1. Introduction
2. Responsible entity
2.1. Identification
2.2. Exercise of rights
3. Definitions
3.1. Personal data
3.2. Identifier
3.3. Special personal data
3.4. Processing of personal data
3.5. Personal data subjects
4. General
4.1. Collection of personal data
4.2. Fundamentals for the processing of personal data
4.3. Processing of personal data
4.4. Purpose of collecting and processing personal data
4.5. Sharing and transmitting personal data
4.6. Data retention period
5. Rights of the personal data subjects and response to requests from data subjects
5.1. Right of access
5.2. Right of rectification
5.3. Right of data portability
5.4. Right of opposition
5.5. Right to withdraw consent
5.6. Right to be forgotten
5.7. Right to restriction of processing
5.8. Right to not be subjected to any automated decision
6. Procedural and technical security measures
7. Use of the website
7.1. Content and information
7.2. Link to and from other websites
8. Final provisions
8.1. Privacy and Data Protection Policy Update
8.2. Applicable Legal Order and Competent Forum
We present below the Privacy and Data Protection Policy adopted by Alfratrix, Lda. (hereinafter also referred to as "Alfratrix" or "the Company"), making known to all interested parties their rights, as well as the procedures implemented by the Company regarding the collection and the use of the personal data, that it may be provided with.
At Alfratrix, we are committed to using the data that are provided to us, or that are obtained through access to databases, or even those from any source of public information, strictly for the purposes that are clearly identified.
In order to ensure this objective, the Company has adopted various security measures, of a technical and organizational nature, so as to protect the personal data collected against its disclosure, loss, misuse, alteration, unauthorized processing or access, as well as against any other form of unlawful processing.
Finally, it should also be noted and ensured that the work carried out by Alfratrix in the pursuit of its corporate purpose does not materialise in the collection and/or processing of personal data, including those under protection and special protection by Regulation (EU) 2016/679 of the European Parliament and the Council of April 27th, 2016 – hereinafter mentioned as "General Data Protection Regulation" or, abbreviated as "GDPR". However, for situations related to the good, effective and relevant communication that is necessary to carry out in order to develop the services requested by the Company, it may be necessary to use personal data and, only in exceptional situations, the use of sensitive personal data.
Alfratrix, Lda. has its head office at Rua General Massano Amorim, nr. 11 A, 1300-270 Lisbon, Ajuda parish, Lisbon municipality, and also an office at Av. do Brasil, nr. 43 – 3rd Drt., 1700-062 Lisbon, Campo Grande parish, Lisbon municipality, is registered in the Commercial Registry Office of Lisbon under the single registration and corporate taxpayer number 508.827.078, and is the responsible entity for the correct protection and maintenance of the privacy of the personal data in its possession.
The personal data subject, or his/her legal representative with powers for such purpose, may exercise his/her rights free of charge, unless this is a manifestly unfounded or excessive request, in which case a reasonable fee may be charged taking into account the costs incurred and/or generated by the request.
Alfratrix shall endeavour to respond to all and any requests within a maximum period of 30 days, except in cases that are manifestly complex.
The above-mentioned rights may be exercised by the following means:
§ By letter sent to the following address:
Alfratrix, Lda.
Av. do Brasil, nr. 43 – 3rd Drt.
1700-062 Lisboa
§ By email to: geral@alfratrix.pt
Nevertheless, if the rights’ holder, following the exercise of any or some of his/her rights, is not satisfied with Alfratrix's response, he/she is entitled to file a complaint before the National Data Protection Commission (CNPD – “Comissão Nacional de Proteção de Dados”) about matters pertaining the processing of his/her personal data.
‘Personal data' within the meaning of the GDPR, are all and any information relating to a natural person ('data subject') that is identified or identifiable, directly or indirectly, in particular by reference to an 'identifier'.
An 'identifier' can be, for example, a name, an identification number, any location data, any electronic identifiers, or one or more specific elements of the physical, physiological, genetic, mental, economic, cultural or social identity of the 'data subject'.
Under the GDPR, 'special personal data' are the ones that disclose racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union affiliation, genetic information, biometric data leading to the unambiguous identification of a person, health data, and data relating to sexual life or sexual orientation, unless there is a legitimate basis for the collection and processing of such data or information.
"To process", "process", "processing" or "processed" shall mean any operation or set of operations performed by automated or non-automated means, involving personal data, including, without limitation, accessing, collecting, recording, organizing, structuring, preserving, storing, adapting or altering, retrieving, consulting, using, disclosing, disseminating or otherwise making available, aligning, combining, blocking, limiting, erasing and destroying personal data, as well as any other identical definition or definitions provided for in the GDPR, in case of those being more comprehensive than this definition.
The 'personal data subjects' are the customer or the potential natural person customer, or the representatives of a legal person to whom the personal data refers to, and who enjoys, or intends to enjoy, the products and/or services made available by Alfratrix.
This document aims at establishing and making known to all interested parties the rules for guaranteeing the privacy of personal data received and kept on file by Alfratrix, following the contacts established and related to the products marketed by it and/or the services provided by it.
Throughout this document, it is mentioned the control and guarantee mechanisms implemented in order to achieve the highest possible level of privacy on personal data, as well as in order to inform interested parties as to their rights.
Personal data may be, inter alia, directly (i.e., in direct contact with any employee from Alfratrix) or indirectly (i.e., collected by any another person in the context of further professional and commercial relations) collected by Alfratrix, in the following circumstances:
§ For the purpose of drawing up a business proposal, placing products with customers, awarding services, supporting the conclusion and execution of contracts;
§ In person, by telephone, by letter or by other written means on its website (www.alfratrix.pt) when the Company is asked, inter alia, any of the following requests for:
ü Issuing a business proposal;
ü Scheduling a meeting;
ü Answering technical and non-technical queries or questions; or
ü Filling out surveys;
§ When the person agrees to receive our regular communications, having given us his/her consent to that effect, as a result of a direct request, or as a result of the absence of a request to remove contacts from our database;
§ When a person participates in events organized by our partners and/or customers and, with express consent, that person’s data are made available to us for the purposes indicated in the request for consent.
For all due purposes, and pursuant to the legislation in force and this Privacy and Data Protection Policy, it is regarded that the personal data processed by Alfratrix are deemed lawful when at least one of the following occurs:
§ the data subject, or his/ her legal representative empowered for such, has given his/her explicit consent;
§ if the data collected are necessary for the provision of services or the performance of contracts in which the data subject is an interested party;
§ the data are necessary for the Company to comply with obligations or legal responsibilities to which it is, or will be, linked and/or bound by;
§ when acquired, directly or indirectly, from public databases, Alfratrix assumes for this purpose that the originating entity holding these data is in full compliance with the legislation in force in what concerns the collection and processing of personal data.
The personal data subject has the right, at any time, to withdraw the consent previously given with respect to the processing of the data collected, and such action does not compromise the lawfulness of the processing carried out on the data up to that time.
The personal data collected and processed by Alfratrix will not be of a special nature and may include:
ü Name;
ü Address;
ü Email address;
ü Land and mobile phone numbers;
ü Taxpayer number;
ü Other data that prove necessary for the proper and correct execution of the services that are requested and awarded to Alfratrix and/or, where applicable, for the invoicing of the inherent service rendering fees.
The fundamentals that legitimise the processing of personal data are as follows:
§ Consent: personal data may be processed by the freely, express, informed and explicit expression of will, in which the user accepts, by means of an unequivocal positive statement or act, that his/her personal data will be processed for the purposes indicated;
§ Pre-contractual steps and/or execution of a service contract: personal data may be necessary for the clarification of doubts, presentation of a proposal, and/or for the conclusion, execution and management of the services contracted or to be contracted;
§ Compliance with a legal obligation: personal data may be necessary for the fulfilment of a legal obligation to which the responsible entity is subjected;
§ Legitimate interest: personal data may also be used to improve and monitor the quality of the services provided, e.g., the analysis and processing of information concerning the quality and performance of the various means and processes of providing the services, the management of complaints and/or the fulfilment of a legal obligation imposed on the Company.
In the event of a client being a legal person, and in order to be able to fulfil its contractual obligations, Alfratrix will or may need to collect some personal data (name, email address and telephone / mobile phone) from the representative(s) or from the employee(s) of that client, for the sole purpose of allowing the proper execution of the corresponding contract.
In such circumstances, the said legal person shall ensure that the data collected from its representative(s) / employee(s) are lawfully transmitted to Alfratrix and shall confer on personal data subjects – its representative(s) or employee(s) – the right to information with regards to the processing and retention of such data.
It is our commitment that all data to be legitimately collected and processed by Alfratrix will be:
§ Lawfully, fairly and transparently processed;
§ Collected and processed exclusively for purposes that are agreed or previously stated;
§ Kept adequately and securely, allowing the identification of data subjects, for a period compatible with the purpose for which they are intended.
Furthermore:
§ Data that are inaccurate and/or outdated will be removed from the database or rectified as soon as this is perceived and/or communicated to us;
§ The processing and storage of personal data will be carried out in compliance with adequate levels of protection, avoiding the access, consultation, processing, copying or any other unauthorized or unlawful action, as well as its accidental loss and/or destruction.
Alfratrix’s purposes in collecting and processing personal data are as follows:
§ Customer and customer’s contractual position management;
§ Sending of regular technical communications;
§ Management of supplier relations;
§ Selection and recruitment of human resources; and
§ Compliance with obligations and legal responsibilities to which the Company is, or will be, bound by.
Alfratrix undertakes not to transmit or communicate any personal data to third parties without obtaining proper authorization from the respective subject, or from his/her duly mandated legal representative.
Alfratrix transmits personal data only when necessary and for the purposes described above, in particular with a view to providing the services requested.
Suppliers and/or service providers subcontracted / to be subcontracted by Alfratrix are / will be subjected to the same terms and conditions of processing of personal data.
Accordingly, they are / will be expressly prohibited from using, processing, transferring, disclosing or recording the personal data of the subject for any purpose other than that for which they were specifically (sub)contracted, whether or not the express consent of the respective subject applies, depending on whether or not the processed data is subject to the consent regime.
In its field of business, Alfratrix may be obliged to comply with certain legal duties that imply the processing of personal data without the consent of the respective subject. In this context, compliance with such legal obligations may imply the need to process personal data, such as:
§ Compliance with legal, regulatory and/or administrative provisions;
§ Compliance with legal obligations relating to the reporting or response to public authorities, or agencies in charge of the pursuit of public functions;
§ Compliance with obligations related to statistical purposes;
§ Prevention and the fight against fraud and/or money laundering and financial crime.
The personal data that may be collected by Alfratrix will be kept throughout the contractual or commercial relationship that is established with the customer. Once that relationship or contractual relationship has ceased, the data obtained shall be deleted after a period of 10 years, unless another time limit of an imperative nature results out of the law or if there are any ongoing judicial proceedings concerning those data.
However, Alfratrix may retain personal data for periods longer than the duration of the service contracts established, on the basis of the user’s consent, in order to ensure rights and duties related to situations in which Alfratrix has a legitimate interest, while always respecting the period necessary to pursuit the purpose for which they were collected.
Personal contact details (name, address, telephone / mobile phone and email address) will be kept after the end of the contractual or commercial relationship for statistical purposes and in order to send regular technical communications until the respective subject or legal representative asks for them to be removed.
Personal data obtained in other situations not included above will be kept for a maximum period of 3 years.
Once the maximum retention period has been reached, personal data will be irreversibly anonymised (anonymised data may be stored) or destroyed in a safe manner.
Alfratrix guarantees the applicability and enforcement of all the rights of the personal data subjects provided for in the GDPR and other applicable legislation in force.
Whenever a communication that may involve the collection and processing of personal data by Alfratrix is initiated, the other party shall be informed of the Privacy and Data Protection Policy in force in the Company, and such knowledge may be carried out through one of the following means:
• Verbally;
• Through this document, in its printed or digital form;
• With reference to the Alfratrix website on which this document remains available.
Furthermore, it is assumed that the other party is aware of the laws that apply with respect to the protection of personal data (notably, the GDPR), so that the failure to make this document available cannot be understood as malevolent, nor will that result in the possibility of imputation of any responsibilities or burdens to Alfratrix or any of its collaborators, by third parties.
The respective subject has the right to obtain confirmation from Alfratrix whether his/her personal data are, or not, processed and, where applicable, the subject has the right to access his/her personal data and the information relating to the processing of such.
The subject also has the right to obtain from Alfratrix, without undue delay, the rectification of inaccurate personal data concerning him/her, having also the right to correct and/or complete his/her personal data.
Whenever the processing of personal data is based on the express consent of their subject, or whenever it is carried out with a view to the performance of a contract, or when it is carried out by automated means, the personal data subject has the right to receive the personal data concerning him/her and which he/she has provided to Alfratrix, in a structured, commonly used and automatic reading format. He/she has also the right to transmit such data to another controller (if technically possible).
The personal data subject has the right to object, at any time, to the processing of his/her personal data, when there are no compelling and legitimate reasons for the processing that prevail over his/her interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
It should also be noted that the subject has the right to object, at any time, to the processing of his/her personal data for direct marketing purposes, including the definition of profiles related to such marketing and/or direct marketing. In this case, Alfratrix undertakes to cease the processing of the data for such purpose.
The personal data subject may, at any time, change his/her consent, limit it to certain types of processing or even withdraw it. However, the withdrawal of consent does not compromise the lawfulness of the treatment previously performed on the basis of the consent previously provided. Thus, if the data subject decides to withdraw his/her consent, Alfratrix will no longer be able to process his/her personal data, unless, under the law, there is another basis that can validly justify such processing.
The data subject is entitled to have his/her data deleted by Alfratrix and without undue delay, provided that:
§ the personal data are no longer necessary for the purpose that motivated their processing
§ whenever consent is withdrawn and there are no other valid grounds for their retention;
§ whenever there is opposition to the processing and there are no prevailing legitimate interests that justify it, which situation is to be assessed on a case-by-case basis;
§ under a legal or contractual obligation to which Alfratrix is subject or bound, the personal data must be erased;
§ personal data have been unlawfully processed;
§ as well as in other cases legally set out.
The right to be forgotten does not apply where the processing of personal data is necessary:
§ to the exercise of freedom of speech and information; or
§ to the compliance with a legal obligation requiring processing of data; or
§ for reasons of public health interest; or
§ for the purposes of public interest, scientific, historical research or statistical purposes, whenever the exercise of the right to erasure the data is likely to seriously and irreversibly jeopardise or undermine the achievement of the objectives of such processing; or even
§ for the establishment, exercise or defence of legal claims.
In certain situations, the personal data subject has the right to obtain from Alfratrix the limitation of the processing of his/her data, specifically and in particular:
§ if he/she disputes the accuracy of his/her personal data for a period that allows Alfratrix to verify their accuracy;
§ if the processing is unlawful and the data subject opposes the erasure of personal data and requests only the limitation of their use;
§ whenever personal data are no longer necessary for the purposes of the processing, but are required by the subject for the purpose of the establishment, exercise or defence of legal claims; and
§ whenever the personal data subject objects to the processing (until it is proved that the reasons for Alfratrix's legitimate interest prevail over his/her own), as well as in any other cases legally provided for.
The personal data subject has the right not to be subject to any decision taken solely by the automated processing of his/her personal data, including the definition of profiles that have effects in his/her legal sphere and/or that significantly affect him/her in a similar way.
Alfratrix uses physical, technological and organisational security measures appropriate to the protection of personal data in order to ensure their protection against any misuse, accidental or unlawful destruction, accidental loss, alteration, disclosure, dissemination or unauthorized access, in particular where the processing involves their transmission over the network, as well as against any other form of unlawful processing.
Alfratrix has a computer system capable of resisting, with a high level of trust, accidental events or malicious or unlawful actions aimed at compromising the availability, integrity and confidentiality of personal data stored or transmitted.
On its website, Alfratrix uses cookie technology to locate the routes followed to its website, in order to help record the user’s activity and to evaluate and improve its website.
Information about individual users is not recorded using this technology. In the Internet browser, users of our website can always pre-set the non-acceptance of cookies or a warning in case cookies are sent.
The measures adopted include:
ü All staff bound by the obligation of strict professional secrecy;
ü The use of antivirus, firewall, anti-malware and other data encryption software;
ü The use of encrypted and dual-validated remote accesses;
ü The use of individual access profiles for each employee;
ü The access to information systems through unique and non-transferable credentials
ü The implementation of active password quality rules
ü The performing of regular backups;
ü A clean desk policy in our facilities.
As regards the use of any content on the Alfratrix website, as well as the information, texts, images or graphics contained therein, these may solely be used for personal use, and never for commercial purposes.
All data, trademarks, and all general content on the Alfratrix website are the property and for the exclusive use of Alfratrix, and are protected under the general terms of law as well as under the national and international intellectual property protection laws, including those relating to Copyright and Related Rights, and Industrial Property Rights.
As mentioned above, reproduction for personal use is allowed. However, unauthorized modifications, imitations, reproductions, publications, loans, rentals, transmission and/or the sale of any content, in its whole or in part, of the Alfratrix website, without the Company’s prior written consent, are prohibited.
All rights not expressly granted by Alfratrix constitute reserved rights. In this context, all texts, images, illustrations, photographs, advertising, trademarks and other elements of the website are protected by law, and any copy, reproduction, dissemination or transmission, use, modification, sale, publication, distribution or any other use, in whole or in part, by whatever means, is expressively prohibited. The free usages authorised by law, in particular the right to quote, are the exception of this prohibition, provided that the respective source is clearly identified.
Authorization is granted for the use of documents (such as press releases, communications or other information) from the Alfratrix website, provided that the copyright notice appears in all copies thereof. The use of these documents shall be used exclusively for informational and non-commercial or personal purposes, and may not be copied or placed on any network computer or disseminated via any other means of communication, and provided that no modifications are made to the documents. The infringers will be subject to competent judicial proceedings.
Despite the personal data that may be provided to Alfratrix through its website is covered by what is defined in this Privacy and Data Protection Policy, we understand that all information communicated to us through the Internet (including suggestions, material or ideas) will be our sole property and use, although restricted. Such information will not have to be treated by us as confidential.
Some parts of the website may contain images that are subject to their owners’ copyright.
Regarding the use and risk of its use, Alfratrix specifically disclaims any liability for direct, indirect, accidental, consequential or special damages arising from or, in any way, associated with the access to or the use of the Alfratrix website, which may affect any computer equipment, or the confidence in the information obtained through the aforementioned website.
Information on the Alfratrix website should be seen as informative. Notwithstanding Alfratrix's efforts to keep content up to date and reliable, it may contain inaccuracies, typographical errors or outdated contents, and these may be altered at any time without Alfratrix having an obligation to give prior notice of such facts or circumstances.
We warn that Alfratrix is not responsible for the privacy practices of third parties whose websites have, or may have, a link to our website, and Alfratrix cannot therefore guarantee or be liable, in any way, for the (in)accuracy or authenticity (or lack thereof) of the information contained therein. We cannot guarantee the quality of these websites, nor do we assume any responsibility either for their content or themes, or for the management of any of their features. We therefore advise you to read the privacy policies of these websites attentively.
Alfratrix does not guarantee the accuracy, completeness or authenticity of the information contained in any other portal, including any website that has given access to its portal or access to it through its portal. The personal data entered on other websites that are linked to the Company's website, by mere accessibility, will be the sole responsibility of the data subject or the owner of the relevant website.
Alfratrix reserves the right to update this policy at any time, in accordance with the legal requirements and/or needs of its commercial activity or any other. The user is, therefore, invited to visit our website to confirm our privacy and data protection policy in force at any given time.
This Alfratrix Privacy and Data Protection Policy was updated for the last time on September 2nd, 2019.
In the event of a dispute arising out of this Privacy and Data Protection Policy, in particular as regards its validity, interpretation, application and enforcement, or any questions related to the collection, processing or transmission of personal data, this shall be analysed and/or resolved in light of the aforementioned legislation, which complements the information presented herein.
If it proves necessary to resort to the courts of law for the resolution of eventual conflicts, the courts of the District of Lisbon are henceforth defined as competent, with express waiver of any other courts, unless a different solution results from the rules of territorial jurisdiction set forth in the civil procedural law.