Privacy policy

The personal data requested from you will be processed in accordance with the rules defined in this Privacy policy and personal data protection

Mision and commitment

This policy establishes general principles and rules to be applied by Lisbon City Council for all personal data collected by it, considering the applicable norms, standards and legal requirements in a specific, explicit and informed communication about data processing, allowing the implementation of the current legislation on personal data.

  • The Lisbon City Council guarantees an appropriate personal data management in accordance with the applicable rules and legislation.  Therefore, develops tools and implements actions to ensure and monitor the the effectiveness of the protection of personal data;
  • The Lisbon City Council develops actions and procedures focused on the awareness among its employees regarding the significance of the personal data protection, providing operational guidelines in order to comply with the data protection legislation and to promote compliance with the personal data protection;
  • The Lisbon City Council establishes in this document a privacy Information to the data subjects of personal data, by applying the current legislation, guaranteeing to data subjects a specific, explicit and informed communication, regarding his or her data processing. Herein are also established the responsibilities to report personal data breaches to the competent supervisory authorities;
  • The Lisbon City Council has a training and communication program that raises the awareness of its employees;
  • The Lisbon City Council has a Data Protection officer responsible for guaranteeing compliance with personal data protection regulations.

General principles

The Lisbon City Council collects and processes personal data according to the following principles:

  • Personal data are lawfully, fairly and transparently processed (lawfulness, fairness and transparency);
  • Personal data are collected and processed for specified, explicit and legitimate purposes resulting from the current legislation and cannot be further processed in an incompatible way with those purposes (purpose limitation);
  • Personal Data is kept adequate, relevant and limited to the strict necessary, according to intended processing purposes (data minimisation);
  • Personal Data are accurate, and where necessary, rectified and up to date (accuracy).

The Lisbon City Council establishes appropriate technical and organisational security measures to effectively implement personal data protection principles, complying with the applicable legislation, safeguarding the rights and freedoms of data subjects.

The Lisbon City Council enforces the same level of personal data protection to all its Processors (service providers, suppliers, partners, etc) through data processing contracts and agreements, where applicable, and suggests privacy terms and information available for each interaction between the Lisbon City Council and its residents, employees or suppliers. 

Personal data collection and processing

The Lisbon City Council main location is at Praça do Município, 1100-038 Lisboa, Portugal. Contacts: +351 213 236 200 or by email to Data Protection Officer: dpo@cm-lisboa.pt

The categories of collected personal data may differ according to the scope of the project and its purposes and may be classified in accordance with the purpose and the types of categories: Personal data, special categories of personal data and other sensitive personal data, where applicable.

Provided and collected data are exclusively processed internally for its intended purpose, always within lawfulness basis framework, previously identified and validated, not being foreseen any provision to other entities except the strictly necessary for its processing.

In this regard, it is suggested to consult the terms and privacy notices available in each interaction that we carry out with residents, employees or suppliers.

While processing activities, the Lisbon City Council may transfer personal data to previously identified third countries, based on processing lawfulness, for the subject’s knowledge, always guaranteeing adequate protection level, to ensure the rule of law, the human rights respect and fundamental freedoms and comply with applicable legislation.

Visiting our websites or entities websites that develop their activities in partnership with the Lisbon City Council, as well as during your interaction with us, you can provide us your personal data.

In this context, the Lisbon City Council collects your personal data through the following means:

  • While visiting our websites, through cookies or other similar technologies, like Google Analytics (such as technical information, with IP and MAC addresses, used browser, operating system and its versions, depending on the user's browser and source of navigation, may still be collected the “refereer”, as the immediately before visited page);
  • Where you subscribe newsletters supplied by the Lisbon City Council or other channels properly identified as a mean of communication and initiatives and services divulgation;
  • Where you apply or register for training actions, capacity building or skills management;
  • Where you submit a form or contact us for requests, explanations, intervention requests, complaints, suggestions or information, through multiple channels;
  • Where you post comments or images on our social media pages;
  • Where you subscribe or register in one of our portals in order to enjoy the information, services or activities.

Where, otherwise, you send us personal information, in particular, sending emails or services delivery contracts, among other forms, the collected information may be processed for connections between the Lisbon City Council and the data subject, complying with the regulatory and/or legal contractual obligations, in order to manage its suppliers or to protect and defend the rights, the interests, the property and the security of the Lisbon City Council, its employees or other people with who it collaborate.

In the scope of the services it provides, the Lisbon City Council only processes personal data that are necessary for the execution of the projects to be carried out, ensuring that any operation for processing personal data is lawful and complies with all the requirements imposed by applicable legislation on collection, processing and protection of personal data and ensuring that such activities, where applicable, will be duly regulated through the execution of data processing agreements.

Your personal data communication isn't a legal obligation, but it may be necessary for completing a service delivery contract, an internship contract, or any other matter in which data provision is mandatory. In these cases, non providing your personal data may result in the impossibility of entering the intended contract. 

Subjects personal data processing operations by the Lisbon City Council, are based on:

  • Legitimate interest pursuing services execution, its activities protection, preferences knowledge improvement and the needs of its activities recipients, such as its residents, to better suit its services in the pursuit of its Mission;
  • To accomplish contracts fulfilment with its residents, and/or its suppliers and/or its employees to the related provided services;
    and
  • Legal obligations required by applicable law.

The Lisbon City Council has also a legitimate interest carrying out recruitment operations in order to manage its activities in the best way possible. In that regard, the Lisbon City Council collects strictly necessary data about interested candidates.

The Lisbon City Council collects and processes personal data specially where:

  • Data subject has authorised personal data processing, for one or more specific purposes (where applicable);
    or
  • Processing is necessary for the execution of a contract in which is a party, or to take measures at his or her request prior to the concluded contract;
    or
  • Processing is necessary to ensure compliance with a legal obligation the Lisbon City Council is subjected to;
    or
  • Processing is necessary for the legitimate interests of the Lisbon City Council purposes, or third parties, unless those interests overlap data subject interest or rights and fundamental freedoms, which requires personal data protection, specially if data subject is a minor.

The Lisbon City Council keeps personal data according to the retention period imposed by applicable law, considering its activities, never kept longer than necessary in accordance with the purposes for which they were collected and are being processed, to: comply with legal obligations (such as: audit, accounting and fiscal obligations), legal disputes resolution and/or exercising its legal rights. The circumstances may differ according to the context, purpose and personal data category. As controller, the Lisbon City Council stores recording of any processing activity under its responsibility, proceeding to the description of the applicable storage and erasure periods.

The Lisbon City Council guarantees that:

  • Personal data are not provided to a third party without a valid previously identified legal reason, including prior consent collection of its subjects, where applicable;
  • Personal Data are neither sold, nor freely disclosed to companies for direct marketing purposes or to any other entities using mailing lists for advertising their products and/or services;
  • Transfers personal data to a third party without observing the need to explicit previous consent, where requested by a judicial authority or a public authority legally empowered to do so, according to the applicable law;
  • Ensures confidentiality and security during the transfer of personal data to the above-mentioned receivers. 

Security measures

The Lisbon City Council complies with data organisational and technological to confidentiality, integrity and availability protection, and trust provision in interorganisational exchanges, especially the international standard ISO/IEC 27001 and ISO/IEC 27701, European Community standards, legislation and specified national recommendations on data security matters.

The Lisbon City Council applies the appropriate technical and organizational measures to ensure a level of security of personal data that is adequate for the risk and, in particular, to protect personal data against destruction, loss, alteration, unauthorized disclosure or accidental or illegal access.

Processors are contractually obligated to the same level of protection by the Lisbon City Council.

Any employee of the Lisbon City Council, with access to personal data, during his or her work, must keep strict confidentiality. 

Rights of data subject

Personal data subjects have the following rights:

The data subject may request information about his or her own data held by the Lisbon City Council, how it was collected and for what purposes it will be processed. Him or her may also request a copy of the data, subject to the Lisbon City Council data protection policy and the rights of third parties. (Right of access);

If personal data are intended to be transmitted to a third party, it is the subject right to be informed about the identity of the recipients or the recipients’ categories. (Right to be informed);

If personal data are inaccurate or incomplete, the subject has the right to request its rectification. (Right to rectification);

The data subject may request the erasure of its personal data (where the Lisbon City Council doesn’t have legal basis for its processing or, where the legal basis is no longer applicable, such as the subject withdrawal of the consent). (Right to erasure, «right to be forgotten»);

The data subject has the right to object to his or her data processing, for related purposes to his or her particular situation, to the cases in which his or her interests, rights or freedoms must prevail over the legitimate interests of the Lisbon City Council, and no imperative and legitimate reasons are overridden by the Lisbon City Council justifying processing. This right to object is not applicable where processing results from a legal obligation compliance, consent or contract enforcement in which the subject is a party. (Right to object);

The data subject has the right to restriction processing his or her personal data by the Lisbon City Council. Where processing is restricted, the Lisbon City Council solely proceed to its storage. (Right to restriction of processing);

The data subject has the right to obtain his or her data in a structured format, commonly used and machine-readable. This right is applicable where data processing is carried out by computerised means and where processing was based on subject consent or on a contract enforcement. This right is not applicable where processing is carried out on paper. (Right to data portability);

The exercise of any of these rights by the data subject must be carried out directly to the Data Protection Officer by the email address dpo@cm-lisboa.pt or submitting the form to exercise the rights of subject personal data.

Privacy notification

Data subjects have the right to lodge a complaint to the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados - CNPD) in case of violation of the applicable rules regarding the protection of their personal data.

In case of a personal data breach, the Lisbon City Council notifies the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados - CNPD), whenever possible within 72 hours of having become aware of the personal data breach, unless the personal data breach is not likely to result in a risk to the rights and freedoms of individuals.

Any Processor of the Lisbon City Council must notify the controller without undue delay after becoming aware of a personal data breach.

Contacts of the Data Protection Officer of the Lisbon City Council:

  E-mail: dpo@cm-lisboa.pt

  Telephone number: +351 213 236 200


Last update: 14 april 2025