Privacy Policy and Data Protection

This Privacy and Data Protection Policy aims to comply with the provisions of Regulation (EU) 2016/679 of the European Parliament and the Council, dated April 27, 2016 (General Data Protection Regulation – GDPR), Law No. 58/2019, of August 8, as well as the guidelines of the National Commission for Data Protection (CNPD), establishing the legal and organizational framework applicable to the processing of personal data in the context of the Artificial Intelligence Portal, accessible at https://iatesteaut.fccn.pt/en, including the artificial intelligence system integrated therein (hereinafter referred to as the "Platform").

The Platform is an initiative of the Fundação para a Ciência e a Tecnologia, I.P. (FCT), implemented through its FCCN unit, aimed at supporting scientific research, higher education, and digital transformation aligned with the principles of open science, interoperability, computational ethics, and proactive responsibility.

The Platform provides technological resources based on artificial intelligence models, designed to facilitate access to and the generation of recommendations from scientific and academic documents, targeting teachers, researchers, students, and other professionals from participating institutions.

Data Processing Controller

As the entity responsible for the processing of personal data, the FCT determines the purposes and means of processing, in accordance with Article 4(7) of the GDPR, ensuring full compliance with the principles of lawfulness, fairness, transparency, data minimization, purpose limitation, integrity, and accountability.

Contact with the FCT's Data Protection Officer team can be made via the electronic address dpo@fct.pt or at Avenida do Brasil, 101, 1700-066 Lisbon.

Purpose and Processing Activities

Purpose of the Processing of Personal Data

The purpose of processing personal data within this Platform aligns with the objectives defined by the FCT and aims at the management and development of digital infrastructures intended for the dissemination of scientific knowledge. The data processing activities are carried out with the following objectives:

  • Ensuring authenticated and federated access to Artificial Intelligence (AI) models for legitimate research, teaching, and innovation purposes;
  • Managing the institutional membership of participating entities, including associated technical and contractual aspects;
  • Monitoring the use of computational resources, allowing the optimization of available capacity and effective cost control;
  • Supporting the FCT's mission to promote best practices in AI, particularly regarding transparency, scientific reproducibility, and privacy protection in the academic environment.

Although the Platform is designed to operate on non-personal data within its scientific and academic purposes, the incidental processing of personal data may arise. This could result, for instance, from the content of processed documents containing identifiable information or from the voluntary entry of personal data in prompts submitted by users to the AI tools provided.

Whenever such processing occurs, the FCT ensures full compliance with the applicable legal framework, particularly the GDPR, guaranteeing the existence of an appropriate legal basis, the application of suitable technical and organizational measures, and, where necessary, the provision of proper information to the data subjects.

Categories of Personal Data Processed and Collection Contexts

The processing of personal data within the Platform may vary depending on the user's role, the phase of interaction, and the nature of the contents processed. In this context, the categories of personal data processed by the FCT are distinctly grouped into authentication data, voluntarily provided data, administrative data regarding institutional membership, and data potentially present in processed documents.

a) Technical Authentication Data

  • Federated identifier assigned within the RCTS/eduGAIN authentication framework (typically referred to as RCTScert, with the format username@institution.pt);
  • Institutional affiliation and academic profile (e.g.: teacher, researcher, student);
  • Institutional email address;
  • Temporary session identifier (non-persistent, automatically generated at the time of authentication). These data are processed exclusively for federated authentication, access control, permission validation, and session security within the Platform. They are used only during the active session, being discarded at the end without any form of storage or reuse.

b) Voluntarily Entered Data

  • Content freely submitted by the user, in the form of text commands ("prompts") or files, in the interaction fields with AI models.

These data are processed exclusively in memory for the purpose of automated inference and immediate response, being deleted right after processing. They are not stored, logged, transmitted to third parties, used for model training, or retained in any form.

c) Data Collected in the Institutional Membership Process

  • Name of the adhering entity;
  • Name, role, email address, and phone contact of designated representatives (institutional coordination, technical support, and communication);
  • Technical information regarding the intended use of the Platform, such as the type of resources requested, application fields, and estimated usage volume.

These data are processed exclusively for the purposes of membership application analysis, contractual management, infrastructure configuration, and operational contact between the FCCN and the adhering entity, under the terms of the signed protocol.

d) Data Contained in Processed Documents

  • Name, role, institutional affiliation, and contact address of the authors of the accessed documents;
  • Any personal data included in uploaded or consulted scientific or academic documents.

These data are not directly collected by the Platform but may be present in the contents processed through the functionalities of analysis, extraction, or automatic summarization. Their possible exposure results from the provided documents submitted by the user, who is responsible for ensuring no undue or excessive personal information is introduced. The Platform does not store, index, or reuse these data, limiting itself to processing them transiently and automatically, without logging or human intervention.

Lawful Basis for Processing

The processing of personal data carried out within the Platform finds its legal basis depending on the nature and context of the processing operation in the following provisions of Article 6(1) of the GDPR:

Point (e) – where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the FCT, as the entity responsible for the development and provision of digital research infrastructures supporting science, higher education, and technological innovation, under its legally assigned duties and public policy of open science. This legal basis supports, in particular, the processing related to access to the Platform, the use of AI models for scientific and academic purposes, and the technical monitoring and promotion of best practices in artificial intelligence.

Point (c) – where processing is necessary for compliance with a legal obligation to which the FCT is subject, including obligations related to public procurement, accountability, auditing, administrative interoperability, and responsibility in public resource management. This basis is especially applicable to the management of data of adhering entities and their representatives in the context of the membership protocol and operational interactions with the Platform.

Point (a) – in limited cases where the data subject voluntarily enters personal data in the processed contents (such as commands or files), where processing may be considered lawful on the basis of explicit consent, provided it is thoroughly informed and given freely and specifically. Although not required for access to the Platform, consent may constitute a supplementary legal basis in marginal and residual cases.

The FCT ensures in all cases that the legal framework for each processing operation is assessed in light of the principles of necessity, proportionality, and transparency, in accordance with Articles 5 and 6 of the GDPR.

Subprocessors and Security

The platform is supported by the Microsoft Azure AI Foundry infrastructure, with Microsoft acting as a subprocessor for the FCT. All data are processed within the European Economic Area (EEA) in an isolated and secure environment.

Microsoft is contractually prohibited from using the data for its own purposes, including training or commercializing AI models. The FCT employs appropriate technical and organizational measures for data protection, including access segmentation, anonymized rotating logs, containment of processed data, and encryption in transit.

International Transfers

No personal data transfers are made outside the EEA. 
All data are processed and stored in data centers located within the European Union, under contractual guarantees of GDPR compliance.

Technical Monitoring of the Platform

Resource monitoring is performed using Azure Monitor, with aggregated metrics and automated alerts. No monitoring of individual user activity is conducted, nor is there any collection of introduced content.

Automated Decisions and Profiling

In the context of the use of the FCCN Artificial Intelligence Platform, no fully automated decisions are made that produce legal effects or significantly affect the data subjects, pursuant to Article 22 of the GDPR.

Interaction with artificial intelligence models occurs in a user-assisted and controlled manner, resulting in no decisions with direct individual impact or profiles used for assessing personal aspects.

The platform does not perform any form of user profiling or automated scoring.

Consequently, the obligation to provide human review mechanisms or explanations of automated decision-making logic, as provided for in Article 13(2)(f) of the GDPR, does not apply.

Data Subject Rights

Under Articles 12 to 23 of the General Data Protection Regulation (GDPR), data subjects have the right to access, rectify, delete, restrict, object to processing, and, where applicable, request the portability of their personal data. These rights can be exercised by submitting a written request to the FCT Data Protection Officer at the email address dpo@fccn.pt.

In the context of using the platform, especially concerning the operation of artificial intelligence tools, such content is not stored or logged, being processed in memory on a transient basis. For this reason, it is technically not possible to guarantee the exercise of rights such as access, rectification, or deletion concerning these data.

Personal data processed as part of the institutional membership process, specifically data of the representatives of adhering entities, are stored and can be accessed, corrected, or deleted under the GDPR, upon a justified request and within the legally applicable limits.

Data Retention Periods

Personal data processed within the FCCN Artificial Intelligence Platform are retained only for the time strictly necessary to achieve the purposes for which they were collected, in compliance with the principle of storage limitation, as outlined in Article 5(1)(e) of the GDPR.

Concerning technical authentication data and content entered during interactions with artificial intelligence models, retention is excluded by design: they are processed transiently during usage sessions and automatically discarded after processing, with no form of retention, logging, or persistence.

The FCT implements secure data deletion and review procedures, in alignment with its internal information management policy and applicable legal and regulatory obligations.

Technical Monitoring

The FCT implements a monitoring system based on Azure Monitor, aimed at the technical and financial management of platform resources. This monitoring focuses on virtual machines, storage, and AI services and aims to optimize infrastructure usage and prevent overconsumption. No information about individual user activity is collected, nor is the content processed by the models logged.

Institutional Communication and Promotion

Promotion actions for the platform carried out by adhering entities should be institutional, scientific, and academic, aiming to inform the university community about the platform through internal channels, training sessions, or events.

These actions do not constitute direct marketing and do not involve the sending of personalized electronic communications for promotional purposes, except with prior consent or when integrated into the public functions of the entities. Personal data processed under the protocol may not be reused for other promotional, commercial, or unrelated purposes to the platform's public mission.

Notification and Complaints

Without prejudice to direct notification to the FCT through the contacts available at https://www.fct.pt/en/contactos, data subjects may lodge complaints directly with the National Commission for Data Protection (https://www.cnpd.pt), using the contacts provided by this entity for this purpose.

Changes to the Privacy Policy

This Privacy Policy may be updated, so regular consultation is recommended. Changes are deemed effective from the date of publication on this site, with express reference made to the update date.