Privacy and Policy
ITSector – Sistemas de Informação, S .A.
Presentation & Legal Framework
ITSECTOR – SISTEMAS DE INFORMAÇÃO, S .A., traded corporation, with its head office in Rua José Falcão, 151, 1 st /2 nd floor, 4050-317 Porto, registered in the Conservatory of the Commercial Registry of Porto, under the sole registration number and legal person 507291727, with the share capital of EUR 372.000,00, intends, by providing and complying with the present Policy Privacy, to correspond to the Regulation guidelines (UE) 2016/679, of the European Parliament and of the Council of April 27, 2016 - General Data Protection Regulation and Laws 58/2019 and 59/2019, both of August 8.
General Principals Applicable to the Processing of Personal Data
ITSector ensures that the data which is processed is:
1. Object to illicit, loyal, and transparent processing regarding the Holder;
2. Collected for specific purposes, explicit and legitimate, not being processed later in an incompatible way for those purposes;
3. Suitable, relevant, and limited to the required, relatively to the purposes to which they are processed for;
4. Exact and updated when needed, adopting appropriate measures so that the inaccurate data is deleted or rectified without delay, considering the purposes which they are processed for;
5. Preserved in a way that allows to identify the Holder, only during the required period for the purposes which they are processed for;
6. Processed in a manner that ensures its safety, including protection against unauthorized or illicit processing and against loss, destruction, or accidental damage, taking appropriate technical and organizational measures.
Lawfulness of Processing Personal Data
The processing of data by ITSector is legal when at least one of the following situations applies:
1. The Holder has given his expressive consent for the processing of Personal Data for one or more specific purposes;
2. The processing is necessary for the execution of a contract which the Holder is part of, or for pre-contractual diligences upon the Holder’s request;
3. The processing is necessary for the compliance of a legal obligation which ITSector is subjected to;
4. The processing is necessary for the defense of the Holder’s vital interests or any other natural person;
5. The processing is necessary for any legal interests sustained by ITSector or third parties (except if the Holder’s prevailing interests, rights or freedom demand the protection of personal data).
ITSector undertakes to ensure that Personal Data is processed only under the conditions listed above and with respect to the principals mentioned above.
When the processing of Personal Data is done by ITSector, based on the Holder’s consent, he has the right to withdraw his consent at any time. The consent withdrawal, nevertheless, does not comprise the lawfulness of the processing done by ITSector, based on the Holder’s previous consent.
Use and Purposes of Processing Personal Data
ITSector collects and processes Personal Data with the following aims:
1. Identification and application instructions;
2. Management of the Contractual Relation with the Holder;
3. Contact management with the Holder;
4. Invoicing and collection of the Holder;
5. Use of the Holder’s image in the scope of marketing activities, promotion, and Team building, through any support, when the image has been collected in events, parties, activities;
6. Safety of ITSector’s facilities.
The personal data collected by ITSector is not shared with third parties without their consent, except in the situations mentioned below.
In the applicable legal terms, ITSector can transmit or communicate Personal Data to other entities in case it’s necessary for the contract execution established between the Holder and ITSector, or for pre-contractual diligences requested by the holder, if it’s needed for any legal requirement which ITSector is submitted to or if it’s necessary to pursuit ITSector’s or third party’s legitimate interests (for example, in case of sale or transmission of part or the all of ITSector, or of their assets amongst detained entities by or related to ITSector).
In the context of the conclusion of employment contracts and the admission of applications, conclusion of contracts for the provision of services in which it intervenes as a Supplier or Customer, as well as in contracts for the supply of goods in which it is a Customer, and in the development of its activity in a generic manner, ITSector may request the different Entities to provide personal data, that is, information provided that allows ITSector to identify and/or contact it and that can be treated for the proper purposes. As a rule, Personal Data is requested when submission of applications, or the conclusion of contracts, either of work, of supply of goods or of the provision of services and may be requested at any time.
Collection & Processing Personal Data
Within the scope of the execution of work contracts, service provision contracts in which he intervenes as a Supplier or Client, as well as in supplying of goods contracts where it is a Client, and in its duty performance in general, ITSector may require different entities to provide personal data, in other words, information that allows ITSector to identify and/or contact and that can be processed for that purpose. As a rule, Personal Data is requested when submitting applications, or contract handling, of both work, supplying of goods or service provision.
ITSector can collect data directly from the Holder, through partner entities or third parties.
Personal Data gathered may vary according to the reason which originates its collection. In the same way, the processing will also vary depending on the purpose of its destination, as well as the period of data preservation, which in any case, will not exceed the maximum limit of 12 (twelve) years. In each case, ITSector will inform the purpose of the data that is collected.
ITSector provides detailed information about the nature of the data collected and its purpose, as well as the processing and the information mentioned in point 7 and the following, when collecting personal data.
These subcontracted entities may not transmit personal data to other entities without prior written authorization from ITSector and are also prevented from contracting other entities unless previously authorized by ITSector.
ITSector undertakes to subcontract only entities that provide sufficient guarantees for the implementation of appropriate technical and organisational measures in order to ensure the protection of the Holder’s Rights.
On the other hand, ITSector uses the services of subcontractors in the development of some specific projects. ITSector commits to regulate and communicate to such persons the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects and the rights and obligations of the parties.
When collecting personal data, ITSector provides the Holder with information about the categories of subcontracted entities that, in this case, may process data on behalf of ITSector.
Technical, Organizational & Safety Measures Implemented
To ensure personal data safety and the maximum confidentiality, we process the information that is provided to us in an absolute confidential manner, in accordance with our policies, internal safety and confidentiality procedures, which are periodically updated according to the needs, as well as in accordance with the terms and conditions legally foreseen.
According to the nature, of the scope, the context, and its purposes in processing data, as well as the resulting risks for the Holder’s rights and freedom, ITSector undertakes to apply, the necessary and adequate technical and organizational measures to protect personal data and fulfil the legal requirements. It also commits to ensure that, by default, only the necessary data is processed for each specific purpose and that this data is not available to an undetermined number of people without
Regarding general measures, ITSector takes the following:
1. Awareness and training of personnel involved in the operations of data processing;
2. Safety protocol implementation;
2.1 Pseudonymization and personal data encryption, when necessary;
2.2 Mechanisms capable of ensuring confidentiality, availability, and resiliency of information systems;
2.3 Safety procedures to ensure confidentiality and safety of the physical registers where is personal data;
2.4 Mechanisms that ensure the re-establishment of information systems and access to personal data in a timely manner in case of a physical or technical incident – backups;
Data Transfer Out of the European Union
In certain types of processing, personal data, collected by ITSector may be made available to third parties that can involve its transfer out of the European Union. In this case, ITSector undertakes to ensure that the transfer follows the applicable laws, namely in determining the adequacy of the country in relation to the protection of personal data and the applicable requirements of such transfers.
Holder's Rights (Data Holders)
In the applicable legal terms, ITSector has the duty to ensure and promote the personal data
holders’ rights, which was collected and processed by ITSector. Below are the rights:
Right to Information
Information provided to the Holder by ITSector (when the data is collected directly from the Holder):
1. The identity and ITSector’s contacts, responsible for processing and, if applicable, of its representative;
2. The purpose of the personal data processing, as well as, if applicable, the legal basis for its processing;
3. If the data processing is based on ITSector or third parties’ legitimate interests, indicating such interests;
4. If applicable, the recipients or categories of personal data’s recipients;
5. If applicable, indication that personal data will be transferred to a third country or an international organization, and an existence or non-existence decision of adequacy adopted by the Commission or a reference to appropriate transfer guarantees.
6. Personal Data storage period;
7. If the data processing is based on the Holder’s consent, the right of withdrawing it at any time, without compromising the lawfulness of the processing made with the previous given consent;
8. Indication if the communication of personal data constitutes or not a legal or contractual obligation, or a necessary
requirement to start a contract, as well as if the Holder is obliged to give personal information and the potential consequences of not providing that data;
9. If applicable, the existence of automatized decisions, including profile settings, and information related to the rationale behind, as well as the importance and consequences foreseen for the processing of the Holder’s personal data.
In the case the data is not collected directly by ITSector regarding the Holder, in addition to the information mentioned above, the Holder is informed of the categories of personal data under processing and, as well as, regarding the origin of the data, and eventually, if it is originated of publicly accessible sources.
In the event of ITSector intending to proceed to further Personal Data processing to a purpose that the data was not collected for, before this process, ITSector will provide the Holder with information about this purpose and any other relevant information, in the terms, mentioned above.
To ensure the full enjoyment of the right to information, ITSector has implemented the mechanisms (technological and procedural) to provide information before collecting personal data.
Right to Access Personal Data
ITSector guarantees the means that allow access, by the Holder, to his Personal Data.
The Holder has the right to obtain from ITSector the confirmation that the personal data which concerns him are or not object to processing and, in this case the right to access his personal data and the following information:
1. The purpose of the processing of data;
2. The personal data categories in question;
3. The recipients or recipient categories to whom the data was or will be disclosed to, namely the established recipients in third countries or belonging to international organizations;
4. The Personal Data preservation period;
5. The right to request ITSector to rectify, delete or limit Personal Data processing, or the right to oppose that processing;
6. The right to file an appeal to CNPD or any other authority of control;
7. If the data has not been collected close to the Holder, the information available regarding the origin of this data;
8. The existence of automatic decisions, including profile settings, and information related to the underlying logic, as well as the importance and foreseen consequences of such processing for the Personal Data Holder;
9. Right to be informed about appropriate guarantees related to data transfer to third countries or international organizations;
Upon request, ITSector provides the Holder, without charge, a copy of his Personal Data, which is in the processing stage. The provision of other requested copies may entail administrative costs.
Right of Personal Data Rectification
The Holder has the right to request, at any time, the correction of his Personal Data, as well as the right to add data, which is incomplete, included by an additional statement.
In case of correcting any data, ITSector informs each recipient whose data was transmitted and the related corrections, unless the communication is impossible or implies ITSector with a disproportionate effort. If the Holder requests, ITSector provides information about the referred recipients;
Right of Personal Data Deletion ("Right to be Forgotten")
The Holder has the right to obtain from ITSector, the deletion of his personal data when one of the following reasons is implied:
1. The personal is no longer necessary for the purposes which led to its collection and processing;
2. The Holder withdraws his consent in which the data processing is based, and a legal basis does not exist for the referred processing;
3. The Holder opposes the processing under the right to oppose and other legitimate interests do not justify the processing;
4. If the Personal Data is unlawfully processed;
5. If the Personal Data must be deleted to fulfil a judicial obligation that ITSector is submitted to;
6. If the Personal Data that was collected in a service offering context in the children’s information society.
In the applicable legal terms, ITSector is not obliged to delete Personal Data if the processing reveals the need to comply with a legal obligation that ITSector is submitted to or for the purpose of declaring, exercising or defense of ITSector’s rights in a judicial process.
In the event of deleting data, ITSector informs each recipient/entity to whom is concerned the respective deletion, unless such communication is impossible or implies a disproportionate effort on behalf of ITSector. If the Holder asks, ITSector provides information about the recipients referred.
When ITSector has made the Personal Data public and is obliged to delete it under the right of deletion, ITSector ensures to take the necessary measures, including in technical nature, considering the technology available and the costs implicated, to inform those responsible for the processing of Personal Data which the Holder asked to delete, as well as copies or reproductions of such Personal Data.
Right of the Limitation of Processing Personal Data
The Holder has the right to obtain from ITSector, the limitation of Personal Data, if one of the situations is applied (the limitation consists of marking the personal data that is preserved with the goal of limiting its processing in the future):
1. If he contests the accuracy of the Personal Data, during a period that allows ITSector to verify its accuracy;
2. If the processing is illicit and the Holder opposes to the deletion of the data, requesting, in contrast, the limitation of its use;
3. If ITSector no longer needs the Personal Data for processing purposes, but that data is required by the Holder for purposes of declaration, exercise, or defense of a right in a judicial process;
4. If the holder has opposed to the processing, until verifying that ITSector’s legitimate reasons prevail over the Holder’s.
5. When the Personal Data is subjected to limitation, can only be processed with the Holder’s consent, exercise, or defense to a right in a judicial process, of another natural or legal person’s defense of rights or for public interest reasons legally required;
6. The Holder that has obtained limitation in data processing, in the cases mentioned above, will be informed by ITSector before cancelling the processing limitation;
7. In the event of limiting the processing of data, ITSector will inform the limitations to each recipient whom the data has been transmitted to, unless the communication reveals to be impossible or implicates a disproportional effort for ITSector. If the Holder requests, ITSector provides information about the recipients referred.
RIGHT OF PERSONAL DATA PORTABILITY
The Holder has the right to receive personal data concerning him and that he has provided to ITSector, in a structured, commonly used, and automatic Reading format, and the right to transmit this data to another person responsible for its processing, if:
1. The processing is based on a consent or contract which the Holder is part of; and
2. The data is processed by automatic means;
3. The right to portability does not include inferred or derived data, for example personal data that is generated by ITSector as a consequence or result of the analysis of the data object to processing.
4. The Holder has the right to have personal data directly transmitted between those responsible for processing it, whenever technically possible. The exercise of the right to data portability is applied without prejudice to the right to delete data.
RIGHT TO OPPOSE THE PROCESSING
The Holder has the right to oppose at any time, in particular related reasons, the processing of personal data, which concerns him that is based on the legitimate interests maintained by ITSector or when the processing is intended for purposes which the data collected was not for, including profile settings, or when the data is processed for statistical purposes.
ITSector will cease Personal Data processing, unless legitimate and compelling reasons are presented prevail over the Holder’s interests, rights, or freedom, or for the purpose of declaring, exercising or in defense of ITSector’s rights in a judicial process.
When the personal data is processed for direct commercialization (marketing), the Holder has the right to oppose at any time, the processing of personal data, which concerns him for all intents and purposes of the referred marketing that covers profile settings which is related to direct commercialization. In the event of the Holder opposing to the processing of his data for marketing reasons, ITSector ends the processing of that purpose.
The Holder also has the right to not be submitted to any decision made, solely based on automatic processing, including profile settings, that produce effects in his judicial sphere or that significantly affect him in any similar way, unless the decision:
1. Is necessary for the conclusion or execution of the contract between the Holder and ITSector;
2. Is authorized by law that ITSector is subject to; or
3. Is based on the Holder’s explicit consent.
Right to Withdraw Consent
The Holder has the right, at any time, to withdraw the consent of processing his Personal Data.
However, note that any consent withdrawal does not damage the lawfulness of the processing conducted, based on the previous given consent.
Right to Communicate Any Infringement
The Personal Data Holder has the right to be informed of any violation to his rights, without undue delay.
Such violations may consist, namely, of improper access to Personal Data, Personal Data processing for different purposes to which was given consent or that is legally admissible, safety breaches in the systems where the data is saved, or Personal Data deletion.
Note that, in legal terms, this communication is not required in the following points:
1. In the event of ITSector having applied suitable protection measures, both technical and organizational, and those measures have been applied to Personal Data, which was affected by Personal Data’s violation, especially measures that make the data incomprehensible to any unauthorized person that accesses this data, such as encryption;
2. Where ITSector has taken subsequent measures that ensure the high risk to the Holder’s rights and freedom, that is no longer likely to consolidate; or
3. In case the communication with the Holder implies ITSector with a disproportionate effort. Then, ITSector will make a public communication or take a similar measure through which the Holder will be informed.
Right to Address a Complain
The Personal Data Holder has the right to make a complaint to a National Supervisory Authority, or, eventually, to a Judicial Authority, if he considers there was violation of his rights as a Personal Data Holder.
Procedures With the Purpose of Practicing the Rights by the Holder
The Personal Data Holder has the right to make a complaint to a National Supervisory Authority, or, eventually, to a Judicial Authority, if he considers there was violation of his rights as a Personal Data Holder.
PROCEDURES WITH THE PURPOSE OF PRACTICING THE RIGHTS BY THE HOLDER
The right of access, rectification, deletion, limitation, portability, and the right to oppose may be exercised by the Holder by contacting ITSector, or through the email email@example.com
ITSector will reply in writing (including electronic means) to the Holder’s request in the maximum period of a month upon receiving the request, except in especial or complex cases, where the period can be extended until two months.
If the Holder’s requests are unfounded or excessive, particularly due to its repetitiveness, ITSector reserves the right to charge administrative costs or to refuse to follow-up the request.
Whenever the Holder participates in an event promoted by ITSector, namely parties, sport activities or any other, and without prejudice to the right of honor, intimacy and own image, as well as the applicable law that ITSector is obliged, the processing and collection of the Holder’s image is deemed lawful, as it corresponds to a legitimate interest of commercial disclosure sustained by ITSector (the Holder’s image may be collected, according to normal use, in the scope of marketing activities, promotion and team building, including photos, images and sound), if the Holder has given his consent.
Also, within the legitimate interest of commercial disclosure, ITSector may use this data in photos or videos that are shown in its own means of communication, namely on Internet pages, Facebook pages or other social media, projectors and LCDs installed in ITSector’s facilities, etc. The Holder has the right to oppose using his image in the legal terms applied and to ask ITSector to remove his images from its media.
In case he does not consent ITSector to use his image, the Holder cannot participate in any events referred above, since ITSector cannot ensure that the Holder’s image is not collected.
Applicable Law and Venue