Grupo HPA Saúde

The HPA Health Group takes the necessary steps to ensure the protection of our Patients’ data when it processes personal data to guarantee high quality standards in providing healthcare (in areas such as medical diagnosis, preventive medicine and the management of health services), or to comply with legal obligations, when providing the said services in our Units, identified here, in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 (“General Regulation on Data Protection” or “GRDP”). In this Personal Data Protection Policy (“Policy”) we have put together the main points regarding the processing of your personal data, thus ensuring that the information we provide is concise, transparent, intelligible and easily accessible.


Information, of any nature and regardless of its support, including sound and image, relating to an identified or identifiable person (“holder of the data”). A person who can be identified directly or indirectly is considered identifiable, namely by reference to an identification number or to one or more specific elements of their physical, physiological, psychological, economic, cultural or social identity.

Personal data may be of a more sensitive nature in certain situations, which the GRDP classifies as “special categories of data”. These may relate to the holder's racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic information, biometric identifiers, sex life, sexual orientation or health.

“Health-related data” is personal data relating to a person’s physical or mental health, including the provision of health services, which reveals information about their past, present or future health status.


As a rule, when a Patient goes to one of our Units (either a Hospital or Clinic – together “Unit” or “Units”), these Units that provide medical services are considered entities Responsible for the Treatment, under the terms of the GRDP.

We highlight that:

  • The Units are Responsible for Personal Data Processing for the purposes of medical care and treatment that may be deemed necessary in providing health services (for example, for the purposes of preventive medicine, medical diagnosis, administrative management of clinical records, appointments and exams, admission and delivery of exams, electronic prescription of medicines and complementary diagnostic exams);
  • The Units are Responsible for Personal Data Processing for the purposes of administrative management of the services which are provided;
  • The Units are also responsible for data processing carried out for purposes related to internal audits and to comply with systems and processes of the various Units, protection of people and property and security of the Units' facilities (through video surveillance, if any);
  • In carrying out studies and clinical trials, the entity Responsible for the Processing of Personal Data will, as a rule, be the entity promoting the study or trial, with the Unit acting merely as a Subcontractor for the purpose of processing your personal data in this context, under the terms of the contract between the parties involved;
  • The Units, through the Marketing Department, are also responsible for data processing within the scope of [marketing products and services of the Units – such as sending direct marketing information, through the different communication channels, both physical and digital].

When seeking medical care from one of our other Units, it will not be necessary to provide your personal data once again.  Through our Integrated Information System, the Unit's health professional can consult the information collected in one of our other Units. Such a system is, of course, equipped with the necessary security measures and safeguards in terms of data protection and in accordance with the legislation in force.


We can access your data directly from various sources: from your medical file, from the Identification Form which you have completed, when you book an appointment or exam, when you attend an appointment or undergo an exam, when you contact us or when you use the MyHPA Mobile Application. We can access your personal data indirectly through our service providers who provide medical services on our behalf or on behalf of our associates. You can find more information on the data we share with other entities in the “DATA COMMUNICATIONS” section below.

The treatment of your personal data may include personal data directly or indirectly related to your health. Providing personal data marked with an * is mandatory. 

Opening a patient’s file

Types of Personal Data

Full name*, date of birth*, gender*, telephone/mobile number* and TAX No.*; other identification data, for example: Passport/I.D. number, family Doctor and Health Centre, marital status, spouse's name, father's name, mother's name (if the Client is a minor), insurance policy data

Means of Collection 

When a patient’s file is opened, either in person at the reception counter of one of our Health Units or by means of telephone or computer.

Creating a Patient’s Profile

Types of Personal Data  

Patient’s File Number* (encrypted information that allows the system to recognize the user's password)

Means of data collection

When Patients’ details are collected

Appointments, Consultations & Exams

Type of Personal Data 

Information on appointments, consultations or exams and the respective Health Unit, (including the data necessary for the provision of medical and telemedicine services) 

Means of data collection

When confirming an appointment/requesting information through the various channels (E-mail, telephone, myHPA Web User Portal, HPA Health Group website and MyHPA Mobile Application)

Providing Integrated Health Care

Type of Personal Data

Information regarding your health, including: reason for consultation/procedure, personal history, family history, clinical examination, diagnoses, complementary exams, referral, alerts; medication prescribed; procedures carried out and episode description, date of beginning and end of the episode, status of the episode, type of episode, indication if there are episode results and identifying these results;

Genetic data and data relating to sexual life and sexual orientation

Means of data collection

During the course of providing integrated health care, including for the management of the Unit's systems and services

Surveys / Questionnaires

Type of Personal Data

Personal data is not collected 

Means of data collection

Personal data is not collected


Type of Personal Data

Name, date of birth, gender and Email address

Means of data collection

When the Patient has consented to the processing of data for this purpose / has subscribed to the newsletter


Websites and Mobile Applications

Type of Personal Data

Information for creating your Personal File on our websites and mobile applications (such as: full name, Email address, password, mobile number, date of birth, TAX No. and gender) as well as additional information necessary to manage and to effectively respond to requests made on these platforms.

Information on how to use the platforms, such as: [the IP of the device for access, date and time of beginning and end of the visit to the websites, user's browser history / information collected through cookies]

Means of data collection

When you use our websites and mobile applications, according to Privacy Policies and Cookie Policies respectively


Video Surveillance

Type of Personal Data 


Means of data collection

When you visit our facilities and video surveillance cameras are installed, to ensure the safety of people and property


Patients’ personal data are processed in order to provide health care, as well as for the management of systems and services of our various Units. If the Patient decides to make their personal data available for other purposes, as well as if the Units are bound to comply with legal obligations requiring the processing of personal data, the said data may need to be processed for the relevant purposes. We can therefore use your personal data for the following purposes:

  • Providing Health Care 

We use your information mentioned above for the purposes of preventive medicine, telemedicine, scheduling appointments, scheduling exams, medical diagnosis, to provide health care, for electronic prescription of medicines and complementary exams and for the management of the systems and services of our various Units.

  • Patient  relationship management

We may contact patients by letter, Email, telephone or SMS, for administrative or operational reasons (e.g. sending confirmation of appointments / payments, or informing of any changes or unforeseen circumstances regarding appointments). These communications are not made for marketing purposes, and they will continue to be sent even if patients have decided not to receive marketing information. We will also use your personal data to respond to requests, suggestions, contacts or complaints.

  • Informing on news of interest 

We send you marketing information if you have consented to receive it by subscribing to the newsletter. If you no longer wish to receive marketing information from us, simply click on the unsubscribe link at the bottom of any marketing information you receive from us to withdraw your consent.

  • Support Activities 

We may also process your personal data for administrative and financial purposes, for the protection of people and property and the security of premises (video surveillance), for audit purposes, for the detection and analysis of fraud, for declarations, for the exercise and defence of legal rights in court proceedings, as well as for the development and maintenance of systems.

  • Compliance with legal obligations 

In particular, the obligation to provide your personal data to the Central Administration of the Department of Health and to other public Health entities, as well as to Law Courts, Solicitors and criminal police, in the exercise of their duties and assignments (to learn more about the various types of recipients of your personal data, see the “DATA COMMUNICATIONS” section below).

LEGAL GROUNDS FOR DATA PROCESSING

We always process your personal data in strict compliance with the law. According to the GRDP, the controller for personal data processing must always have adequate legal grounds for doing so. Therefore, in line with applicable legislation, the processing of your personal data may be based on the following grounds:

  • Purpose

Providing health care and management of the relationship between Patients and the various Units 

  • Grounds 

To fulfil the obligation of providing the Patient with health care services,  or providing pre-contractual procedures at the request of the Patient (for example, when scheduling an appointment or clinical procedure); when the treatment concerns special categories of data, such as health data, the treatment will be based on strict requirement, for the purposes of preventive medicine, medical diagnosis and to provide health care or treatment.

  • Compliance with legal obligations

  • To inform patients on news of interest and improve their experience as a patient and also to send our Newsletter

These are always carried out based on the patient’s consent. Consent may be withdrawn at any time. However, we draw attention to the fact that the withdrawal of consent does not prejudice the legal processing of data on the basis of consent previously given. For more information on Patients’ rights under the GRDP, see the “YOUR RIGHTS” section below.

  • Satisfaction assessment surveys

These are always carried out based on patients’ consent. However, we draw attention to the fact that the withdrawal of consent does not prejudice the legal processing of data on the basis of consent previously given. For more information on your rights under the GRDP, see the “YOUR RIGHTS” section below.


Only doctors and health professionals assigned to providing health care and bound by a professional secrecy obligation can access your personal data. Where this is not the case, and your health data and other special data categories are accessed by employees who are not bound by obligations of professional secrecy, we ensure that such employees assume adequate confidentiality obligations and will only process your data under the responsibility and supervision of a professional subject to the obligation of professional secrecy.

In cases where administrative staff have access to health data and other special categories of data, such access is for specific purposes, namely the processing of data for the purpose of billing health services provided, for the purpose of scheduling consultations and clinical procedures or to manage your requests for information or complaints, in compliance with the principle of data minimization and the inherent purposes.


The period of retention of your personal data will vary according to the purpose for which they are processed. As a rule, we only process personal data for the period strictly necessary to carry out the underlying reason for its processing. However, in certain cases, there may be legal obligations to which we are bound and which oblige us to keep your data for a longer period of time. 


According to current legislation on data protection, you may, at any time, request access to your personal data, as well as its rectification, elimination, processing elimination, the transfer of your data, or you may object to its processing. You can exercise these rights through the contacts indicated below on  “CONTACT US” or personally at the reception counter of the Unit in question.

Your rights under data protection legislation consist of:

The right to information transparency, and rules to exercise your rights:  the right to know who is responsible for processing your personal data, your rights and how to exercise them, with this information provided in a concise, transparent, intelligible and easily accessible manner, using clear and simple language.

The Right to Access and to Information:  the right to confirm whether or not your personal data is being processed, as well as the right to access your personal data and certain information, including a copy of your personal data which is being processed. This right is without prejudice to the rights and freedoms of third parties, namely the business confidentiality and intellectual property rights of the controller;

The Right of Rectification:  the right to obtain the rectification of inaccurate personal data, as well as the right to complete your data, if it is incomplete;

The Right to Erase: the right to request the erasure of your data in certain cases, namely, if your personal data is no longer necessary for the purpose for which it was collected or processed. This right does not affect compliance with legal obligations of personal data retention that might affect the person responsible for personal data processing;

The Right of Data Processing Limitations: the right to request the limitation of personal data processing in certain cases, namely, if the treatment is unlawful and if you oppose the erasure of the data, requesting, in return, the limitation of its use;

The Right to Transfer Data: The right to receive the personal data which you have provided the controller, in a structured, commonly used and machine-readable format, including the right to transfer such data to another controller;

The Right of Opposition, which means that, in certain cases (for example, when your personal data is processed for the purposes of direct marketing), you can object at any time, for reasons related to your particular situation, to the processing of your data.

Under the terms of the law, you are also guaranteed the right, through the aforementioned means, to withdraw your consent to the processing of data for which consent constitutes the basis of legitimacy, which does not, however, invalidate the processing of data carried out until such date based on consent previously given.

The above applies, with the necessary adaptations, to the exercise of rights by the holder of parental responsibilities or guardian, of personal data on behalf of minors or incapable persons.

If you consider that the way we treat your data does not comply with the data protection legislation in force, we inform you that, without prejudice to any other administrative or judicial appeal, you have the possibility to file a complaint with the National Protection Data Commission or any other supervisory authority in this area.


This Privacy Policy fully applies to all users of the HPA Health Group website and mobile application. However, given the inherent specificity of its use, specific Privacy Policies were prepared and made available on the website (www.grupohpa.com) and on the mobile application.  


Units may transmit Patients’ data to each other, when this is necessary to provide the Patient with high quality health care. We may also use subcontracted entities to provide certain services, based on subcontracting agreements and in accordance with the requirements of applicable legislation. We may also transmit our Patients’ personal data to third parties when such data communications are necessary or appropriate (i) in light of applicable law, (ii) in compliance with legal obligations/court orders and (iii) to respond to requests from public or governmental authorities.

We may therefore transmit your personal data to Entidade Reguladora da Saúde, to ACSS, Serviços Partilhados do Ministério da Saúde (SPMS), to INFARMED or to  Administrações Regionais da Saúde, Courts of Law, solicitors, criminal police  or the Public Prosecutor's Office when notified for the purpose or when this is necessary to fulfil legal obligations, as legally stipulated.

In order for the services provided by the Unit to be covered by the patient’s insurance or health subsystem, personal data, including health data related to such services, may also be communicated to the Insurance Company or the health subsystem of which the patient is a beneficiary, due to the fact that they are bound by secrecy and are autonomously responsible for the processing of their client’s data.

In any of the aforementioned situations, we undertake to take all reasonable measures to ensure the effective protection of the personal data processed by us.

INTERNATIONAL TRANSFER OF DATA

If the provision of services by the HPA Health Group implies the transfer of personal data to third countries (outside of the  European Union or the European Economic Area), including to foreign Insurance Companies or Insurance Brokers, the HPA Health Group will implement the necessary and appropriate measures in the light of the law to ensure the protection of personal data subject to such a transfer, strictly complying with legal procedures regarding the requirements that apply to such transfers.


Taking into account current situations, the associated implementation costs and the nature, scope, context and purpose of data processing, as well as the risks of varying probability and degree to the rights and freedoms of data holders, we have adopted the appropriate technical measures to ensure a level of security adapted to such risks, such as:

  • Pseudonymization and encryption of personal data, when possible;
  • The capability to ensure the confidentiality, integrity, availability and permanent resilience of systems and services;
  • The capability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • A system for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures to ensure the safety of data processing.
  • In the event of a breach of personal data and to the extent that such breach is likely to entail a high risk for the rights and freedoms of our patients, workers and/or partners, we undertake to report such breach to the National Commission for the Protection of Data, within 72 hours of becoming aware of the incident and to the respective holders of the said personal data, whenever such a breach is likely to entail a high risk for their rights. 


The HPA Health Group has appointed a Data Protection Officer. In the event of queries or suggestions regarding the Policy or personal data processing practices, please contact us by Email at dpo@grupohpa.com or write to the following address: Sítio Cruz da Bota, Lote 27, Estrada de Alvor, 8500-322, in Portimão.


We reserve the right to implement changes or update this Policy at any time. Any changes implemented by us will be duly updated on our website. If these imply a substantial change in the way patients’ data is to be processed, we will notify patients of such changes, through the contact details that have been made available.


Last update:  31st May 2022