Privacy Policy

1. Framework and Commitment to Data Protection

The Institute for Education, Quality and Evaluation, IP (EduQA, IP), created by Decree-Law No. 105/2025 of September 12, is an indirect state administration body with pedagogical, scientific, administrative and financial autonomy, under the supervision of the Ministry of Education, Science and Innovation (MECI).

EduQA, IP, has the mission of ensuring the implementation of educational policies in the field of the pedagogical and didactic component of education from 0 to 6 years of age, basic and secondary education, including specialized artistic education and vocational education, adult education and extracurricular education, promoting student learning and improving educational quality and providing technical support for its formulation, in accordance with the principles of legality, transparency, good administration and the protection of personal data.

This Privacy Policy applies exclusively to the institutional website of EduQA, IP, hereinafter referred to as the "website," and is intended to inform users about the conditions under which their personal data is collected, processed, stored, and protected, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation – GDPR) and Law No. 58/2019 of 8 August, which ensures the application of the GDPR in Portugal within the national legal order.

The EduQA, IP website is intended for the public dissemination of institutional and service information, as well as for providing channels of contact with citizens and entities within the education system, including the use of electronic forms and mechanisms for subscribing to informational communications.

Respect for privacy and the protection of personal data is a fundamental principle in all activities carried out. by EduQA, IP..

2. Data Controller

EduQA, IP, legal entity no. 519102622, with registered office at Travessa das Terras de Santana nº 15, 1250-269, in Lisbon, is the entity responsible for processing personal data on this website.

3. Data Protection Officer

EduQA, IP has appointed a Data Protection Officer, who should be contacted directly via email. manuel.melo@dataprotectionofficer.pt for all questions relating to the processing of personal data handled under this Privacy Policy.

4. Collection and Processing of Personal Data

The collection of personal data through the website will occur when the user fills out the provided electronic contact forms and/or subscribes to the institutional newsletter.

When filling out electronic contact forms, the following personal data is collected: First and last name; Organization; email address or telephone number; and content of the communication. This data is intended to allow EduQA, IP. to respond quickly, accurately, and personally to requests for information, suggestions, complaints, or institutional contacts addressed to it.

In turn, when subscribing to the institutional newsletter service, the following personal data is collected: First and last name; email address. This collection is always based on the prior, free, informed and spontaneous consent of the data subject, which may be withdrawn at any time, without prejudice to the lawfulness of the processing previously carried out.

Furthermore, while browsing the website, technical and usage data is automatically collected for legitimate purposes, including IP address, security logs, and session cookies.

This data is processed exclusively to ensure the proper functioning of the service, improve the user experience, and guarantee the integrity and security of the system, in strict accordance with the principles of purpose limitation and data minimization.

5. Categories of Data Subjects

Personal data processed by EduQA, IP, through the website, These relate to the following categories of data subjects: Users.

6. Categories of Personal Data Processed

The personal data collected and processed through the website is classified into the following categories of personal data:
i) Common Data (Civil Identification);
ii) Contact Information (email address);
iii) Academic and Professional Data (Organization);
iv) Navigation and Tracking Data (IP address, security logs, session cookies).

7. Purpose of Personal Data Processing

The personal data processed through the website is used for specific, legitimate, and clearly defined purposes, in accordance with the principles of lawfulness, fairness, and transparency established in the General Data Protection Regulation (GDPR). In particular, personal data is processed exclusively to support the purpose of managing institutional communication.

In some cases, personal data (anonymized) may be subsequently used for statistical purposes. This subsequent processing is considered compatible with the initial purposes, as provided for in Article 89(1) of the GDPR, and adequate safeguards are ensured to protect the rights and freedoms of data subjects.

8. Fundamentals of Lawfulness of Treatment

The processing of personal data carried out through the website complies with the legal requirements of lawfulness established in Article 6 of the GDPR.

The main legal bases that justify this treatment are:

• Paragraph a) – The processing is based on the express, free and informed consent of the data subject;
• Paragraph e) – The treatment is necessary for the performance of functions of public interest, insofar as it is necessary for the execution of the legal and administrative powers attributed to EduQA, IP within the scope of the education system and public policies under the supervision of the Ministry of Education, Science and Innovation (MECI).

These principles ensure that the processing of personal data is carried out legally, transparently, and in line with the powers conferred on EduQA, IP as a state body.

9. Storage Period

Personal data processed through the website is kept only for the period necessary to fulfill the purpose for which it was collected.

Additionally, certain data may be retained for longer periods when its subsequent processing is intended for the following purposes:

• Archive of public interest;
• Scientific or historical investigation;
• Production of statistics.

In these cases, EduQA, IP guarantees the application of appropriate technical and organizational measures to safeguard the rights and freedoms of data subjects, in accordance with Article 89 of the GDPR. These measures include, in particular:

• Minimizing the amount of data processed;
• Pseudonymization or separation of identifiable data whenever possible;
• Limiting access based on the principle of need.

When the maximum retention period is reached — or the legal grounds for processing cease to exist — the personal data will be:

• Irreversibly anonymized, if it is necessary to preserve the information for statistical or archival purposes; or
• Safely disposed of, if they are no longer needed for any legitimate purpose.

10. Rights of Data Subjects

Individuals whose personal data is processed through this website have the right, at any time and in accordance with the GDPR, to request the exercise of the following rights:

• Right of access: to obtain confirmation as to whether your data is being processed and to access the relevant information;
• Right of rectification: Request the correction of inaccurate or incomplete data;
• Right to erasure: Request the deletion of your personal data, in cases legally provided for;
• Right to restriction of treatment: to request the restriction of treatment in certain circumstances;
• Right to object: to object to the processing of data for reasons related to your particular situation;
• Right to portability: Receive your data in a structured and machine-readable format, or request its direct transmission to another entity;
• Right to withdraw consent: When treatment is based on consent, consent may be withdrawn at any time;
• Right to lodge a complaint with the National Data Protection Commission (CNPD): through the website www.cnpd.pt.

11. Limitations on the Right to Erasure

Although the GDPR (General Data Protection Regulation) recognizes the right to erasure of personal data, this right is not absolute and may not apply in all situations.

Data erasure may not be possible in the following cases: i) Its retention is required by legal or regulatory obligations; ii) The processing falls within the exercise of functions of public interest assigned to EduQA, IP.

12. Third-Party Entities

EduQA, IP is an independent entity responsible for the collection and processing of data on the website and holds no responsibility for the processing of personal data contained in the materials entered when filling out the contact form.

The personal data processed in the context of filling out contact forms may be made available to other institutional entities in order to fulfill the communications contained therein. In this context, in addition to the duties stipulated in the GDPR and other applicable legislation, those responsible for processing personal data, as well as all persons who, in the exercise of their functions, become aware of such data, are strictly bound by the duty of professional secrecy, even after the termination of their functions.

Only strictly necessary personal data will be communicated and transferred. Other systems (“third-party systems”) that access personal data at the data subject's instruction are not covered by this privacy policy.

13. Subcontractors

The personal data collected may be transmitted to subcontractors who process it on behalf of and for EduQA, IP. In such cases, EduQA, IP will implement the necessary contractual measures to ensure that subcontractors respect and protect the personal data of the data subjects.

Subcontractors responsible for processing personal data on behalf of EduQA, IP are required to provide sufficient written assurances that they are implementing appropriate technical and organizational measures to comply with current legislation on privacy and personal data protection. These assurances, intended to protect the rights of data subjects, will be formalized in a contract signed between EduQA, IP and each of these third-party entities.

14. Data transfer to third countries

Within the scope of the processing of personal data carried out by EduQA, IP and for the purposes set out in this Privacy Policy, no transfer of personal data outside the European Economic Area (EEA) takes place.

All data is stored and processed in infrastructures located within national or European territory, ensuring compliance with data protection standards defined by the GDPR.

15. Personal Data Security Measures

EduQA, IP applies rigorous measures to protect personal data processed within the scope of its services, including its website. These measures follow nationally and internationally recognized standards and are applied to all individuals and entities legally authorized to access this data.

To guarantee the confidentiality, integrity, and security of information, EduQA, IP adopts, among others, the following practices:

• Data protection through encryption and, whenever possible, anonymization;
• Access control, ensuring that only those who truly need the data to perform their duties have access to it;
• Constant monitoring of system security and regular updating of protection policies and measures;
• Strengthening defenses against new digital threats through the continuous implementation of improvements and preventative measures.

In addition to the measures adopted by EduQA, IP, it is also essential that each user contributes to information security. To this end, the following is recommended:

• Use up-to-date devices and browsers;
• Always have an active antivirus and a firewall;
• Avoid sharing passwords and only access platforms on secure networks.

Data protection is a shared responsibility — and everyone's collaboration is essential to ensuring a secure digital environment.

16. Changes to the Privacy Policy

This Privacy Policy may be updated whenever necessary, for example, as a result of legislative changes, technological developments, or improvements in how EduQA, IP handles personal data.

The most recent version will always be available on this website, with the date of the last update clearly indicated. Regular consultation is advised so that all users remain informed about how their data is handled.