Personal Data Protection Policy | Visabeira I&D

Latest update: 13/01/2025

Introduction and Goal 
Visabeira I&D, hereinafter referred to as the Organisation, in compliance with its legal obligations, has made every effort to inform employees, partners and the general public in a transparent manner about the way in which it processes the personal data of the different people it deals with in the course of its business.

To this end, it has published this Data Protection Policy, which aims to establish the guiding principles for processing personal data carried out by the Organisation, aiming to provide the information necessary to understand how the personal data of various data subjects is processed.

The terms and notions used in this Policy should be read as referring to the equivalent terms provided for in the General Data Protection Regulation, approved by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, abbreviated as GDPR, and related legislation.

If you have any doubts or questions regarding the processing of data by the Organisation, you can contact our Data Protection Officer “DPO” at the following email address: dpo@grupovisabeira.com

Personal data processor
The data processor is Visabeira Investigação e Desenvolvimento, S.A., based at Palácio do Gelo Shopping, n.º 1, Piso 3, 3500-606 Viseu, Portugal.

Personal data categories
The Organisation is a Grupo Visabeira company focused on creating value by carrying out research, development and innovation activities, within the ICT technical and scientific areas, for Grupo Visabeira companies as well as for external public or private companies.

Research, development and innovation activities aim at the development, growth and digital transformation of organisations, through digital or technological solutions which promote:

  • Better management, decision making support and competitive intelligence.
  • Better communication, based on optimising the interaction and involvement of the workforce throughout the operations lifecycle.

Within the scope of its activity and in order to manage the various legal relationships (labour, commercial and others), the Organisation needs to process the following categories of personal data, among others:

  1. Identification data: e.g. first name and surname, identification document number, tax identification number, date of birth, photograph, household make-up;
  2. Contact details: e.g. email address, landline and mobile phone number, address, business address;
  3. Socio-economic data: e.g. academic background, profession, data on professional certifications and qualifications, membership in professional organisations;
  4. Contractual data: e.g. data contained in contracts signed with the Organisation;
  5. Bank details: e.g. bank account numbers, IBAN, SWIFT and any data necessary for processing payments or receipts;
  6. Health data: e.g. data necessary for insurance subscriptions for employees and other service providers, where applicable;
  7. Biometric data: e.g. fingerprint matrix, facial image, when necessary for access control;
  8. Sound and image data: e.g. photographs, video, sound at events;
  9. Internet browsing data: e.g. IP address; user ID; browser used; session cookies; user cookies.

Data subjects, purposes and grounds for processing

| Data subject | Data categories | Purposes of processing personal data | Ground for lawfulness |
|---|---|---|---|
| Candidates | Identification data; Contact data; Socio-economic data | Assessment and possible selection to perform duties in the Organisation | Pre-contractual enquiries |
| Employees | Identification data; Contact data; Socio-economic data; Bank details; Health data; Biometric data; Image and voice | Labour contract registration and management, including attendance control and access to facilities; Occupational accident insurance contract; Legal obligations inherent to the labour relationship; Video surveillance to protect people and property; Corporate events | Contract execution; Compliance with legal obligations; Legitimate interest; Consent |
| Suppliers | Identification data; Contact data; Bank details; Image and voice | Conclusion and management of supply and service contracts; Access management when necessary to carry out the contract; Corporate events | Contract execution; Compliance with legal obligations; Legitimate interest; Consent |
| Clients | Identification data; Contact data; Bank details; Image and voice | Conclusion and management of supply and service contracts; Access management when necessary to carry out the contract; Corporate events | Contract execution; Compliance with legal obligations; Legitimate interest; Consent |
| Employees and partners of public and private entities | Identification data; Contact data; Socio-economic data; Bank details | When necessary for contracting financing and applying for public or private subsidies | Pre-contractual due diligence / Execution of the contract |
| Website visitors and newsletter subscribers | Browsing data; Identification data; Contact data | Statistical analysis and management of website traffic; Sending information and advertising | Consent |
| Visitors to the Organisation’s premises | Identification data | Access control; Protection of people and property | Legitimate interest |

In specific situations, it might be necessary to process your data for other reasons, and in these cases the data subjects will be informed of the processing that will be carried out in that specific situation, as well as of all the relevant details for understanding the operations that will be carried out.

Data sharing and transfer, and recipients
Within the scope of the various personal data processing operations necessary for the purposes listed above, the Organisation may need to share and transfer data to various entities, namely:

  1. Subcontractors: third parties that carry out part of the data processing activity;
  2. Authorised personnel: individuals who have been designated to carry out data processing tasks;
  3. Customers and suppliers: within the scope of the company’s commercial activity, for example, the provision of services;
  4. Supervisory bodies or supervisory authorities: within the scope of participation in projects financed by European funds and in other situations;
  5. Public authorities and legal authorities: when required by law (e.g. for tax purposes).

As a rule, the Organisation does not transfer personal data to countries outside the European Economic Area (EEA). The Organisation will only transfer personal data outside the EEA where this is absolutely necessary for the stated processing purposes, and in accordance with the following measures:

  • Where the transfer is carried out to a location or by a method or in circumstances that the European Commission considers to ensure adequate protection of personal data;
  • Where it has implemented standard contractual data protection clauses approved by the European Commission or a competent supervisory authority; or
  • Where none of the above applies, but the law nevertheless authorizes such a transfer, for example if it is necessary for the establishment, exercise or defense of legal claims.

Retention Period
The Organisation will retain the personal data in accordance with its use and the legal requirements, as described below:

| Types of use | Retention period |
|---|---|
| Employee’s process | 5 years after the termination of the employment contract. |
| Accidents at work | 5 years after the termination of the employment contract; or until the end of the limitation period for any rights and obligations, including civil liability. |
| Biometric data for attendance and access control | Until the end of the employment contract. |
| Record of Social Security contributions under the employment contract | 5 years after the date on which the obligation should have been fulfilled. |
| Assistance in rebuilding the career path | No time limit. |
| Tax and accounting obligations arising from contracts, including labour contracts | 10 years after the termination of the contract. |
| Evaluation of budgets and other pre-contractual activities | 6 months after receiving the budget. |
| Contract management and execution | Until the end of the contract; until the end of the limitation period for any rights and obligations arising from the contract, including civil liability. |
| Tax and accounting obligations arising from contracts, including labour contracts | 10 years after the termination of the contract. |
| Prevention of money laundering and terrorist financing | 7 years after the termination of the contract. |
| Visitor access control | Once the purpose has been exhausted. |
| Complaints management | 3 years. |
| Advertising purposes | Until revocation of consent (note that revocation of consent does not affect the lawfulness of past data processing). |

Rights of data subjects

Data subjects whose personal data is processed by the Organisation have the following legally established rights:

Information on how their personal data is being used:

Data subjects have the right to be informed about how their personal data is used and shared.

Right of access:

Data subjects have the right to know what personal data is being processed and for what purpose and may request access to it at any time.

Right to rectification:

Data subjects have the right to request the rectification and updating of any inaccurate or incomplete personal data.

The right to erasure (in circumstances where this is allowed):

Data subjects have the right to request that, where applicable, certain information held by the Organisation be deleted, without affecting the processing operations prior to the request.

In some cases, for example, if the information is necessary to propose or serve as a defence in any administrative claims, legal actions or for compliance with legal obligations, the Organisation may keep the personal data that has been requested to be deleted.

Right to restriction of processing:

Under certain circumstances, data subjects have the right to ask the Organisation to limit future processing of their personal data.

Right to data portability:

Under certain circumstances, data subjects have the right to ask the Organisation to limit future processing of their personal data.

Furthermore, they have the right to request that this data be directly transferred to another data processor, provided that it is technically possible.
This right applies only to information that data subjects have provided to the Organisation with their consent or that is processed by the Organisation using automated means.

Handing over this data can be costly, particularly in technically complex cases.

The right to object:

Data subjects have the right to object at any time, for reasons related to their particular situation, to certain types of processing, where such processing takes place for the purposes of the legitimate interest of the Organisation or of third parties.

The Organisation may continue to process such data if it can prove “overriding legitimate reasons for the processing that override your interests, rights and freedoms” or if such data is necessary for the establishment, exercise or defense of a right in a legal proceeding.

The rights in terms of automated decision-making and profiling:

Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces a legal effect or similarly significantly affects them.

The right to file a complaint:

Besides the right to file a complaint with the Organisation, data subjects have the right to file a complaint with the competent supervisory authorities (in Portugal, the Comissão Nacional de Proteção de Dados – CNPD [National Data Protection Commission]), if they consider that the processing carried out violates their rights and/or the Data Protection Legislation.

Exercising the rights of data subjects

Data subjects may exercise their rights by contacting the Organisation by email at dpo@grupovisabeira.com.

You can file a complaint to the CNPD at www.cnpd.pt.

Security measures

The Organisation protects the information of all those it relates to by implementing technical and organisational measures which, taking into account the most advanced techniques, the costs of implementation, and the nature, scope, context and purposes of each processing of personal data carried out under its responsibility, make it possible to reduce the risks, of varying magnitude and intensity, which could affect the fundamental rights and freedoms of the affected data subjects in the event of a personal data breach.

In particular, the following measures are in place to ensure the confidentiality, integrity and availability of any information considered personal data:

  • Access control: Only authorised personnel whose job requires access to personal data have permission to view it, and this access is managed by strong authentication systems and monitored regularly.
  • Encryption: Personal data is protected during storage and transfer by means of encryption mechanisms, reducing the risk of unauthorised access.
  • Monitoring and Audit: The Organisation implements permanent monitoring systems and regular audits to identify and reduce potential vulnerabilities and prevent security incidents.
  • Threat Protection: The Organisation uses security solutions such as firewalls, intrusion prevention systems, antivirus and vulnerability management to prevent cyber-attacks and unauthorised access.
  • Physical Security: The Organisation’s premises are protected with physical access controls, surveillance systems and additional measures to ensure that data stored in physical or digital format is kept in secure locations.
  • Risk Management and Continuity: The Information Security Management System of the Organisation includes regular risk analysis and a business continuity plan, ensuring preparedness to respond effectively to incidents which could affect data security.
  • Training and awareness-raising: All the Organisation’s employees undergo regular training in good security and data protection practices, promoting an organisational culture focused on information security.
  • Incident Management: The Organisation has a strong procedure for identifying, reporting, investigating and reducing security incidents related to personal data, guaranteeing a swift and effective response.

Violations of this Privacy Policy by employees of the Organisation may give rise to disciplinary action.

Changes to the Data Protection Policy

A full copy of this Data Protection Policy can be obtained digitally from the Organisation’s website.

In order to make this document more effective, no significant changes are planned. However, for the sake of detail, the Organisation reserves the right to update this Data Protection Policy at any time, with all changes considered effective from the date of publication.

Other policies

With regard to the processing of personal data which the Organisation carries out when the website is visited, as well as through the use of cookies, data subjects should consult the Privacy Policy and Cookies Policy, respectively.