
Data Protection and Privacy Policy



1. Legal Framework

The Portuguese Health Regulatory Authority (ERS) Data Protection and Privacy Policy is fully aligned with the provisions set forth in the Constitution of the Portuguese Republic (CRP), the General Data Protection Regulation (GDPR)[1], the Data Protection Law (LPD), and other applicable legislation concerning the protection of personal data.

The protection of privacy and personal data constitutes a fundamental commitment of ERS towards all individuals with whom it interacts, including service users, healthcare providers and establishments, as well as its own staff members.

Recognising privacy as a fundamental value of natural persons, ERS bears responsibility for ensuring its protection, within the scope of its activities and in the pursuit of its mission, the fulfilment of its tasks and the exercise of its competences.

To this end, ERS has adopted this Privacy Policy, which sets out the personal data it processes, the purposes of such processing, and any possible transfers thereof.

ERS is an independent regulatory authority of a public nature. Accordingly, the processing of personal data in general, and of special categories of personal data—such as health data—carried out by ERS is based, respectively, on the necessity for the performance of a task carried out in the public interest (Article 6(1)(e), first subparagraph, of the GDPR), and on grounds of substantial public interest (Article 9(2)(g) of the GDPR).

Additional legal bases for the processing of personal data may also apply, including the data subject’s consent, given in accordance with the GDPR, in respect of personal data or special categories of personal data.

 

2. Purposes

The processing of personal data by ERS takes place for the overarching purpose of fulfilling the tasks and functions assigned to it under its statutory mandate.

The purposes of the processing operations carried out by ERS, which must be specific, explicit and legitimate, are as follows:

  • Handling of administrative, sanctioning and dispute resolution proceedings;
  • Reorganisation of the ERS Archive and design of a new Document Management System;
  • Responding to requests for information;
  • Identification of the parties to proceedings;
  • Communication with the participants involved in proceedings;
  • Identification of contact persons within the scope of regulatory interventions in healthcare providers;
  • Verification of compliance with operational requirements by healthcare providers;
  • Mandatory communications and reporting;
  • Preparation of studies and opinions;
  • Assessment of healthcare providers within the framework of the National Health Assessment System (SINAS);
  • Monitoring of quality processes and procedures;
  • Conducting satisfaction surveys;
  • Distribution of newsletters;
  • Organisation and management of events within ERS's remit;
  • Issuance of certificates of participation;
  • Protection of persons and property;
  • Preparation, follow-up and management of contracts;
  • Accounting management;
  • Attendance and punctuality control;
  • Organisation and management of individual staff files;
  • Recruitment and selection.

 

3. Data sharing

In accordance with the provisions of the GDPR and the LPD, ERS may transmit personal data to external entities, generally of a public nature, including sovereign bodies, central and local government authorities and services, independent administrative entities, regional and municipal administrations, professional public associations, and other organisational structures of various natures and scope.

 

4. Subcontractors

Personal data may be processed by ERS subcontractors, who are likewise subject to the rules established under the GDPR and the LPD.

 

5. Data subject rights

5.1. Enumeration and Description of Rights

Data subjects are granted a set of rights, enshrined in the GDPR, among which the following are particularly noteworthy:

 

Rights

Right to Transparency (Article 12)

The controller shall take appropriate measures to provide the data subject with the information referred to in Articles 13 and 14, and any communication envisaged in Articles 15 to 22 and 34 concerning the processing, in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, particularly when the information is addressed specifically to children.

Right to Information (Articles 13 and 14)

Regardless of whether personal data have been obtained directly from the data subject or not, the controller shall provide the data subject with the required information.

Right of Access (Article 15)

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed; to access their personal data and certain information; and to request a copy of the personal data undergoing processing.

Right to Rectification (Article 16)

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning them.

Right to Erasure (“Right to be Forgotten”) (Article 17)

The data subject shall have the right to obtain from the controller the erasure of their personal data.

Right to Restriction of Processing (Article 18)

The data subject shall have the right to obtain restriction of the processing of their personal data.

Right to Notification (Article 19)

The controller shall communicate any rectification, erasure, or restriction of processing to each recipient to whom the personal data have been disclosed, unless such communication proves impossible or involves disproportionate effort.

Right to Data Portability (Article 20)

The data subject shall have the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used, and machine-readable format, and to transmit those data to another controller without hindrance from the first controller.

Right to Object (Article 21)

The data subject shall have the right to object at any time, on grounds relating to their situation, to the processing of their personal data.

Right Not to Be Subject to Automated Decision-Making (Article 22)

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

Right to Lodge a Complaint with the National Data Protection Commission (Article 77)

The data subject shall have the right to lodge a complaint with a supervisory authority (in Portugal, the National Data Protection Commission (CNPD)), in the Member State of their habitual residence, place of work, or place where the alleged infringement occurred, if they consider that the processing of their personal data violates the provisions of the GDPR.

Notwithstanding the data subject’s entitlement to the rights set out above, such rights are not absolute and may be subject to limitations, as provided for in Article 23 of the GDPR.

 

5.2. Form for exercising certain data subject rights

To facilitate the exercise of certain rights afforded to the data subject, we provide a form to be submitted to ERS via one of the channels listed below, preferably by e-mail. ERS will process received requests with the highest level of security to ensure the fulfillment of the data subject’s rights.

Submission of a request requires verification of the requester’s identity. ERS is responsible for the protection of personal data under its processing activities. The exercise of the aforementioned rights may not be immediate, but will be carried out within the time limits established by the GDPR (one month, which may be extended in cases where the processing of the request entails significant complexity for ERS).


6. Data retention periods

ERS complies with the legally imposed data retention periods, which vary according to the category of the data.


7. Security

ERS has designed and maintains a rigorous information security policy, both organizationally and technically.

This is intended to ensure, among other objectives, the strict security of personal data for which ERS is responsible, preventing any form of unlawful or abusive processing. This requirement also applies to subcontractors who may process personal data on ERS’s behalf.


8. Updates

This Privacy Policy may be subject to updates. It is recommended that it be consulted regularly.

Personal data of data subjects are processed under the responsibility of the Board of Directors of ERS, in accordance with the GDPR. A Data Protection Officer (EPD) has also been appointed.

 

For any questions regarding personal data at ERS, please contact us through any of the following channels, preferably by email:

Email: protecaodedados@ers.pt

Phone: +351 222 092 350

Postal Address: Rua S. João de Brito, 621 L 32, 4100-455 Porto

_____________________________________________________________________________________
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. Law No. 58/2019 of 8 August 2019, which ensures the implementation, within the national legal system, of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

2025 © Health Regulatory Authority (ERS). All rights reserved.