Privacy Policy

Personal data protection policy 

1.02 version from 2018-06-29

 

1. Scope and objectives

Unipartner, as an information systems and technologies services company established in Portugal and primarily aimed at European markets, ensures the protection of personal data as a key aspect of its activity, present and future, and identifies it as a differentiator and business generator, not only because of the importance that the trust of employees, partners and customers has in its activity, but also because this practice constitutes an offer area, part of its portfolio of products and services. 

This personal data protection policy was developed with the aim of making Unipartner's customers, employees, subcontractors and contacts aware of the principles, rights and obligations to be fulfilled in terms of personal data protection and how they should be complied with in the context of any business activities in which the processing of personal data takes place and regardless of the role of Unipartner (responsible, joint responsible or subcontractor) in such processing. 

The policy is based on the aforementioned legal and technical standards, of which the GDPR stands out, due to its specificity in the field of personal data protection and the transversality of its application, both material and territorial. 

The adoption of the provisions of these standards takes into account their applicability to the activities carried out by Unipartner, the risk assessments made, and the strategic options taken, safeguarding the rights of their holders, the sustainability of Unipartner and its customers and its differentiation in an increasingly demanding, global and technological market context. Regarding the technical standards identified, Unipartner will continue to formalize certification in cases where the markets in which it operates require it or where this factor is perceived as a differentiator, naturally not failing to adopt the good practices it deems relevant and appropriate for the protection of personal data. 

The policy resulted from a diagnosis involving all internal areas and the most relevant external partners and subcontractors. The diagnosis established a set of specific provisions, which is an integral part of this policy and aims to standardize the operationalization of the general provisions contained in the legal diplomas and the technical standards, and an implementation plan for the measures identified, an operational instrument to be maintained independently of this policy. The incremental implementation of the identified measures does not affect the fulfillment of Unipartner's obligations, but it allows the measures to be operationalized, and the practices to mature, more effectively. 

 

1.1.What is personal data protection  

The protection of natural persons regarding the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (Charter) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) establish that everyone has the right to the protection of personal data that concern them. 

The principles and rules in this matter aim to respect the fundamental rights and freedoms of natural persons regardless of nationality or place of residence and contribute to freedom, security and justice, to economic and social progress, to the consolidation and convergence of economies within the European internal market and to the well-being of natural persons. 

Unipartner is responsible for complying with all legal obligations regarding the processing of personal data in which it participates, to the extent of such participation (level of responsibility established individually for each processing of personal data). 

Unipartner subcontracts personal data processing activities to partner companies. These companies may also act as joint responsible, if they intervene in defining the purposes and/or means of processing personal data. 

Unipartner processes personal data as a subcontractor of client companies. It may also act as a joint responsible, if it intervenes in defining the purposes and/or means of processing personal data. Unipartner is responsible for any violations of the binding rules applicable to companies committed by entities involved that are not established in the EU, except when the fact that caused the damage is not attributable to Unipartner.

1.2.Characterization and main processing of personal data 

1.2.1. External Perspective

Unipartner, within the scope of the services it provides and the projects it develops with its partners and for its customers, may process personal data of any category of holders, of any type (including special categories and convictions/offences) and for any purpose, provided that all legal requirements are complied with, in strict accordance with established contracts and with the level of responsibility assumed (generally, as a subcontractor). 

 

1.2.2. Activities not covered by the GDPR 

Unipartner does not carry out, from an internal perspective, any activity outside the material scope of the GDPR, namely activities not subject to EU law, common foreign and security policy or investigation, detection and prosecution of infractions and execution of criminal sanctions. 

However, due to the nature of the services it provides, it may intervene in the processing of personal data that fall within these exceptions, in the context of the business activities of its partners and customers. The provisions of this policy also apply in these cases, as long as they do not contravene the specific regimes to which these processing of personal data are subject. 

1.2.3. Purposes for processing personal data 

Given the importance of defining the purposes of treatment for the effectiveness of all systems in complying with the provisions, in particular the universality of interpretation and application in the different contexts of the activity and life of partners/clients and owners, Unipartner adopts an approach based on the following principles: 

  • Functional: the purposes of processing personal data correspond to the purposes of the business processes in the context of which these treatments take place; for analysis and communication purposes, these (specific) purposes can be aggregated into (generic) purposes corresponding to the business functions in which the processes fit (a process fits into a single function); 

  • Supra-organizational: the purposes are seen in the same way regardless of the type of intervention that the organization has in the processes (e.g., client or provider); the same organization can play different roles in different instances/occurrences of the same process and, in all these cases, defines the purposes in the same way.

As it is aligned with all these principles, Unipartner adopts the consolidated list of business processes (LC), integrated in the functional macrostructure (MEF), defined by the Portuguese State, as a reference for defining the purposes of processing personal data. In this sense, each of the processes/purposes will correspond to a single business process in the LC. 

1.2.4. Transfer and provision of personal data to third countries and international organizations 

Unipartner respects and enforces the legal provisions relating to the protection of personal data in data transfers to third countries and international organizations, namely with regard to the European Commission's decision regarding the suitability of that country(ies) with regard to the protection of data or, in its absence, as to the adequacy of the guarantees for the exercise of enforceable rights and effective corrective legal measures of that(these) country(ies). 

  • Commission adequacy decision (rule of law, independent supervisory authorities, international commitments); 

  • Adequate guarantees (without authorization: legally binding instrument, binding rules, standard clauses, code of conduct, certification; with authorization: contractual clauses, provisions in administrative agreements). 

 

1.2.5. Registration of personal data processing 

Unipartner has records of personal data processing activities in which it intervenes, containing the following elements: 

  • Purpose of personal data processing (business process); 

  • Period of conservation, form of counting and final destination of the information; 

  • Categories of holders, personal data and recipients (if any); 

  • Joint responsible/responsible and subcontractors (if any); 

  • Personal data transfers and adequate safeguards (where applicable); 

  • Prior risk assessment and reference for impact assessment and prior consultation with the control authority (where applicable); 

  • Technical and organizational measures appropriate to the risks. 

 

1.2.6. Internal Perspective

From an internal perspective, Unipartner maintains data on: 

  • Workers: Individuals with a contract established directly with Unipartner; 

  • Subcontractors: individual persons subcontracted to Unipartner partners, mainly involved in the delivery of projects and services, but also capable of supporting other activities in the organization; 

  • Partners: individuals who perform functions in partner companies, with a direct relationship with Unipartner; 

  • Clients: individual persons who perform functions in client companies, with a direct relationship with Unipartner; 

  • Contacts: individual people who, not fitting into the previous categories, may in the future fall into one of these categories (ex: candidate, potential client). 

Unipartner does not currently provide services directly to individual customers nor, consequently, does it provide information society services to children (under 16 years of age). 

The processing of personal data carried out in this perspective mainly results from: 

  • Legal obligation: compliance with legal provisions with public bodies and services; 

  • Contract execution: formation and execution of contracts with workers, subcontractors, partners and customers; 

  • Legitimate interest: institutional communication, marketing of products and services. 

There are also treatments based on vital interests and consent. 

Unipartner maintains and only processes personal data that are adequate, pertinent and limited to what is necessary for the purposes. Unipartner does not process data from special categories or convictions/offences, except in the following cases: 

  • Racial or ethnic origin, insofar as this can be identifiable through the image (ex: photograph) of the holder; 

  • Biometric data (identifying), used exclusively to control access to the facilities and to control attendance (when applicable) by Unipartner and/or its partners/customers; 

  • Health data, when required by legal obligation, by the vital interest of the owner or third parties or treated under consent; 

  • Convictions/offences, when required by legal obligation or treated under consent. 

Unipartner develops activities with partners and customers established outside the EU, respecting and enforcing the provisions applicable to each particular case. 

 

1.3. Rights of the holders

The rights of holders to be safeguarded within the scope of the protection of personal data are as follows: 

  • Information: inform the holder about those responsible, purposes, categories, recipients, guarantees, deadlines, rights, automated decisions and sources, if the holder is not yet aware of them and except where this requires a disproportionate effort; 

  • Access: indicate if there is data to be processed; if so, give access to the data being processed and inform about purposes, categories, recipients, guarantees, deadlines, rights, automated decisions; if requested, deliver other copies (may be subject to payment); 

  • Rectification: rectify inaccurate or incomplete data being processed, without undue delay; 

  • Erasure: erase data, without undue delay, when not necessary, without consent, opposition, tort, legal obligation and information society services, except freedom of expression and information, legal obligation, public health, public interest file, scientific/historical investigation, statistical or declaration, exercise or defense of rights in legal proceedings; inform those responsible if data transmitted or made public, taking reasonable measures, except for a disproportionate effort; 

  • Portability: deliver to the holder or to another responsible the data provided by the holder in a structured, commonly used and machine-readable format, if the treatment is automated and consented; does not apply to treatment of public interest or authority; 

  • Consent: treat or stop treatment; consent must be free, informed, specific and express; if a child and an information society service, it requires the consent or authorization of the holder of parental rights, taking into account the available technology; 

  • Limitation: limit treatments to conservation, consent, declaration, exercise or defense of rights in legal proceedings or public interest in case of inaccuracy, illicit, unnecessary or opposition; notify recipients if data transmitted, except for a disproportionate effort; 

  • Opposition: cessation of treatments due to the holder's particular situation when justified by public interest or authority, legitimate interest or compatibility, including direct marketing, except for compelling reasons or declaration, exercise or defense in a legal process; if scientific/historical or statistical investigation, public interest is still reserved; 

  • Non-exclusive subjection: ensure human intervention in an automated decision with effects in the legal or similar sphere of the holder, except for the execution of a contract, authorized by the law of the Member State or Union or with consent; if special categories, except consent and public interest; 

  • Complaint: lodge a complaint with the supervisory authority regarding the person in charge/subcontractor; 

  • Legal action: take legal action against the supervisory authority or the responsible/subcontractor. 

1.4. Data conservation and complementary treatments

The retention of personal data and the additional treatments to which such data may be subject result from specific aspects of the business context in which they were primarily processed. The protection of personal data at these stages requires a systematic approach, which can be applied consistently by all entities that have participated in these main processes or that have had access to them as recipients. 

1.4.1. Approach to information management 

The information captured/produced in the context of the business activities of Unipartner and partners/customers, in which Unipartner intervenes, is managed according to common rules, defined based on criteria: 

  • Functional, according to the business process in the context of which the information is captured/produced, as well as the context in which this business process is integrated; therefore, thematic, typological and/or organic criteria are excluded which, despite being commonly used, are based on specific points of view or are more ephemeral than the processes carried out by the organization; 

  • Supra-organizational, insofar as they apply equally regardless of the type of intervention the organization has in the processes (e.g., client or provider); 

  • Values, establishing for each phase of the information life cycle (continuum) its primary and secondary values; It aims to ensure that valuable information is preserved, while non-value information is eliminated, ensuring an efficient application of resources and greater effectiveness in managing the underlying risks. 

Personal data are an integral part of this information, being (generally) maintained for the periods established for the processes to which they relate, as they are considered necessary taking into account the respective main processing purposes, which justified their collection, and complementary, when rights, freedoms, obligations and/or responsibilities arising from the main treatments prevail (includes declaration, exercise or defense of rights in legal proceedings). 

Personal data may be retained for longer periods if required for archival purposes of public interest, scientific or historical research or statistical purposes. 

1.4.2. Information life cycle 

Therefore, the following phases in the information lifecycle are considered: 

[Figure: phases of the information life cycle]

1.4.3. Criteria for defining conservation deadlines and final destinations

The deadlines for administrative conservation and the final destination (ex: disposal, conservation) to be applied to the information are defined in the LC, with the following adaptations: 

  • Deadlines defined based on direct or indirect legal criteria (ex: forfeiture of rights, limitation of liability) apply directly, and the right to erasure of personal data is not observed within this period; 

  • Any extensions to these deadlines defined based on criteria of administrative or management utility do not affect the exercise of the right to the deletion of personal data, when expressly requested by the holder; 

  • Information with no secondary value, with final disposal destination, will be deleted after the defined administrative conservation period; 

  • Information with secondary value, with final destination of conservation, will be kept, in which case additional measures may be applied. 

 

1.4.4. Application of measures 

In cases where the need to preserve personal data is verified and if the holder expressly requests the exercise of the right to limit the processing or erase personal data, the following measures may be applied: 

  • Limitation of processing to conservation, aiming at the declaration, exercise or defense of rights in legal proceedings and/or archival purposes of public interest, scientific or historical research or statistical purposes; 

  • Pseudonymization: processing of personal data in such a way that they can no longer be attributed to a specific holder without resorting to additional information, keeping this additional information separately and subject to appropriate technical and organizational measures. 

In cases where the need for the conservation of personal data is not verified, the following measures may be applied: 

  • Anonymization: processing of personal data in such a way that they can definitively no longer be attributed to a specific owner; 

  • Deletion: permanent deletion of personal data. 

Given the need to maintain evidence on the execution of these operations, including for declaration, exercise or defense of rights in administrative or judicial proceedings, anonymization and deletion may give rise to or require the maintenance of the holder's personal data. 

 

1.4.5. Preservation of digital information 

Digital information to be preserved for a period exceeding 7 years (threshold of obsolescence), as well as the information systems that maintain it, will be analyzed within the scope of a digital preservation plan, to be carried out according to: 

  • The recommendations of DGLAB in this matter; 

  • The ISO 16363 standard, relating to trusted digital repositories (when applicable).

 

1.5. Data and treatment security 

Unipartner has implemented the necessary and appropriate technical and organizational measures to protect the personal data under its responsibility against its dissemination, loss, misuse, unauthorized access or any other unlawful processing. 

As for third parties that intervene in the processing of personal data under its responsibility, namely subcontractors and partners, Unipartner verifies, in relation to these entities, the provision of sufficient guarantees for the execution of technical and organizational measures appropriate to the risks of such processing. 

This analysis includes the following activities: 

  • Define responsibility and link joint responsible/subcontractor to the provisions applicable to the treatments in which they intervene; 

  • Establish object, duration, nature, purpose, categories of data and the holders and rights of the person responsible; 

  • Document instructions for carrying out the processing of personal data; 

  • Verify confidentiality commitment or legal obligation of persons authorized to process personal data; 

  • Check adoption of appropriate technical and organizational measures. 

These activities result in a contract or other normative act which, in addition to the previous points, also: 

  • Establishes the rules to be applied to personal data after the completion of the provision of services; 

  • Additionally, if it is a subcontractor, states: 

      • That it processes personal data only upon instructions from the person in charge (when applicable); 

      • That it only hires another subcontractor with the written authorization of the person in charge and applying the same data protection obligations. 

Unipartner undertakes to subcontract only entities that provide sufficient guarantees for the execution of technical and organizational measures adequate to comply with the legal provisions relating to the protection of personal data, as well as those provided for in this privacy policy. 

1.6. Links policy, "Cookies" and their management 

1.6.1 Links policy

The website may contain links to other websites with privacy policies different from this one. Unipartner is not responsible for the content or practices of the linked websites and the user is recommended to read the privacy policy of any website accessed through this website in detail. 

1.6.2 “Cookies” and their management

The cookies used on the Unipartner website are associated only with an anonymous user and that user's computer, and cannot, by themselves, provide the user's personal data. Cookies per se do not collect personal information that allows the identification of a specific user. 

These files will give you greater security, ease and speed in accessing the Unipartner website. 

Most browsers accept these files (cookies), but the owner may delete them or set the browser to block them automatically. However, if you do not allow the use of cookies, there may be some features on the website that you will not be able to use. 

 

 

1.7. Structure and contacts 

Unipartner is a private company, established in Portugal, owned by individual shareholders and without holdings and/or control over other companies, being represented by its board of directors. 

For matters or the exercise of rights directly related to the protection of personal data and/or Unipartner's privacy policy, you can contact us at any time via email gdpr@unipartner.com or by registered letter with acknowledgment of receipt to Rua das Lagoas Pequenas 5B – 5th, 2740 - 245 Porto Salvo. 

 

1.8. Changes to the Privacy Policy 

Unipartner reserves the right to change this Privacy and Personal Data Protection Policy at any time. These changes are duly made available to the holder, in an accessible manner, through the company's various communication channels, namely on its website.