Data Protection and Privacy Policy

1. Introduction


The services offered through the website of D. Anna de Sommer Champalimaud e Dr. Carlos Montez Champalimaud (“Champalimaud Foundation”) are guided by the highest quality standards. We apply the same standards to the processing of personal data. This Data Protection and Privacy Policy applies to Champalimaud Foundation website (hereinafter "Privacy Policy") and has been prepared in accordance with current national and European legislation on the protection of individuals, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 ("GDPR"), as well as other legal provisions, regulatory and good practices. This Privacy Policy describes our privacy practices with respect to the information collected, processed and used, as well as the rights of the website users and how to exercise them.

This Privacy Policy aims to help users understand what personal information we collect, how and why we use it, to whom we disclose it, and how we protect users' privacy when using the services or visiting the Champalimaud Foundation website.

2. Definitions


Consent of the data subject – means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

Special Categories of Personal Data – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited;

Personal Data – means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Profiling – means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

Data Protection Officer (“DPO”) – any person or entity in charge of the monitoring compliance with the binding corporate rules within the group of undertakings, or group of enterprises engaged in a joint economic activity, as well as monitoring training and complaint-handling. The DPO does not receive any instructions regarding the exercise of its tasks and shall directly report to the highest management level of the controller or the processor;

Processing – means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Controller – means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Personal Data Breach – means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;

Processor – means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Third Party – means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;

Supervisory Authority – means an independent public authority, which is established by a Member State, concerned with the application of the Regulation, to defend the fundamental rights and freedoms of data subjects, and, where applicable, the free flow of personal data within the Union. In Portugal, the supervisory authority will be the National Data Protection Commission ("CNPD");

Data Subject – an identified or identifiable natural person to whom the data relates;

Pseudonymisation – means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

International data transfers – transfers of personal data that are or will be processed after a transfer to a third country (not located in the European Union) or to an international organization, where transfer may occur between two or more controllers or between and subcontractors.

3. Principles relating to processing of personal data


In terms of principles regarding the Processing of Personal Data, Champalimaud Foundation undertakes to ensure personal data shall be:

  • Processed lawfully, fairly and in a transparent manner in relation to the data subject;

  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;

  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

  • Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;

  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.


4. Controller


The Controller for the Processing of Personal Data collected through the website is Champalimaud Foundation, headquartered at Avenida Brasília 1400-038. For privacy issues, you may contact Champalimaud Foundation through its data protection officer at the following email address dpo@fundacaochampalimaud.pt

5. Data Protection Officer


Champalimaud Foundation has appointed a Data Protection Officer, responsible for data protection matters, which can be contacted via email dpo@fundacaochampalimaud.pt

6. Purposes and lawfulness of processing collected personal data


Champalimaud Foundation only treats the users' personal data when it is duly authorized to do so. The GDPR requires, for the processing of personal data to be lawful, that there should be an adequate legal basis for each specific treatment.

Processing shall be lawful only if and to the extent that at least one of the following applies:

  1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

  2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

  3. processing is necessary for compliance with a legal obligation to which the controller is subject;

  4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;

  5. processing is necessary for the purposes of the legitimate interests pursued by the Champalimaud Foundation or by a third party (except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject). The data collected through the website refer to the following categories of personal data subjects: candidates for prizes, professional candidates, patients and users in general, who wish to communicate with Champalimaud Foundation through the contacts made available.

Champalimaud Foundation collects and processes personal data of its users through its website for the following purposes:

  1. Contact management with Champalimaud Foundation;

  2. Event registration;

  3. Applications for prizes;

  4. Schedule of medical consultations / examinations through fhe Champalimaud Clinical Centre;

  5. Recruitment.

  1. Contact management – To contact the user, for administrative or operational reasons, for example, in order to confirm appointments or payments or in response to any questions, applications, suggestions or requests for information. To this end, Personal Data related to the contact / given information is processed. This Processing is lawful to the extent that it is necessary for the purposes of legitimate interests.

  2. Event registration – For registration at events held by / or in partnership with Champalimaud Foundation, data are collected from the users that register, namely contact data and identification data. This Processing is lawful to the extent that it is necessary for the purposes of legitimate interests.

  3. Applications for prizes – In the context of prizes awarded by Champalimaud Foundation, data are collected from the candidates to the respective prizes. This Processing is lawful to the extent that it is necessary for the purposes of legitimate interests.

  4. Schedule of medical consultations / examinations through the Champalimaud Clinical Centre – The personal data collected on the website through the Champalimaud Clinical Centre is for the purpose of scheduling medical consultations, medical examinations, medical diagnosis, in order to provide health care, for the management of the systems and services of Champalimaud Foundation. Such personal data may be collected directly, in particular, when the patient registers an appointment / examination, or indirectly through the doctors who provide services on behalf of Champalimaud Foundation or its partners. When an appointment is scheduled through the website of the Champalimaud Clinical Centre, contact details and identification data are collected: Name, date of birth, telephone / mobile phone number, address and taxpayer number, time of appointment and contact of the patient and any optional comments that the patient wishes to make. This Processing is lawful to the extent that it is necessary to enter into a contract and for the purposes of legitimate interests. The Champalimaud Clinical Centre may also use your personal data to respond to the patient's comments in the request for schedule consultation / examination.

  5. For purposes of recruitment – Through the Champalimaud Foundation website the user can apply for a professional position at Champalimaud Foundation by sending his/her contact, identification details and relevant information regarding professional qualifications, habits or personal characteristics. In this case, this Processing is lawful to the extent that it is necessary to enter into a contract and for the purposes of legitimate interest of Champalimaud Foundation.

The fact that the Data Subject withdraws his consent for a Processing does not compromise the lawfulness of the Processing effected based on the prior consent given.

7. Special Categories of Personal Data


Under the regulation, data concerning health are considered Special Category of Personal Data. To this extent, there are increased requirements for the Processing of such Personal Data. This Processing can only take place when determined by law.

Champalimaud Foundation only treats health data under the responsibility of professionals subject to the obligation of professional secrecy, to the necessary extent of the provision of health care. Thus, the processing of health data carried out by Champalimaud Foundation employees who have access to the website users' communication with Champalimaud Foundation or by the schedule of consultations / examinations is lawful to the extent that it is necessary for the management of the systems and services of the Champalimaud Foundation and the Champalimaud Clinical Centre, for the activities of Champalimaud Foundation and due to the fact that the processing is necessary for the purposes of preventive medicine, medical diagnosis and the provision of health care.

8. Personal Data Storage Period


The personal data collected from users through Champalimaud Foundation website are processed in strict compliance with the applicable legislation and are stored in specific databases created for this purpose. Such data shall be kept in a format which enables the Data Subject to be identified only for the period necessary for the purposes for which they are processed.

The time for which data is stored varies according to the purpose for which the information is used. However, there are legal requirements that require keeping data for a certain period. Thus, and where there is no specific legal requirement, data will be stored and kept only for the minimum period necessary for the purposes that led to their collection or subsequent processing, after which they will be eliminated.

9. Data Sharing with third parties


The Personal Data of the Data Subject collected through Champalimaud Foundation website shall not shared with third parties without prior consent of the Data Subject, except in cases where such transmission or communication is necessary for the performance of the contract between the Data Subject and Champalimaud Foundation, for pre-contractual procedures at the request of the Data Subject and in case it is necessary for the fulfillment of a legal obligation to which Champalimaud Foundation is subject.

Champalimaud Foundation may also communicate or allow access to user data to third parties, such as external consultants, cooperation partners or service providers in support of medical diagnosis, clinical analysis and / or information technology. The Champalimaud Foundation guarantees that each of these third parties ensures the confidentiality of Personal Data, entering into data processing agreements with those entities.

10. Transfer of Data outside de European Union


Personal Data collected through the website and used by Champalimaud Foundation is not available to third parties established outside the European Union. If, in the future, this transfer occurs, the Champalimaud Foundation undertakes to ensure that the transfer complies with the applicable legal provisions, in particular as regards the determination of the suitability of the country of final destination, as regards data protection and the requirements applicable to such transfers.

11. Technical and Organizational Security measures


In order to ensure the security of personal data of the Data Subject and the maximum confidentiality, Champalimaud Foundation treats the information that the user has provided in an absolutely confidential way, in accordance with its internal policies and procedures of security and confidentiality, which are updated periodically according to the needs , as well as in accordance with the terms and conditions legally established.

Depending on the nature, scope, context and purpose of data processing and the risks arising from the processing for the rights and freedoms of the Data Subject, Champalimaud Foundation undertakes to apply, at the time of defining and applying the processing, the technical and organizational measures necessary and adequate for data protection and compliance with legal requirements.

In general terms, Champalimaud Foundation adopts the following security measures:

  • Investigations in the form of data protection audits to evaluate the efficiency of the technical and organizational security measures;

  • Assignment of responsibilities, awareness-raising and training of staff involved in processing operations;

  • The pseudonymisation and encryption of personal data;

  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.


12. Rights of the Data Subject


  1. Access to Personal Data

  2. Champalimaud Foundation guarantees the access, by the Data Subject, to his Personal Data.

    Where personal data relating to a data subject are collected from the data subject, Champalimaud Foundation shall, at the time when personal data are obtained, provide the data subject with all of the following information:

    • the purposes of the processing for which the personal data are intended;

    • the categories of personal data concerned;

    • the recipients or categories of recipients of the personal data, if any;

    • the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

    • the existence of the right to request from Champalimaud Foundation access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;

    • the right to lodge a complaint with a supervisory authority, namely, CNPD;

    • the existence of automated decision-making, including profiling, as well as the significance and the envisaged consequences of such processing for the data subject;

    • where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.


  3. Right to rectification

  4. The data subject shall have the right to obtain, without undue delay the rectification of inaccurate personal data concerning him or her. The data subject shall also have the right to have incomplete personal data completed.

    In case of rectification of data, Champalimaud Foundation shall notify each addressee to whom the data have been forwarded for rectification, unless such communication proves impossible or involves a disproportionate effort for Champalimaud Foundation.

  5. Right to erasure (‘right to be forgotten’)

  6. The data subject shall have the right to obtain from Champalimaud Foundation the erasure of personal data concerning him or her where one of the following grounds applies:

    • Othe personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

    • the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;

    • the data subject objects to the processing and there are no overriding legitimate grounds for the processing;

    • the personal data have been unlawfully processed;

    • the personal data have to be erased for compliance with a legal obligation to which Champalimaud Foundation is subject.


    In case of erasure of data, Champalimaud Foundation shall notify each addressee/entity to whom the data have been disclosed, unless this proves impossible or involves disproportionate effort for Champalimaud Foundation.

  7. Right to restriction of processing

  8. The data subject shall have the right to obtain from Champalimaud Foundation restriction of processing where one of the following applies:

    • the accuracy of the personal data is contested by the data subject, for a period enabling Champalimaud Foundation to verify the accuracy of the personal data;

    • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

    • Champalimaud Foundation no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defensef of legal claims;

    • The data subject has objected to processing pending the verification whether the legitimate grounds of Champalimaud Foundation override those of the data subject.


    A data subject who has obtained restriction of processing shall be informed by Champalimaud Foundation before the restriction of processing is lifted.

  9. Right to data portability

  10. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to Champalimaud Foundation, in a structured, commonly used and machine-readable format. The right to portability does not include inferred data or derived data, i.e. personal data that are generated by Champalimaud Foundation, as a consequence or result of the analysis of the data being processed.

    The data subject shall have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.

    The communication of the Personal Data constitutes a contractual obligation and a necessary requirement for Champalimaud Foundation to pursue the purposes referred to in this Privacy Policy. To this extent, the Personal Data Holder is obliged to provide the Personal Data requested, otherwise Champalimaud Foundation will not be able to follow up on its requests made through the website.

  11. Right to object

  12. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, which is based on the legitimate interests pursued by Champalimaud Foundation where the processing is carried out for purposes not related with those for which personal data has been collected, including profiling or personal data processed for statistical purposes.

    Champalimaud Foundation shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

  13. Modalities for the exercise of the rights of the data subject

  14. The right of access, the right of rectification, the right of erasure, the right of restriction, the right of portability and the right to object may be exercised by the data subject by means of a written request addressed to the e-mail dpo@fundacaochampalimaud.pt

    Champalimaud Foundation shall respond in writing (including by electronic means) to the request of the Data Subject within a maximum of one month from the receipt of the request, except in cases of special complexity, where this period can be extended by up to two months.

    If the requests submitted by the Data Subject are manifestly unfounded or excessive, in particular because of their repetitive nature, Champalimaud Foundation reserves the right to charge administrative costs or refuse to comply with the request.

  15. Personal Data Breach

  16. In the case of a personal data breach likely to result in a risk to the rights and freedoms of data subjects, Champalimaud Foundation shall notify the data subject concerned without undue delay the personal data breach.

    The communication to the data subject shall not be required if any of the following conditions are met:

    • Champalimaud Foundation has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;

    • Champalimaud Foundation has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize;

    • it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.



13. Changes to Privacy Policy


Champalimaud Foundation reserves the right to change this Privacy Policy at any time. In case of modification of the Privacy Policy, the date of the last update, available at the top of this page, is also updated. If the change is substantial, a notice will be posted on the website.

14. Applicable Law and Jurisdiction


The Privacy Policy, as well as the collection, processing or transmission of data of Data Subject, are regulated by the Regulation (EU) 2016/679, of the European Parliament and of the Council, of 27 April 2016 and by the applicable legislation and regulations in Portugal.

Any disputes arising from the validity, interpretation or execution of the Privacy Policy, or that are related to the collection, processing or transmission of Personal Data of the Data Subject shall be settled exclusively by the Judicial courts of Lisbon, without prejudice to the mandatory laws, with express waiver of any other.



Last updated on: August 3rd 2018