Click & Collect

Privacy Policy

The protection, security and privacy of your personal data is very important to PTDF‑PORTUGAL DUTY FREE, LDA (hereinafter referred to as ‘PTDF’).

This Policy aims to inform the Customers of PTDF, as well as all other data subjects whose data it may process, of the general rules applicable to the processing of personal data and the rights granted to those data subjects.

Personal data are collected and processed in strict respect and compliance with the personal data protection legislation in force at any given time.

PTDF is committed to protecting personal data and preserving their confidentiality, having adopted the measures it considers appropriate to ensure the accuracy, integrity and confidentiality of personal data, as well as all other rights held by the respective data subjects. Accordingly, PTDF adopts best practices in the field of personal data security and protection, having for that purpose taken the necessary technical and organizational measures to scrupulously comply with all applicable legal rules and to ensure that the processing of personal data is lawful, fair, transparent, and limited to authorized purposes.

WHO WE ARE

PTDF‑PORTUGAL DUTY FREE, LDA Humberto Delgado Airport Rua C – Building 69, Floor 1 1700‑008 Lisbon Portugal Phone: +351 21 852 53 00

Email address: geral@ptdf.pt

Scope of the data protection policy

This Privacy Policy applies exclusively to the collection and processing of personal data for which PTDF acts as controller, within the scope of services and products offered to its Customers and in all situations where PTDF processes personal data.

On PTDF’s website there may be links and hyperlinks to other websites beyond its control. The provision of such links is made in good faith, solely to inform the user about the existence of other sources of information on the same subject on the Internet, and PTDF cannot be held liable for the collection and processing of personal data carried out through those websites; therefore it gives no guarantees nor assumes any responsibility for such websites, particularly regarding their accuracy, credibility, or functionalities provided. The existence of a hyperlink or link to other websites does not imply, in any case, the existence of a relationship between PTDF and the owners of those web pages.

Personal data

Personal data consist of any information, of any nature and regardless of its medium, including sound and image, relating to an identified or identifiable natural person. A person is considered identifiable if they can be identified, directly or indirectly, in particular by reference to a name, identification number, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.

Processing of personal data

The processing of personal data consists of any operation or set of operations performed on personal data or sets of personal data, by automated means or not, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, comparison, interconnection, restriction, erasure, or destruction.

Data controller

The entity responsible for processing personal data is PTDF. If the data subject wishes to contact the data controller, they may do so via the means and contacts specified above.

Collection of personal data

PTDF collects your personal data, namely by telephone, in writing, and through its website.

Whenever the consent of the data subject constitutes the lawful basis for the processing activities carried out, the controllers will endeavor to obtain such consent before starting the processing of the data in question.

Some personal data are essential for the execution of the contract and, in the absence or insufficiency thereof, the data controller may not be able to provide the product concerned.

If the data subject is not a Customer of PTDF, their personal data will only be processed when provided under the terms set forth herein, in which case the rules of this Privacy Policy shall apply.

The personal data collected may be processed in an automated or non-automated manner, always ensuring strict compliance with personal data protection legislation, and shall be stored in specific databases created for that purpose. In no event will the data collected be used for any purpose other than that for which it was collected or that consented to by the data subject.

Types of personal data processed

In the scope of its operations, PTDF processes the personal data necessary for the provision of products or services.

The data subject to processing may fall into the following categories:

  1. Customer identification data (name, phone numbers, email address, identity card data, taxpayer number, nationality, address, bank data, boarding pass);
  2. Billing and financial data of suppliers (name, taxpayer number, address, contacts of the supplier responsible for the commercial relationship with PTDF – name, mobile phone and email address –, bank details);
  3. Employee data (name, academic degree, qualifications, address, phone number, email address, identity card data, bank data, occupational health data, data relating to previous employers);
  4. Applicant data for recruitment (professional activities, current employment situation, data provided by candidates in the curriculum vitae);
  5. Data regarding video surveillance (image data captured for security purposes);

The details of the data collected for each processing activity will be provided at the time of collection.

Whenever data subjects have given their consent to the processing activity in question, such consent may be withdrawn at any time without affecting the lawfulness of processing based on the consent before its withdrawal.

Purposes of processing personal data

In general, the personal data collected are intended and grounded in the management of the contractual relationship with the Customer, as well as in the development of PTDF’s activities, which include:

  • Customer and complaint management: in order to satisfy customer needs, customers may contact PTDF’s Customer Support department via email apoiocliente@ptdf.pt,
  • Supplier contact management,
  • Management of employee information in the context of contractual relationships and airport authorization management,
  • Management of Recruitment and Human Resources (please see the recruitment privacy policy on our website https://recrutamento.ptdf.pt/privacidade),
  • Management of image capture in the scope of video surveillance for compliance with legal obligations, namely to police, judicial, tax and regulatory authorities.

Without prejudice to the additional information provided at the time of data collection, PTDF may also, provided that consent is obtained and/or it is legally permissible, use the personal data provided by the data subject for other purposes, such as social initiatives, sending complaints and suggestions, dissemination of institutional information and/or making known campaigns, advertising and news about the products it markets, as well as carrying out market studies or evaluation surveys.

Retention of personal data

The period during which personal data are stored and retained varies according to the purpose for which the information is processed.

There are legal requirements that require data to be kept for minimum periods of time. In such cases, the retention period corresponds to the legally prescribed period.

Whenever there is no specific legal requirement, the data will be stored and retained only for the minimum period necessary to achieve the purposes for which they were collected or subsequently processed, under the terms defined by law.

With respect to personal data related to customer management, contacts, information or requests, and complaint handling, the retention period is estimated to be 1 (one) year after the last interaction with the customer, unless a different term is required by legal imperative or data must be preserved in the scope of complaint procedures or legal actions, in which case the data will be retained while these are pending.

With respect to video surveillance images, the retention period is 30 days.

Recipients of personal data

Without prejudice to potential recipients already indicated in this Privacy Policy, PTDF may disclose customer personal data for compliance with legal obligations, namely to police, judicial, tax and regulatory authorities.

Rights of the data subject

As data subjects, Customers are guaranteed at any time the right of access, correction, updating, limitation and erasure of their personal data (except for data that must be retained by law or that correspond to compliance with legal obligations to which the data controller is subject), the right to object to use of the data for commercial purposes by the data controller, and to withdraw consent, without affecting the lawfulness of processing based on the consent prior to withdrawal, as well as the right to data portability.

Right of access

The data subject may, at any time, obtain confirmation that their data are processed by PTDF and what data are subject to processing. Such access may be made through the contact means stated above.

Right of rectification

The data subject may, at any time, request that the data controller correct data that are incorrect or outdated.

Right to erasure (“right to be forgotten”)

The data subject has the right, in certain circumstances, to request erasure of their personal data. This right may not be exercised, for example, when processing is necessary for compliance with legal obligations to which the data controller is subject, or when processing is necessary for complaint management or to assert or defend a right in legal proceedings.

Right to restriction of processing

The data subject has the right to ask the data controller to limit the access to personal data or suspend processing activities, for example when suspension is necessary to confirm the existence of a legitimate ground to continue the processing activity.

Right to data portability

When processing is based on a contract to which the data subject is a party or on their consent, the data subject may request that the data controller provide the data supplied in a structured, commonly used and machine-readable format or, alternatively and where technically feasible, ask that such data be transmitted to another controller.

Right to object

When data processing is based on the data controller’s legitimate interest or when it is performed for purposes other than those for which the data were collected, but that are compatible with them, the data subject has the right to object to the processing of their personal data.

In such cases, the data controller will cease processing such data unless it ascertains that its legitimate interests prevail.

Right not to be subject to automated individual decisions

The data subject has the right to object to their data being processed for automated individual decisions, including profiling.

Right to withdraw consent

Whenever data processing is based on your consent, the data subject may withdraw consent at any time. In such cases, personal data will no longer be processed, unless another legal basis permits such processing. Processing activities carried out prior to withdrawal of consent shall not be affected.

Right to lodge a complaint with the supervisory authority

Without prejudice to lodging complaints directly with PTDF, as data controller, via the contacts provided for that purpose, data subjects may file a complaint directly with the supervisory authority, which is the Portuguese National Data Protection Commission (CNPD), using the contact methods made available by that authority.

Measures adopted to ensure the security of personal data

PTDF undertakes to guarantee the security of the personal data made available, having approved and implemented strict procedures in this regard. Compliance with these procedures is an obligation of all those legitimately able to access personal data.

With the concern and commitment that PTDF places on personal data protection, various technical and organizational security measures have been adopted to protect personal data provided against disclosure, loss, misuse, alteration, unauthorized access or other illegal processing.

Additionally, third‑party entities which, in the context of service provision, process Customers’ personal data on behalf of PTDF, are obliged to implement appropriate technical and security measures that, at all times, satisfy the legal requirements in force and protect the rights of data subjects (namely privacy and personal data protection).

Accordingly, on PTDF’s website, personal data collection forms require encrypted browser sessions and all personal data submitted is stored securely in its systems, which are hosted in a data center operated by a European Union provider, under all the physical and logical security measures that PTDF deems indispensable to protect personal data.

Notwithstanding the security measures adopted by PTDF, we alert all Internet users that they should adopt additional security measures, namely ensuring they use a PC and browser updated with adequate security patches, properly configured with firewall, antivirus and anti‑spyware, and verify the authenticity of the websites they visit, avoiding sites whose reputation they do not trust.

Disclosure of data to other entities (third parties and subcontractors)

PTDF may, in the course of its activities, use third parties to provide certain services. Occasionally, providing these services requires those entities to access personal data processed by the data controller. When that occurs, the data controller will take appropriate measures to ensure that the entities with access to the data are reputable and offer the highest assurances, contractually binding the data controller and such third parties.

Consequently, any subcontracted entity by PTDF shall process personal data on behalf of the data controller and commit to adopt the necessary technical and organizational measures to protect personal data from destruction (accidental or unlawful), loss, alteration, disclosure or unauthorized access, and any other form of unlawful processing.

In any case, PTDF shall remain responsible for the personal data made available to it.

Transfer of personal data

The supply of products or the provision of certain services by PTDF, given its relationships with service providers and external partners, may involve the transfer of your data outside Portugal, but within the European Union.

Similarly, for the same purposes, personal data may be transferred to PTDF’s shareholder companies, namely Dufry AG and VINCI Airports, and affiliates.

All entities receiving personal data transfers must guarantee confidentiality and security levels regarding the personal data they access.

Furthermore, the data controller shall scrupulously comply with applicable legal provisions, especially regarding the adequacy of the destination country(ies) with respect to personal data protection and the requirements applicable to such transfers, including, where applicable, the execution of appropriate contractual instruments that guarantee and respect the legal obligations in force.

Changes to the personal data protection policy

PTDF reserves the right to make adjustments or changes to this Privacy Policy at any time, and such changes will be properly publicized through its various communication channels.