GDPR
Privacy and data protection policy

In compliance with the General Data Protection Regulation – Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, hereinafter “GDPR”, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and Law no. º 58/2019, of August 8, which ensures the implementation of the GDPR in the national legal order, this Privacy Policy aims to inform the holders of personal data, who in any way interact with SENSORPOINT – SOLUÇÕES DE SEGURANÇA, LDA, hereinafter Sensorpoint, of the most relevant information regarding the protection of their personal data, including their rights and how these rights may be exercised. The terms “Personal Data”, “Processing”, “Data Controller”, “Processor” and “Data Protection Officer” are used in accordance with the definitions set out in the GDPR.

Data Controller – Identity and mission (Art. 24)

Sensorpoint is the Data Controller and can be contacted at the following email address: RGPD@sensorpoint.pt. Sensorpoint is a legal person governed by public law which, under the terms of the applicable legal provisions, carries out the professional activity of Electrical Installation. Through this Privacy and Data Protection Policy, Sensorpoint declares that it recognizes the need for security of the personal data it processes, guaranteeing the protection of the privacy of the respective data subjects, adopting all the technical and organizational measures necessary to ensure that the processing complies with the principles and rules of the GDPR.

Data Protection Officer (Art. 26 and 37)

Sensorpoint has appointed a Data Protection Officer who can be contacted in writing at the email address RGPD@sensorpoint.pt, or by letter addressed to the Data Protection Officer at Sensorpoint’s head office address – Rua Alfredo Rodrigues Gaspar, N.º 7, 2685-891 Sacavém.

Who are the data subjects and what data is processed?

Personal data is any information of any nature and regardless of its medium, including sound and image, relating to an identified or identifiable natural person. An identifiable person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, electronic identifiers or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity. The data subject is any natural person to whom the personal data relates and who interacts in some way with Sensorpoint, such as its employees, consultants, clients, suppliers and/or other service providers, members of the governing bodies, and users of the website. In general, the processing of personal data carried out by Sensorpoint is based on the management of the relationship with its customers, suppliers, and the provision of services appropriate to their needs and interests, as well as disciplinary reasons and compliance with legal obligations. Website users are solely responsible for the personal information they provide, and Sensorpoint only collects information that is voluntarily provided by users, through their consent. Sensorpoint, as Data Controller, ensures that the personal data it accesses is (Art. 5 and 6):

i) Processed lawfully, fairly and transparently in relation to the data subject;

ii) Collected only for specified, explicit and legitimate purposes, and not further processed for purposes incompatible with those initially defined, with the exception of archiving purposes in the public interest, scientific or historical research, or statistical purposes;

iii) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

iv) Accurate and up-to-date, where necessary, taking all appropriate measures to ensure that inaccurate data, taking into account the purposes for which it is processed, is erased or rectified in a timely manner;

v) Kept for no longer than is necessary for the purposes for which they are processed;

vi) Processed in a manner that ensures their security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by taking appropriate technical or organizational measures.

Transmission of personal data and recipients (Art. 28)

The personal data processed, in addition to being communicated to official entities in compliance with a legal obligation, may also be processed by entities subcontracted by Sensorpoint, whenever legally required or contractually necessary, and only the data necessary to perform the required service will be provided to these entities. Sensorpoint ensures that the subcontractors it uses provide sufficient guarantees of the implementation of appropriate technical and organizational measures for the processing of personal data in accordance with the GDPR, in particular confidentiality, and that they are able to defend the rights of data subjects. In compliance with a legal obligation and for the purposes described, personal data may also be transmitted to judicial, administrative, supervisory or regulatory authorities.

Rights of data subjects

The data subject has the right to:

(i) Request from the Data Controller access to their personal data (Art. 13 and 14), rectification (Art. 16), erasure (Art. 17), objection or restriction of processing (Art. 18);

(ii) Receive the personal data concerning you that you have provided to the Data Controller in a structured, commonly used and machine-readable format and request portability (Art. 20) of the data to another Data Controller, if this is feasible and technically possible;

(iii) Withdraw the consent given at any time when the processing is based solely on that legal ground.

To this end, the data subject should send their request in writing to the Data Protection Officer at the email address RGPD@sensorpoint.pt, or to the address of Sensorpoint’s head office. The data subject may also ask the Data Protection Officer for more detailed information on the processing of personal data, as well as submit complaints about the way in which their personal data is processed, without prejudice to the right to also submit a complaint to the CNPD (National Data Protection Commission), if they consider that the processing carried out by Sensorpoint violates their rights and guarantees, as set out in the GDPR.

Security of personal data (Art. 32)

Sensorpoint adopts the appropriate and necessary security techniques and measures to protect the personal data of the data subject, protecting it against misuse or unauthorized access. Sensorpoint treats the personal data it accesses in an absolutely confidential manner, in accordance with its internal security and confidentiality policies and procedures, which are periodically updated as required.

Breach of personal data (Art. 33 and 34)

In the event of a data breach and insofar as such a breach is likely to entail a high risk to the rights and freedoms of data subjects, Sensorpoint undertakes to report the personal data breach to the data subjects as well as to the National Data Protection Commission (CNPD) within 72 hours of becoming aware of the incident.

Under legal terms, communication is not required in the following cases:

– If adequate protection measures, both technical and organizational, have been applied and these measures have been applied to the personal data affected by the personal data breach, especially measures that render the personal data incomprehensible to any person not authorized to access such data, such as encryption;

– If subsequent measures have been taken to ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize; or

– If communication to the data subjects would involve a disproportionate effort and a public communication is therefore made.

Right to Complain (Art. 77 to 79)

All data subjects have the right to lodge a complaint with a supervisory authority.

Right to compensation and liability (Art. 82 and 83)

The GDPR establishes fines for companies that do not comply with the law.
The sanctions are based on two levels (depending on severity):

– In less serious cases, the fine could be up to 10 million euros or, in the case of a company, up to 2% of annual worldwide turnover, whichever is the higher;

– In more serious cases, the fine could be up to 20 million euros or, in the case of a company, up to 4% of its annual worldwide turnover, whichever is higher.

In the first case, the fines will apply to failures to comply with technical or organizational requirements, such as failure to report breaches of their databases, or lack of certifications.

In the second case, for the most serious cases of violation of basic principles related to data security, such as failure to respect the consent given by the user, the transfer of personal data to other countries or organizations that do not ensure a certain level of data protection.

Changes to the privacy policy

This privacy policy may be amended at any time, without prior notice, by publishing a new version on the website, with express reference to the date of the last update.

Applicable law and jurisdiction

Any disputes arising from the validity, interpretation or execution of the privacy policy, or which are related to the collection, processing or transmission of the data subject’s personal data, shall be submitted exclusively to the jurisdiction of the courts of the district of Lisbon, without prejudice to the applicable mandatory legal rules.