Data Protection Policy
1- Commitment to Data Protection and Privacy
2- Definitions
3- Entity Responsible for Data Processing
4- Contact details of the Data Officer
5- Collection and Processing of Personal Data
6- Categories of Personal Data Processed and Data Subjects
7- Legal Principles
8- Foundations of Legitimacy
9- Purpose of Treatment
10- Data Processing Information Sheets
11- Data Retention Periods
12- Use of Cookies
13- Communication of Data to Other Entities
14- Data Recipients
15- International Data Transfers
16- Security Measures
17- Exercising the Rights of Personal Data Holders
18- Complaints or Suggestions
19- Incident Reporting
20- Changes to the Data Protection Policy
21- Express Consent and Acceptance
22- Special Data Protection Policies
23- Data Protection Officer
24- Versions of the Data Protection Policy
Data Protection and Privacy Commitment
EPDSI complies with all applicable EU and national legal standards regarding data protection, privacy, and information security.
EPDSI has implemented a Personal Data Protection System and an Information Security System to ensure regulatory compliance and demonstrate institutional responsibility in matters of data protection and information security, implementing all necessary technical and organizational measures deemed appropriate, both to comply with the general legal regime of the current Data Protection Law and to comply with the special legal regime of the General Data Protection Regulation, applicable since May 25, 2018.
For any clarification or additional information, or to exercise your rights in this area, please contact the EPDSI Data Protection Officer via email at protecaodedados@epdsi.pt.
Definitions
“Personal Data”
“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier. Personal identifiers include, for example, a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing of Personal Data”
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Cookies”
“Cookies” are small text files containing relevant information that devices used for access (computers, mobile phones or portable mobile devices) load, through the internet browser, when a website is visited by the Client or User.
Entity Responsible for Data Processing
EPDSI – Prestação de Serviços a Empresas, Lda, a legal entity with Tax Identification Number 504 526 146, hereinafter referred to as EPDSI, is the entity responsible for the online sites, systems or computerized applications, hereinafter referred to as channels or applications, through which Users, Service Recipients or Clients have remote access to EPDSI services that are presented or provided, at any time, through them, and is considered the entity responsible for the processing of personal data.
The use of the channels, systems or applications by any User, Service Recipient or Client may involve the processing of personal data, the protection, privacy and security of which is ensured by EPDSI, as the entity responsible for the respective processing, in accordance with the terms of this Data Protection Policy.
Contact details of the Data Controller
For contact with the Data Protection Officer of EPDSI, please send an email to protecaodedados@epdsi.pt or to each of the specific addresses identified on the websites, describing the subject of the request and indicating an email address, a telephone contact number or a postal address for reply.
For any other purpose, the following general EPDSI contact details may be used:
– Postal Address: Apartado 45, Entre as Águas, Estrada Nacional 255, s/n, 7860-909 Moura, Portugal;
– General Email: secretariado@epdsi.pt;
– General Telephone: +351 213 243 750;
– General Fax: +351 213 243 759;
– Website: epdsi.pt.
Collection and Processing of Personal Data
EPDSI processes personal data strictly necessary for providing information and operating its channels, according to the uses made by Users, Service Recipients, or Clients. This includes data provided for registering requests or obtaining information, data provided for subscribing to those channels, and data resulting from the use of services provided by EPDSI through them, such as access, consultations, instructions, transactions, and other records related to their use.
In particular, the use or activation of certain channel functionalities may involve the processing of various direct or indirect personal identifiers, such as name, home address, contact details, device addresses, or geographic location, whenever there is express consent from the User, Service Recipient, or Client, whenever this is necessary for managing the contractual relationship or pursuing legitimate interests, or finally, for the purpose of complying with legal obligations.
In all cases, Users, Service Recipients or Clients will always be informed of the need to access such data for the use of the functionalities of the channels in question.
The personal data collected by EPDSI is processed electronically, in certain cases in an automated way, including file processing or profiling, and within the scope of managing the pre-contractual, contractual or post-contractual relationship with Users, Service Recipients or Clients, in accordance with current national and EU regulations.
Categories of Personal Data Processed and Data Subjects
The categories or types of personal data that are processed are generally the following:
– Identification data;
– Contact data;
– Professional data;
– Billing data;
– Traffic and access control data.
In the Data Controller’s various establishments, biometric data may also be processed, collected through video surveillance systems or other installed biometric systems.
A detailed list of personal data categories and data subject categories can be found in the Data Processing Information Sheets.
Legal Principles
All data processing operations comply with the fundamental legal principles of data protection and privacy, particularly regarding data circulation, lawfulness, fairness, transparency, purpose limitation, data minimization, data retention, accuracy, integrity, and confidentiality. EPDSI is available to demonstrate its accountability to the data subject or any other third party with a legitimate interest in this matter.
Foundations of Legitimacy
All data processing operations carried out by EPDSI have a legitimate basis, namely, either because the data subject has given their consent to the processing of their personal data for one or more specific purposes, or because the processing is considered necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract, or because the processing is necessary for compliance with a legal obligation to which the controller is subject, or for purposes of public interest, or because the processing is considered necessary for the purposes of the legitimate interests pursued by EPDSI or by third parties.
Purpose of Treatment
All personal data processed within the EPDSI channels is exclusively intended for providing information to Users, managing the personal information of Service Recipients deemed necessary for relationship management or communication purposes, as well as providing services to Clients and, in general, managing the pre-contractual, contractual or post-contractual relationship with Users, Service Recipients or Clients.
The personal data collected may also be processed for statistical purposes, for disseminating information or promotional actions, and for communication actions, namely to promote the dissemination of new features or new services, through direct communication, whether by mail, email, messages or telephone calls or any other electronic communication service.
Provided that prior information and express authorization are always obtained for these latter purposes, Users, Service Recipients or Clients may, at any time, exercise their right to withdraw consent or their right to object to the use of their personal data for purposes other than managing the relationship with the Data Controller, namely for the pursuit of legitimate interests, for sending informational communications or for inclusion in informational lists or services, and must, for this purpose, send a written request addressed to the Data Protection Office of EPDSI, in accordance with the procedures indicated below.
Data Processing Information Sheets
In accordance with the principles of loyalty and transparency, and to guarantee compliance with the duty to inform, EPDSI directly delivers or makes publicly available to all holders of personal data, depending on how their personal data was collected, information sheets on the data processing operations carried out. These sheets are accessible for consultation at any public service unit or with the Data Protection Officer.
Data Retention Periods
Personal data will only be kept for the period necessary for the purposes that motivated its collection or subsequent processing, ensuring compliance with all applicable legal standards regarding archiving, and specifying the concrete retention period in each of the Data Processing Information Sheets.
Use of Cookies
EPDSI may use two main categories of cookies: cookies for online sites and cookies for direct electronic communication channels. Users or Clients are always guaranteed the option to disable cookies in either category.
EPDSI uses cookies on its online sites to improve the performance and browsing experience of Users and Clients, increasing the speed and efficiency of response and eliminating the need to repeatedly enter the same information.
The use of cookies helps online sites recognize Users’ and Clients’ devices the next time they visit, and in some cases, is essential for their operation.
The cookies used by EPDSI, across all its channels, do not collect personal information that allows the identification of Users or Clients, only storing generic information, such as the method or geographical location of access and how they use the channels, among other things. The cookies only retain information related to the preferences of Users and Clients, and no personal identifiers are recorded.
Users, Service Recipients, and Clients may, at any time, through the computer application they use to browse the internet (“browser”), decide to be notified about the receipt of “cookies,” as well as to block their entry into their system.
Regarding the type of intended purposes, EPDSI may, whenever justified, use three different types of “cookies,” according to the following specifications:
(i) Essential cookies – some cookies are essential to access specific areas of online channels, allowing navigation and use of their applications, such as access to secure areas of the sites, through user registration – without these cookies, the services that require them cannot be provided;
(ii) Functional cookies – Functional cookies allow us to remember user preferences regarding navigation on online sites, thus eliminating the need to reconfigure and personalize them each time they visit;
(iii) Analytical cookies – These cookies are used to analyze how users use online sites, allowing us to highlight articles or services that may be of interest to users, monitor site performance, as well as identify the most popular pages, the most effective method of linking between pages, or determine why some pages are receiving error messages – these cookies are used only for statistical creation and analysis purposes, never collecting personal information.
In this way, EPDSI can provide a high-quality experience to Users, Service Recipients, or Clients, personalizing information and offers and identifying or correcting any problems that may arise in the context of their use.
Regarding the type of validity, there are two types of cookies:
(i) Permanent cookies – these are cookies that are stored on the devices used to access the channels (computers, mobile phones, etc.), at the level of the computer application used to browse the internet (“browser”), and are used whenever Users or Clients visit any channel again – in general, they are used to direct navigation according to the User’s or Client’s interests, allowing EPDSI to provide a more personalized service;
(ii) Session cookies – these are temporary cookies, which are generated and are only available until the session ends, since the next time the Client/User accesses their internet browser (“browser”) the cookies will no longer be stored – the information obtained allows managing sessions, identifying problems and providing a better browsing experience.
Users, Service Recipients, or Clients may disable some or all cookies at any time – to do so, they should follow the instructions available in each of the computer applications used to browse the internet (“browser”). However, disabling cookies may result in the loss of access to some website functionalities.
EPDSI, within the scope of direct electronic communication channels, may also use cookies when opening different electronic communications sent, such as newsletters and emails, for statistical purposes – allowing it to know if these communications are opened and to track clicks through links or advertisements within those communications.
Also in this category of cookies, Users, Service Recipients, or Clients always have the option to disable the sending of electronic communications through the specific option in the footer of those communications.
Data Communication to Other Entities
The provision of information or services by EPDSI to its Users, Service Recipients, or Clients through its channels may involve the use of services from subcontracted third-party entities, including entities based outside the European Union, for the provision of certain services. This may imply access to personal data by these entities.
In these circumstances, and whenever necessary, EPDSI will only use subcontracted entities that provide sufficient guarantees of implementing appropriate technical and organizational measures in a way that ensures the processing meets the requirements of applicable regulations. These guarantees will be formalized in a contract signed between EPDSI and each of these third-party entities.
Data Recipients
Except in the context of fulfilling legal obligations, executing contracts, or pursuing legitimate interests, under no circumstances will personal data of Users, Service Recipients, or Clients be communicated to third parties other than subcontractors or legitimate recipients, nor will any other communication be made for purposes other than those mentioned above.
International Data Transfers
Any transfer of personal data to a third country or international organization will only be carried out in compliance with legal obligations or with the guarantee of conformity with applicable Community and national legal standards in this matter.
Security Measures
Taking into account the most advanced techniques, the costs of application, and the nature, scope, context, and purposes of the processing, as well as the risks, of varying probability and severity, for Users, Service Recipients, or Clients, EPDSI and all entities subcontracted by it apply appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
To this end, various security measures are adopted to protect personal data against its dissemination, loss, misuse, alteration, unauthorized processing or access, as well as against any other form of unlawful processing.
It is the sole responsibility of Users, Service Recipients, or Clients to keep their access codes secret, not sharing them with third parties. Furthermore, in the particular case of computer applications used to access the channels, they must maintain and keep the access devices secure and follow the security practices advised by manufacturers and/or operators, particularly regarding the installation and updating of necessary security applications, including, among others, antivirus applications.
If it becomes necessary to subcontract services to third-party entities that may have access to the personal data of Users, Service Recipients, or Clients, EPDSI’s subcontractors will be obliged to adopt the security measures and protocols at the organizational level and the technical measures necessary to protect the confidentiality and security of personal data, as well as to prevent unauthorized access, loss, or destruction of personal data.
Exercising the Rights of Personal Data Holders
Users, Service Recipients, or Clients of EPDSI, as holders of personal data, may at any time exercise their data protection and privacy rights, including the rights of access, rectification, erasure, portability, restriction of processing, or objection to processing, under the terms and with the limitations provided for in the applicable regulations.
Any request to exercise data protection and privacy rights must be addressed in writing by the respective holder to the Data Protection Officer, in accordance with the procedure and contact described below.
Complaints or Suggestions
Users, Service Recipients, or Clients have the right to file a complaint, either by registering the complaint in the Complaints Book or by submitting a complaint to the regulatory authorities – in the latter case, they may submit a petition or complaint directly to the National Data Protection Commission through the contacts available at www.cnpd.pt.
Users, Service Recipients, or Clients may also submit suggestions by email to the Data Protection Officer at protecaodedados@epdsi.pt.
Incident Communication
EPDSI has implemented an incident management system within the scope of data protection, privacy, and information security.
If any User, Service Recipient, or Client wishes to report any personal data breach that accidentally or unlawfully results in the destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed, they may contact the Data Protection Officer or use EPDSI’s general contact information.
Changes to the Data Protection Policy
In order to guarantee its updating, development and continuous improvement, EPDSI may, at any time, make changes to this Data Protection Policy that are considered appropriate or necessary, ensuring its publication through various channels to guarantee transparency and information to Users, Service Recipients and Clients.
Express Consent and Acceptance
The terms of the Data Protection Policy are complementary to the terms and provisions regarding personal data set forth in the Specific Terms of Use of each of EPDSI’s channels.
The free, specific, and informed provision of personal data by the respective owner implies knowledge and acceptance of the conditions contained in this Policy. By using the channels or providing their personal data, Users, Service Recipients, and Clients expressly authorize its processing, in accordance with the rules defined in each of the applicable channels or collection instruments.
Special Data Protection Policies
With a commitment to transparency and information, and to ensure the adequacy of the Data Protection Policy to the different data processing operations carried out and, above all, to the different categories of data subjects, EPDSI may develop special Data Protection Policies, such as, for example:
– the Data Protection Policy in the Workplace;
– the Data Protection Policy in Application Management; and
– the Data Protection Policy for Supplier Employees.
These special policies are made available directly to the respective categories of data subjects and are available for consultation upon request to the Data Protection Officer.
Data Protection Officer
To exercise any type of data protection and privacy rights, or for any matter relating to data protection, privacy and information security, Users, Service Recipients and Clients who interact with EPDSI may contact the Data Protection Officer via email at protecaodedados@epdsi.pt, describing the subject of the request and indicating an email address, a telephone contact number or a postal address for a response.
Versions of the Data Protection Policy
Version of this Policy: Version 3.0.
Date: 20210425.
To consult previous versions of the Data Protection Policy, please send a request by email to protecaodedados@epdsi.pt.
