The scope of this Regulation is: The Processing of Personal Data.
These Regulations cover the processing of personal data of employees, trainees, candidates, clients and suppliers (natural persons).
- Scope of Application.
The company complies with the legal rules on the protection of the personal data of its employees, job applicants, trainees, clients and suppliers (natural persons), in particular those arising from national legal provisions and the decisions of the National Data Protection Commission.
- Employees’ personal data
The processing of employees’ personal data, within the scope of the employment relationship, stems from both the contractual content and the fulfilment of legal obligations vis-à-vis the AT, Social Security, ACT and other official entities.
The processing of employees’ personal data is reserved solely for the data controller designated at any given time and with limited access duly justified under the terms of the law and, in any case, safeguarding confidentiality.
At any time, employees may, at their request, access their protected data and ask for it to be amended or corrected if it is inaccurate or incomplete.
In accordance with the law, employees have the right to information, access and opposition to the processing of their personal data. In order to exercise these rights of access and opposition, they must submit a written request to the Data Controller, Mr Hermes Batista.
Employees may, under the terms of the law, exercise their right to have their personal data forgotten, except in the cases provided for the fulfilment of legal obligations.
The processing of employees’ medical data complies with the rules on the processing of sensitive data and is therefore exclusively accessible to the company doctor or certified medical team, with the employee having access to it as long as they previously request it directly from the occupational doctor.
With the conclusion of the contract, and during its execution, the employee gives his consent for his personal data to be stored in secure digital form, processed and accessed under the terms previously specified or specified from time to time.
2.1 Purpose of processing employees’ personal data
Employees’ personal data may be collected and processed by the Company for the following purposes:
– A) Administrative management;
– B) Calculation and payment of salaries, benefits, allowances and subsidies;
– C) Calculation and withholding of compulsory or optional deductions from remuneration arising from legal provisions;
– D) Enforcement of a court decision or judgement, as well as handling requests made by employees;
– E) Handling other matters relating to remuneration, benefits, allowances or subsidies;
– F) Issuing training certificates by the employer and/or external training organisations;
– G) Issuing travel tickets, visas and/or other documents arising from the employee’s need to travel;
– H) Records and control of attendance and/or access;
– Compliance with legal obligations in the field of occupational health and safety.
2.1 Categories of personal data to be collected
For the above-mentioned purposes, the organisation may collect and process personal data, as well as the original and copies of the respective documents, which fall into the following categories:
– A) Identification Data ;
– B) Family situation ;
– C) Data relating to professional activity ;
– D) Remuneration data;
– E) Other data necessary to fulfil the provisions of the previous article.
2.3 Data retention period
For the purposes of administrative management of employees, training certificates and documents necessary for issuing travel tickets and/or visas, data may be kept for a legal period after termination of the employment relationship, and other accounting and tax obligations.
For the purposes of workers’ salaries, benefits and perks, data may be kept for a maximum period laid down by law;
The period of the respective data may be extended for reasons of legal action, after the data has been transferred to the judicial institutions or the judgement has become final.
For the purposes of pensions, social security or the payment of subsequent supplementary benefits due after the termination of the employment relationship, the data strictly necessary to prove the status of worker, length of service and change in remuneration may be kept for the legal periods corresponding to each purpose.
2.4 Recipients of employees’ personal data
2.4.1- Any recipients of personal data are:
- A) Organisations to whom the data must be communicated by virtue of a legal provision or at the request of the data subject;
- B) The financial institutions that manage the organisation’s accounts for the payment of workers’ wages;
- C) Pension fund or pension scheme management entities;
- D) Insurance companies with whom the contract for accidents at work or personal accidents is concluded;
- E) Training organisations for issuing training certificates;
- F) Travel agencies or transport companies for issuing travel documents;
- G) The Accounting/HR department for the purposes of processing salaries or obligations;
- H) Auditing bodies (internal or external) within the scope of certification processes;
- I) External consultancy organisations within the scope of their consultancy services;
- J) Entities which, within the scope of occupational health and safety, ensure that the company fulfils these obligations at all times;
The entities that ensure IT management in the processing of personal data.
2.4.2- External entities (Subcontractors) to whom workers’ personal data is provided under these regulations are contractually bound to comply with the legal obligations in terms of data protection that are attributed to the Data Controller.
It is forbidden to photograph, film or make any kind of recording or other process of copying and/or reproduction of personal documents without the consent of the data subject, except in the cases provided for by law or duly authorised by the competent authority for this purpose.
- Personal data of job applicants
The company guarantees to safeguard the right to data protection of job applicants who are voluntarily authorised by the data subject, who will be treated confidentially under the terms of the law in force.
- Personal data of trainees, trainers and candidates
The processing of the personal data of trainees and trainers stems both from contractual content and from the fulfilment of legal obligations vis-à-vis official entities.
The processing of trainees’ and trainers’ personal data is reserved solely for the data controller designated at any given time, with limited access duly justified under the terms of the law, in any case safeguarding confidentiality.
At any time, trainees/trainers may, at their request, access their protected data and ask for it to be amended or corrected in the event of errors or incompleteness.
In accordance with the law, trainees/trainers have the right to information, access and opposition to the processing of their personal data. In order to exercise these rights of access and opposition, they must submit a written request to the Data Controller, Mr Hermes Batista.
Trainees/trainers may, under the terms of the law, exercise their right to have their personal data forgotten, except in the cases provided for the fulfilment of legal obligations.
With the conclusion of the training contract, and throughout its execution, the trainee/trainer gives their consent for their personal data to be stored in digital, secure form, processed and accessed under the terms previously specified or specified from time to time.
In terms of data protection, trainees and trainers shall be subject to the rules laid down in these regulations for employees, in terms of processing, collection, purpose of processing, category of data to be collected, retention period, recipients of the data, as laid down for employees’ personal data, with the necessary adaptations and if applicable.
- Personal data of customers and suppliers
The company collects, uses and retains personal data provided by customers and suppliers, under the terms permitted by the applicable legislation, in an appropriate manner for the performance of the contractual relationship with them and for the use and billing of services.
The customer and supplier, within the scope of the contractual, commercial relationship and also in the legitimate interest and pursuit of the activity of the data controller, authorise the entry of their personal data in a company file and its disposal by the company to third parties, located in the European Union, for processing within the scope of the purpose of this contract, as well as for commercial or other marketing purposes, customer satisfaction surveys and information about the company’s products and services.
The client/supplier must notify the company immediately if there are any changes to the personal data that affect the contractual relationship or the invoicing of services.
The data necessary for the execution of the contract and invoicing of the services may be stored and used by the company even after the end of the process or contract, under the legal terms and until the invoicing and legal obligations arising from the commercial and/or contractual relationship are completed.
- Use of the Company Website
If you are a user of our website through the user registration process and by “User Name – Password”, your data will be stored in a specific user control database. You can request its deletion at any time by writing to our official address on our website. If you delete your data, you will no longer be able to use the website in registered mode.
If you use our website in an unregistered mode and contact us via contact forms, the data requested in those forms may be stored. You can also request its deletion and continue to use our website as normal.
- Final Provisions – Personal data protection obligations
The company or organisation that individually or jointly with another (subcontractor) determines the purposes and means of data processing is the “data controller” and must therefore, among other things, ensure that:
¬ Personal data is collected for specific, explicit and legitimate purposes and is not further proc
essed in a way that is incompatible with the purposes for which it was collected;
¬ Only personal data that is appropriate, relevant and not excessive in relation to the purposes of collection is collected;
¬ The personal data collected is accurate and up-to-date;
¬ Personal data is only kept for the period necessary to fulfil the purposes of collection/processing (ensuring compliance with the applicable CNPD resolutions and applicable legislation and specific legislation applicable to certain sectors of activity);
¬ The data subject is provided with all the information related to the processing carried out, granting them the right to access, rectify and delete their data, as well as to object to their processing, under the terms of the law;
¬ Data subjects can request the exercise of their rights from the company’s Data Controller using a special form.
- The data subject’s consent is obtained for the processing of data, in the cases where this is required:
¬ The data processing is duly notified to the CNPD (if applicable) and, when legally required, the respective prior authorisation is obtained or duly regulated in legal terms;
¬ That employees authorised to access personal data are bound by the duty of confidentiality;
¬ That written contracts to safeguard confidentiality and privacy have been signed with the entities that process the personal data of our data subjects;
¬ That appropriate technical and organisational measures have been implemented to protect personal data against accidental or unlawful destruction, alteration, unauthorised access and disclosure and against any form of unlawful processing.
¬ that a register of personal data processing activities is kept in accordance with the law.
This Regulation enters into force on 25 May 2018.