With this policy we explain the fundamental information and rules about the processing of personal data in our activities. To facilitate your understanding, we present this policy in the form of questions and answers:
Who is responsible for the processing?
COFICAB Portugal LDA, with registered office at LOTE 46 INDUSTRIAL ESTRADA NACIONAL 18.1 KM 2.5 6300-230 VALE DE ESTRELA Portugal, Tax Identification Number PT503062928, is responsible for the processing of personal data and may be contacted through the contacts available on the website or by email firstname.lastname@example.org.
What is personal data?
Personal data is information relating to an identified or identifiable natural person (“data subject”), whereby an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, electronic identifiers or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
What is sensitive personal data?
Sensitive personal data is information relating to a natural person on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data enabling an unambiguous identification of a person, data concerning health, data concerning sex life or sexual orientation.
What principles do we respect when processing personal data?
In processing personal data we respect the following principles:
- Principle of lawfulness: personal data may be processed only under the conditions laid down by law;
- Principle of fairness and transparency: the processing of personal data should always be carried out fairly and transparently towards the data subjects;
- Principle of purpose limitation: personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with the purposes for which they were collected;
- Principle of minimisation: only personal data that are adequate, relevant and necessary for the purpose of the processing should be collected and processed;
- Principle of accuracy: Data should be accurate and up-to-date. Inaccurate data must be rectified without delay;
- Principle of limited storage: personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed;
- Principle of completeness and confidentiality: personal data shall be processed in a manner that ensures the security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by means of appropriate technical or organisational measures;
- Principle of accountability: the controller must comply with all the stated principles and be able to demonstrate this compliance.
When may we process personal data?
Whenever any of the following circumstances arise:
- Consent: by freely given, specific, informed and explicit statement of will, by which the data subject agrees, by a declaration or unequivocal positive act, that personal data concerning him/her may be processed;
- Contracts: Processing is necessary for the performance of a contract to which the data subject is party, or for pre-contractual steps at the request of the data subject;
- Legal obligation: Processing is necessary for compliance with a legal obligation to which the controller is subject (legal powers and duties);
- Legitimate interest: processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where the interests or fundamental rights and freedoms of the data subject require protection of personal data, in particular where the data subject is a minor.
When may we process sensitive personal data?
Whenever any of the following circumstances arise:
- Consent: by freely given, specific, informed and explicit indication of will, by which the data subject signifies his/her agreement to sensitive personal data relating to him/her being processed by means of a statement or an unambiguous affirmative act;
- Compliance with obligations and the exercise of specific rights: processing necessary for compliance with obligations and the exercise of specific rights of the controller or the data subject in matters of employment law, social security and social protection;
- Processing required for preventive medicine or occupational medicine: for assessment of the employee’s ability to work, medical diagnosis, the provision of health care or treatment.
What are the rights of the personal data subjects?
We will facilitate the exercise of the following rights by data subjects:
- Confirmation that personal data are processed: right to obtain information on whether and which data are processed;
- Right of access to personal data: consult and obtain a copy of the data processed;
- Right to rectify data: rectify and update the data processed;
- Right to restriction of processing: under certain conditions, the right to restrict the processing of your personal data;
- Right to lodge a complaint: You have the right to lodge a complaint with the competent supervisory authority, the National Commission for Data Protection – CNPD, if you consider that the processing carried out on your personal data breaches your rights and/or the applicable data protection laws. You may do so through the website www.cnpd.pt.
- Right to erasure of data (“right to be forgotten”): under certain conditions, request the erasure of your personal data;
- Right to data portability: obtain and transmit personal data in a structured, commonly used and machine-readable format;
- Right to object to processing: to object at any time, on grounds relating to your particular situation, to the processing of personal data;
- Right to withdraw consent: in the same way as you have given consent, you can withdraw it without compromising the lawfulness of the processing already carried out;
The exercise of these rights, under the terms and conditions provided for by law, may vary depending on the grounds for the data processing.
For assistance in exercising these rights, it will be sufficient to contact us through the contacts indicated above.
When do we process personal data and for what purposes?
We process personal data when:
- Data subjects submit applications to us for employment opportunities, or spontaneous applications or applications for work placements;
- Data subjects submit resumes to us in selection and hiring processes for professionals including for project development with our customers;
- Data subjects submit proposals to us or request other pre-contractual steps to negotiate contracts for the provision of services;
- Subject to prior consent of the data subjects, data may be shared with customers with a view to approval of the professional profile for placement of professionals in outsourcing;
- Contracts are entered into, including employment contracts with employees, service contracts with service providers, contracts with suppliers and contracts with customers;
- In contracts with service providers, suppliers and customers, we may process personal data of natural persons who are sole traders or legal representatives and employees of legal persons for the performance of the contract;
- Legislation requires or permits the processing of personal data, namely labour law, social security, tax and occupational medicine legislation, for the purposes laid down in that legislation;
- Personal data may be transmitted to third parties, public and private entities in compliance with legal obligations or execution of contracts;
- Data subjects give their consent to the processing of personal data, in particular in the collection of images or other data, in events promoted by COFICAB;
- In the case of sensitive data, they shall be processed in a limited manner and only where provided for by law and for the purposes laid down therein;
- Data subjects make contact through electronic communication, telephone communication or on the website;
- Data subjects access our website, in which case very limited and reduced “cookies” that do not require consent may be registered.
How do we meet transparency obligations?
Whenever we collect personal data we provide the following information:
- The identity and contact details of the controller;
- The purposes and grounds for processing;
- The recipients or categories of recipients;
- Whether transmission to third countries will take place and under what conditions;
- The period or criteria used to define the storage period;
- The rights of the data subjects already mentioned above;
- Whether or not the provision of the data constitutes a legal or contractual obligation or a requirement necessary to enter into a contract;
- Whether the data subject is obliged to provide the data and the possible consequences of not doing so;
- The existence of automated decisions including profiling, the rationale behind, the significance and the consequences of such processing.
Who processes your personal data?
As a rule, data is processed exclusively by COFICAB, which applies the appropriate and necessary technical and organisational measures to carry out the processing in accordance with the law, applying policies suitable for the protection of personal data.
It may happen that data processing is carried out by COFICAB in conjunction with other entities, in which case both are responsible for the processing, or that other entities carry out the processing on behalf of COFICAB. If this happens, COFICAB will enter into an agreement with the other entities involved in the processing, whether they are joint controllers or subcontractors, in which the conditions, responsibilities and obligations of each entity in the processing of data are established in order to ensure compliance with legal obligations and the rights of data subjects.
COFICAB enters into confidentiality and personal data protection agreements with all persons or entities that have contact with information about or process personal data.
For how long do we keep the data?
The storage period of personal data shall be that necessary for the fulfilment of the purposes of data processing, plus the period legally provided for the storage of documents where the data is recorded.
What are the security measures for personal data?
COFICAB adopts technical and organisational measures for the security of personal data in accordance with the following benchmarks:
- The recommendations for physical and electronic security of personal data published by the National Commission for Personal Data Protection;
- The information security reference requirements and controls including personal data provided for in the Information Security Management System in accordance with ISO 27001;
- For cybersecurity, in accordance with the National Cybersecurity Framework published by the National Cybersecurity Centre;
- The provisions on security of processing of the General Data Protection Regulation, Article 32 as appropriate:
  - Pseudonymisation and encryption of personal data;
  - The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  - The ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident;
  - A process to regularly test, assess and evaluate the effectiveness of technical and organisational measures to ensure the safety of processing.
What do we do in case of a personal data breach?
If there is an accidental or unlawful incident resulting in the destruction, loss, alteration, unauthorised disclosure of or access to personal data:
- We will notify the CNPD supervisory authority if the data breach is likely to result in a risk to the rights, freedoms and guarantees of individuals;
- We will document any personal data breaches, with the facts, effects, and remedies;
- We will notify data subjects if the breach is likely to result in a high risk to the rights, freedoms and guarantees of natural persons.
When do we carry out data protection impact assessments and prior consultation?
Where we carry out processing operations likely to result in high risks to the rights and freedoms of natural persons, in particular those provided for in the CNPD list, we will carry out an impact assessment of those processing operations prior to such processing. If the impact assessment results in an indication of high risk in the absence of measures taken, the supervisory authority will be consulted prior to processing.
How will we transfer personal data to third countries (outside the EU)?
We will only transfer personal data outside the EU if any of the following conditions are met:
- There is an adequacy decision by the European Commission;
- The transfers are subject to appropriate safeguards;
- There are binding corporate rules;
- The transfers can be carried out under the conditions of the specific derogations.
This policy may be subject to changes or updates always in compliance with the legislation in force.
You can obtain further information by contacting us.