Mon–Fri 08:00–19:00 · Sat 08:00–13:00· Faro· +351 289 892 100· geral@crmalgarve.pt PTENFR
CRMA
Privacy

Privacy Policy & Cookies.

This policy explains how CRMA collects, uses and protects your personal data when you contact the clinic or use the crmalgarve.pt website. It is organised by topic, so you can easily find what you are looking for.

Last updated: 10 July 2026

This is a translation of the Portuguese policy of 10 July 2026. In the event of any divergence, the Portuguese version prevails.

1. Who is responsible for processing your data

The entity responsible for processing your personal data (the controller) is Clínica de Ressonância Magnética do Algarve, Lda. (CRMA), with registered office at Rua Dona Teresa Ramalho Ortigão, 31A R/c, 8000-314 Faro, Portugal, with NIPC 503 051 497 and licensed by the Portuguese Health Regulator (Entidade Reguladora da Saúde, ERS) under no. E102030.

For any matter relating to data protection, you can contact us:

  • Email: dpo@crmalgarve.pt
  • Phone: +351 289 892 100 (cost of a call to the national fixed-line network)
  • Post: to the address given above

2. Data Protection Officer (DPO)

The Data Protection Officer is the person responsible for overseeing compliance with data-protection rules and for receiving requests from data subjects. CRMA has appointed Dra. Ana Paula Duarte to this role.

Email: dpo@crmalgarve.pt

3. What personal data we process

3.1. Data collected on the website

When you complete a form on the website (general enquiry, exam booking, online safety questionnaire or job application), we may collect:

  • Identification and contact details — name, phone number, email.
  • Data about the exam you want — type of exam, medical referral (if you attach it) and the funding entity (subsystem, insurer or the SNS).
  • Health data in the online safety questionnaire (only if you choose to complete it — it is optional) — your date of birth, weight and the answers to the questions on the official questionnaire for your exam (for example, implants and devices, allergies, medication, pregnancy). This is special category data, processed as described in section 3.3.
  • Professional data (job applications only) — CV, education and experience.
  • Technical data — server logs, including the IP address, processed for the security and operation of the website; and aggregate, anonymous visit statistics (see section 10).

3.2. Data collected through other channels

If you contact us by phone, email or in person, we may record the same types of data as above and also the content of the communication, in order to reply to you and keep a history of our relationship.

3.3. Health data (special category)

Health data are a special category of data, with enhanced protection (Article 9 GDPR). CRMA may process health data when it receives a referral, when the patient voluntarily shares clinical information — including in the answers to the safety questionnaire, if you choose to complete it online —, and when it carries out an exam and produces the corresponding report.

4. For what purposes and on what legal basis we process data

PurposeLegal basis (GDPR)
Respond to requests for information or bookingsPre-contractual steps / performance of a contract — Article 6(1)(b)
Carry out the safety screening for the exam based on the safety questionnaire completed online (optional)Explicit consent — Article 9(2)(a); the screening and the questionnaire signed at the clinic are based on the provision of health care — Article 9(2)(h)
Carry out and report imaging examsProvision of health care — Article 9(2)(h), in conjunction with Article 6(1)(b)
Communicate with you about your scheduled examPerformance of a contract — Article 6(1)(b)
Invoice and charge for the services providedLegal obligation (tax and accounting) — Article 6(1)(c)
Comply with legal obligations (health, ERS, tax)Legal obligation — Article 6(1)(c)
Assess job applicationsPre-contractual steps — Article 6(1)(b)
Measure use of the website, in aggregate and anonymous form (without cookies)Legitimate interest — Article 6(1)(f)
Defend CRMA's rights in the event of a disputeLegitimate interest — Article 6(1)(f)

5. Who we share your data with

CRMA does not sell your personal data and does not transfer it to third parties for marketing purposes. Where necessary, we may share data with:

  • Referring doctors — so that they can access their patients' reports and images, subject to due authorisation.
  • Subsystems, insurers and the SNS — where the exam is co-funded, for invoicing and validation.
  • Technical processors — companies that provide services to CRMA, bound by contract to confidentiality and security (see the list below).
  • Competent authorities — whenever required by law (ERS, IGAS, the Tax Authority, judicial authorities, among others).

Main processors

ServiceProvider
EmailMicrosoft 365 (Microsoft)
Clinical management systemC2S
Website visit statisticsPlausible Analytics (hosted in the EU; without cookies)
Website hosting and delivery of form emailsPTisp (Portugal)
Processing of the website formsHandled in an environment managed by CRMA; the data you submit — including any referral attachment or the answers to the safety questionnaire, laid out in the format of the official form — are forwarded to us by email, without using external form services. Nothing is stored on the website.

6. International transfers

CRMA gives preference to providers located in Portugal or the European Economic Area (EEA). If any processor processes data outside the EEA (for example, Microsoft group services), we make sure that the safeguards required by the GDPR are in place — an adequacy decision of the European Commission or Standard Contractual Clauses.

7. How long we keep your data

Type of dataPeriod
Requests via form/contact without a bookingUp to 12 months after the last contact
Safety-questionnaire answers submitted onlineThey serve to prepare the exam; the questionnaire reviewed and signed at the clinic becomes part of the clinical record (next row). If the exam does not take place, they are deleted up to 12 months after the last contact.
Clinical records, exam reports and imagesFor the period required by the health legislation applicable to imaging — as a rule no less than 10 years, and possibly longer.
Accounting and tax documents10 years (tax legislation)
Speculative job applicationsUp to 12 months, unless consent is given for a longer period
Website browsing dataWe do not use analytics cookies; server logs are kept for short periods, for security.

Once the applicable period has elapsed, the data are securely deleted or anonymised.

8. Your rights

As a data subject, you have the right to access your data, rectify inaccurate data, request erasure ("the right to be forgotten"), restrict or object to processing, exercise portability and withdraw consent where the processing is based on it (without affecting earlier processing).

How to exercise your rights

You can exercise these rights by email, by post to CRMA's address, or in person at reception. To help us act quickly, please provide: your identification (full name) and a validating detail; the right you wish to exercise; and your preferred form of reply. For security — especially where the request involves health data — we may ask for proof of identity.

We reply within a maximum of one month of receiving the request, extendable by up to a further two months in complex cases, with reasons given.

Complaint to the supervisory authority

If you consider that the processing of your data does not comply with the law, you may complain to the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados, CNPD): Av. D. Carlos I, 134, 1.º — 1200-651 Lisboa, Portugal · +351 213 928 400 · geral@cnpd.pt · www.cnpd.pt. We ask, nonetheless, that you contact us first — we can often resolve the matter directly.

9. Security of your data

CRMA applies appropriate technical and organisational measures to protect your data against unauthorised access, loss or alteration:

  • Access restricted by professional profile and individual authentication in the clinical systems.
  • Website communications encrypted with HTTPS (TLS).
  • Up-to-date systems and regular backups.
  • Staff awareness of data protection.
  • In the event of a data breach with risk to data subjects, notification to the CNPD within 72 hours and, where applicable, to the data subjects themselves.

10. Cookies and similar technologies

10.1. What cookies are

Cookies are small files that a website places on your device to "remember" information from your visit (for example, the language you chose). Similar technologies — web beacons, pixels, local storage — perform equivalent functions; when this policy refers to "cookies", it also includes those technologies.

10.2. Which cookies we use

The CRMA website was designed to work with the fewest cookies possible:

  • We do not use advertising or marketing cookies.
  • To measure visits we use Plausible Analytics, which does not set cookies and does not collect personal data. For this reason, this website does not display a cookie consent banner.
  • Technical audit (July 2026): the website does not set any cookies, whether first-party or third-party. Should strictly necessary cookies (for operation or security) ever be introduced, this section will be updated.

10.3. Third-party content

The fonts and the map library (Leaflet) are served directly by the website's hosting — when they load, your IP address is not disclosed to Google, Cloudflare or other providers. There is only one third-party resource that, by operating over the Internet, may receive your IP address in order to deliver the content:

  • Location map (map images provided by OpenStreetMap/CARTO) on the Contact page, to show you how to get here.

This service does not set marketing cookies; it receives only the technical data needed to display the map.

10.4. How to manage and block cookies

You can block or delete cookies in your browser settings: Chrome (Settings → Privacy and security → Cookies), Firefox (Settings → Privacy & Security), Safari (Settings → Privacy), Edge (Settings → Cookies and site permissions). If you block all cookies, some elements — such as the forms — may stop working correctly.

11. Changes to this policy

This policy may be updated to reflect changes in the law or in how CRMA operates. The version in force is always the one published on this page, with the date of the last update shown at the top.

12. Contacts

Email: dpo@crmalgarve.pt
Phone: +351 289 892 100
Address: Rua Dona Teresa Ramalho Ortigão, 31A R/c · 8000-314 Faro, Portugal

For matters concerning services, bookings or exams, please use the Contact page.