General Data Protection Regulation
The General Data Protection Regulation (GDPR) aims to strengthen the rules protecting individuals' personal data when it is processed. PARTTEAM & OEMKIOSKS, which processes personal data of employees, clients, suppliers and partners, therefore complies with the GDPR.
Personal Data - Definition
Personal data refers to information concerning an individual that identifies him/her or allows him/her to be identified, in a direct or indirect way.
In the course of its professional activity and following various interactions, PARTTEAM & OEMKIOSKS uses personal data provided by its clients, employees, partners and suppliers, including data concerning other data subjects, to fulfill its contractual obligations. This data includes:
- Taxpayer Identification Number;
- Phone number and SOS number.
However, other data can be collected:
- Identification data, such as date of birth, place of birth, filiation, sex, nationality, academic qualifications, identity card number and social security number;
- Possible degree of incapacity or temporary disability;
- Place and form of payments to be made by PARTTEAM & OEMKIOSKS;
- Bank account number;
- Identification of the institution.
Data is handled by PARTTEAM & OEMKIOSKS in compliance with all legal obligations.
Sensitive Personal Data
Data covering racial or ethnic origin, religious beliefs, trade union membership, political choices, health information, genetic information or information concerning sexual orientation is considered sensitive data. As a rule, PARTTEAM & OEMKIOSKS does not request such data.
Personal data holder
The individuals identified by the personal data may be, for example, the following:
- Subscribers of PARTTEAM & OEMKIOSKS newsletters.
Handling of personal data
The procedures for collecting, storing, consulting, editing, disclosing, making available or destroying personal data are considered modes of processing personal data.
The principles of data processing
The processing of personal data must be rigorous, transparent and fair. It must therefore only occur for the purposes determined at the time of data collection, and the data may not subsequently be used for other purposes, even if compatible.
The data, which must be limited to what is necessary and used by PARTTEAM & OEMKIOSKS only when really needed, must be accurate, up to date, kept securely and retained only for the period required by the purpose of the processing.
Legal grounds for data processing
The legal grounds for data processing cover:
- Contractual relations;
- Compliance with legal obligations;
- The legitimate interest of the organization;
- The consent of the data subject.
The data holder must give consent in a clear manner. Consent is not valid if it is obtained by omission or through pre-ticked options.
PARTTEAM & OEMKIOSKS, in turn, must demonstrate that this consent has been obtained according to the standards of the GDPR. This is because any organization must obtain the consent of the data subject in order to carry out direct marketing actions for services and products.
Nevertheless, the data subject may, at any time, withdraw consent.
Transparency of information on the collection of personal data
The data subject must be informed when collecting his/her personal information of the following points:
- People in charge of data processing;
- Contact details for the Data Protection Officer (DPO);
- Duration of data storage;
- Purposes of processing;
- Legal basis;
- Recipients of the personal data;
- Occurrence of data transfer to a country outside the European Union;
- Rights of the data subjects;
- Security measures established by the organization;
- Existence of processing for automated individual decisions;
- Right to lodge a complaint with the National Commission for Data Protection.
In view of its activity, PARTTEAM & OEMKIOSKS processes clients' personal data, used for contractual execution or for the fulfillment of legal obligations. The objective is to manage the contractual relationship, which may include sending communications through marketing actions (if there is client consent), by mail, telephone, email or other means. It may also include the management and collection of payments, fees or charges.
This data is, as a general rule, provided by the holders within the scope of a contractual bond or legal obligation to which PARTTEAM & OEMKIOSKS is subject. In certain situations PARTTEAM & OEMKIOSKS may keep the holders' data after this bond has ended. In that case, the holder will be informed, at the time of collection, of the retention periods and the criteria used to determine them.
When signing the contract, collaborators, suppliers or service providers sign a confidentiality agreement, undertaking to safeguard all the information to which they have access during the contractual bond with PARTTEAM & OEMKIOSKS and to comply with this policy, according to the applicable terms.
PARTTEAM & OEMKIOSKS also enters into, on its own initiative, confidentiality agreements with partners, clients and suppliers, even before any contract is concluded.
Other entities with whom we share personal data
PARTTEAM & OEMKIOSKS may resort to other persons and/or companies for the provision of certain services, which implies, in some cases, access by third parties to personal data of data subjects. However, when this is the case, measures are adopted to ensure that the subcontracted entities strictly comply with the applicable legal requirements.
PARTTEAM & OEMKIOSKS may also have to transmit personal data to public and private entities, by legal imposition, such as the Social Security Institute, the Tax and Customs Administration, Insurance Institutions, accounting offices, among others.
This data may also be disclosed to the following entities:
- Professional consultants, banks, auditors, insurance companies, financial organizations and administrators;
- Providers of certain services, such as IT and system administration services, hosting and cloud storage services and other software;
- The government or other public authorities or national regulatory authorities, when PARTTEAM & OEMKIOSKS is obliged to do so under applicable laws.
Holders' rights - Access
The data holder has the right to access, at any time, the data held by PARTTEAM & OEMKIOSKS, as well as the purposes of the data, its recipients, retention periods and information on the existence of automated decisions and profiling.
Holders' rights - Limitation of processing
The data subject has the right to request the restriction of processing in conditions such as the following: when the processing of the data is unlawful; when the data is no longer accurate; when the data subject has objected to the processing and has not obtained any response.
Holders' rights - Opposition to processing
The data holder may object to the processing of his/her data if, for example, PARTTEAM & OEMKIOSKS performs direct marketing of services or products, including profiling for this purpose.
Holders' rights - Forgetting or erasing
The data holder may request the erasure or deletion of his/her data when situations such as the following occur: the data is no longer accurate for the purposes for which it was collected; consent has been withdrawn; the data subject has objected to the processing of the data; the data has been processed unlawfully.
Holders' rights - Portability
The data holder has the right to receive and consult personal data in an organized, structured, machine-readable and commonly used form. In addition, he/she may request the right to transmit such data to another entity/organization.
Data handler and subcontractor
PARTTEAM & OEMKIOSKS takes responsibility for the processing of data, clarifying the purposes and the means used for such processing, ensuring that subcontractors comply with the GDPR.
Contracts with suppliers that access or process personal data include specific GDPR clauses.
Data Protection Officer (DPO)
The Data Protection Officer (DPO) has the following duties:
- Cooperate with supervisory bodies;
- Control the risks of the data processing procedures;
- Inform and advise the controller or processor of their obligations;
- Ensure that the controller's policies are in compliance with the regulation;
- Act as the point of contact with data subjects regarding the regulation.
PARTTEAM & OEMKIOSKS is aware of the cases in which the appointment of a DPO is mandatory, as set out in art. 37 of the GDPR. PARTTEAM & OEMKIOSKS has not appointed a DPO because it does not fall within the cases described in art. 37. Nevertheless, PARTTEAM & OEMKIOSKS has appointed employees who are responsible for ensuring compliance with the data protection guidelines. These employees have the task of informing, advising, sensitizing and training company officers and other employees on this matter and of taking the necessary measures to ensure compliance with these guidelines.
Personal Data Breach
A personal data breach occurs when a company/organization suffers a security incident concerning the data for which it is responsible, which results in a breach of confidentiality, availability and integrity of the data.
When the breach occurs, and if it constitutes a risk to someone's rights and freedoms, the company/organization, in this case PARTTEAM & OEMKIOSKS, must notify the supervisory authority (within 72 hours after becoming aware of the breach). If the notification is not transmitted within 72 hours, it must be accompanied by the reasons for the delay.
PARTTEAM & OEMKIOSKS has an internal document that informs on the procedures to be taken in the event of a data breach.
PARTTEAM & OEMKIOSKS keeps personal data in strict compliance with the legal regulations, aiming at satisfying the purpose that motivated its collection and treatment.
PARTTEAM & OEMKIOSKS complies, therefore, with all legal obligations in what concerns the conservation and updating of personal data.
The storage and deletion of data are also carried out in a secure manner.
If there is a need to use someone's personal data for another purpose, not covered by the present document, PARTTEAM & OEMKIOSKS will send a notification to the person with the reasons and conditions of the processing.
Security of personal data
PARTTEAM & OEMKIOSKS will demonstrate that it has taken all necessary measures to ensure an adequate level of security of personal data. These measures may include:
- Encryption of data;
- Backups and recovery of information systems;
- Clear screen and clear desk policies.
In effect, PARTTEAM & OEMKIOSKS guarantees the security of all personal data, as well as compliance with all legal obligations in the event of a security breach.
Accountability and sanctions
The people in charge of the processing must assess all the risks inherent to the collection and processing of the data, namely by putting in place measures to mitigate the risks.
PARTTEAM & OEMKIOSKS holds some personal data, namely for the management of the contractual relationship. This means that we are accountable to the person who provided us with his/her data for the processing of that data.
PARTTEAM & OEMKIOSKS will handle all data confidentially and in accordance with the applicable regulations and standards.
Data Protection Impact Assessment (DPIA)
In some cases, and before the collection and processing of personal data begins, the regulation provides for a risk assessment and the definition of measures regarding the security of the processing.