The privacy of personal data and its due protection is of an extreme importance to the Municipality of Machico. Therefore, the Municipality of Machico complies with its legal obligations, particularly those that arose from the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, 27th of April 2016 (“GDPR”).
As a result, the Municipality of Machico is implementing a set of measures in order to strengthen its Privacy Policies. Thus, protecting the personal data of residents and individuals who interact or collaborate with the Municipality of Machico is a priority.
In full compliance with the law, the Municipality of Machico is introducing new security policies and improving their procedures with the sole purpose of pursuing the public interest and guaranteeing the security of their data.
When it comes to the processing of personal data the protection of citizens is a fundamental right, so your privacy is important to the Municipality of Machico. Therefore, we clarify which personal data we collect, for what purposes we use it, what are the main reasons for their usage and what rights the citizens/subjects of said data have.
It is with the purpose of contenting the citizens of the Autonomous Region of Madeira and those who visit or work in the Municipality of Machico. Therefore, as the data handler the Municipality of Machico:
- Ensures that the processing of personal data is carried out for the purposes of which they were collected for or for the purposes compatible with the initial proposals for which they were collected;
- Is committed to implementing the data minimization protocol, in which it only collects, uses and retains personal data strictly necessary for the development of its services and the contentment of the citizens’ interests.
Commitment from the Municipality of Machico – GDPR
Protecting your personal data
Through this Policy, the Municipality of Machico recognizes the importance of the personal data it processes and its security. Therefore, it safeguards the privacy of the subjects by not jeopardizing the personal data and its usage on the different areas in which it operates.
Regarding this policy, the Municipality of Machico also provides information concerning the rules, values and the processing of personal data entrusted to them, all in accordance with the General Data Protection Regulation (GDPR) and other applicable legislation. Therefore, the data subjects know their rights if they wish to exercise them.
Entity in charge of the data processing
Regarding its diverse areas of work, the Municipality of Machico, is in accordance with the law that establishes the framework of competencies that arose from the legal regime of the local government, Law no. 75/2013, 12th of September (“regime jurídico das autarquias, locais Lei n.º 75/2013, de 12 de setembro”), as well as the legal regime of operations, of the municipalities and civil parishes, Law no. 169/99 of 18th September (“o regime jurídico de funcionamento, dos órgãos dos municípios e das freguesias, Lei n.º169/99, de 18 de Setembro”). For that reason it is the entity in charge for the processing of personal data; and can be contacted through the following e-mail address: firstname.lastname@example.org
Data protection officer
Given the legal obligation resulting from article 37, no. 1, paragraph a) of the GDPR, the Data Protection Officer of the Municipality of Machico is responsible for ensuring, amongst other aspects, the compliance of the activities of processing and protection of personal data under the responsibility of the Municipality of Machico, according to the applicable legislation and the present Policy.
Therefore, the subjects may communicate with the Data Protection Officer, when the matter is related to the processing of personal data, using the following email address: email@example.com
Personal data is any information, of any nature and in any medium (e.g.: sound or image), related to an identified or identifiable individual (called “data subject”). The individual is considered identifiable directly or indirectly, namely through a name, an identification number, a location, an electronic identifier or other specific elements of the physical, physiological, genetic, mental, economic, cultural or social identity of said individual.
Sensitive personal data
Sensitive data is the personal data that is handled under special conditions. These include:
- Personal data that reveals racial or ethnical origin, politic views, religious or philosophical beliefs and their union membership;
- Data regarding genetics;
- The biometric data processed with the aim of identifying an individual unequivocally;
- Health-related data;
- Data related to a person’s sexual life or sexual orientation.
Any individual to whom the personal data belongs is the also subject of said data. In the context of the activities developed by the municipality of Machico, the following are data subjects:
The members of the representative entities of the municipality, the employees of the municipality or of entities owned or affiliated with the municipality (regardless of their contractual agreement), the residents of Machico, as well as all individuals who submit or authorize their data to be used by the Municipality of Machico.
Personal data categories
The Municipality of Machico processes personal data of different natures and sensitivities, bearing in mind the purposes associated with the processing of such data. For example:
- Personal identification data: name, date of birth, place of birth, gender, nationality, address, mobile number, professional qualifications, email, civil ID or passport number, tax number, driver’s license number and social security number;
- Family situation: marital status, spouse’s name, children or other dependents and/or any other information necessary to determine complementary wage allowances.
- Professional activity: work schedule, workplace, admission date, position, professional category and duration and experience of such, wage level, type of contract and vocational competency certificate(s).
- Financial information: remuneration and possible bonuses, variable and fixed amounts, allowances, holidays, attendance, leave, or any other information related to possible remuneration bonuses, amounts or rates of mandatory or optional contributions, payment methods, bank name and bank account number (NIB or IBAN), job compatibility disclaimer (where applicable);
- Special categories of personal data: degree of disability of the employee and/or of any member of his household, possible temporary disability as a result of work accidents or occupational diseases and sick leave.
Register of the processing of personal data
The Municipality of Machico has a data register regarding the data processing, in accordance with article 30 of the GDPR, in which are listed:
- The name and contact details of the person in charge of data processing, and of any other involved members, the representative of the data processor and the data protection officer;
- Purposes for which the data is used;
- The description of the categories of data subjects and the categories of personal data;
- The time foreseen for erasing the different categories of data;
- The technical and organizational measures in the field of security implemented to ensure pseudonymisation and encryption of personal data and also the ability to ensure the confidentiality, integrity and the permanent availability and resilience of the processing of systems and services.
Principles concerning the processing of personal data
Within the processing of personal data, the Municipality of Machico adheres to the following fundamental principles:
- Principle of transparency and loyalty: thepersonal data is processed in a lawful, fair and transparent way in relation to the data subject;
- The purpose limitation principle: the personal data is collected for specified, explicit and legitimate purposes and is not further handled in a way that goes against those purposes;
- The data minimization principle: personal data will be adequate, relevant and limited to what is necessary for the purposes for which they are processed;
- The accuracy principle: the personal data will be accurate and updated whenever necessary. All appropriate measures will be taken so that the inaccurate data is erased or rectified without delay;
- The principle of data storage: personal data will be kept so that it allows for the identification of the subjects but only for the needed time for which the data is used;
- The principle of integrity and confidentiality: personal data will be processed in a way that ensures its security; including protection against unauthorized or unlawful processing of the data and against its accidental loss, destruction or damage. Therefore, appropriate technical or organizational measures will be adopted.
As the entity in charge for processing the data, the Municipality of Machico is committed to ensure that the data of the subjects is processed in strict compliance with the aforementioned principles.
Legal grounds for processing personal data
The Municipality of Machico only processes personal data whenever, at least, one of the following situations occurs:
Subject’s consent: when the data subject has given his consent for the processing of his personal data, for one or more specific purposes. Consent may be obtained by any means (including electronic), having the Municipality of Machico keep a record of it, as a way to prove that the subject has given his consent to the processing of his personal data.
The data subject has the right to withdraw his consent at any time, and the withdrawal of said consent does not compromise the lawfulness of the processing carried out on the basis of the consent previously given.
- Contract enforcement or pre-contractual diligences: when the processing is necessary for the performance of a contract to which the data subject is a party, or for pre-contractual diligences at the request of the data subject.
This situation includes, for instance, the processing of personal data of workers of the Municipality of Machico in order to manage the established relationship between the parties.
- Compliance with the legal obligations: when the processing of data is needed in order to comply with a legal obligation. The processing of personal data to fulfil the duty of identification and diligence to which the Municipality of Machico is obliged, for example:
– In the reporting obligations to be performed for Civil Servants Pension Fund, Social Security, Tax Administration and the General Local Authorities Administration (“Caixa Geral de Aposentações, Segurança Social, Administração Tributária e Direção Geral das Autarquias Locais – “DGAL”);
– In the industrial licensing processes that arise from the Responsible Industry System (SIR), Decree-Law 73/2015, 11th of May (“Sistema da Indústria Responsável (SIR), Decreto-Lei n. º 73/2015, de 11 de maio”);
– In the urban licensing processes that arise from The Legal Regime of Construction and Land Development, Decree-Law 555/99, 16th of December (“Urbanização e da Edificação, Decreto-Lei n. º 555/99 de 16 de dezembro”);
– In the administrative processes for the obtainment of licenses, in accordance with the respective Municipal Regulations;
– Under the terms of the collecting, registering and updating databases for the Defence of Forest Against Fires (“Rede de Defesa da Floresta Contra Incêndios”), that arise from the legal regime of the National Defence System against Forest Fires, Decree-Law 124/2006, 28th of June (“Sistema Nacional de Defesa da Floresta contra Incêndios Decreto-Lei n. º 124/2006, de 28 de junho”);
– Under the terms of the data collection to be forwarded to the DGAL for national registration of night watch men, Law 105/2015, 25th of August (“guardas noturnos, Lei n. º 105/2015, de 25 de Agosto”);
– Under the terms of the data collected in the professional internship programs of the Local Administration, Decree-Law 18/2010, 19th of March (“Administração Local, Decreto-Lei n. º 18/2010, de 19 de março”);
– Under the anti-money laundering and anti-terrorist financing, Law 83/2017, 18th of August, (“Combate ao branqueamento de capitais e ao financiamento do terrorismo Lei n. º 83/2017, de 18 de agosto”).
- Vital interests: when the data processing is needed for the defence of the vital interests of the data subject or another individual.
- Public Concerns/public authority: when the data processing is necessary for the performance of a task carried out in the public interest or subject to the exercise of public authority for which the Municipality of Machico is responsible for. For instance, in the implementation of misdemeanours within the scope of the duties it is responsible for.
- Legitimate interest: when the processing of data is necessary for the purpose of the legal aims sought out by the Municipality of Machico or by third parties, unless the interests or fundamental rights and freedoms of the subject that require the protection of personal data.
The Municipality of Machico may process sensitive data under the following conditions:
- If the data subject has given his explicit consent to the processing of such data, for one or more specific purposes;
- When, in accordance with European Union legislation, national legislation or a collective agreement, the data processing is necessary for the purposes of complying with obligations and enforcement of rights by the Municipality of Machico or by the data subject in respect to the labour legislation, social security and social protection;
- When the data processing is necessary to protect the vital interests of the data subject or another individual, in case the data subject is physically or legally incapable of giving his or her consent;
- If the data processing refers to personal data that has been noticeably made public by the subject;
- If the data processing is necessary for the establishment, exercise or defence of legal claims or when/whenever the courts act in the exercise of their judicial role.
- If the data processing is necessary on grounds of public interest with basis on the European Union or the National law;
- If the data processing is necessary for archival purposes regarding the public interest, scientific and historical research or statistical purposes with basis on the European Union or the National law.
As the national legislation regarding the GDPR has not yet been approved, it may impose new conditions on the processing of genetic data, biometric data or data related to health that will be duly implemented after its approval into force.
Purposes for which the personal data is processed
Taking into account the wide range of its areas of operation, the Municipality of Machico handles personal data for the following purposes:
- Financial – collection/invoice management; payment management.
- Provisioning procurement and contracting – Management of public procurement proceedings; receiving of proposals submitted in purchasing procedures and its processing; monitoring the execution of contracts for the supply of goods and services; drafting of contracts; implementation of contracts established with suppliers.
- Administrative – drafting of public-law and private-law contracts, instructing and putting into practice the administrative procedures; technical support to the licensing process; litigation; misdemeanours; executions; receiving and processing of computer support requests; creation of new IT solutions; the Municipality’s network and data management.
- Human Resources – recruitment and management of the human resources (attendance and schedule management); payroll administration; performance assessment; work safety promotion, hygiene and health; granting of social benefits to beneficiaries.
- Urban Planning and Management – urban, industrial and other licensing processes; notices; urban renewal; processes that included inspections and misdemeanours; geographical information; organization and management of works and workers; monitoring of physical accesses; alarm installations; management of vehicles and machines; CCTV and alarm systems.
- Sports, education and arts – social projects; organization of tournaments; invitations to cultural and sporting events/activities; impetus of actions for tourism growth, as with the management of the Porto de Recreio, the Bathing Complexes of Machico and the sports and cultural facilities, such as the Municipal Library and the Madeira Whale Museum.
- Environment – Licensing, registry of animals, requests for adoption of animals.
- Communication – Disclosure of internal and external communications, management of social networks, organization of events, sending of newsletters.
Period of storage of personal data
Stored personal data shall be kept only for the time necessary to achieve the purpose for which it was collected. The Municipality of Machico will comply with the storage periods legally established. However, the data may be kept for longer periods in order to meet with different purposes that may arise, such as, the enforcement of a right in a lawsuit, for archival purposes of public interest, for scientific or historical investigation purposes or for statistical purposes. Therefore, the Municipality of Machico may apply the appropriate technical and organizational
How is the personal data collected?
The Municipality of Machico may collect data directly (i.e. directly with the data subject) or indirectly (i.e. via third parties). The collecting can be done through the following channels:
- Direct collection: in person, by phone, by e-mail, through their websites and through the training field;
- Indirect collection: through any third party to or with whom the subject is associated.
Data subject’s rights concerning their data
In accordance with the applicable legislation on the protection of personal data, the Municipality of Machico assures data subjects the exercise of their rights, namely:
- The right of access: the subject has the right to obtain confirmation as to whether or not personal data concerning him is being processed and, if so, the right to access his personal data.
- The right of rectification: the subject has the right to request, at any time, the rectification of his personal data and has the right to have his incomplete personal data dully completed, including by means of an additional declaration.
- The right of erasure: the subject has the right to have his/her data erased when one of the following reasons applies: (i) the data subject’s data no longer meets the purpose for which it was collected or processed; (ii) the data subject withdraws its consent on which the data processing is based and there is no other legal basis for such processing; (iii) the data subject opposes to the processing under the right to object and there are no legitimate interests that justify the processing; (iv) if the subject’s data is processed unlawfully; (v) if the subject’s data has to be deleted in order to comply with a legal obligation to which the Municipality of Machico or sub-contractor is subjected. Under the applicable legal terms, the Municipality of Machico shall not be obliged to delete the data of the subject, to the extent that the processing is necessary for the fulfilment of a legal obligation to which the data subject is bound or for the purposes of the declaration, exercise or defence of a right in judicial proceedings.
- The right to limitation: the subject has the right to limit the processing of his data if one of the following situations applies: (i) if it contests the accuracy of the personal data, during a period that allows to verify its accuracy; (ii) if the processing is illicit and the subject opposes to the erasure of the data, requesting, in return, the limitation of its use; (iii) if the Municipality no longer needs the subject’s data for processing purposes, but such data is requested by the subject for the purpose of declaration, exercise or defence of a right in a judicial proceeding.
- The portability right: the subject has the right to receive personal data concerning him/her in a structured, commonly used and automatically readable format, and the right to convey such data to another party responsible for processing, if any: (i) the processing is based on consent or on a contract to which the data subject is a party, and (ii) the processing is carried out by automated means.
- The right of opposition: the data subject has the right to object at any time, on grounds relating to his or her individual situation, to the processing of personal data concerning him or her, based on the exercise of legitimate interests pursued or when the processing is carried out for purposes other than those for which the personal data was collected.
You hold the right to file a complaint to the Comissão Nacional de Protecção de Dados (CNPD).
The data subject’s enforcement of rights
The subject may exercise his rights by contacting the Municipality of Machico, which shall reply in writing (including by electronical means) to the subject’s request within a maximum period of one month counting from the reception of the request. However, this period may be extended up to two months in cases of special complexity and high number of requests. This can be done via the following methods:
- In person: Edifício dos Paços do Concelho Largo do Município 9200-099 Machico
- Email: firstname.lastname@example.org
Submitting a complaint to the CNPD
The data subject may complaint directly to the “Autoridade Nacional de Controlo de Dados Pessoais, a Comissão Nacional de Proteção de Dados (CNPD)”. To do so use the contacts provided by CNPD (available at www.cnpd.pt).
Taking into account the principle of proportionality and suitability, security, implementation costs and the nature, context and purposes of the processing, the Municipality of Machico applies appropriate technical and organizational security measures to ensure a level of personal data security appropriate to the risk, for example:
- The usage of firewalls and intrusion detection measures in its information systems;
- Application of access control procedures, using differentiated login profiles and based on the principle of a need-to-know basis;
- Record of actions done on information systems that contain personal data (login);
- Execution of backup plans;
- Anti-spam protection measures against corporate email receiving and sending;
- Installation, maintenance and management of antivirus and firewall systems of the Municipality of Machico’s computers.
- Pseudonymisation of personal data;
- Access control to the physical facilities of the Municipality of Machico’s equipment;
- Automatic fire and intrusion detection systems;
- Executing training activities and/or raising awareness on information security and data protection.
Transfer of data to third parties
Subcontractors and third parties
- Subcontractors: the Municipality of Machico may resort to other entities contracted by it (subcontractors) to process the data of the subject while still being in strict compliance with the terms of the GDPR, General Data Protection Regulation.
- The subcontractors may not convey the subject’s data to other entities without prior written authorization from the Municipality of Machico.
- The Municipality of Machico is committed to ensuring that these subcontractors are only entities that provide sufficient guarantees for the implementation of appropriate technical and organizational measures, in order to ensure the privacy of the subject’s data and to safeguard the defence of the subject’s rights.
- All subcontractors are bound to the Municipality of Machico by a written contract that results from the acquisition procedures under the Public Procurement Code, Decree-Law 18/2018, 29th of January, altered and republished as the Decree-Law 111-.B/2017, of the 31st of August (“Código dos Contratos Públicos, Decreto-Lei n. º 18/2008, de 29 de janeiro, alterado e republicado pelo Decreto-Lei n. º 111-. B/2017, de 31 de agosto”), which includes: the object and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of the data subjects, the rights and obligations of the parties, including the duty of confidentiality, and the security measures to be implemented.
- Third parties: the Municipality of Machico may also send data to third parties, namely entities to which the data must be communicated to, in accordance with the applicable legislation, such as the Tax Administration, Social Security, Civil Servants Pension Fund and the General Local Authorities Administration, insurance enterprises (“Autoridade Tributária, a Segurança Social, Caixa Geral de Aposentações, Direção Geral das Autarquias Locais, entidades seguradoras”), among others.
In the event of a personal data breach, and to the extent that such breach is likely to result in a high risk of violation to the rights and freedoms of the data subject, the Data Protection Officer of the Municipality of Machico shall notify the national supervisory authority of such breach and shall report it to the data subject within 72 hours of becoming aware of it.
Under the GDPR, communication to the subject is not required in the following cases:
- If the Municipality of Machico has applied appropriate protection measures, both technical and organizational, and these measures have been applied to the personal data affected by the breach. Especially measures that make the personal data incomprehensible to any person not authorized to access such data, such as encryption;
- If the Municipality of Machico has taken subsequent measures to ensure that the risk to the rights and freedoms of the subject is no longer likely to occur; or
- If the communication to the subject involves a disproportionate effort for the Municipality of Machico, in which case it will make a public communication or take a similar measure through which the subject will be informed.
Any breach of personal data that is processed by the Municipality of Machico, may be reported through the following means:
- By e-mail, to be sent to email@example.com
Date of last update: September 2020