General Data Protection Regulation Policy (GDPR)
Introduction
This Policy sets out the obligations of Aplaudiscurso Unipessoal Lda. (“the Company”) regarding data protection and the rights of customers and business contacts (“data subjects”) in relation to their personal data under the EU General Data Protection Regulation (“GDPR”). The GDPR defines “personal data” as any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physiological, genetic, mental, economic, cultural or social identity of that natural person.
This Policy sets out the Company's obligations regarding the collection, processing, transfer, storage and disposal of personal data. The procedures and principles set forth herein must be followed at all times by the Company, its employees, agents, contractors or other parties working on the Company's behalf.
The Company is committed not only to the letter of the law but also to its spirit, and attaches great importance to the correct, lawful and fair handling of all personal data, respecting the legal rights, privacy and trust of all individuals with whom it deals.
The Data Protection Principles
This policy is intended to ensure compliance with the GDPR. The GDPR defines the following principles with which any party that handles personal data must comply. All personal data must be:
· Processed lawfully, fairly and transparently in relation to the data subject.
· Collected for specific, explicit and legitimate purposes and not processed later in a manner incompatible with these purposes. Further processing for public interest archival purposes, for scientific or historical research purposes, or for statistical purposes is not considered incompatible with the initial purposes.
· Appropriate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
· Accurate and, where necessary, updated. Every reasonable step must be taken to ensure that personal data which is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.
· Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. Personal data may be stored for longer periods insofar as it is processed solely for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes, subject to the implementation of the appropriate technical and organizational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject.
· Processed in a manner that ensures proper security of personal data, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
The rights of data subjects
The GDPR establishes the following rights for data subjects:
· The right to be informed;
· The right of access;
· The right to rectification;
· The right to erasure (also known as the “right to be forgotten”);
· The right to restrict processing;
· The right to data portability;
· The right to object; and
· Rights in relation to automated decision-making and profiling.
Legal, fair and transparent data processing
The GDPR seeks to ensure that personal data is processed lawfully, fairly and transparently, without adversely affecting the rights of the data subject. Under the GDPR, the processing of personal data is lawful only if at least one of the following applies:
· The data subject has given his consent to the processing of his personal data for one or more specific purposes;
· Processing is necessary for the execution of a contract to which the data subject is a party, or to take action at the request of the data subject before entering into a contract with them;
· Processing is necessary to fulfill a legal obligation to which the data controller is subject;
· Processing is necessary to protect the vital interests of the data subject or other natural person;
· Processing is necessary for the performance of a task performed in the public interest or exercising the official authority assigned to the data controller; or
· Processing is necessary for the legitimate interests pursued by the data controller or third parties, unless these interests are overridden by the fundamental rights and freedoms of the data subject that require protection of personal data, in particular when the data subject is a child.
If the personal data in question is “special category data” (also known as “sensitive personal data”) (e.g. data relating to the health of the data subject), at least one of the following conditions must be met:
· The data subject has given their explicit consent to the processing of such data for one or more specific purposes (unless EU or EU Member State law prohibits them from doing so);
· Processing is necessary to protect the vital interests of the data subject or another natural person where the data subject is physically or legally incapable of giving consent;
· Processing relates to personal data which are manifestly made public by the data subject;
· Processing is necessary for the conduct of legal proceedings or whenever courts are acting in their judicial capacity.
Specified, Explicit and Legitimate Purposes
The Company collects and processes the personal data set out in this Policy.
That includes:
· Personal data collected directly from data subjects; or
· Personal data obtained from third parties.
· The Company only collects, processes and maintains personal data for the specific purposes set out in this Policy (or for other purposes expressly permitted by the GDPR).
· Data subjects are always kept informed of the purpose or purposes for which the Company uses their personal data.
Proper, Relevant and Limited Data Processing
The Company will only collect and process personal data for and to the extent necessary for the specific purpose or purposes of which the data subjects have been informed (or will be informed).
Data accuracy and up-to-date data maintenance
· The Company must ensure that all personal data collected, processed and maintained by it are kept accurate and up to date. This includes, but is not limited to, the rectification of personal data at the request of a data subject.
· The accuracy of personal data must be checked when it is collected and at regular intervals thereafter. If any personal data is found to be inaccurate or out of date, all reasonable steps will be taken without delay to correct or erase such data as appropriate.
Data Retention
· The Company must not retain personal data any longer than necessary in light of the purpose or purposes for which the personal data was originally collected, maintained and processed.
· When personal data is no longer needed, all reasonable steps will be taken to delete or dispose of it without delay.
· For full details of the Company's approach to data retention, including retention periods for specific types of personal data held by the Company, please see our Data Retention Policy.
Secure Processing
The Company must ensure that all personal data collected, maintained and processed are kept secure and protected from unauthorized or illegal processing and from accidental loss, destruction or damage. Further details of the technical and organizational measures that must be taken are provided later in this Policy.
Accountability and Record Keeping
The Company's Data Protection Officer is Gustavo Galves
E-mail: gustavo@esteticainfoco.org
Tel: +351 215 844 617
The Data Protection Officer will be responsible for overseeing the implementation of this Policy and for monitoring compliance with this Policy, the other policies relating to the Company's data protection and with the GDPR and other applicable data protection legislation.
· The Company must maintain internal written records of all personal data collected, maintained and processed, which must incorporate the following information:
· The name and details of the Company, its Data Protection Officer and any applicable third-party data processors;
· The purposes for which the Company collects, holds and processes personal data;
· Details of the categories of personal data collected, maintained and processed by the Company, and the categories of data subject to which such personal data relates;
· Details of any transfers of personal data to non-EEA countries, including all security mechanisms and safeguards;
· Details of how long personal data will be retained by the Company; and
· Detailed descriptions of all technical and organizational measures taken by the Company to ensure the security of personal data.
Data Protection Impact Assessments
· The Company must conduct Data Protection Impact Assessments for any and all new projects and/or new uses of personal data.
· Data Protection Impact Assessments should be overseen by the Data Protection Officer and should address the following:
1. The type(s) of personal data that will be collected, maintained and processed;
2. The purpose(s) for which the personal data are to be used;
3. The Company's objectives;
4. How the personal data are to be used;
5. The parties (internal and/or external) to be consulted;
6. The necessity and proportionality of the data processing in relation to the purpose(s) for which it is being processed;
7. Risks for data subjects;
8. Risks posed within and to the Company; and
9. Proposed measures to minimize and deal with identified risks.
Keeping data subjects informed
The Company will provide the information set out in point (i) below to each data subject:
If personal data is collected directly from data subjects, those data subjects will be informed of its purpose at the time of collection; when personal data is obtained from third parties, the relevant data subjects will be informed of its purpose:
a) if the personal data are used to communicate with the data subject, when the first communication is made; or
b) if the personal data are to be transferred to another party, before the transfer is made; or
c) as soon as reasonably possible and, in any case, no later than one month after the personal data is obtained.
i) The following information must be provided:
· Company details including, but not limited to, the identity of its Data Protection Officer;
· The purpose(s) for which the personal data is being collected and will be processed (as detailed in this Policy) and the legal basis that justifies collection and processing;
· Where applicable, the legitimate interests on which the Company is justifying the collection and processing of personal data;
· When personal data is not obtained directly from the data subject, the categories of personal data collected and processed;
· When personal data must be transferred to one or more third parties, details of those parties;
· When personal data must be transferred to a third party located outside the European Economic Area (the “EEA”), details of such transfer, including but not limited to the safeguards in place;
· Data retention details;
· Details of the data subject's rights under the GDPR;
· Details of the data subject's right to withdraw their consent to the Company's processing of their personal data at any time;
· Details of the data subject's right to complain to the Information Commissioner's Office (the “supervisory authority” under the GDPR);
· Where applicable, details of any legal or contractual requirement or obligation that requires the collection and processing of personal data and details of any consequences of failure to provide it; and
· Details of any automated decision-making or profiling that will take place using personal data, including information on how decisions will be made, the significance of those decisions and any consequences.
Data Subject Access
· Data Subjects may make Subject Access Requests (“SARs”) at any time to obtain more information about the personal data the Company holds about them, what it is doing with that personal data and why.
· Data subjects who wish to make an SAR may do so in writing using the Company's Subject Access Request Form or by other written communication. SARs should be addressed to the Company's Data Protection Officer at [Aplaudiscurso Unipessoal Lda.], [Rua Elias Garcia, 360 3ºA – Venteira – Amadora, Portugal – 2700-319], Tel: [+351 215-844-617], E-mail: [gustavo@esteticainfoco.org].
· Responses to SARs should normally be made within one month of receipt; however, this can be extended by up to two months if the SAR is complex and/or numerous requests are made. If this additional time is required, the data subject must be informed.
· All SARs received will be handled by the Company's Data Protection Officer.
· The Company does not charge a fee for handling normal SARs. The Company reserves the right to charge reasonable fees for additional copies of information that has already been provided to a data subject and for manifestly unfounded or excessive requests, especially when such requests are repetitive.
Correction of personal data
· Data subjects have the right to demand that the Company rectify any personal data that is inaccurate or incomplete.
· The Company must rectify the personal data in question, and inform the data subject of that rectification, within one month of the data subject informing the Company of the matter. The period can be extended by up to two months for complex requests. If this additional time is required, the data subject must be informed.
· In the event that any affected personal data has been disclosed to third parties, these parties must be informed of any rectification that must be made to that personal data.
Deletion of personal data
Data subjects have the right to request that the Company delete the personal data it holds about them in the following circumstances:
a) It is no longer necessary for the Company to keep such personal data in relation to the purpose(s) for which it was originally collected or processed;
b) The data subject wishes to withdraw their consent to the Company holding and processing their personal data;
c) The data subject objects to the Company holding and processing their personal data (and there is no legitimate interest that allows the Company to continue to do so);
d) The personal data have been processed unlawfully; or
e) The personal data must be deleted in order for the Company to comply with a particular legal obligation.
Unless the Company has reasonable reasons to refuse to delete personal data, all deletion requests must be complied with and the data subject must be informed of the deletion, within one month from the date of receipt of the data subject's request. The period can be extended for up to two months for complex requests. If this additional time is required, the data subject must be informed.
In the event that any personal data that are to be deleted in response to a data subject's request have been disclosed to third parties, those parties must be informed of the deletion (unless it is impossible or requires a disproportionate effort to do so).
Personal Data Processing Restriction
Data subjects may request that the Company stop processing the personal data it holds about them. If a data subject makes such a request, the Company shall retain only the amount of personal data relating to the data subject (if any) that is necessary to ensure that the personal data in question is not processed further.
In the event that any affected personal data has been disclosed to third parties, those parties will be informed of the applicable restrictions on processing it (unless it is impossible or requires disproportionate effort to do so).
Objections to Personal Data Processing
Data subjects have the right to object to the Company processing their personal data on the basis of legitimate interests, for direct marketing (including profiling), and for scientific and/or historical research and statistical purposes.
When a data subject objects to the Company processing their personal data on the basis of its legitimate interests, the Company will cease such processing immediately, unless it can be demonstrated that the Company's legitimate grounds for such processing override the interests, rights and freedoms of the data subject, or that the processing is necessary for the conduct of legal proceedings.
When a data subject objects to the Company processing their personal data for direct marketing purposes, the Company will cease such processing immediately.
When a data subject objects to the Company processing their personal data for scientific and/or historical research and statistical purposes, the data subject must, under the GDPR, “demonstrate grounds relating to his or her particular situation”. The Company is not obliged to comply if the research is necessary for the performance of a task carried out for reasons of public interest.
Personal Data Collected, Retained and Processed
The following personal data are collected, maintained and processed by the Company:
Data Ref. Data Type Purpose of Data Electronic and Printed Student Records
Data security - transfer of personal data and communications
The Company must ensure that the following measures are taken with respect to all communications and other transfers involving personal data:
· All emails containing personal data must be encrypted using encryption software;
· All emails containing personal data must be marked as “confidential”;
· Personal data may only be transmitted over secure networks; transmission over unsecured networks is not allowed under any circumstances;
· Personal data may not be transmitted over a wireless network if there is a wired alternative that is reasonably practicable;
· Personal data contained in the body of an email, whether sent or received, must be copied from the body of that email and stored securely. The email itself must then be deleted. Any temporary files associated with it must also be deleted using deletion software;
· When personal data must be sent by fax, the recipient must be informed before transmission and must be waiting at the fax machine to receive the data;
· When personal data is to be transferred in printed form, it must be handed directly to the recipient or sent using Registered Mail or signed-for first or second class post; and
· All personal data to be physically transferred, whether in hard copy or on removable electronic media, must be transferred in a suitable container marked “confidential”.
Data Security - Storage
The Company must ensure that the following measures are taken with respect to the storage of personal data:
· All electronic copies of personal data must be securely stored using passwords and data encryption;
· All hard copies of personal data, together with any electronic copies stored on removable physical media, must be securely stored in a locked box, drawer, cabinet or similar;
· All electronically stored personal data must be backed up at least daily, with backups stored on site. All backups must be encrypted.
Data Security - Disposal
When any personal data must be erased or disposed of for any reason (including copies already made and no longer needed), it must be deleted and safely disposed of.
Data Security - Use of Personal Data
The Company shall ensure that the following measures are taken with respect to the use of personal data:
· No personal data may be shared informally and, if an employee, agent, subcontractor or other party working on behalf of the Company requires access to any personal data to which they do not already have access, such access must be formally requested from the Data Protection Officer;
· No personal data may be transferred to any employees, agents, contractors or other parties, whether those parties are working on behalf of the Company or not, without the authorization of the Data Protection Officer;
· Personal data must be handled with care at all times and must not be left unattended or in view of unauthorized employees, agents, subcontractors or other parties at any time;
· If personal data is being displayed on a computer screen and the computer in question is left unattended for any period of time, the user must lock the computer and screen before leaving; and
· When personal data held by the Company are used for marketing purposes, it will be the responsibility of [Aplaudiscurso Unipessoal Lda.] to ensure that the appropriate consent is obtained and that no participant has opted out, either directly or through a third-party service such as the TPS.
Data Security - IT Security
The Company must ensure that the following measures are taken with respect to information and IT security:
· All passwords used to protect personal data must be changed regularly and must not use words or phrases that can be easily guessed or compromised. All passwords must contain a combination of upper and lower case letters, numbers and symbols;
· Under no circumstances should any passwords be recorded or shared among any employees, agents, contractors or other parties working on behalf of the Company, regardless of seniority or department. If a password is forgotten, it must be reset using the applicable method. IT staff do not have access to passwords;
· All software (including but not limited to applications and operating systems) must be kept up to date. The Company's IT staff will be responsible for installing any and all security-related updates after the updates are made available by the publisher or manufacturer, unless there are valid technical reasons not to do so; and
· No software may be installed on any Company computer or device without the Company's prior approval.
Organizational Measures
The Company must ensure that the following measures are taken with respect to the collection, possession and processing of personal data:
· All employees, agents, contractors or other parties working on behalf of the Company must be fully informed of their individual responsibilities and the Company's responsibilities under the GDPR and under this Policy, and must receive a copy of this Policy;
· Only employees, agents, subcontractors or other parties working on behalf of the Company who need access to and use of personal data to properly perform their tasks should have access to the personal data held by the Company;
· All employees, agents, contractors or other parties working on behalf of the Company who handle personal data will be properly trained to do so;
· All employees, agents, contractors or other parties working on behalf of the Company who handle personal data will be properly supervised;
· All employees, agents, contractors or other parties working on behalf of the Company who handle personal data must be asked and encouraged to exercise care, caution and discretion when discussing matters relating to working with personal data, whether in the workplace or otherwise;
· Methods of collecting, holding and processing personal data must be regularly evaluated and reviewed;
· All personal data maintained by the Company must be reviewed periodically, as set forth in the Company's Data Retention Policy;
· The performance of employees, agents, contractors or other parties working on behalf of the Company in the processing of personal data must be regularly evaluated and reviewed;
· All employees, agents, contractors or other parties working on behalf of the Company who handle personal data will be required to do so in accordance with the principles of the GDPR and this Policy by contract;
· All agents, contractors or other parties working on behalf of the Company who handle personal data must ensure that any and all of their employees involved in the processing of personal data are bound by the same conditions as the relevant employees of the Company arising out of this Policy and the GDPR; and
· When any agent, contractor or other party working on behalf of the Company that handles personal data fails in its obligations under this Policy, that party shall indemnify and hold the Company harmless from any costs, liabilities, damages, losses, claims or lawsuits that may arise out of that failure.
Transfer of personal data to a country outside the EEA
The Company may from time to time transfer personal data ('transfer', including making available remotely) to countries outside the EEA.
The transfer of personal data to a country outside the EEA should only take place if one or more of the following applies:
· The transfer is to a country, territory, or one or more specific sectors in that country (or an international organization), which the European Commission has determined ensures an adequate level of protection for personal data;
· The transfer is to a country (or international organization) that provides appropriate safeguards in the form of a legally binding agreement between public authorities or bodies; binding corporate rules; standard data protection clauses adopted by the European Commission; compliance with an approved code of conduct approved by a supervisory authority (e.g. the Information Commissioner's Office); certification under an approved certification mechanism (as provided for in the GDPR); contractual clauses agreed and authorized by the competent supervisory authority; or provisions contained in administrative arrangements between public authorities or bodies authorized by the competent supervisory authority;
· The transfer is made with the informed consent of the relevant data subject(s);
· The transfer is necessary for the performance of a contract between the data subject and the Company (or for pre-contractual steps taken at the request of the data subject);
· The transfer is necessary for important reasons of public interest;
· The transfer is necessary for the conduct of legal proceedings;
· The transfer is necessary to protect the vital interests of the data subject or of other individuals, where the data subject is physically or legally incapable of giving consent; or
· The transfer is made from a register which, under UK or EU law, is intended to provide information to the public and which is open to the general public or to those who have a legitimate interest in accessing the register.
Data Breach Notification
· All personal data breaches must be reported immediately to the Company's Data Protection Officer.
· If a personal data breach occurs and that breach results in a risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage or other significant social or economic harm), the Data Protection Officer must ensure that the Information Commissioner's Office is informed of the breach without delay and, in any case, within 72 hours of becoming aware of it.
· In the event that a personal data breach results in a high risk (i.e. a greater risk than that described in the preceding point) to the rights and freedoms of data subjects, the Data Protection Officer must ensure that all affected data subjects are informed of the breach directly and without undue delay.
· Data breach notifications must include the following information:
· The categories and approximate number of data subjects concerned;
· The categories and approximate number of personal data records concerned;
· The name and contact details of the Company's Data Protection Officer (or other point of contact where more information can be obtained);
· The likely consequences of the breach;
· Details of the measures taken, or proposed to be taken, by the Company to address the breach, including, where appropriate, measures to mitigate its potential adverse effects.
Policy Implementation
This Policy will be effective as of May 25, 2018. No part of this Policy will have retroactive effect and, therefore, it will only apply to matters that occur on or after that date.
This policy has been approved and authorized by:
Name: Gustavo Galves
Position: Manager of Aplaudiscurso Unipessoal Lda.
Date: 12/06/19
Signature:
Policy Review: 08/21/19