It is also possible that, in some specific circumstances, it may be necessary to process data relating to criminal convictions and offences.

Thus, some of the situations include:

• Protect the welfare of students and provide appropriate (and, if necessary, medical) assistance, and take appropriate action in the event of an emergency, incident or accident, including disclosing details of a person's medical condition or other relevant information and the the individual's own interest - for example, for medical advice, social protection, safeguarding and cooperation with the police or social services, for insurance purposes or for suppliers or school trip organizers who need to be informed about diet or medical monitoring needs;
  
• Provide educational services in the context of any specific educational needs of a student;
  
• Provide education in the context of religious beliefs, according to available options;
  
• In relation to teaching and non-teaching staff, for example, criminal record, welfare, trade union membership or retirement details;
  
• As part of any internal or external complaint, disciplinary or investigation process involving this category of data, for example, if it includes elements of specific health or protection needs;
  
• For legal and regulatory purposes (e.g. child protection, diversity monitoring, health and safety) and to comply with your legal obligations and duties of care.
  

4.3. Means of collecting information

In fulfilling its objectives, the Mafra School Group collects personal data in several ways:

• Enrollment and enrollment renewal bulletins;
  
• Other data forms filled out by parents, guardians and/or students throughout the school year;
  
• Data collected by educational agents in the context of the teaching and learning process and participation in school and extracurricular activities (enriched data);
  
• Receiving data by internal transfer from students' previous schools;
  
• Information about students from certain medical services and health centers, as well as the respective local authorities and regulatory bodies.
  

The public website of the Mafra School Group at the address www.aemafra.edu.pt does not request or collect identification from visitors (such as username, email or other data). However, information relating to tracking data and cookies is only used for automatic and statistical processing of access to the website, referring to the number of accesses to the website, search terms, type of access, according to the operating system and browser, and are not linked to individual profiles. None of this data is transmitted to third parties.

Even so, if you wish to enter the reserved access area of other platforms made available by the Mafra School Group (Examples: Moodle, Student Management Platform, etc.) your username, email or other data may be subject to collection and treatment.

5. How personal data is processed

The collection of personal data is intended for purposes mainly related to activities relating to students, holders of parental responsibility, teaching staff and non-teaching staff. It covers data on minor students, represented by the guardian who provides the data necessary for the provision of school services during the student's stay in the education and teaching establishments of the Mafra School Group. This data is incorporated into the files owned by the school establishment.

The Mafra School Group, in compliance with legal provisions, collects the necessary and appropriate personal data to:

• Enrollment and registration of students;
  
• Individual Student Process;
  
• Teaching activities;
  
• Management and processing of students’ school careers;
  
• Change of school establishment;
  
• Certification of qualifications;
  
• Provision of other educational services;
  
• Participation in national or other assessments;
  
• Publication of public examination results or other achievements of students at school;
  
• Psychology and Guidance Service;
  
• Accounting, tax and administrative services;
  
• Canteen and buffet service and information regarding dietary restrictions;
  
• Salaries;
  
• School Social Action;
  
• Security and Civil Protection;
  
• Attendance Record;
  
• Issuance and management of identification cards for students, teaching and non-teaching staff;
  
• Management of School Libraries;
  
• Registration in extracurricular activities;
  
• School insurance and personal accident insurance;
  
• Organization of trips, school transport and excursions;
  
• Contact agenda;
  
• Students' association;
  
• Self-assessment of the school group;
  
• Assessment of teaching and non-teaching staff;
  
• Correspondence with teaching and non-teaching staff, parents and guardians and students;
  
• Monitoring the performance of the school establishment, intervening or helping in the event of an incident;
  
• Management planning and forecasting;
  
• Statistical research and analysis, including that imposed or provided for in legislation;
  
• Protect the well-being of students and provide appropriate assistance;
  
• Carry out or cooperate with any school or external grievance, disciplinary or investigative process.
  

This data is stored in computerized form, in the databases of student management applications, school social support, salaries, reprography, libraries and services.

Data relating to the students' household, assessment history, attendance and health are archived in the student's individual file, in a specific folder in compliance with the duties of secrecy and confidentiality, with prior definition of administration and access permissions and respective registration of access, in strict compliance with the duties inherent to the functions performed.

Data relating to the personal identification of teachers, biographical records, training certificates and qualifications are archived in the teacher's individual file, in a specific folder, in compliance with the duties of secrecy and confidentiality, with prior definition of administration and access permissions and respective access registration, in strict compliance with the duties inherent to the functions performed.

Personal data necessary for the interoperability of public IT networks and systems and within the scope of Public Administration may also be collected.

6. Consent

The Mafra School Group requests the express consent of the person in charge of education to carry out the following processing of the student's personal data and respecting the right to image:

• Portraits, photographs and image capture during curricular and extracurricular school events, projects or activities;
  
• Publicity of school initiatives on the website of the Mafra School Group or its education and teaching establishments;
  
• Production of yearbooks and publications, in paper or electronic form, of the Mafra School Group or one of its education and teaching establishments;
  
• Newsletter from the Mafra School Group;
  
• Maintain relationships with alumni and the school community;
  
• Use of electronic cloud applications outside of educational platforms.
  

The Mafra School Group requests the express consent of those in charge of education, other family members of the minor and other people involved, whenever photography and filming of events, projects or school activities aimed at disseminating these initiatives within the school community and in which participants (individuals of legal age, guardians or not), their children or legal representatives.

The Mafra School Group declares that it is not responsible in the case of abusive use of photographs and images by third parties.

The data of the guardian is incorporated into files held by the Mafra School Group for the following purposes:

• Enrollment management;
  
• Management and processing of the student's academic career;
  
• Management of school social action;
  
• Mandatory notifications and other communications considered relevant to the school community;
  
• Association of Parents and Guardians;
  
• Contact agenda;
  
• Sending Newsletters and information.
  

The treatments mentioned above have one of the following reasons:

• Obtaining consent for the processing of personal data for one or more specific purposes;
  
• Execution of a contract for the provision of educational services;
  
• Legitimate interest of the school establishment;
  
• Compliance with legal obligations.
  

7. Rights of the holder of personal data

All people are recognized with the following rights:

• Right of access to personal information held by you or your legal representative.
  
• Right to rectification if personal data is incomplete or inaccurate.
  
• Right to withdraw your consent, at any time, in cases where this is the basis of lawfulness.
  
• Right to erasure, through which you can request that your personal data be erased when one of the following situations occurs:
  

- Personal data are no longer necessary for the purpose for which they were collected or processed;

- Withdraw the consent on which the data processing is based and there is no other legal basis for it;

- Present opposition to the processing of data and there are no prevailing legitimate interests, to be assessed on a case-by-case basis, that justify the processing;

- Personal data has been processed unlawfully;

- Personal data must be erased under a legal obligation.

The right to refuse data deletion requests is reserved if the deletion of information interferes with, or makes it impossible, the provision of services or the exercise of educational activities, in accordance with legal terms. Requests for erasure and deletion of data that make administrative and pedagogical management of students and administrative management of teachers impossible are not considered for the purposes of the right to be forgotten.

Through the right to limitation of processing, you can request the limitation of the processing of your personal data, if you consider that the processing is unlawful or if you consider that the processing of the data is no longer necessary.

Right to portability. The data subject may request delivery, in a structured, commonly used and machine-readable format, of the personal data provided. You also have the right to request that the School transmit this data to another data controller, as long as this is technically possible. Please note that the right to portability only applies in the following cases:

• When processing is based on express consent or the execution of a contract;
  
• When the processing in question is carried out by automated means.

Access and portability of student data can only be requested by the parent or legal representative.

7.1. Right to lodge complaints with the supervisory authority

If you wish to lodge a complaint regarding matters related to the processing of your personal data, you can do so with the National Data Protection Commission. For more information you should access www.cnpd.pt .

The holder of personal data has the right to be informed in the event of an incident affecting their personal data (loss or misplacement of data and documents, inappropriate publications, computer incidents and cyber attacks) whenever there is a high risk to their rights. and freedoms, in accordance with the General Data Protection Regulation (GDPR).

7.2. How to exercise these rights

You can exercise your rights through the following channels:

• Email, to the email address info@aemafra.edu.pt .
  
• Mail, via letter, addressed to the Mafra School Group, Rua Santa Casa da Misericórdia, n.º 7, 2640-528 Mafra.
  

For any clarification, the Mafra School Group provides a data protection officer who can be contacted using the following contact details:

• E-mail: protecao.dados@aemafra.edu.pt
  

8. Storage of personal data
All data processing operations and respective activity records are previously defined by the Data Processing Officer (RT) of the school establishment.

Personal data is retained for different periods of time, depending on the purpose for which it is intended, taking into account legal criteria, as well as the need and minimization of the respective retention time, without prejudice to the legally defined deadlines for the conservation of certain documents and data.

Personal data on digital media are stored in databases of the respective management applications, are internal, hosted on a dedicated server, with a guarantee of anonymization and maintenance of the ability to ensure the confidentiality, integrity, availability and permanent resilience of systems and of processing services, the ability to restore availability of and access to personal data in a timely manner in the event of a physical or technical incident and a process to regularly test, assess and evaluate the effectiveness of technical and organizational measures to ensure the security of processing and in accordance with user policies for the school establishment's internal network domain.

Students' personal data for managing exams and assessment tests are stored in the databases of the PAEB, ENEB and ENES programs.

Personal data on physical media are kept in a specific location, in compliance with appropriate security measures and previously approved by the Data Controller (RT), guaranteeing their confidentiality.

9. Data Interconnection
Personal data, in compliance with legal regulations or in the provision of public educational services, may have to be communicated to the following public entities:

• Ministry of Education and respective services and bodies;
  
• Finance Ministry;
  
• Ministry of Labor, Solidarity and Social Security;
• Ministry of Health;


• Justice ministry;


• Ministry of Internal Affairs;


• Ministry of State Modernization and Public Administration;


• Local authority.

• Quantitative and qualitative assessments;


• Registration of quantitative and qualitative assessments in the student management application;


• Statistical processing of enrollment and assessment data;


• Personal data specific to a user, upon legally justified request, such as child and youth protection committees, social security services, courts, Judicial Police and guardianship.

• Advertising only data and information that are strictly necessary for specific purposes and, preferably, on platforms that guarantee individual private access;




• Not publishing identifying elements, specifically names, portraits, photographs and images, in institutional digital publications of the Mafra School Group (electronic website, school library pages, blogs or social media profiles of projects developed in the group's education and teaching establishments or directly linked to them).

• After assessing the risk for the protection of the holder's personal data, after consulting the data protection officer, in conjunction with proponents and group bodies;




• After verification and proof that the proponents comply with the legal requirements set out in the GDPR;




• The obligation of proponents to provide copies of the informed consent statements for filing at the school establishment has been met.

• Respect the confidentiality of personal data to which they have access in the performance of their functions and after termination of their functions, when applicable;




• Respect the security policies when using the group's computer networks, using secure passwords and respecting the access level defined in this Privacy Policy, relating to student data and other elements of the school;




• Communicate to the Data Controller and the data protection officer any losses, attacks, data transmitted illegally or irregularly, detailing which data, who was affected, and in what context to comply with the formalities set out in the General Data Protection Regulation;




• Use encrypted communications, using only institutional email for any communication relating to school group matters;




• Ensure that remote access via VPN and access to online platforms are duly approved by the Data Controller;




• Avoid public conversations or discussions that potentially disclose information about the personal data of students or other users;




• Store documentation in physical formats securely;




• Exclusively use institutional email for communications relating to all matters relating to work in the group and at the school, as this system is encrypted and auditable;




• Validate data interconnections with the Data Controller.




• Check permissions and consents for portraits, photographs and image collection within educational establishments;




• When advertising activities, do not include information that identifies children, such as names, photos, video and audio records.

• Use exclusively the institutional email address;




• Avoid shared folders on the internal network with public permissions to store student information;




• Always use your personal account on school computers, logging out after using them;




• Use cloud storage services, after checking whether they guarantee privacy and data encryption;




• Use shared folders in a Cloud storage service after making sure that they are only accessible in the individual user profile;




• Encrypt evaluation record grids with a password known only to members of the class council.

• The personal password is non-transferable, must be complex and consist of, for example, uppercase and lowercase letters, numbers and symbols (such as “!” or “*”). You must not repeat letters or numbers, nor alphabetical, numeric or keyboard sequences.




• Never, under any pretext, should passwords be provided to third parties (whether personal for accessing a user profile or for computer administration);




• Reinforce care with passwords;




• Use double-factor authentication in institutional email, whenever justified or possible.