Saltar para o conteúdo principal

Public body responsible for quality, curricular innovation and external evaluation of learning in the Portuguese education system.

Privacy Policy

  1. Data Protection and Privacy Commitment
  2. Identification of the Data Controller
  3. Data Protection Officer
  4. Scope and Application
  5. Collection and Processing of Personal Data
  6. Treatment Activities – Summary Table
  7. Categories of Data Subjects and Categories of Personal Data
  8. Purposes of Treatment
  9. Fundamentals of Lawfulness
  10.   Data Recipients
  11.   Storage Periods
  12.   Rights of Data Subjects
  13.   Automated Decisions and Profiling
  14.   Personal Data Security Measures
  15.   Use of Cookies
  16.   Systemic Articulation
  17.   Changes to the Privacy Policy
  18.   Version and Date

This Privacy Policy describes, in full compliance with Articles 12, 13 and 14 of the General Data Protection Regulation, the processing of personal data carried out by EduQA – Instituto de Educação, Qualidade e Avaliação, IP in the context of the use of the institutional website accessible at [website address]. www.eduqa.pt.

This Policy forms part of the Institute's documentation system regarding the protection of personal data and should be read in conjunction with the General Policy on the Protection of Personal Data and the Cookie Policy, both available on the Data Protection Platform at [website address]. eduqa.protecaodedados.pt.

1. Commitment to Data Protection and Privacy

EduQA is fully committed to compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, hereinafter GDPR), with Law No. 58/2019 of 8 August, which implements the GDPR in the national legal order, and with other applicable legislation on the protection of personal data, in particular Law No. 41/2004 of 18 August, with regard to data processing in the electronic communications sector.

Respect for privacy and the protection of personal data is a fundamental principle that guides all activities carried out by EduQA, including data processing operations performed through the institutional website.

2. Identification of the Data Controller

The entity identified below is responsible for processing the personal data collected through the institutional website:

Name: EduQA – Institute of Education, Quality and Evaluation, IP.
Nature: Public institute with a special regime, integrated into the indirect administration of the State.
Constitutive Decree: Decree-Law No. 105/2025, of September 12
NIPC: 519 102 622
Headquarters: Rio Building, Av. 24 de Julho, 140, 1399-025 Lisbon
General Telephone: (+351) 213 934 500
Institutional Website: https://www.eduqa.pt
Data Protection Platform: https://eduqa.protecaodedados.pt

3. Data Protection Officer

Name: Manuel Melo
Role: Data Protection Officer (DPO) at EduQA
Correio Eletrónico (EPD): manuel.melo@dataprotectionofficer.pt
Direct Line: (+351) 911 879 229
Full Data Protection Officer (DPO) profile: https://eduqa.protecaodedados.pt/p/encarregado/

4. Scope and Application

This Policy applies to the processing of personal data carried out in the context of the use of the EduQA institutional website, accessible at [website address]. www.eduqa.pt, including, in particular:

  • Anonymous visitor browsing;
  • Completing and submitting electronic contact forms available on the website;
  • Subscribing to the institutional newsletter or other mailing lists;
  • Access to authenticated restricted areas, whenever they exist;
  • Interaction with multimedia content, useful links and other features, including the Digital Helpdesk.

5. Collection and Processing of Personal Data

The collection of personal data through the institutional website occurs primarily when the data subject fills out the electronic contact forms provided, subscribes to the institutional newsletter, or uses other interactive functionalities. The personal data collected is processed in strict compliance with the principles enshrined in Article 5 of the GDPR, namely the principles of lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability.

Additionally, during browsing, technical and usage data is automatically collected for legitimate purposes, including IP address, security logs and cookies, in accordance with EduQA's Cookie Policy, accessible on the Data Protection Platform.

6. Treatment Activities – Summary Table

Treatment ActivityData CategoriesLegal Basis (Article 6 of the GDPR)Storage Period
Filling out electronic contact formsName and surname, organization, email address or telephone number, content of the communication.Exercise of functions of public interest (paragraph e)) and, where applicable, consent (paragraph a))The time required to process the request, plus two years for filing, unless a different legal deadline applies.
Subscribe to the institutional newsletter.First and last name, email addressFree, specific, informed and express consent (paragraph a))As long as consent is maintained; cancellation is possible at any time.
Site navigation and securityIP address, security logs, technical identifiers, session cookiesLegitimate interest of the Controller (paragraph f)) and, for cookies that are not strictly necessary, consent (paragraph a))Between six months and one year, as a rule, without prejudice to different legal deadlines.
Production of institutional statistical informationAggregated data, generally anonymized.Performance of duties in the public interest (paragraph e)), in accordance with Article 89 of the GDPR.Period consistent with statistical relevance and institutional historical record.

7. Categories of Data Subjects and Categories of Personal Data

The holders of personal data processed through the institutional website generally fall under the general category of website users, and are covered by the respective Data Processing Information Sheet – Website Users (Ref. #PEPD-0738), accessible on the Data Protection Platform.

The categories of personal data processed are, as a rule, the following:

  • Identification details – first and last name;
  • Contact details – email address, phone numbers;
  • Professional or institutional data – the educational organization or entity where the data subject works, and the capacity in which they provide this contact information;
  • Content of communications – text of messages, requests or suggestions submitted;
  • Navigation and tracking data – IP address, security logs, session and persistent cookies (as detailed in the Cookie Policy).

8. Purposes of Treatment

The personal data collected through the institutional website is intended for specific, legitimate and clearly defined purposes, in accordance with the principles of lawfulness, fairness and transparency established in the GDPR, namely:

  • Responding to requests for information, suggestions, complaints, or institutional contacts submitted through electronic forms;
  • Sending institutional informational communications subscribed to by the data subject (newsletters);
  • Ensuring the technical security of the site, preventing and detecting illegitimate uses;
  • Production of aggregated and, as a rule, anonymized statistical information, in accordance with Article 89(1) of the GDPR, to support institutional decision-making and continuous improvement of digital services.

9. Foundations of Lawfulness

The data processing operations carried out through the institutional website are based, depending on the specific purpose, on the legal bases provided for in Article 6(1) of the GDPR, namely:

  • Paragraph a) – The processing is based on the express, free, specific and informed consent of the data subject, particularly regarding subscription to the institutional newsletter and the placement of cookies that are not strictly necessary;
  • Paragraph c) – The processing is necessary to comply with legal obligations to which EduQA is subject, particularly regarding the transparency and accessibility of digital public services;
  • Paragraph e) – The treatment is necessary for the performance of duties of public interest or for the exercise of the public authority vested in EduQA, in the execution of the legal powers conferred by Decree-Law No. 105/2025, of September 12;
  • Paragraph f) The processing is necessary for the legitimate interests pursued by the Data Controller, in particular regarding site security and preventing unlawful use.

10. Data Recipients

The personal data collected through the website may be communicated to the following categories of recipients:

  • Internal EduQA services with functional competence for processing, specifically communication, information systems and customer service;
  • Subcontractors within the meaning of Article 28 of the GDPR, with a written contract concluded for this purpose, namely providers of hosting, application maintenance, electronic communications, security and analytics services;
  • Entities that are legally required to communicate this information.

As a rule, transfers of personal data to third countries or international organizations are not foreseen. Any transfers resulting from the use of services from subcontractors located outside the European Economic Area are carried out in full compliance with Chapter V of the GDPR, in particular by means of an adequacy decision, standard contractual clauses approved by the European Commission or other legally admissible appropriate safeguards.

11. Storage Periods

Personal data is kept for the period strictly necessary to fulfill the purposes that motivated its collection, in accordance with the summary table in section 6 of this Policy and with the applicable legal deadlines, in particular those arising from the archiving legislation applicable to the bodies of the Ministry of Education, Science and Innovation. Once the deadlines have expired, the data is securely deleted or subject to irreversible anonymization measures.

12. Rights of Data Subjects

Data subjects have the following rights, exercisable at any time, in accordance with Articles 15 to 22 of the GDPR:

Right of access to your personal data (article 15);
Right of rectification of inaccurate or incomplete data (Article 16);
Right to erasure (commonly known as the "right to be forgotten"), within legally permissible limits (Article 17).;
Right to limitation of the treatment (article 18);
Right to portability of the data (article 20);
Right to object to treatment (article 21);
Right not to be subject to exclusively automated individual decisions (Article 22);
Right to withdraw consent whenever the treatment is based on this basis, without retroactive effects (Article 7, paragraph 3).

O exercício destes direitos é facilitado através do Formulário próprio disponibilizado na Plataforma de Proteção de Dados em https://eduqa.protecaodedados.pt/p/formularios/ ou através do contacto direto com o Encarregado da Proteção de Dados (manuel.melo@dataprotectionofficer.pt). O pedido será objeto de resposta no prazo geral de um mês, prorrogável por mais dois meses em casos de especial complexidade, nos termos do artigo 12.º, n.º 3, do RGPD.

Data subjects retain the right, at any time, to lodge a complaint with the National Data Protection Commission, pursuant to Article 77 of the GDPR, whose contact details are available at [website address]. www.cnpd.pt.

13. Automated Decisions and Profiling

EduQA does not make exclusively automated individual decisions, nor does it carry out profiling with legal effects or significantly affecting the data subject, within the meaning of Article 22 of the GDPR, in the context of the use of the institutional website.

14. Personal Data Security Measures

The institutional website is operated with the adoption of technical and organizational measures appropriate to the risk, in accordance with Article 32 of the GDPR, namely: use of HTTPS protocol with a valid certificate; control of administrative access; encryption of data in transit; regular backups; vulnerability management; continuous monitoring of security events; and adoption of privacy measures by design and by default (Article 25 of the GDPR).

15. Use of Cookies

The use of cookies and equivalent technologies by the institutional website is governed by the current Cookie Policy, accessible on the Data Protection Platform at [website address]. https://eduqa.protecaodedados.pt/p/politicas/.

16. Systemic Articulation

This Privacy Policy is part of EduQA's documentation system regarding the protection of personal data and should be read in conjunction with the following instruments:

  • General Policy on the Protection of Personal Data (Ref. #PEPD-0728);
  • Cookie Policy (Ref. #PEPD-0732);
  • General Data Processing Information Sheet – Users, Customers and Recipients of Services (Ref. #PEPD-0733);
  • Special Data Processing Information Sheet – Website Users www.eduqa.pt (Ref.ª #PEPD-0738);
  • Other Policies and Information Sheets published on the Data Protection Platform.

17. Changes to the Privacy Policy

In order to guarantee continuous updating, development and improvement, EduQA may, at any time, make changes to this Policy that are deemed appropriate or necessary, in accordance with the evolution of the applicable regulatory framework, the processing operations carried out or the guidelines issued by the National Data Protection Commission and the European Data Protection Board. The version in force at any given time is the one published on the institutional website and referenced on the Data Protection Platform.

18. Version and Date

Version: 202605. Publication date: May 12, 2026. Next review: May 2027 or whenever a relevant change occurs. To consult previous versions, please send a request by email to [email address]. manuel.melo@dataprotectionofficer.pt.

Atualizado em May 21, 2026