1.Data Protection and Privacy Commitment
Borgstena is committed to complying with all applicable EU and national legal standards in the field of data protection and information security.
Borgstena has implemented a Personal Data Protection System and an Information Security System in order to ensure regulatory compliance and to demonstrate institutional responsibility in terms of data protection and information security, implementing all the necessary technical and organizational measures deemed appropriate, both to comply with the legal regime of the General Data Protection Regulation (EU Regulation 2016/679, of April 27, hereinafter referred to as GDPR), and to comply with the legal regime of the GDPR Enforcement Law (Law No. 58/2019, of August 8, hereinafter referred to as LERGPD), as well as the other applicable complementary legislation.
For any clarification or additional information or to exercise your rights in this regard, please contact Borgstena’s Data Protection Officer at email@example.com.
«Personal data» means information relating to an identified or identifiable natural person (“data subject”) – an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier. Personal identifiers are, for example, a name, an identification number, location data, electronic identifiers or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
«Processing of Personal Data»
«Processing» means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
«Cookies» (Testemunhos de Conexão)
«Cookies», designados por «Testemunhos de Conexão» em português, são pequenos ficheiros de texto com informação considerada como relevante que os dispositivos utilizados para o acesso (computadores, telemóveis ou dispositivos móveis portáteis) carregam, através do navegador de internet («browser»), quando um sítio em linha é visitado pelo Utente ou Utilizador.
3. Entity Responsible for Processing
Borgstena, Legal Person with VAT number 502355409, hereinafter referred to as Borgstena, is the entity responsible for the forms, online sites, systems or computerized applications, hereinafter referred to as channels or applications, through which Users, Service Recipients or Users have remote access to Borgstena services that are presented or provided, at any time, through them, and is the entity considered responsible for the processing of personal data.
In order to contact Borgstena’s Data Protection Officer, please send an e-mail to firstname.lastname@example.org or to each of the specific addresses identified in the forms, online sites or applications, describing the subject of the request and indicating an e-mail address, a telephone contact address or a correspondence address for reply.
For any other purpose, the following general contact details of Borgstena as Data Controller may be used:
– Postal address: EN 234 – km 87,7 (Chão do Pisco) Apartado 35 – 3521 – 909 Nelas;
– General e-mail address: email@example.com;
– General Telephone: + 351 232427660;
– Website: www.borgstena.com.
5. Collection and Processing of Personal Data
Borgstena processes the personal data strictly necessary for the provision of information and the operation of its channels, according to the uses made by Users, Service Recipients or Users, either those provided for the purpose of registering requests or obtaining information, or those provided for the purpose of joining those channels, or those resulting from the use of the services provided by Borgstena through them, such as access, queries, instructions, requests or applications, transactions and other records relating to their use.
In particular, the use or activation of certain functionalities of the channels may imply the processing of various direct or indirect personal identifiers, such as name, residence address, personal contacts, device addresses or geographical location, provided that there is express consent from the specific User, Service Recipient or User, where this is necessary for the management of the contractual relationship or the pursuit of legitimate interests or, finally, for the purposes of complying with legal obligations.
In all cases, Users, Service Recipients or Users will always be informed of the need to access such data in order to use the functionalities of the channels in question, as well as the respective grounds of legitimacy for processing such data.
The personal data collected by Borgstena is processed manually or, in certain cases, in an automated or computerized way, including the processing of files or the possible definition of profiles, within the scope of the management of the pre-contractual, contractual or post-contractual relationship with the Users, Recipients of the Service or Users, under the terms of the national and community regulations in force.
6.Categories of Personal Data Processed and Data Subjects
The categories or types of personal data processed are generally as follows:
– identification data;
– contact details;
– professional data;
– billing data;
– traffic and access control data.
At the various establishments of the Data Controller, biometric data may also be processed, processed through video surveillance systems or other biometric systems that are installed.
The categories or types of personal data subjects processed are generally Users, Service Recipients or Users, and may also include, in special processing situations, members of their households or visitors to the Controller’s premises.
The detailed list of categories of personal data and categories of data subjects can be found in the Data Processing Information Sheets for each of the specific processing activities.
All data processing operations comply with the fundamental legal principles in the field of data protection and privacy, namely with regard to their circulation, lawfulness, fairness, transparency, purpose, minimization, conservation, accuracy, integrity and confidentiality, and Borgstena is available to demonstrate its responsibility to the data subject, to the authorities or to any other third party with a legitimate interest in this matter.
All data processing operations carried out by Borgstena have a legitimate basis, namely, either because the data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes, or because the processing is considered necessary for the performance of a contract to which the data subject is a party or for pre-contractual measures at the request of the data subject, or because the processing is necessary for compliance with a legal obligation to which the controller is subject, or in the public interest, or because the processing is considered necessary for the pursuit of the legitimate interests pursued by Borgstena or by a third party – the specific ground being referred to in the specific data processing activities.
All personal data processed through Borgstena’s channels is used exclusively to provide information to Users, to manage the personal information of Service Recipients deemed necessary for the purposes of relationship management or communication, as well as to provide services to Users and, in general, to manage the pre-contractual, contractual or post-contractual relationship with Users, Service Recipients or Users.
The personal data collected may also be processed for statistical purposes, for information dissemination or promotional actions and for communication actions, namely to promote actions to disseminate new features or new services, through direct communication, whether by correspondence, e-mail, messages or telephone calls or any other electronic communications service.
While prior information and the collection of express authorization for the latter purposes are always ensured, Users, Recipients of the Services or Users may, at any time, exercise their right to withdraw consent or their right to oppose or limit the use of their personal data for other purposes that go beyond the management of the relationship with the Data Controller, namely for the pursuit of legitimate interests, for the sending of informative communications or for inclusion in lists or information services, by sending a written request to Borgstena’s Data Protection Officer, in accordance with the procedures set out below.
Pursuant to the principle of loyalty and transparency and to ensure compliance with the duty to provide information, Borgstena delivers directly or makes publicly available to all data subjects, depending on how their personal data is collected, information sheets on the data processing activities carried out, which are accessible for consultation at any public service unit or by request to the Data Protection Officer.
With regard to electronic sites (“Websites”) and online services (“Online”), please consult the Information Sheet on Data Processing on Electronic Sites, accessible at www.dataprotectionofficer.help/borgstena/information/.
Personal data will only be stored for the period necessary for the purposes for which it was collected or subsequently processed, ensuring compliance with all applicable legal rules on archiving and specifying the specific storage period in each of the Data Processing Information Sheets.
The provision of information or the provision of services by Borgstena to its Users, Service Recipients or Users through the channels may eventually imply the use of the services of third party subcontractors, Joint Controllers or other autonomous Controllers, including entities based outside the European Union, for the provision of certain services, and this may imply access by these entities to such personal data.
In these circumstances and whenever necessary, Borgstena will only use entities that provide sufficient guarantees that the appropriate technical and organizational measures will be implemented in such a way that the processing meets the requirements of the applicable rules, such guarantees being formalized in a contract signed between Borgstena and each of these third parties.
Except in the context of compliance with legal obligations, execution of contracts or pursuit of legitimate interests, in no case will personal data of Users, Recipients of Services or Users be communicated to third parties other than subcontractors or legitimate recipients, nor will any other communication be made for purposes other than those referred to above, without prior express consent of the data subject.
Any transfer of personal data to a third country or an international organization will only be carried out within the framework of compliance with legal obligations or to ensure compliance with the applicable Community and national legal rules.
Considering the most advanced techniques, the costs of application and the nature, scope, context and purposes of the processing, as well as the risks, of varying probability and severity, for Users, Recipients of Services or Users, Borgstena and all entities that are its subcontractors apply the appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
To this end, various security measures are adopted in order to protect personal data against its dissemination, loss, misuse, alteration, unauthorized processing or access, as well as against any other form of illicit processing.
It is the sole responsibility of Users, Service Recipients or Users to keep their access codes secret and not share them with third parties, and in the particular case of the computer applications used to access the channels, they must keep and maintain the access devices in a secure condition and follow the security practices advised by the manufacturers and/or operators, particularly as regards the installation and updating of the necessary security applications, including, among others, antivirus applications.
If there is a need to subcontract services to third parties that may have access to the personal data of Users, Service Recipients or Users, Borgstena’s subcontractors will be obliged to adopt the security measures and protocols at the organizational level and the technical measures necessary to protect the confidentiality and security of personal data, as well as to prevent unauthorized access, loss or destruction of personal data.
Users, Service Recipients or Users of Borgstena may, as holders of personal data, at any time, exercise their data protection and privacy rights, namely the rights to withdraw consent, access, rectification, erasure, portability, limitation or opposition to processing, under the terms and with the limitations provided for in the applicable rules.
Any request to exercise data protection and privacy rights must be addressed in writing by the data subject to the Data Protection Officer, in accordance with the procedure and contact details described below.
A Form for Exercising the Rights of Personal Data Subjects is available at www.dataprotectionofficer.help/borgstena/forms or at any Borgstena service point, and can also be requested by email by contacting the Data Protection Officer at firstname.lastname@example.org.
Users, recipients of the Services or Users have the right to submit a complaint, either by registering the complaint in the Complaints Book or by submitting a complaint to the regulatory authorities – in the latter case, they can submit a petition or complaint directly to the National Data Protection Commission through the contacts available at www.cnpd.pt .
Users, Service Recipients or Users can also make suggestions by emailing the Data Protection Officer at email@example.com.
Borgstena has implemented an incident management system for data protection and information security.
If any User, Service Recipient or User wishes to report the occurrence of any personal data breach, which accidentally or unlawfully results in the unauthorized destruction, loss, alteration, disclosure of or access to personal data transmitted, stored or otherwise processed, they may contact Borgstena’s Data Protection Officer or use Borgstena’s general contact details.
A Personal Data Breach Incident Report Form is available at www.protecaodedados.com/borgstena/formularios or at any Borgstena service point, and can also be requested by email by contacting the Data Protection Officer at firstname.lastname@example.org.
Borgstena has implemented a Permanent Contact Point for the management of information security and cyberspace security incidents.
Should any User, Service Recipient or User wish to report the occurrence of an information security incident or a cyberspace security incident, they may contact Borgstena’s Permanent Contact Point via the communication channels available at www.dataprotectionofficer.help/borgstena/security/.
An Information Security or Cyberspace Security Incident Reporting Form can be found at www.dataprotectionofficer.help/borgstena/forms or at any Borgstena service point, and can also be sent by email on request to the Permanent Contact Point.
Borgstena has implemented a Whistleblowing Channel, in accordance with the legal regulations in force, guaranteeing the protection of the personal data of data subjects, under the terms of the Whistleblower Protection Policy accessible at http://borgstena.protecaodedenunciantes.com.
The Whistleblower Officer at Borgstena can be contacted via the contact details available at www.dataprotectionofficer.help/borgstena/whistleblowing.
Borgstena’s Whistleblowing Platform is accessible via the link available at www.dataprotectionofficer.help/borgstena/whistleblowing. A Whistleblowing Form can be found at www.dataprotectionofficer.help/borgstena/forms or at any Borgstena service point, and can also be sent by email by contacting the Whistleblowing Officer.
Borgstena has implemented a Regulatory Compliance Program within the scope of the Prevention of Corruption, in accordance with the legal regulations in force, guaranteeing the protection of the personal data of data subjects, under the terms of the Prevention of Corruption Policy available at www.dataprotectionofficer.help/borgstena/corruption.
For the purposes of submitting complaints within the scope of the corruption prevention regime, any interested party can use
– Borgstena’s Whistleblowing Platform, accessible via the link available at www.dataprotectionofficer.help/borgstena/whistleblowing or
– the Whistleblowing Form, available at www.dataprotectionofficer.help/borgstena/forms or at any Borgstena service point.
– the Cookies and Testimonials Policy.
These special policies are made available directly to the respective categories of data subjects or in the context of the related processing activities and are available for consultation on request to the Data Protection Officer, by emailing email@example.com.
The Data Protection Policies are also complemented with Data Processing Information Sheets, reinforcing transparency and information on specific data processing activities at Borgstena, which are made available at the time of data collection, at any service point or by contacting the Data Protection Officer.
The Information Sheet on Data Processing in Relations with Users, Recipients of Services or Users is available at www.dataprotectionofficer.help/borgstena/information.
For any information, complaint, incident report or exercise of any type of data protection and privacy rights or for any matter relating to data protection and information security issues, Users, Service Recipients and Users who interact with Borgstena may
– contact the Data Protection Officer directly by e-mail at firstname.lastname@example.org, describing the subject of the request and providing an e-mail address, a telephone contact address or a correspondence address for reply, or, if they prefer,
– contact any Borgstena unit or service point, requesting communication with the Data Protection Officer.
The free, specific and informed provision of personal data by the respective holder implies knowledge and acceptance of the conditions contained in this Policy, and it is considered that, by using the channels or by providing their personal data, Users, Service Recipients and Users are expressly authorizing their processing, in accordance with the rules defined in each of the applicable collection channels or instruments.
Version of this Policy: 202306.