I – PRIVACY AND THE PROTECTION OF PERSONAL DATA
The privacy and protection of the personal data of all users of services provided by A Padaria Portuguesa CQ Actividades Hoteleiras, Lda., (hereinafter “A Padaria Portuguesa”), clients, suppliers, partners, collaborators, owners, tenants, etc. (“Data Subjects”), at all times, constitutes an essential aspect in the way that this company acts and is organised.
Therefore, A Padaria Portuguesa seeks to ensure that all Data Subjects are aware, at all times, of the rules and principles relating to the protection and processing of personal data, by making all possible efforts to ensure the safety of such data, in accordance with the standards and procedures defined in applicable legislation, specifically the General Data Protection Regulation and the Law on Personal Data Protection (Law no. 67/98 of 26 October).
To this end, the company adopts best technical and organisational practices to protect the personal data of the Data Subjects against loss, accidental or unlawful removal and undue alteration, as well as against integrity breaches, or unauthorised access or disclosure.
A Padaria Portuguesa also recommends that its Data Subjects adopt additional security measures, such as keeping equipment and programmes duly updated and configured, using protection against malicious software and firewall, and not browsing on websites for which they do not have the appropriate guarantees of authenticity.
II – WHAT ARE PERSONAL DATA?
Personal data are information, of any type, regardless of medium, including sound and images, relating to a single identified or identifiable natural person. An identifiable person is considered as one who may be identified directly and indirectly, specifically by reference to an identification number or to one or more specific elements of their physical, physiological, psychological, economic, cultural or social identity.
III – PURPOSES OF PROCESSING AND LEGAL GROUNDS
The data processed by A Padaria Portuguesa are collected within the scope of recruitment and management of human resources, provision of vehicles, invoicing, marketing, provision and supply of services and goods; in particular, property search and marketing, client representation, the undertaking of architectural and specialised projects, licencing studies, project management, monitoring, inspection, and management of works, and the preparation of valuation reports and market studies.
These data may include identification details, such as numbers and validity of identity documents – or duly authorised copies of these; personal tax and social security numbers, the quality and capacity in which they act, signatures, names, email addresses, phone numbers, addresses, roles, details of other family members, marital status, academic qualifications, IBANs and information on clients’ contractual interests and objectives.
With regard to the business relationships it establishes, A Padaria Portuguesa may carry out different activities involving the processing of personal data for the following purposes, among other legally admissible ends:
Administrative, commercial, labour, tax and accounting or invoicing management; management of complaints / suggestions; making and signing contracts, specifically the sending of relevant information to a counterparty in a business relationship, including information about changes to contracts, products or contracted services; requests for authorisation, payment for services; requests for the issuing of documentation to public and/or private bodies; projections for new supplies or services relating to those above; the undertaking of studies which will enable improvements in supplies or services carried out; the sending of information on new products or services which are similar to others contracted previously or which may be of interest to clients, by any means including electronic, even after the business relationship with the counterparty has ended;
Compliance with legal obligations to maintain and store documents which fall to A Padaria Portuguesa; promoting and issuing invitations for initiatives, conferences and other events relating to activities of A Padaria Portuguesa in which the Data Subjects may have an interest, on the basis of the previously existing contractual relationship with A Padaria Portuguesa. Upon accepting the contractual/business relationship, Data Subjects agree to the processing of their data for the purposes described, without prejudice to any rights which may be applicable to them.
The processing of such data will always be done with the prior consent of the Data Subjects, except where A Padaria Portuguesa has a legal obligation to do so.
IV – CONTROLLER RESPONSIBLE FOR COLLECTING AND PROCESSING PERSONAL DATA
A Padaria Portuguesa is the Data Controller responsible for collecting and processing the personal data of the Data Subjects, under the terms of Article 4(7) of the General Data Protection Regulation; it falls to the former to decide, within the context of the service-providing relationship established with the Data Subject, which personal data are collected, the methods of processing the collected data, and the purposes for which they are used.
V – RESPONSIBILITY FOR DATA COMMUNICATED TO THIRD PARTIES
A Padaria Portuguesa may, in the exercise of its activity and within the scope of the services it provides, subcontract third parties to pursue the purposes discussed above and develop and manage its information systems; this may mean that the personal data of its Data Subjects needs to be accessed by these organisations. Where this is the case, A Padaria Portuguesa will take the appropriate measures to ensure that organisations which have access to such data offer the highest technical, organisational and human guarantees in this area.
As such, Third Parties subcontracted by A Padaria Portuguesa shall be obliged, by law as well as by virtue of the agreement signed with A Padaria Portuguesa, to put into practice the appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, dissemination, alteration, disclosure, unauthorised access and any other type of unlawful processing; and shall furthermore be bound to special duties of professional secrecy and confidentiality.
Other than in such cases as these, A Padaria Portuguesa will only transmit the personal data of its Data Subjects to Third Parties when:
- it is obliged to do so by virtue of law and then only insofar as is strictly necessary in terms of its obligations; or
- in cases where the law expressly permits this, if the Data Subject expressly and specifically authorises such transmission and is appropriately informed, in writing, of the destination of the personal data and the end use of the transmitted data.
In either of these cases, A Padaria Portuguesa remains responsible for the personal data made available by the Data Subjects.
The provision of specific services by A Padaria Portuguesa may mean that your personal data is transferred outside of Portugal. In this event, the company declares that it will comply strictly with regard to determining the suitability of the destination country in terms of personal data protection and of the requirements applicable to such transfers, under the terms established by law.
VI – CONDITIONS OF PERSONAL DATA COLLECTION
A Padaria Portuguesa only collects and processes the personal data of Data Subjects with their express consent, in accordance with each of the specific end uses for the processing in question, under the terms established by the General Data Protection Regulation and the Law on Personal Data Protection.
Data Subjects may withdraw their consent at any time, without financial penalty.
Data Subjects are also aware that they may, in the event of the latter, always exercise their rights relating to the personal data processed by A Padaria Portuguesa by contacting the National Data Protection Commission (CNPD).
However, some personal data are essential in order for A Padaria Portuguesa to provide its services (obligatory data); Data Subjects must be duly and previously informed of this need and of the consequences of not providing the stated data.
If those personal data considered essential are not provided by Data Subjects, or if they are found to be insufficient, incorrect or deactivated, A Padaria Portuguesa will not be able to provide the subscribed Service(s) and the Data Subjects in this case will assume full and exclusive responsibility for the insufficiency or incorrectness of the transmitted data.
VII – PERIOD FOR WHICH THE PERSONAL DATA WILL BE KEPT
A Padaria Portuguesa will only keep Data Subjects’ personal data for the period strictly necessary to allow:
- provision of the Service(s);
- compliance with legal obligations to which A Padaria Portuguesa is subject;
- the pursuit of the purposes for the collection and/or processing;
- the exercising of Data Subjects’ rights and compliance with the corresponding obligations.
Where the National Data Protection Commission (CNPD) authorises Data Subjects’ personal data to be kept for periods which exceed the duration of the contract for the provision of services in order to meet the specific end-purpose of the processing in question, the Data Subject shall be duly informed, in a timely manner, of this purpose and of the period for which the data will be kept.
Once the period for keeping/storing the data has ended, under the terms above, the Data Subjects’ personal data will be permanently deleted by A Padaria Portuguesa.
VIII – DATA SUBJECTS’ RIGHTS WITH REGARD TO THEIR PERSONAL
In accordance with the provisions of the General Data Protection Regulation and the Law on Personal Data Protection, as the owners of the personal data, Data Subjects are guaranteed the right to access, correct, update and delete their personal data at no cost to themselves.
In any of the cases above, the Data Subject may exercise their legitimate rights by sending written notification via email to: email@example.com.
IX – UNSOLICITED EMAILS FOR DIRECT
The Data Subject’s contact details may be used by A Padaria Portuguesa, where expressly authorised by the former, as part of direct marketing activities and to promote the services which it provides, as prescribed by law.
Where a Data Subject is a legal person, A Padaria Portuguesa may send unsolicited communications for direct marketing purposes relating to goods and services provided by them or by a company in the same Group, except where the Data Subject expressly opts out of receiving this type of communication in the future and appears on the national register of legal persons who have expressly stated that they do not wish to receive unsolicited communication for direct marketing purposes; it is the responsibility of the General Consumer Directorate (DGC) to keep this updated.
In any of the above cases, the Data Subject has the right to oppose, expressly and free from any cost, the sending by A Padaria Portuguesa of electronic communications for direct marketing purposes, by sending written notification via email to: firstname.lastname@example.org
X – COOKIE DATA
WHAT ARE COOKIES?
Cookies are small pieces of text which are stored in the Data Subject’s computer via the browser, which just store information relating to the user’s preferences (generic information); they do not contain any of their personal data.
The cookies used by A Padaria Portuguesa observe the principles of anonymity and confidentiality, and their only purpose is to recognise the user. They are not used in any way to collect information which could identify the user, or for direct marketing purposes.
The cookies help A Padaria Portuguesa’s website to recognise the user’s device the next time they visit.
At any time, the user may choose to be notified, via their browser, of the receipt of cookies, and will be able to block them from entering their system.
The user is notified that if they refuse to accept the cookies, they may not be able to gain access to some areas of the website and/or receive personalised information.
WHAT ARE COOKIES USED FOR?
Cookies are used to determine the usefulness, interest and number of times the A Padaria Portuguesa website is used. They enable faster and more efficient web browsing, and eliminate the need to repeatedly enter the same information.
WHAT TYPE OF COOKIES ARE USED BY A PADARIA PORTUGUESA?
The cookies used by A Padaria Portuguesa have different functions and differ in the following ways:
- Cookies which are strictly necessary (essential): these enable users to browse the website and use its applications, as well as to gain access to secure areas of the website. Without these cookies, it would not be possible to provide the Service(s) to which the Data Subject has subscribed. Some cookies are essential in order to access specific areas of the A Padaria Portuguesa website.
- Analytics cookies: these are performance cookies, used to find out more about which are the most popular pages, which link between the pages is most effective, or to determine why certain pages may be receiving error messages. These cookies are used only to create and analyse statistics, and no personal information is collected.
- Functionality cookies: these save the user’s preferences when they use the website, so that they do not need to configure the website again and again at each visit.
Cookies may be:
Permanent: they remain stored, for varying lengths of time, in the internet browser on the access devices, and are used every time the user revisits the website. They are usually used to assist the browser according to the user’s specific interests, and enable us to provide a more personalised service.
Session Cookies: These are temporary; the cookies remain in the browser until the user leaves the website. The information obtained helps to identify problems and provide a better browsing experience.
HOW TO MANAGE COOKIES
All browsers allow the user to accept, refuse or switch off cookies, by selecting the appropriate settings in the respective browser.
XI – PROCESSING METHODS AND SECURITY TECHNIQUES
A Padaria Portuguesa applies all of the necessary technical and organisational measures to ensure that, by default, only personal data which are necessary for each specific processing purpose are collected from the Data Subjects; these are periodically reviewed and updated by the department responsible.
A Padaria Portuguesa has also implemented necessary and appropriate technical, physical, organisational and safety measures to protect personal data from accidental or unlawful destruction, accidental loss, alteration, disclosure, unauthorised access and any other form of unlawful processing.
To this end, A Padaria Portuguesa has adopted different security mechanisms and procedures, following best practice in terms of information security in the systems which support the services it provides and which hold the data of its Data Subjects; in particular, the use of firewalls and intrusion detection systems, the existence of restricted access – both physical and logistic, logging, and the respective monitoring and auditing, collection and transmission of personal data via secure methods.
Personal data collected by A Padaria Portuguesa remain securely stored in its systems which, in turn, are held in a data centre belonging to the same company which covers all physical and logical security measures that are essential for the protection of personal data.
Whenever it is necessary to communicate Data Subjects’ personal data to Third Parties, A Padaria Portuguesa will be responsible for the personal data in question and undertakes that:
- the sharing of personal information will abide by current legal standards in force;
- transmission is made securely, specifically via the use of encryption protocols, and
- all Third Parties are contractually obliged to abide by duties of confidentiality and secrecy and to ensure the security of personal data which, for this effect, are communicated to it. It may not use such data for any other purpose, for its own benefit or that of third parties, or correlate it with other data which it may find available.