1. Under the European and Portuguese legislation, the regulation with regard to the processing of personal data of natural persons and on the free movement of such data;
2. Personal data means, namely, any information relating to an identified or identifiable natural person by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;
3. Processing operations performed on personal data mean, namely, collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure or making available, alignment or combination, restriction, erasure or destruction;
4. The present regulation covers the activity of the companies, and, within such activity, the processing of personal data from the contracts established with the company’s employees, regardless of their legal link, and also with its clients, suppliers and other service providers.
5. In light of the above, and following the provisions in Conduril’s Rules of Procedure and Code of Business Conduct, it is necessary to establish the principles regarding privacy and processing of personal data in the scope of the activity developed by the company and its participated companies.
This policy is approved as follows:
This regulation establishes the performance principles and foundations regarding privacy and processing or personal data in the scope of the activity developed by Conduril – Engenharia, S.A., hereinafter referred to as Conduril or company, and its participated companies.
2. Personal scope of data processing
2.1. Under the European and Portuguese regulations, and for the normal exercise of its activity, the company needs to process the personal data of its employees and applicants, namely the data provided by them for employment contracts celebrated with the company, as well as the personal data of clients who are natural persons, suppliers, lessors, subcontractors, designers and other service providers, as well as the personal data of all natural persons who establish contact or are bound to the company and make that data available.
2.2. The company’s employees are all the workers bound to it by an employment contract of any kind, as well as by any other contractual relation, such as the provision of services or supply.
3. Contractual clauses and information for applicants
3.1. The contracts celebrated between the company and the persons mentioned in number 2. should provide in its clauses, in general terms, the conditions in which the processing of personal data is performed, as well as the basis of its lawfulness.
3.2. When the company’s applicants present their applications, they should sign the statement consenting the processing of personal data included in their applications, using the model provided by the company on its website.
4. Lawfulness of processing
According to the law, the processing of personal data by the company is considered lawful and is justified for the regular performance of the contracts celebrated by the company with the persons mentioned in number 2. and for the compliance with the legal obligations and the legitimate interests of the employer arising from them.
5. Performance of the processing
5.1. According to the law, the processing of personal data may be performed by the company or by a processor(s) duly capable for this effect.
5.2. The processing covers, namely, the provision of the personal data before the competent entities when justified and necessary, such as Social Security, Tax and Customs Authority, courts, construction work employers, police authorities, monitoring and regulatory bodies, banks, insurance and health companies, in the case of preventive and occupational medicine.
5.3. Except as provided in the previous number, as well as all the situations that constitute the compliance with a duty and legal obligation or of clear public interest, personal data can only be processed in the scope of Conduril, including its head office, delegations, branches, temporary construction sites and other facilities, and also its participated, associated and grouped companies.
The personal data processed by the company will not be subject to portability or transfer to third parties, namely for commercial purposes, except with the express written consent or indication to this effect, by the data subject.
7. Right of access, rectification and erasure of personal data
7.1. The subjects of the personal data processed by Conduril may, at any time, request the company for access, extension and rectification of their data by e-mail to firstname.lastname@example.org or written communication to the address of the data controller, as well as lodge a complaint with the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados), as the competent supervisory authority.
7.2. Regarding the erasure of personal data, the situations that constitute the compliance by Conduril with a duty and legal or contractual obligation or of clear public interest are exceptions.
8. Performance in case of data breach
If there is any situation that constitutes a personal data breach within the company, Conduril commits to, in accordance with the law, communicate such situation to the competent national supervisory authority and to the data subject, and also adopt all the necessary measures to repair the breach occurred, including the measures to mitigate the eventual negative effects of such data breach.
9. Period of storage
The personal data of the company’s employees are stored during the contract period that bound them to the company, as well as by the following period during which the company has to store them, for the compliance with a legal or contractual obligation or for the safeguarding of its rights in case of possible dispute.
10. Encryption and other means to protect personal data
10.1. The company adopts all the technical means to protect personal data, namely through its encryption, use of internal portals and restricted use, subject to the use of username and password.
10.2. All the company’s employees that, due to their duties, have knowledge and access to personal data and perform processing operations of that data, namely in the scope of computer, human resources and accounting services, are obliged to sign a privacy statement regarding the content of all the data they access and have knowledge about.
Identification and contacts:
Data controller: Conduril - Engenharia, S.A.
Address: Av. Eng. Duarte Pacheco, n.º 1835, 4445-416 Ermesinde
The Management of Conduril - Engenharia, S.A.,
Ermesinde, 21 May 2018