Privacy Policy

Our commitment

The Energy Services Regulatory Entity (ERSE) is firmly committed to respecting the privacy and rights of the holders of personal data, acting in accordance with the provisions of the General Data Protection Regulation (GDPR), the national implementing law and other applicable standards.

ERSE, as the data controller, implements the technical and organisational measures considered to be most appropriate to ensure an adequate level of security.


What is Personal Data

It means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.


What is “processing”

It means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.


Data protection principles

ERSE is committed to complying with the personal data protection principles laid down in the GDPR, namely:

Lawfulness, fairness and transparency: there must be a legitimate reason for processing personal data, such as the data subject’s consent, compliance with a legal obligation to which we are subject. It also means that we must inform the data subject about the processing in a clear, concise, easy and plain manner;

Purpose limitation: we must request personal data only for specified, explicit and legitimate purposes and not process it beyond the purpose for which it was requested;

Data minimisation: personal data that are processed must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

Accuracy: obligation to ensure that personal data are accurate and, where necessary, kept up to date;

Storage limitation:  personal data must not be stored for longer than is necessary for the purposes for which they are processed, although we may retain some for historical and statistical purposes;

Integrity and confidentiality: appropriate security controls are required to protect data against unauthorised and unlawful processing, loss, destruction or damage, including technical and organisational measures such as defined processes, training and awareness-raising.


Rights of the data subject

Right of access - The data subject has the right to obtain from ERSE (the controller) confirmation as to whether or not personal data concerning him or her are being processed, as well as access to such data and to information on the processing of such data. The data subject may also obtain a copy of the personal data undergoing processing.

Right to rectification - The data subject has the right to obtain the rectification of inaccurate personal data concerning him or her and the completion of incomplete personal data.

Right to be forgotten - The data subject has the right to obtain the erasure of personal data, in certain situations. There are cases in which this right is limited, such as, for example, in the context of legal proceedings, or when it is necessary for the fulfilment of legal obligations by ERSE.

Right to restriction of processing - The data subject has the right to obtain a restriction of processing, in case he/she contests the accuracy of his/her personal data, for a period enabling ERSE to verify the accuracy of the personal data, or where the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.

Right to data portability - The data subject has the right to receive the personal data concerning him or her, which he or she has provided to ERSE, in a structured, commonly used and machine-readable format. He/she has also the right to have those data transmitted directly to other controllers.

Right to object - The data subject has the right to object at any time, on grounds relating to his or her particular situation, to processing of personal data concerning him or her, including profiling. ERSE no longer processes the personal data unless the Authority can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Right not to be subject to a decision based solely on automated processing – ERSE does not adopt decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly significantly affects him or her.

Right to withdraw consent - The data subject has the right to withdraw consent at any time, provided that the processing of the data is based on consent and provided that there is no other legal ground for such processing.

Exercise of rights

Rights may be exercised free of charge through the following channels:


Registered letter with acknowledgement of receipt: Rua Dom Cristóvão da Gama, Edifício Restelo, n.º 1 – 3.º andar, 1400-113 Lisboa

Data security

ERSE will maintain the security of personal data, protecting their Confidentiality, Integrity and Availability.

Confidentiality - only authorised persons may access the data;

Integrity – personal data must be accurate and appropriate for the purposes of processing;

Availability – access to the data must be ensured for authorised purposes.

To this end, several technical and organisational security measures have been adopted in order to protect personal data against disclosure, loss, misuse, alteration, unauthorised processing or access, as well as any other form of unlawful processing.

Data storage

Personal data shall be stored by ERSE for the period strictly required for the processing, according to the respective purpose.

Supervisory Authority

Complaints regarding matters relating to data protection may be lodged with Comissão Nacional de Proteção de Dados (the National Data Protection Commission).

Policy updates

The “Privacy Policy” may be subject to updates, so we recommend that you check it on a regular basis.

Amendments are deemed to take effect as from the date of publication on this website, with specific reference to the date of the update.


Your Europe – Data protection under GDPR

European Data Protection Board

European Data Protection Supervisor

European Commission – Data Protection

Council of Europe – Data Protection

You may also wish to check the Privacy Policy paper.

4 October 2019