PRIVACY POLICY – CUSTOMERS AND SUPPLIERS

PRIVACY POLICY – CUSTOMERS AND SUPPLIERS

1. OBJETIVE

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, designated as GDPR – General Data Protection Regulation, established new and demanding rules on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC and the current national legal framework established by Law No. 67/98, of October 26th, amended by Rectification Declaration No. 22/98, of November 28th and altered by Law No. 103/2015, of August 24 – Personal Data Protection Law.
Valinox – Indústrias Metalomecânicas S.A respects your preferences regarding the collection and use of your personal data. This privacy policy aims to inform about the general rules of privacy and treatment of the personal data collected and processed by Valinox in strict respect and compliance with national and community legislation for the protection of personal data. It is intended for Valinox Customers and Suppliers, so that they understand how the company handles and protects personal data.
Applicable law prevails over this Policy if, and to the extent that it exceeds the standards of this policy, imposes stricter requirements or provides a greater degree of protection. In cases where this Policy provides a greater degree of protection than the applicable law or provides additional safeguards and rights for Data Subjects, this policy will apply.
This policy is further complemented by some forms.

2. DATA CONTROLLER

The responsible for the colleting of personal data within the scope of the GDPR, is Valinox – Insdústrias Metalomecanicas S.A., headquartered in the Zona Industrial da Farrapa AP 401, 4540-267 Chave, Arouca, Portugal, identification number holder 501167250.

3.CATEGORIES OF PERSONAL DATA PROCESSED BY VALINOX

In the development of its activities, Valinox proceeds to treatment of Personal Data from a significant number of categories of Data Subjects.
The Personal Data that Valinox collects depend on the nature of the relationship, but may include the following:

PERSONAL DATA CATEGORY IDENTIFICATION AND CONTACT DATA
Identification and contact data Name, citizen card number, Social Security Identification Number, address, phone or mobile number, fax number, e-mail address and/or other similar contact information.
Demographic data Country, gender, age and data of birth, language, general education and professional history (CV).
Commercial data for the provision of products and services Data arising from information in the context of answering any questions, requests or complains, data resulting from the collection of opinion, evaluation of the products provided, and the services provided.
Payment data Tax Identification number, account number, payment dates, due amounts or payments received and/or other related invoicing information.
Account data Invoicing history, works produced and services rendered.
Identification and contact data in access control to facilities Data associated with access, such as the time of entry into Valinox, name, company to which it belongs, mobile phone number and time of exit.

4. PURPOSES FOR PROCESSING PERSONAL DATA

O desenvolvimento e a realização das várias atividades praticadas pela Valinox significam a existência de um conjunto relevante de finalidades específicas, explícitas e legítimas para o tratamento de Dados Pessoais, tais como:

PURPOSES PURPOSES OF TREATMENT (EXAMPLES)
Accounting, Tax and Administrative management Customers management
Suppliers management
Administrative management
Economic and accounting management
Commercial activity Contacts management
Customers management
Customers opinion surveys
Access control management Access control to ensure the protection of people and property
Analise of statistic information Improvement of services and products provided.
Compliance with Legal and/or contractual obligations Data transfer to third parties for fraud prevention and security

5. LAWFULNESS OF PROCESSING AND CONDITIONS APPLICABLE TO CONSENT

By reference to the “Principle of Lawfulness” mentioned above, in development and carryings of its activities, Valinox may only process personal data when there is a valid lawful basis that legitimizes such processing, namely:

GROUNDS FOR LAWFULNESS WHAT THEY CONSISTE FOR
Consent Valinox will only process Personal Data when the data subject has given his consent to the processing of his personal data for one or more specific purposes
Pre-contractual due diligence or for the execution of a contract Valinox may process Personal Data if it is necessary, without limiting, for the performance of a contract to provide services and/or supply products to which it’s a party as a collaborator, customer, supplier and/or partner, or to carry out pre-contractual diligence at your request.
Fulfillment of a legal obligation Valinox may process Personal Data to secure and ensure compliance with legal obligations to which it is subject.
Defense of vital interests of the data subject Valinox may process Personal Data to ensure the defense of your vital interests, particularly when such processing is essential to your life.
Legitimate interests Valinox, others responsible parties or third parties may process your Personal Data provided that such processing does not override your interests or fundamental rights and freedoms.

6. SHARING OF PERSONAL DATA

Personal Data may only be transferred to other entities if such transfer is in compliance with the principles of Data Protection and other rules set out in this policy and the applicable Data Protection laws and deliberations. As such, this transfer may only occur if it is in accordance with the purpose for which the data was collected and if the transfer is necessary for that purpose.

ENTITIES WITH WHICH VALINOX SHARES PERSONAL DATA WHY PERSONAL DARA ARE SHARED
Customers In case of subcontracting and in accordance with the guidelines of the Subcontracting Law and the current labor legislation, the worker’s data (including pay slips, identification data, aptitude for work sheets, professional training certificates, professional cards, curriculum and the like) may also be communicated to client companies, in accordance with the subcontracting relationships of works and services subscribed by the company, whenever they are essential to the pursuit of the legitimate interests of the employer, including the provision of the service contracted with the client company.
Other Responsible Parties and/or Third Parties In compliance with legal and/or contractual obligations, Personal Data may be transmitted to judicial, administrative, supervisory, or regulatory authorities.

7. CONSERVATION OF PERSONAL DATA

Personal data collected by Valinox will be stored only as long as necessary to fulfill the purposes described in this Privacy Policy or as otherwise determined by current labor law guidelines.
Regarding contact data, we will keep the personal data as long as we keep in touch. If data subjects do not contact us for four years, we will delete such personal data after that period.

8. RIGHTS OF THE DATA SUBJECT

As the Holder of the Personal Data processed by Valinox, it has the right of information, access, rectification, limitation, portability, erasure and the right to object to the Processing of Personal Data, in certain circumstances, which may be exercised in accordance with this chapter of the Data Protection and Privacy Policy.

DATA SUBJECT RIGHTS WHAT IT CONSIST OF
Information (Articles 12 and 14 of the GDPR) The data subject has the right to be informed about all aspects relative of the processing of their personal data. This obligation must be fulfilled by the controller when data are collected from the data subject.
Access (Article 15 of the GDPR) The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and information as to the purposes of processing, the categories of data processed, the recipients to whom the data have been or will be disclosed, the duration of storage, their rights, and the existence of automated decisions, including profiling.
The controller must provide the data subject, free of charge, with a copy of the personal data being processed.
Rectification (Article 16 of the GDPR) The data subject has the right to obtain the rectification, without delay, of inaccurate data as well as the right to request, through an additional declaration, that incomplete data be completed.
Erasure “Forgotten” of Data (Article 17 of the GDPR) The data subject has the right to have their data erased and, consequently, no longer processed in the situations provided for in the GDPR (Article 17 nº1 of the GDPR). There are exemptions provided by law to the duty to erase data (Article 17 nº3 of the GDPR).
Restriction of Processing (Article 18 of the GDPR) The data subject may demand that the controller restricts the use of his or her data in the cases provided for in the GDPR (Article 18.1 of the GDPR).
During the period of limitation of processing, data may be processed only with the consent of the data subject or for the establishment, exercise or defense of legal claims or the rights of another natural or legal person or for reasons of important public interest.
Data portability (Article 20 of the GDPR) The right of portability includes the right to receive the data you have provided to the controller in a structured, commonly used and computer-readable (machine-readable) format and the right to transmit them to another controller.
Object (Article 21 of the GDPR) The data subject has the right to object to certain types of processing, on grounds relating to his or her particular situation, at any time during the processing. For the purposes of legitimate grounds, Valinox – Indústrias Metalomecânicas SA may continue to process this data if it can provide evidence of compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.
File a complaint The data subject has the right to lodge a complaint with the competent supervisory authority, the Nacional Commission for Data Protection – CNPD, if it considers that the processing of your Personal Data violates your rights and/or the applicable data protection laws

The General Data Protection Regulation (« GDPR ») predicts that Valinox, as the controller, must ensure compliance with the obligations relating to the rights of the holders of personal data: information, access, rectification, erasure of data (« forgetting »), restriction of processing, portability and objection to processing. (Articles 12 to 22 of the RGPD)
In cases Valinox acts as a processor, it shall provide the controller with all assistance to ensure compliance with these obligations.
Information provided under the GDPR (Articles 13 to 14 of the GDPR) and any communications or steps taken to comply with the rights of access, rectification, erasure, limitation, portability and objection are provided free of charge.
The data subject may at any time, ask questions and exercise the rights defined in the Personal Data Protection Act and other applicable legislation, in person, by registered letter, or by e-mail to:

protecao.dados@valinox.pt

Valinox will occasionally update this policy, we ask that you periodically review this document to stay current.

Data: 13/05/2019