I. Introduction and General Considerations
II. Definitions of Relevant Concepts in terms of Data Protection
To better understand the content of this policy, it is important to recall the definition of some of the more relevant concept in the area of data protection:
a) Personal Data: Any information regarding a physical personal, identified or identifiable, through which his/her identity can be directly or indirectly determined, such as: name, telephone number, civil identification number, date of birth, etc.
b) Categories of Personal Data: Personal data can be grouped in different categories, such as: data on identification, qualifications, education, financial information, banking, professional information, health, biometrics, etc.
c) Processing: An operation or a set of operations carried out on personal data or sets of personal data, by automated means or otherwise, such as collection, recording, organisation, structuring, retention, adaptation or alteration, recovery, checking, use, disclosure, transmission, broadcast or any other way of making them available, comparison or connection, limitation, erasure or destruction.
d) Data Subject: Any individual whose personal data are subject to processing.
e) Data Controller: Any individual or legal person that, alone or in conjunction with others, determines the purposes and the means of personal data processing.
f) Data Processor: Any individual or legal person that processes personal data on behalf of the Data Controller.
III. Personal Data Processing Assurances
1. Personal data processing at AQUASIS is carried out transparently and in strict compliance with the right to privacy, as well as with the fundamental rights, freedoms and guarantees of the data subjects.
2. Personal data are collected directly form the data subjects, through personal contact or in writing (e-mail or by post), for the express and legitimate purposes determined and they may not later be processed in a way incompatible with these purposes.
3. If personal data are collected from third parties, the data subject will be informed of such collection and of his/her rights as data subject.
IV. Personal Data Processing
1. AQUASIS assures that access to the personal data collected is limited to that strictly necessary for the purposes defined.
2. All AQUASIS users who access the data are contractually obliged to the duties of confidentiality, which include non-disclosure of the information on the data subjects.
3. The data collected by the AQUASIS may also be shared with:
I. Receiving entities and/or third parties.
II. Entities that provide services to AQUASIS in their capacity as data processors.
III. Entities that belong to the AQUASIS network, under the scope of their activities, in countries outside of the European Union where and adequate protection level is assured.
IV. Competent authorities to which AQUASIS is legally obliged to disclose information during the course of legal or administrative proceedings or if technical and/or security issues are detected.
V. Entities indicated by data subject, at his/her request.
V. Rights of data subjects
1. Data subjects are assured the right of access. This means that data subjects are entitled to receive confirmation from AQUASIS that their personal data are subject to processing, or not, that they have the right to access these, to keep them up to data, to receive a copy of them and to receive the following information on the processing of their data:
I. Purposes of data processing;
II. Categories of personal data;
III. Data recipients or categories of data recipients;
IV. The transfer of data to a country outside of the European Union;
V. If possible, the period of time the personal data are expected to be retained.
2. Data subjects are also assured of the following rights over the data:
I. Rectification of personal data that is inaccurate or incomplete;
II. Erasure of the data (a) when they are no longer necessary for the purpose, (b) when they are unlawfully processes, (c) when the data subject withdraws his/her consent (and the processing is dependent on that consent), (d) when the data subject objects to the processing (and there are no legitimate interests that prevail over that objection).
III. Data limitation (a) when the accuracy of the data is challenged, (b) when the processing is unlawful and the data subject requests the limitation of their processing instead of erasure, (c) when AQUASIS no longer needs the data but the data subject asks for them to be kept for other purposes, (d) when the data subjects objects and while the legitimacy of the processing is being assessed.
IV. Objection to processing when the processing is based on a legitimate interest of AQUASIS or when it has been used for purposes other than those they were collected for.
V. Lodging a complaint with the data controller and the supervisory authority if you disagree with the way your data were processed.
VI. Information on the source of the data if the data were not collected from the data subject.
VII. Portability, when the data have been processed automatically; the data subject should receive the data in a structured format that is commonly use and can be read automatically, or he/she can request these data be sent to another data controller.
VIII. Withdrawal of consent when the processing was based on the consent of the data subject, provided this does not compromise the lawfulness of the processing carried out up to that date based on the consent previously provided.
IX. Lodging of complaints with AQUASIS on the way your personal data are processed, via e-mail to firstname.lastname@example.org and to the Supervisory Authority, the National Data Protection Commission, via e-mail to email@example.com.
3. AQUASIS will provide data subjects with information on the measures taken on presentation of a request under the terms of Articles 15 to 20 of the GDPR within one month of the data of receipt of the request. This period may be extended to two months, when necessary, bearing in mind the complexity of the request and the number of requests. AQUASIS will inform the data subjects of any extension and the reasons for the delay within one month of receipt of the request.
VI. Categories of Personal Data, Categories of Data Subjects and Purposes of Processing
Under the scope of its activities, AQUASIS collects and processes personal data in the following categories: identification data, contact data, data on qualifications, professional data, financial data, banking data, image data, location data and biometric data. The data collected and processed refer to the personal data of employees, company members, service providers, customers and third parties with a relationship with the activities of AQUASIS. The personal data collected and processed are sued for purposes related to the following management activities: human resources, administrative and financial, procurement, legal, quality, environment and safety, engineering, IT, concession projects.
VII. Data Retention
All personal data are retained by AQUASIS while the existing relationships with the data subjects continue, either for the legal retention period or while the purpose they were collected for continues, in order to allow the data subjects to be identified until these relationships or obligations have permanently ceased. The data collected will be destroyed when they longer serve the purposes they were collected for, without prejudice to the existence of other grounds justifying the retention of the data.
VIII. Communication of Data to other Entities (Recipients, Third Parties and Processors)
Under the scope of its activities, AQUASIS uses other entities to provide certain services. These entities are recipients, third parties or processors. When this happens, AQUASIS takes the appropriate steps to ensure that the entities that have access to the data offer the highest security assurances, which, in the case of processors, is duly enshrined and safeguarded contractually.
IX. Transfer of Personal Data
The provision of certain services and the management of the actual activities of AQUASIS imply the transfer of personal data outside of Portugal, including to countries outside of the European Union, specifically to Japan, Brazil, Phillipines, Mexico, Angola, Mozambique, Guiné – Bissau, São Tomé and Príncipe and Chile. In such cases, AQUASIS will scrupulously comply with the applicable legal provisions, particularly as to the determination of the suitability of the receiving country/countries in terms of personal data protection and the requirements applicable to such transfers including, where applicable, appropriate contractual instruments that assure and respect the legal requirements in force.
X. Technical and Organisational Measures adopted by AQUASIS
1. AQUASIS has defined and implemented a set of appropriate and necessary technical and organisational measures to assure and prove that all personal data processing carried out is in compliance with the Personal Data Protection legislation. The measures adopted also make it possible to ensure the confidentiality and the integrity of the data and to prevent their destruction, loss and accidental or unlawful alterations or disclosure of or unauthorised access to the data.
2. Data subjects are duly informed that no security system can guarantee absolute protection. However, AQUASIS is always available for any issues regarding the confidentiality and security of the data processed.
XI. Security Breaches
AQUASIS has defined and adopted internal procedures, as well as processing procedures where necessary, to intervene in the event of personal data breaches, particularly in the detection, identification and investigation of the circumstances, and to notify the Competent Authority within the legal time periods set in the cases where there is found to be a risk to the rights and freedoms of the data subjects and a high risk to the actual holders.
XII. Contacts for the purposes of this Policy
In order to exercise the aforementioned rights, particularly rights of access, rectification and erasure and right of limitation and objection to processing, data subjects must address their postal communications to Aquasis – Sistemas de Informação, S.A (doravante Aquasis), com sede em Quinta da Fonte Office Park – Edifício Q54 D. José – Piso 2, 2770-203 Paço de Arcos, or by e-mail to firstname.lastname@example.org.
XIII. Other Information
Any additional information regarding personal data protection may be obtained from CNPD - Comissão Nacional de Proteção de Dados - Rua de São Bento n.º 148-3º 1200-821 Lisboa - Tel.: + 351 213928400 - Fax: +351 213976832 - e-mail: email@example.com.