1. Definitions
1.1 Consent – means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.
1.2 Data controller – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
1.3 Data Subject – any living individual who is the subject of personal data held by an organisation.
1.4 Personal Data – any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.5 Personal Data Breach – any breach of security leading to the accidental, or unlawful, destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. There is an obligation on the controller to report personal data breaches to the supervisory authority and where the breach is likely to adversely affect the personal data or privacy of the data subject.
1.6 Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.7 Processor – a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
1.8 Profiling – is any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person, or to analyse, or predict that person’s performance at work, economic situation, location, health, personal preferences, reliability, or behaviour. This definition is linked to the right of the data subject to object to profiling and a right to be informed about the existence of profiling, of measures based on profiling and the envisaged effects of profiling on the individual.
1.9 Special Categories of Personal Data – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
1.10 Third Party – a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
2. Purpose
2.1 TRADUQUEST is committed to conducting its business in accordance with all applicable Data Protection laws and regulations and in line with the highest standards of ethical conduct. TRADUQUEST is the Data Controller under the Data Protection laws, which means that it determines what purposes personal information held, will be used for.
2.2 This policy sets forth the expected behaviours of all TRADUQUEST employees and Third Parties in relation to the collection, use, retention, transfer, disclosure and destruction of any Personal Data belonging to a Data Subject.
2.3 Personal Data is any information (including opinions and intentions) which relates to an identified or Identifiable Natural Person. Personal Data is subject to certain legal safeguards and other regulations, which impose restrictions on how organisations may process Personal Data. An organisation that handles Personal Data and makes decisions about its use is known as a Data Controller. TRADUQUEST, as a Data Controller, is responsible for ensuring compliance with the Data Protection requirements outlined in this policy.
2.4 TRADUQUEST’s leadership is fully committed to ensuring continued and effective implementation of this policy, and expects all employees and Third Parties to share in this commitment. Any breach of this policy will be taken seriously and may result in disciplinary action or business sanction.
3. Scope
3.1 This policy applies to all TRADUQUEST entities processing Personal Data.
3.2 This policy applies to all Processing of Personal Data in electronic form or where it is held in manual files that are structured in a way that contains information about individuals.
4. Basic principles
4.1 TRADUQUEST has adopted the following principles to govern its collection, use, retention, transfer, disclosure and destruction of Personal Data: Lawfulness, fairness and transparency: Personal Data is processed lawfully, fairly and in a transparent manner in relation to the data subject. Purpose limitation: Any Personal Data collected shall have a specified, explicit and legitimate purpose. Data minimisation: Any Personal Data collected shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Accuracy: Any Personal Data collected shall be accurate and, where necessary, kept up to date. Storage limitation: Personal Data shall not be stored longer than what is necessary for the purposes for which the Personal Data are processed. Integrity and confidentiality: Personal Data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Accountability: TRADUQUEST shall be responsible for, and be able to demonstrate compliance with the above mentioned principles. This policy provides the foundation for adherence to this responsibility.
5. Lawfulness of processing
5.1 TRADUQUEST will Process Personal Data in accordance with all applicable laws and applicable contractual obligations.
5.2 More specifically, TRADUQUEST will not Process Personal Data unless one of the other available foundations for processing is applicable. As non-exhaustive examples of these valid grounds can be mentioned the following: The Data Subject has given valid Consent. Processing necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract. Processing is necessary for compliance with a legal obligation to which the Data Controller is subject.
5.3 To the extent that TRADUQUEST process Special Categories of Data (also known as sensitive data), such processes shall receive special attention in the governance of personal data. Particularly, such processing shall only take place if the more stringent requirements for Processing of Special Categories of Data are fulfilled. As non-exhaustive examples of these valid grounds can be mentioned the following: The Data Subject has given valid Consent. The Processing relates to Personal Data which has already been made public by the Data Subject. The Processing is necessary for the establishment, exercise or defence of legal claims. The Processing is specifically authorised or required by law.
6. Information to data subjects
6.1 TRADUQUEST will, when required by applicable law, contract, or where it considers that it is reasonably appropriate to do so, provide Data Subjects with information as to the purpose of the Processing of their Personal Data.
6.2 When any Personal Data is collected, all appropriate disclosures will be made, in a manner that draws attention to them, unless one of the following apply: The Data Subject already has the information A legal exemption applies to the requirements for disclosure and/or Consent.
6.3 By way of non-exhaustive example, TRADUQUEST has implemented the following standard methods of providing information to Data Subjects: All Personal Data processed on TRADUQUEST’s website is described in a Privacy Policy made available to all users of TRADUQUEST’s website. All Personal Data processed on TRADUQUEST’s own employees, is described in the Employee contracts of each employee.
7. Continued compliance with basic principles
7.1 The basic principles of lawful Processing described in section 4 shall also apply when the same Personal Data is later stored, used and/or shared.
7.2 In particular it is essential to make sure that any changes in the purpose of Processing of Personal Data.
7.3 It is also essential that all stored Personal Data at all times is accurate and up-to-date.[1] In order to achieve this goal, TRADUQUEST has implemented the following procedures: Correcting Personal Data known to be incorrect, inaccurate, incomplete, ambiguous, misleading or outdated, even if the Data Subject does not request rectification. Only storing Personal Data for the period necessary to satisfy the permitted uses or applicable statutory retention period. Restriction, rather than deletion of Personal Data, insofar as: a law prohibits erasure. erasure would impair legitimate interests of the Data Subject. the Data Subject disputes that their Personal Data is correct and it cannot be clearly ascertained whether their information is correct or incorrect.
8. Transfers within the group of companies
8.1 In order for TRADUQUEST to carry out its operations effectively across its various entities, there may be occasions when it is necessary to transfer Personal Data from one entity to another, or to allow access to the Personal Data from an overseas location. Should this occur, the TRADUQUEST entity sending the Personal Data remains responsible for ensuring protection for that Personal Data. All TRADUQUEST entities are located within the EU.
9. Transfers to Third parties
9.1 TRADUQUEST will only transfer Personal Data to, or allow access by, Third Parties when it is assured that the information will be Processed legitimately and protected appropriately by the recipient. Where Third Party Processing takes place, TRADUQUEST will first identify if, under applicable law, the Third Party is considered a Data Controller or a Data Processor of the Personal Data being transferred.
9.2 Where the Third Party is deemed to be a Data Controller, the TRADUQUEST entity will enter into an appropriate agreement with the Controller to clarify each party’s responsibilities in respect to the Personal Data transferred.
9.3 Where the Third Party is deemed to be a Data Processor, TRADUQUEST will enter into an agreement with the Data Processor.
10. Use of data processors
10.1 TRADUQUEST will enter into an agreement with all of its Data Processors.
10.2 The agreement must require the Data Processor to protect the Personal Data from further disclosure and to only Process Personal Data in compliance with TRADUQUEST instructions. In addition, the agreement will require the Data Processor to implement appropriate technical and organisational measures to protect the Personal Data as well as procedures for providing notification of Personal Data Breaches.
10.3 When TRADUQUEST is outsourcing services to a Third Party (including Cloud Computing services), they will identify whether the Third Party will Process Personal Data on its behalf and whether the outsourcing will entail any Third Country transfers of Personal Data. In either case, it will make sure to include adequate provisions in the outsourcing agreement for such Processing and Third Country transfers.
11. Transfer of personal data outside EU
11.1 TRADUQUEST will only transfer Personal Data to internal or Third Party recipients located in country outside of the European Union where the conditions for such a transfer are fulfilled.
12. Security
12.1 TRADUQUEST will adopt physical, technical, and organisational measures to ensure the security of Personal Data. This includes the prevention of loss or damage, unauthorised alteration, access or Processing, and other risks to which it may be exposed by virtue of human action or the physical or natural environment.
12.2 The minimum set of security measures to be adopted by TRADUQUEST is provided in the Information Security Policy. A summary of the Personal Data related security measures is provided below: Prevent unauthorised persons from gaining access to data processing systems in which Personal Data are Processed. Prevent persons entitled to use a data processing system from accessing Personal Data beyond their needs and authorisations. Ensure that Personal Data in the course of electronic transmission during transport cannot be read, copied, modified or removed without authorisation. Ensure that access logs are in place to establish whether, and by whom, the Personal Data was entered into, modified on or removed from a data processing system. Ensure that in the case where Processing is carried out by a Data Processor, the data can be Processed only in accordance with the instructions of the Data Controller. Ensure that Personal Data is protected against undesired destruction or loss. Ensure that Personal Data collected for different purposes can and is Processed separately. Ensure that Personal Data is not kept longer than necessary.
13. Breach Reporting
13.1 Any individual who suspects that a Personal Data Breach has occurred due to the theft or exposure of Personal Data must immediately notify the Data Protection Officer Eduardo Costa providing a description of what occurred. Notification of the incident can me made via e-mail geral [AT] traduquest.com or by calling the phone number +351 262 841 096.
13.2 The Data Protection Officer will investigate all reported incidents to confirm whether or not a Personal Data Breach has occurred. If a Personal Data Breach is confirmed, the Data Protection Officer will follow the relevant authorised procedure based on the criticality and quantity of the Personal Data involved, assessed by the completion of a Data Protection Impact Assesment (DPIA).
14. Limitation of retention period
14.1 To ensure fair Processing, Personal Data will not be retained by TRADUQUEST for longer than necessary in relation to the purposes for which it was originally collected, or for which it was further Processed.
14.2 The length of time for which TRADUQUEST need to retain Personal Data is set out in the Personal Data Retention Schedule. This takes into account the legal and contractual requirements, both minimum and maximum, that influence the retention periods set forth in the schedule. All Personal Data should be deleted or destroyed as soon as possible where it has been confirmed that there is no longer a need to retain it.
15. Notification of Data Protection Officer
15.1 All requests received for access to or rectification of Personal Data must be directed to the appointed Data Protection Officer, who will log each request as it is received.
15.2 The Data Protection Officer will observe that all Data Subject requests are handled in accordance with section 16-18 below.
16. Data Subject request handling procedure
16.1 The Data Protection Officer has established a system to enable and facilitate the exercise of Data Subject rights related to: Information access. Objection to Processing. Objection to automated decision-making and Profiling. Restriction of Processing. Data portability. Data rectification. Data erasure.
16.2 If an individual makes a request relating to any of the rights listed above, TRADUQUEST will consider each such request in accordance with all applicable Data Protection laws and regulations. No administration fee will be charged for considering and/or complying with such an initial request unless the request is deemed to be unnecessary or excessive in nature due to repetitive requests.
17. Information access
17.1 Data Subjects are entitled to obtain, based upon a request made in writing to the Office of Data Protection and upon successful verification of their identity, the following information about their own Personal Data: The purposes of the collection, Processing, use and storage of their Personal Data. The source(s) of the Personal Data, if it was not obtained from the Data Subject; The categories of Personal Data stored for the Data Subject. The recipients or categories of recipients to whom the Personal Data has been or may be transmitted, along with the location of those recipients. The envisaged period of storage for the Personal Data or the rationale for determining the storage period. The use of any automated decision-making, including Profiling.
18. Response time
18.1 A response to each request will be provided within 30 days of the receipt of the written request from the Data Subject. Appropriate verification must confirm that the requestor is the Data Subject or their authorised legal representative. Data Subjects shall have the right to require [Company] to correct or supplement erroneous, misleading, outdated, or incomplete Personal Data. If [Company] cannot respond fully to the request within 30 days, the Office of Data Protection shall nevertheless provide the following information to the Data Subject, or their authorised legal representative within the specified time: An acknowledgement of receipt of the request. Any information located to date. Details of any requested information or modifications which will not be provided to the Data Subject, the reason(s) for the refusal, and any procedures available for appealing the decision. An estimated date by which any remaining responses will be provided. An estimate of any costs to be paid by the Data Subject (e.g. where the request is excessive in nature). The name and contact information of the TRADUQUEST individual who the Data Subject should contact for follow up.
19. Data Protection Officer
19.1 To demonstrate our commitment to Data Protection, and to enhance the effectiveness of our compliance efforts, TRADUQUEST has appointed an employee to be the primary supervisor of TRADUQUEST’s compliance with the Data Protection rules (the DPO).
19.2 The DPO reports directly to the CEO of TRADUQUEST.
19.3 The DPO’s duties include: Informing and advising TRADUQUEST and its Employees who carry out Processing pursuant to Data Protection regulations, national law or Union based Data Protection provisions; Ensuring the alignment of this policy with Data Protection regulations, national law or Union based Data Protection provisions; Providing guidance with regards to carrying out Data Protection Impact Assessments (DPIAs); Acting as a point of contact for and cooperating with Data Protection Authorities (DPAs); Determining the need for notifications to one or more DPAs as a result of TRADUQUEST’s current or intended Personal Data processing activities; Making and keeping current notifications to one or more DPAs as a result of TRADUQUEST’s current or intended Personal Data processing activities; The establishment and operation of a system providing prompt and appropriate responses to Data Subject requests; Informing senior managers, officers, and directors of TRADUQUEST of any potential corporate, civil and criminal penalties which may be levied against TRADUQUEST and/or its Employees for violation of applicable Data Protection laws. Ensuring establishment of procedures and standard contractual provisions for obtaining compliance with this Policy by any Third Party who: provides Personal Data to TRADUQUEST receives Personal Data from TRADUQUEST has access to Personal Data collected or processed by TRADUQUEST.
20. Awareness
20.1 The management team of TRADUQUEST will ensure that all TRADUQUEST Employees responsible for the Processing of Personal Data are aware of and comply with the contents of this policy.
20.2 All TRADUQUEST Employees that have access to Personal Data will have their responsibilities under this policy outlined to them as part of their staff induction training. In addition, each TRADUQUEST Entity will provide regular Data Protection training and procedural guidance for their staff.
20.3 The training and procedural guidance set forth will consist of, at a minimum, the following elements: The Data Protection Principles set forth in Section 4 above. Each Employee’s duty to use and permit the use of Personal Data only by authorised persons and for authorised purposes. The need for, and proper use of, the forms and procedures adopted to implement this policy. The correct use of passwords, security tokens and other access mechanisms. The importance of limiting access to Personal Data, such as by using password protected screen savers and logging out when systems are not being attended by an authorised person. Securely storing manual files, print outs and electronic storage media. The need to obtain appropriate authorisation and utilise appropriate safeguards for all transfers of Personal Data outside of the internal network and physical office premises. Proper disposal of Personal Data by using secure shredding facilities. Any special risks associated with particular departmental activities or duties.
21. Governance of Third Parties and Data processors
21.1 In addition, TRADUQUEST will make sure all Third Parties engaged to Process Personal Data on TRADUQUEST’s behalf (i.e. their Data Processors) are aware of and comply with the contents of this policy.
21.2 Assurance of such compliance must be obtained from all Third Parties, whether companies or individuals, prior to granting them access to Personal Data controlled by TRADUQUEST.
22. Data Protection Impact Assessments
22.1 The Data Protection Officer will ensure that a Data Protection Impact Assessment (DPIA) is conducted, in cooperation with the Office of Data Protection, for all new and/or revised systems or processes for which it has responsibility. Where applicable, the Information Technology (IT) department, as part of its IT system and application design review process, will cooperate with the Data Protection Supervisor to assess the impact of any new technology uses on the security of Personal Data.
23. Compliance Monitoring
23.1 To confirm that an adequate level of compliance that is being achieved by TRADUQUEST in relation to this policy, the Data Protection Officer will carry out an annual Data Protection compliance audit for all relevant parts of the organisation. Each audit will, as a minimum, assess: Compliance with Policy in relation to the protection of Personal Data, including the assignment of responsibilities, raising awareness and training of employees. The effectiveness of Data Protection related operational practices, The level of understanding of Data Protection policies and Privacy Notices. The accuracy of Personal Data being stored. The conformity of Data Processor activities. The adequacy of procedures for redressing poor compliance and Personal Data Breaches.
23.2 The DPO in cooperation with key business stakeholders from management, will devise a plan with a schedule for correcting any identified deficiencies within a defined and reasonable time frame.