ITSECTOR – SISTEMAS DE INFORMAÇÃO, S .A., traded corporation, with its head office in Rua José Falcão, no. 151, 1º/2º, 4050-317 Porto, registered in the Conservatory of the Commercial Registry of Porto, under the no. 507291727, with the share capital of 500.000 Euros, intends, by providing and complying with the present Policy Privacy, to correspond to the Regulation guidelines (UE) 2016/679, of the European Parliament and of the Council of the 27TH of April of 2016- General Regulation on the Protection of Personal Data, and also to the assortment of the Portuguese laws which regulates the theme of the protection of personal data.
ITSector ensures that the data which is processed is:
- Object to illicit, loyal and transparent processing in regard to the Holder;
- Collected for specific purposes, explicit and legitimate, not being processed later in a incompatible way for those purposes;
- Suitable, relevant and limited to the required, relatively to the purposes to which they’re processed for;
- Exact and updated when needed, adopting appropriate measures so that the inaccurate data is deleted or rectified without delay, taking into account the purposes which they’re processed for;
- Preserved in a way that allows to identify the Holder, only during the required period for the purposes which they’re processed for;
- Processed in a manner that guarantees its safety, including protection against its unauthorised or illicit processing and against its loss, destruction or accidental damage, adopting the appropriate technical and organisational measures.
The processing of data by ITSector is legal when at least one of the following situations is complied:
- The Holder has given his expressive consent for the processing of Personal Data for one or more specific purposes;
- The processing is necessary for the execution of a contract which the Holder is part of, or for pre-contractual diligences upon the Holder’s request;
- The processing is necessary for the compliance of a legal obligation which ITSector is subjected to;
- The processing is necessary for the defence of the Holder’s vital interests or any other natural person;
- The processing is necessary for any legal interests sustained by ITSector or third parties (except if the Holder’s prevailing interests, rights or freedom demand the protection of personal data).
ITSector undertakes to ensure that the processing of Personal Data is only done in the conditions listed above and with respect to the principals mentioned above.
When the processing of Personal Data is done by ITSector, based on the Holder’s consent, he has the right to withdraw his consent at any time. The consent withdrawal, nevertheless, doesn’t comprise the lawfulness of the processing done by ITSector, based on the Holder’s previous consent.
ITSector collects and processes Personal Data with the following aims:
- Identification and application instructions;
- Management of the Contractual Relation with the Holder;
- Contact management with the Holder;
- Invoicing and collection of the Holder;
- Use of the Holder’s image in the scope of marketing activities, promotion and Team building, through any support, when the image has been collected in events, parties, activities;
- Safety of ITSector’s facilities.
The personal data collected by ITSector isn’t shared with third parties without their consent, except in the situations mentioned below. Although, in case the holder contracts ITSector’s services that are provided by other entities which are responsible for processing personal data (example, nutritional consultation), the data may be consulted or accessed by these entities, as far as it’s necessary to the referred services.
In the applicable legal terms, ITSector can transmit or communicate Personal Data to other entities in case it’s necessary for the contract execution established between the Holder and ITSector, or for pre-contractual diligences requested by the holder, if it’s needed for any legal requirement which ITSector is submitted to or if it’s necessary to pursuit ITSector’s or third party’s legitimate interests (for example, in case of sale or transmission of part or the all of ITSector, or of their assets amongst detained entities by or related to ITSector).
In the scope of concluding work contracts, service provision contracts in which he intervenes as a Supplier or Client, as well as in supplying of goods contracts where he’s a Client, and in his duty performance in general, ITSector may require different entities to make personal data available, in other words, information provided that allows ITSector to identify and/or contact and that can be processed for that purpose. As a rule, Personal Data is requested when submitting applications, or contract handling, of both work, supplying of goods or service provision.
ITSector can collect data directly from the Holder, through partner entities or third parties.
Personal Data gathered may vary according to the reason which originates its collection. In the same way, the processing will also vary depending on the purpose of its destination, as well as the period pf data preservation, which in any case, won’t exceed the maximum limit of 12 (twelve) years. In each case, ITSector will inform the purpose of the data that is collected.
ITSector provides detailed information about the nature of the data collected and its purpose, as well as the processing and the information mentioned in point 7 and the following, when collecting personal data.
These subcontracted entities cannot transmit Personal Data to other entities or contract other entities without ITSector’s prior written authorization.
ITSector assumes the commitment to subcontract only the entities which present sufficient guarantees in executing appropriate technical and organizational measures, to ensure the Holder’s defence of rights.
On the other hand, ITSector uses the service of subcontracted people, in the development of some specific projects. ITSector assumes to regulate and communicate to those people, the object and the length of the process, the nature and purpose of the processing, the type of personal data, the categories of the holders given and the rights and duties of those parts.
When collecting personal data, ITSector provides the Holder with information about the categories of the subcontracted entities that, in the actual case, may process data in ITSector’s name.
To ensure personal data safety and the maximum confidentiality, we process the information that is provided to us in an absolute confidential manner, in accordance to our policies and internal safety and confidentiality procedures, which are periodically updated according to the needs, as well as in accordance to the terms and conditions legally foreseen.
According to the nature, of the scope, the context and its purposes in processing data, as well as the resulting risks for the Holder’s rights and freedom, ITSector undertakes to apply, the necessary and adequate technical and organizational measures to protect personal data and fulfil the legal requirements. It also commits to ensure that, by default, only the data which is necessary is processed for each specific purpose and that this data isn’t available to an undetermined number of people without
Regarding general measures, ITSector takes the following:
- Awareness and training the personnel implied in the operations of data processing;
- Safety protocol implementation;
- Pseudonymising and personal data encryption, when necessary
- Mechanisms capable of ensuring confidentiality, availability and resilience of the information systems;
- Safety procedures to ensure confidentiality and safety of the physical registers where is personal data;
- Mechanisms that ensure the re-establishment of information systems and the access personal data in a timely way in case of a physical or technical incident – backups;
In certain types of processing, personal data, collected by ITSector may be made available to third parties, that can involve its transfer out of the European Union. In this case, ITSector undertakes to ensure that the transfer follows the applicable laws, namely in determining the adequacy of the country in relation to the protection of personal data and the applicable requirements of such transfers.
In the applicable legal terms, ITSector has the duty to ensure and promote the personal data holders’ rights which was collected and processed by ITSector. Below are the rights:
Information provided to the Holder by ITSector (when the data is collected directly from the Holder):
- The identity and ITSector’s contacts, responsible for processing and, if applicable, of its representative;
- The purpose of the personal data processing, as well as, if applicable, the legal basis for its processing;
- If the data processing is based on ITSector or third parties’ legitimate interests, indicating such interests;
- If applicable, the recipients or categories of personal data’s recipients;
- If applicable, indication that personal data will be transferred to a third country or an international organization, and an existence or non-existence decision of adequacy adopted by the Commission or a reference to appropriate transfer guarantees.
- Personal Data storage period;
- If the data processing is based on the Holder’s consent, the right of withdrawing it at any time, without compromising the lawfulness of the processing made with the previous given consent;
- Indication if the communication of personal data constitutes or not a legal or contractual obligation, or a necessary requirement to start a contract, as well as if the Holder is obliged to give personal information and the potential consequences of not providing that data;
- If applicable, the existence of automatized decisions, including profile settings, and information related to the rationale behind, as well as the importance and consequences foreseen for the processing of the Holder’s personal data.
In the case the data isn’t collected directly by ITSector regarding the Holder, besides the information mentioned above, the Holder is additionally informed about the categories of personal data under processing and, as well as, in regard to the origin of the data, and eventually, if it’s originated of publicly accessible sources.
In the event of ITSector intending to proceed to further Personal Data processing to a purpose that the data wasn’t collected for, before this process, ITSector will provide the Holder with information about this purpose and any other relevant information, in the terms, mentioned above.
In order to ensure the full enjoyment of the right to information, ITSector has implemented the mechanisms (technological and procedural) to provide information before collecting personal data.
ITSector guarantees the means that allow access, by the Holder, to his Personal Data.
The Holder has the right to obtain from ITSector the confirmation that the personal data which concerns him are or not object to processing and , in this case e, the right to access his personal data and the following information:
- The purpose of the processing of data;
- The personal data categories in question;
- The recipients or recipient categories to whom the data was or will be disclosed to, namely the established recipients in third countries or belonging to international organizations;
- The Personal Data preservation period;
- The right to request ITSector to rectify, delete or limit Personal Data processing, or the right to oppose that processing;
- The right to file an appeal to CNPD or any other authority of control;
- If the data hasn’t been collected close to the Holder, the information available regarding the origin of this data;
- The existence of automatic decisions, including profile settings, and information related to the underlying logic, as well as the importance and foreseen consequences of such processing for the Personal Data Holder;
- Right to be informed about appropriate guarantees related to data transfer to third countries or international organizations;
Upon request, ITSector provides the Holder, without charge, a copy of his Personal Data which is in the processing stage. The provision of other requested copies may entail administrative costs.
The Holder has the right to request, at any time, the correction of his Personal Data, as well as the right to add data which is incomplete, included by an additional statement.
In case of correcting any data, ITSector informs each recipient whose data was transmitted and the related corrections, unless the communication is impossible or implies ITSector with a disproportionate effort. If the Holder asks, ITSector provides information about the referred recipients;
The Holder has the right to obtain from ITSector, the deletion of his personal data when one of the following reasons is implied:
- The personal is no longer necessary for the purposes which led to its collection and processing;
- The Holder withdraws his consent in which the data processing is based and a legal basis doesn’t exist for the referred processing;
- The Holder opposes the processing under the right to oppose and other legitimate interests don’t justify the processing;
- If the Personal Data is unlawfully processed;
- If the Personal Data has to be deleted in order to fulfil a judicial obligation that ITSector is submitted to;
- If the Personal Data that was collected in a service offering context in the children’s information society.
- In the applicable legal terms, ITSector isn’t obliged to delete Personal Data as long as the processing reveals the need to comply with a legal obligation that ITSector is submitted to or for the purpose of declaring, exercising or defence of ITSector’s rights in a judicial process.
In the event of deleting data, ITSector informs each recipient/entity to whom is concerned the respective deletion, unless such communication is impossible or implies a disproportionate effort in behalf of ITSector. If the Holder asks, ITSector provides information about the recipients referred.
When ITSector has made the Personal Data public and is obliged to delete it under the right of deletion, ITSector ensures to take the necessary measures, including in technical nature, considering the technology available and the costs implicated, to inform the people responsible for the processing of Personal Data which the Holder asked to delete, as well as copies or reproductions.
The Holder has the right to obtain from ITSector, the limitation of Personal Data, if one of the situations is applied (the limitation consists on marking the personal data that is preserved with the goal of limiting its processing in the future):
- If he contests the accuracy of the Personal Data, during a period that allows ITSector to verify its accuracy;
- If the processing is illicit and the Holder opposes to the deletion of the data, requesting, in contrast, the limitation of its use;
- If ITSector no longer needs the Personal Data for processing purposes, but that data is required by the Holder for purposes of declaration, exercise or defence of a right in a judicial process;
- If the holder has opposed to the processing, until verifying that ITSector’s legitimate reasons prevail over the Holder’s.
- When the Personal Data is subjected to limitation, can only be processed with the Holder’s consent, exercise or defence of a right in a judicial process, of another natural or legal person’s defence of rights or for public interest reasons legally required.
- The Holder that has obtained limitation in data processing, in the cases mentioned above, will be informed by ITSector before cancelling the processing limitation;
- In the event of limiting the processing of data, ITSector will inform the limitations to each recipient who the data has been transmitted to, unless the communication reveals to be impossible or implicates a disproportional effort for ITSector. IF the Holder requests, ITSector provides information about the recipients referred.
The Holder has the right to receive personal data which concerns him and that he has provided ITSector, in a structured way, of current use and automatic Reading, and the right to transmit this data to another person responsible for its processing, if:
- The processing is based on a consent or contract which the Holder is part of; and
- The data is processed by automatic means;
- The right to portability doesn’t include inferred or derived data, for example personal data that is generated by ITSector as a consequence or result of the analysis of the data object to processing.
- The Holder has the right for his personal data being directly transmitted between those responsible for processing it, whenever technically possible. The exercise of the right of the data’s portability is applied without prejudice of the right to delete data.
The Holder has the right to oppose at any time, in particular related reasons, the processing of personal data which concerns him that is based on the legitimate interests maintained by ITSector or when the processing is intended for purposes which the data collected wasn’t for, including profile settings, or when the data is processed for statistical purposes.
ITSector will cease Personal Data processing, unless legitimate and compelling reasons are presented prevail over the Holder’s interests, rights or freedom, or for the purpose of declaring, exercising or in defence of ITSector’s rights in a judicial process.
When the personal data is processed for direct commercialization (marketing), the Holder has the right to oppose at any time, the processing of personal data which concerns him for all intents and purposes of the referred marketing that covers profile settings which is related to direct commercialization. In the event of the Holder opposing to the processing of his data for marketing reasons, ITSector ends the processing of that purpose.
The Holder also has the right to not be submitted to any decision made, exclusively based on automatic processing, including profile settings, that produce effects in his judicial sphere or that significantly affect him in any similar way, unless the decision:
- Is necessary for the conclusion or execution of the contract between the Holder and ITSector;
- Is authorized by law that ITSector is subject to; or
- Is based on the Holder’s explicit consent.
The Holder has the right, at anytime, to withdraw the consent of processing his Personal Data.
However, note that any consent withdrawal doesn’t damage the lawfulness of the processing conducted, based on the previous given consent.
The Personal Data Holder has the right to be informed of any violation to his rights, without delay.
Such violations may consist, namely, in improper accessing of Personal Data, Personal Data processing for different purposes to which was given consent or that is legally admissible, safety breaches in the systems where the data is saved, or Personal Data deletion.
Note that, in legal terms, this communication isn’t required in the following points:
- In the event of ITSector having applied suitable protection measures, both technical and organizational, and those measures have been applied to Personal Data which was affected by Personal Data’s violation, especially measures that make the data incomprehensible to any unauthorized person that accesses this data, such as encryption;
- In the face of ITSector having taken subsequent measures that ensure the high risk for the Holder’s rights and freedom, that is no longer likely to consolidate; or
- In case the communication with the Holder implies ITSector with a disproportionate effort. Then, ITSector will make a public communication or take a similar measure through which the Holder will be informed.
The Personal Data Holder has the right to make a complaint to a National Supervisory Authority, or, eventually, to a Judicial Authority, if he considers there was violation of his rights as a Personal Data Holder.
The right of access, rectification, deletion, limitation, portability and the right to oppose may be exercised by the Holder by contacting ITSector, or through the email firstname.lastname@example.org
ITSector will reply in writing (including electronic means) to the Holder’s request in the maximum of a month upon receiving the request, except in especial or complex cases, which the period can be extended until two months.
If the Holder’s requests are unfounded or excessive, particularly due to its repetitiveness, ITSector reserves the right to charge administrative costs or to refuse to follow-up the request.
Each time the Holder participates in an event promoted by ITSector, namely parties, sport activities or any other, and without prejudice to the right of honour, intimacy and own image, as well as the applicable law that ITSector is obliged, it’s considered that the processing and collection of the Holder’s image is legal, as they correspond to a legitimate interest of commercial disclosure sustained by ITSector (the Holder’s image may be collected, according to normal use, in the scope of marketing activities, promotion and team building, including photos, images and sound), if the Holder has given his consent.
Also within the legitimate interest of commercial disclosure, ITSector may use this data in photos or videos that are shown in its own means of communication, namely on Internet pages, Facebook pages or other social media, projectors and LCD’s installed in ITSector’s facilities, etc. The Holder has the right to oppose using his image in the legal terms applied and to ask ITSector to remove his images from its communication means.
In case he doesn’t consent ITSector using his image, the Holder cannot participate in any events referred above, since ITSector cannot ensure that the Holder’s image isn’t collected.