1. PERSONAL DATA, PERSONAL DATA HOLDERS AND PERSONAL DATA CATEGORIES
a) What is personal data?
Personal data is any information, of any nature and regardless of its support (sound or image), relating to an identified or identifiable natural person.
An identifiable natural person who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, identifiers by electronic means or one or more specific identification of this natural person.
b) Who are the holders of personal data?
The personal data holders are the natural persons – employees and customers of the Company and persons who access the Company’s website or who intervene or participate in the initiatives initiated by the Company and who provide their personal data for this purpose and who may not have any relationship with the Company.
c) What category of personal data do we treat?
Identification and contacts – name, date of birth, gender, membership, civil, tax and social security number, telephone contact or e-mail address.
Data resulting from physical identification, e.g. photographs, resulting from participation in events promoted by the Company.
2. THE DATA MANAGER AND THE DATA PROTECTION SUPERVISOR
The responsible for the collection and processing of personal data is GPR – Gastronomia do Príncipe Real, headquartered at Rua do Loreto, nº 21, R/C, 1200-241 Lisboa, with the VAT number 510 698 743, which decides what data personal data to be collected, the means of treatment and the purposes for which the data are used.
3. RATIONALE, PURPOSES AND DURATION OF THE TREATMENT OF PERSONAL DATA
a) Fundamentals for the Company to handle personal data
There is consent when the data subject expresses his/her expressed consent – in writing or orally or makes such authorization through access to the Company’s website through the validation of an option – and if such consent is free, informed, specific and unequivocal;
Examples of the need for consent are: authorization for the Company to send newsletters with messages about initiatives that promote, send communications or messages or to be able to transfer their personal data to third parties;
a.2) Compliance with legal obligations
Where the processing of personal data is necessary for the fulfillment of an obligation by the Company, such as those arising from the need to comply with notifications made by police, judicial and regulatory entities, or to comply with obligations before the tax authorities or with the social security or to provide emergency services or for the celebration and access to legally enforceable insurer’s benefits (eg personal accident insurance and/or occupational accident insurance);
a.3) Legitimate interest
Where the processing of personal data corresponds to a legitimate interest of the Company, such as the detection of fraud and where the reasons for the use of personal data should prevail over the data protection rights of the respective owner.
a.4) Consent by minors
In the case of the processing of personal data of minors, who may be subject to prior consent, such consent is only valid if it is carried out by the party proving to be the holder of parental responsibilities.
b) Purposes of the processing of personal data
The processing of personal data is carried out for the following purposes:
– Maintenance of contacts;
– Response to complaints;
b.2) Accounting, Fiscal and Administrative Management
– Accounting and billing;
– Tax and social security information, where applicable.
b.3) Litigation management
– Collection of judicial and extrajudicial debts;
– Intervention in other judicial and extrajudicial conflicts.
b.3) Fraud detection and revenue protection
– Detection of fraud and illegal practices;
– Protection and control of revenue;
– Internal audit and investigation.
b.4) Network and system management
– Support and improvement of the networks and applications that support the services provided;
– Monitoring, improvement and support of services provided.
b.5) Compliance with legal obligations
Response to judicial, regulatory, supervisory, tax and social security entities.
b.6) Information security control
– Access management, logs;
– Management of backups;
– Management of security incidents.
b.7) Physical security control
– Installation of video surveillance systems in legally permitted places.
b.8) For the purpose of disseminating initiatives and information
– Disclosure of initiatives promoted by the Company or by third parties.
4. DEADLINES FOR THE TREATMENT OF PERSONAL DATA
The Company keeps its personal data according to the purposes for which it is processed.
The data related to employees will be maintained during the term of the contractual relationship established with them.
There are cases in which, with respect to employees, the law requires that such data be kept for at least 12 years for the purpose of informing the Tax Authority and for accounting or tax purposes.
With regard to video surveillance, recordings of images and their personal data will only be kept for a period of 30 days, unless the Company is notified by a competent police or judicial entity for the maintenance of these data for a longer period.
The Company may maintain other personal data for periods longer than those mentioned above, either on the basis of the consent of the data subjects, or to ensure the duties, rights or duties related to the contracts and relations established with the owners of the personal data, or have legitimate interests that justify it, but always for the time strictly necessary for the fulfillment of the respective purposes and in accordance with the guidelines and decisions of the CNPD.
For example, contacts for the purpose of informing and promoting initiatives promoted by the Company and legal proceedings for the period in which they are pending.
5. METHOD AND TIME OF COLLECTION OF PERSONAL DATA
We collect the personal data of all those who question the Company with the intention of being informed about the initiatives promoted by the Company or enrolling in them.
6. RIGHTS OF THE PERSONAL DATA HOLDER
The rights of the holders of personal data are the following:
a) Right of access
Right to obtain confirmation of what personal data are being treated and the right to obtain information about these personal data, namely, what are the purposes of the treatment and what are the conservation periods.
b) Right of rectification
Right to obtain rectification of your personal data that is inaccurate or request incomplete personal data, such as the address, VAT number, email, telephone contacts and others.
c) Right to erase data or right to be forgotten
Right to obtain the deletion of your personal data, provided that there is no valid basis for its conservation, such as the need to comply with legal obligations of any order, such as the need to preserve the data to comply with the duty to information before the courts, police entities and the public administration.
d) Right to portability
Right to receive the data that concerns you and that you provided in a digital format of current use and automatic reading or to request the direct transmission of such data to another entity that becomes the new responsible for your personal data whenever this transmission is technically possible.
e) Right to withdraw consent and right of opposition
Right to object or withdraw their consent, at any time, to a processing of data, provided that there are no legitimate interests that prevail over their interests, rights and freedoms, such as intervention in legal proceedings or in the process of tax nature.
f) Right of limitation
Right to request the suspension of the processing of your personal data or that the scope of treatment is restricted to certain categories of data or purposes of treatment and that such limitation does not conflict with the need to fulfill legal obligations of any order.
g) Automated decisions and profile definition
The Company may outline the profile of its customers and users based, in particular, on their age or eating habits, provided that such treatment is necessary to comply with the legal obligation or stem from the consent of the holder.
If the processing of personal data, including processing for the definition of profiles, is exclusively automatic, ie without human intervention, and can have legal effects or significantly affect the holder of the personal data, he has the right not to be subject to any decision based on such automatic processing, except as provided by law, and shall have the right to have the Company take the necessary and appropriate measures to safeguard its rights and legitimate interests, including the right to have human intervention in the making of the Company’s decision and the right to express its opinion and to challenge any decision made based on the automated processing of personal data.
h) Right of complaint
The holder of personal data has the right at any time to submit a complaint to the supervisory authority, CNPD ‐ Comissão Nacional de Proteção de Dados
i) Exercise of rights by the data subject
The exercise of the rights by the holder of the personal data is free, unless it is manifestly unfounded or excessive, in which case the Company may charge a reasonable rate that covers the costs involved in the analysis and assessment of the exercise of such right.
The owners of personal data may exercise the rights inherent in these personal data by submitting a written request, to be submitted in person or by post, at the Company’s premises, or through the following email: firstname.lastname@example.org
7. THE TRANSMISSION OF PERSONAL DATA
The personal data may be transmitted to third parties for them to be treated in the name and on behalf of the Company, in which case it will take appropriate measures to ensure that such third parties are recognized as suitable entities and offer high guarantees of respect for the protection of personal data in compliance with the applicable legal and regulatory norms and of this policy and privacy.
When such a situation occurs, the Company shall take appropriate measures to ensure that the entity that has access to personal data will assume the obligation to take the necessary technical and organizational measures to protect such data against its accidental or unlawful destruction, loss accidental, unauthorized alteration, dissemination or access and any other form of illicit treatment.
In any case, the Company remains responsible for the processing of personal data.
Personal data may only be transferred outside the European Union if such transfer is expressly requested by the holder.
8. RESPONSIBILITY ON THE COMPANY’S SERVICES AND WEBSITES
9. ACCESS TO THIRD PARTY WEBSITES
The collection or processing of the personal data requested by these third parties is the sole responsibility of the Company and can not be held liable under any circumstances for the content, accuracy, veracity or legitimacy of these websites or the misuse of data collected or processed by between them.
10. PROCEDURAL MEASURES AND SAFETY TECHNIQUES
The Company is committed to ensuring the security and protection of the personal data it receives and has adopted the appropriate technical and organizational measures to this effect, namely:
a) Password protection for access to personal data;
b) Restriction of physical entry in the places where the servers that store personal data meet;
c) Restriction of physical entry to the places where the paper documents contain the personal data of employees, suppliers or customers;
The Company informs that these security measures are reviewed and updated according to the needs that will be verified.
If, for any reason, there is a breach of security that causes accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data, the Company shall provide without undue delay and, where possible, within 72 hours of becoming aware of it and in accordance with the applicable legislation, to the competent authorities.
In the same way, the Company communicates the violation of the personal data to the respective holder of the personal data, in accordance with the applicable legislation.
Nonetheless, the security measures adopted by the Company, we advise users to take additional security measures, in particular, to ensure that there is an up-to-date active firewall, antivirus and anti-spyware.