Privacy and Personal Data Protection Policy
Privacy and Personal Data Protection Policy
The DNS.PT Association, hereinafter referred to as .PT, is committed to the protection of personal data and to respecting the privacy of data subjects.
In the course of its activities, and in particular within the scope of the management of the .pt top-level domain and the associated domain name registration system, .PT processes personal data in accordance with applicable legislation and data protection principles.
.PT ensures compliance with the principles applicable to the processing of personal data, guaranteeing the protection of the rights and freedoms of data subjects.
For this purpose, .PT provides adequate mechanisms for the exercise of the rights of personal data subjects in strict compliance with applicable legislation, specifically, the provisions of Article 35 of the Constitution of the Portuguese Republic, Regulation (EU) 2016/679, of the European Parliament and of the Council, of April 27, 2016, (General Data Protection Regulation – GDPR), Law No. 58/2019, of August 8, which ensures the execution in the national legal order of the GDPR and Law 59/2019, of August 8, and other applicable legislation regarding personal data protection.
This Privacy and Personal Data Protection Policy applies to the processing of personal data by .PT by fully or partially automated means, as well as by non-automated means contained in files or intended for them.
For the purposes of this Policy, "personal data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, electronic identifiers or one or more specific elements of that natural person’s physical, physiological, genetic, mental, economic, cultural or social identity.
"Processing of personal data" means an operation or set of operations carried out on personal data or sets of personal data, by automated means or not, namely the collection, registration, organization, structuring, conservation, adaptation, recovery, consultation, use, disclosure, dissemination, comparison, interconnection, limitation, erasure or destruction of data.
In order to ensure a holistic, systematized and clear view of the policies adopted by .PT in terms of privacy and personal data protection, the following are considered linked to this Privacy Policy:
Data Controller
.PT is the entity responsible for the processing of personal data, its headquarters are located at Rua Eça de Queiroz 29, 1050-095 Lisbon.
As data controller, .PT intends to ensure the compliance of the best practices in the security and protection fields of personal data, from the concept ("Privacy by Design") and by default ("Privacy by Default") ensuring that:
- Before starting any personal data processing, it ensures that the latter is carried out within the purposes for which the personal data will be collected or for purposes compatible with those;
- The collection, use and conservation is restricted only to the personal data necessary for the purpose in question;
- It does not proceed to any transmission of personal data for commercial or advertising purposes;
- The processing is carried out for legally provided purposes.
.PT follows technical and organizational measures aligned with the compliance of the GDPR and applicable legislation regarding privacy and personal data protection, ensuring that the processing of these data is lawful, fair, transparent and limited to duly authorized purposes.
Data Protection Officers
.PT has appointed a Data Protection Officer whose contact should be made directly through the email address epd@pt.pt for all questions related to the processing of personal data and the exercise of their rights by their holders.
Among other functions, the Data Protection Officer monitoring the compliance of data processing with the applicable standards, ensuring compliance with privacy and data protection policies, being one of the points of contact for clarification of questions related to the processing of personal data.
Purpose of Processing
.PT processes personal data for a set of purposes, related to the pursuit of its activity and, as well, to its functioning as a legal entity.
Within the scope of its activities, .PT processes personal data for the following purposes:
Within the scope of its activities, .PT processes personal data for the following purposes:
- Management of domain name registry;
- Human resources management;
- Financial management;
- Infrastructure and system management;
- Legal management;
- Management of the security of people, goods and facilities.
Grounds for Lawful Processing
Under Article 6 of the GDPR, the processing of personal data by .PT may be based, in particular, on the following legal grounds:
- a)Performance of a contract or pre-contractual steps – when processing is necessary for entering, performing or managing contractual relationships to which the data subject is a party, or for carrying out pre-contractual measures at the request of the data subject. This includes processing related to the provision of services associated with the registration of domain names under the .pt top-level domain, as well as the management of relationships established with users, partners or other entities.
- b)Consent of the data subject – when processing is carried out on the basis of the freely given, specific, informed and unambiguous consent of the data subject, namely in the context of participation in events, training sessions or other initiatives promoted by .PT, and such consent may be withdrawn at any time under the terms of applicable legislation.
- c)Pursuit of legitimate interests of .PT – when processing is necessary for the purposes of the legitimate interests pursued by .PT or by third parties, provided that the rights and freedoms of the data subject do not prevail. This includes processing related to the security of people, assets and facilities, the security, stability and resilience of networks and information systems, as well as the improvement and development of the services provided.
- d)Compliance with legal obligations – when processing is necessary for compliance with legal obligations to which .PT is subject, namely in tax, labor or administrative matters, as well as obligations applicable to the management and operation of the domain name registration system, including processing related to fraud prevention and detection, network and information security management, and cooperation with competent public authorities.
Personal data processed
Within the scope of its activity and for the purposes identified in this Privacy Policy, .PT processes the personal data strictly necessary for the pursuit of its duties and the development of its institutional, technical, administrative and operational activities.
The personal data processed by .PT may concern, in particular, persons responsible for domain names registered under the .pt top-level domain, users of services provided by .PT, employees and candidates in recruitment processes, members of corporate bodies, service providers, suppliers, institutional partners or other natural persons who interact with .PT within the scope of its activity.
Personal data may be collected directly from the respective data subjects, through the use of services provided by .PT, interaction with its systems and digital platforms, participation in initiatives or events promoted by .PT, completion of forms, sending of communications or entering into contractual relationships.
Personal data may also be collected indirectly, where transmitted to .PT by entities with which it interacts within the scope of its activity, namely partners, service providers or other entities involved in the provision of services or compliance with legal obligations.
In the specific context of the management of the domain name registration system under .pt, certain personal data may be collected by entities accredited to provide domain name registration services (registrars), which collect such data from data subjects at the time of the registration request and transmit it to the central registration system managed by .PT.
Additionally, .PT may process personal data resulting from the use of its websites and digital platforms, namely browsing data or technical data associated with access to its systems, under the terms defined in the respective Cookies Policy.
Within the scope of its activities, .PT may process different categories of personal data:
- personal identification data, such as name, identification number or other equivalent identifiers;
- contact data, such as address, email address or telephone number;
- professional data, such as role, employer or elements related to professional activity;
- financial or billing data, where necessary for the management of contractual relationships or compliance with legal obligations;
- image data, when collected within the scope of events, institutional initiatives or security systems;
- other data strictly necessary for the pursuit of the processing purposes identified in this policy.
.PT ensures that the personal data processed is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed, in accordance with the data minimisation principle provided for in the GDPR.
Rights of Data Subjects
Under applicable legislation on personal data protection, personal data subjects may exercise, within the legally established limits, the following rights regarding their personal data:
- right of access: the data subject has the right to obtain from .PT (data controller) the confirmation of the processing of their personal data, as well as an access to these data and request information about their processing.
- right of rectification: the data subject has the right to obtain the rectification of inaccurate personal data and to complete those that are incomplete.
- right to erasure: the data subject has the right to obtain the erasure of their personal data, without prejudice to the established conservation periods.
- right to restriction of processing: the data subject has the right to obtain the restriction of processing.
- right to portability: where applicable, the data subject has the right to receive the personal data concerning them in a structured, commonly used and machine-readable format, as well as the right to transmit that data to another controller.
- right to object: the data subject has the right to object, at any time, on grounds relating to their particular situation, to the processing of personal data concerning them, where the processing is based on the legitimate interests of the controller. .PT shall cease processing the personal data, unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
- right to withdraw consent: where processing is based on the data subject’s consent, the data subject has the right to withdraw their consent at any time, without this affecting the lawfulness of processing carried out on the basis of the consent previously given.
- right to lodge a complaint: the data subject has the right to lodge a complaint with the National Commission for the Protection of Personal Data (CNPD), as the competent supervisory authority, if they consider that the processing of their personal data infringes applicable legislation.
Processors and Recipients
Within the scope of the pursuit of its activities and for the purposes identified in this policy, .PT may communicate or make personal data available to recipient entities whenever necessary or legally required.
Such entities may include, in particular, entities accredited to provide domain name registration services (registrars), judicial authorities, ARBITRARE - Arbitration Center for Industrial Property, Domain Names, Firms and Denominations, as well as other public authorities to which the law grants powers of investigation, supervision or prevention of non-compliance with legislation, namely in the areas of consumer protection, intellectual property, communications, (cyber)security, public health or commercial practices.
The communication of personal data to these entities is limited to the data strictly necessary for the pursuit of the purposes justifying its transmission and is carried out in accordance with applicable legislation on personal data protection.
Whenever external entities process personal data on behalf of .PT, they shall act as processors and shall be bound, under Article 28 of the GDPR, to provide sufficient guarantees regarding the adoption of appropriate technical and organisational measures ensuring the protection of personal data and respect for the rights of data subjects.
In certain situations, entities receiving personal data may act as independent controllers, namely where they process the data for their own purposes within the scope of their legal powers or contractual relationships with data subjects.
Sharing and disclosure of personal data
Within the scope of the pursuit of its activities and the fulfilment of its duties, .PT may share or disclose personal data whenever necessary for compliance with legal obligations, safeguarding the security and integrity of networks and information systems, or ensuring the regular functioning of the domain name registration system under the .pt top-level domain.
The sharing of personal data may occur, in particular, with public authorities, entities with legal powers of supervision, investigation or inspection, entities responsible for the prevention of or response to cybersecurity incidents, as well as with other entities that demonstrate legal legitimacy to access such data.
In the specific context of the functioning of the domain name registration system, certain data associated with the registration may also be made available or communicated under the terms defined in the policies applicable to the .pt top-level domain, namely the .pt WHOIS Policy and other relevant regulatory instruments.
Where applicable, the sharing of personal data is carried out in accordance with the GDPR and applicable cybersecurity legislation, including obligations arising from the European legal framework on the security of networks and information systems.
In any case, .PT ensures that the communication or making available of personal data is limited to what is strictly necessary for the purpose justifying it, respecting the principles of data minimisation, proportionality and security of processing.
Data transfer
Within the scope of the provision of its services and the pursuit of its activities, .PT may, in certain circumstances, transfer personal data to recipients located outside the European Economic Area (EEA) or to international organizations.
Whenever this occurs, .PT ensures that such transfers are carried out in accordance with Chapter V of the GDPR and only where the legally established conditions for that purpose are met.
In particular, .PT ensures that transfers of personal data to third countries or international organizations are only carried out where there is an adequacy decision by the European Commission or where appropriate data protection safeguards are in place, namely through the conclusion of standard contractual clauses approved by the European Commission or other mechanisms provided for in applicable legislation.
Retention period
.PT retains personal data only for the period necessary to fulfil the purposes for which they were collected or processed, in accordance with the storage limitation principle provided for in the GDPR.
Retention periods may vary depending on the nature of the data and the purposes of processing, and data may be retained for longer periods where necessary for compliance with legal obligations, for the establishment, exercise or defence of legal claims, or to safeguard .PT’s legitimate interests.
In particular, personal data may be retained under the following general terms:
- a)Data associated with the registration of .pt domain names: during the period of validity of the registration and, after its termination, for the time necessary to comply with legal obligations, manage incidents, prevent abuse, resolve disputes or defend rights. Given the nature of the domain name registration system and the need to ensure the traceability and historical integrity of the registry, certain data may also be retained for additional periods or permanently for historical, statistical, technical or archiving purposes, in accordance with applicable legislation on personal data protection.
- b)Data associated with contractual relationships with service providers, partners or suppliers: during the term of the contractual relationship and, subsequently, for the legal period applicable to compliance with tax, accounting or administrative obligations, which may be up to 10 years.
- c)Personal data of employees and candidates in recruitment processes: during the period necessary for the management of the employment relationship or recruitment process and for the legally required periods in labor and social security matters.
- d)Data collected through contact forms or communications sent to .PT: during the period necessary to process the request or manage the communication, and may be retained for an additional period where necessary for follow-up or recording of the interaction.
- e)Data associated with the security of facilities, systems and infrastructures, including technical or access logs: during the period necessary for security management and incident prevention, without prejudice to any legal retention obligations.
- f)Data resulting from browsing .PT websites: for the period defined in the respective Cookies Policy.
Once the applicable retention period has expired, personal data will be securely deleted or anonymised, without prejudice to its retention where required by law or necessary for the purposes of exercising or defending rights in legal proceedings.
.PT adopts a set of appropriate technical and organizational measures aimed at ensuring a level of security appropriate to the risk associated with the processing of personal data, in accordance with Article 32 of the GDPR, with international best practices in information security, namely the Cybersecurity Legal Framework, approved by Decree-Law No. 125/2025, of December 4, and other applicable legislation.
For this purpose, .PT implements and maintains an integrated quality and information security management system, aligned with recognised international standards and frameworks, namely ISO 9001 and ISO/IEC 27001, which establishes policies, procedures and controls aimed at ensuring the protection of information and personal data processed within the scope of its activities.
Within the framework of this management system, .PT applies a set of measures aimed at ensuring the confidentiality, integrity, availability and resilience of processing systems and services, including, in particular, access control mechanisms based on the principle of least privilege, protection and encryption of communication channels, safeguarding data integrity, as well as the use of anonymisation or pseudonymisation techniques whenever appropriate.
.PT also ensures that individuals who, in the performance of their duties, have access to personal data are subject to confidentiality obligations and internal information security procedures, and measures are adopted to prevent unauthorised access, use, disclosure or alteration of personal data.
The security measures implemented are subject to periodic monitoring, assessment and review, with a view to ensuring the continuous improvement of security systems, the adequacy of the measures adopted to technological developments, and the response to emerging risks and threats in the field of cybersecurity.
Responsibility of personal data subjects
Data subjects are responsible for providing .PT with complete, accurate and up-to-date information, as well as for using the services provided by .PT in accordance with the applicable rules and with respect for the rights of third parties.
Data subjects are also responsible for the use of usernames, passwords, access codes and any other elements used to access the services provided by .PT, which are personal and non-transferable, and they must ensure their confidentiality and prevent their use by third parties.
Data subjects must also adopt diligent behaviour when using .PT’s digital services, namely by ensuring that the equipment and applications used to access such services are adequately protected and updated in terms of security.
Notification and complaint
Without prejudice to sending direct notification to .PT, through the contacts indicated below, you can complain directly to the National Commission for the Protection of Personal Data (www.cnpd.pt), using the contacts provided by this entity for this purpose.
Contacts
Media and .pt website issues: rp@pt.pt;Processing of personal data issues: epd@pt.pt;
.pt Domain Registration issues: request@pt.pt;
Security issues: abuse@pt.pt
Questions related to illegal digital content and/or requests for information arising from ongoing investigations by entities legally competent for that purpose: legal@pt.pt.
DNS.PT Association
Rua Eça de Queiroz, n.º 29
1050-095 Lisboa - Portugal
Last update: July 1, 2026