EN

General Data Protection Regulation

(GDPR)

 

NATURE OF OUR ACTIVITY

Founded in 2001, SAPMetal - Araújo & Paredes Lda, hereinafter referred to as SAPMetal, has been operating in the metalworking sector ever since. In a constant effort to optimise the production process, we are a company that is a benchmark in the transformation processes that make up our industrial flow, with an emphasis on welding and surface treatments.

Although our main activity does not consist of the direct processing of personal data, this is ancillary to our activity which is why we guarantee that it will be processed in accordance with the obligations arising from the GDPR.

 

DATA CONTROLLER

SAPMetal has the need to collect, access and process personal data inherent to and related to its core business, which implies that in this case it assumes the position of Data Controller with all the inherent obligations and duties:

Headquarters: SAPMetal - Araújo & Paredes Lda.

Parque Industrial do Perro, Rua da Indústria N.º1

4720-319 Dornelas, Amares - Braga, Portugal

Telephone: (+351) 253 995 443

Email: info@sapmetal.com

                                   

PURPOSES AND BASIS OF PROCESSING

SAPMetal processes personal data exclusively for:

i) Execution of contracts to which the data subject is a party, or for pre-contractual steps at the request of the data subject;

 

ii) Defense of vital interests of the data subject or another natural person;

iii) Compliance with legal obligations to which the data controller is subject;

iv) The purposes of legitimate interests pursued by the controller or by a third party, except where the interests or fundamental rights and freedoms of the data subject which require the protection of personal data prevail, in particular where the data subject is a child;

v) If the data subject has given consent to processing for one or more specific purposes.

 

 

PERSONAL DATA PROCESSING OPERATIONS

The sole purpose of the personal data collected is to gather the information necessary to enter into the respective contracts and/or provide our services.

In the development of our activity, we collect personal data in order to enter into labour contracts, provide services, purchase and sell, recruit and select, negotiate or carry out contractual or pre-contractual steps or any other legally necessary and/or obligatory steps, the sole purpose of which is to carry out our business, complying with the respective legal and contractual obligations.

 

 

SECRECY AND CONFIDENTIALITY

All our employees are obliged to guarantee the confidentiality and protection of information as prescribed by the General Data Protection Regulation, and are obliged to maintain absolute secrecy regarding any information or knowledge of a personal, technical, business or other nature, acquired, necessarily or involuntarily, during the employment relationship or because of it, relating to SAPMetal and any other persons, whether natural or legal, who have a relationship with SAPMetal, namely other employees, customers and suppliers, unless previously authorized in writing.

Any reproduction, copying, modification, public communication, distribution or any other type of transfer, whether free or for a fee, of any documents, including computer programs, publications, information contained in databases, or any other intellectual material belonging to or relating to SAPMetal and any third party related to it, is expressly prohibited, unless previously authorized in writing.

 

 

 

 

 

SUBCONTRACTORS

Our concern with ensuring secrecy and confidentiality in the processing of personal data extends to our subcontractors, from whom we require sufficient guarantees of data processing in compliance with and compliance with the processing rules arising from the GDPR.

With this, we ensure that holders of personal data have confidence in the processing of their data, secrecy, confidentiality and in accordance with all data processing rules and this privacy policy, as well as orders, instructions and internal procedures to respect the privacy of the data holder.

 

 

SECURITY MEASURES

We use security measures, including authentication tools, to help protect and maintain the security, integrity and availability of your personal data.

We take the necessary measures to ensure the secure processing of personal data, in particular, precautionary measures to protect personal data against loss or misuse, and we use security procedures to prevent unauthorized access to such personal data.

All personal data we collect is stored on servers that offer security guarantees and we submit our systems and security policies to periodic analyses to ensure that the data is safe and protected.

We also respect the confidentiality of your information and do not sell, distribute or otherwise make your information commercially available to any third party, so we are committed to keeping your information confidential in accordance with applicable legislation.

 

 

STORAGE PERIODS

We only keep your personal data for as long as is necessary for the purpose for which it was collected and once the maximum retention period has been reached, your personal data will be securely destroyed.

 

 

DATA SUBJECT RIGHTS

1) Right of Access to Data: You have the right to know whether or not your personal data is processed and to access the information that is processed about you such as the purposes of the processing; categories of personal data processed; if the data was not collected from you, the origin of the data if available; entities acting in the name of and on behalf of the controller; third parties to whom the data is communicated; data retention period or criteria used to set the period; whether your data is subject to automated decisions and whether there is profiling; if so, what the underlying logic is, as well as the importance and consequences that the data processing may have for you; if your personal data is transferred to countries or international organisations outside the European Economic Area, what guarantees exist so that the personal data continues to enjoy an adequate level of protection after the international transfer.

2) Right to Data Rectification: You have the right to obtain the rectification of your personal data when they are inaccurate or out of date;

3) Right to Data Erasure: You have the right to obtain the erasure of your personal data only in the following circumstances: The data is no longer necessary to achieve the purpose for which it was collected and there is no legal rule requiring it to be kept for longer; you have withdrawn your consent, on which the legitimacy of the processing was based; the personal data is being processed unlawfully, which requires justification on the part of the data subject; when you have objected to the processing of data for marketing purposes, including profiling that may be associated with it; when you have objected to the processing of data, pursuant to no. You also have the right to obtain the data controller's consent to the processing of your data for marketing purposes, including profiling that may be associated with it; you have objected to the processing of your data under Article 21(1) of the GDPR, and there are no overriding legitimate interests of the controller; the data must be erased by virtue of a legal obligation; consent to the processing of your data has been given by your legal representatives under Article 8 of the GDPR.

You also have the right to have Internet search engines remove hyperlinks from the list of results displayed after a search for your name (de-listing). These hyperlinks must be specified individually in the request.

There are situations in which the right to erasure of data, as indicated, may not apply, namely when the processing of data is necessary for the exercise of freedom of expression and information or for reasons of public interest in the field of health or for the purpose of exercising a right in legal proceedings.

4) Right to Restriction of Processing: This is the right that allows you, for a certain period of time, to restrict the use of your data, i.e. ‘freeze’ it, so that it cannot be communicated to third parties, transferred internationally or deleted.

You have the right to obtain the restriction of data processing in the following situations: When you contest the accuracy of the data until the data controller has verified the quality of the data; when you have objected to the processing of data until it has been verified that legitimate interests prevail; when the data is required by the data subject for the purposes of exercising a right in legal proceedings, even if it is no longer necessary for the data controller; when the data has been processed unlawfully and the data subject does not wish it to be erased, but rather limited in its use (until such time as you eventually take legal action against the data controller).

You have the right to be informed by the controller before the restriction of processing you have requested is cancelled.

When processing is restricted, the data may only be used with your consent, for the purposes of exercising a right in legal proceedings or defending the rights of an individual or legal person or for weighty reasons of public interest.

5) Right to Data Portability: This is the right to receive your personal data from a data controller in a structured, commonly used and machine-readable format, and the right to transmit it to another data controller, only if the data processing in question is based on consent or a contract and is carried out by automated means; the right to have your data transmitted directly between data controllers, whenever technically possible, but covers only the data provided.

6) Right to Object: You have the right to object, at any time, to the processing of your personal data, on grounds relating to your particular situation, where: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority; the pursuit of the legitimate interests of the controller or of a third party; the reuse of the data for a purpose other than that for which it was initially collected, including profiling. In such cases, the controller shall cease processing unless it demonstrates compelling legitimate grounds which override the rights and freedoms of the data subject, or for the exercise of legal claims.

You have the right to object, at any time and without justification, to the processing of your data for direct marketing purposes, including associated profiling.

7) Right to withdraw consent: You have the right to, at any time, withdraw the consent you have given for the processing of your data, unless there is a legal basis that requires such processing.

8) Right not to be subject to any decision taken solely on the basis of automated processing: you have the right not to be subject to any automated individual decisions, i.e. decisions taken solely on the basis of automated processing, including profiling, which produce effects in your legal sphere or significantly affect you in a similar way. Automated individual decisions may be adopted if such decisions are necessary for the conclusion or performance of a contract between the data subject, are authorised by legislation to which SAPMetal is subject, or are based on your explicit consent.

SAPMetal does not adopt automated individual decisions, i.e. with similar legal effects or significant impacts.

9) Right to Complain: You also have the right to lodge a complaint with the Supervisory Authority: Comissão Nacional de Proteção de Dados – CNPD - Av. D. Carlos I, 134 - 1.º 1200-651 Lisbon; Tel: 351 213928400, Fax: +351 213976832 and e-mail geral@cnpd.pt or www.cnpd.pt .

 

 

EXERCISE OF DATA SUBJECT RIGHTS

1) As a data subject, you may, at any time, if you wish, exercise your rights by sending a request to the headquarters address or email identified above.

2) You must identify yourself accurately and be able to prove your identity when exercising your rights.

3) You must keep proof that you have submitted a request to exercise your rights.

4) The exercise of rights is free of charge unless the requests made by a data subject are manifestly unfounded or excessive, in particular because of their repetitive nature, in which case the controller may require payment of a reasonable fee to cover the administrative costs of providing the information or communication, or of taking the measures requested, or refuse to comply with the request.

5) Special situations:

Children - the exercise of rights in relation to children's personal data is carried out by their respective legal representatives, without prejudice to the possibility of the children themselves being able to exercise them directly, given their age and maturity and the situations in which the processing of data is already legitimised by the child's consent, as provided for in Article 8 of the GDPR and Article 16 of Law 58/2019 of 8 August.

Deceased persons - the exercise of rights in relation to the personal data of deceased data subjects, when sensitive data is involved (Article 9(1) of the GDPR) or data relating to privacy, image or communications data, is exercised by whoever has been designated for this purpose by the data subject or, failing that, by their respective heirs. Also according to article 17 of Law 58/2019, of 8 August, the data subject can leave a determination that it is impossible for third parties to exercise rights over their personal data after their death.

Co-responsibility - the exercise of rights in relation to the processing of personal data in which there is more than one controller can be realised with any of the controllers, regardless of what is agreed between the co-responsible parties.

           

 

 

CHANGE TO THE PRIVACY POLICY

SAPMetal reserves the right to change, modify, add or rectify this Privacy Policy at any time, without prior notice, and such changes will be published.