In the course of its activity, Silvex collects and processes personal data pertaining to various data subjects, including clients and their representatives.
This document provides the guidelines to act with integrity and in compliance with regulatory requirements under data privacy and should be respected by all of Silvex’s employees.
II. SCOPE AND CHANGES
The present document covers any and all processing of personal data that pertains to Silvex’s clients and their representatives, as data subjects, and applies to all departments of SILVEX – Indústria de Plásticos e Papéis, S.A.
Silvex reserves the right to alter this policy when necessary and it is subject to periodic reviews to ensure conformity with applicable laws, regulations and good business practices. Changes shall be made and approved by Silvex’s Administration.
and will be posted on Silvex’s website so that the data subjects can at anytime consult the document.
The current version of this document will remain available at all times on the Internet at https://www.silvex.pt/en/privacy-policy-for-clients-personal-data- processing_174.html and will be made available to clients and their representatives before the collection of any personal data.
III. APPLICATION OF NATIONAL LAWS
The General Data Protection Regulation’s main objective is to ensure respect for the fundamental right that each person has to decide the use of his or her personal data. The GDPR covers all companies operating in the European Union and the national law of each country will take precedence over it in case of conflict or in situations where the requirements of national law are more stringent.
Silvex is responsible for ensuring compliance with this policy and the applicable laws. In the event of the detection of any conflict between the contents of this policy and any law or guideline, Silvex’s Data Processing Officers (DPOs) must be immediately informed.
The General Data Protection Regulation can be found at:
Once approved, the processing of personal data by Silvex will take this legislation in due account and may even modify the present policy in accordance with the precepts then approved.
IV. RIGHTS OF THE DATA SUBJECT
In accordance with regulatory requirements, Silvex ensures that its clients and their representatives, as data subjects, enjoy a set of rights relating to how their data is collected, processed and protected.
As for any information requests on personal data, Silvex will guarantee the security of the data by requesting authentication by the data subject. Silvex ensures a response time that is inferior to one month, save in exceptional cases for which, given the complexity of the request and/or the number of requests made, a response time of up to 2 months will be defined. If the response time is extended, Silvex will notify the data subject, within a maximum of one month from the date of receipt of the request, of the reasons for the delay in the response to the request.
All information requests will be analysed to verify compliance with regulatory requirements. Whenever there is a legal framework preventing the data subject from invoking certain rights, Silvex reserves the right to not respond to the request by informing the data subject of the reasons why his or her request will not be satisfied and of the possibility to submit a complaint to a supervisory authority and file a lawsuit. When the requests placed by a data subject are manifestly unfounded or excessive, Silvex may subject the satisfaction of the request to the payment of a fee that takes into account the administrative cost of providing the information or communication or of taking the requested action, which Silvex estimates will never be inferior to € 100.00 (one hundred euros), without preventing the right of, in alternative, refusing to follow up on the request.
The rights of the clients and their representatives, as data subjects, are listed below, noting their particularities and the means made available by Silvex so that they can invoke these rights. The preferential means of communication to invoke each right are presented. For other situations that are not contemplated, the data subject can place their request through one of the channels presented in section XV. Contacts.
a. Right to transparent communication
Silvex will inform the data subject in a clear and transparent manner about the processing of personal data, at the time of its collection, by communicating the following information:
• The purpose(s) of the processing for which the personal data is intended;
• What is the lawful basis for the treatment (legitimate interests of Silvex, legal
or contractual obligation or others), as well as the possible consequences of not providing such data;
• The categories of recipients of personal data, if applicable;
• Whether personal data is transferred to a third country or an international
organisation, should this occur;
• The period of storage of personal data or, if it is not possible, the criteria used to define this period;
• The existence of automated decision-making, if applicable;
• Your rights as the data subject (presented in this section), which include the
right to file a complaint with a supervisory authority; • Silvex’s contacts.
If the data is not obtained from the data subject and the data subject has not been informed about the collection of personal data, Silvex shall ensure that, within a reasonable time after obtaining the personal data, the data subject is informed of the above mentioned points, as well as of the following:
• The origin of the personal data;
• The category of the data that has been collected.
Silvex commits to always inform the data subject of its intention to use their data for other purposes than those previously reported.
b. Right to access
Silvex ensures the existence of means to enable the data subject to access personal data that it holds on them and the following information included in section a. Right to transparent communication.
If requested by the data subject, Silvex will send a copy of his/her personal data that is being processed, in electronic format.
If the information requested by the data subject impairs or compromises the rights and freedoms of third parties, Silvex, in accordance with regulatory requirements, will not follow-up on the request for access.
c. Right to rectification
Silvex ensures that the data subject can rectify their personal data, if it is incorrect, or to complete it, if it is incomplete.
As data subjects, Silvex’s clients, if registered on the online platform (https:// super.silvex.pt), can edit their personal data through the option 'My Account > My Data' on the website menu. If they are not registered or are not authorised to alter personal data or fall in any other situations not covered by the above points, they should request the rectification using the contacts indicated in section XV.
d. Right to be forgotten
Silvex ensures the necessary means for the data subject to request the erasure of their personal data. The requests received will be reviewed and, if considered valid in light of the regulatory requirements, Silvex commits to "forget" the data within a reasonable time, from the end of the period of the necessity of the data for the purpose for which it is intended and which necessarily legitimises the processing of the personal data of the client or their representatives. If the requests are not considered valid, Silvex will not process them and will inform the data subject of the reasons associated with that decision.
e. Right to object
Silvex ensures the necessary means so that the data subject may object to certain personal data processing for certain purposes, subject to any applicable policies or laws. If the requests are not considered valid, Silvex will not process them and will inform the data subject of the reasons associated with that decision.
f. Restriction of processing
Silvex ensures the necessary means for the data subjects to request the restriction of processing of their personal data, ensuring data accuracy and limiting the legitimate treatment to the necessary time period.
g. Right to data portability
h. Automated individual decision-making
Silvex provides the necessary means for the data subject to request a copy of their data to be sent to another entity. This data will be transmitted in a digital and structured format.
Silvex reserves the right to refuse portability requests whenever this negatively affects the rights and freedoms of others or conflicts with any legal requirement.
In any case, Silvex reserves the right to demand the payment of a fee that is equivalent to the administrative costs incurred to respond to the request and/or process it, establishing the minimum cost at 50.00 € (fifty euros).
Silvex does not make decisions regarding its clients or their representatives using automated decision-making processes.
V. PRINCIPLES FOR DATA PROCESSING
The processing of personal data by Silvex is governed by the following principles: a. Lawful,loyalandtransparent
Personal data is obtained and processed in a lawful and transparent manner, informing the data subject of the data collected, the purposes for which the data is processed, the recipients to whom it is to be communicated and the period for which the personal data will be stored.
Personal data is collected for specified, explicit and legitimate purposes and cannot be further processed in a manner that is incompatible with those purposes.
c. Integrity and confidentiality of data
The security of personal data is ensured through the adoption of measures that allow its protection against unauthorised or unlawful processing as well as its accidental loss, destruction or damage.
The accuracy and updating of the data is ensured through the provision of specific channels that allow the data subject to communicate any updates, as well as measures for revision and analysis of the quality of the data, which will guarantee that inaccurate data is erased or rectified immediately.
Data collection operations are subject to prior analysis to ensure that only relevant and strictly necessary personal data is collected, with reference to the purpose of the processing. With this in mind, information collection operations are carried out through forms with limited fields in order to guarantee that the data subject does not communicate any personal data other than that required for that situation.
f. Storage of data for no longer than is necessary for the purposes for which the personal data is processed
Personal data is stored for a predefined period, called the storage period. This time period is established by taking into consideration the time that is necessary for the completion of the purposes for which the data is processed. After the storage period, the personal data is deleted or anonymised and it will no longer be possible to relate the data to its subject.
g. Responsibility for the data
Silvex holds responsibility for the collection and processing of the data subject’s personal data, even if third party subcontractors carry out the processing.
VI. PROCEDURES FOR COLLECTING AND PROCESSING CLIENTS’ PERSONAL DATA
During its activity, Silvex collects and processes personal data belonging to clients and their representatives, for various purposes. The collection and treatment of this information has legal framework and is carried out in accordance with the regulatory and legal requirements in force, except in situations for which the consent of these data subjects is requested. The treatments performed by Silvex in this context are as follows:
a. Purpose 1: Management of established business contacts with clients and potential clients and of subsequent requests to supply products and render services, as well as processing complaints and suggestions pertaining to contacts and requests made.
Lawful Basis for Processing: contractual relationship with the client that requests a supply of products or service rendering, or a legitimate interest in promoting business relationships with clients or potential clients, regardless of them leading or not to entering into a contract.
b. Purpose 2: Compliance with the legal obligation of the Controller to keep the client's data and the request(s) they make, in accordance with applicable tax rules.
Lawful Basis for Processing: Compliance with the legal obligation to issue and maintain invoices to which the controller is subject.
c. Purpose 3: Submission of information and/or commercial communications addressed by any means - requested or unsolicited - about the products and services offered by Silvex, as well as for measuring clients’ or potential clients’ level of satisfaction regarding the same products and services.
Lawful Basis for Processing: The Controller’s legitimate interest to promote, to its clients or potencial clients, products and services that are similar to those previously provided or previously sought by them and to control the degree of clients’ and potential clients’ satisfaction regarding such products and services.
d. Purpose 4: Suitability of commercial offers to the clients’ or potential clients’ preferences, based on the study and segmentation of the personal and commercial information related to them.
Lawful Basis for Processing: The Controller’s legitimate interest in the development of a more personalised business relationship with clients and potential clients.
e. Purpose 5: Protection of people and goods at the premises of the Controller, by means of image collection through video surveillance systems.
Lawful Basis for Processing: Public interest in the prevention and deterrence of unlawful acts and the Controller’s legitimate interest to protect its own assets and the assets of its employees, suppliers and clients, as well as to protect the same people.
VII. OBLIGATION TO INDICATE CERTAIN DATA; CONSEQUENCES OF NOT PROVIDING DATA.
Personal data that is indicated as mandatory in a form (or another document) that supports the collection is necessary for the purposes for which the data processing is intended and this purpose will be compromised if such data is not provided.
Failure to provide other data requested may hinder and possibly prevent the execution of the intended purpose.
VIII. Data storage period
The personal data provided will be kept for the period of time that is necessary for the realisation of the purpose that determines the processing.
The personal data provided will be kept for the period necessary for the performance of the contract or the accessory aspects related to the contractual relationship (proof of relationship, management of complaints, management of administrative endeavours) and, as long as its erasure isn’t requested, it will be kept for a maximum period of five years since the last order.
Billing data will be kept for the legally established period, currently set at ten years.
Data referring to business contacts with potential clients that have not led to entering into a contract will be kept, as long as its erasure is not requested, for a maximum period of two years since the last business contact.
The data resulting from the video surveillance systems shall be stored for a minimum period of 30 (thirty) days and a maximum period that may reach 6 (six) months, which will be defined on a case by case basis by the corresponding authorisation or impact assessment.
The collected data shall be kept for the indicated periods as long as they prove to be appropriate and relevant for the purposes for which they are intended and its processing shall be limited to what is strictly necessary for such purposes.
Client data may be transferred to other companies in the Silvex group or to other partners to whom Silvex might resort to ensure the fulfilment of the above mentioned purposes.
Silvex retains responsibility over the suitability of the data processing, even when subcontractors carry out the processing.
Throughout this transmission of personal data, Silvex will ensure compliance with applicable regulatory requirements.
During the process of contracting these services, Silvex will verify that the entity it intends to subcontract has an adequate level of data protection. To this end, Silvex will apply a set of measures to ensure that data is only transferred to entities that present sufficient guarantees of executing technical and organisational measures that are appropriate to the processing of personal data, of complying with regulatory requirements and of ensuring the protection of the rights and freedoms of the data subjects. For this reason, data will only be transferred after entering into a contract which contains a set of pre-defined clauses that establish the object and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects, the obligations and the rights of both parties.
These contracts will stipulate that the subcontracted entities will only carry out processing that is requested by Silvex and will impose requirements to ensure the correct processing of this data, in accordance with the principles set out in section V - Principles for data processing, as well as the existence of the necessary mechanisms to enforce the rights set out in Section IV - Rights of the data subject.
Silvex will adopt the necessary measures to monitor the activities of the subcontractor.
Data is not currently transferred to third countries or to international organisations.
X. PROCESSING CONFIDENTIALITY
Silvex commits to ensure the confidentiality of the personal data that it collects and processes. The principle of minimum access is applied, according to which Silvex’s employees only have access to the data that is necessary to the correct performance of their duties. To this end, the data and documents collected by Silvex are inventoried, classified, processed and monitored according to their level of confidentiality.
The obligation of confidentiality imposed to Silvex’s employees regarding data collected by the company is obtained in the employment contract, is emphasised by the privacy policies in force in the company and will remain even after they have ceased to work in the organisation. Any unauthorised collection, processing or use of data is strictly prohibited and will be subjected to disciplinary action.
Silvex implements a number of procedural and technological measures that aim to ensure the security of the processing of personal data that is executed by Silvex or its subcontractors.
Regarding data storage, there are defined security procedures and controls in place, both physically and digitally, to ensure the integrity of the data and access control.
Access to Silvex’s physical files is limited to employees authorised for this purpose and the files are segregated by categories of processing.
Regarding the security of the information systems, Silvex establishes security controls to be applied to stored data, in particular to personal data. Access to data is segregated and limited by necessity and registration and monitoring of the access logs is performed. Wherever possible, data protection mechanisms such as encryption, anonymisation or pseudonymisation of data are applied. Procedures and rules for performing backups to the information systems are defined. Silvex also defined a business continuity plan for it and the corresponding disaster recovery plan, which allow the reduction of the risk of loss of data or of data integrity. These plans are reviewed periodically and subjected to testing.
XII. DATA PROTECTION CONTROL
Silvex performs periodic internal audits to execute controls in the context of data privacy. Among other aspects, the verification of compliance with contractually agreed requirements related to the protection of personal data that is collected and processed will take place.
XIII. DATA PROTECTION INCIDENTS
Silvex established processes and procedures to identify and treat incidents related to data privacy. Silvex provides channels for communicating alerts of potential incidents, which are made available in section XV. Contacts.
Silvex’s clients and their representatives, as data subjects, should use these channels. On the other hand, all employees are responsible for communicating any suspicions of a data breach incident to the company’s Directors, when faced with such a situation, which they have the possibility of doing anonymously.
When an incident that poses a risk to the affected data owners occurs, Silvex immediately triggers a set of measures for risk mitigation and reports the incident to the supervisory authority within a reasonable time, up to a maximum of 72 hours after its identification. If the risk to the subjects of the affected data is considered high, Silvex undertakes the commitment to inform them of the occurrence of the incident, of the potential consequences, of the measures adopted (or that shall be adopted) to repair the situation and mitigate any negative effects, as well as the name and contacts of the people responsible for following up on the incident, without undue delay.
Page 9 of 10
Silvex is responsible for processing all the data collected and processed and for the processing performed by other entities at Silvex’s request.
Silvex is subject to inspections by the supervisory authority, the National Data Protection Commission (Comissão Nacional de Proteção de Dados). Unlawful processing of personal data or other violations of data protection laws makes Silvex liable to legal action. Employees who are held liable for data protection violations are subject to disciplinary sanctions in accordance with the labor law in force and may also be held liable for civil or criminal liability.
• E-mail: email@example.com
• Address: Silvex - Industria de Plásticos e Papéis, S.A., Quinta da Brasileira, Lote 10, 2130-999 Benavente, Portugal
• Phone: +351 263 519 180
Contacts for invoking of rights by data subjects:
• E-mail: firstname.lastname@example.org
• Address: Quinta da Brasileira, Lote 10, 2130-999 Benavente, Portugal