Privacy Policy

1. Framework and Commitment to Data Protection

The Foundation for Science and Technology, I. P. (FCT), through its digital services unit FCCN, in the exercise of its legal responsibilities in promoting scientific, technological and innovation research, is firmly committed to the protection of personal data, ensuring its processing in a lawful, fair, transparent and secure manner, pursuant to Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) and Law No. 58/2019 of 8 August.

In the context of promoting Open Science, FCT ensures the development and operation of the RCAAP Portal (Open Access Scientific Repository of Portugal), accessible at https://www.rcaap.pt, which enables access to, searching and dissemination of scientific content made available in open access.

The RCAAP Portal constitutes a digital infrastructure for the aggregation of scientific information, integrating content from institutional repositories, scientific journals and other sources through interoperability mechanisms, contributing to the visibility, accessibility and reuse of scientific knowledge produced within the scientific and technological system.

This Privacy Policy aims to inform users, in a clear and accessible manner, about the conditions under which personal data are processed within the RCAAP Portal, namely:

  • The categories of personal data processed;
  • The purposes and legal bases for processing;
  • The ways in which data are used, shared and retained;
  • The rights of data subjects and the means of exercising those rights.

2. Data Controller

The Foundation for Science and Technology, I. P. (FCT), headquartered at Av. D. Carlos I, 126, 1249-074 Lisbon, is the entity responsible for the processing of personal data in connection with the operations required for the technical and operational functioning of the RCAAP Portal.

FCT determines the purposes and means of processing with regard to the activities of indexing, aggregating, making available and maintaining the Portal's technological infrastructure.

For any questions related to the protection of personal data, data subjects may contact the Data Protection Officer at: dpo@fct.pt.

The entities managing the institutional repositories, scientific journals or other information sources integrated in the RCAAP Portal act as independent data controllers for the personal data contained in the content they make available, being responsible for its collection, processing, lawfulness and accuracy.

FCT does not exercise editorial control over the indexed content, nor does it verify the accuracy, lawfulness or compliance of the personal data included therein.

FCT merely provides the technological infrastructure for aggregation and access, and is not responsible for the personal data contained in scientific content, except as provided for by law.

3. Collection and Processing of Personal Data

FCT processes personal data exclusively to the extent necessary to ensure the operation, security and continuous improvement of the RCAAP Portal.

Access to the RCAAP Portal may be carried out freely and anonymously; no registration or authentication is required to consult the available content.

However, there may be restricted areas or specific functionalities with access limited to authorised users (namely for administration or content management purposes), in which case only the personal data strictly necessary for authentication, access management and permission control will be processed.

The content available on the RCAAP Portal is obtained through automated interoperability mechanisms with external systems, in particular through the harvesting of metadata from institutional repositories and other scientific information sources.

In this context, FCT does not directly collect personal data from data subjects in relation to scientific content, limiting itself to its indexing, aggregation and dissemination.

3.1. Categories of data processed

a) Usage data and technical data

  • IP address
  • Browsing and interaction data with the portal
  • Access logs
  • Technical identifiers and cookies

These data are processed to ensure the operation, security and performance of the system.

b) Data provided by the user (where applicable)

  • Email address
  • Usage preferences
  • Data required for access management in restricted areas

c) Data contained in scientific metadata

The RCAAP Portal may index metadata that includes:

  • Author names
  • Institutional affiliation
  • Information associated with scientific publications

These data are made publicly available by the originating entities and processed as part of their dissemination in open access.

4. Purposes of Personal Data Processing

The personal data processed within the RCAAP Portal are intended for the purpose of Management and Development of Digital Infrastructures for the Dissemination of Scientific Knowledge, exclusively for the following activities:

  • Ensuring access to, searching and retrieval of scientific content in open access;
  • Aggregating and indexing scientific information from multiple interoperable sources;
  • Ensuring the security, integrity, availability and performance of the technological infrastructure;
  • Monitoring the use of the service and improving its quality and functionality;
  • Producing aggregated and anonymised usage statistics.

Further processing for scientific research, statistical or public interest archiving purposes may occur pursuant to Article 89 of the GDPR, with appropriate safeguards in place, including data minimisation and, where possible, anonymisation.

5. Legal Bases for Processing

The processing of personal data within the RCAAP Portal is based on the following legal grounds:

  • Article 6(1)(e) of the GDPR – processing necessary for the performance of a task carried out in the public interest, in the context of promoting Open Science and the dissemination of scientific knowledge;
  • Article 6(1)(c) – compliance with legal obligations applicable to FCT;
  • Article 6(1)(f) – legitimate interests of FCT, namely to ensure the security, stability and operation of the system.

Where applicable, the consent of the data subject will be requested, in particular for the use of non-essential cookies or additional functionalities.

6. Data Retention

Personal data are retained only for the period necessary to fulfil the purposes for which they were collected and processed, in accordance with the principles of storage limitation and data minimisation.

In particular:

  • Technical data and access logs are retained for limited and proportionate periods, generally up to 6 months, for security and monitoring purposes;
  • Contact data are retained for as long as necessary for the specific purpose that justified their collection;
  • Scientific metadata are maintained for as long as relevant for open access, preservation and dissemination of scientific knowledge.

Wherever possible, data are anonymised or securely and irreversibly deleted.

7. Rights of Data Subjects

Under applicable legislation, data subjects have the right to:

  • Access their personal data and obtain information about its processing;
  • Request the rectification of inaccurate or incomplete data;
  • Request the erasure of data, where applicable;
  • Request the restriction of processing;
  • Object to processing, under certain circumstances;
  • Request data portability, where applicable.

These rights may be exercised by contacting the Data Protection Officer at: dpo@fct.pt.

Data subjects also have the right to lodge a complaint with the National Data Protection Commission (www.cnpd.pt).

8. Sharing of Personal Data

Within the RCAAP Portal, personal data may be made available or transmitted:

  • To national and international search engines and scientific platforms, in the context of open access dissemination;
  • To interoperable scientific aggregation infrastructures and services;
  • To subcontractors providing technological services to FCT.

Data sharing is limited to what is strictly necessary and carried out with appropriate data protection safeguards.

9. Subcontractors

Personal data may be processed by subcontractors acting on behalf of FCT in the context of providing technological services and infrastructure support.

In such cases, FCT ensures the conclusion of contracts establishing specific data protection obligations, guaranteeing that subcontractors implement appropriate technical and organisational measures and act exclusively in accordance with FCT's instructions.

10. Transfer of Data to Third Countries

No transfers of personal data outside the European Economic Area are foreseen.

Should such transfers exceptionally occur, FCT will ensure the application of appropriate data protection mechanisms pursuant to the GDPR, in particular through the use of standard contractual clauses or other legally provided instruments.

11. Security Measures

FCT implements appropriate technical and organisational measures to ensure the protection of personal data against destruction, loss, alteration, disclosure or unauthorised access.

These measures include, in particular:

  • Access control and appropriate authentication;
  • Continuous system monitoring and incident detection;
  • Backup and recovery mechanisms;
  • Protection of communications and systems against unauthorised access.

Measures are periodically reviewed and updated, taking into account technological developments and the risks associated with processing.

12. Notification and Complaints

For any questions related to the processing of personal data, users may contact FCT through the available institutional channels.

Without prejudice to other means of redress, data subjects may lodge a complaint with the National Data Protection Commission (www.cnpd.pt).

13. Changes to the Privacy Policy

This Privacy Policy may be updated whenever justified, in particular due to legal, regulatory or technological changes.

The most recent version will always be available on the RCAAP Portal, with the date of the last update indicated.

Last updated: 29 March 2026