This document establishes the Privacy and Personal Data Protection Policy (hereinafter the “Policy”) of the API Next consortium, formed by the Portuguese Press Association (API), the Protocol Centre for Professional Training for Journalists (CENJOR), and the Aveiro Media Competence Center (AMCC).

Hereinafter referred to as “API Next”, as the entity responsible for processing personal data under the General Data Protection Regulation (Regulation No. 2016/679 of the European Parliament and of the Council, of 27 April – “GDPR”).

This Policy aims to inform and ensure the security, protection, and transparency of the data processing practices and mechanisms under the responsibility of API Next and all entities that comprise or are contracted by it, reaffirming its commitment to full compliance with the applicable legislation.

Processing of Personal Data

The processing of personal data is carried out in accordance with the general principles set out in the GDPR, namely:

• Personal data shall be processed lawfully, fairly, and transparently (“Lawfulness, fairness and transparency” principle);
• Data shall be collected for specific, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes (“Purpose limitation” principle);
• Only adequate, relevant, and limited data shall be processed to what is strictly necessary for the purposes for which they are processed (“Data minimisation” principle);
• Reasonable measures shall be taken to ensure that inaccurate data, considering the purposes for which they are processed, are erased or rectified without delay (“Accuracy” principle);
• Data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which they are processed (“Storage limitation” principle);
• Data shall be processed securely, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage, using appropriate technical and organisational measures (“Integrity and confidentiality” principle).

What Personal Data We Process

In the context of API Next’s activities, data subjects include, but are not limited to:
training candidates and trainees; trainers and trainer applicants; clients, former clients, and potential clients; partners; job applicants; employees and former employees; employees of partners; suppliers and service providers and their employees; applicants and complainants; visitors; and any individual maintaining a relationship with API Next.

API Next does not knowingly or voluntarily collect personal data from minors. If API Next discovers that it has inadvertently collected data from a person under 18 years of age, it will immediately delete such records.

Depending on the nature of the interaction, the personal data processed may include:
name, address, contact details (mobile phone, telephone, email), civil identification data (citizen card/identity card) or residence permit/passport (for non-Portuguese citizens), tax identification number, social security number, nationality, place of birth, academic and professional qualifications, employment status, date of birth, gender, household information, identification of the legal guardian (for minors), and curriculum vitae.

Service-related data for contractual execution or legal compliance may also be processed, such as billing data, payment details, account balances, transaction history, and support records.
Information shared on social networks during interactions with API Next may also be processed, in accordance with the relevant privacy policies.

You are not required to share your personal data with API Next. However, refusal to provide certain data may prevent API Next from delivering the requested services, ensuring specialised features, or responding effectively to your inquiries.

Purposes of Data Processing

The information collected by API Next is used for the following contractual purposes, which do not require the prior consent of the data subject under Article 6 of the GDPR:

• Registering data subjects for API Next courses and activities;
• Managing information requests, registrations, and training processes;
• Managing the full documentation and training process, including candidate selection, course delivery, evaluation, payments, and communication within API Next;
• Drafting training or service provision contracts;
• Registering trainees in the Integrated Information and Management System for Educational and Training Offer (SIGO), coordinated by the Directorate-General for Education and Science Statistics (DGEEC), in compliance with Decree-Law No. 14/2017 of 26 January and Ordinance No. 474/2010 of 8 July;
• Issuing Certificates/Diplomas to trainees;
• Issuing experience declarations and annual income statements for trainers (for tax purposes);
• Providing web-based services (e.g., registration and application management);
• Providing data to official entities as required by law, regulations, or binding protocols;
• Sending trainees information related to their participation and API Next activities;
• Managing technical and operational aspects of the website (including troubleshooting, statistics, testing, and research);
• Detecting and preventing fraudulent activities or misuse of the website;
• Complying with regulatory, legal, and administrative requirements;
• Executing public authority decisions;
• Protecting individual security;
• Defending API Next in court.

The information collected by API Next may also be used for institutional communication purposes, with the prior consent of the data subject under Article 7 of the GDPR:

• Sending institutional communications, updates (via email, phone, SMS/MMS, postal mail, social networks, or newsletters) related to API Next services;
• Sending information about events or initiatives organised by or in collaboration with API Next;
• Conducting training needs assessments, satisfaction surveys, and statistical or market studies.

Providing data for these purposes is optional. However, refusal to provide the necessary data may prevent the delivery of certain services. Consent for marketing or statistical processing is entirely optional.

Data Retention Period

Personal data will be retained only as long as necessary to fulfil the purposes for which they were collected or to comply with legal obligations.
Where processing is based on consent, data will be retained until consent is withdrawn. Once no longer necessary, API Next will securely delete the data.

Processing of Personal Data by Third Parties

Personal data collected will be processed by API Next as the Data Controller. Processing may be performed by authorised employees and consultants involved in:

• Customer support and IT system management;
• Training, financial, administrative, or accounting departments.

API Next may subcontract service providers to perform specific processing operations in accordance with its instructions and this Policy, including:

• Public institutions or professional associations;
• Marketing or quality-related service providers;
• IT system management, maintenance, and hosting service providers.

All processors act under contractual commitments ensuring data confidentiality and compliance with the GDPR.
Personal data may also be shared with judicial, administrative, supervisory, or regulatory authorities where legally required.

Cross-Border Data Transfers

API Next does not transfer personal data outside the European Economic Area (EEA).

Data Subject Rights

As a data subject whose personal data are processed by API Next, you have the right to:

• Information: Obtain clear and transparent details on how your data are used and your rights.
• Access: Know whether API Next processes your data and obtain relevant information.
• Rectification: Request correction of inaccurate or incomplete data.
• Erasure (“Right to be forgotten”): Request deletion of your data where no legitimate reason exists for continued processing.
• Restriction: Block or limit processing in certain circumstances.
• Portability: Obtain and reuse your personal data for your own purposes across different services.
• Objection: Object to processing based on legitimate interests.
• Withdraw consent: At any time, where processing is based on consent.
• Lodge a complaint: With the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados – CNPD) at www.cnpd.pt.

Contact for Questions or Exercising Rights

If you have any questions or wish to exercise your rights, please contact:
📧 [email protected]

You may be asked to provide proof of identity. Exercising your rights is free of charge, except when a request is manifestly unfounded, excessive, or repetitive.

Security and Confidentiality

Personal data are processed by API Next using appropriate technical and organisational measures to ensure their availability, confidentiality, and integrity, and to prevent unauthorised access, loss, or damage.

While data transmission over the Internet cannot be fully secure, API Next takes all reasonable steps to protect your information.

API Next does not sell, rent, or commercially distribute personal data to third parties, except to service providers acting under contract.

All processing is carried out in compliance with this Policy and the applicable laws.

Changes to This Privacy Policy

This Policy may be amended or updated at any time.
Any changes will be published and communicated via:
🔗 https://mediainnovationprogram.com/

Approval Date: 10/11/2025