1. Who is responsible for processing your data
The entity responsible for processing your personal data (the controller) is Clínica de Ressonância Magnética do Algarve, Lda. (CRMA), with registered office at Rua Dona Teresa Ramalho Ortigão, 31A R/c, 8000-314 Faro, Portugal, with NIPC 503 051 497 and licensed by the Portuguese Health Regulator (Entidade Reguladora da Saúde, ERS) under no. E102030.
For any matter relating to data protection, you can contact us:
- Email: dpo@crmalgarve.pt
- Phone: +351 289 892 100 (cost of a call to the national fixed-line network)
- Post: to the address given above
2. Data Protection Officer (DPO)
The Data Protection Officer is the person responsible for overseeing compliance with data-protection rules and for receiving requests from data subjects. CRMA has appointed Dra. Ana Paula Duarte to this role.
3. What personal data we process
3.1. Data collected on the website
When you complete a form on the website (general enquiry, exam booking, online safety questionnaire or job application), we may collect:
- Identification and contact details — name, phone number, email.
- Data about the exam you want — type of exam, medical referral (if you attach it) and the funding entity (subsystem, insurer or the SNS).
- Health data in the online safety questionnaire (only if you choose to complete it — it is optional) — your date of birth, weight and the answers to the questions on the official questionnaire for your exam (for example, implants and devices, allergies, medication, pregnancy). This is special category data, processed as described in section 3.3.
- Professional data (job applications only) — CV, education and experience.
- Technical data — server logs, including the IP address, processed for the security and operation of the website; and aggregate, anonymous visit statistics (see section 10).
3.2. Data collected through other channels
If you contact us by phone, email or in person, we may record the same types of data as above and also the content of the communication, in order to reply to you and keep a history of our relationship.
3.3. Health data (special category)
Health data are a special category of data, with enhanced protection (Article 9 GDPR). CRMA may process health data when it receives a referral, when the patient voluntarily shares clinical information — including in the answers to the safety questionnaire, if you choose to complete it online —, and when it carries out an exam and produces the corresponding report.
The answers to the online safety questionnaire are not stored on the website: they are sent over an encrypted connection (HTTPS) and forwarded by email to the CRMA team, already laid out in the format of the official form, solely for safety screening and the preparation of your exam. The questionnaire is always reviewed and signed in person, at the clinic — and, for exams with contrast, the authorisation is decided and signed in person. The confirmation email you receive does not include your answers.
Exam reports and images are processed in CRMA's clinical management system (C2S), with specific security measures. This policy describes mainly the processing of data carried out through the website and the administrative channels.
4. For what purposes and on what legal basis we process data
| Purpose | Legal basis (GDPR) |
|---|---|
| Respond to requests for information or bookings | Pre-contractual steps / performance of a contract — Article 6(1)(b) |
| Carry out the safety screening for the exam based on the safety questionnaire completed online (optional) | Explicit consent — Article 9(2)(a); the screening and the questionnaire signed at the clinic are based on the provision of health care — Article 9(2)(h) |
| Carry out and report imaging exams | Provision of health care — Article 9(2)(h), in conjunction with Article 6(1)(b) |
| Communicate with you about your scheduled exam | Performance of a contract — Article 6(1)(b) |
| Invoice and charge for the services provided | Legal obligation (tax and accounting) — Article 6(1)(c) |
| Comply with legal obligations (health, ERS, tax) | Legal obligation — Article 6(1)(c) |
| Assess job applications | Pre-contractual steps — Article 6(1)(b) |
| Measure use of the website, in aggregate and anonymous form (without cookies) | Legitimate interest — Article 6(1)(f) |
| Defend CRMA's rights in the event of a dispute | Legitimate interest — Article 6(1)(f) |
5. Who we share your data with
CRMA does not sell your personal data and does not transfer it to third parties for marketing purposes. Where necessary, we may share data with:
- Referring doctors — so that they can access their patients' reports and images, subject to due authorisation.
- Subsystems, insurers and the SNS — where the exam is co-funded, for invoicing and validation.
- Technical processors — companies that provide services to CRMA, bound by contract to confidentiality and security (see the list below).
- Competent authorities — whenever required by law (ERS, IGAS, the Tax Authority, judicial authorities, among others).
Main processors
| Service | Provider |
|---|---|
| Microsoft 365 (Microsoft) | |
| Clinical management system | C2S |
| Website visit statistics | Plausible Analytics (hosted in the EU; without cookies) |
| Website hosting and delivery of form emails | PTisp (Portugal) |
| Processing of the website forms | Handled in an environment managed by CRMA; the data you submit — including any referral attachment or the answers to the safety questionnaire, laid out in the format of the official form — are forwarded to us by email, without using external form services. Nothing is stored on the website. |
6. International transfers
CRMA gives preference to providers located in Portugal or the European Economic Area (EEA). If any processor processes data outside the EEA (for example, Microsoft group services), we make sure that the safeguards required by the GDPR are in place — an adequacy decision of the European Commission or Standard Contractual Clauses.
7. How long we keep your data
| Type of data | Period |
|---|---|
| Requests via form/contact without a booking | Up to 12 months after the last contact |
| Safety-questionnaire answers submitted online | They serve to prepare the exam; the questionnaire reviewed and signed at the clinic becomes part of the clinical record (next row). If the exam does not take place, they are deleted up to 12 months after the last contact. |
| Clinical records, exam reports and images | For the period required by the health legislation applicable to imaging — as a rule no less than 10 years, and possibly longer. |
| Accounting and tax documents | 10 years (tax legislation) |
| Speculative job applications | Up to 12 months, unless consent is given for a longer period |
| Website browsing data | We do not use analytics cookies; server logs are kept for short periods, for security. |
Once the applicable period has elapsed, the data are securely deleted or anonymised.
8. Your rights
As a data subject, you have the right to access your data, rectify inaccurate data, request erasure ("the right to be forgotten"), restrict or object to processing, exercise portability and withdraw consent where the processing is based on it (without affecting earlier processing).
Erasure and portability do not apply where retention is required by law — for example, the clinical records and tax documents that we must keep for the statutory periods.
How to exercise your rights
You can exercise these rights by email, by post to CRMA's address, or in person at reception. To help us act quickly, please provide: your identification (full name) and a validating detail; the right you wish to exercise; and your preferred form of reply. For security — especially where the request involves health data — we may ask for proof of identity.
We reply within a maximum of one month of receiving the request, extendable by up to a further two months in complex cases, with reasons given.
Complaint to the supervisory authority
If you consider that the processing of your data does not comply with the law, you may complain to the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados, CNPD): Av. D. Carlos I, 134, 1.º — 1200-651 Lisboa, Portugal · +351 213 928 400 · geral@cnpd.pt · www.cnpd.pt. We ask, nonetheless, that you contact us first — we can often resolve the matter directly.
9. Security of your data
CRMA applies appropriate technical and organisational measures to protect your data against unauthorised access, loss or alteration:
- Access restricted by professional profile and individual authentication in the clinical systems.
- Website communications encrypted with HTTPS (TLS).
- Up-to-date systems and regular backups.
- Staff awareness of data protection.
- In the event of a data breach with risk to data subjects, notification to the CNPD within 72 hours and, where applicable, to the data subjects themselves.
10. Cookies and similar technologies
10.1. What cookies are
Cookies are small files that a website places on your device to "remember" information from your visit (for example, the language you chose). Similar technologies — web beacons, pixels, local storage — perform equivalent functions; when this policy refers to "cookies", it also includes those technologies.
10.2. Which cookies we use
The CRMA website was designed to work with the fewest cookies possible:
- We do not use advertising or marketing cookies.
- To measure visits we use Plausible Analytics, which does not set cookies and does not collect personal data. For this reason, this website does not display a cookie consent banner.
- Technical audit (July 2026): the website does not set any cookies, whether first-party or third-party. Should strictly necessary cookies (for operation or security) ever be introduced, this section will be updated.
As of now, the website does not use cookies that require your prior consent. Should that change, a banner will appear allowing you to accept, refuse or customise — on an equal footing — before any non-essential cookie is activated.
10.3. Third-party content
The fonts and the map library (Leaflet) are served directly by the website's hosting — when they load, your IP address is not disclosed to Google, Cloudflare or other providers. There is only one third-party resource that, by operating over the Internet, may receive your IP address in order to deliver the content:
- Location map (map images provided by OpenStreetMap/CARTO) on the Contact page, to show you how to get here.
This service does not set marketing cookies; it receives only the technical data needed to display the map.
10.4. How to manage and block cookies
You can block or delete cookies in your browser settings: Chrome (Settings → Privacy and security → Cookies), Firefox (Settings → Privacy & Security), Safari (Settings → Privacy), Edge (Settings → Cookies and site permissions). If you block all cookies, some elements — such as the forms — may stop working correctly.
11. Changes to this policy
This policy may be updated to reflect changes in the law or in how CRMA operates. The version in force is always the one published on this page, with the date of the last update shown at the top.
12. Contacts
For matters concerning services, bookings or exams, please use the Contact page.