The protection, security and privacy of your personal data is very important for PTDF-PORTUGAL DUTY FREE, LDA (henceforth referred to as ‘PTDF’).
This Policy intends to inform PTDF customers, and all other data subjects whose data the company may process, about the general rules that apply to the processing of personal data as well as the rights attributed to the data subjects.
Personal data are collected and processed in strict compliance with the personal data protection laws in force at any given time.
PTDF makes every effort to protect personal data and conserve their confidentiality, and has adopted measures that is deems suitable to guarantee the accuracy, completeness and confidentiality of the personal data, as well as all the other rights of the data subjects. As such, PTDF adopts the best practices as regards the security and protection of personal data, having implemented the technical and organisational measures necessary to meticulously comply with all the applicable legal regulations and guarantee that the treatment of the personal data is legal, honest, transparent and restricted to the authorised purposes.
PTDF-PORTUGAL DUTY FREE, LDA
Aeroporto Humberto Delgado
Rua C – Edifício 69, Piso 1
Telephone: 21 852 53 00
Email address: firstname.lastname@example.org
SCOPE OF THE DATA PROTECTION POLICY
The PTDF website may include links and hyperlinks to other websites that are out of its control. These links are provided in good faith, only to inform users about the existence of other sources of information about the same matter, on the internet. PTDF cannot be held responsible for the collection and processing of personal data carried out by these websites, and therefore does not provide any guarantees or accept any responsibility relative to such websites, namely as regards the accuracy, credibility and functionalities they provide. A hyperlink or link providing access to other websites does not imply, under any circumstances, a relationship between PTDF and the owners of these internet pages.
Personal data consists of information of any nature and regardless of its form, including sound and image, relative to a singular identified or identifiable person. An identifiable person is deemed one who can be identified, directly or indirectly, in particular by reference to a name, identification number or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
PROCESSING OF PERSONAL DATA
Processing of personal data comprises an operation or set of operations performed on personal data or on sets of personal data, by automated or non-automated means, such as the collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, comparison, interconnection, restriction, erasure or destruction.
CONTROLLER OF THE DATA PROCESSING
The entity responsible for the treatment of the personal data is PTDF. If the data subject needs to contact the data controller, it can do so using the aforementioned contact details.
COLLECTION OF PERSONAL DATA
PTDF collects its personal data mainly by telephone, in writing and through the respective website.
Whenever the data subjects’ consent is required by law for the processing activities, the controller shall take measures to obtain such consent before starting to process the data in question.
Some personal data are indispensable for the contract, and if they are missing or insufficient the controller cannot provide the product in question.
The personal data collected may be processed by computer in an automated or non-automated manner, in all cases guaranteeing strict compliance with the personal data protection laws. The personal data will be stored in specific databases created for the purpose and under no circumstances will the data collected be used for purposes other than those for which they were collected or for what the data subjects have given their consent.
KINDS OF PERSONAL DATA PROCESSED
PTDF, within the scope of its activities, shall process the personal data necessary for the supply of products or provision of services.
The data processed can categorised as follows:
- Identification data (name, telephone numbers, email address, citizen card data, taxpayer number, nationality, address, bank details, boarding pass);
- Billing and financial data of the suppliers (name, taxpayer number, address, contacts of the supplier responsible for the commercial relationship with PTDF – name, telephone number, mobile phone number and email address, bank details);
- Employee data (name, academic level, qualifications, address, telephone number, email address, citizen card data, bank details, aptitude data in the field of occupational medicine, and data referring to previous employers);
- Candidate data within the Recruitment activity (professional activities, current job status, data provided by candidates in the curriculum vitae);
- Data relating to video surveillance (image data captured in the scope of security);
The detail of the data collected for each processing activity shall be provided at the moment the data is collected.
Whenever the data subjects have provided their consent for the processing, this consent may be withdrawn at any time, albeit without compromising in any way the lawfulness of the processing meanwhile carried out based on the previously provided consent.
PURPOSES OF THE PROCESSING OF THE PERSONAL DATA
In general, the personal data collected is based on the management of the contractual relationship with the customers, and the undertaking of the business activity of PTDF, which includes:
- Customer and complaint management: Customers can make sure their needs are met by contacting the PTDF Customer Care department using the email email@example.com,
- Management of contacts with suppliers
- Employee information management within the scope of the contractual relationship and within the scope of the management of airport authorizations
- Recruitment and Human Resource Management (please see the recruitment policy on our website https://recrutamento.ptdf.pt/privacidade).
- Image capture management in the field of video surveillance for the purpose of complying with legal obligations namely to police, judicial, fiscal and regulatory entities.
Notwithstanding additional information provided when the data is collected, PTDF may also, provided it is legally permitted, use the personal data supplied by the data subject for other purposes, such as for charitable initiatives, to send complaints and suggestions, to disseminate institutional information and/or publicise campaigns, to advertise and supply news about the products it sells, and to carry out market studies or surveys.
STORAGE OF PERSONAL DATA
The period of time during which the personal data are stored varies depending on the purpose for which the information is processed.
Legal requirements make it compulsory to store the data for minimum periods of time. In these cases, the storage period is the legally stipulated period of time.
Whenever there is no legal requirement, the data are stored only for the minimum period required for the purposes for which they were collected or processed, under the legally defined terms.
For personal data related to customer management, contact management, requests for information and complaint management, the estimated storage period is 1 (one) year after the last interaction with the customer, unless a different deadline is legally imposed or the data have to be stored within the scope of complaints or judicial actions, in which case the data shall be stored while such procedures are ongoing.
For video surveillance footage, the storage period is 30 days.
RECIPIENTS OF THE PERSONAL DATA
RIGHTS OF DATA SUBJECTS
As data subjects, customers are guaranteed at all times the right to access, rectify, update, restrict and erase their personal data (apart from data that by law must be maintained or which corresponds to compliance with the controller’s legal obligations), the right to oppose the use of the data for commercial purposes by the controller and the right to withdraw consent, without compromising the lawfulness of the processing carried out in line with this consent, and the right to portability of the data.
RIGHT OF ACCESS
Data subjects may obtain confirmation at any time that their data are being processed by PTDF and which data are being processed. To do so use the contact details above.
RIGHT TO RECTIFICATION
Data subjects may request the controller of their personal data to rectify incorrect or out-of-date data at any time.
RIGHT TO ERASURE
Data subjects are entitled, in given situations, to request erasure of their personal data. This right cannot be exercised, for example, when the data processing is necessary to comply with legal requirements the controller is subject to, or when this processing is necessary for the management of complaints or to build a defence in a judicial action.
RIGHT TO RESTRICT THE PROCESSING
Data subjects are entitled to request the controller to restrict access to their personal data or suspend the processing activities, e.g. when such suspension is needed to confirm the legitimate grounds to continue the processing.
RIGHT TO DATA PORTABILITY
In cases where the data processing is based on a contract, the data subjects may request the controller to deliver the data supplied in a structured, commonly used and machine-readable format, or alternatively, and provided that it is technically possible, to request these data be transmitted to other controllers.
RIGHT TO OBJECT
When the data processing is based on the legitimate right of the controller or when it is carried out for purposes other than those for which the data was collected, but which are compatible with the data, the data subjects are entitled to oppose the processing of their personal data.
In these cases the controller shall no longer process these data unless they understand that their legitimate rights prevail.
RIGHT TO OBJECT TO AUTOMATED INDIVIDUAL DECISION-MAKING
Data subjects are entitled to object to automated individual decision-making, including profiling.
RIGHT TO WITHDRAW CONSENT
For data that are processed based on consent, the data subjects have the right to withdraw their consent at any time. In these cases the personal data shall no longer be processed, unless there is another legal basis that allows such processing. The withdrawal of consent shall not affect the lawfulness of processing based on the consent provided before it was withdrawn.
RIGHT TO LODGE A COMPLAINT WITH THE REGULATORY AUTHORITY
Notwithstanding the possibility to lodge complaints directly to PTDF as the data controller, using the contacts provided for the purpose, data subjects can also complain directly to the National Data Protection Commission (CNPD), using the respective contacts provided by this authority for the purpose.
MEASURES ADOPTED TO ENSURE THE SECURITY OF THE PERSONAL DATA
PTDF undertakes to guarantee the security of the personal data supplied to it, and has approved and implemented rigorous procedures to do so. Compliance with these procedures is compulsory for all personnel who can access the personal data.
In view of the concern and effort of PTDF to protect the personal data, several security measures of a technical and organisational nature have been adopted to protect the personal data supplied against loss or improper dissemination, use, alteration, processing or non-authorised access, as well as against any other forms of unlawful processing.
Furthermore, third parties who, in order to provide services, process the customers’ personal data on behalf of PTDF are required to implement technical and security measures that at any time meet the requirements of the legislation in force and ensure the data subjects’ rights are defended (namely the protection of the customers’ privacy and personal data).
Accordingly, the personal data collection forms on the PTDF website require encrypted sessions of the browser and all the personal data provided is stored securely in their systems that, in turn, are in a European Union Operator’s Datacentre, protected by all the physical and logical security measures that PTDF deems indispensable for the protection of personal data.
Notwithstanding the security measures adopted by PTDF, we point out that all internet users should adopt additional security measures, namely to ensure they use a PC and Browser that is up to date in terms of properly configured security “patches”, with firewall, antivirus and anti-spyware software active and they should certify the authenticity of the websites they visit, avoiding untrustworthy websites.
COMMUNICATION OF DATA TO OTHER ENTITIES (THIRD PARTIES AND OUTSOURCERS)
PTDF may use third parties to provide certain services within its business operation. Sometimes the provision of these services requires such entities to have access to the personal data processed by the controller. When this happens, the controllers shall take measures to ensure that the entities who have access to the data are of good repute and provide the strongest security guarantees. This shall be duly consecrated and safeguarded through a contract between the controller and the third party (or parties).
Consequently, any outsourcer hired by PTDF who shall process the personal data on behalf of the controller is required to adopt technical and organisational measures needed to protect the personal data against destruction, whether accidental or illegal, accidental loss, alteration, dissemination or non-authorised access and against any unlawful processing.
In any of the listed situations, PTDF shall remain responsible for the personal data that is entrusted to it.
TRANSFER OF PERSONAL DATA
The supply of products or provision of certain services by PTDF, given its relationship with the service providers and external partners, may imply the transfer of your data outside Portugal, but within the European Union.
Likewise, and for the same purposes, the personal data may be transferred to the shareholder companies of PTDF, namely Dufry AG and VINCI Airports, and its subsidiaries.
All the entities that receive the transfer of personal data are required to guarantee the confidentiality and security of the personal data they have access to.
Moreover, the controller shall scrupulously comply with the applicable legal provisions, namely when deciding on the suitability of the destination country (or countries) with regard to the protection of personal data and the requirements applicable to such transfers, including, whenever applicable, signing contractual instruments which guarantee compliance with the legal regulations in force.
CHANGES TO THE PERSONAL DATA PROTECTION POLICY