Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
Record of all systems or contexts in which personal data is processed by the company.
a) This policy applies to all personal data processed by the Managing Entity.
b) This policy applies to all professionals and partners and any third parties who have or may have access to personal data processed by the Managing Entity.
c) The Data Protection Officer shall assume responsibility for the ongoing compliance of the Managing Entity with this policy.
The Managing Entity is committed to processing personal data in accordance with the requirements of the GDPR.
Article 5 of the GDPR requires that personal data be:
a) Processed lawfully, fairly and in a transparent manner in relation to the data subject;
b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered incompatible with the initial purposes;
c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject; and
f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
a) To ensure that data processing is carried out lawfully, fairly and transparently, the Managing Entity maintains a GDPR Management System.
b) The Managing Entity is required to ensure that personal data are accurate and up to date. Where necessary, considering the legal basis under which the data are processed, measures will be adopted to ensure data are kept current.
c) Data subjects have the right to access, rectify, port and erase their personal data. They also have the right to restrict processing and to lodge a complaint with the supervisory authority, the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados – CNPD).
d) Any requests made to the Managing Entity must be handled in a timely manner.
a) Data must be processed in accordance with one of the following legal bases: consent, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a task carried out in the public interest, or legitimate interests.
b) The Managing Entity shall record the applicable legal basis for each data processing activity.
c) When consent is used as the legal basis for processing data, evidence of such consent must be retained with the personal data.
d) When communications are sent to data subjects based on their consent, a clear option to withdraw consent must be made available, and the GDPR Management System must ensure that such withdrawal is accurately reflected in the records of the Managing Entity.
a) The Managing Entity ensures that personal data processed are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
b) As part of its operations, the Managing Entity collects data for the following purposes:
(i) As an employer, it collects, processes and retains personal data of employees, contractors, consultants and job applicants.
(ii) Within its business activities:
• For the promotion and development of internal projects, it collects, processes and retains personal data of contractors; and
• In the development of partnerships with third-party entities for the purpose of promoting training projects, business consulting and service provision, it collects, processes and retains personal data of clients and their employees.
a) All professionals and partners must avoid any inappropriate disclosure of personal data and comply with general confidentiality obligations.
b) Data may be disclosed to third parties where there is a legitimate basis for doing so or where the third party is processing data on behalf of the Managing Entity, under a contract that defines the security and organisational measures for the processing and specifies that the third party acts only under the instructions of the Managing Entity.
c) Data may also be disclosed if required to comply with a legal obligation, statute, or court order; to obtain legal advice; in connection with or for the purpose of the exercise or defence of a legal right in legal proceedings; or when necessary for the protection of national security.
No data will be transferred outside the European Union.
Personal data will be retained only for the time strictly necessary for the purpose of its processing, with respect to each process in which the personal data is handled.
a) The Managing Entity shall maintain data security by protecting the confidentiality, integrity and availability of personal data.
b) To ensure data security, the Managing Entity has adopted technical and organisational measures, including backups and disaster recovery procedures, to prevent unauthorised use or access, unlawful or accidental modification or destruction, and accidental loss.
c) Access to personal data is controlled and restricted to professionals who need access in accordance with the information security policy, and appropriate security measures have been adopted to prevent unauthorised sharing of information.
d) Data is deleted securely, ensuring it is irretrievable.
In the event of a security breach leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, the Managing Entity shall assess the risk to the rights and freedoms of the data subjects and, if appropriate, notify the CNPD (Portuguese Data Protection Authority).
(For additional information, please consult the Portuguese version of this document.)