- PRESENTATION AND LEGAL FRAMEWORK
ITSCRED – INFORMATION TECHNOLOGY, S.A., traded corporation, with its head office in Rua das Oliveiras, nº 72, 1º, 4050 – 448 Porto, registered in the Conservatory of the Commercial Registry of Porto, under the no. 514829320, with the share capital of 100.000 Euros, intends, by providing and complying with the present Policy Privacy, to correspond to the Regulation guidelines (UE) 2016/679, of the European Parliament and of the Council of the 27TH of April of 2016- General Regulation on the Protection of Personal Data, and also to the assortment of the Portuguese laws which regulates the theme of the protection of personal data.
- GENERAL PRINCIPALS APLICABLE TO THE PROCESSING OF PERSONAL DATA
ITSCred ensures that the data which is processed is:
- Object to illicit, loyal and transparent processing in regard to the Holder;
- Collected for specific purposes, explicit and legitimate, not being processed later in a incompatible way for those purposes;
- Suitable, relevant and limited to the required, relatively to the purposes to which they’re processed for;
- Exact and updated when needed, adopting appropriate measures so that the inaccurate data is deleted or rectified without delay, taking into account the purposes which they’re processed for;
- Preserved in a way that allows to identify the Holder, only during the required period for the purposes which they’re processed for;
- Processed in a manner that guarantees its safety, including protection against its unauthorized or ilicit processing and against its loss, destruction or accidental damage, adopting the appropriate technical and organizational measures.
- LAWFULNESS OF PROCESSING PERSONAL DATA
The processing of data by ITSCred is legal when at least one of the following situations is complied:
- The Holder has given his expressive consent for the processing of Personal Data for one or more specific purposes;
- The processing is necessary for the execution of a contract which the Holder is part of, or for pre-contractual diligences upon the Holder’s request;
- The processing is necessary for the compliance of a legal obligation which ITSCred is subjected to;
- The processing is necessary for the defence of the Holder’s vital interests or any other natural person;
- The processing is necessary for any legal interests sustained by ITSCred or third parties (except if the Holder’s prevailing interests, rights or freedom demand the protection of personal data).
ITSCred undertakes to ensure that the processing of Personal Data is only done in the conditions listed above and with respect to the principals mentioned above.
When the processing of Personal Data is done by ITSCred, based on the Holder’s consent, he has the right to withdraw his consent at any time. The consent withdrawal, nevertheless, doesn’t comprise the lawfulness of the processing done by ITSCred, based on the Holder’s previous consent.
- USE AND PURPOSES OF PROCESSING PERSONAL DATA
ITSCred collects and processes Personal Data with the following aims:
- Identification and application instructions;
- Management of the Contractual Relation with the Holder;
- Contact management with the Holder;
- Invoicing and collection of the Holder;
- Use of the Holder’s image in the scope of marketing activities, promotion and Team building, through any support, when the image has been collected in events, parties, activities;
- Safety of ITSCred’s facilities.
The personal data collected by ITSCred isn’t shared with third parties without their consent, except in the situations mentioned below. Although, in case the holder contracts ITSCred’s services that are provided by other entities which are responsible for processing personal data (example, nutritional consultation), the data may be consulted or accessed by these entities, as far as it’s necessary to the referred services.
In the applicable legal terms, ITSCred can transmit or communicate Personal Data to other entities in case it’s necessary for the contract execution established between the Holder and ITSCred, or for pre-contractual diligences requested by the holder, if it’s needed for any legal requirement which ITSCred is submitted to or if it’s necessary to pursuit ITSCred’s or third party’s legitimate interests (for example, in case of sale or transmission of part or the all of ITSCred, or of their assets amongst detained entities by or related to ITSCred).
- COLLECTION AND PROCESSING PERSONAL DATA
In the scope of concluding work contracts, service provision contracts in which he intervenes as a Supplier or Client, as well as in supplying of goods contracts where he’s a Client, and in his duty performance in general, ITSCred may require different entities to make personal data available, in other words, information provided that allows ITSCred to identify and/or contact and that can be processed for that purpose. As a rule, Personal Data is requested when submitting applications, or contract handling, of both work, supplying of goods or service provision.
ITSCred can collect data directly from the Holder, through partner entities or third parties.
Personal Data gathered may vary according to the reason which originates its collection. In the same way, the processing will also vary depending on the purpose of its destination, as well as the period pf data preservation, which in any case, won’t exceed the maximum limit of 12 (twelve) years. In each case, ITSCred will inform the purpose of the data that is collected.
ITSCred provides detailed information about the nature of the data collected and its purpose, as well as the processing and the information mentioned in point 7 and the following, when collecting personal data.
5.2. OUTSOURCED ENTITIES
These subcontracted entities cannot transmit Personal Data to other entities or contract other entities without ITSCred’s prior written authorization.
ITSCred assumes the commitment to subcontract only the entities which present sufficient guarantees in executing appropriate technical and organizational measures, to ensure the Holder’s defence of rights.
On the other hand, ITSCred uses the service of subcontracted people, in the development of some specific projects. ITSCred assumes to regulate and communicate to those people, the object and the length of the process, the nature and purpose of the processing, the type of personal data, the categories of the holders given and the rights and duties of those parts.
When collecting personal data, ITSCred provides the Holder with information about the categories of the subcontracted entities that, in the actual case, may process data in ITSCred’s name.
- TECHNICAL, ORGANIZATIONAL AND SAFETY MEASURES IMPLEMENTED
To ensure personal data safety and the maximum confidentiality, we process the information that is provided to us in an absolute confidential manner, in accordance to our policies and internal safety and confidentiality procedures, which are periodically updated according to the needs, as well as in accordance to the terms and conditions legally foreseen.
According to the nature, of the scope, the context and its purposes in processing data, as well as the resulting risks for the Holder’s rights and freedom, ITSCred undertakes to apply, the necessary and adequate technical and organizational measures to protect personal data and fulfil the legal requirements. It also commits to ensure that, by default, only the data which is necessary is processed for each specific purpose and that this data isn’t available to an undetermined number of people without
Regarding general measures, ITSCred takes the following:
- Awareness and training the personnel implied in the operations of data processing;
- Safety protocol implementation;
- Pseudonymising and personal data encryption, when necessary
- Mechanisms capable of ensuring confidentiality, availability and resilience of the information systems;
- Safety procedures to ensure confidentiality and safety of the physical registers where is personal data;
- Mechanisms that ensure the re-establishment of information systems and the access personal data in a timely way in case of a physical or technical incident – backups;
- DATA TRANSFER OUT OF THE EUROPEAN UNION
In certain types of processing, personal data, collected by ITSCred may be made available to third parties, that can involve its transfer out of the European Union. In this case, ITSCred undertakes to ensure that the transfer follows the applicable laws, namely in determining the adequacy of the country in relation to the protection of personal data and the applicable requirements of such transfers.
- HOLDERS’ RIGHTS (DATA HOLDERS)
In the applicable legal terms, ITSCred has the duty to ensure and promote the personal data holders’ rights which was collected and processed by ITSCred. Below are the rights:
- RIGHT TO INFORMATION
Information provided to the Holder by ITSCred (when the data is collected directly from the Holder):
- The identity and ITSCred’s contacts, responsible for processing and, if applicable, of its representative;
- The purpose of the personal data processing, as well as, if applicable, the legal basis for its processing;
- If the data processing is based on ITSCred or third parties’ legitimate interests, indicating such interests;
- If applicable, the recipients or categories of personal data’s recipients;
- If applicable, indication that personal data will be transferred to a third country or an international organization, and an existence or non-existence decision of adequacy adopted by the Commission or a reference to appropriate transfer guarantees.
- Personal Data storage period;
- If the data processing is based on the Holder’s consent, the right of withdrawing it at any time, without compromising the lawfulness of the processing made with the previous given consent;
- Indication if the communication of personal data constitutes or not a legal or contractual obligation, or a necessary requirement to start a contract, as well as if the Holder is obliged to give personal information and the potential consequences of not providing that data;
- If applicable, the existence of automatized decisions, including profile settings, and information related to the rationale behind, as well as the importance and consequences foreseen for the processing of the Holder’s personal data.
In the case the data isn’t collected directly by ITSCred regarding the Holder, besides the information mentioned above, the Holder is additionally informed about the categories of personal data under processing and, as well as, in regard to the origin of the data, and eventually, if it’s originated of publicly accessible sources.
In the event of ITSCred intending to proceed to further Personal Data processing to a purpose that the data wasn’t collected for, before this process, ITSCred will provide the Holder with information about this purpose and any other relevant information, in the terms, mentioned above.
In order to ensure the full enjoyment of the right to information, ITSCred has implemented the mechanisms (technological and procedural) to provide information before collecting personal data.
- RIGHT TO ACCESS PERSONAL DATA
ITSCred guarantees the means that allow access, by the Holder, to his Personal Data.
The Holder has the right to obtain from ITSCred the confirmation that the personal data which concerns him are or not object to processing and , in this case e, the right to access his personal data and the following information:
- The purpose of the processing of data;
- The personal data categories in question;
- The recipients or recipient categories to whom the data was or will be disclosed to, namely the established recipients in third countries or belonging to international organizations;
- The Personal Data preservation period;
- The right to request ITSCred to rectify, delete or limit Personal Data processing, or the right to oppose that processing;
- The right to file an appeal to CNPD or any other authority of control;
- If the data hasn’t been collected close to the Holder, the information available regarding the origin of this data;
- The existence of automatic decisions, including profile settings, and information related to the underlying logic, as well as the importance and foreseen consequences of such processing for the Personal Data Holder;
- Right to be informed about appropriate guarantees related to data transfer to third countries or international organizations;
Upon request, ITSCred provides the Holder, without charge, a copy of his Personal Data which is in the processing stage. The provision of other requested copies may entail administrative costs.
- RIGHT OF PERSONAL DATA RECTIFICATION
The Holder has the right to request, at any time, the correction of his Personal Data, as well as the right to add data which is incomplete, included by an additional statement.
In case of correcting any data, ITSCred informs each recipient whose data was transmitted and the related corrections, unless the communication is impossible or implies ITSCred with a disproportionate effort. If the Holder asks, ITSCred provides information about the referred recipients;
- RIGHT OF PERSONAL DATA DELETION (“RIGHT TO BE FORGOTTEN”)
The Holder has the right to obtain from ITSCred, the deletion of his personal data when one of the following reasons is implied:
- The personal is no longer necessary for the purposes which led to its collection and processing;
- The Holder withdraws his consent in which the data processing is based and a legal basis doesn’t exist for the referred processing;
- The Holder opposes the processing under the right to oppose and other legitimate interests don’t justify the processing;
- If the Personal Data is unlawfully processed;
- If the Personal Data has to be deleted in order to fulfil a judicial obligation that ITSCred is submitted to;
- If the Personal Data that was collected in a service offering context in the children’s information society.
- In the applicable legal terms, ITSCred isn’t obliged to delete Personal Data as long as the processing reveals the need to comply with a legal obligation that ITSCred is submitted to or for the purpose of declaring, exercising or defence of ITSCred’s rights in a judicial process.
In the event of deleting data, ITSCred informs each recipient/entity to whom is concerned the respective deletion, unless such communication is impossible or implies a disproportionate effort in behalf of ITSCred. If the Holder asks, ITSCred provides information about the recipients referred.
When ITSCred has made the Personal Data public and is obliged to delete it under the right of deletion, ITSCred ensures to take the necessary measures, including in technical nature, considering the technology available and the costs implicated, to inform the people responsible for the processing of Personal Data which the Holder asked to delete, as well as copies or reproductions.
- RIGHT OF THE LIMITATION OF PROCESSING PERSONAL DATA
The Holder has the right to obtain from ITSCred, the limitation of Personal Data, if one of the situations is applied (the limitation consists on marking the personal data that is preserved with the goal of limiting its processing in the future):
- If he contests the accuracy of the Personal Data, during a period that allows ITSCred to verify its accuracy;
- If the processing is illicit and the Holder opposes to the deletion of the data, requesting, in contrast, the limitation of its use;
- If ITSCred no longer needs the Personal Data for processing purposes, but that data is required by the Holder for purposes of declaration, exercise or defence of a right in a judicial process;
- If the holder has opposed to the processing, until verifying that ITSCred’s legitimate reasons prevail over the Holder’s.
- When the Personal Data is subjected to limitation, can only be processed with the Holder’s consent, exercise or defence of a right in a judicial process, of another natural or legal person’s defence of rights or for public interest reasons legally required.
- The Holder that has obtained limitation in data processing, in the cases mentioned above, will be informed by ITSCred before cancelling the processing limitation;
- In the event of limiting the processing of data, ITSCred will inform the limitations to each recipient who the data has been transmitted to, unless the communication reveals to be impossible or implicates a disproportional effort for ITSCred. IF the Holder requests, ITSCred provides information about the recipients referred.
- RIGHT OF PERSONAL DATA PORTABILITY
The Holder has the right to receive personal data which concerns him and that he has provided ITSCred, in a structured way, of current use and automatic Reading, and the right to transmit this data to another person responsible for its processing, if:
- The processing is based on a consent or contract which the Holder is part of; and
- The data is processed by automatic means;
- The right to portability doesn’t include inferred or derived data, for example personal data that is generated by ITSCred as a consequence or result of the analysis of the data object to processing.
- The Holder has the right for his personal data being directly transmitted between those responsible for processing it, whenever technically possible. The exercise of the right of the data’s portability is applied without prejudice of the right to delete data.
- RIGHT TO OPPOSE THE PROCESSING
The Holder has the right to oppose at any time, in particular related reasons, the processing of personal data which concerns him that is based on the legitimate interests maintained by ITSCred or when the processing is intended for purposes which the data collected wasn’t for, including profile settings, or when the data is processed for statistical purposes.
ITSCred will cease Personal Data processing, unless legitimate and compelling reasons are presented prevail over the Holder’s interests, rights or freedom, or for the purpose of declaring, exercising or in defence of ITSCred’s rights in a judicial process.
When the personal data is processed for direct commercialization (marketing), the Holder has the right to oppose at any time, the processing of personal data which concerns him for all intents and purposes of the referred marketing that covers profile settings which is related to direct commercialization. In the event of the Holder opposing to the processing of his data for marketing reasons, ITSCred ends the processing of that purpose.
The Holder also has the right to not be submitted to any decision made, exclusively based on automatic processing, including profile settings, that produce effects in his judicial sphere or that significantly affect him in any similar way, unless the decision:
- Is necessary for the conclusion or execution of the contract between the Holder and ITSCred;
- Is authorized by law that ITSCred is subject to; or
- Is based on the Holder’s explicit consent.
- RIGHT TO WITHDRAW CONSENT
The Holder has the right, at anytime, to withdraw the consent of processing his Personal Data.
However, note that any consent withdrawal doesn’t damage the lawfulness of the processing conducted, based on the previous given consent.
- RIGHT TO COMMUNICATE ANY INFRINGEMENT
The Personal Data Holder has the right to be informed of any violation to his rights, without delay.
Such violations may consist, namely, in improper accessing of Personal Data, Personal Data processing for different purposes to which was given consent or that is legally admissible, safety breaches in the systems where the data is saved, or Personal Data deletion.
Note that, in legal terms, this communication isn’t required in the following points:
- In the event of ITSCred having applied suitable protection measures, both technical and organizational, and those measures have been applied to Personal Data which was affected by Personal Data’s violation, especially measures that make the data incomprehensible to any unauthorized person that accesses this data, such as encryption;
- In the face of ITSCred having taken subsequent measures that ensure the high risk for the Holder’s rights and freedom, that is no longer likely to consolidate; or
- In case the communication with the Holder implies ITSCred with a disproportionate effort. Then, ITSCred will make a public communication or take a similar measure through which the Holder will be informed.
- RIGHT TO ADDRESS A COMPLAIN
The Personal Data Holder has the right to make a complaint to a National Supervisory Authority, or, eventually, to a Judicial Authority, if he considers there was violation of his rights as a Personal Data Holder.
- PROCEDURES WITH THE PURPOSE OF PRACTICING THE RIGHTS BY THE HOLDER
The right of access, rectification, deletion, limitation, portability and the right to oppose may be exercised by the Holder by contacting ITSCred, or through the email firstname.lastname@example.org
ITSCred will reply in writing (including electronic means) to the Holder’s request in the maximum of a month upon receiving the request, except in especial or complex cases, which the period can be extended until two months.
If the Holder’s requests are unfounded or excessive, particularly due to its repetitiveness, ITSCred reserves the right to charge administrative costs or to refuse to follow-up the request.
Each time the Holder participates in an event promoted by ITSCred, namely parties, sport activities or any other, and without prejudice to the right of honour, intimacy and own image, as well as the applicable law that ITSCred is obliged, it’s considered that the processing and collection of the Holder’s image is legal, as they correspond to a legitimate interest of commercial disclosure sustained by ITSCred (the Holder’s image may be collected, according to normal use, in the scope of marketing activities, promotion and team building, including photos, images and sound), if the Holder has given his consent.
Also within the legitimate interest of commercial disclosure, ITSCred may use this data in photos or videos that are shown in its own means of communication, namely on Internet pages, Facebook pages or other social media, projectors and LCD’s installed in ITSCred’s facilities, etc. The Holder has the right to oppose using his image in the legal terms applied and to ask ITSCred to remove his images from its communication means.
In case he doesn’t consent ITSCred using his image, the Holder cannot participate in any events referred above, since ITSCred cannot ensure that the Holder’s image isn’t collected.
- FINAL PROVISIONS
- APPLICABLE LAW AND VENUE