1. IDENTIFICATION OF THE DATA CONTROLLER
In the scope of the website hosted at www.combro.pt (“website”), J. M. Cálem – Vinhos, Sa 505168863 Rua da Reboleira, 7 4050-492 Porto, may request personal data from the data subject (“User”) that allows COMBRO to identify and/or contact them (“Personal Data”). For the purposes of this Policy, COMBRO is the data controller.
The purpose of this Privacy Policy is to provide all users with detailed information about the nature of the data collected and the purposes of the processing carried out, and thus comply with the right to information and reinforce the transparency of our activities.
2. DEFINITIONS
For a better understanding of this Privacy Policy, the terms used in the document are defined as follows:
“Online services”: any pages, means, web, channels, applications, and promotions, as well as any other online initiatives of COMBRO.
“Personal data”: any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, electronic identifiers, email, telephone number, or one or more specific elements of the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
“Processing”: any operation or set of operations carried out on personal data, whether by automated means or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or any other form of making available, alignment or combination, restriction, erasure or destruction.
“User” or “Data subject”: the natural person who navigates the website or whose personal data is processed for some reason.
“Data controller”: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. For the purposes of this Policy, COMBRO is considered the data controller of personal data.
“Processor”: the natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.
“Recipient”: the natural or legal person, public authority, agency or other body to whom personal data are disclosed.
3. GENERAL PRINCIPLES APPLICABLE TO USER DATA PROCESSING
IN TERMS OF GENERAL PRINCIPLES RELATING TO THE PROCESSING OF PERSONAL DATA, COMBRO IS COMMITTED TO ENSURING THAT THE USER’S DATA PROCESSED BY IT IS:
Subject to lawful, fair, and transparent processing in relation to the User.
Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Adequate, relevant, and limited to what is necessary for the purposes for which they are processed.
Accurate and up-to-date as necessary, with all appropriate measures taken to delete or rectify inaccurate data, taking into account the purposes for which they are processed.
Retained in a way that allows the User to be identified only for the period necessary for the purposes for which the data is processed.
Processed in a way that ensures their security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, with appropriate technical or organizational measures taken.
The data processing carried out by COMBRO is lawful when at least one of the following situations occurs:
The User has given explicit consent for the processing of their personal data for one or more specific purposes.
The processing is necessary for the performance of a contract in which the User is a party or for pre-contractual measures at the User’s request. The processing is necessary for compliance with a legal obligation to which COMBRO is subject.
The processing is necessary to protect the vital interests of the User or another natural person.
The processing is necessary for the purposes of the legitimate interests pursued by COMBRO or by third parties (except where the interests or fundamental rights and freedoms of the User that require the protection of personal data prevail).
COMBRO undertakes to ensure that the processing of User data is only carried out under the above conditions and with respect for the principles mentioned above.
When the processing of User data is carried out by COMBRO based on the User’s consent, the User has the right to withdraw their consent at any time. However, withdrawal of consent does not affect the lawfulness of processing carried out by COMBRO based on the User’s previously given consent.
The period of time during which the data is stored and retained varies according to the purpose for which the information is processed. There are indeed legal requirements that require data to be kept for a minimum period of time. Thus, and whenever there is no specific legal requirement, the data will be stored and retained only for the minimum period necessary for the purposes that motivated their collection or subsequent processing, after which they will be deleted. For more information, please refer to the following section.
4. ACTIVITIES OF PERSONAL DATA PROCESSING
4.1. CATEGORIES OF PERSONAL DATA
COMBRO collects and processes personal data of users (customers and visitors) and candidates for the purposes for which they were collected. Thus, the following data is collected:
Identification data, such as name and date of birth;
Contact data, such as emails and country of residence;
Recruitment data, such as academic qualifications and curriculum vitae.
Cookies may also be collected, whose information is available for consultation in our Cookies Policy.
PURPOSE | DESCRIPTION | LAWFUL BASIS | RETENTION PERIOD |
---|---|---|---|
Marketing | Information on new products and services similar to those previously purchased | Legitimate Interest | 5 years after data collection |
Website Management and Visit Tracking | Development of publications and content adapted to requests and types of Users in order to improve search capabilities and website functionalities, and obtain aggregated or statistical information about the User’s typical profile | Consent and Legitimate Interest (applicable to specific cases) | Up to 2 years after collection, according to our Cookies Policy |
Marketing | Sending newsletters, conducting opinion polls or information about other products and services | Consent | 5 years after data collection |
Contact Management | Data processing to respond to requests made through the contact form on the website | Consent | 6 months after completion of the request |
5. DISCLOSURE OF PERSONAL DATA
The user’s personal data is not shared with third parties without their consent, except in the following situations:
Communications required by law, in compliance with a specific legal obligation;
Suppliers that provide services as subcontractors (cf. point 5.1 of this Policy); or
Processing of personal data, to the extent necessary for the provision of COMBRO’s services and/or products.
5.1. SUBCONTRACTORS
In the context of processing the User’s data, COMBRO uses or may use third-party entities, subcontracted by it, to process the User’s data, on behalf of COMBRO and in accordance with the instructions given by it, in strict compliance with the law and this Privacy Policy.
These subcontracted entities may not transmit the User’s data to other entities without COMBRO’s prior written authorization, and are also prohibited from contracting other entities without prior authorization from COMBRO.
COMBRO undertakes to subcontract only entities that provide sufficient guarantees of the implementation of appropriate technical and organizational measures, in order to ensure the defense of the User’s rights. All entities subcontracted by COMBRO are bound to the latter through a written contract which regulates, in particular, the object and duration of the processing, the nature and purpose of the processing, the category and type of personal data, the categories of data subjects, the security measures adopted, and the rights and obligations of the parties.
5.2. RECIPIENTS
As mentioned above, COMBRO may also communicate personal data to other third-party entities that are not qualified as subcontracted entities.
In the processing of personal data, COMBRO will only communicate the User’s data in situations where it is essential. Thus, the User’s data may be communicated to:
Public entities, namely the Tax and Customs Authority, Courts and Police Bodies; and
Private entities, namely transport companies and marketing campaign agencies, among others.
6. TECHNICAL, ORGANIZATIONAL AND SECURITY MEASURES IMPLEMENTED
To ensure the security of the User’s data and maximum confidentiality, COMBRO treats the information provided by the User in an absolutely confidential manner, in accordance with internal security and confidentiality policies and procedures, which are updated periodically as needed, as well as in accordance with the legally prescribed terms and conditions.
Due to the nature, scope, context, and purposes of data processing, as well as the risks arising from the processing for the User’s rights and freedoms, COMBRO undertakes to apply, both at the time of defining the means of processing and during the processing itself, the technical and organizational measures necessary and appropriate to protect the User’s data and comply with legal requirements.
COMBRO also undertakes to ensure that, by default, only the data necessary for each specific purpose of the processing are processed and that such data are not made available without human intervention to an indefinite number of persons.
COMBRO adopts the following general measures:
• Awareness-raising and training of personnel involved in data processing operations;
• Encryption of personal data;
• Website security measures;
• Mechanisms capable of ensuring the permanent confidentiality, availability, and resilience of information systems;
• Mechanisms that ensure the restoration of information systems and timely access to Personal Data in the event of a physical or technical incident.
7. INTERNATIONAL TRANSFERS
As a rule, COMBRO does not transfer data outside the European Economic Area. However, if such transfer is necessary to fully comply with the purposes set forth in this Privacy Policy, COMBRO undertakes to carry out such transfer in full respect of the applicable legal provisions, in particular with regard to the determination of the adequacy of such country with regard to data protection.
8. MINORS
COMBRO does not process data from minors. However, if the website visitor is a minor and does not understand any content of this Policy, they should seek support from their legal representatives (parents or guardians).
9. USE OF COOKIES
COMBRO uses cookies on its websites. If you wish to manage the cookies collected and stored, you can do so through the following button. For more information, please refer to our Cookie Policy.
10. USER RIGHTS
The User has the following rights:
Right of Access: right to obtain confirmation as to whether or not personal data concerning the User are being processed and, if so, the right to access their personal data and certain information.
Right of Rectification: right to rectify inaccurate personal data concerning the User or to request that incomplete personal data be completed.
Right to erasure: the right to obtain the erasure of your personal data without undue delay, provided there are no valid grounds for their retention, such as cases where they have to be retained to comply with a legal obligation or because there is an ongoing judicial process;
Right to restriction of processing: the right to request the restriction of the processing of your personal data, in the form of suspension of processing or limitation of the scope of processing to certain categories of data or processing purposes, in accordance with Article 18 of the GDPR.
Right to data portability: the right to receive the personal data concerning you that you have provided in a structured, commonly used and machine-readable format and/or the right for those data to be transmitted to another controller.
Right to object: the right of the User to object at any time to the processing of data concerning him or her, provided that there are no legitimate grounds for such processing that override the interests, rights and freedoms of the User, or for the purposes of making a statement, exercising or defending a right in a judicial process;
The User may also withdraw his or her consent, in processing operations that depend on obtaining consent, without such withdrawal invalidating the processing of data while the consent is in force.
The User’s rights may be exercised by contacting COMBRO through:
Sending a registered letter to the address Rua da Reboleira, 7 4050-492 Porto
Email info@combro.pt
The communication must contain the following elements:
Name, email and customer number, if applicable;
Right to be exercised and in the case of exercising the right to restriction, the reasons why the User believes that his or her data are being improperly processed;
Address, for notification purposes in cases where the request is made by letter.
COMBRO will respond through the means by which the User exercised his or her right within a maximum period of one month from the receipt of the request, except in cases of special complexity, where this period may be extended up to two months with duly justified reasons by COMBRO.
If the requests submitted by the User are manifestly unfounded or excessive, particularly due to their repetitive nature, COMBRO reserves the right to charge administrative costs or refuse to follow up on the request.
If the User considers that COMBRO has not complied with the requirements of the GDPR or applicable national data protection legislation, the User may also exercise the right to lodge a complaint with the National Data Protection Commission through its website.
11. PERSONAL DATA BREACHES
In case of a data breach, and to the extent that such breach is likely to pose a risk to the rights and freedoms of the User, COMBRO undertakes to report the personal data breach to the National Data Protection Commission within 72 hours of becoming aware of the incident. If the risk is high, COMBRO ensures that Users are notified without undue delay, and by means it deems necessary, taking into account the measures taken to mitigate the breach.
12. CHANGES TO THE PRIVACY POLICY
COMBRO reserves the right to change this Privacy Policy. In case of a modification to the Privacy Policy, the last update date, available at the top of this page, will also be updated. If the change is substantial, a notice will be posted on the website.
13. APPLICABLE LAW AND JURISDICTION
The Privacy Policy, as well as the collection, processing, or transmission of User data, are governed by the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and by applicable legislation and regulations in Portugal.
Any disputes arising from the validity, interpretation, or performance of the Privacy Policy, or related to the collection, processing, or transmission of User data, must be exclusively submitted to the jurisdiction of the judicial courts of the Porto district, without prejudice to applicable mandatory legal provisions.