A. GENERAL PART
This document is an integral part of Algardata’s personal data protection regulatory body, taking into account the General Data Protection Regulation (2016/679), hereinafter GDPR.
Each time this document is updated, a new version will be made available immediately after its approval.
Monitoring compliance with this standard will be ensured by measuring control assessment indicators and/or audits (internal or external) at regular time intervals or when significant changes occur.
Scope and objective
Algardata undertakes to respect the best practices in the field of security and protection of personal data, having to this end approved a demanding program, capable of safeguarding the protection of the data made available to us by all those who in some way relate to Algardata.
Definitions
Personal Data – All information relating to an identified or identifiable natural person; a natural person who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, electronic identifiers, or one or more specific elements of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, is considered identifiable.
Special Categories of Personal Data – Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or the trade union membership of a natural person, as well as the processing of genetic data, biometric data to identify a person unequivocally, health data or data relating to sexual life or sexual orientation.
Processing – The operation or set of operations carried out on personal data or on sets of personal data, by automated or non-automated means, such as the collection, registration, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, comparison or interconnection, limitation, deletion or destruction.
Controller – The natural or legal person, public authority, agency or other body that, individually or in conjunction with others, determines the purposes and means of processing personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria applicable to its appointment may be provided for by Union or Member State law.
Violation of Personal Data – A breach of security that causes, accidentally or unlawfully, the destruction, loss or alteration of, or the unauthorized disclosure of or access to, personal data transmitted, stored, or subject to any other type of processing.
Processor – The natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.
Third party – The natural or legal person, public authority, service, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
COLLECTION AND PROCESSING OF THE HOLDER’S DATA
In the context of Algardata’s activity, there is the collection, registration, organization, storage, use and consultation of personal data. Other operations or sets of operations may also occur which, under the General Data Protection Regulation, are called “processing of personal data”.
The personal data collected relates not only to employees but also to suppliers, candidates and customers/users.
Algardata collects personal data, in particular, the data necessary for recruitment/admission, billing or service delivery processes.
When collecting personal data, Algardata provides data subjects with detailed information about the nature of the data collected and the purpose and processing that will be carried out in relation to personal data, as well as the information mentioned in the clause on the right of access to personal data.
These subcontracted entities may not transmit the holder’s data to other entities without Algardata having given, in advance and in writing, authorization to do so, and are also prevented from contracting other entities without the prior authorization of Algardata.
Algardata undertakes to subcontract only entities that provide sufficient guarantees for the implementation of appropriate technical and organizational measures, in order to ensure the protection of the rights of the holder. All entities subcontracted by Algardata are bound to the latter by a written contract in which the object and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects and the rights and obligations of the parties are regulated.
At the time of the collection of personal data, Algardata provides the data subject with information about the categories of subcontracted entities that, in the present case, may process data on behalf of Algardata.
DATA COLLECTION CHANNELS
Algardata may collect data directly (i.e., directly from the holder) or indirectly (i.e., through partner entities or third parties). Collection can be done through the following channels:
- Direct collection: in person, by phone, or by e-mail;
- Indirect collection: through Algardata’s partners or companies and official entities.
GENERAL PRINCIPLES APPLICABLE TO THE PROCESSING OF PERSONAL DATA
In terms of general principles regarding the processing of personal data, Algardata undertakes to ensure that the personal data processed by the company is:
- Subject to lawful, fair and transparent treatment in relation to the data subject;
- Collected for specific, explicit, and legitimate purposes and subsequently not treated in a manner incompatible with those purposes;
- Appropriate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and up-to-date whenever necessary, and all appropriate measures are taken so that the inaccurate data, taking into account the purposes for which they are processed, are erased or rectified without delay;
- Kept in a way that allows the identification of the data subject only for the period necessary for the purposes for which the data is processed;
- Treated in a way that guarantees the data subject’s safety, including protection against unauthorized or unlawful treatment and against accidental loss, destruction or damage, with appropriate technical or organizational measures adopted.
The processing of data carried out by Algardata is lawful when at least one of the following occurs:
- The data subject has given his/her explicit consent to the processing of his/her data for one or more specific purposes;
- The processing is necessary for the performance of a contract to which the data subject is a party, or for pre-contractual due diligence at the request of the data subject;
- The processing is necessary for the fulfillment of a legal obligation to which Algardata is subject;
- The processing is necessary for the defense of the vital interests of the data subject or another natural person;
- The processing is necessary for the purposes of the legitimate interests pursued by Algardata or third parties (unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data prevail).
Algardata undertakes to ensure that the processing of the data of the holder is only done under the conditions listed above and with respect to the above-mentioned principles.
Where the processing of the data of the holder is carried out by Algardata on the basis of the consent of the data subject, the data subject has the right to withdraw his consent at any time. The withdrawal of consent, however, does not compromise the lawfulness of the processing carried out by Algardata on the basis of the consent previously given by the data subject.
The length of time during which the data is stored varies according to the purpose for which the information is processed.
In fact, there are legal requirements that require the data to be retained for a minimum period of time. Thus, where there is no specific legal requirement, the data will be stored only for the minimum period necessary for the purposes that motivated its collection or subsequent processing, after which it will be deleted.
USE AND PURPOSES OF THE PROCESSING OF THE HOLDER’S DATA
In general terms, Algardata uses the data of the data subject for various purposes, namely billing and collection from the holder of the personal data, marketing, and the management of human resources and recruitment of employees.
The data of the data subject collected by Algardata is not shared with third parties without the holder’s consent, except for the situations referred to in the following paragraph. However, in the event that the holder hires Algardata’s services that are provided by other entities responsible for the processing of personal data, the data of the holder may be consulted or accessed by those entities, to the extent that this is necessary for the provision of such services.
TECHNICAL, ORGANIZATIONAL AND SAFETY MEASURES IMPLEMENTED
To ensure the security of the data holder and maximum confidentiality, Algardata treats the information you have provided to us in an absolutely confidential manner, in accordance with its internal security and confidentiality policies and procedures, which are updated periodically according to the needs, as well as in accordance with the terms and conditions legally provided.
Depending on the nature, scope, context, and purposes of the processing of the data, as well as the risks that the processing poses to the rights and freedoms of the holder, Algardata undertakes to apply, both at the time of definition of the means of processing and at the time of the processing itself, the technical and organizational measures necessary and appropriate to the protection of the data of the data subject and compliance with legal requirements.
It also undertakes to ensure that, by default, only the data that is necessary for each specific purpose of the processing is processed and that such data is not made available without human intervention to an indeterminate number of individuals.
In terms of general measures, Algardata adopts the following:
- Regular audits to assess the effectiveness of the technical and organizational measures implemented;
- Awareness-raising and training of staff involved in data processing operations;
- Mechanisms capable of ensuring the permanent confidentiality, availability, and resilience of information systems;
- Mechanisms that ensure the restoration of information systems and access to personal data in a timely manner in the event of a physical or technical incident.
DATA TRANSFER OUTSIDE THE EUROPEAN UNION
Personal data collected and used by Algardata is not made available to third parties established outside the European Union. If this transfer occurs in the future, Algardata undertakes to ensure that the transfer complies with the applicable legal provisions, in particular as regards the determination of the suitability of that country with regard to data protection and the requirements applicable to such transfers.
B. RIGHTS OF DATA SUBJECTS
RIGHT TO INFORMATION
Information provided to the holder by Algardata (when the data is collected directly from the data subject):
- The identity and contact details of Algardata, which is responsible for the processing and, where applicable, of its representative;
- The purposes of the processing for which the personal data are intended, as well as, if applicable, the legal basis for the processing;
- If the processing of the data is based on the legitimate interests of Algardata or a third party, an indication of such interests;
- Where applicable, recipients or categories of recipients of personal data;
- Where applicable, an indication that personal data will be transferred to a third country or an international organization, and whether or not there is an adequacy decision adopted by the Commission, or a reference to the appropriate or suitable transfer guarantees;
- Time for the retention of personal data;
- The right to request from Algardata access to personal data, as well as their rectification, deletion, or limitation, the right to object to the processing, and the right to data portability;
- If the processing of the data is based on the consent of the data subject, the right to withdraw consent at any time, without compromising the lawfulness of the processing carried out on the basis of the consent previously given;
- The right to lodge a complaint with the CNPD or other supervisory authority;
- Indication whether or not the communication of personal data constitutes a legal or contractual obligation, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of not providing such data;
- Where applicable, the existence of automated decisions, including profiling, and information relating to the underlying logic, as well as the expected importance and consequences of such processing for the data subject.
In the event that the data of the data subject is not collected directly by Algardata from the data subject, in addition to the information referred to above, the data subject is also informed about the categories of personal data processed and about the origin of the data and, where appropriate, whether they come from sources accessible to the public.
If Algardata intends to further process the holder’s data for a purpose other than that for which the data was collected, Algardata shall provide the data subject with information on that purpose and any other relevant information in the above-mentioned terms.
The above information is provided in writing (including by electronic means) by Algardata to the data subject prior to the processing of the personal data concerned. Under applicable law, Algardata is under no obligation to provide the data subject with this information when and to the extent that the data subject is already aware of it.
The information is provided by Algardata free of charge.
RIGHT OF ACCESS TO PERSONAL DATA
Algardata guarantees the means that allow the data subject to access his/her personal data.
The data subject has the right to obtain from Algardata confirmation that the personal data concerning him/her are or are not processed and, where appropriate, the right to access his/her personal data and the following information:
- The purposes of data processing;
- The categories of personal data in question;
- Recipients or categories of recipients to whom personal data has been or will be disclosed, in particular, recipients established in third countries or belonging to international organizations;
- The period of retention of personal data;
- Right to request Algardata to rectify, delete or limit the processing of personal data, or the right to object to such processing;
- Right to lodge a complaint with the CNPD or other supervisory authority;
- If the data have not been collected from the data subject, the information available on the origin of such data;
- The existence of automated decisions, including profiling, and information on the underlying logic, as well as the importance and expected consequences of such processing for the data subject;
- Right to be informed of the appropriate safeguards associated with the transfer of data to third countries or international organizations.
Upon request, Algardata will provide the data subject, free of charge, with a copy of his/her data that is undergoing processing. The provision of further copies requested by the data subject may entail administrative costs.
RIGHT TO RECTIFICATION OF PERSONAL DATA
The data subject has the right to request, at any time, the rectification of his/her personal data and, as well, the right to complete his/her incomplete personal data, including by means of an additional statement.
In the event of data rectification, Algardata shall communicate the respective rectification to each recipient to whom the data has been transmitted, unless such communication proves impossible or involves a disproportionate effort for Algardata.
RIGHT TO THE DISPOSAL OF PERSONAL DATA (“RIGHT TO BE FORGOTTEN”)
The data subject has the right to obtain from Algardata the deletion of his/her data when one of the following reasons applies:
- The data is no longer necessary for the purpose that motivated its collection or processing;
- The data subject withdraws the consent on which the processing of the data is based and there is no other legal basis for such processing;
- The data subject opposes the processing under the right of opposition and there are no prevailing legitimate interests justifying the processing;
- The data of the data subject is processed unlawfully;
- The data of the data subject must be deleted in order to comply with a legal obligation to which Algardata is subject.
In the event of data deletion, Algardata shall communicate the deletion to each recipient/entity to whom the data has been transmitted, unless such communication proves impossible or involves a disproportionate effort for Algardata.
When Algardata has made the data of the data subject public and is obliged to delete them under the right to erasure, Algardata undertakes to take reasonable measures, including technical measures, taking into account the available technology and the costs of its application, to inform those responsible for the actual processing of the personal data that the data subject has requested the deletion of the links to such personal data, as well as copies or reproductions thereof.
RIGHT TO LIMITATION OF THE PROCESSING OF PERSONAL DATA
The data subject has the right to obtain, from Algardata, the limitation of the processing of the data if one of the following applies (the limitation is to insert a mark in the personal data retained in order to limit its processing in the future):
- If the data subject disputes the accuracy of the personal data, for a period that allows Algardata to verify its accuracy;
- If the processing is unlawful and the data subject opposes the deletion of the data, requesting, on the other hand, the limitation of its use;
- If Algardata no longer needs the data of the data subject for processing purposes, but such data is required by the data subject for the purposes of the declaration, exercise, or defense of a right in judicial proceedings;
- If the data subject has opposed the processing until it is found that Algardata’s legitimate motives prevail over those of the holder.
If the personal data is subject to limitation, it may, with the exception of retention, be processed only with the consent of the data subject or for the purposes of the declaration, exercise, or defense of a right in judicial proceedings, the defense of the rights of another natural or legal person, or for reasons of public interest legally provided for.
The data subject who has obtained the limitation of the processing of his/her data in the above cases will be informed by Algardata before the limitation to the processing is annulled.
In the event of a limitation of the processing of the data, Algardata shall communicate to each recipient to whom the data have been transmitted the respective limitation unless such communication proves impossible or involves a disproportionate effort for Algardata.
RIGHT OF PORTABILITY OF PERSONAL DATA
The data subject has the right to receive the personal data concerning him/her which he/she has provided to Algardata, in a structured, commonly used and machine-readable format, and the right to transmit such data to another controller, if:
- The treatment is based on consent or a contract to which the holder is a party;
- The treatment is carried out by automated means.
The right of portability does not include inferred data or derived data, i.e., personal data that is generated by Algardata as a consequence or result of the analysis of the data processed.
The data subject has the right to have personal data transmitted directly between those responsible for the processing, where technically possible.
RIGHT OF OPPOSITION TO TREATMENT
The data subject has the right to object at any time, for reasons relating to his/her particular situation, to the processing of personal data concerning him/her based on the exercise of legitimate interests pursued by Algardata or when the processing is carried out for purposes other than those for which the personal data were collected, including profiling, or when personal data are processed for statistical purposes.
Algardata will cease processing the data of the data subject unless it presents compelling and legitimate reasons for such processing that prevail over the interests, rights and freedoms of the holder, or for the purpose of declaration, exercise, or defense of a right of Algardata in judicial proceedings.
When the data of the data subject is processed for the purposes of direct marketing, the data subject has the right to object at any time to the processing of the data concerning him/her for the purposes of such marketing, which includes the definition of profiles insofar as it relates to direct marketing. If the data subject objects to the processing of his/her data for the purposes of direct marketing, Algardata shall cease the processing of the data for that purpose.
The data subject shall also have the right not to be subject to any decision taken solely on the basis of automated processing, including profiling, which has effects in his/her legal sphere or affects him/her significantly in a similar manner, unless the decision:
- Is necessary for the conclusion or performance of a contract between the holder and Algardata;
- Is authorized by legislation to which Algardata is subject; or
- Is based on the explicit consent of the data subject.
PROCEDURES WITH A VIEW TO EXERCISING THE RIGHTS BY THE DATA SUBJECT
The right of access, the right of rectification, the right of deletion, the right to limitation, the right of portability, and the right to opposition may be exercised by the data subject by contacting Algardata and filling out the respective form.
Algardata will respond in writing (including by electronic means) to the data subject’s request within a maximum of one month from receipt of the application, except in cases of particular complexity, where that period may be extended up to two months.
If the requests made by the data subject are manifestly unfounded or excessive, in particular, because of their repetitive nature, Algardata reserves the right to charge administrative costs or refuse to comply with the request.
PERSONAL DATA BREACHES
In the event of a data breach and to the extent that such breach is likely to entail a high risk to the rights and freedoms of the data subject, Algardata undertakes to report the personal data breach to the CNPD within 72 hours of knowledge of the incident.
Under legal terms, communication to the data subject is not required in the following cases:
- Algardata has applied appropriate protection measures, both technical and organizational, and such measures have been applied to personal data affected by the breach, especially measures that make personal data incomprehensible to any person not authorized to access such data, such as encryption;
- Algardata has taken subsequent measures to ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialize; or
- The communication to the data subject implies a disproportionate effort for Algardata. In this case, Algardata will make a public communication or take a similar measure by which the data subject will be informed.
APPLICABLE LAW AND FORUM