This Privacy Policy and Personal Data Protection Policy details the terms under which Grupo Sousa Investimentos SGPS Lda. processes Customers’ personal data, as well as the rights they may exercise, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council – the General Data Protection Regulation (GDPR) – and other applicable national legislation on privacy and data protection, in particular Law No. 58/2019, of August 8, which ensures the implementation of that regulation in the national legal framework.
Through this privacy policy, Grupo Sousa Investimentos SGPS Lda. aims to transparently inform all Clients about the specific, explicit, and legitimate purposes for which their personal data is collected and processed, as well as the legal basis for the processing carried out by Grupo Sousa Investimentos SGPS Lda.
Data Controller
Grupo Sousa Investimentos SGPS Lda. is a legal entity is part of Grupo Sousa, with registered office at Avenida do Mar e das Comunidades Madeirenses, No. 21, 3rd floor, 9000-054 Funchal, with Tax Identification Number (NIPC) 511034750.
Grupo Sousa Investimentos SGPS Lda. is the data controller under the GDPR. Its Data Protection Officer can be contacted via the following e-mail: rgpd@gruposousa.pt.
Processing
This privacy policy applies to all personal data collected and processed by Porto Santo Line – Atividades Turísticas, Lda., in the context of its business activity, ensuring a high level of protection when processing the personal data of vulnerable data subjects, especially children.
For the pursuit of specific processing purposes, Grupo Sousa Investimentos SGPS Lda. collects and processes, depending on the context and the established commercial relationship, the personal data of the following data subjects:
1. Clients and their respective representatives;
2. Service users;
3. Individual suppliers and their respective representatives;
4. Other individual partners and their respective representatives;
5. Employees and collaborators.
Consequently, the personal data collected by Condomínio do Aparthotel Luamar Sito no Sitio da Ponta through the website, the concluded contract, or other collection methods may include, among others, the following: name, citizen card, date of birth of dependents, date of birth, e-mail, marital status, job functions performed, educational qualifications, age, identification of the spouse, place of birth, address, nationality, names of dependents, tax identification number, IBAN, passport number, telephone number, image, photograph, criminal record, employee number, and biometric data.
The collection and processing, whether manual or automated, of the personal data mentioned above by Grupo Sousa Investimentos SGPS Lda. is intended exclusively for the following specific purposes:
1. Provision of its products and contracted services;
2. Compliance with legal obligations, in which case Grupo Sousa Investimentos SGPS Lda. may have to transmit the data to public entities whenever legally required;
3. Safeguarding the legitimate interests of Grupo Sousa Investimentos SGPS Lda., namely video surveillance for the protection of persons and property;
4. Formation and execution of employment and service contracts;
5. Proposal and award of public and private tenders;
6. Management of customer contacts.
Legal Bases for Data Processing
Personal data is processed for the specific, explicit, and legitimate purposes mentioned above and may not subsequently be processed in a manner incompatible with these purposes.
In this context, data subjects are provided with their respective information obligations.
1. Grupo Sousa Investimentos SGPS Lda. processes the personal data necessary for the formation, execution, and management of contracts in which the data subject is a party or for pre-contractual procedures at the request of the data subject.
Examples
Registering invoices – accounts payable; Creating records of customers, suppliers and employees; Salary processing; Opening and maintaining bank accounts.
2. Grupo Sousa Investimentos SGPS Lda. processes the personal data necessary to ensure compliance with various legal obligations – both national and European – to which it is subject.
Examples
Fulfilment of legal obligations (executions); Register of working time; Claims for seizure from suppliers; VAT refunds.
3. Grupo Sousa Investimentos SGPS Lda. processes the personal data necessary to safeguard its legitimate interests or those of third parties.
Examples
Audit and internal control; Back-ups; Investment subsidy; Provision and maintenance of servers.
4. Grupo Sousa Investimentos SGPS Lda. may carry out other processing of personal data when it has obtained the prior, free, explicit, and informed consent of the data subject.
Examples
Spontaneous applications; Candidate database management; Photograph for employee portal.
The processing of personal data of children under 13 years of age, within the scope of the direct provision of information society services, is preceded by consent given by the person who can prove to be the holder of the corresponding parental responsibilities.
Principles Observed in Data Processing
Grupo Sousa Investimentos SGPS Lda. processes data in accordance with the principles of lawfulness, fairness, transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity; confidentiality; and accountability.
Rights of the Data Subjects
In addition to the right to be informed, Grupo Sousa Investimentos SGPS Lda. ensures that data subjects may exercise their rights, namely:
(i) Directly, through the data subjects;
(ii) Through the holders of parental responsibilities when it concerns children under 13;
(iii) Through the heirs, in the case of deceased persons.
Data Subject Right Description
In accordance with the law, data subjects may exercise the rights mentioned above by submitting a written request to Grupo Sousa Investimentos SGPS Lda., using the provided GDPR Form, sent to the following e-mail address: rgpd@gruposousa.pt.
Data Retention
Grupo Sousa Investimentos SGPS Lda. retains personal data for the time necessary and as long as the legitimate purposes for which the data is processed persist, in compliance with the legal, regulatory, and contractual obligations to which it is subject.
Grupo Sousa Investimentos SGPS Lda. adheres to the legal requirements regarding the retention periods of personal data, and may retain such data:
a) Up to ten years after the termination of the contractual relationship;
b) As long as there are obligations arising from the contractual relationship;
c) As long as a claim may be made against Grupo Sousa Investimentos SGPS Lda.
Data Sharing
Grupo Sousa Investimentos SGPS Lda. may transmit data to companies within Grupo Sousa, ensuring data confidentiality, compliance with the implemented privacy policy according to the applicable legal requirements, and its use in accordance with the corporate purpose of the Grupo Sousa companies, and always in a manner compatible with the processing purposes.
Grupo Sousa Investimentos SGPS Lda. may also transmit personal data in compliance with legal obligations and/or judicial orders, especially under legal duties to cooperate with public institutions and authorities.
Subcontractors
In the performance of its activities, Grupo Sousa Investimentos SGPS Lda. may use third parties – Subcontractors – to provide certain services, which may involve those third parties accessing personal data of the clients, employees, collaborators, and suppliers of Grupo Sousa Investimentos SGPS Lda.
Grupo Sousa Investimentos SGPS Lda. ensures that, in these circumstances, appropriate technical and organizational measures are adopted to guarantee that the subcontracted entities comply with applicable legal requirements and provide adequate guarantees regarding data protection.
Thus, any subcontractor of Grupo Sousa Investimentos SGPS Lda. will process personal data on behalf of and for the account of Grupo Sousa Investimentos SGPS Lda., in strict compliance with the instructions contractually stipulated by Grupo Sousa Investimentos SGPS Lda.
Security Measures
Grupo Sousa Investimentos SGPS Lda. guarantees adequate levels of security and protection for the personal data of data subjects. For this purpose, it adopts various technical and organizational security measures to protect personal data against loss, dissemination, alteration, unauthorized processing or access, as well as against any other form of unlawful processing, namely:
• Data is transferred only in an encrypted manner;
• Permanent monitoring of access to information technology systems is carried out to prevent, detect, and inhibit the misuse of personal data;
• Physical security systems are used for data stored on paper;
• A procedure for data destruction is adopted after the expiration of the respective legal retention period;
• Traceability of data stored in digital folders is ensured through the creation of profiles accessible by user and password;
• A policy of daily, tri-daily, and monthly backups is maintained;
• Regular audits are conducted to assess the effectiveness of the adopted technical and organizational measures;
• Regular awareness and training actions on personal data protection are promoted for employees;
• Mechanisms are adopted to ensure the confidentiality, integrity, and availability of personal data and the resilience of the information systems in which such data is processed;
• Mechanisms are in place to guarantee the rapid restoration of information systems and access to personal data in the event of a physical or technical incident;
• It is ensured that the processing of children’s personal data is preceded by consent from someone who can prove to be the holder of parental responsibilities and the provision of clear and simple information;
• Compliance is guaranteed for the processing of deceased persons’ data, and it is ensured that the respective rights are exercised by person designated by the deceased or by the respective heirs.
Personal Data Breach
Grupo Sousa Investimentos SGPS Lda. will notify data subjects in the event of a breach that poses a high risk to their rights and freedoms, undertaking to do so within 72 hours from the occurrence of the incident.
Data Protection Officer (DPO)
Grupo Sousa Investimentos SGPS Lda. has appointed a Data Protection Officer, to whom any questions regarding the protection of personal data may be addressed via e-mail at rgpd@gruposousa.pt.
Changes to the Privacy Policy
Grupo Sousa Investimentos SGPS Lda. may update or adjust this Privacy Policy, and any such changes will be duly published.
GDPR Form – Request for the Exercise of Rights – Processing of Personal Data