Privacy Policy

Startup Portugal Privacy Policy

General Framework

The protection of Personal Data is a fundamental right, so your privacy is important to Startup Portugal – Portuguese Association for the Promotion of Entrepreneurship (“SPAPPE”) in particular with regard to the processing of personal data carried out through the platform(s):

  • WordPress
  • Typeform
  • MailChimp
  • Eventbrite
  • Meta (Facebook and/or Instagram)

We therefore clarify the Personal Data we collect, for what purposes, the principles that guide this use and the rights of the holders of this data. To safeguard data protection, SPAPPE, as the Data Controller:

  • Ensures that the processing of Personal Data is carried out within the scope of the purpose(s) for which it was collected, and in strict compliance with the Law;
  • Is committed to implementing a culture of data minimization, in which it only collects, uses and retains Personal Data that is strictly necessary and that results from legal imperatives.

To this end, we advise you to read the privacy policy so that you are aware of your rights, the conditions under which you make your personal data available and authorize its collection, use and disclosure.

SPAPPE Commitment

Protecting your personal data

Through this Policy, SPAPPE recognizes the importance of the security of the personal data it processes and ensures the protection of the privacy of the respective data subjects without jeopardizing the purpose and full realization of the different areas in which it operates. In this Policy, it also provides information on the rules, principles and good practices that it observes in the processing of personal data entrusted to it, in accordance with the General Data Protection Regulation (GDPR) and other applicable legislation, and on the means that data subjects have at their disposal to exercise their rights.

Data Controller

Within the scope of its activities in its different areas of activity, SPAPPE is the entity responsible for processing personal data and can be contacted at the following e-mail address:

Data Protection Officer

In view of the legal obligation arising from Article 12(2)(h) of the GDPR, SPAPPE has appointed a Data Protection Officer, who is responsible for ensuring, among other things, that the processing and protection of personal data under his/her responsibility complies with the applicable legislation and this Policy. Among other duties, the Data Protection Officer is responsible for:

  • Monitoring compliance of data processing with applicable standards;
  • Acting as a point of contact for clarifying issues relating to data processing;
  • Cooperating with the CNPD, in its capacity as supervisory authority;
  • Providing information and advising SPAPPE or subcontractors on their obligations in the field of privacy and data protection.

Therefore, the holders of personal data, if they so wish, can address a communication to the Data Protection Officer regarding matters related to the processing of personal data, using the following email address:

Changes to the Privacy Policy

SPAPPE reserves the right to make changes to this Privacy Policy, and such changes will be duly publicized on its website and/or other channels it deems appropriate.

Cookie Policy

Session cookies are only used on this website to analyze web traffic patterns or to identify problems and provide a better browsing experience. All browsers allow the user to accept, refuse or delete cookies, namely by selecting the appropriate settings in their browser. Cookies can be configured in the “options” or “preferences” menu of the user’s browser. It should be noted, however, that by disabling cookies, the user may prevent some web services from working properly, partially or totally affecting navigation on the website. To find out more about cookies, including how to see what cookies have been created and how to manage and delete them, visit which includes information on how to manage your settings for the various browser providers.

SPAPPE’s 360º Privacy Policy

SPAPPE has developed and implemented a Privacy Policy that includes a wide range of measures to protect your personal data. The implementation of this policy resulted from the identification of the personal data for which it is responsible, the assessment of data quality, the definition of security controls, data protection and monitoring. This information is intended to present the respective privacy policy in a structured and simplified manner, in order to provide greater transparency on how we process personal data.

Personal data

Personal data is any information, of any nature and on any medium (e.g. sound or image), relating to an identified or identifiable natural person (referred to as the “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by means of a name, an identification number, location data, an electronic identifier or other factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Sensitive personal data

Sensitive data is all personal data that is subject to specific processing conditions. This includes:

  • Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs and trade union membership;
  • Biometric data processed for the purpose of uniquely identifying a person;
  • Health-related data;
  • Data relating to a person’s sex life or sexual orientation.

Data subjects

A data subject is any natural person to whom the personal data relates. In the context of the activity carried out by SPAPPE and collected by the platform(s) mentioned in point 1 above, all personal data collected in order to comply with legal obligations, as well as all natural persons who submit their data or authorize SPAPPE to use their data, are data subjects. We would like to clarify that access to personal data is differentiated: different levels of access to information have been established, the need for access has been substantiated, and access is carried out autonomously, being limited to the technician responsible for the data and to that technician's head.

Categories of personal data processed by SPAPPE

SPAPPE processes personal data of different natures and sensitivities, as well as the purpose associated with the processing of such data, such as, for example:

  • Personal identification data: name, date of birth, place of birth, gender, nationality, address, telephone number, professional qualifications, e-mail address, civil identification number and/or passport, tax number, driving license number and social security number;
  • Sensitive data – Only and exclusively data that is formally required by tax obligations. Family status: marital status, name of spouse, children or dependents and/or any other information necessary to determine salary supplements and respective tax obligations;
  • Professional data: course and level of education, professional status, professional experience, certifications and place of work.

Data processing register

SPAPPE has a data processing register in accordance with Article 30 of the GDPR, as required by the CNPD, which includes:

  • The name and contact details of the controller and, where applicable, any joint controller, the representative of the controller and the data protection officer;
  • The purposes of the data processing;
  • A description of the categories of data subjects and categories of personal data;
  • The time limits for erasing the different categories of data;
  • The technical and organizational security measures implemented to ensure pseudonymization and encryption of personal data and the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

Principles for processing personal data

When processing personal data, SPAPPE observes the following fundamental principles:

  • Principle of fairness, lawfulness and transparency: personal data is processed lawfully, fairly and transparently in relation to the data subject;
  • Principle of purpose limitation: personal data is collected for specific, explicit and legitimate purposes and is not further processed in a way that is incompatible with those purposes;
  • Principle of data minimization: personal data will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • Principle of accuracy: personal data will be accurate and updated whenever necessary, and all appropriate measures will be taken to ensure that inaccurate data, taking into account the purposes for which they are processed, are erased or rectified without delay;
  • Principle of limited storage: personal data will be stored in a way that allows the identification of data subjects for no longer than is necessary for the purposes for which the data is processed;
  • Principle of integrity and confidentiality: personal data will be processed in a way that guarantees their security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, with the adoption of appropriate technical or organizational measures.

As the data controller, SPAPPE undertakes to ensure that the processing of data subjects’ data is carried out in strict compliance with the aforementioned principles, and that it is in a position to prove compliance with them.

Grounds for processing personal data

SPAPPE only processes personal data when at least one of the following situations applies:

  1. Consent of the data subject: when the data subject has given their consent to the processing of their personal data, for one or more specific purposes, through express consent, which indicates a free, specific, informed and unequivocal expression of will that the data subject consents to the processing of their data. Consent may be obtained by any means (including electronically), and SPAPPE will keep a record of this through a physical record or technological platform, as a means of proving that the data subject has given their consent to the processing of their personal data. The data subject has the right to withdraw their consent at any time, and the withdrawal of consent does not compromise the lawfulness of the processing carried out on the basis of the consent previously given.
  2. Execution of a contract or pre-contractual steps: when processing is necessary for the execution of a contract to which the data subject is a party, or for pre-contractual steps at the request of the data subject. This situation includes, by way of example, the processing of the personal data of SPAPPE’s employees and contractors within the scope of the management of the established employment relationship or the respective service providers within the scope of the contractual relationship.
  3. Compliance with a legal obligation: there is a wide range of situations in which processing the data is necessary to comply with a legal obligation to which SPAPPE is subject, namely, by way of example, the elements that make it possible to assess the fulfillment of requirements for the certification of a Startup, through Law no. 21/2023, of May 25.
  4. Vital interests: when processing is necessary for the protection of the vital interests of the data subject or another natural person, for example, in the case of medical emergencies or the safety of the data subject.
  5. Public interest/public authority: when processing is necessary for the performance of a task carried out in the public interest. For example, when there is a need to alert regulatory and supervisory bodies. SPAPPE is a private association of public interest and its activity is conducted in the public interest, so a large part of the activity has this rationale, which must be assessed in each processing process.

Sensitive Data

SPAPPE may process sensitive data under the following conditions:

  • If the data subject has explicitly consented to the processing of such personal data for one or more specific purposes;
  • When, under European Union law, national law or a collective agreement, processing is necessary for the purposes of fulfilling obligations and exercising specific rights of SPAPPE or the data subject in matters of employment law, social security and social protection;
  • When processing is necessary to protect the vital interests of the data subject or another natural person, in the event that the data subject is physically or legally incapable of giving consent;
  • If the processing relates to personal data that has been manifestly made public by the data subject;
  • If processing is necessary for the establishment, exercise or defense of legal claims or when the courts are acting in their judicial capacity;
  • If processing is necessary for reasons of substantial public interest, on the basis of European Union law or national law;
  • If processing is necessary for the purposes of preventive or occupational medicine, the assessment of the employee’s working capacity, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services, on the basis of European Union or national law or pursuant to a contract with a health professional;
  • If processing is necessary for reasons of public interest in the field of public health, on the basis of European Union or national law;
  • If processing is necessary for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, on the basis of European Union or national law.

Purposes for processing personal data

Considering the diversity of its areas of activity, SPAPPE processes personal data for the following purposes:

  • Financial data – For paying staff salaries and purchasing services; managing payments; receiving and processing tenders submitted in procurement procedures; executing contracts with suppliers.
  • Contractual procedures – Drawing up contracts, instructing and carrying out the inherent technical procedures. Receiving and processing requests for IT support; Developing new IT solutions for the Portuguese entrepreneurship ecosystem, including for the national network of incubators;
  • Human Resources – Human resources management (attendance and timetable management); salary processing; performance appraisal; promoting safety, hygiene and health at work; granting social benefits to employees;
  • Activities carried out – Organizing events within the scope of its principles and statutes, insuring events with insurance companies, participating in international events, cooperating with other similar entities or those that are part of the national entrepreneurship ecosystem.

Personal data retention period

Personal data is only kept for as long as is necessary to fulfill the purposes for which it is processed. SPAPPE complies with the maximum retention periods established by law. However, data may be kept for longer periods, for purposes of public interest, compliance with different purposes that may persist, such as the exercise of a right in legal proceedings, archiving purposes of public interest or statistical purposes, applying – in this case – all appropriate technical and organizational measures to safeguard personal data. These guarantees imply the adoption of technical and organizational measures aimed at ensuring, in particular, respect for the principle of data minimization and pseudonymization.

How is personal data collected?

SPAPPE can collect data directly (i.e. directly from the data subject) or indirectly (i.e. through users). Collection can be done through the following channels:

  • Direct collection: in person by the user;
  • Indirect collection: through third party information provided by the user.

Holders’ rights

In strict compliance with the law, SPAPPE guarantees the holders of personal data the exercise of their respective rights, under the terms of the applicable legislation on the protection of personal data, namely:

  • Right of access: the data subject has the right to obtain confirmation as to whether or not personal data concerning them is being processed and, where appropriate, the right to access their personal data.
  • Right to rectification: the data subject has the right to request the rectification of their personal data at any time, as well as the right to have incomplete personal data completed, including by means of an additional declaration.
  • Right to erasure: the data subject has the right to have their data erased when one of the following reasons applies:
    1. the data subject’s data is no longer necessary for the purpose for which it was collected or processed;
    2. the data subject withdraws the consent on which the processing of the data is based and there is no other legal basis for said processing;
    3. the data subject objects to the processing under the right to object and there are no overriding legitimate interests justifying the processing;
    4. if the data subject’s data is processed unlawfully;
    5. if the data subject’s data must be erased in order to comply with a legal obligation to which SPAPPE or its subcontractor is subject. Under the applicable legal terms, SPAPPE is under no obligation to delete the data subject’s data insofar as the processing proves necessary to comply with a legal obligation to which it is subject or for the purposes of declaring, exercising or defending a right in legal proceedings.
  • Right to restriction: the data subject has the right to obtain restriction of the processing of their data if one of the following situations applies:
    1. if they dispute the accuracy of the personal data, for a period that allows their accuracy to be verified;
    2. if the processing is unlawful and the data subject opposes the erasure of the data, requesting instead the restriction of its use;
    3. if the data subject no longer needs the data for processing purposes, but the data is required by the data subject for the purposes of declaring, exercising or defending a right in legal proceedings.
  • Right of portability: the data subject has the right to receive personal data concerning him or her in a structured, commonly used and machine-readable format and the right to transmit this data to another controller if:
    1. the processing is based on consent or on a contract to which the data subject is a party and
    2. the processing is carried out by automated means.
  • Right to object: the data subject has the right to object at any time, on grounds relating to their particular situation, to the processing of personal data concerning them that is based on the exercise of legitimate interests pursued or when the processing is carried out for purposes other than those for which the personal data were collected.

You also have the right to lodge a complaint with the National Data Protection Commission (CNPD).

Exercise of rights by the holder

Rights may be exercised by the holder by contacting SPAPPE, which will respond in writing (including by electronic means) to the holder’s request within a maximum of one month from receipt of the request, except in cases of particular complexity and a large number of requests, where this period may be extended by up to two months. By e-mail:

Filing a complaint with the CNPD

The data subject can complain directly to the National Authority for the Control of Personal Data, the National Data Protection Commission (CNPD), using the contacts provided by this entity for this purpose (at

Security measures for the technological platforms managed by SPAPPE

Taking into account the principle of proportionality and adequacy, security, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the likely risks, SPAPPE implements appropriate technical and organizational security measures to ensure a level of security of personal data appropriate to the risk, such as:

  • Limited, differentiated and traceable access to personal data: Each user will only have access to the minimum set of information necessary for their job, professional category and responsibility, according to the access matrix defined and validated by SPAPPE;
  • No horizontal access (i.e. one user cannot modify another user’s data, unless they belong to the same function and organization);
  • No vertical access (i.e. an analyst looking at top-down aggregated case data should not have access to confidential details);

The above-mentioned mechanisms will be implemented in both the front-end and the back-end to guarantee the isolation of information.

  • Platform authentication mechanisms that require:
    1. authentication with a verified Portuguese national identification system;
    2. secure communications, with information transmitted encrypted (in addition to HTTPS encryption, the messages themselves need to have encrypted passwords);
    3. users who repeatedly fail to log in should be gray-listed for a limited period of time;
    4. users who are unable to log in after being gray-listed should be blacklisted; the limited administrator role is required to reopen the account.
  • Use of firewalls and intrusion detection systems in its information systems;
  • Application of access control procedures, using differentiated access profiles and based on the need-to-know principle;
  • Recording actions taken on information systems containing personal data (login);
  • Implementation of a backup plan;
  • Anti-spam protection for receiving and sending corporate emails;
  • Installation, maintenance and management of antivirus and firewall systems on SPAPPE computers;
  • Pseudonymization of personal data;
  • Access control to physical facilities;
  • Automatic fire detection and intrusion detection systems;
  • Training and/or awareness-raising activities on information security and data protection.

Data breach

In the event of a personal data breach, and insofar as such breach is likely to result in a high risk to the rights and freedoms of the data subject, the Data Protection Officer shall notify the national supervisory authority of such breach and shall communicate the breach to the data subject within 72 hours of becoming aware of it. Any breach of personal data, the processing of which is the responsibility of SPAPPE, may be reported by the following means: e-mail to

Final Note

We recommend that you periodically consult our privacy policy to stay informed about how SPAPPE protects your Personal Data and keep up to date with the information and rights you have.

Date last updated: November 2023