General Procedures for the Processing of Personal Data
|1. GENERAL PART|
|1.2. Definitions and general principles|
|1.3. Purposes of personal data processing|
|1.4. Data collection channels
1.5. Data retention period
1.6. Security measures implemented
1.7. Data processors
|1.8. Communication of data to third parties|
|1.9. Transfer of data outside the European Union|
|2. RIGHTS OF THE DATA SUBJECTS|
|2.1. Right to information|
|2.2. Right of access|
|2.3. Right to rectification|
|2.4. Right to erasure (“Right to be forgotten”)|
|2.5. Right to restriction of processing|
|2.6. Right to data portability|
|2.7. Right to object
2.8. Right to complain to a competent authority
|2.9. Procedures for the exercising of rights by the data subject|
|2.10. Personal data breach|
|3. FINAL PART|
|3.3. Applicable law and legal jurisdiction|
Under the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, hereinafter simply referred to as the “GDPR”), the controller is the natural or legal person, which individually or jointly with others determines the purposes and means of processing personal data.
1.2. Definitions and General Principles
In the scope of its activity of providing legal services and legal advice, Espanha e Associados collects and processes information with the nature of personal data.
According to the GDPR, “personal data” means «any information relating to an identified or identifiable natural person («data subject»); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person»;
There are certain categories of personal data (“special categories of personal data“) whose treatment is, by default, prohibited (personal data revealing racial or ethnic origin, political opinion, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data, biometric data to identify a person unequivocally, health status data or data relating to a person’s sexual life or sexual orientation), unless there is a basis justifying the processing of such data.
On the other hand, it is considered as “processing personal data”, «any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction»;
As for general principles regarding the processing of personal data, Espanha e Associados undertakes to ensure that the personal data that it processes are:
Data processing carried out by Espanha e Associados is lawful when at least one of the following situations occurs:
Concerning special categories of personal data, its processing by Espanha e Associados is lawful if one of the following applies:
Espanha e Associados undertakes to ensure that the processing of special categories of personal data is only carried out under the conditions cited above and respecting the principles mentioned above.
The personal data collected and processed by Espanha e Associados consists in information related, namely, to name, address, e-email, landline, mobile phone, tax identification number (NIF) and necessary data for the provision of legal advice and services.
When a data processing is performed by Espanha e Associados based solely on the consent of the data subject, that data subject has the right to withdraw his or her consent at any time. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
1.3. Purposes of Processing Personal Data
In general, the data collected and processed by Espanha e Associados are intended for the following purposes:
1.4. Data Collection Channels
Espanha e Associados may collect data directly (that is, directly from the data subject) or indirectly (that is, via clients or third parties). Such collection may be done through the following channels:
1.5. Data Retention Period
The period of storage of personal data varies according to the purpose of the processing. The personal data necessary for the execution of the contractual relationship with clients, suppliers and service providers will be stored during the period of that relationship and, once the contractual relationship has terminated, for a period of 10 years. After that period, the personal data will be erased, unless there’s a pendent legal claim which imposes its storage for a longer period or laws and regulations applicable to Espanha e Associados that, depending on the nature of the data, impose that storage too.
The personal data used for marketing purposes (receipt of newsletter and general information) will be stored after obtaining the consent of the data subject for that purpose, until contrary indication by the data subject. Data subjects may, at any time, object the use of their data for marketing purposes.
Personal data used for selection and recruitment of personnel purposes will be stored for a period of 2 years, except if the data subject permits its retention for a longer period.
1.6. Security Measures Implemented
In order to guarantee the security of the personal data, Espanha e Associados has implemented several technical and organizational procedures which are reviewed and updated periodically as required.
Depending of the nature, scope, context and purpose of data processing, as well as the risks arising from its processing for the rights and freedoms of the natural persons, Espanha e Associados undertakes to apply, both when defining the method to process the data and at the time of the data processing itself, the technical and organizational measures necessary and appropriate for the data protection and compliance with GDPR requirements. It also undertakes to ensure that, by default, only data that are necessary for each specific purpose are processed and that such data are not made available without human intervention to an indeterminate number of people.
In terms of general measures, Espanha e Associados adopts the following:
1.7. Data Processors
These processors will not be able to transmit data subject’s personal data to other entities without a prior and in writing authorization from Espanha e Associados, being equally prevented from contracting other entities without prior authorization of Espanha e Associados.
Espanha e Associados undertakes to only subcontract entities that provide sufficient guarantees to carry out the appropriate technical and organizational measures in order to ensure the protection of the data subject’s rights. All entities subcontracted by Espanha e Associados are bound to the latter by means of a written agreement in which they regulate, in particular, the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of the data subjects and the rights and obligations of the parties.
1.8. Data Communication to Third Parties
Espanha e Associados will not transmit or communicate personal data to third parties, except in the following cases legally provided for by applicable law: in case of the data subject has explicitly consented or if the transmission or communication is necessary for the performance of a contract between the data subject and Espanha e Associados, or for the implementation of pre-contractual measures taken at the data subject’s request; in case it is necessary for compliance with a legal obligation to which Espanha e Associados is subject; or if it is necessary in order to protect the vital interests of the data subject or of other persons, or in case it is necessary for the pursuit of legal interests of Espanha e Associados or a third party.
1.9. Transfer of Data Outside the European Union
In certain types of processing, personal data collected by Espanha e Associados Associates may be made available to third parties and may involve their transfer outside the European Union. In that case, Espanha e Associados undertakes to ensure that the transfer complies with applicable legal provisions, in particular as regards the determination of the adequacy of the level protection of the country concerning data protection and the requirements applicable to such transfers.
Under legal the terms, the data subjects have the following rights:
2.1. Right to information
2.1.1. Information provided to the data subject by Espanha e Associados (where data are collected directly from the data subject):
Where personal data have not been not collected directly by Espanha e Associados from the data subject, in addition to the information referred to above, the data subject is also informed about the categories of personal data being processed and also about the origin of the data and eventually if they come from sources that are accessible to the public.
If Espanha e Associados intends to further process the personal data for a purpose other than that for which the personal data were obtained, Espanha e Associados will provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to above.
Under the legal terms, Espanha e Associados is not obliged to provide the data subject with the above-mentioned information when and to the extent that:
2.1.2. Procedures and measures implemented to fulfil the right to information:
The information referred to in paragraph 2.1.1 is provided, at no cost, in writing (including by electronic means) by Espanha e Associados to the data subject prior to the processing of the personal data in question.
2.2. Right of access
The data subject has the right to obtain confirmation from Espanha e Associados if his/her personal data are being processed or not and, if applicable, the right to access his/her personal data and the following information:
Upon request, Espanha e Associados will provide the data subject, free of charge, with a copy of the personal data undergoing processing.
For any further copies requested by the data subject, Espanha e Associados may charge administrative costs.
2.3. Right to rectification
The data subject has the right to obtain, at any time, the rectification of his or her personal data by Espanha e Associados. Depending on the purposes of data processing, the data subject has the right to have incomplete personal data completed, including by means of an additional declaration.
In the event of data rectification, Espanha e Associados will inform each recipient/entity to whom the data has been transmitted of the rectification, unless such communication proves impossible or involves a disproportionate effort on behalf of Espanha e Associados. Where the data subject requests information about the referred to recipients, Espanha e Associados will provide it.
2.4. Right to erasure (“Right to be forgotten”)
The data subject has the right to obtain, from Espanha e Associados, the erasure of his/her data when one of the following grounds applies:
Under the applicable legal terms, Espanha e Associados is under no obligation to delete personal data of the data subject to the extent that the processing proves necessary to fulfil a legal obligation to which Espanha e Associados is subject or for the purposes of declaring, exercising or defending Espanha e Associados’ rights in judicial proceedings.
In the event of the data being deleted, Espanha e Associados will inform each recipient/entity to whom the data have been transmitted of their deletion, unless such communication proves impossible or involves a disproportionate effort on behalf of Espanha e Associados. If the data subject requests information about the referred to recipients, Espanha e Associados will provide it.
When Espanha e Associados has made the personal data public and is obliged to erase it under the right to erase, Espanha e Associados, taking account of available technology and the cost of implementation, will take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
2.5. Right to restriction of processing
The data subject has the right to obtain from Espanha e Associados restriction of processing where one of the following situations occurs (the limitation consists of marking the personal data retained with the aim of limiting its processing in the future):
Where processing has been restricted, such personal data will, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for public interest reasons provided by law.
A data subject who has obtained restriction of processing in the above cases will be informed by Espanha e Associados before the restriction of processing is lifted.
In the event of restriction of processing of data, Espanha e Associados will inform each recipient/entity to whom the personal data have been disclosed, unless such communication proves impossible or involves a disproportionate effort on behalf of Espanha e Associados. If the data subject requests it, Espanha e Associados will inform the data subject about those recipients.
2.6. Right to data portability
The data subject has the right to receive the personal data concerning him or her, which he or she has provided to Espanha e Associados, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from Espanha e Associados, if:
The right to data portability does not include inferred or derived data, that is, personal data that are generated by Espanha e Associados as a consequence of, or resulting from, analysis of the data object of processing, except in the cases exceptionally established by law.
The data subject is entitled to have his/her personal data transmitted directly between controllers, whenever this is technically and legally possible. The exercise of the right to data portability applies without prejudice to the right to data erasure.
2.7. Right to object
The data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on the exercising of legitimate interests pursued by Espanha e Associados, or when the processing is carried out for purposes other than those for which personal data were collected, including profiling, or when personal data are processed for statistical purposes.
Espanha e Associados will no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
When personal data are processed for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing of his/her personal data for direct marketing purposes, Espanha e Associados will no longer process it for such purposes.
The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, except if:
2.8. Right to complain to a competent authority
The data subject has the right to lodge complaints with the National Data Protection Commission (CNPD) or other supervisory authority for the protection of personal data. The contact details of the CNPD are as follows: Av. D. Carlos I, 134 – 1.º, 1200-651 Lisboa, Tel: +351 213.928.400, Fax: +351 213.976.832, e-mail: firstname.lastname@example.org.
2.9. Procedures for the exercising of rights by the data subject
The right of access, the right to rectification, the right to erasure, the right to restriction, the right to data portability and the right to object may be all exercised by the data subject through contact with Espanha e Associados in person, by telephone or by e-mail email@example.com.
Espanha e Associados will respond in writing (including by electronic means) to the data subject’s request within a maximum period of one month from the receipt of the request, except in particularly complex cases, for which this period may be extended up to two months.
If the requests submitted by the data subject are manifestly unjustified or excessive, especially due to their repetitive nature, Espanha e Associados reserves the right to charge administrative costs or refuse to comply with the request.
2.10. Personal data breach
In the event of data breach and insofar as such breach is likely to entail a high risk to the data subject’s rights and freedoms, Espanha e Associados undertakes to inform the data subject in question of the personal data breach within 48 hours.
At law, communication to the data subject is not required in the following cases:
3.3. Applicable Law and Legal Jurisdiction
For the purposes of GDPR:
 Subsequent processing for the purposes of archival of public interest, or for the purposes of scientific or historical research or for statistical purposes, is not considered to be incompatible with the initial purposes, according to GDPR.