Privacy and Cookies Policy
This policy is complemented by others on security, which are relevant to the company’s business, collectively describing Legnokaps’ approach to information security and privacy.
This policy applies to all Professionals and Partners of Legnokaps and, when identified, to third parties accessing the company’s assets.
The terms ‘Privacy,’ ‘Data Privacy,’ and ‘Data Protection’ can be used interchangeably, as they are associated with a complex set of legal requirements that apply to Personal Data and go beyond data security and confidentiality. For example, they include requirements regarding the transparency of data usage and its retention.
Compliance with this policy is mandatory, and therefore, all Professionals and Partners have the individual responsibility to ensure compliance with it and, if necessary, seek clarification from the leaders of their respective teams.
It is the responsibility of Legnokaps to define appropriate mechanisms to achieve compliance with this policy, with operational implementation being the responsibility of teams, supported by the Privacy Officer.
Compliance with this policy can be monitored through inspections, audits, and/or written confirmation requests of compliance, with all areas responsible for regularly assessing their compliance within their area of responsibility.
Accordingly, any employee who violates this policy is subject to disciplinary action.
This policy is based on the principles established in the GDPR. However, there are national differences in the applicability of data protection and privacy for Legnokaps when processing personal data outside the EU, receiving personal data from outside the EU, or processing personal data of non-EU citizens.
In case of doubt, contact Legnokaps through the provided contacts.
Principles of Data Protection
In the scope of our activities, we process Personal Data: whether receiving personal data during our business opportunities, commitments with clients, marketing activities, or various other related and supportive activities. Data may be received directly from a Data Subject (e.g., in person, via mail, email, phone, or other sources), including our clients, partners, subcontractors, joint controllers, support service providers, and credit reference agencies.
All professionals and partners must only request personal data from a Data Subject that is relevant and necessary to fulfill a specific purpose and business task.
Legnokaps is committed to complying with the principles of personal data protection defined by the GDPR, namely:
1. Lawfulness, fairness, and transparency: We must have a legitimate reason for processing Personal Data, such as the consent of the Data Subject or compliance with a legal obligation. It also means that we must inform the Data Subject clearly about the processing.
2. Purpose limitation: We should only request Personal Data for specific, explicit, and legitimate purposes and not process them beyond the purpose for which they were requested.
3. Data minimization: The processed Personal Data should be adequate, relevant, and limited to what is necessary.
4. Accuracy: We have an obligation to ensure that Personal Data is accurate and update it whenever necessary.
5. Storage limitation: We should not retain Personal Data for a period longer than necessary for the purposes for which they are processed, although we may retain some for historical and statistical purposes.
6. Integrity and confidentiality: We must have adequate security controls in place to protect data against unauthorized and illegal processing, loss, destruction, or damage, including technical and organizational measures such as defined processes, training, and awareness.
7. Legal transfer outside the European Economic Area (EEA): We only transfer Personal Data outside the EEA when there are adequate safeguards, such as a contractual basis.
8. Data Subject’s rights: Data Subjects have various rights that we must respect (e.g., the right to access a copy of the data we hold and the right to withdraw consent given for direct marketing purposes).
Lawfulness and fairness in processing
Whenever Personal Data is collected, it is necessary to have a legal basis for the inherent processing. According to the GDPR, we must identify at least one of the following reasons for processing Personal Data:
1. Consent: The Data Subject has given consent for the data to be processed for one or more specific purposes.
2. Contractual: The processing is necessary for the performance of a contract to which the Data Subject is a party or for pre-contractual measures.
3. Legal: The processing is necessary to comply with a legal obligation to which the data controller is subject.
4. Vital interests: The processing is necessary to protect the vital interests of the Data Subject.
5. Public interest: The processing is necessary for the performance of a task carried out in the public interest.
6. Legitimate interests: The processing is necessary for the legitimate interests pursued by the data controller, except when overridden by the interests or fundamental rights and freedoms of the Data Subject.
When acting as the data controller, we must ensure that we have a legitimate basis for collecting and processing Personal Data.
In some situations, we may act as a Processor on behalf of our client, in which case it is the client’s responsibility to ensure they have a valid reason for processing Personal Data, which they should share with us. However, we must take steps to ensure that our contract is clear about our responsibilities in this regard and that if we collect Personal Data directly from Data Subjects on behalf of the client, we have the grounds to do so legitimately.
When processing Special Categories of Data, additional conditions must be met. Please contact Legnokaps for further guidance.
The GDPR requires us to provide Data Subjects with information about the processing to ensure fair and transparent treatment. Whenever we collect Personal Data, we must ensure that we appropriately explain why we need the information and how we will process it. When information is gathered through our website, this information is provided through a ‘Privacy Notice.’
Processing only for specific purposes
Whenever we collect and process Personal Data, we must ensure that we only use it for the specific purposes communicated to the respective Data Subject.
Legnokaps should never process Personal Data for additional purposes that have not been communicated to the Data Subject. We must therefore be clear about the purpose of each processing activity, and we must understand the purposes for which our clients may have collected Personal Data or otherwise contact the Privacy Officer.
Appropriate, relevant, and limited processing of Personal Data
When we collect and process Personal Data, we must follow the principle of data minimization. This means that we should only collect the minimum Personal Data necessary to perform a specific task.
Additionally, we must ensure that we have an adequate amount of Personal Data to perform a specific task properly, for example by collecting only the data necessary to identify a person.
This also applies to sharing and other processing activities. It is important to minimize the data kept and processed: whenever we share data internally or externally, or use it in activities such as testing, we must use or share only the minimum amount necessary in each case.
Accuracy of Personal Data
We have an obligation to ensure that Personal Data is kept accurate and up-to-date. We must ensure the existence of adequate processes to keep the data accurate whenever necessary (e.g., of current and potential professionals or clients maintained by the relevant areas).
When acting as the data processor on behalf of a client, we will not be required to implement mechanisms to keep that data up-to-date; this will be the responsibility of the data controller, i.e., our client.
Retention of Personal Data
Personal Data should not be retained for longer than necessary. This means that we must define and apply maximum retention periods for the Personal Data we process and implement processes to delete it at the end of those periods. The following retention periods may therefore be applied:
(i) For as long as necessary for the relevant activity or services;
(ii) Any retention period required by law;
(iii) The end of the period in which disputes or investigations may arise in relation to the services; or
(iv) The minimum period specified in the contract.
Rights of Data Subjects
The GDPR requires us to inform people about the Personal Data we collect, the purposes for which it is processed, and the means by which it is processed. This information is provided in the form of a ‘Privacy Notice.’
a) Right of Access
The Data Subject has the right to request to see the Personal Data we have about them, the purpose of the processing, and the categories of data in question.
We must notify the Data Subject of the recipients with whom we will share their data, especially if the recipient is in another country or belongs to an international organization.
Whenever possible, we will define the data retention period to meet business objectives.
We must inform the Data Subject of the existence of the right to object to processing and their right to rectification and erasure.
We must inform the Data Subject of the existence of their right to complain to a Supervisory Authority.
When data is collected from someone other than the Data Subject, we must inform the Data Subject of the source of that data.
We must ensure that we have processes in place to identify and respond to access requests from the Data Subject without undue delay and within a maximum of one month.
b) Right to rectification
Data Subjects have the right to have inaccurate data rectified, and Legnokaps must make every effort to do so immediately.
c) Right to erasure
The Data Subject has the right to obtain from the data controller the erasure of their data (‘right to be forgotten’). It is Legnokaps’ responsibility to make every effort to delete data immediately, except when there is a legal requirement for its retention. If receiving a request from a Data Subject, contact the Privacy Officer before deleting any data.
d) Rights of children
All individuals, including children, are protected by the GDPR. For children under 13 years old, we should not process their Personal Data based on their consent, except with the authorization of those holding parental responsibilities.
Sometimes we may send marketing material to our clients and partners to inform them of services, upcoming events, or other activities of interest, in which case we must indicate their right to withdraw consent at any time if they no longer wish to be contacted in this way. We must also ensure that we have processes to record and respect these preferences.
Security of Retained Data
Legnokaps will maintain the security of data by protecting the Confidentiality, Integrity, and Availability of Personal Data, where:
Confidentiality means that only authorized persons can access the data;
Integrity means that Personal Data must be accurate and suitable for the purposes inherent in processing;
Availability means that authorized users must be able to access the data if needed for authorized purposes.
All professionals and partners must avoid any inappropriate disclosure of Personal Data and comply with our general duties regarding Confidentiality.
It is allowed to:
a) Disclose Personal Data to third parties only under instruction or when there is a legitimate basis for doing so, and no restrictions are in effect.
b) Disclose Personal Data to third parties in the case of selling or buying any business or assets, or when we are joint data controllers as part of a joint venture.
c) Share Personal Data with a third party processing data on our behalf, which may include transferring data to a third country.
Generally, Personal Data may be disclosed:
a) To professionals or agents so they can perform their functions as such.
b) In cases where non-disclosure may harm the prevention or detection of crimes, the bringing of charges against offenders, or the assessment or collection of any tax or fee. Legnokaps must have adequate reasons to disclose data under this category to avoid criminal proceedings. All disclosures must be justified and documented.
For legal purposes, data may be disclosed:
a) When required by law, statute, or court order.
b) For the purpose of obtaining legal advice.
c) In the context of, or for the purposes of, a judicial proceeding, or when necessary for the defense of a legal right.
d) To safeguard national security.
International Transfer of Personal Data
Legnokaps may transfer any Personal Data to a third country or international organization. The Personal Data we possess may also be processed by employees operating in a third country or by one of our suppliers.
We must ensure that at least one of the following conditions applies:
a) The country to which Personal Data is transferred ensures an adequate level of protection for the rights and freedoms of Data Subjects, by decision of the EU Commission.
b) Appropriate safeguards are provided (e.g., standard data protection clauses).
c) The Data Subject has given explicit consent to the transfer after being informed of the possible risks.
d) The transfer is necessary for one of the reasons set out in the GDPR, including the performance of a contract between Legnokaps and the Data Subject, or the protection of the vital interests of the Data Subject.
e) The transfer is legally required for important reasons of public interest or for the initiation of legal proceedings or defense in the same.
Log information, cookies, and web beacons
Collection and Storage
As an employer, Legnokaps collects, processes, and retains personal data from workers, contractors, consultants, and candidates. The Human Resources Department and any other department processing personal data of professionals must verify and document the legal basis for the processing they perform. Personal data of professionals should only be processed when there is a valid and legitimate purpose for it. The collection of personal data related to our employees occurs through various channels and formats, such as registration forms; electronic web forms (e.g., during the recruitment process); data records; CCTV images; team photos, including identification cards; data from other sources (e.g., previous employers); credit and security checks; etc. The creation and storage of personal data related to our professionals occur through various channels and formats, such as payment receipts; evaluation records; employment contracts; emails; sickness records; etc.
Training and Awareness
We are committed to providing adequate training on the protection of personal data to all professionals. If necessary, we will provide personalized training and awareness for individuals based on their roles.
Process Design and Change
For all proposed new systems and business procedures involving Personal Data, it should be considered whether a privacy impact assessment is necessary to identify risks and controls.
Updated as of February 9, 2024.