Data Protection and Privacy at Work Policy
1. Contact details of the Data Controller
Borgstena establishes the following contacts for the purpose of applying the rules of the GDPR as Data Controller:
General email address: firstname.lastname@example.org;
General telephone: + 351 232427660;
Email address of the Data Protection Officer: email@example.com.
2. Personal data processed
- The Employer, within the strict limits of the purposes and legal grounds specified below, processes, by itself or on its behalf, Employees’ personal data, namely name, marital status, civil, tax, social security and health user identification numbers, age, date of birth, place of birth, academic, technical and professional qualifications, telephone numbers, composition and identification of members of the respective household, training data and professional performance data.
- The Employer, on the grounds of the exception provided for in Article 9 of the General Data Protection Regulation and in strict compliance with the provisions of the aforementioned article, in particular with regard to the obligation of professional secrecy, also processes the following special categories of personal data: trade union membership, biometric data and health data.
3. Purpose of processing
- Employees’ personal data is processed for the purposes inherent in the performance of the employment contract, including compliance with related legal obligations, namely planning and organization of work, equality and diversity in the workplace, health and safety at work, protection of the Employer’s assets and for the purposes of the exercise and enjoyment, individually or collectively, of employment-related rights and benefits, as well as for the purposes of termination of the employment relationship.
- Without prejudice to the above purposes, special categories of personal data are processed for the following specific purposes:
a) trade union membership – for compliance with legal obligations and/or at the request of Workers;
b) biometric data – for access control to facilities and/or attendance control and for the protection of persons and property;
c) health data – for the purposes of preventive and occupational medicine and for assessing the working capacity of Workers, by subcontractors legally qualified for the purpose, and under strict obligation of professional secrecy.
4. Legal basis for processing
4.1. The processing of the aforementioned personal data is necessary for:
i) the performance of the employment contract,
ii) the fulfillment of legal obligations to which the Employer is subject by virtue of applicable national or Community legislation,
iii) the purposes of the legitimate interests pursued by the Employer, namely the exercise of its management powers and the corresponding optimization of its operational organizational processes.
4.2. Outside of these cases, the Employer may process data collected from Employees for other specific, explicit and legitimate purposes, expressly obtaining the corresponding and legitimate consent of the Employees at the time of collection.
5.1. Within the scope and context of the employment relationship and for the purposes and on the grounds specified above, the Employer may communicate the Employees’ personal data to other entities, namely subcontractors for the provision of occupational medicine, management consultancy, human resources, accounting, tax, legal or other services, banking entities, insurance entities, the Tax Authority, Social Security Services, the Working Conditions Authority, the Employment and Professional Training Institute, judicial entities, enforcement agents, the National Data Protection Commission and other entities as determined by law or in compliance with judicial orders.
5.2. The Employer, in accordance with the provisions of the General Data Protection Regulation, will formalize the corresponding contracts with its subcontractors, ensuring that they adopt the technical and organizational protection measures required to protect the personal data they process.
6. Retention period
6.1 Without prejudice to personal data being kept for the period strictly necessary to achieve the specific purposes in question, and compliance with other applicable legal time limits depending on the special categories of personal data processed, Employees’ personal data will be kept, by default, for a period of two years from the termination of the employment contract binding the Parties, under the terms of Article 337(1) of the Labor Code.
6.2 Employees are informed that this period may be extended when this becomes necessary for the declaration, exercise or defense of the Employer’s rights in legal proceedings.
7. Rights of the Personal Data Subject
7.1. Employees, as holders of personal data, have the right of access, rectification, erasure, limitation, opposition and data portability, under the conditions and with the exceptions provided for by law.
7.2 In the event of a breach of their personal data, the Data Subject may also lodge a complaint with a supervisory authority, namely the National Data Protection Commission.
7.3 In cases where the legal basis for the processing of their personal data is consent, Employees also have the right to withdraw their consent at any time, without this affecting the lawfulness of the processing carried out until then on that basis.
8. Exercising the rights of the Data Subject
8.1. To exercise any type of data protection and privacy rights or for any matter relating to data protection, privacy and information security, Employees may contact the Data Protection Officer at firstname.lastname@example.org, describing the subject of the request and indicating an e-mail address, a telephone contact or a correspondence address for reply.
8.2 A Form for Exercising the Rights of Personal Data Subjects is available to Employees at www.dataprotectionofficer.help/borgstena/forms or at any of the Employer’s work service points, and can also be requested by emailing the Data Protection Officer.
9. Obligations of Employees with regard to the protection of personal data
Employees are obliged to act in accordance with the legal rules applicable to the protection of personal data and with the internal rules in force in this area, namely the procedures, internal regulations and work instructions in the area of data protection and information security, and are expressly aware of the terms of the Data Protection Policies and Information Security Policies approved by the Data Controller, accessible on the Data Protection Officer’s Documentation Platform at www.dataprotectionofficer.help/borgstena.
10. Duty of secrecy and confidentiality
11. Duty to report a personal data breach
11.1 Employees must be aware of and comply with the rules of the personal data and information security incident management system in force at the Employer.
11.2 In the event of a personal data breach, Employees must notify the Employer without undue delay and, where possible, within 12 hours of becoming aware of it, unless the personal data breach is not likely to result in a risk to the rights and freedoms of natural persons. If the notification is not transmitted within 12 hours, it must be accompanied by the reasons for the delay.
11.3 A Personal Data Breach Incident Reporting Form is available to Employees at www.dataprotectionofficer.help/borgstena/forms or at any of the Employer’s work service points, and can also be sent by email by requesting it from the Data Protection Officer.
12. Permanent Security Contact Point
12.1 Employees are informed that the Employer has set up a Permanent Contact Point for the management of information security and cyberspace security incidents, in accordance with the legal regulations in force, and that they are obliged to report the occurrence of any information security incident or cyberspace security incident as soon as they become aware of it, by contacting the Permanent Contact Point without undue delay via the communication channels indicated at www.dataprotectionofficer.help/borgstena/security.
12.2 Employees must use the Information Security or Cyberspace Security Incident Reporting Form, which can be accessed at www.dataprotectionofficer.help/borgstena/forms or at any workplace service point, and can also be sent by email by contacting the Permanent Contact Point.
14. Whistleblower protection
13.1 Employees are informed that the Employer has implemented a Whistleblowing Channel, accessible via the link available at https://borgstena.protecaodedenunciantes.com, in accordance with the legal regulations in force, guaranteeing the protection of data subjects’ personal data.
13.2 A Whistleblowing Form is available to Employees at www.dataprotectionofficer.help/borgstena/whistleblowing or at any workplace service point, and the Whistleblowing Officer at the Employer may also be asked to send it by email, using the contact details available at that link.
15. Data Processing Information Sheets
Employees can consult all of the Employer’s Data Processing Information Sheets on the Data Protection Officer Platform, accessible at www.dataprotectionofficer.help/borgstena/information, or in person at any employment service point.
16. Changes to Internal Data Protection Procedures, Policies or Standards
16.1. In order to ensure their updating, development and continuous improvement, Employees are informed that the Employer may, at any time, make any changes that are deemed appropriate or necessary to the Procedures, Policies or Internal Data Protection Standards, and that such changes are published in the various internal channels to ensure transparency and information for Employees.
16.2 Employees are informed that they can consult the applicable updated versions of the Procedures, Policies or Internal Data Protection Standards on the Data Protection Officer’s Documentation Platform, accessible at www.dataprotectionofficer.help/borgstena/ or in person at any workplace service point and can also consult the document history by emailing a request to email@example.com.
17. Support from the Data Protection Officer
To request intervention or request technical and regulatory assistance or support in the field of data protection or privacy, Employees should contact the Employer’s Data Protection Officer by email at firstname.lastname@example.org. The functional description, procedures and contact details are available on the Data Protection Officer’s Support Platform, accessible to Employees at www.dataprotectionofficer.help/support.
Version of this Policy: 202306.
To consult previous versions of the Data Protection and Privacy in the Workplace Policy, Employees can send a request by email to email@example.com.