Privacy policy data processing and protection
GRUPNOR – ELEVADORES DE PORTUGAL, LDA, hereinafter designated GRUPNOR is particularly committed to protecting the privacy of the personal data of its Employees and Clients, potential Clients, Partners and potential Partners to which the company lawfully accesses and whose processing is made under its professional activity always pursuant to the General Data Protection Regulation (GDPR) approved by Regulation (EU) 2016/679 of the European Parliament and of the Council, dated April 27th, 2016, hereinafter designated “GDPR”.
By means of this policy, GRUPNOR, in the capacity of data controller, intends to describe its commitment and implemented rules, namely in regard to all personal data collected, their processing, purpose and method(s) of use following the principles of lawfulness, loyalty, transparency and limitation.
1. PERSONAL DATA
According to the GDPR, “personal data” is any and all information regarding a natural person that can be directly or indirectly identified or identifiable by means of an identifier such as a name, identification number, location data, electronic identifier and/or more specific elements of their physical, physiological, genetic, mental, economic, cultural or social identity.
2. DATA CONTROLLER
2.1. The data controller is GRUPNOR.
2.2. If this information is not satisfactorily clarifying and/or transparent or if you deem relevant, please contact GRUPNOR to the e-mail: comunicacao@grupnor.pt.
3. TYPES OF PERSONAL DATA COLLECTED
GRUPNOR collects and processes all personal data strictly required for the functioning/execution of its services, pursuant to its operation.
4. WHEN AND HOW PERSONAL DATA ARE COLLECTED/PROCESSED
4.1. GRUPNOR may collect personal data whenever the Client or potential Client makes contact in the scope of pre-contractual proceedings (for instance, when there is a request for a quotation regarding works/maintenance) and/or for purposes of entering into a contract and other events in the scope of company operation.
4.2. GRUPNOR may collect its Clients or potential Clients’ personal data via face-to-face contact; telephone; postal mail; electronic mail; website and by other means in the scope of company operation.
5. LEGAL BASIS FOR PERSONAL DATA COLLECTION AND PROCESSING
Clients or potential Clients’ personal data may be collected and processed:
a) Whenever such collection and processing are required for the execution of/compliance with a contract in which one of the Parties is the data subject or for the execution of pre-contractual proceedings requested by the data subject in the scope of company operation.
b) Whenever such collection and processing are required for the compliance with a legal obligation to which GRUPNOR, as data controller, and/or of the data subject are subject.
c) Whenever data subject has given their consent for the processing of their data in the scope of one or more specific purposes.
6. PERSONAL DATA PROCESSING PURPOSES
The purposes of Clients or potential Client’s personal data collection by GRUPNOR are:
a) Further commercial operation of GRUPNOR as a company legally qualified to operate in civil and public works and in the provision of services of maintenance and technical assistance to lifting gear;
b) Accomplishment/execution of services requested by its Clients or potential Clients;
c) Execution of internal statistic processing;
d) Potential offer of new services that consider the satisfaction of its Clients or potential Clients’ needs and interests;
e) Other purposes arising from company operation.
7. RETENTION PERIOD
All personal data collected by GRUPNOR will be retained and kept for the term of the established service provision and/or contractual relationship and after the termination of such relationship for the period required for the compliance with GRUPNOR’s legal obligations, with such period being variable pursuant to the above purposes.
8. PERSONAL DATA PROCESSING SECURITY
8.1. All personal data collected by GRUPNOR will be processed by and kept in computerised forms and in paper.
8.2. GRUPNOR is responsible for ensuring the security and protection of all collected personal data by adopting all technical and organizational measures fit for that purpose that prevent any loss, destruction, alteration or non-authorized access and use, pursuant to technological conditions available at the moment, the nature of collected data and the potential risks to which such data are exposed.
8.3. At the moment of the drafting of this Privacy Policy, the implemented measures were:
- Password protection;
- Use of digital certifications;
- Restrictions regarding physical entrance in sites where personal data storage servers are located;
8.4. All security measures above will be reviewed and updated as per the needs and requirements of their respective matters.
8.5. In the event of a security breach resulting in the accidental or unlawful destruction, loss, alteration or non-authorized disclosure of or access to personal data, GRUPNOR undertakes to inform the relevant authorities of this event, pursuant to the applicable legislation, without any undue delay and whenever possible, within a period of 72 hours after becoming aware of such breach.
9. PERSONAL DATA PROCESSING CONFIDENTIALITY
GRUPNOR has adopted a personal data confidentiality policy thereby ensuring the secrecy of all collected data and restricting access and use of such data to their employees who are also bound by a secrecy and confidentiality obligation.
10. RIGHT TO ACCESS, RECTIFICATION, ELIMINATION, PROCESSING LIMITATION AND RIGHT TO PERSONAL DATA PORTABILITY
10.1. GRUPNOR assures that data subjects have the right to access, rectify, eliminate, transfer, limit and/or oppose to the processing of their personal data.
10.2. Particularly in regard to the right of elimination, data subjects are entitled to get the data controller to eliminate their personal data and data controllers are obliged to eliminate such personal data whenever one of the following scenarios are applicable:
(i) Data are no longer needed for the purpose for which they were collected or processed:
(ii) Data subject withholds their consent in the cases where consent if the legal basis for data collection or data subject opposes to processing and there are no prevailing legitimate interests that justify keeping such data;
10.3. Data subjects may exercise any of these rights by contacting GRUPNOR in writing to its registered office address or to the e-mail: comunicacao@grupnor.pt
11. RIGHT TO FILE A COMPLAINT WITH THE SUPERVISORY AUTHORITY
Data subjects may file all complaints deemed fit with the relevant supervisory authority (in Portugal, such supervisory authority is CNPD – Comissão Nacional de Proteção de Dados – www.cnpd.pt).
12. COMMUNICATION OF PERSONAL DATA TO OTHER ENTITIES
12.1. In the scope of its operation, GRUPNOR may subcontract third parties for the provision of some services (inside or outside the European Union) which, in some cases, may lead to such parties accessing data subjects’ personal data.
12.2. In such cases, GRUPNOR undertakes to adopt all required and proper measures to ensure that all entities accessing such personal data are reputable and operate under the highest standards in this regard, which shall be duly established and safeguarded by the written contract to be entered into between GRUPNOR and any third party.
12.3. Any entity subcontracted by GRUPNOR shall process personal data on their behalf under the obligation of adopting all required technical and organizational measures to protect personal data against accidental or unlawful destruction, accidental loss, alteration, dissemination or non-authorized access and against any and all means of unlawful processing.
12.4. In any case, GRUPNOR shall remain the data controller.
12.5. Whenever required and in the scope of GRUPNOR’s use of subcontractors, personal data may be transferred to outside the European Union under the terms and conditions allowed by the applicable laws.
13. RIGHT TO AMEND PRIVACY POLICY
GRUPNOR reserves the right to amend or change this Privacy Policy at any time with the goal of adapting it such policy to its reality and/or to potential legislative amendments that would require so.
This version is the version that is currently in effect.
June 1st, 2018