Privacy Policy Agência de Gestão da Tesouraria e da Dívida Pública, IGCP, E.P.E. 1. Background of IGCP, E.P.E. Agência de Gestão da Tesouraria e da Dívida Pública – IGCP, E.P.E. (hereinafter, "Agency” or "IGCP, E.P.E.”), is a legal person under public law with a business nature whose purpose is the integrated management of the State’s cash balances, financing and direct public debt, integrating in it the debt of the public sector entities whose financing is guaranteed through the State Budget. It also coordinates the financing of funds and services with administrative and financial autonomy. In addition to its main purpose, IGCP, E.P.E. can also carry out:
IGCP, E.P.E. pursues its mission in compliance with the General Scheme for the Issuance and Management of Direct Government Debt (Law No. 7/98, of 3 February), ensuring, in each year, the satisfaction of the government’s financing needs according to five structuring principles of its action, namely:
According to the respective by-laws, IGCP, E.P.E . is essentially responsible for:
In the exercise of its powers, IGCP, E.P.E., namely:
With the entry into force of the new corporate public sector regime (approved by Decree-Law 133/2013, of 3 October), the Agency began to intervene in the process of controlling the indebtedness of its member entities and assumed the competence to manage the financial derivative portfolios of EPR (State-owned companies within General Government). 2. Purpose of the Privacy Policy of IGCP, E.P.E. Personal data means information relating to an identified or identifiable natural person – "data subject” – where a person is considered identifiable, directly or indirectly, by reference to an identifier, namely a name, civil or fiscal identification number, location data, identifiers by electronic means, or other specific elements of physical, physiological, genetic, mental, economic, cultural or social identity of the natural person. This Privacy Policy describes the purposes for which personal data are collected by IGCP, E.P.E., how they are processed and stored, with whom they are shared, for how long they are kept and what the rights of the data owners are. Data relating to legal persons are excluded from this Privacy Policy. This Privacy Policy is not an exhaustive description of all data processing operations performed by IGCP, E.P.E. and will be updated whenever significant changes are made to processing operations. This document is further complemented by specific policies aimed at certain operations and procedures that are interrelated with the data processing operations described herein. In order to comply with the duty of transparency imposed by the General Data Protection Regulation(GDPR)[1] , this Privacy Policy will be incorporated by reference in various forms used by the Agency in the collection of personal data. 3. IGCP, E.P.E. as the controller IGCP, E.P.E. processes personal data in three types of circumstances:
IGCP, E.P.E. may also process personal data if it has a legitimate interest to do so, provided that in such cases that interest is not exceeded by the interests or fundamental rights and freedoms of the data subject that require the protection of such data. Outside the circumstances described above, IGCP, E.P.E. only treats personal data if it has obtained the consent of the owner of said data to do so for specific, explicit and legitimate purposes. IGCP, E.P.E. is responsible for the processing of personal data which it collects, processes and stores, in the sense in which such expressions are defined by the GDPR. 4. Grounds for lawfulness As the controller, IGCP, E.P.E. bases the lawfulness of the processing of personal data on Article 6 (1) (b), (c) and (e) of the GDPR, and may also act under subparagraph (f) of the same provision of the GDPR which legitimises the processing necessary for the exercise of tasks of public interest or the exercise of public authority. The data processing operations carried out by IGCP, E.P.E. have as a primary basis of lawfulness the fulfilment of their duties and competences as provided in the respective by-laws and other applicable legislation and only residually the consent of data owners. 5. Rights of Data Subjects Through the means of contact indicated below in number 10, data subjects may:
Restriction of the processing of personal data means that they can only be processed, stored or used:
In this situation, IGCP, E.P.E. will cease to process the personal data concerned unless it establishes the existence of legitimate grounds which prevail over the legitimate interests, rights and freedoms of the data subject. 6. Information security IGCP, E.P.E. implements and ensures the maintenance of adequate means of protection, so that its internal procedures for the security of personal data are in conformity with the regulations in force. IGCP, E.P.E. also undertakes all necessary efforts to ensure contractually that third parties with whom it collaborates, as partners or service providers, guarantee adequate protection of the personal data to which they have access. IGCP, E.P.E. limits the access to personal data to specific employees, always within the scope of their functions and only when the contact with such personal data is justified. IGCP, E.P.E. takes the necessary measures to ensure the safe handling of personal data, seeking to protect them against loss or abuse and implementing security procedures to prevent unauthorised access to such personal data. 7. Sharing and Transferring Personal Data IGCP, E.P.E. shares data with third parties when this is due to legal determination and/or in the context of the activity that is pursued similar to that of credit institutions, namely, in the context of the management of the State’s cash balances and the issuance of retail public debt instruments. IGCP, E.P.E. may also transfer data to service providers or other public entities in cases where such entities act exclusively under their guidance or support and where technical and organisational measures equivalent to those required by the Agency are required. 8. Retention of Personal Data IGCP, E.P.E. only stores the personal data for the period necessary to fulfill the purposes for which it was collected. The deadlines for the retention of the generality of the personal data processed by IGCP, E.P.E. derive from the law, the regulations governing the activities of IGCP, E.P.E., or the agreements it enters into with customers, suppliers and partners. Only exceptionally does IGCP, E.P.E. collect and process data on the basis of its legitimate interest or of the consent of the data subject. 9. Cookies IGCP, E.P.E. uses session cookies and log browsing data, namely the IP address, the item accessed and the user’s user agent. This data can be used for anonymous statistical purposes. Cookies are deleted when the user leaves the site. Users have the option to prevent cookies from being generated by selecting the corresponding option in their web browser 10. Information and Complaints For questions related to their personal data, data subjects may contact IGCP, E.P.E. via the e-mail address info@igcp.pt or via a letter addressed to the Data Protection Officer to the address:
The Data Protection Officer can also be contacted through the following e-mail address: Data subjects may also choose to contact the Control Authority which, in Portugal, is exercised by the Portuguese Data Protection Authority, sending their message to: geral@cnpd.pt------- [1] Regulation (EU) 2016/679, of the European Parliament and of the Council, of 27 April 2016
|