Regulation (EU) 2016/679 - General Data Protection Regulation (GDPR)[1], applicable since 25 May 2018, lays down the rules that apply to the processing of personal data by companies and public authorities in order to ensure that the fundamental rights and freedoms of natural persons are defended, and in particular that their personal data are protected.

What are personal data?

Personal data are all personal information relating to an identified or identifiable natural person, the data subject.

What is meant by "processing"?

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

ANI – National Innovation Agency,  S.A. (ANI), as a public undertaking, is implementing the technical and organizational measures necessary to comply with the GDPR in order to ensure the confidentiality, integrity, security and accuracy of any personal data transmitted to it.

In what situations is data processing carried out?

In order to carry out its activity, the ANI processes personal data under the terms laid down in the GDPR, when this is necessary for

• the execution of contracts to which it is a party,
• complying with legal obligations to which it is bound,
• performing functions of public interest,
• pursuing a legitimate interest not overridden by the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data.

Outside the aforementioned cases, ANI will ask you for your consent to the processing of your personal data.

How are personal data processed?

Personal data is processed by ANI in accordance with the principles of transparency and loyalty towards the data subject.

Personal data are collected for specific given purposes, which will be explicitly and legitimately communicated to the data subject, and data may not be used for purposes incompatible with the purpose for which its collection was authorized.

Only personal data that are appropriate and relevant to the purposes of the processing will be requested.

Personal data shall be accurate and kept up to date where necessary, and appropriate measures shall be taken to ensure that any inaccurate data, having regard to the purposes for which they are processed, are erased or rectified as soon as possible.

Personal data shall be kept for as long as is necessary to achieve the purpose for which they are intended.
ANI will take technical and organizational measures to ensure the security of personal data and to prevent accidental loss, destruction or damage, as well as unlawful or unauthorized processing.

Withdrawal of Consent
Whenever personal data are collected and processed based on the consent of the data subject, the data subject may withdraw his/her consent at any time.
To do so, it will only be necessary to inform the ANI of the withdrawal of consent, by means of a communication addressed to the Data Protection Officer, by email to the address epd@ani.pt, or a letter sent by simple post.

Rights of the data subject
The data subject has the

• Right to be informed about relevant aspects of the processing;
• Right of access to his/her data;
• Right to rectify his/her data;
• Right to restrict the processing of his/her data;
• Right to delete/erase data;
• Right to data portability (where technically possible);
• Right to object to treatment.

In order to exercise these rights, the data subject will only have to make a request by means of a communication addressed to the Data Protection Officer, by e-mail to the address epd@ani.pt or a letter sent by simple post.

By making personal data available to ANI, its owner acknowledges and accepts that it is processed in accordance with the provisions of this "Privacy and Personal Data Processing” document.

Data Protection Officer
The role of the Data Protection Officer is, among others, to ensure the relationships between ANI and the personal data subjects in matters covered by the GDPR and related legislation.
The Data Protection Officer at ANI will provide any clarifications requested of him/her in relation to personal data protection, will receive requests relating to exercising the rights of the data subjects, as well as complaints submitted in this context.


National Data Protection Commission
The National Data Protection Commission is responsible for monitoring the application of the GDPR for the purpose of defending the fundamental rights and freedoms of natural persons with regard to processing and facilitating the free movement of data within the European Union.
Data subjects may submit any complaints regarding our privacy policy and the processing of personal data by ANI to the National Data Protection Commission.

[1] Corrected by Corrigendum to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.