Data Protection Policy


This data protection regulation applies to Opensoft SA, which undertakes to comply with it in accordance with national and international data protection law. We also suggest consulting Opensoft’s Information Security Policy for additional information.

 

The data protection regulation defines the conditions and assumptions for the storage, processing and exchange of data, as required by the Law No. 58/2019, published in the Republic Diary No. 151/2019, Series I of 2019-08-08.

 

Principles for processing personal data

 

1. Fairness and legality

In the processing of personal data, the rights of the person involved must be preserved. Personal data must be collected and processed in a legitimate and complete manner.

 

2. Vinculation

The processing of personal data should only serve the purposes for which it was determined before data collection. Any change beyond the scope of data collection must be justified.

 

3. Transparency

The collection of personal data should be made to the party who must be informed about how their data is processed. In the data collection process, the data subject must at least be able to recognize or be adequately informed about the following:

  • Information about the department responsible for the data
  • Purpose of data processing
  • Third parties or categories of third parties to whom the data will eventually be transmitted

 

4. Essentiality and economy in data

Prior to the processing of personal data, it should be checked whether the data collected is necessary to achieve the intended purpose of the processing. Data should be anonymised, except where the objective of data processing cannot be achieved and where the effort to anonymise the data is disproportionate to the intended purpose.

Personal data should not be stored for future purposes, except as stipulated or permitted by the laws of the country.

 

5. Data Deletion

Personal data that are no longer needed must be deleted once the prescribed data storage period has elapsed, taking into account what is specified by law or foreseen in the internal processes of the company. In exceptional cases, such as the historical importance of the data, the data should be retained for a longer period until the interests worthy of protection can be legally clarified.

 

6. Accuracy of facts and timeliness of data

Personal data must be stored in a correct, complete and, if necessary, up-to-date form. The necessary steps should be taken to ensure that incorrect, incomplete or outdated data is eliminated, corrected, completed or updated.

 

7. Confidentiality and security of data

Personal data is confidential, so it must be treated with confidentiality. Through appropriate technical and organizational measures, data must be protected against unauthorized access, undue processing or forwarding, as well as destruction, loss or alteration.

 

Admissibility of data processing

 

The collection, processing and use of personal data are admissible if one of the factual circumstances mentioned below is verified. One of these factual circumstances is also required if the purpose of the collection, processing and use of personal data has changed in relation to the original purpose.

 

1. Customer and Partner Data

1.1 Data processing for a contractual relationship

 

The personal data of the affected party, customer or partner can be processed to substantiate, effect and terminate a contract. This also applies to contractor partner monitoring activities, as long as it does not exceed the purpose of the contract.

 

In the preparation of a contract, that is, in its initial stage, the processing of personal data is allowed for the creation of proposals, the preparation of purchase requests or the fulfillment of other needs of the interested party related to the conclusion of the contract. It is allowed to contact the interested parties using the data provided by them.

 

1.2 Processing of data for advertising purposes

 

If the involved person contacts Opensoft with a request for information, the data processing will be allowed to fulfill this request.

 

The processing of personal data for the purpose of advertising or market research and opinion is allowed, provided that it is in accordance with the purpose for which the data was originally collected. You must be informed about the use of your data for advertising purposes and may choose not to authorize such use.

 

In the context of communication with the person involved, that person's consent to the processing of the data may be obtained through one of the available contact channels, such as traditional mail, electronic mail and telephone.

 

If the party concerned opposes the use of his data for advertising purposes, the use of his data for this purpose will be inadmissible and the data will have to be blocked for this purpose. In addition, the restrictions of some countries on the use of data for advertising purposes should be respected.

 

1.3 Consent in data processing

 

Data processing may be performed by consent of the party involved. However, the data subject must be informed before consent is given to the processing of the data.

 

As evidence, the declaration of consent should be obtained in writing or electronically. In some cases, for example in telephone counseling, consent may also be given verbally, but it will have to be recorded.

 

1.4 Data processing due to legal permission

 

The processing of personal data is permitted if national legal requirements require, presuppose or authorize the processing of data. The type and extent of the data processing required are guided by legal norms.

 

1.5 Data processing due to legitimate interests

 

Processing of personal data may also occur if there is a need to meet a legitimate interest of Opensoft. Legitimate interests are those of a legal nature (e.g. enforcement of outstanding claims) or economic nature (e.g. avoiding contractual interference). Personal data should not be processed for a legitimate interest if, in individual cases, there is evidence that the interests of the data subject, worthy of protection, outweigh the interest of processing. For each processing, the interests that need protection should be examined.

 

1.6 Processing of data worthy of special protection

 

The processing of personal data worthy of special protection can only be done by law or with the express consent of the person involved.

 

Processing of this data will also be permitted if it is expressly required to claim, exercise or defend legal rights to the party involved. Before any processing of data worthy of special protection, the data protection officer must be informed in advance.

 

1.7 Automated individual decisions

 

Automated personal data processing through which individual personality traits (e.g. credibility) are analyzed should not be the sole basis for decisions with negative legal consequences or serious harm to the data subject. The party concerned should be informed of the facts and the outcome of an automated individual decision and should be given the opportunity to comment.

 

1.8 User and Internet data

 

When personal data are collected, processed and used on web pages or in applications, those involved should be informed of the data protection notice and, if applicable, the cookie policy. Data protection and cookie instructions should be integrated so that those involved can easily identify them and access them immediately and whenever they wish. If user profiles are created to assess behavior in the use of web pages and apps, this must be documented in the data protection policy. This data can only be collected if it is allowed by the legislation in force or with the consent of the person involved. The data subject should be given an opt-out option in the data protection instructions.

 

If access to personal data in a private area is allowed on web pages or in apps, the data can only be accessed after the identification and authentication of the person concerned have been carried out.

 

2. Data of collaborators

2.1 Processing of data for employment relationship

 

For the employment relationship, the data necessary for the execution and termination of the employment contract may be collected.

 

The personal data of candidates for job offers may be processed to establish an employment relationship. After a refusal, the candidate’s data should be deleted, taking into account the legal deadlines in force, unless the candidate has consented that the data will remain stored for consultation in future selection processes. If there is an employment relationship, the data processing must always be subject to the purpose of the employment contract.

 

If, in the initial process of the employment relationship or in the existing employment relationship, it is necessary to collect additional information about the job seeker / candidate from third parties, the legal requirements in force must be complied with. In ambiguous cases, the consent of the candidate should be obtained.

 

There should be a legal basis for processing employee data that arises in the employment context but is not originally used to fulfill the employment contract. Such a basis may be legal requirements, collective regulations with employee representatives, employee consent or legitimate business interests.

 

2.2 Data processing due to legal permission

 

The processing of personal data of employees will be allowed if there are national legal norms that require, presuppose or authorize the processing of data. The type and extent of processing should be guided by these legal norms. Whenever possible, the interests of the employee should be taken into account.

 

2.3 Consent in data processing

 

The processing of data with the consent of the person involved must be accompanied by a declaration of consent (which will always be voluntary). The consent statement should preferably be obtained in writing or electronically, but in exceptional circumstances consent may be granted orally. In any case, all statements of consent must be properly documented.

 

2.4 Data processing due to legitimate interests

 

The processing of employees’ personal data may be effected if there is a need to fulfill a legitimate interest of Opensoft. Legitimate interests are those of a legal nature (e.g. claiming, exercising or defending legal requirements) or economic nature (e.g. business valuation).

 

The processing of personal data should not be performed to satisfy a legitimate interest if there are indications that the interests of the employee, worthy of protection, outweigh the interest of the processing. Thus, every processing must include a verification of interests worthy of protection.

 

Control measures requiring the processing of personal data may only be taken if there is a legal obligation or a justified reason. Even if there is a justified reason, the proportionality of the control measure must be verified. The legitimate interests of the company in carrying out the control measure (for example, compliance with the legal provisions and internal regulations of the company) should be weighed against a possible interest of the employee in protecting his data. The legitimate interest of the company and the possible interests of workers worthy of protection should be ascertained and documented before any action is taken. In addition, other requirements should be considered in accordance with national law, for example the right to vote of the employee’s representative and the information rights of those involved.

 

2.5 Processing of data worthy of special protection

 

Personal data worthy of special protection should only be processed under specific conditions. Data worthy of special protection are those related to race or ethnicity, political positions, religious or philosophical conviction, trade union affiliations, and the health or sexual life of the person involved. National legislation may classify other categories of data in the special protection category. Data relating to offenses may only be processed under special conditions determined by the law of the country.

 

The processing of data worthy of special protection should be explicitly permitted or stipulated by national legislation. Processing may also be allowed if it is necessary to fulfill rights and obligations under labor law. The employee may also consent to processing in an express and voluntary manner.

 

Any data processing with special protection can only be performed after the data protection officer has been informed.

 

2.6 Automated decisions

 

If, in the context of an employment relationship, personal data are processed in an automated manner, based on the identification of individual characteristics of the persons involved (e.g. in the selection of staff), this processing cannot be used as the sole basis for decisions with negative consequences or great losses for the employees affected.

 

In order to avoid wrong decisions, the automatic processing of the data must be verified by a person who evaluates the data. This assessment should be used as the basis for the decision to process the data in an automated way. In addition, the employees in question should be informed of the facts and the result of the automated processing of the data, giving them the possibility to express themselves on the process and results.

 

2.7 Telecommunication and internet

 

Telephones, e-mail addresses, intranet, internet and internal social networks are made available by the company to carry out the tasks of each employee. This equipment and these work resources may be used in accordance with applicable legal provisions and internal regulations. In the case of an authorized use for private purposes, the confidentiality of telecommunications and legislation on telecommunications at national level, where applicable, shall be respected.

 

No controls are carried out on telephone and e-mail communication or on the use of the intranet and internet. To combat attacks on the technology structure or specific users, protection measures can be implemented on the Opensoft network to block technically harmful content. Evaluations of this personal data may only be carried out where there is a concrete and reasoned suspicion of violation of the legislation or of the company’s directives. This type of control must comply with national legislation as well as existing corporate regulations.

 

Transmission of personal data

 

A transmission of personal data to recipients who do not belong to the company is governed by the conditions of admissibility of the processing of personal data. The recipient of the data shall undertake to use the data only for the purposes specified.

 

If data is transmitted to an external third-party recipient, the third party must ensure a level of data protection similar to that defined by the European Data Protection Directive. This does not apply if the transmission occurs due to a legal imposition.

 

In the case of a transmission of third party data to the company, there must be a guarantee that the data can only be used for the intended purposes.

 

Rights of the person involved

 

Each party is the owner of the rights to their information, as well as several associated rights, such as:

  1. The party involved may request information about which personal data are stored by the company and about the origin of the data. The data subject also has the right to know the purpose of these data.
  2. In the case of transmissions of personal data to third parties, information on the identity of the recipient should be provided.
  3. If the personal data is incorrect or incomplete, the person involved has the right to demand the correction or alteration of the same.
  4. The party involved has the right to oppose the use of their personal data for advertising purposes or market research. In this case, the data will have to be blocked for these purposes.
  5. The party involved has the right to demand the deletion of their data. In this case, the system must keep a record of when the data deletion action was performed and who performed it.
  6. The party has the right to object to the processing of their data. This right is not valid if there is a rule of law that requires the execution of the processing.
  7. The data subject has the right to submit a complaint to the National Data Protection Commission, whenever he or she verifies the non-compliance with the data protection policy.

 

Claims for these rights may be made by the party concerned at any time and without any prejudice to the same. However, in certain cases, the request may not be immediately met (for example due to legal requirements).

 

Any request made by the party will be treated with care to ensure their rights. It is possible that a proof of identity is required, since the personal data will only be shared with the person involved.

 

Confidentiality in data processing

 

Personal data must be treated with confidentiality, so it is prohibited for employees to collect, process or use the data unduly. Undue processing of data means any processing carried out by an employee outside the scope of his duties and without authorization to process the data in question. The need-to-know principle must be applied: employees may only have access to personal data if it is necessary for the performance of their tasks. Each authorization for the processing of data must be specific as to the type of data that can be accessed and how it may be used. Authorizations should be updated as necessary.

 

Employees are not permitted to use personal data for private or economic purposes, and they may not transmit them to unauthorized persons or allow such persons any access. Workers should be required to respect and ensure confidentiality in the processing of data from the beginning of the employment relationship. This obligation of confidentiality remains valid after the termination of the employment relationship.

 

Data processing security

 

Personal data must always be protected against unauthorized access, processing or improper disclosure, as well as against loss, falsification or destruction of data. This protection applies to data in digital and paper format.

 

Prior to the introduction of new data processing systems, particularly in the case of a new computer system, measures should be defined and implemented to ensure the protection of personal data both technically and organizationally. These measures should be guided by technological advances, the risks involved in data processing and the need for data protection (ascertained by the information classification process), and need to be validated by the data protection team. Technical and organizational needs must be continually adapted to technological change and organizational change.

 

Data Protection Control

 

Compliance with data protection policies and laws needs to be checked regularly. The data controller in partnership with other company elements and, if necessary, external inspectors are responsible for this verification. All results of these controls have to be communicated to the data protection officer, who will select the most relevant ones to report to the company’s management.

 

Incidents that affect data security

 

Any employee who becomes aware of a breach of data security (whether of applicable law or internal policy) must immediately report it to their superior or to the data protection officer. The superior shall be responsible for communicating the incident as soon as possible to the data protection officer when one or more of the following cases occurs:

 

  • improper transmission of personal data to third parties;
  • improper access of third parties to personal data;
  • loss of personal data.

 

When any of the above cases occur, the internal procedures necessary to comply with legal obligations to notify data security incidents should be immediately activated.

 

Responsibilities and sanctions

 

Company management is responsible for data processing and is committed to ensuring that the legal requirements in the data protection policy are met (for example, notification obligations). The correct processing of the data and the guarantee of its protection is executed through compliance with the legislation backed by organizational and technical measures defined by the administration and that are fulfilled by all the collaborators.

 

When new processing of personal data is envisaged, whether due to changes to the internal processes or to the creation of new projects, data protection officers should be informed. If it is necessary to process data that could endanger the rights of those involved (especially personal data with special protection), the data protection officer should be included in the process.

 

It is necessary to ensure that employees are trained on data protection according to the function they perform, i.e. the more their tasks are associated with personal data, the more knowledge they must have about the current legislation.

 

Responsible for Data Processing and Responsible for Data Protection

 

The person in charge of data protection is the element that enforces and supervises compliance with national and international data protection legislation.

 

If you have any questions regarding the way we treat your personal data or wish to exercise any of your rights, please contact us at: rgpd@opensoft.pt

 

Last Updated

October 30th, 2019