Personal Data Protection Policy

1. Data Protection and Privacy Commitment

COINDU is committed to complying with all applicable EU and national legal standards in the field of data protection and information security.

COINDU has implemented a Personal Data Protection System and an Information Security System in order to ensure regulatory compliance and to demonstrate institutional responsibility in terms of data protection and information security, implementing all the necessary technical and organizational measures deemed appropriate, both to comply with the legal regime of the General Data Protection Regulation (EU Regulation 2016/679, of April 27, hereinafter referred to as GDPR), and to comply with the legal regime of the GDPR Enforcement Law (Law No. 58/2019, of August 8, hereinafter referred to as LERGPD), as well as other applicable complementary legislation.

For any clarification or additional information or to exercise your rights in this regard, please contact COINDU’s Data Protection Officer at dpo@coindu.com.

2. Definitions

“Personal data”

“Personal data” means information relating to an identified or identifiable natural person (“data subject”) – an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier. Personal identifiers are, for example, a name, an identification number, location data, electronic identifiers or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing of Personal Data”

“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Cookies” (Connection Testimonials)

“Cookies” are small text files containing information considered to be relevant that the devices used for access (computers, cell phones or portable mobile devices) load, via the internet browser (“browser”), when an online site is visited by the User.

3. Entity responsible for processing

COINDU, a legal person with the Portuguese legal person number 501998055, hereinafter referred to as COINDU, is the entity responsible for the forms, online sites, computerized systems or applications, hereinafter referred to as channels or applications, through which Users, Service Recipients or Users have remote access to COINDU services that are presented or provided, at any time, through them, being the entity considered responsible for the processing of personal data.

The use of channels, systems or applications by any User, Service Recipient or User may involve the processing of personal data, the protection, privacy and security of which is ensured by COINDU, as the entity responsible for the respective processing, in accordance with the terms of this Data Protection and Privacy Policy.

4. Institutional Contacts of the Data Controller

To contact the COINDU Data Protection Officer, please send an email to dpo@coindu.com or to each of the specific addresses identified in the forms, online sites or applications, describing the subject of the request and indicating an email address, telephone contact address or correspondence address for reply.

For any other purpose, the following general contact details of COINDU as Data Controller may be used:

Postal Address: Transversal to Rua de Rio Pele nº100 – 4770-217 Vila de Joane, Portugal;

General e-mail address: info@coindu.com;

General Telephone: + 351 252920010;

Website: www.coindu.com.

5. Collection and Processing of Personal Data

COINDU processes the personal data strictly necessary for the provision of information and the operation of its channels, in accordance with the uses made by Users, Service Recipients or Users, either those provided for the purposes of registering requests or obtaining information, or those provided for the purposes of joining those channels, or those resulting from the use of the services provided by COINDU through them, such as access, consultations, instructions, requests or feedback.

In particular, the use or activation of certain functionalities of the channels may involve the processing of various direct or indirect personal identifiers, such as name, home address, personal contacts, device addresses or geographical location, provided that there is express consent from the specific User, Service Recipient or User, provided that this is necessary for the management of the contractual relationship or the pursuit of legitimate interests or, finally, for the purposes of complying with legal obligations.

In all cases, Users, Service Recipients or Users will always be informed of the need to access such data in order to use the functionalities of the channels in question, as well as the respective grounds for legitimacy for the processing of such data.

The personal data collected by COINDU is processed manually or, in certain cases, in an automated or computerized way, including the processing of files or the possible definition of profiles, within the scope of the management of the pre-contractual, contractual or post-contractual relationship with Users, Service Recipients or Users, under the terms of the national and Community regulations in force.

6. Categories of Personal Data Processed and Data Subjects

The categories or types of personal data processed are generally as follows:

  • identification data;
  • contact data;
  • professional data;
  • billing data;
  • traffic and access control data.

At the various establishments of the Data Controller, biometric data may also be processed through video surveillance systems or other biometric systems that are installed.

The categories or types of personal data subjects processed are generally Users, Service Recipients or Users, and may also include, in special processing situations, members of their households or visitors to the Controller’s premises.

A detailed list of categories of personal data and categories of data subjects can be found in the Data Processing Information Sheets for each specific processing activity.

7. Legal Principles

All data processing operations comply with the fundamental legal principles in the field of data protection and privacy, namely as regards its circulation, lawfulness, fairness, transparency, purpose, minimization, conservation, accuracy, integrity and confidentiality and COINDU is available to demonstrate its responsibility to the data subject, to the authorities or to any other third party with a legitimate interest in this matter.

8. Grounds for Legitimacy

All data processing operations carried out by COINDU have a legitimate basis, namely, either because the data subject has given their consent to the processing of their personal data for one or more specific purposes, or because the processing is deemed necessary for the performance of a contract to which the data subject is a party or for pre-contractual steps at the request of the data subject, or because the processing is necessary for compliance with a legal obligation to which the controller is subject, or in the public interest, or because the processing is considered necessary for the pursuit of the legitimate interests pursued by COINDU or by third parties. The specific grounds are referred to in the specific data processing activities.

9. Purpose of processing

All personal data processed through COINDU channels is used exclusively to provide information to Users, to manage the personal information of Service Recipients deemed necessary for the purposes of relationship management or communication, as well as to provide services to Users and, in general, to manage pre-contractual, contractual or post-contractual relationships with Users, Service Recipients or Users.

The personal data collected may also be processed for statistical purposes, for information dissemination or promotional actions and for communication actions, namely to promote actions to disseminate new features or new services, through direct communication, whether by correspondence, e-mail, messages or telephone calls or any other electronic communications service.

While prior information and the collection of express authorization for the latter purposes are always ensured, Users, Recipients of the Services or Users may, at any time, exercise their right to withdraw consent or their right to oppose or limit the use of their personal data for other purposes that go beyond the management of the relationship with the Data Controller, in particular for the pursuit of legitimate interests, for sending informative communications or for inclusion in lists or information services, by sending a written request to the COINDU Data Protection Officer, in accordance with the procedures set out below.

10. Information Sheet on Data Processing on Electronic Sites

Under the terms of the principle of loyalty and transparency and to guarantee compliance with the duty to inform, COINDU delivers directly or makes publicly available to all data subjects, depending on how their personal data is collected, information sheets on the data processing activities carried out, which are accessible for consultation at any public service unit or by request to the Data Protection Officer.

Regarding electronic sites (“Websites”) and online services (“Online”), please consult the Information Sheet on Data Processing on Electronic Sites, accessible at www.dataprotectionofficer.help/coindu/information.

11. Data retention periods

Personal data will only be stored for the period necessary for the purposes for which it was collected or subsequently processed, ensuring compliance with all applicable legal rules on archiving and specifying the specific storage period in each of the Data Processing Information Sheets.

12. Use of Cookies (Connection Testimonials)

Regarding the use of Cookies or Connection Testimonials by COINDU, please consult the Cookies Policy at www.dataprotectionofficer.help/coindu/policies/.

13. Communication of Data to Other Entities

The provision of information or the provision of services by COINDU to its Users, Service Recipients or Users through the channels may eventually imply the use of the services of third party subcontractors, Joint Controllers or other autonomous Controllers, including entities based outside the European Union, for the provision of certain services, which may imply access by these entities to such personal data.

In these circumstances, and whenever necessary, COINDU will only use entities that provide sufficient guarantees that appropriate technical and organizational measures have been taken so that the processing meets the requirements of the applicable regulations, and such guarantees will be formalized in a contract signed between COINDU and each of these third parties.

14. Data recipients

Except in the context of compliance with legal obligations, execution of contracts or pursuit of legitimate interests, under no circumstances will personal data of Users, Service Recipients or Users be communicated to third parties that are not subcontractors or legitimate recipients, nor will any other communication be made for purposes other than those referred to above, without the prior express consent of the data subject.

15. International Data Transfers

Any transfer of personal data to a third country or an international organization will only be carried out within the framework of compliance with legal obligations or to ensure compliance with the applicable Community and national legal rules.

16. Security measures

Considering the most advanced techniques, the costs of application and the nature, scope, context and purposes of the processing, as well as the risks, of varying probability and severity, to Users, Recipients of the Services or Users, COINDU and all its subcontractors apply the appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

To this end, various security measures are adopted to protect personal data against its dissemination, loss, misuse, alteration, unauthorized processing or access, as well as against any other form of illicit processing.

It is the sole responsibility of Users, Service Recipients or Users to keep access codes secret and not share them with third parties, and in the case of computer applications used to access the channels, they must maintain and keep access devices in a safe condition and follow the security practices advised by the manufacturers and/or operator.

If there is a need to subcontract services to third parties that may have access to the personal data of Users, Service Recipients or Users, COINDU subcontractors will be obliged to adopt the security measures and protocols at the organizational level and the technical measures necessary to protect the confidentiality and security of personal data, as well as to prevent unauthorized access, loss or destruction of personal data.

17. Exercising the Rights of Personal Data Subjects

Users, Service Recipients or Users of COINDU may, as holders of personal data, at any time exercise their data protection and privacy rights, namely the rights to withdraw consent, access, rectification, erasure, portability, limitation or opposition to processing, under the terms and with the limitations provided for in the applicable rules.

Any request to exercise data protection and privacy rights must be addressed in writing by the data subject to the Data Protection Officer, in accordance with the procedure and contact details described below.

A Form for Exercising the Rights of Personal Data Subjects is available at www.dataprotectionofficer.help/coindu/forms/ or at any COINDU service point and can also be sent by email on request to the Data Protection Officer at dpo@coindu.com.

18. Complaints or Suggestions

Users, Recipients of the Services or Users have the right to submit a complaint, either by registering the complaint in the Complaints Book or by submitting a complaint to the regulatory authorities – in the latter case, they may submit a petition or complaint directly to the Portuguese National Data Protection Commission through the contacts available at www.cnpd.pt.

Users, Service Recipients or Users may also make suggestions by emailing the Data Protection Officer at dpo@coindu.com.

19. Communication of Personal Data Breach Incidents

COINDU has implemented a data protection and information security incident management system.

If any User, Service Recipient or User wishes to report the occurrence of any personal data breach, which accidentally or unlawfully causes the unauthorized destruction, loss, alteration, disclosure or access to personal data transmitted, stored or subject to any other type of processing, they can contact the COINDU Data Protection Officer or use COINDU’s general contacts.

A Personal Data Breach Incident Reporting Form is available at www.dataprotectionofficer.help/coindu/forms/ or at any COINDU service point and can also be sent by email on request to the Data Protection Officer at dpo@coindu.com.

20. Permanent Security Contact Point

COINDU has implemented a Permanent Contact Point for the management of information security and cyberspace security incidents.

If any User, Service Recipient or User wishes to report an information security incident or a cyberspace security incident, they can contact the COINDU Permanent Contact Point through the communication channels available at www.dataprotectionofficer.help/coindu/security/.

An Information Security or Cyberspace Security Incident Reporting Form is available at www.dataprotectionofficer.help/coindu/forms/ or at any COINDU service point and can also be sent by email by requesting it from the Permanent Contact Point.

21. Protection of whistleblowers

COINDU has implemented a Whistleblowing Channel, in accordance with the legal regulations in force, guaranteeing the protection of the personal data of data subjects, under the terms of the Whistleblower Protection Policy accessible at https://www.whistleblowingofficer.com/coindu/.

The COINDU Whistleblower Officer can be contacted via the contact details available at www.dataprotectionofficer.help/coindu/whistleblowing/.

The COINDU Whistleblowing Platform is accessible via the link available at www.dataprotectionofficer.help/coindu/whistleblowing/.

A Whistleblowing Form can be found at www.dataprotectionofficer.help/coindu/forms/ or at any COINDU service point, and can also be sent by email by requesting it from the Whistleblowing Officer.

22. Corruption prevention

COINDU has implemented a Regulatory Compliance Program within the scope of the Prevention of Corruption, in accordance with the legal regulations in force, guaranteeing the protection of the personal data of data subjects, under the terms of the Prevention of Corruption Policy available at www.dataprotectionofficer.help/coindu/corruption.

For the purposes of submitting complaints within the scope of the corruption prevention regime, any interested party can use the COINDU Complaints Platform, accessible via the link available at www.dataprotectionofficer.help/coindu/whistleblowing/ or the Whistleblowing Form, accessible at www.dataprotectionofficer.help/coindu/forms/ or at any COINDU service point.

23. Data Protection Policies and Special Information Sheets

With a commitment to transparency and information and to ensure that the Data Protection and Privacy Policy is appropriate to the different data processing operations carried out and, above all, to the different categories of data subjects, COINDU may develop special Data Protection Policies, such as, for example:

  • the Data Protection and Privacy in the Workplace Policy;
  • the Data Protection and Privacy Policy in the Management of Applications;
  • the Data Protection and Privacy Policy for Employees of Suppliers; or
  • the Cookies and Testimonials Policy.

These special policies are made available directly to the respective categories of data subjects or in the context of the related processing activities and are available for consultation on request to the Data Protection Officer, by emailing dpo@coindu.com.

The Data Protection Policies are also complemented with Data Processing Information Sheets, reinforcing transparency and information on specific data processing activities at COINDU, which are made available at the time of data collection, at any service point or by contacting the Data Protection Officer.

24. Information Sheet on Data Processing in Relations with Users

The Information Sheet on Data Processing in Relations with Users, Recipients of Services or Users is available at www.dataprotectionofficer.help/coindu/information/.

25. Data Protection Officer

For any information, complaint, incident report or exercise of any type of data protection and privacy rights or for any matter relating to data protection and information security issues, Users, Service Recipients and Users who interact with COINDU can contact the Data Protection Officer directly by email at dpo@coindu.com, describing the subject of the request and providing an email address, telephone contact address or correspondence address for a reply, or, if they prefer, contact any COINDU unit or service point, requesting communication with the Data Protection Officer.

26. Express Consent and Acceptance

The terms of the Data Protection and Privacy Policy are complementary to the terms and provisions on personal data set out in the Specific Conditions of Use of each of COINDU’s communication channels.

The free, specific and informed provision of personal data by the respective holder implies knowledge and acceptance of the conditions contained in this Policy, and it is considered that, by using the channels or by providing their personal data, Users, Service Recipients and Users are expressly authorizing their processing, in accordance with the rules defined in each of the applicable collection channels or instruments.

27. Changes to the Data Protection and Privacy Policy

To ensure its updating, development and continuous improvement, COINDU may, at any time, make any changes deemed appropriate or necessary to this Data Protection and Privacy Policy, and its publication in the different channels is ensured to guarantee transparency and information to Users, Service Recipients and Users.

28. Versions of the Data Protection and Privacy Policy

Version of this Policy: 2023012

Date: 20231207

To consult previous versions of the Data Protection and Privacy Policy, please send a request by email to dpo@coindu.com.