Rovensa, S.A., legal person with NIPC 514194910, with registered office at Edifício Lumnia, Rua António Mega Ferreira, N.º 61 – 5B
1. Contact details of the Data Controller
Rovensa establishes the following contacts for the purpose of applying the rules of the GDPR as Data Controller:
General email address: email@example.com;
General telephone: + 351 213222750;
Email address of the Data Protection Officer: firstname.lastname@example.org.
2. Personal data processed
2.1. The Employer, within the strict limits of the purposes and legal grounds specified below, processes, by itself or on its behalf, personal data of Employees, namely, name, marital status, civil, tax, social security and health user identification numbers, age, date of birth, place of birth, academic, technical, professional qualifications, telephone numbers, composition and identification of members of the respective household, training data and professional performance data.
2.2. The Employer, on the grounds of exception provided for in Article 9 of the General Data Protection Regulation and in strict compliance with the provisions of that article, in particular with regard to the obligation of professional secrecy, also processes the following special categories of personal data: trade union membership, biometric data and health data.
3. Purpose of processing
- Employees’ personal data are processed for the purposes inherent in the performance of the employment contract, including compliance with related legal obligations, namely planning and organization of work, equality and diversity in the workplace, health and safety at work, protection of the Employer’s assets and for the purpose of exercising and enjoying, individually or collectively, employment-related rights and benefits, as well as for the purpose of terminating the employment relationship.
- Without prejudice to the above purposes, special categories of personal data are processed for the following specific purposes:
- a) trade union membership – for compliance with legal obligations and/or at the request of Employees;
- b) biometric data – for access control to the premises and/or attendance control and for the protection of persons and property;
- c) health data – for the purposes of preventive and occupational medicine and for the assessment of Workers’ working capacity, by subcontractors legally qualified for this purpose, and under strict obligation of professional secrecy.
4. Legal basis for treatment
4.1. The processing of the above-mentioned personal data is necessary for:
- the performance of the employment contract,
- the fulfillment of legal obligations to which the Employer is subject by virtue of applicable national or Community law,
- the effect of the legitimate interests pursued by the Employer, namely the exercise of its management power and the corresponding optimization of its operational organizational processes.
- Outside these cases, the Employer may process data collected from Employees for other specific, explicit and legitimate purposes, expressly obtaining, at the time of collection, the corresponding and legitimate consent of the Employees.
5.1. Within the scope and context of the employment relationship and for the purposes and on the grounds specified above, the Employer may communicate the personal data of the Employees to other entities, namely subcontractors for the provision of occupational medicine, management consulting, human resources, accounting, tax, legal, or other services, banking entities, insurance entities, Tax Authority, Social Security Services, Authority for Working Conditions, Institute for Employment and Vocational Training, judicial entities, enforcement agents, National Data Protection Commission and other entities as determined by law or in compliance with judicial orders.
5.2. The Employer, in accordance with the provisions of the General Data Protection Regulation, will formalize the corresponding contracts with its subcontractors, ensuring that they adopt the technical and organizational protection measures adjusted to the protection of the personal data processed by them.
6. Storage period
6.1. Without prejudice to the personal data being kept for the period strictly necessary to achieve the specific purposes in question, and compliance with other applicable legal deadlines depending on the special categories of personal data processed, the personal data of the Employees will be kept, by default, for a period of two years from the termination of the employment contract that binds the Parties, under the terms provided for in Article 337(1) of the Labor Code.
6.2. The Employees are informed that this deadline may be extended when this becomes necessary for the declaration, exercise or defense of the Employer’s rights in legal proceedings.
7. Rights of the Personal Data Subject
7.1. Employees, as the holder of personal data, have the rights of access, rectification, erasure, limitation, opposition and portability of data, under the conditions and with the exceptions provided by law.
7.2. In the event of a breach of their personal data, the Data Subject may also submit a complaint to a supervisory authority, namely the National Data Protection Commission.
7.3. In cases where the legal basis for the processing of their personal data is consent, Employees also have the right to withdraw consent at any time, without prejudice to the lawfulness of the processing hitherto carried out on that basis.
8. Exercise of the rights of the Data Subject
8.1. For the exercise of any kind of data protection and privacy rights or for any matter concerning data protection, privacy and information security issues, Employees may contact the Data Protection Officer via email@example.com, describing the subject of the request and providing an email address, a telephone contact address or a mailing address for reply.
8.2. A Form for Exercising the Rights of Personal Data Subjects is accessible to Employees at www.dataprotectionofficer.help/Rovensa/forms or at any employment service point of the Employer, and may also be requested to be sent by email, by requesting the Data Protection Officer.
9. Obligations of Workers in the field of personal data protection
Employees are obliged to act in accordance with the applicable legal rules in the field of personal data protection and the internal rules in force in this regard, namely the procedures, internal regulations and work instructions in the field of data protection and information security, expressly knowing the terms of the Data Protection Policies and Information Security Policies approved by the Data Controller, accessible on the Data Protection Officer Documentation Platform, at www.dataprotectionofficer.help/Rovensa/.
10. Duty of secrecy and confidentiality
11. Duty to notify a personal data breach
11.1. Employees shall be aware of and comply with the rules of the personal data incident management and information security system in place at the Employer.
11.2. In the event of a personal data breach, Employees shall notify the Employer without undue delay and, where possible, no later than 12 hours after becoming aware of it, unless the personal data breach is not likely to result in a risk to the rights and freedoms of natural persons. If the notification is not transmitted within 12 hours, it shall be accompanied by the reasons for the delay.
11.3. A Personal Data Breach Incident Reporting Form is accessible to Employees at www.dataprotectionofficer.help/Rovensa/forms/ or at any of the Employer’s work service points, and may also be requested to be sent by email, upon request to the Data Protection Officer.
12. Permanent Security Contact Point
12.1. The Employees are informed that the Employer has implemented a Permanent Contact Point for the management of information security incidents and cyberspace security incidents, in accordance with the legal regulations in force, having the obligation to report, as soon as they become aware of it, the occurrence of any information security incident or cyberspace security incident, contacting, without undue delay, the Permanent Contact Point through the communication channels indicated at www.dataprotectionofficer.help/Rovensa/security/.
12.2. Employees must use the Information Security or Cyberspace Security Incident Reporting Form accessible at www.dataprotectionofficer.help/Rovensa/forms/ or at any workplace service point, and may also request that it be sent by email by contacting the Permanent Contact Point.
13. Whistleblower Protection
13.1. Employees are informed that the Employer has implemented a Whistleblowing Channel, accessible through the link available at www.integritycounts.ca/org/rovensa, in compliance with the legal regulations in force, guaranteeing the protection of the personal data of the data subjects.
13.2. A Whistleblowing Form is accessible to Employees at www.dataprotectionofficer.help/rovensa/whistleblowing/ or at any labor service point, and can also be requested from the Whistleblowing Officer at the Employer to be sent by email, through the contacts available at that link.
14. Prevention of Corruption
14.1. Employees are informed that the Employer has implemented a Regulatory Compliance Program for the Prevention of Corruption, in accordance with the legal rules in force, ensuring the protection of the personal data of the data subjects.
14.2. For the purpose of submitting complaints under the corruption prevention regime, Employees are informed that they should, depending on their preference, use the Employer’s Whistleblowing Channel accessible at www.integritycounts.ca/org/rovensa, contact in person any labor service point or send an email to the Regulatory Compliance Officer through the contacts available at www.dataprotectionofficer.help/rovensa/whistleblowing/.
15. Data Processing Information Sheets
Employees can consult all the Employer’s Data Processing Information Sheets on the Data Protection Officer Platform, accessible at www.dataprotectionofficer.help/rovensa/information/, or in person at any employment service point.
16. Changes to Internal Data Protection Procedures, Policies or Standards
16.1. In order to ensure their updating, development and continuous improvement, Employees are informed that the Employer may, at any time, make any changes deemed appropriate or necessary to the Procedures, Policies or Internal Data Protection Standards, and their publication in the different internal channels is ensured to ensure transparency and information to employees.
16.2. Employees are informed that they can consult the applicable updated versions of the Procedures, Policies or Internal Data Protection Standards on the Data Protection Officer’s Documentation Platform, accessible at www.dataprotectionofficer.help/rovensa/ or, in person, at any workplace service point, and can also consult the documentary history by email request to firstname.lastname@example.org.
17. Support from the Data Protection Officer
To request intervention or request technical and regulatory assistance or support in the field of data protection or privacy, Employees should contact the Employer’s Data Protection Officer, via email email@example.com, and the functional description, procedures and contacts are available on the Data Protection Officer Support Platform, accessible to Employees at www.dataprotectionofficer.help/support/ .
Version of this Policy: 202306.