The collection and processing of personal data are necessary for the exercise of the public-interest functions entrusted to Caixa Geral de Aposentações, I.P. (CGA, I.P.), and are indispensable to the administrative procedures related to the granting, maintenance, and control of the benefits it provides (Decree-Law No. 131/2012, of 25 June).
The privacy and security policy regarding personal data processed by CGA, I.P. complies with Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016 (GDPR), Article 35 of the Constitution of the Portuguese Republic, the Personal Data Protection Act (Law No. 58/2019, of 8 August), the Electronic Communications Privacy Act (Law No. 41/2004, of 18 August), the Data Retention Act (Law No. 32/2008, of 17 July), and the Electronic Communications Act (Law No. 16/2022, of 16 August).
The data collected shall only be made available to:
- Employers or entities responsible, fully or partially, for the financial burden of the benefits granted by CGA, I.P., either within the management of the contributory relationship or within administrative procedures for the granting, maintenance, and control of such benefits (Decree-Law No. 498/72, of 9 December, and supplementary legislation; Decree-Law No. 142/73, of 31 March, and supplementary legislation).
- Mandatory or voluntary social protection schemes, national or foreign, to which the data subject has been or is affiliated, for purposes of coordination with the CGA, I.P. scheme, including for granting, maintaining, and controlling benefits (Decree-Law No. 361/98, of 18 November; Regulation (EC) No. 883/2004, of 29 April 2004; Regulation (EC) No. 987/2009, of 16 September; and bilateral social security agreements).
- The Government, for legislative planning and statistical purposes.
- Courts, the Public Prosecutor’s Office, and the Judicial Police, within the scope of judicial proceedings.
- The Ombudsman, within the scope of its legally assigned duties (Law No. 9/91, of 9 April, as amended by Law No. 30/96, of 14 August; Law No. 52-A/2005, of 10 October; and Law No. 17/2013, of 18 February).
- The Tax Authority, particularly for fulfilling the tax obligations of the data subject and for the supervision, maintenance, or suspension of benefits dependent on income verification (Law No. 26/84, of 3 July; Decree-Law No. 316/2002, of 27 December; Decree-Law No. 414-A/86, of 15 December, among others).
- The Portuguese Data Protection Authority (CNPD), in the context of its supervisory duties and audits.
- Other entities, where required for compliance with legal obligations, lawful orders from administrative or judicial authorities, or within the scope of legal representation.
The data subject has the right to access, consult, rectify, restrict processing, and update their personal data, without any charges. These rights may be exercised in writing to the address of CGA, I.P., or in person at the CGA public service offices.
The data provided will not be deleted, as their retention is necessary for maintaining the benefits granted or to be granted, as well as for recording and justifying operations carried out.
The rights to erasure, portability, and objection to processing do not apply to CGA, I.P. users, as their data are necessary for compliance with a legal obligation and for the exercise of public-interest functions in the field of social security.
CGA, I.P. does not perform automated processing of personal data based on profiling intended to evaluate personal aspects of an individual, including analysis or prediction of professional performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
CGA, I.P. promotes the implementation of advanced techniques in data processing to effectively apply data protection principles and ensure appropriate safeguards, protecting the rights of data subjects.
In the course of its activities, CGA, I.P. may engage third parties – subcontractors - to provide certain services, which may involve access to personal data. CGA ensures that, in these situations, appropriate technical and organizational measures are adopted, guaranteeing that processors comply with applicable legal requirements and provide adequate data-protection safeguards.
The data subject has the right to lodge a complaint with the Portuguese Data Protection Authority (CNPD) regarding any processing that violates the GDPR.
CGA, I.P. has appointed a Data Protection Officer (DPO), who may be contacted concerning personal data protection matters through the following means:
- By email: epd@cga.pt
- By postal mail: addressed to the headquarters of CGA, I.P.
CGA, I.P. may update or adjust this Privacy Policy, and any amendments will be duly publicized.