The response to computer security incidents, in particular the containment of the threat and the restoration of functionality, must take care to preserve evidence that helps determine and prove the systems and information affected by the incident.
All computer security incidents must be reported to
CSIRT.UMinho by email to csirt@uminho.pt.
All personal data breaches must be reported to the Data Protection Officer (DPO), without undue delay, for recording and assessment of the measures to be taken.
Personal data breaches that may result in a risk to data subjects must be reported to the Supervisory Authority (CNPD) within 72 hours of being detected (GDPR, article 33).
Breaches likely to entail a high risk for data subjects must be reported to them without undue delay (GDPR, article 34).
The risk assessment must be carried out in conjunction with the DPO.
Communication to the Supervisory Authority will be made via the DPO.
Communication to the DPO is made by email to protecaodados@uminho.pt, using the following form:
Data Protection Officer Personal Data Breach Notification Form
The form can be re-sent whenever more information is obtained, but the first submission should not be delayed by the collection of information that cannot be provided immediately.
When the sensitivity of the information justifies it, this document should be encrypted and the password that decrypts it sent to the DPO via a channel other than email.
Failure to notify the supervisory authority of data breaches likely to result in a
risk to data subjects and failure to notify data subjects of breaches likely to entail a
high risk to their rights and freedoms constitute serious administrative offenses, in accordance with article 38(1)(j) and (k) of Portuguese Law 58/2019 of August 8.
