Data Protection Officer Contacts

Manuel Melo

Email

manuel.melo@dataprotectionofficer.help

Support

(+351) 213 243 750

(Call to national landline)

Personal Data Protection and Privacy Policy

 

1.Data Protection and Privacy Commitment

Rovensa is committed to complying with all applicable EU and national legal rules on data protection and information security.

Rovensa has implemented a Personal Data Protection System and an Information Security System, in order to ensure regulatory compliance and the demonstration or evidence of institutional responsibility for data protection and information security, implementing all necessary technical and organizational measures deemed appropriate, either to comply with the legal regime of the General Data Protection Regulation (EU Regulation 2016/679, of April 27, hereinafter referred to as GDPR), or to comply with the legal regime of the GDPR Enforcement Law (Law No. 58/2019, of August 8, hereinafter referred to as LERGPD), or the other applicable complementary legislation.

For any clarification or additional information or to exercise rights in this regard, please contact Rovensa’s Data Protection Officer at dataprotection@rovensa.com.

2.Definitions

«Personal data»

«Personal data» means information relating to an identified or identifiable natural person («data subject») – an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier. Personal identifiers are, for example, a name, an identification number, location data, electronic identifiers or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

«Processing of Personal Data»

«Processing» means any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

«Cookies» (Connection Testimonials)

«Cookies», designated by «Connection Testimonials» in Portuguese, are small text files with information considered relevant that the devices used for access (computers, cell phones or portable mobile devices) load, through the internet browser («browser»), when an online site is visited by the User or User.

3.Entity Responsible for Treatment

Rovensa, Legal Person with VAT 514194910, hereinafter referred to as Rovensa, is the entity responsible for the forms, online sites, systems or computerized applications, hereinafter referred to as channels or applications, through which Users, Service Recipients or Users have remote access to Rovensa services that are presented or provided, at any time, through them, being the entity considered responsible for the processing of personal data.

The use of channels, systems or applications by any User, Service Recipient or User may involve the performance of personal data processing operations, whose protection, privacy and security by Rovensa, as the entity responsible for the respective processing, is ensured, in accordance with the terms of this Data Protection and Privacy Policy.

4.Institutional Contacts of the Data Controller

For the purpose of contacting the Rovensa Data Protection Officer, please send an email to dataprotection@rovensa.com or to each of the specific addresses identified in the forms, online sites or applications, describing the subject of the request and indicating an email address, a telephone contact address or a mailing address for reply.

For any other purpose, the following general contact details of Rovensa as Controller of personal data may be used:

– Postal Address: Edifício Lumnia, Rua António Mega Ferreira, N.º 61 – 5B, 1800-424  Lisboa  – Portugal;

– General Email: info@rovensa.com;

– General Telephone: + 351 213222750;

– Website: www.rovensa.com.

5.Collection and Processing of Personal Data

Rovensa processes the personal data strictly necessary for the provision of information and the operation of its channels, according to the uses made by Users, Service Recipients or Users, either those provided for the purpose of registering requests or obtaining information, or those provided for the purpose of joining those channels, or those resulting from the use of the services provided by Rovensa through them, such as access, consultations, instructions, requests or applications, transactions and other records related to their use.

In particular, the use or activation of certain functionalities of the channels may involve the processing of various direct or indirect personal identifiers, such as name, residence address, personal contacts, device addresses or geographical location, where there is express consent from the specific User, Service Recipient or User, where this is necessary for the management of the contractual relationship or the pursuit of legitimate interests or, finally, for the purpose of complying with legal obligations.

In all cases, Users, Service Recipients or Users will always be informed of the need to access such data for the use of the functionalities of the channels in question, as well as the respective basis of legitimacy for the processing of such data.

The personal data collected by Rovensa are processed manually or, in certain cases, in an automated or computerized way, including the processing of files or the possible definition of profiles, within the scope of the management of the pre-contractual, contractual or post-contractual relationship with the Users, Recipients of the Service or Users, under the terms of the national and Community rules in force.

6.Categories of Personal Data Processed and Data Subjects

The categories or types of personal data processed are generally as follows:

– identification data;

– contact details;

– professional data;

– billing data;

– traffic and access control data.

In the different establishments of the Data Controller, biometric data may also be processed, processed through video surveillance systems or other biometric systems that are installed.

The categories or types of personal data subjects processed are generally Users, Service Recipients or Users, and may also include, in special processing situations, members of their households or visitors to the facilities of the Controller.

The detailed list of categories of personal data and categories of data subjects can be found in the Data Processing Information Sheets for each of the specific processing activities.

7.Legal Principles

All data processing operations comply with the fundamental legal principles in the field of data protection and privacy, in particular as regards its circulation, lawfulness, fairness, transparency, purpose, minimization, conservation, accuracy, integrity and confidentiality, and Rovensa is available to demonstrate its responsibility to the data subject, to the authorities or to any other third party with a legitimate interest in this matter.

8.Grounds for Legitimacy

All data processing operations carried out by Rovensa have a legitimate basis, namely, either because the data subject has given his consent to the processing of his personal data for one or more specific purposes, or because the processing is considered necessary for the performance of a contract to which the data subject is a party or for pre-contractual steps at the request of the data subject, or because the processing is necessary for compliance with a legal obligation to which the controller is subject, or in the public interest, or because the processing is considered necessary for the purposes of the legitimate interests pursued by Rovensa or by a third party – the specific ground being referred to in the specific data processing activities.

9.Purpose of Treatment

All personal data processed within the scope of Rovensa channels are intended exclusively for the provision of information to Users, the management of personal information of the Recipients of the Services considered necessary for the purposes of relationship management or communication, as well as the provision of services to Users and, in general, the management of the pre-contractual, contractual or post-contractual relationship with Users, with the Recipients of the Services or with Users.

The personal data collected may also and eventually be processed for statistical purposes, for information or promotional actions and for communication actions, namely to promote actions to publicize new features or new services, through direct communication, either by correspondence, by e-mail, messages or telephone calls or any other electronic communications service.

Always ensuring prior information and the collection of express authorization for the latter purposes, Users, Recipients of Services or Users may, at any time, exercise their right to withdraw consent or their right to object or limit the use of their personal data for other purposes that go beyond the management of the relationship with the Data Controller, namely for the pursuit of legitimate interests, for the sending of informative communications or for inclusion in lists or information services, and must send a written request addressed to the Rovensa Data Protection Officer, in accordance with the procedures indicated below.

10.Information Sheet on Data Treatment on Websites

In accordance with the principle of loyalty and transparency and to ensure compliance with the duty of information, Rovensa directly delivers or makes publicly available to all data subjects, depending on the form of collection of their personal data, the information sheets on the data processing activities carried out, these sheets being accessible for consultation at any public service unit or by request to the Data Protection Officer.

For the websites and online services, please consult the Data Processing Information Sheet for the websites, accessible at www.dataprotectionofficer.help/Rovensa/information/.

11.Data Retention Periods

Personal data will be stored only for the period necessary for the purposes for which they were collected or further processed, ensuring compliance with all applicable legal rules on archiving and specifying the specific storage period in each of the Data Processing Information Sheets.

12.Use of Cookies (Connection Testimonials)

Regarding the use of Cookies or Testimonials by Rovensa, please consult the Cookies Policy at www.dataprotectionofficer.help/Rovensa/policies/.

13.Communication of Data to Other Entities

The provision of information or the provision of services by Rovensa to its Users, Service Recipients or Users through the channels may eventually imply the use of services of third party subcontractors, Joint Controllers or other autonomous Controllers, including entities based outside the European Union, for the provision of certain services, which may imply access by these entities to such personal data.

In these circumstances and where necessary, Rovensa will only use entities that provide sufficient guarantees that they will implement appropriate technical and organisational measures in a manner that the processing meets the requirements of the applicable rules, such guarantees being formalised in a contract signed between Rovensa and each of these third parties.

14.Data Recipients

Except in the fulfilment of legal obligations, execution of contracts or pursuit of legitimate interests, in no case will there be communication of personal data of Users, Recipients of the Services or Users to third parties other than subcontractors or legitimate recipients, nor will any other communication be made for purposes other than those referred to above, without the prior express consent of the data subject.

15.International Data Transfers

Any transfer of personal data to a third country or an international organisation will only take place within the framework of compliance with legal obligations or to ensure compliance with the applicable Community and national legal rules.

16.Security measures

Taking into account the most advanced techniques, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks, of varying likelihood and severity, to Users, Recipients of Services or Users, Rovensa and all its subcontractors apply appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

To this end, various security measures are adopted to protect personal data against unauthorised disclosure, loss, misuse, alteration, processing or access, as well as against any other form of unlawful processing.

It is the sole responsibility of the Users, Recipients of the Services or Users to keep the access codes secret, not sharing them with third parties, and, in the particular case of computer applications used to access the channels, maintain and maintain the access devices in safe conditions and follow the security practices advised by the manufacturers and / or operators, namely regarding the installation and updating of the necessary security applications, namely, among others, antivirus applications.

In the event of the need to subcontract services to third parties that may have access to the personal data of Users, Service Recipients or Users, Rovensa subcontractors will be obliged to adopt the security measures and protocols at the organisational level and the technical measures necessary to protect the confidentiality and security of personal data, as well as to prevent unauthorised access, loss or destruction of personal data.

17. Exercising the Rights of Personal Data Subjects

Users, Recipients of the Services or Users of Rovensa may, as holders of personal data, at any time, exercise their data protection and privacy rights, namely the rights of withdrawal of consent, access, rectification, erasure, portability, limitation or opposition to treatment, under the terms and with the limitations provided for in the applicable rules.

Any request to exercise data protection and privacy rights must be addressed in writing by the data subject to the Data Protection Officer, in accordance with the procedure and contact details described below.

A Form for Exercising the Rights of Data Subjects is available at www.dataprotectionofficer.help/Rovensa/forms or at any Rovensa service point, and can also be requested by email, by requesting the Data Protection Officer, by email dataprotection@rovensa.com.

18.Complaints or Suggestions

Users, Recipients of the Services or Users have the right to lodge a complaint, either by registering the complaint in the Complaints Book or by submitting a complaint to the regulatory authorities – in the latter case, they may submit a petition or complaint directly to the National Data Protection Commission through the contacts available at www.cnpd.pt .

Users, Recipients of Services or Users may also make suggestions by email sent to the Data Protection Officer via email dataprotection@rovensa.com.

19.Reporting of Personal Data Breach Incidents

Rovensa has implemented an incident management system for data protection and information security.

If any User, Service Recipient or User wishes to report the occurrence of any personal data breach, which causes, accidentally or unlawfully, the unauthorized destruction, loss, alteration, disclosure or access to personal data transmitted, stored or subject to any other type of processing, you may contact Rovensa’s Data Protection Officer or use Rovensa’s general contacts.

A Personal Data Breach Incident Reporting Form is accessible at www.dataprotectionofficer.help/Rovensa/forms or at any Rovensa service point, and can also be requested by email, by requesting the Data Protection Officer, by email dataprotection@rovensa.com.

20.Security Permanent Contact Point

Rovensa has implemented a Permanent Contact Point for the purpose of managing information security and cyberspace security incidents.

If any User, Service Recipient or User wishes to report the occurrence of an information security incident or a cyberspace security incident, they may contact the Rovensa Permanent Contact Point through the communication channels available at www.dataprotectionofficer.help/Rovensa/security.

An Information Security or Cyberspace Security Incident Reporting Form is accessible at www.dataprotectionofficer.help/Rovensa/forms or at any Rovensa service point, and can also be requested by email, by requesting the Permanent Contact Point.

21.Whistleblower Protection

Rovensa has implemented a Whistleblowing Channel, in accordance with the legal regulations in force, guaranteeing the protection of the personal data of data subjects, under the terms of the Whistleblower Protection Policy accessible at https://www.integritycounts.ca/.

The Rovensa Whistleblower Officer can be contacted through the contact details available at https://www.dataprotectionofficer.help/rovensa/whistleblowing.

The Rovensa Whistleblowing Platform is accessible via the link available at https://www.integritycounts.ca/.

A Whistleblowing Form is accessible at www.dataprotectionofficer.help/Rovensa/forms or at any Rovensa service point and can also be requested to be sent by email by asking the Whistleblower Officer.

22.Prevention of Corruption

Rovensa has implemented a Regulatory Compliance Program in the scope of Corruption Prevention, in accordance with the legal rules in force, guaranteeing the protection of the personal data of the holders, under the terms of the Corruption Prevention Policy available at https://www.dataprotectionofficer.help/rovensa/corruption .

For the purpose of submitting complaints under the corruption prevention regime, any interested party may use

– the Rovensa Reporting Platform, accessible through the link available at https://www.dataprotectionofficer.help/rovensa/whistleblowing or

– the Whistleblowing Form, accessible at www.dataprotectionofficer.help/Rovensa/forms or at any Rovensa service point.

23.Data Protection Policies and Special Information Sheets

With a commitment to transparency and information and to ensure the adequacy of the Data Protection and Privacy Policy to the different data processing operations carried out and, above all, to the different categories of data subjects, Rovensa may develop special Data Protection Policies, such as, for example:

– the Data Protection and Privacy Policy in an Employment Context;

– the Data Protection and Privacy Policy in Application Management;

– the Data Protection and Privacy Policy for Employees of Suppliers; or

– the Cookies or Testimonial Connection Policy.

These special policies are made available directly to the respective categories of data subjects or in the context of the related processing activities and are available for consultation by request to the Data Protection Officer, by email dataprotection@rovensa.com.

The Data Protection Policies are also complemented with Data Processing Information Sheets, reinforcing transparency and information on specific data processing activities at Rovensa and these sheets are made available at the time of data collection, at any service point or by contacting the Data Protection Officer.

24.Information Sheet on Data Processing in the Relationship with Users

The Information Sheet on Data Processing in the Relationship with Users, Recipients of Services or Users is accessible at www.dataprotectionofficer.help/Rovensa/information.

25.Data Protection Officer

For any information, complaint, incident report or exercise of any type of data protection and privacy rights or for any matter concerning data protection and information security issues, Users, Service Recipients and Users who interact with Rovensa, may

– contact the Data Protection Officer directly by e-mail at dataprotection@rovensa.com, describing the subject of the request and indicating an e-mail address, a telephone contact address or a mailing address for reply, or, if they prefer,

– contact any Rovensa unit or service point, requesting communication with the Data Protection Officer.

26.Express Consent and Acceptance

The terms of the Data Protection and Privacy Policy are complementary to the terms and provisions on personal data set out in the Specific Conditions of Use of each of Rovensa’s communication channels.

The free, specific and informed provision of personal data by the respective holder implies knowledge and acceptance of the conditions contained in this Policy, considering that, by using the channels or by making their personal data available, Users, Service Recipients and Users are expressly authorizing their treatment, in accordance with the rules defined in each of the applicable channels or collection instruments.

27.Amendment of the Data Protection and Privacy Policy

In order to ensure its updating, development and continuous improvement, Rovensa may, at any time, make changes that are considered appropriate or necessary to this Data Protection and Privacy Policy, being ensured its publication in the different channels to ensure transparency and information to Users, Service Recipients and Users.

28.Versions of the Data Protection and Privacy Policy

Version of this Policy: 202306.

Date: 20230620.

To consult the previous versions of the Data Protection and Privacy Policy, please send a request by email to dataprotection@rovensa.com.