I. Introduction and General Considerations
II. Definitions of Relevant Concepts in terms of Data Protection
To better understand the content of this policy, it is important to recall the definition of some of the more relevant concepts in the area of data protection:
a) Personal Data: Any information regarding a physical person, identified or identifiable, through which his/her identity can be directly or indirectly determined, such as: name, telephone number, civil identification number, date of birth, etc.
b) Categories of Personal Data: Personal data can be grouped in different categories, such as: data on identification, qualifications, education, financial information, banking, professional information, health, biometrics, etc.
c) Processing: An operation or a set of operations carried out on personal data or sets of personal data, by automated means or otherwise, such as collection, recording, organisation, structuring, retention, adaptation or alteration, recovery, checking, use, disclosure, transmission, broadcast or any other way of making them available, comparison or connection, limitation, erasure or destruction.
d) Data Subject: Any individual whose personal data are subject to processing.
e) Data Controller: Any individual or legal person that, alone or in conjunction with others, determines the purposes and the means of personal data processing.
f) Data Processor: Any individual or legal person that processes personal data on behalf of the Data Controller.
III. Personal Data Processing Assurances
1. Personal data processing at AGS is carried out transparently and in strict compliance with the right to privacy, as well as with the fundamental rights, freedoms and guarantees of the data subjects.
2. Personal data are collected directly from the data subjects, through personal contact or in writing (e-mail or by post), for the express and legitimate purposes determined and they may not later be processed in a way incompatible with these purposes.
3. If personal data are collected from third parties, the data subject will be informed of such collection and of his/her rights as data subject.
IV. Personal Data Processing
1. AGS assures that access to the personal data collected is limited to that strictly necessary for the purposes defined.
2. All AGS users who access the data are contractually obliged to the duties of confidentiality, which include non-disclosure of the information on the data subjects.
3. The data collected by AGS may also be shared with:
I. Receiving entities and/or third parties.
II. Entities that provide services to AGS in their capacity as data processors.
III. Entities that belong to the AGS network, under the scope of their activities, in countries outside of the European Union where an adequate protection level is assured.
IV. Competent authorities to which AGS is legally obliged to disclose information during the course of legal or administrative proceedings or if technical and/or security issues are detected.
V. Entities indicated by the data subject, at his/her request.
V. Rights of data subjects
1. Data subjects are assured the right of access. This means that data subjects are entitled to receive confirmation from AGS that their personal data are subject to processing, or not, that they have the right to access these, to keep them up to date, to receive a copy of them and to receive the following information on the processing of their data:
- I. Purposes of data processing;
- II. Categories of personal data;
- III. Data recipients or categories of data recipients;
- IV. The transfer of data to a country outside of the European Union;
- V. If possible, the period of time the personal data are expected to be retained.
2. Data subjects are also assured of the following rights over the data:
- I. Rectification of personal data that is inaccurate or incomplete;
- II. Erasure of the data (a) when they are no longer necessary for the purpose, (b) when they are unlawfully processed, (c) when the data subject withdraws his/her consent (and the processing is dependent on that consent), (d) when the data subject objects to the processing (and there are no legitimate interests that prevail over that objection).
- III. Data limitation (a) when the accuracy of the data is challenged, (b) when the processing is unlawful and the data subject requests the limitation of their processing instead of erasure, (c) when AGS no longer needs the data but the data subject asks for them to be kept for other purposes, (d) when the data subject objects and while the legitimacy of the processing is being assessed.
- IV. Objection to processing when the processing is based on a legitimate interest of AGS or when it has been used for purposes other than those they were collected for.
- V. Lodging a complaint with the data controller and the supervisory authority if you disagree with the way your data were processed.
- VI. Information on the source of the data if the data were not collected from the data subject.
- VII. Portability, when the data have been processed automatically; the data subject should receive the data in a structured format that is commonly used and can be read automatically, or he/she can request these data be sent to another data controller.
- VIII. Withdrawal of consent when the processing was based on the consent of the data subject, provided this does not compromise the lawfulness of the processing carried out up to that date based on the consent previously provided.
- IX. Lodging of complaints with AGS on the way your personal data are processed, via e-mail to firstname.lastname@example.org and to the Supervisory Authority, the National Data Protection Commission, via e-mail to email@example.com.
3. AGS will provide data subjects with information on the measures taken on presentation of a request under the terms of Articles 15 to 20 of the GDPR within one month of the date of receipt of the request. This period may be extended to two months, when necessary, bearing in mind the complexity of the request and the number of requests. AGS will inform the data subjects of any extension and the reasons for the delay within one month of receipt of the request.
VI. Categories of Personal Data, Categories of Data Subjects and Purposes of Processing
Under the scope of its activities, AGS collects and processes personal data in the following categories: identification data, contact data, data on qualifications, professional data, financial data, banking data, image data, location data and biometric data. The data collected and processed refer to the personal data of employees, company members, service providers, customers and third parties with a relationship with the activities of AGS. The personal data collected and processed are used for purposes related to the following management activities: human resources, administrative and financial, procurement, legal, quality, environment and safety, engineering, IT, concession projects.
VII. Data Retention
All personal data are retained by AGS while the existing relationships with the data subjects continue, either for the legal retention period or while the purpose they were collected for continues, in order to allow the data subjects to be identified until these relationships or obligations have permanently ceased. The data collected will be destroyed when they no longer serve the purposes they were collected for, without prejudice to the existence of other grounds justifying the retention of the data.
VIII. Communication of Data to other Entities (Recipients, Third Parties and Processors)
Under the scope of its activities, AGS uses other entities to provide certain services. These entities are recipients, third parties or processors. When this happens, AGS takes the appropriate steps to ensure that the entities that have access to the data offer the highest security assurances, which, in the case of processors, is duly enshrined and safeguarded contractually.
IX. Transfer of Personal Data
The provision of certain services and the management of the actual activities of AGS imply the transfer of personal data outside of Portugal, including to countries outside of the European Union, specifically to Japan, Brazil, the Philippines and Chile. In such cases, AGS will scrupulously comply with the applicable legal provisions, particularly as to the determination of the suitability of the receiving country/countries in terms of personal data protection and the requirements applicable to such transfers including, where applicable, appropriate contractual instruments that assure and respect the legal requirements in force.
X. Technical and Organisational Measures adopted by AGS
1. AGS has defined and implemented a set of appropriate and necessary technical and organisational measures to assure and prove that all personal data processing carried out is in compliance with the Personal Data Protection legislation. The measures adopted also make it possible to ensure the confidentiality and the integrity of the data and to prevent their destruction, loss and accidental or unlawful alterations or disclosure of or unauthorised access to the data.
2. Data subjects are duly informed that no security system can guarantee absolute protection. However, AGS is always available for any issues regarding the confidentiality and security of the data processed.
XI. Security Breaches
AGS has defined and adopted internal procedures, as well as processing procedures where necessary, to intervene in the event of personal data breaches, particularly in the detection, identification and investigation of the circumstances, and to notify the Competent Authority within the legal time periods set in the cases where there is found to be a risk to the rights and freedoms of the data subjects and a high risk to the actual holders.
XII. Contacts for the purposes of this Policy
In order to exercise the aforementioned rights, particularly rights of access, rectification and erasure and right of limitation and objection to processing, data subjects must address their postal communications to AGS – Administração e Gestão de Sistemas de Salubridade, S.A., Quinta da Fonte Office Park – Edifício Q54 D. José – Piso 2, 2770-203 Paço de Arcos, or by e-mail to firstname.lastname@example.org.
XIII. Other Information
Any additional information regarding personal data protection may be obtained from CNPD - Comissão Nacional de Proteção de Dados - Rua de São Bento n.º 148-3º 1200-821 Lisboa - Tel.: + 351 213928400 - Fax: +351 213976832 - e-mail: email@example.com.
Paço de Arcos, revised in 2019.