Commitment to Data Protection and Privacy

The Directorate-General for Natural Resources, Safety and Maritime Services (DGRM) complies with all applicable EU and national legal standards in the field of data protection, privacy and information security.

The DGRM is implementing a Personal Data Protection System and an Information Security System in order to ensure regulatory compliance and the demonstration or disclosure of institutional responsibility for data protection and information security, implementing all the necessary technical and organisational measures, both to comply with the general legal regime of the current Data Protection Law in force and to comply with the special legal regime of the General Regulation on Data Protection, applicable from May 25, 2018.

For further clarification or additional information or for the exercise of rights in this area, you should contact the Data Protection Officer of the DGRM by email epd@dgrm.mm.gov.pt.

 Definitions:

“Personal data” means information relating to an identified or identifiable natural person (“data subject”); an identifiable person is a natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier. Personal identifiers are, for example, a name, an identification number, location data, electronic identifiers or one or more specific elements of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing” means an operation or set of operations carried out upon personal data or sets of personal data by automated or non-automated means, such as collection, recording, organisation, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of availability, comparison or interconnection, limitation, erasure or destruction.

“Cookies” are small text files with information deemed relevant that the devices used for access (computers, mobile phones or portable mobile devices) carry, through the Internet browser, when an online site is visited by a citizen or user.

 Responsible Entity for Processing

The DGRM, located in Av. de Brasília, 1449-030 Lisbon, the central office of the State's direct administration with administrative autonomy and legal entity no. 600084973, hereinafter referred to as DGRM, is the entity responsible for the websites www.dgrm.mm.gov.pt and for the computerised applications, hereinafter referred to as channels or applications, through which clients or citizens have remote access to DGRM´s services that are presented, marketed or provided, at any time, through them.

The use of the channels or applications by any client or citizen may imply the performance of personal data processing operations, whose protection, privacy and security by the DGRM, as the entity responsible for the respective processing, is guaranteed, in accordance with the terms of this Data Protection and Privacy Policy.

 Contacts of the Data Protection Officer

For the purpose of contacting the Data Protection Officer of the DGRM, please use the email address epd@dgrm.mm.gov.pt; you shall describe the subject of the request and provide an email address, a telephone number or a mailing address.

 Collection and Processing of Personal Data

The DGRM processes personal data strictly necessary for the provision of information and the operation of its channels, in accordance with the uses made by the clients or citizens, whether they are provided by clients for the purpose of registering requests or obtaining information, or those resulting from the use of the services provided by the DGRM, such as access, consultations, instructions, transactions and other records related to their use.

In particular, the use or activation of certain channel functionalities may involve the processing of various direct or indirect personal identifiers, such as name, address, contacts, device addresses or geographical location, whenever express consent is given. In any case, clients or citizens will always be informed of the need to access such data for the use of the functionalities of the channels concerned.

Personal data collected by the DGRM are processed electronically, in certain cases in an automated way, including file processing or profiling, and under management of pre-contractual, contractual or post-contractual relations with clients or citizens, in accordance with the national and European rules in force.

 Categories of Personal Data Processed

The categories or types of personal data of clients that are processed are the following: name, surname, sex, date of birth, address (number and floor), town/city, postal code, country, landline phone, mobile phone, e-mail, photograph and medical certificate.

 Legal Principles

All data processing operations comply with the fundamental legal principles in the scope of data protection and privacy policy, namely as regards its use, purpose, minimisation, conservation, accuracy, integrity and confidentiality, in accordance with the principles of lawfulness, loyalty and transparency, and the DGRM is available to demonstrate its responsibility to the data subject or any other third party that has a legitimate interest in this matter.

 Fundamentals of Legitimacy

All data processing operations carried out by the DGRM are based on legitimacy, in particular because the data subject has given his consent to the processing of his personal data for one or more specific purposes, because the processing is considered necessary for the performance of a contract in which the data subject is a party, or for pre-contractual arrangements at the request of the data subject, on the grounds that the processing is necessary for compliance with a legal obligation to which the controller is bound for the purposes of the public interest and on the grounds that the processing  is deemed necessary for the legitimate interests pursued by the DGRM or by third parties.

 Purpose of Processing

All personal data processed within the scope of the DGRM´s channels are intended exclusively for the provision of information to clients, for the management of personal information of the clients deemed necessary for the purpose of relationship management or communication, as well as for the provision of services to citizens and, in general, to the management of pre-contractual, contractual or post-contractual relations with clients or citizens.

The personal data collected may also be processed for statistical purposes, for information or promotional dissemination  actions and for communication actions, namely, to promote actions to disseminate new functionalities or new services through direct communication, whether by correspondence or by electronic means, messages or telephone calls, or any other electronic communications service.

Provided that the prior information and the collection of the express authorization for this latter purposes are always assured, clients or citizens may, at any time, exercise their right to oppose the use of their personal data for other purposes that go beyond the management of the relationship with the DGRM, in particular, for the purpose of pursuing public interest, sending information communications or inclusion in lists or information services, by sending a written request to the Data Protection Officer of the DGRM, in accordance with the procedures indicated below.

 Deadlines for Data Retention

Personal data shall be preserved only for the period necessary for the purposes for which they were collected or further processed, ensuring compliance with all applicable legal rules on archiving.

 Use of Cookies

The DGRM may possibly use two main categories of “cookies”: “cookies'” within the context of online websites and “cookies” within the scope of direct electronic communication channels, being guaranteed the respective deactivation in any of the categories.

The DGRM uses “cookies” on its websites to improve the performance and browsing experience of clients and citizens, while increasing a swift and efficient response and removing the need for repeatedly enter the same information. The use of “cookies” helps websites to recognize clients’ and citizens' devices the next time they visit them, and in some cases is also essential for their operation.

The “cookies” used by the DGRM, in all its channels, do not collect personal information that allows the identification of clients or citizens, keeping  only  generic information, such as the form or geographical location of access and how they use the channels, among others. The “cookies” only retain information related to the preferences of clients and citizens and no personal identifiers are registered.

Clients and citizens can, at any time, through the computer application they use to navigate the internet ("browser"), make the decision to be notified of the receipt of cookies and to block the respective entry into their system.

For this purpose, the DGRM may, where appropriate, use three different types of cookies in accordance with the following specifications:

i. Essential “cookies” - some “cookies” are essential to access specific areas of online channels, allowing navigation and use of applications, such as access to secure areas of websites through user registration - without these “cookies”, services that require them cannot be provided;

ii. Functionality “cookies” - Functionality “cookies” allow you to remember your preferences for browsing websites, so you do not need to reconfigure and customize the site each time you visit it;

iii. Analytical “cookies” - these cookies are used to analyse how clients use websites, to highlight articles or services that may be of interest to clients, to monitor site performance and to know which pages are most popular, which page linking method is most effective or to determine why some pages are receiving error messages - these cookies are used for statistical purposes only and never to collect personal information.

For these purposes, the DGRM can provide a high quality experience to clients or citizens, by personalising information and offers and identifying or correcting any issues that may arise in connection from their use. Regarding the type of validity, there are two types of “cookies”:

i. Permanent “cookies” - These are “cookies” that are stored on the devices used to access channels (computers, mobile phones, etc.) at the level of the computer application used to surf the internet ('browser') and are used whenever clients or citizens revisit any channel - usually used to direct navigation according to client or citizen interests, allowing the DGRM to provide a more personalised service;

ii. Session “cookies” - These are temporary “cookies” that are generated and only available until the end of the session, since the next time the citizen/client accesses their internet browser, the “cookies” will no longer be stored - the information  obtained allows the sessions to be managed, identifies problems and provides a better browsing experience.

 Clients or citizens may disable some or all of the cookies at any time. For that purpose, they must follow the instructions available in each of the web browser applications, although they may lose access to some of the site´s functionalities upon deactivation.

In the context of direct electronic communication channels, the DGRM may also use “cookies” to open different electronic communications sent, such as “newsletters” and electronic mail, for statistical purposes - allowing to know whether such communications are open and check the clicks through links or advertisements within those communications. Also in this category of “cookies”, the clients or citizens can always disable the sending of electronic communications through the specific option in the footer of them.

 Reporting Data to Other Entities

The provision of information or the provision of services by the DGRM to its clients or citizens through the channels may eventually involve the use of services from third party, subcontractors, including entities with headquarters outside the European Union, as well as partners with whom the DGRM has signed agreements and/or protocols for the provision of certain services, which may entail the access by these entities, to personal data of clients or citizens. In these circumstances, and whenever necessary, the DGRM will use entities that provide sufficient guarantees to implement appropriate technical and organisational measures so that the treatment meets the applicable standards, being such guarantees legally formalized between the DGRM and each of these third entities.

 Recipients of data

Except within the scope of compliance with legal obligations, under no circumstances will there be communication of personal data of clients or citizens to third parties other than subcontractors, to partners with whom they have entered into agreements and/or protocols or legitimate recipients, nor will any other communication be made for purposes other than those referred above.

 International Data Transfers

Any transfer of personal data to a third country or an international organisation shall only take place in the framework of fulfilment of legal obligations or guaranteed compliance with the relevant European and national legislation.

  Security measures

Taking into account the most advanced techniques, implementation costs, nature, scope, context and purposes of the processing, as well as the risks for clients or citizens, the DGRM and all entities that are its subcontractors, as well as the partners with whom the DGRM has entered into agreements and/or protocols, apply the technical and organisational measures adapted to ensure a level of security appropriate to the risk. To this purpose, various security measures are used to protect personal data against their dissemination, loss, misuse, alteration, processing or unauthorized access, as well as against any other form of unlawful processing.

It is the sole responsibility of clients or citizens to keep access codes secret and not sharing them with third parties and, in the particular case of computer applications used to access channels, to retain and maintain access devices in a safe and secure manner, following the security practices advised by manufacturers and/or operators, namely, regarding the installation and updating of the necessary security applications, among others, antivirus applications.

If there is a need for subcontracting services to third parties who may have access to personal data of clients or citizens, DGRM's subcontractors, as well as partners with whom the DGRM has entered into agreements and or protocols, will be obliged to adopt the organization´s security measures and protocols and the technical measures necessary to protect the confidentiality and security of personal data, as well to prevent unauthorized access, loss or destruction of personal data.

 Exercise of the Rights of Personal Data Holders

The DGRM` s clients or citizens may, as holders of personal data, at any time exercise their rights to data protection and privacy, including the rights of access, rectification, deletion, portability, limitation or opposition to processing, under the terms and with the limitations set out in the applicable rules.

Any request for the exercise of data protection and privacy rights shall be addressed, in written form, by the respective holder to the Data Protection Officer, in accordance with the procedure and contact described below.

 Complaints or Suggestions and Incident Reporting

The DGRM`s clients or citizens have the right to submit a complaint, in person, by filing the complaint in the Complaints Book or by submitting a complaint to the regulatory authorities. The DGRM`s clients or citizens may also make suggestions via email sent to the Data Protection Officer.

 Incident Reporting

The DGRM has implemented an incident management system for data protection, privacy and information security. If any client or citizen wishes to report the occurrence of any situation  of personal data violation that causes accidental or  illicit destruction, loss, alteration, disclosure or unauthorized access to personal data transmitted, retained or subject to any other type of processing, they may contact the Data Protection Officer.

 Change of Privacy Policy

In order to ensure its updating, development and continuous improvement, the DGRM may, at any time, make any changes to this Data Protection and Privacy Policy that are considered appropriate or necessary, and its publication in the different channels is assured to ensure its transparency and information to clients and citizens.  

 Express Consent and Acceptance

The terms of the Data Protection and Privacy Policy are complementary to the terms and provisions on personal data set out in the General Conditions of Use of the DGRM´s channels. The free, specific and informed availability of personal data by the respective holder implies knowledge and acceptance of the conditions contained in this Policy, considering that, by using the channels or by making their personal data available, the clients and citizens are expressly authorizing their processing in accordance with the rules defined in each of the applicable channels or collection instruments.

 Data Protection Officer

For the exercise of any right to data protection and privacy or for any matter concerning data protection, privacy and information security issues, clients and citizens that interact with the DGRM may contact the Data Protection Officer at epd@dgrm.mm.gov.pt, describing the subject matter of the request and providing an email address, a telephone contact or an address for correspondence.

Data Protection Officer´s Contacts:

Full name: Carla Gonçalves.

E-mail address: epd@dgrm.mm.gov.pt

Phone number: + 351 213 035 800

Hours of attendance: 10am - 12pm and 2pm - 4:30 pm (Lisbon)