I. Purpose
The present Privacy Policy describes the guidelines and principles adopted by Silvex to ensure the protection of its suppliers and their representatives, as data subjects, establishing guidelines regarding their rights and the processing and free circulation of personal data.
This document provides the guidelines to act with integrity and in compliance with regulatory requirements under data privacy and should be respected by all of Silvex’s employees.
Silvex commits to give its employees the appropriate training in their roles in dealing with matters of privacy. Nevertheless, all employees must also be aware of the existence of this Privacy Policy and understand it. Requests for clarification on the Privacy Policy should be addressed to the following e-mail: rgpd@silvex.pt.
II. Scope and changes
Silvex reserves the right to alter this policy when necessary and it is subject to periodic reviews to ensure conformity with applicable laws, regulations and good business practices. Changes shall be made and approved by Silvex’s Administration and will be published on Silvex’s website so that the data subjects can consult the document at any time.
The current version of this policy will remain available at all times on the Internet, in this page, and will be made available to suppliers and their respective representatives before the collection of any personal data.
III. Application of national laws
The General Data Protection Regulation’s main objective is to ensure respect for the fundamental right that each person has to decide the use of his or her personal data. The GDPR covers all companies operating in the European Union and the national law of each country will take precedence over it in case of conflict or in situations where the requirements of national law are more stringent.
Silvex is responsible for ensuring compliance with this policy and the applicable laws. In the event of the detection of any conflict between the contents of this policy and any law or guideline, Silvex’s Data Processing Officers (DPOs) must be immediately informed.
The General Data Protection Regulation can be found at: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ%3AL%3A2016%3A119%3ATOC
At the time of the creation of this privacy policy (April 2018), the national legislation regulating the implementation of the Regulation in Portugal was still pending approval.
Once approved, the processing of personal data by Silvex will take this legislation into due account, and Silvex may even modify the present policy in accordance with the precepts then approved.
IV. Rights of the data subject
As for any information requests on personal data, Silvex will guarantee the security of the data by requesting authentication by the data subject. Silvex ensures a response time of less than one month, save in exceptional cases for which, given the complexity of the request and/or the number of requests made, a response time of up to 2 months will be defined. If the response time is extended, Silvex will notify the data subject, within a maximum of one month from the date of receipt of the request, of the reasons for the delay in the response to the request.
All information requests will be analysed to verify compliance with regulatory requirements. Whenever there is a legal framework preventing the data subject from invoking certain rights, Silvex reserves the right to not respond to the request by informing the data subject of the reasons why his or her request will not be satisfied and of the possibility to submit a complaint to a supervisory authority and file a lawsuit. When the requests placed by a data subject are manifestly unfounded or excessive, Silvex reserves the right to demand the payment of a fee that is equivalent to the administrative costs incurred by Silvex to respond to the requests.
The rights of the suppliers and their representatives, as data subjects, are listed below, noting their particularities and the means made available by Silvex so that they can invoke these rights. The preferential means of communication to invoke each right are presented. However, for other situations that are not contemplated, the data subject can place their request through one of the channels presented in section XV. Contacts.
a. Right to transparent communication
Silvex will inform the data subject in a clear and transparent manner about the processing of personal data, at the time of its collection, by communicating the following information:
- The purpose(s) of the processing for which the personal data is intended;
- The lawful basis for the processing (legitimate interests of Silvex, legal or contractual obligation or others), as well as the possible consequences of not providing such data;
- The categories of recipients of personal data, if applicable;
- Whether personal data is transferred to a third country or an international organisation, should this occur;
- The period of storage of personal data or, if it is not possible, the criteria used to define this period;
- The existence of automated decision-making, if applicable;
- Your rights as the data subject (presented in this section), which include the right to file a complaint with a supervisory authority;
- Silvex’s contacts.
If the data is not obtained from the data subject and the data subject has not been informed about the collection of personal data, Silvex shall ensure that, within a reasonable time after obtaining the personal data, the data subject is informed of the above mentioned points, as well as of the following:
- The origin of the personal data;
- The category of the data that has been collected.
Silvex commits to always inform the data subject of its intention to use their data for other purposes than those previously reported.
b. Right of access
Silvex ensures the existence of means to enable the data subject to access the personal data that it holds on them, as well as the information listed in section a. Right to transparent communication.
If requested by the data subject, Silvex will send a copy of his/her personal data that is being processed, in electronic format.
If the information requested by the data subject impairs or compromises the rights and freedoms of third parties, Silvex, in accordance with regulatory requirements, will not follow up on the request for access.
c. Right to rectification
Silvex ensures that the data subject can rectify their personal data, if it is incorrect, or complete it, if it is incomplete.
As data subjects, Silvex’s suppliers, as well as their representatives, should request it through the contacts indicated in section XV. Contacts of the present document.
d. Right to be forgotten
Silvex ensures the necessary means for the data subject to request the erasure of their personal data. The requests received will be reviewed and, if considered valid in light of the regulatory requirements, Silvex commits to "forget" the data within a reasonable time, from the end of the period of necessity of the data for the purpose for which it is intended and which necessarily legitimises the processing of the personal data of the supplier or its representatives. If the requests are not considered valid, Silvex will not process them and will inform the data subject of the reasons associated with that decision.
e. Right to object
Silvex ensures the necessary means so that the data subject may object to certain personal data processing for certain purposes, subject to any applicable policies or laws. If the requests are not considered valid, Silvex will not process them and will inform the data subject of the reasons associated with that decision.
f. Restriction of processing
Silvex ensures the necessary means for the data subjects to request the restriction of processing of their personal data, ensuring data accuracy and limiting the legitimate treatment to the necessary time period.
g. Right to data portability
Silvex provides the necessary means for the data subject to request a copy of their data to be sent to another entity. This data will be transmitted in a digital and structured format.
Silvex reserves the right to refuse portability requests whenever this negatively affects the rights and freedoms of others or conflicts with any legal requirement.
In any case, Silvex reserves the right to demand the payment of a fee that is equivalent to the administrative costs incurred to respond to the request and/or process it.
h. Automated individual decision-making
Silvex does not make decisions regarding its suppliers and respective representatives using automated decision-making processes.
V. Principles for data processing
a. Lawful, loyal and transparent
Personal data is obtained and processed in a lawful and transparent manner, informing the data subject of the data collected, the purposes for which the data is processed, the recipients to whom it is to be communicated and the period for which the personal data will be stored.
b. Specified, explicit and legitimate purposes
Personal data is collected for specified, explicit and legitimate purposes and cannot be further processed in a manner that is incompatible with those purposes.
c. Integrity and confidentiality of data
The security of personal data is ensured through the adoption of measures that allow its protection against unauthorised or unlawful processing as well as its accidental loss, destruction or damage.
d. Accuracy and updating of data
The accuracy and updating of the data is ensured through the provision of specific channels that allow the data subject to communicate any updates, as well as measures for revision and analysis of the quality of the data, which will guarantee that inaccurate data is erased or rectified immediately.
e. Data Minimisation
Data collection operations are subject to prior analysis to ensure that only relevant and strictly necessary personal data is collected, with reference to the purpose of the processing. With this in mind, information collection operations are carried out through forms with limited fields in order to guarantee that the data subject does not communicate any personal data other than what is required for that particular situation.
f. Storage of data for no longer than is necessary for the purposes for which the personal data is processed
Personal data is stored for a predefined period, called the storage period. This time period is established by taking into consideration the time that is necessary for the completion of the purposes for which the data is processed. After the storage period, the personal data is deleted or anonymised and it will no longer be possible to relate the data to its subject.
g. Responsibility for the data
Silvex holds responsibility for the collection and processing of the data subject’s personal data, even if third party subcontractors carry out the processing.
VI. Procedures for collecting and processing clients’ personal data
During its activity, Silvex collects and processes personal data belonging to suppliers and their representatives, for various purposes. The collection and processing of this information has a legal framework and is carried out in accordance with the regulatory and legal requirements in force, except in situations for which the consent of these data subjects is requested. The processing operations performed by Silvex in this context are as follows:
a. Purpose 1: Management of business contacts that are established with suppliers and potential suppliers and of subsequent contracts for the supply of products or the rendering of services, as well as following up and processing complaints related to the contracted supplies.
Lawful Basis for Processing: contractual relationship with the supplier, or a legitimate interest in obtaining commercial information from suppliers or potential suppliers, regardless of whether or not they lead to entering into a contract.
b. Purpose 2: Compliance with the legal obligation of the Controller to keep the suppliers’ data and the orders made, in accordance with applicable tax rules.
Lawful Basis for Processing: Compliance with the legal obligation to keep invoices.
c. Purpose 3: Submission of information and/or commercial communications addressed by any means about the products and services offered by Silvex.
Lawful Basis for Processing: The Controller’s legitimate interest to promote, to its suppliers, the company’s products and services.
d. Purpose 4: Protection of people and goods at the premises of the Controller, by means of image collection through video surveillance systems.
Lawful Basis for Processing: Public interest in the prevention and deterrence of unlawful acts and the Controller’s legitimate interest to protect its own assets and the assets of its employees, suppliers and clients, as well as to protect the same people.
VII. Obligation to indicate certain data; consequences of not providing data.
Failure to provide other data requested may hinder and possibly prevent the execution of the intended purpose.
VIII. Data storage period
The personal data provided will be kept for the period necessary for the performance of the contract or the accessory aspects related to the contractual relationship (proof of relationship, management of complaints, management of administrative endeavours) and, as long as its erasure isn’t requested, it will be kept for a maximum period of five years since the last order, as long as it is adequate and pertinent to the purposes they are intended for and its processing will be limited to what is strictly necessary for those purposes. Billing data will be kept for the legally established period, currently set at ten years.
Data referring to business contacts with potential suppliers or their representatives that have not led to entering into a contract will be kept, as long as its erasure is not requested, for a maximum period of two years since the last business contact.
The data resulting from the Video Surveillance systems shall be stored for a minimum period of 30 (thirty) days and a maximum period that may reach 6 (six) months, which will be defined on a case by case basis by the corresponding authorisation or impact assessment.
The collected data shall be kept for the indicated periods as long as they prove to be appropriate and relevant for the purposes for which they are intended and its processing shall be limited to what is strictly necessary for such purposes.
IX. Transfer of personal data to third parties
Silvex retains responsibility over the suitability of the data processing, even when subcontractors carry out the processing.
Throughout this transmission of personal data, Silvex will ensure compliance with applicable regulatory requirements.
During the process of contracting these services, Silvex will verify that the entity it intends to subcontract has an adequate level of data protection. To this end, Silvex will apply a set of measures to ensure that data is only transferred to entities that present sufficient guarantees of executing technical and organisational measures that are appropriate to the processing of personal data, of complying with regulatory requirements and of ensuring the protection of the rights and freedoms of the data subjects. For this reason, data will only be transferred after entering into a contract which contains a set of pre-defined clauses that establish the object and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects, the obligations and the rights of both parties.
These contracts will stipulate that the subcontracted entities will only carry out processing that is requested by Silvex and will impose requirements to ensure the correct processing of this data, in accordance with the principles set out in section V. Principles for data processing, as well as the existence of the necessary mechanisms to enforce the rights set out in section IV. Rights of the data subject.
Silvex will adopt the necessary measures to monitor the activities of the subcontractor.
Data is not currently transferred to third countries or to international organisations.
X. Processing Confidentiality
The obligation of confidentiality imposed on Silvex’s employees regarding data collected by the company is obtained in the employment contract, is emphasised by the privacy policies in force in the company and will remain even after they have ceased to work in the organisation. Any unauthorised collection, processing or use of data is strictly prohibited and will be subjected to disciplinary action.
XI. Processing Security
Regarding data storage, there are defined security procedures and controls in place, both physically and digitally, to ensure the integrity of the data and access control.
Access to Silvex’s physical files is limited to employees authorised for this purpose and the files are segregated by categories of processing.
Regarding the security of the information systems, Silvex establishes security controls to be applied to stored data, in particular to personal data. Access to data is segregated and limited by necessity and registration and monitoring of the access logs is performed. Wherever possible, data protection mechanisms such as encryption, anonymisation or pseudonymisation of data are applied. Procedures and rules for performing backups to the information systems are defined. Silvex also defined a business continuity plan for it and the corresponding disaster recovery plan, which allow the reduction of the risk of loss of data or of data integrity. These plans are reviewed periodically and subjected to testing.
XII. Data Protection Control
XIII. Data Protection Incidents
Silvex’s suppliers and their representatives, as data subjects, should use these channels. On the other hand, all employees are responsible for informing the company’s Directors of any suspicions of a data breach incident, when faced with such a situation, which they have the possibility of doing anonymously.
When an incident that poses a risk to the affected data subjects occurs, Silvex immediately triggers a set of measures for risk mitigation and reports the incident to the supervisory authority within a reasonable time, up to a maximum of 72 hours after its identification. If the risk to the subjects of the affected data is considered high, Silvex undertakes the commitment to inform them of the occurrence of the incident, of the potential consequences, of the measures adopted (or that shall be adopted) to repair the situation and mitigate any negative effects, as well as the name and contacts of the people responsible for following up on the incident, without undue delay.
XIV. Responsibilities and sanctions
Silvex is subject to inspections by the supervisory authority, the National Data Protection Commission (Comissão Nacional de Proteção de Dados). Unlawful processing of personal data or other violations of data protection laws make Silvex liable to legal action. Employees who are held liable for data protection violations are subject to disciplinary sanctions in accordance with the labor law in force and may also be subject to civil or criminal liability.