Privacy Management Policy
A&T, Lda.
PRIVACY MANAGEMENT POLICY
1. Scope
The Privacy Management Policy presents A&T, Lda.'s commitments in relation to managing the privacy of holders' personal data, as well as compliance with the General Data Protection Regulation, identified as REGULATION (EU) 2016 /679 OF THE EUROPEAN PARLIAMENT AND THE COUNCIL of 27 April 2016.
Taking into account the inventory of personal data that A&T, Lda. keeps updated, all data that is considered private and/or sensitive is managed in accordance with the requirements of the General Data Protection Regulation in order to ensure compliance with rights of their respective holders.
2. Confidentiality and Privacy of Personal Data
Corporate customers by contract, customers through Web tools, internal employees and suppliers and service providers (subcontractors) are considered holders of personal data.
Personal and/or sensitive data placed in the custody of A&T, Lda. are accessed by employees formally authorized to carry out such tasks.
The data is only used for activities that were previously authorized by the holders of personal data through prior, informed and free consent.
Therefore, within the framework of the commitment to guarantee the privacy of personal data, the respective confidentiality is also guaranteed.
The guarantee of confidentiality is carried out through the celebration, with employees of the A&T, Lda. , of agreements to protect personal data that they access and process in the course of their professional activities.
3. Identification of the Person Responsible for Processing Personal Data
The person responsible for processing personal data is A&T, Lda. , with registered office at Rua Delfim Lima 2310, 4410-230 Canelas, Vila Nova de Gaia, Portugal, mobile phone +351 910 986 757.
4. Collection, Processing, Sharing and Retention of Personal Data
4.1 Collection of Personal Data
4.1.1 Situations that do not involve Web tools
Personal data is collected directly, through the following sources: filling out forms on the website A&T, Lda. , responding to job offers by sharing the Curriculum Vitae , filling out paper forms, capturing images and videos, biometric data, email or telephone.
Personal data can also be collected indirectly by importing the content of the Curriculum Vitae into the internal candidate management platform.
No other method of indirect collection of personal data will be carried out.
The collection of sensitive personal data will only be carried out in cases strictly necessary and justifiable by current legislation, namely, and as an example, in the case of occupational medicine.
4.1.2 Situations involving Web tools
Personal data is collected directly through official web tools of A&T, Lda. , namely online shopping websites, or indirectly through marketing automation tools and online advertising from duly authorized subcontracting partners and in full compliance with the company's privacy management policy. A&T, Lda. .
The cookie management policy complements this theme, presenting the “opt-in” and “opt-out” options that are available on the official website of the A&T, Lda. .
The holder of personal data may also opt-out of online advertising services on the company's social tools. A&T, Lda. , namely Facebook, Instagram and Google Ads.
A A&T, Lda. assumes that under no circumstances will a manual or computerized form have options pre-filled. All alternatives are selected by the data subject.
The collection of personal data will always be minimized to activities strictly necessary for the legitimate commercial interest of the Company. A&T, Lda. .
4.2 Processing of Personal Data
The personal data authorized by the holders will be used by A&T, Lda. for the strict objective of supporting its commercial activities and the resulting legal obligations.
4.2.1 Situations that do not involve Web tools
Activities included:
|
Justification |
Purpose of Treatment |
Rationale |
|
Job Applicant Management |
CV analysis and selection for interview |
Management of the life cycle of hiring an employee |
|
Export of Curriculum Vitae data to internal candidate management platform |
||
|
Contact with the candidate at various stages of the process |
||
|
Communication of data to the candidate in case of selection |
||
|
Data conservation for future opportunities |
||
|
Contact with the candidate for new opportunities and to update data |
||
|
Human resource Management |
Administrative management of human resources Salary processing |
Operational management of the organization's support area |
|
Creation of the employee card and placement in the company's contact and access directory |
||
|
Physical Security |
Access control Video surveillance image capture Attendance record |
Control of the physical security of buildings |
|
Internal and External Communication |
Publication of news, testimonials, images and videos on the company website, internal newsletter and social networks |
Promotion of the company and the events in which it participates |
|
Commercial management |
Customer registration in the ERP and customer file Registration and archive of commercial proposals |
Management of the commercial relationship with the customer |
|
Financial management |
Billing and collections Sharing information with the external accounting service |
Operational management of the support area |
|
Purchasing Management |
Supplier registration in ERP and supplier form Supplier contact query and activity record |
|
|
Technical assistance |
Registration in the technical assistance ERP Marking the start and end point of the technicians’ journey to record the distance covered |
Operational management of the support area |
|
Information Systems Management |
Account management of email systems and related services |
Access control |
|
Preparation of machines for delivery to the employee Retention of employee data for the previous purpose |
Provision of service to the employee |
|
|
Querying partner contacts |
Management of relationships with partners |
|
|
Consultation and custody of customer databases |
Provision of application software maintenance service |
Data will not be used for the purposes of creating and using sales profiles or indicators of products, regions or trends.
4.2.2 Situations involving Web tools
Activities included:
|
Justification |
Purpose of Treatment |
Rationale |
|
eCommerce |
User registration in the online store or marketplaces |
Legitimate interest to provide web customer service |
|
Online order management on websites |
||
|
Communication with the user/customer at various stages of the ordering process |
||
|
Data transfer to logistics and freight transport providers |
||
|
Conservation of registered customer data for new purchases |
||
|
Data transfer to the platform for sending promotional digital marketing newsletters |
||
|
Data transfer for online advertising on social networks |
||
|
Customer support service (“online” or by telephone) |
4.3 Sharing of Personal Data
4.3.1 Situations that do not involve Web tools
The sharing of personal data will be done, for the purposes strictly necessary and authorized by the holders of personal data, in support of the development of the activities of the A&T, Lda. , including:
|
Share Destination |
Data to Share |
Rationale |
|
Portuguese Legal Authorities |
Name, address, tax identification number, social security user number, date of admission, citizen card number |
Social security registration. Communication with the tax authority, customs or other legal entities. |
|
Portuguese Supervisory Authority for the Protection of Personal Data |
Name, address, email address, telephone number, citizen card number |
Reporting complaints or privacy violations Communication with the EPD |
|
Medicine at work |
Name, date of birth, date of admission, social security number |
Registration in the Occupational Medicine service Creation of the medical fitness form |
|
Insurers |
Name, tax identification number, address, date of birth, date of admission |
Enrollment in employee accident insurance policies |
|
Banking Entities |
Name, international bank account number |
Salary processing and expense payment |
|
Accounting Service Provider(s) |
Name, tax identification number, address, citizen card number |
Compliance with tax obligations and management of company accounting |
|
Legal Service Provider(s) |
Name, tax identification number, address, citizen card number |
Conflict management Conclusion of contracts |
|
IT Service Providers |
Name, professional history |
Presentation of candidates for the outsourcing service |
Any and all additional needs will be subject to a supplementary request for informed consent from the respective personal data holders.
This data sharing will be carried out entirely within the European Union.
Taking these principles into account, personal data can thus be transmitted to subcontractors, who, through the formalization of a specific agreement for each case, undertake to comply with the necessary security controls in accordance with the determinations of the company's privacy management policy. A&T, Lda. .
4.3.2 Situations involving Web tools
The sharing of personal data will only be done with subcontracting partners who have signed the security management agreement for this data in accordance with the determinations of the company's privacy management policy. A&T, Lda. .
|
Share Destination |
Data to Share |
Rationale |
|
Marketing Automation |
Gender, age and date of birth |
Carrying out personalized campaigns for the client |
|
Sending Newsletters and/or SMS |
Name, email address, address, date of birth, telephone number |
Sending personalized news, campaigns and offers to the customer |
|
“Online” Advertising |
|
Google Ads, Facebook and Instagram Advertising |
|
Logistics and Delivery |
Email address, name, telephone number, shipping and billing address, date of birth, payment method, tax identification number |
Operational needs in interconnection with Chronopost, CTT and DHL |
|
Online payment |
Bank card number and ATM reference (if applicable) |
Operational needs when interconnecting with HiPay and Paypal |
There is room for sharing data with formally authorized subcontractors for digital marketing purposes. The personal data involved in these shares are subject to consent by the respective holder, with the possibility of opting out at any time.
In cases of segmentation of digital marketing campaigns with intercontinental subcontracting partners, these shares may result in data transfers outside the European Union.
In these cases, the A&T, Lda . will take care to implement appropriate security controls for each identified risk situation, as well as ensuring the holder is guaranteed the unconditional enforcement of their rights and all the requirements of the General Data Protection Regulation.
4.4 Retention of Personal Data
A A&T, Lda. , for each processing purpose presented, retains the personal data collected for the maximum periods indicated below:
|
Conservation Objective |
Retention time |
Rationale |
|
Legal Documents |
10 years |
Current legal requirements |
|
Data related to job applications |
5 years |
|
|
Data related to human resources |
1 year |
|
|
Data related to occupational medicine |
5 years |
|
|
Biometric Data |
Until change of role or end of contract |
|
|
Video surveillance |
1 month |
|
|
Communication publications containing personal data of employees |
Until end of contract |
Depending on the organization's operational needs and communication strategy |
|
Communication publications containing personal data |
3 years |
|
|
Data related to Contract Customer Orders |
3 years |
Depending on the operational needs of the organization |
|
Data related to Web Customer Orders |
3 years |
Depending on the operational needs of the organization |
|
Data related to Marketing and Advertising |
Until “opt-out” is made |
Include cookies”, “newsletters” and SMS sending |
|
Privacy complaints and violations |
5 years |
Support of legal processes if necessary |
|
Audit Records and Evidence |
5 years |
Support of legal processes if necessary |
Retention means the secure storage of data, in digital or paper format, in resource(s) under the responsibility of the A&T, Lda. , ensuring conditions of longevity and use according to the defined time.
5. Rights of Holders
A A&T, Lda. ensures that all data subjects will be able to exercise their rights, provided for and described in the General Data Protection Regulation, and for this purpose a Data Protection Officer (EPD) has been appointed.
The holder has the following rights:
5.1. Right to be informed:
The holder has the right to obtain clear, transparent and understandable information about how the A&T, Lda. uses your personal data. It is for this purpose that this Privacy and Cookies Policy is made available.
5.2. Right of access:
In addition to the right to information, the holder may access their personal data processed and stored by A&T, Lda. . In these cases, the A&T, Lda. will provide you with a copy of the personal data that is subject to processing.
5.3. Right to rectification:
The holder has the right to rectify their personal data if they are incorrect, out of date or if they wish to complete them. To do this, you can contact the A&T, Lda. , or, alternatively, if you have registered on the website, by going to your “customer area”.
5.4. Right to erasure/right to be forgotten:
The holder may request the A&T, Lda. that your data be deleted, however, this is not an absolute right, as there may be legal grounds or other legitimate interests for retaining your personal data.
The deletion of personal data is irreversible, which means it cannot be recovered.
5.5. Right to object, including direct marketing:
The holder can unsubscribe from the Newsletter A&T, Lda. or choose to be removed from other direct marketing communications at any time, as well as object to the processing of your personal data. The holder may remove themselves directly from the Newsletter by clicking on “Remove”, change their consent to notifications via email and/or SMS in their customer area or contact the A&T, Lda. requesting the desired changes. You may also object, at any time, to the creation of your profile and the use of your data for market research or other advertising actions.
5.6. Right to withdraw your consent to data processing at any time:
The holder may withdraw his consent to data processing when said processing is based on his consent. Withdrawal of consent does not affect the lawfulness of processing based on consent prior to its withdrawal.
5.7. Right to lodge a complaint with the regulatory authority:
If a breach of privacy is identified, the holder may communicate via this same method or directly with the control authority they select.
Following complaints or violations of privacy, the A&T, Lda. ensures the execution of a communication procedure with the holder, informing him in a timely manner and in accordance with the provisions of the General Data Protection Regulation, at each step of the processing of his complaint, and in strict compliance with deadlines and conditions defined by the regulation.
5.8. Right to data portability:
The holder has the right to move, copy or transfer data from our database to another.
5.9. Right to limit processing:
The holder has the right to request the restriction of the processing of their data in the following situations: if they contest the accuracy of the data, if the processing is unlawful and they do not want to delete their data, but just limit it, if the data is no longer necessary The A&T, Lda. , but necessary to the customer or if you have exercised the right of opposition referred to above, during the period of time in which the A&T, Lda. analyzes whether or not your legitimate reasons for processing prevail over that right.
Any holder, to exercise their rights and/or present any question related to this topic, namely the presentation of complaints, must put their request in writing using the email address info@neovida.pt .
6. Roles and Responsibilities
The top management of A&T, Lda. 's role is to ensure that the Privacy Management Policy is aligned with the company's strategy, as well as ensuring its continuous improvement.
The Data Protection Officer's role is to ensure compliance with the requirements of the General Data Protection Regulation in a continuous and systematic manner, that all holders' rights are being fulfilled and that appropriate security controls are operationalized to ensure these objectives.
All employees of A&T, Lda. , as well as its subcontractors, are responsible for complying with and enforcing the commitments of the Privacy Management Policy.
7. Continuous Review and Improvement
The Privacy Management Policy will be reviewed annually, or whenever there are significant changes in the inventory of personal data and/or in the computer or documentary media that support the guarantee of the holders' rights.
Each revision will result in a new version of the Privacy Management Policy.
8. Disclosure and Publication
The Privacy Management Policy will be disclosed to all holders of personal data who interact with the A&T, Lda. and will be available whenever requested, as the information it contains is classified as publicly accessible.
The Privacy Management Policy is available on the Website, in Internet business support tools and also on social networks where the A&T, Lda. has a presence.