Data Handling Policy in Supplier Relations

1.Data Protection Commitment Coindu – Componentes para a Industria Automovel SA, hereinafter referred to as COINDU, a legal person with the portuguese legal person number 501998055, complies with the applicable Community and national legal rules regarding the protection of personal data, privacy and information security of data subjects, within the scope of data processing operations carried out in the relationship with suppliers – whether the data subjects are the suppliers themselves as natural persons, or the data subjects are the suppliers’ employees – in accordance with the general terms of the Data Protection and Privacy Policy, which can be accessed at www.coindu.com or at any of the service points, and the special terms of this Policy for the Processing of Personal Data in Relations with Suppliers.

2.Personal Data

COINDU collects and processes the following categories of personal data from suppliers or suppliers’ employees:

• identification data;
• contact details;
• professional data and certifications;
• traffic data and access control on the premises.

3.Data Sources

COINDU collects personal data from suppliers or suppliers’ employees by collecting it directly from them or indirectly from their employer, by filling in information registration forms.

4.Purpose of processing COINDU processes the personal data of suppliers or suppliers’ employees exclusively for the purposes of verifying the legitimacy of legal representatives, access control, safety, hygiene and occupational health and the provision of contracted services in the exercise of economic activity.

5.Legitimacy of Processing

COINDU bases the legitimacy of the processing of the personal data of suppliers or suppliers’ employees on the specific processing activity carried out, whether based on the management of the contractual relationship, the fulfillment of legal obligations or the legitimate interests of pursuing economic activity.

6.Data retention period

COINDU will keep the data for the period necessary to pursue the purposes of the processing, complying with the applicable legal deadlines, and suppliers or collaborators of suppliers may request its deletion or exercise any other right at any time, under the conditions and with the limitations provided for by law, with an additional period of one year for the retention of personal data of suppliers or collaborators of suppliers

7. Communication of Personal Data

The personal data of suppliers or suppliers’ employees is processed exclusively by COINDU’s contracting and procurement, human resources management and occupational health and safety services, and no data is communicated to third parties, except for the legally stipulated situations in which personal data must be communicated to third parties.

8. Data Processing Information Sheets

Under the terms of the principle of loyalty and transparency and to guarantee compliance with the duty to provide information, COINDU delivers directly or makes publicly available to all data subjects, depending on how their personal data is collected, information sheets on the data processing operations carried out, which are accessible for consultation at any service point or on request from the Data Protection Officer. The Information Sheet on Data Processing in Relations with Suppliers is available at www.dataprotectionofficer.help/coindu/information.

9.Rights of suppliers or their employees

COINDU facilitates the exercise of the rights of suppliers or their employees regarding the protection of personal data. In addition to always being able to lodge a complaint with the respective supervisory authority, in order to exercise any type of data protection rights, namely the rights to withdraw consent, information, access, rectification, opposition, limitation of processing or erasure, suppliers or their employees can contact the COINDU Data Protection Officer via email at dpo@coindu.com, describing the subject of the request and indicating an email address, telephone contact address or correspondence address for a reply. A Form for Exercising the Rights of Data Subjects is available at www.dataprotectionofficer.help/coindu/forms/ or at any COINDU service point.

10.Reporting Data Breach Incidents

COINDU has implemented a data protection and information security incident management system. If any Supplier or Collaborator of a COINDU Supplier wishes to report the occurrence of any personal data breach, which accidentally or unlawfully causes the unauthorized destruction, loss, alteration, disclosure or access to personal data transmitted, stored or subject to any other type of processing, they may contact the COINDU Data Protection Officer or use the general COINDU contacts. A Personal Data Breach Incident Reporting Form can be found at www.dataprotectionofficer.help/coindu/forms or at any COINDU service point, and can also be sent by email by contacting the Data Protection Officer.

11.Permanent Security Contact Point

COINDU has implemented a Permanent Contact Point for the management of information security and cyberspace security incidents. If any Supplier or Supplier Employee wishes to report an information security incident or a cyberspace security incident, they can contact the COINDU Permanent Contact Point through the communication channels available at www.dataprotectionofficer.help/coindu/security/. An Information Security or Cyberspace Security Incident Reporting Form can be found at www.dataprotectionofficer.help/coindu/forms or at any COINDU service point, and can also be sent by email on request to the Permanent Contact Point.

12.Whistleblower Protection

COINDU has implemented a Whistleblowing Channel, in accordance with the legal regulations in force, guaranteeing the protection of the personal data of data subjects, under the terms of the Whistleblower Protection Policy available at https://www.whistleblowingofficer.com/coindu/. The COINDU Whistleblower Officer can be contacted via the contact details available at www.dataprotectionofficer.help/coindu/whistleblowing/. The COINDU Whistleblowing Platform is accessible via the link available at https://www.whistleblowingofficer.com/coindu/. A Whistleblowing Form can be found at www.dataprotectionofficer.help/coindu/forms/ or at any COINDU service point, and can also be sent by email on request to the Whistleblowing Officer.

13.Prevention of Corruption

COINDU has implemented a Regulatory Compliance Program within the scope of Corruption Prevention, in accordance with the legal regulations in force, guaranteeing the protection of the personal data of the data subjects, under the terms of the Corruption Prevention Policy accessible at www.coindu.com. For the purposes of submitting complaints within the scope of the corruption prevention regime, any interested party can use, the COINDU Complaints Platform, accessible via the link available at https://www.whistleblowingofficer.com/coindu/ or the Whistleblowing Form, accessible at www.dataprotectionofficer.help/coindu/forms/ or at any COINDU service point.

14.Data Protection Policies

The Policy for the Processing of Personal Data of Suppliers or Employees of a COINDU Supplier is complemented by COINDU’s General Data Protection Policy, which can be accessed at www.coindu.com. It is also possible to consult the other specific Data Protection and Privacy Policies, either by contacting the Data Protection Officer at dpo@coindu.com; or by contacting any service point in person.

15.Versions of the Policy

This version of the Data Processing Policy for Supplier Management has been published under reference Version 202312. To ensure its updating, development and continuous improvement, COINDU may, at any time, make any changes deemed appropriate or necessary to the Data Protection Policies, and its publication in the different channels is ensured to guarantee transparency and information to Users, Service Recipients, Clients, Employees, Candidates or Suppliers. To consult previous versions of the Data Protection and Privacy Policy, please send a request by email to dpo@coindu.com.