Privacy Policy

General Procedures for the Processing of Personal Data

30/10/2018

Index

1. GENERAL PART  
1.1. Controller  
1.2. Definitions and general principles  
1.3. Purposes of personal data processing  
1.4. Data collection channels  
1.5. Data retention period  
1.6. Security measures implemented  
1.7. Data processors  
1.8. Communication of data to third parties  
1.9. Transfer of data outside the European Union  
2. RIGHTS OF THE DATA SUBJECTS  
2.1. Right to information  
2.2. Right of access  
2.3. Right to rectification  
2.4. Right to erasure (“Right to be forgotten”)  
2.5. Right to restriction of processing  
2.6. Right to data portability  
2.7. Right to object  
2.8. Right to complain to a competent authority  
2.9. Procedures for the exercising of rights by the data subject  
2.10. Personal data breach  
3. FINAL PART  
3.1. Changes to this Privacy Policy  
3.2. Contact  
3.3. Applicable law and legal jurisdiction  
4. GLOSSARY  

1. GENERAL PART

 

1.1. Controller

Under the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, hereinafter simply referred to as the “GDPR”), the controller is the natural or legal person, which individually or jointly with others determines the purposes and means of processing personal data.

 

Espanha e Associados – Sociedade de Advogados, SP, RL, (“Espanha e Associados”), with head office at Rua Castilho no. 75, 8º Dto., 1250-068 Lisboa, legal person with the number 507.133.757, registered in the Bar Association under number 64/04, is committed to the protection and privacy of the personal data that it processes and is the entity responsible for drafting this Privacy Policy.

 

1.2. Definitions and General Principles

In the scope of its activity of providing legal services and legal advice, Espanha e Associados collects and processes information with the nature of personal data.

According to the GDPR, “personal data” means «any information relating to an identified or identifiable natural person («data subject»); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person».

There are certain categories of personal data (“special categories of personal data”) whose processing is, by default, prohibited (personal data revealing racial or ethnic origin, political opinion, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data, biometric data to identify a person unequivocally, health status data or data relating to a person’s sexual life or sexual orientation), unless there is a basis justifying the processing of such data.

“Processing of personal data”, in turn, means «any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction».

As for general principles regarding the processing of personal data, Espanha e Associados undertakes to ensure that the personal data that it processes are:

  • Processed lawfully, fairly and in a transparent manner in relation to the data subject;
  • Collected for specified, explicit and legitimate purposes and not further processed in any manner that runs contrary to these purposes[1];
  • Appropriate, justified and limited to what is necessary in relation to the purposes for which these data are processed;
  • Accurate and updated whenever necessary with all necessary measures being taken to ensure that inaccurate data, taking into account the purposes for which they are processed, are erased or corrected without delay;
  • Kept in a manner that allows the identification of the data subject only for the period necessary for the purposes for which the data are processed;
  • Handled in a manner that ensures data security, including protection against their unauthorized or illegal treatment and against their loss, destruction or accidental damage, with appropriate technical or organizational measures being taken.

 

Data processing carried out by Espanha e Associados is lawful when at least one of the following situations occurs:

  1. The data subject has given his/her explicit consent to the processing of personal data for one or more specified purposes; or
  2. Processing is necessary for the performance of a contract to which the data subject is a party, or for pre-contractual procedures at the request of the data subject; or
  3. Processing is necessary for compliance with a legal obligation to which Espanha e Associados is subject; or
  4. Processing is necessary for the purposes of the legitimate interests pursued by Espanha e Associados or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

The processing of special categories of personal data by Espanha e Associados is lawful if one of the following applies:

  1. The data subject has given explicit consent to the processing of those personal data for one or more specified purposes; or
  2. Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of Espanha e Associados or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by law or a collective agreement providing for appropriate safeguards for the fundamental rights and the interests of the data subject; or
  3. Processing relates to personal data which are manifestly made public by the data subject; or
  4. Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; or
  5. Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with GDPR.

Espanha e Associados undertakes to ensure that the processing of special categories of personal data is only carried out under the conditions cited above and respecting the principles mentioned above.

 

The personal data collected and processed by Espanha e Associados consist of information relating, namely, to name, address, e-mail, landline, mobile phone, tax identification number (NIF) and the data necessary for the provision of legal advice and services.

When data processing is performed by Espanha e Associados based solely on the consent of the data subject, that data subject has the right to withdraw his or her consent at any time. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

 

1.3. Purposes of Processing Personal Data

In general, the data collected and processed by Espanha e Associados are intended for the following purposes:

  • Management of clients and their contractual relationship;
  • Marketing, including receiving Espanha e Associados’ newsletter and general information, through any means of communication, including electronic support;
  • Management of suppliers/service providers;
  • Personnel selection and recruitment; and
  • Compliance with legal obligations to which Espanha e Associados is subject.

 

 

 

 

1.4. Data Collection Channels

Espanha e Associados may collect data directly (that is, directly from the data subject) or indirectly (that is, via clients or third parties). Such collection may be done through the following channels:

  • Direct collection: in person, by telephone, via e-mail, through paper form and through Espanha e Associados’ website. Any information or content that the data subject transmits to Espanha e Associados’ website is subject to the Legal Notice disclosed at Espanha e Associados’ website.
  • Indirect collection: through Customers and other third parties with whom Espanha e Associados has established contractual relations in the scope of legal services and/or representation.

 

1.5. Data Retention Period

The period of storage of personal data varies according to the purpose of the processing. The personal data necessary for the execution of the contractual relationship with clients, suppliers and service providers will be stored during the period of that relationship and, once the contractual relationship has terminated, for a period of 10 years. After that period, the personal data will be erased, unless there is a pending legal claim which requires their storage for a longer period, or laws and regulations applicable to Espanha e Associados that, depending on the nature of the data, also impose such storage.

The personal data used for marketing purposes (receipt of newsletter and general information) will be stored after obtaining the consent of the data subject for that purpose, until contrary indication by the data subject. Data subjects may, at any time, object to the use of their data for marketing purposes.

Personal data used for selection and recruitment of personnel purposes will be stored for a period of 2 years, except if the data subject permits its retention for a longer period.

 

1.6. Security Measures Implemented

In order to guarantee the security of the personal data, Espanha e Associados has implemented several technical and organizational procedures which are reviewed and updated periodically as required.

Depending on the nature, scope, context and purpose of data processing, as well as the risks arising from its processing for the rights and freedoms of the natural persons, Espanha e Associados undertakes to apply, both when defining the method to process the data and at the time of the data processing itself, the technical and organizational measures necessary and appropriate for the data protection and compliance with GDPR requirements. It also undertakes to ensure that, by default, only data that are necessary for each specific purpose are processed and that such data are not made available without human intervention to an indeterminate number of people.

In terms of general measures, Espanha e Associados adopts the following:

  • Binding of the lawyers and the administrative personnel to the duty of professional secrecy;
  • Restricted access of people to the premises, through access control;
  • Use of antivirus, firewall, anti-malware and other intrusion detection mechanisms;
  • Use of VPN with information encryption;
  • Different access profiles depending on the role / position of the person accessing the information systems;
  • Access to information systems through a personal and non-transferable user name and password;
  • Implementation of password quality rules;
  • Monthly deletion of the profiles of users who terminate their employment relationship, or other, with Espanha e Associados, as well as of all privileges or access rights granted to such users;
  • Detection of non-customized access to information systems and premises (alarm in the premises);
  • Performance of daily periodic backups;
  • Performance of real-time intrusion testing;
  • Clean desk policy in the offices;
  • Existence of a policy for the use of computer resources and for the implementation of security measures;
  • Mechanisms capable of ensuring the permanent confidentiality, availability and resilience of information systems;
  • Mechanisms to ensure the restoration of information systems and access to personal data in a timely manner in the event of a physical or technical incident (in the event of a physical or technical incident, the information is recoverable by means of backup, as a general rule, on the following business day).

 

1.7. Data Processors

In the scope of the processing of personal data carried out by Espanha e Associados, this entity engages or may engage processors, which consist of natural or legal persons subcontracted by Espanha e Associados to, on its behalf and in accordance with its instructions, process personal data in strict compliance with the provisions of the law and this Privacy Policy.

These processors may not transmit the data subject’s personal data to other entities without prior written authorization from Espanha e Associados, and are equally prevented from contracting other entities without prior authorization from Espanha e Associados.

Espanha e Associados undertakes to only subcontract entities that provide sufficient guarantees to carry out the appropriate technical and organizational measures in order to ensure the protection of the data subject’s rights. All entities subcontracted by Espanha e Associados are bound to the latter by means of a written agreement in which they regulate, in particular, the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of the data subjects and the rights and obligations of the parties.

 

1.8. Data Communication to Third Parties

Espanha e Associados will not transmit or communicate personal data to third parties, except in the following cases provided for by applicable law: where the data subject has explicitly consented; where the transmission or communication is necessary for the performance of a contract between the data subject and Espanha e Associados, or for the implementation of pre-contractual measures taken at the data subject’s request; where it is necessary for compliance with a legal obligation to which Espanha e Associados is subject; where it is necessary in order to protect the vital interests of the data subject or of other persons; or where it is necessary for the pursuit of legal interests of Espanha e Associados or a third party.

 

1.9. Transfer of Data Outside the European Union

In certain types of processing, personal data collected by Espanha e Associados may be made available to third parties and may involve their transfer outside the European Union. In that case, Espanha e Associados undertakes to ensure that the transfer complies with applicable legal provisions, in particular as regards the determination of the adequacy of the country’s level of data protection and the requirements applicable to such transfers.

 

 

 

2. RIGHTS OF THE DATA SUBJECTS

Under the legal terms, the data subjects have the following rights:

 

2.1. Right to information

2.1.1. Information provided to the data subject by Espanha e Associados (where data are collected directly from the data subject):

  1. The identity and contact details of Espanha e Associados, the controller and, where applicable, of its representative;
  2. The purposes of the processing for which the personal data are intended, as well as the legal basis for the processing;
  3. Where the processing of the data is based on the legitimate interests of Espanha e Associados or a third party, indication of such interests;
  4. Where applicable, recipients or categories of recipients of personal data;
  5. Where applicable, the fact that Espanha e Associados intends to transfer personal data to a third country or an international organization, and whether or not an adequacy decision has been adopted by the Commission or a reference to suitable or appropriate transfer safeguards;
  6. The period for which the personal data will be stored or, if it is not possible, the criteria used to define that period;
  7. The right to request from Espanha e Associados access to personal data and its rectification or its erasure, the right to request the restriction of processing concerning the data subject or the right to object to processing as well as the right to data portability;
  8. Where the processing of the data is based on the data subject’s consent, the right to withdraw it at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  9. The right to lodge a complaint with the CNPD (Comissão Nacional de Protecção de Dados [National Commission for Data Protection]) or other supervisory authority;
  10. Indication of whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
  11. Where applicable, the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

 

 

Where personal data have not been collected directly by Espanha e Associados from the data subject, in addition to the information referred to above, the data subject is also informed about the categories of personal data being processed, about the origin of the data and, where applicable, whether they come from sources that are accessible to the public.

If Espanha e Associados intends to further process the personal data for a purpose other than that for which the personal data were obtained, Espanha e Associados will provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to above.

Under the legal terms, Espanha e Associados is not obliged to provide the data subject with the above-mentioned information when and to the extent that:

  • The data subject already has the information;
  • The provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards provided in the GDPR;
  • Obtaining or disclosure is expressly laid down by law;
  • The personal data must remain confidential subject to an obligation of professional secrecy regulated by law.

 

2.1.2. Procedures and measures implemented to fulfil the right to information:

The information referred to in paragraph 2.1.1 is provided, at no cost, in writing (including by electronic means) by Espanha e Associados to the data subject prior to the processing of the personal data in question.

 

2.2. Right of access

The data subject has the right to obtain confirmation from Espanha e Associados if his/her personal data are being processed or not and, if applicable, the right to access his/her personal data and the following information:

  1. The purposes of data processing;
  2. The categories of personal data in question;
  3. The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients based in other countries or belonging to international organizations;
  4. The period for which the personal data will be stored or, if it is not possible, the criteria used to define that period;
  5. The right to request from Espanha e Associados the rectification, the erasure, or the restriction of processing of personal data, or the right to object to its processing;
  6. The right to lodge a complaint with the CNPD or other supervisory authority;
  7. Where the data has not been collected from the data subject, the available information on the source of such data;
  8. The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
  9. The right to be informed about the appropriate safeguards associated with the transfer of data to third countries or international organizations.

Upon request, Espanha e Associados will provide the data subject, free of charge, with a copy of the personal data undergoing processing.

For any further copies requested by the data subject, Espanha e Associados may charge administrative costs.

 

2.3. Right to rectification

The data subject has the right to obtain, at any time, the rectification of his or her personal data by Espanha e Associados. Depending on the purposes of data processing, the data subject has the right to have incomplete personal data completed, including by means of an additional declaration.

In the event of data rectification, Espanha e Associados will inform each recipient/entity to whom the data has been transmitted of the rectification, unless such communication proves impossible or involves a disproportionate effort on behalf of Espanha e Associados. Where the data subject requests information about those recipients, Espanha e Associados will provide it.

 

2.4. Right to erasure (“Right to be forgotten”)

The data subject has the right to obtain, from Espanha e Associados, the erasure of his/her data when one of the following grounds applies:

  1. The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  2. The data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
  3. The data subject objects to the processing and there are no overriding legitimate grounds for the processing;
  4. The personal data have been unlawfully processed;
  5. The personal data have to be erased for compliance with a legal obligation to which Espanha e Associados is subject;
  6. The personal data have been collected in relation to an offer of information society services to a child.

Under the applicable legal terms, Espanha e Associados is under no obligation to delete personal data of the data subject to the extent that the processing proves necessary to fulfil a legal obligation to which Espanha e Associados is subject or for the purposes of declaring, exercising or defending Espanha e Associados’ rights in judicial proceedings.

In the event of the data being deleted, Espanha e Associados will inform each recipient/entity to whom the data have been transmitted of their deletion, unless such communication proves impossible or involves a disproportionate effort on behalf of Espanha e Associados. If the data subject requests information about those recipients, Espanha e Associados will provide it.

When Espanha e Associados has made the personal data public and is obliged to erase it under the right to erasure, Espanha e Associados, taking account of available technology and the cost of implementation, will take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

 

2.5. Right to restriction of processing

The data subject has the right to obtain from Espanha e Associados restriction of processing where one of the following situations occurs (the limitation consists of marking the personal data retained with the aim of limiting its processing in the future):

  1. The accuracy of the personal data is contested by the data subject, for a period enabling Espanha e Associados to verify its accuracy;
  2. The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  3. Espanha e Associados no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  4. The data subject has objected to processing until it is verified that Espanha e Associados’ legitimate reasons prevail over those of the data subject.

Where processing has been restricted, such personal data will, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for public interest reasons provided by law.

A data subject who has obtained restriction of processing in the above cases will be informed by Espanha e Associados before the restriction of processing is lifted.

In the event of restriction of processing of data, Espanha e Associados will inform each recipient/entity to whom the personal data have been disclosed, unless such communication proves impossible or involves a disproportionate effort on behalf of Espanha e Associados. If the data subject requests it, Espanha e Associados will inform the data subject about those recipients.

 

2.6. Right to data portability

The data subject has the right to receive the personal data concerning him or her, which he or she has provided to Espanha e Associados, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from Espanha e Associados, if:

  1. The processing is based on consent or on a contract to which the data subject is a party; and
  2. The processing is carried out by automated means.

The right to data portability does not include inferred or derived data, that is, personal data that are generated by Espanha e Associados as a consequence of, or resulting from, analysis of the data being processed, except in the cases exceptionally established by law.

The data subject is entitled to have his/her personal data transmitted directly between controllers, whenever this is technically and legally possible. The exercise of the right to data portability applies without prejudice to the right to data erasure.

 

2.7. Right to object

The data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on the exercising of legitimate interests pursued by Espanha e Associados, or when the processing is carried out for purposes other than those for which personal data were collected, including profiling, or when personal data are processed for statistical purposes.

Espanha e Associados will no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

When personal data are processed for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing of his/her personal data for direct marketing purposes, Espanha e Associados will no longer process it for such purposes.

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, except if the decision:

  • Is necessary for entering into, or performance of, a contract between the data subject and Espanha e Associados;
  • Is authorised by law to which Espanha e Associados is subject; or
  • Is based on the data subject’s explicit consent.

 

2.8. Right to complain to a competent authority    

The data subject has the right to lodge complaints with the National Data Protection Commission (CNPD) or other supervisory authority for the protection of personal data. The contact details of the CNPD are as follows: Av. D. Carlos I, 134 – 1.º, 1200-651 Lisboa, Tel: +351 213.928.400, Fax: +351 213.976.832, e-mail: geral@cnpd.pt.

 

2.9. Procedures for the exercising of rights by the data subject

The right of access, the right to rectification, the right to erasure, the right to restriction, the right to data portability and the right to object may all be exercised by the data subject by contacting Espanha e Associados in person, by telephone or by e-mail at geral@espanhaassociados.pt.

Espanha e Associados will respond in writing (including by electronic means) to the data subject’s request within a maximum period of one month from the receipt of the request, except in particularly complex cases, for which this period may be extended up to two months.

If the requests submitted by the data subject are manifestly unjustified or excessive, especially due to their repetitive nature, Espanha e Associados reserves the right to charge administrative costs or refuse to comply with the request.

 

2.10. Personal data breach

In the event of a data breach and insofar as such breach is likely to entail a high risk to the data subject’s rights and freedoms, Espanha e Associados undertakes to inform the data subject in question of the personal data breach within 48 hours.

At law, communication to the data subject is not required in the following cases:

  • If Espanha e Associados has applied satisfactory protection measures, both technical and organizational, and these measures have been applied to personal data affected by the personal data breach, especially measures that make the personal data incomprehensible to anyone unauthorized to access such data;
  • If Espanha e Associados has taken subsequent action to ensure that the high risk to the data subject’s rights and freedoms is no longer likely to materialize; or
  • If communication to the data subject implies a disproportionate effort on behalf of Espanha e Associados. In this case, Espanha e Associados will release a public communication or take a similar action by which the data subject will be informed.

 

3. FINAL PART

3.1. Changes to this Privacy Policy

Espanha e Associados reserves the right to make changes to this Privacy Policy at any time. In the case of modification to the Privacy Policy, the date of the most recent change is indicated on the first page.

 

3.2. Contact

Without prejudice to clause 2.9., respecting the exercise of the rights conferred to the data subject under the legal terms, data subjects who wish to submit questions or complaints related to this Privacy Policy may do so through the email geral@espanhaassociados.pt.

 

3.3. Applicable Law and Legal Jurisdiction

The Privacy Policy, as well as the collection, processing or transmission of personal data of the data subject, is governed by the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, and by the laws and regulations applicable in Portugal.

Any litigation arising from the validity, interpretation or implementation of the Privacy Policy, or related to the collection, processing or transmission of personal data, must be submitted exclusively to the jurisdiction of the courts of Lisbon, without prejudice to mandatory legal rules.

 

4. GLOSSARY

For the purposes of GDPR:

  • «Personal data» means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • «Processing» means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • «Restriction of processing» means the marking of stored personal data with the aim of limiting their processing in the future;
  • «Profiling» means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
  • «Pseudonymisation» means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
  • «Filing system» means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
  • «Controller» means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  • «Processor» means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  • «Recipient» means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
  • «Third party» means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
  • «Consent» of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
  • «Personal data breach» means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
  • «Genetic data» means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
  • «Biometric data» means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
  • «Data concerning health» means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
  • «Main establishment» means:
    1. As regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;
    2. As regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;
  • «Representative» means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;
  • «Enterprise» means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
  • «Group of undertakings» means a controlling undertaking and its controlled undertakings;
  • «Binding corporate rules» means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;
  • «Supervisory authority» means an independent public authority which is established by a Member State;
  • «Supervisory authority concerned» means a supervisory authority which is concerned by the processing of personal data because:
    1. the controller or processor is established on the territory of the Member State of that supervisory authority;
    2. data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or
    3. a complaint has been lodged with that supervisory authority;
  • «Cross-border processing» means either:
    1. Processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
    2. Processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
  • «Relevant and reasoned objection» means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;
  • «International organisation» means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

 

[1] According to the GDPR, subsequent processing for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes is not considered to be incompatible with the initial purposes.