Privacy Policy

Personal data protection policy 

1.02 version from 2018-06-29

 

1. Scope and objectives

Unipartner, as an information systems and technologies services company established in Portugal and primarily aimed at European markets, ensures the protection of personal data as a key aspect of its activity, present and future, and identifies it as a differentiator and business generator, not only because of the importance that the trust of employees, partners and customers has in its activity, but also because this practice constitutes an offer area, part of its portfolio of products and services. 

This personal data protection policy was developed with the aim of making Unipartner's customers, employees, subcontractors and contacts aware of the principles, rights and obligations to be fulfilled in terms of personal data protection and how they should be complied with in the context of any business activities in which the processing of personal data takes place and regardless the role of Unipartner (responsible, joint responsible or subcontractor) in such processing. 

The policy is based on the aforementioned legal and technical standards, of which the GDRP stands out, due to its specificity in the field of personal data protection and the transversality of its application, both material and territorial. 

The adoption of the provisions of these standards takes into account their applicability to the activities carried out by Unipartner, the risk assessments made, and the strategic options taken, safeguarding the rights of their holders, the sustainability of Unipartner and its customers and its differentiation in an increasingly demanding, global and technological market context. Regarding the technical standards identified, Unipartner will continue to formalize certification in cases where the markets in which it operates require it or where this factor is perceived as a differentiator, naturally not failing to adopt the good practices it deems relevant and appropriate for the protection of personal data. 

The policy resulted from a diagnosis involving all internal areas, the most relevant external partners and subcontractors, having established a set of specific provisions, which is an integral part of this policy and aims to standardize the operationalization of the general provisions contained in the legal diplomas and the technical standards, and an implementation plan for the measures identified, an operational instrument to be maintained independently of this policy. The incremental implementation of the identified measures does not affect the fulfillment of Unipartner's obligations, but it contributes to the operationalization of measures and the evolution in the maturity of the practices to be made more effectively. 

 

1.1.What is personal data protection  

The protection of natural persons regarding the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (Charter) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) establish that everyone has the right to the protection of personal data that concern them. 

The principles and rules in this matter aim to respect the fundamental rights and freedoms of natural persons regardless of nationality or place of residence and contribute to freedom, security and justice, to economic and social progress, to the consolidation and convergence of economies. within the European internal market and for the well-being of natural persons. 

Unipartner is responsible for complying with all legal obligations regarding the processing of personal data in which it participates, to the extent of such participation (level of responsibility established individually for each processing of personal data). 

Unipartner subcontracts personal data processing activities to partner companies. These companies may also act as joint responsible, if they intervene in defining the purposes and/or means of processing personal data. 

Unipartner processes personal data as a subcontractor of client companies. It may also act as a joint responsible, if it intervenes in defining the purposes and/or means of processing personal data. Unipartner is responsible for any violations of the binding rules applicable to companies committed by entities involved that are not established in the EU, except when the fact that caused the damage is not attributable to Unipartner.

​

1.2.Characterization and main processing of personal data 

1.2.1. External Perspective

Unipartner, within the scope of the services it provides and the projects it develops with its partners and for its customers, may process personal data of any category of holders, of any type (including special categories and convictions/offences) and for any purpose, provided that all legal requirements are complied with, in strict accordance with established contracts and with the level of responsibility assumed (generally, as a subcontractor). 

 

1.2.2. Activities not covered by the GDRP 

Unipartner does not carry out, from an internal perspective, any activity outside the material scope of the GDRP, namely activities not subject to EU law, common foreign and security policy or investigation, detection and prosecution of infractions and execution of criminal sanctions. 

However, due to the nature of the services it provides, it may intervene in the processing of personal data that fall within these exceptions, in the context of the business activities of its partners and customers. The provisions of this policy also apply in these cases, as long as they do not contravene the specific regimes to which these processing of personal data are subject. 

​

1.2.3. Purposes for processing personal data 

Given the importance of defining the purposes of treatment for the effectiveness of all systems in complying with the provisions, in particular the universality of interpretation and application in the different contexts of the activity and life of partners/clients and owners, Unipartner adopts an approach based on the following principles: 

• Functional: the purposes of processing personal data correspond to the purposes of the business processes in the context of which these treatments take place; for analysis and communication purposes, these (specific) purposes can be aggregated into (generic) purposes corresponding to the business functions in which the processes fit (a process fits into a single function); 

• Organizational supra: the purposes are seen in the same way regardless of the type of intervention that the organization has in the processes (ex: client or provider); the same organization can play different roles in different instances/occurrences of the same process and, in all these cases, defines the purposes in the same way.

As it is aligned with all these principles, Unipartner adopts the consolidated list of business processes (LC), integrated in the functional macrostructure (MEF), defined by the Portuguese State, as a reference for defining the purposes of processing personal data. In this sense, each of the processes/purposes will correspond to a single business process in the LC. 

​

1.2.4. Transfer and provision of personal data to third countries and international organizations 

Unipartner respects and enforces the legal provisions relating to the protection of personal data in data transfers to third countries and international organizations, namely with regard to the European Commission's decision regarding the suitability of that country(ies) with regard to the protection of data or, not their absence, as to the adequacy of the guarantees for the exercise of enforceable rights and effective corrective legal measures of that(these) country(ies). 

• Commission adequacy decision (rule of law, independent supervisory authorities, international commitments); 

• Adequate guarantees (without permission: legally binding instrument, binding rules, standard clauses, code of conduct, certification; with authorization: contractual clauses, provisions in administrative agreements). 

 

1.2.5. Registration of personal data processing 

Unipartner has records of personal data processing activities in which it intervenes, containing the following elements: 

• Purpose of personal data processing (business process); 

• Period of conservation, form of counting and final destination of the information; 

• Categories of holders, personal data and recipients (if any); 

• Joint responsible/responsible and subcontractors [subcontractors] (if any); 

• Personal data transfers and adequate safeguards (where applicable); 

• Prior risk assessment and reference for impact assessment and prior consultation with the control authority (where applicable); 

• Technical and organizational measures appropriate to the risks. 

 

1.2.6. Internal Perspective

From an internal perspective, Unipartner maintains data on: 

• Workers: Individuals with a contract established directly with Unipartner; 

• Subcontractors: individual persons subcontracted to Unipartner partners, mainly involved in the delivery of projects and services, but also capable of supporting other activities in the organization; 

• Partners: individuals who perform functions in partner companies, with a direct relationship with Unipartner; 

• Clients: individual persons who perform functions in client companies, with a direct relationship with Unipartner; 

• Contacts: individual people who, not fitting into the previous categories, may in the future fall into one of these categories (ex: candidate, potential client). 

Unipartner does not currently provide services directly to individual customers nor, consequently, does it provide information society services to children (under 16 years of age). 

The processing of personal data carried out in this perspective mainly results from: 

• Legal obligation: compliance with legal provisions with public bodies and services; 

• Contract execution: formation and execution of contracts with workers, subcontractors, partners and customers; 

• Legitimate interest: institutional communication, marketing of products and services. 

There are also treatments based on vital interests and consent. 

Unipartner maintains and only processes personal data that are adequate, pertinent and limited to what is necessary for the purposes. Unipartner does not process data from special categories or convictions/offences, except in the following cases: 

• Racial or ethnic origin, insofar as this can be identifiable through the image (ex: photograph) of the holder; 

• Biometric data (identifying), used exclusively to control access to the facilities and to control attendance (when applicable) by Unipartner and/or its partners/customers; 

• Health data, when required by legal obligation, by the vital interest of the owner or third parties or treated under consent; 

• Convictions/offences, when required by legal obligation or treated under consent. 

Unipartner develops activities with partners and customers established outside the EU, respecting and enforcing the provisions applicable to each particular case. 

 

1.3. Rights of the holders

The rights of holders to be safeguarded within the scope of the protection of personal data are as follows: 

• Information: inform the holder about those responsible, purposes, categories, recipients, guarantees, deadlines, rights, automated decisions and sources, if they have not yet been aware of it and save a disproportionate effort; 

• Access: indicate if there is data to be processed; if so, give access to the data being processed and inform about purposes, categories, recipients, guarantees, deadlines, rights, automated decisions; if requested, deliver other copies (may be subject to payment); 

• Rectification: rectify inaccurate or incomplete data being processed, without undue delay; 

• Erasure: erase data, without undue delay, when not necessary, without consent, opposition, tort, legal obligation and information society services, except freedom of expression and information, legal obligation, public health, public interest file, investigation scientific/historical, statistical or declaration, exercise or defense of rights in legal proceedings; inform those responsible if data transmitted or made public, taking reasonable measures, except for a disproportionate effort; 

• Portability: deliver to the holder or other responsible data provided by the holder in a structured format, in current use and automatically read, if automated and consented treatment; does not apply to treatment of public interest or authority; 

• Consent: treat or stop treatment; consent must be free, informed, specific and express; if a child and an information society service, it requires the consent or authorization of the holder of parental rights, taking into account the available technology; 

• Limitation: limit treatments to conservation, consent, declaration, exercise or defense of rights in legal proceedings or public interest in case of inaccuracy, illicit, unnecessary or opposition; notify recipients if data transmitted, save disproportionate effort; 

• Opposition: cessation of treatments due to the holder's particular situation when justified by public interest or authority, legitimate interest or compatibility, including direct marketing, except for compelling reasons or declaration, exercise or defense in a legal process; if scientific/historical or statistical investigation, public interest is still reserved; 

• Non-exclusive subjection: ensure human intervention in an automated decision with effects in the legal or similar sphere of the holder, except for the execution of a contract, authorized by the law of the Member State or Union or with consent; if special categories, except consent and public interest; 

• Complaint: claim the supervisory authority over the person in charge/subcontractor; 

• Legal action: take legal action on supervisory authority or responsible/subcontractor. 

​

1.4. Data conservation and complementary treatments

The retention of personal data and the additional treatments to which such data may be subject result from specific aspects of the business context in which they were primarily processed. The protection of personal data at these stages requires a systematic approach, which can be applied consistently by all entities that have participated in these main processes or that have had access to them as recipients. 

​

1.4.1. Approach to information management 

The information captured/produced in the context of the business activities of Unipartner and partners/customers, in which Unipartner intervenes, is managed according to common rules, defined based on criteria: 

• Functional, according to the business process in the context of which the information is captured/produced, as well as the context in which this business process is integrated; therefore, thematic, typological and/or organic criteria are excluded which, despite being commonly used, are based on specific points of view or are more ephemeral than the processes carried out by the organization; 

• Supra organizational, insofar as they apply equally regardless of the type of intervention the organization has in the processes (eg, client or provider); 

• Values, establishing for each phase of the information life cycle (continuum) its primary and secondary values; It aims to ensure that valuable information is preserved, while non-value information is eliminated, ensuring an efficient application of resources and greater effectiveness in managing the underlying risks. 

Personal data are an integral part of this information, being (generally) maintained for the periods established for the processes to which they relate, as they are considered necessary taking into account the respective main processing purposes, which justified their collection, and complementary, when rights, freedoms, obligations and/or responsibilities arising from the main treatments prevail (includes declaration, exercise or defense of rights in legal proceedings). 

Personal data may be retained for longer periods if required for archival purposes of public interest, scientific or historical research or statistical purposes. 

​

1.4.2. Information life cycle 

Therefore, the following phases in the information lifecycle are considered: