Compliance with the law on protection of personal data and respect for the rights of data subjects' personal data is a priority for us.
The data controller and the data protection officer
Euroatla Navegação e Trânsitos, Lda., with registered office at Av. Álvares Cabral, 61, 2nd floor, 1250-017 Lisbon, Portugal, with the single registration and legal person number 501089454 (hereinafter referred to as Euroatla) collects and processes the personal data of its customers consisting of natural persons, as well as the personal data of the customers, natural persons, of its customers, to whom a particular consignment is addressed.
Euroatla is not legally obliged to appoint a Data Protection Officer. However, it is recommended to nominate an internal compliance officer to ensure compliance with the law and to inform and advise the company and its employees regarding processing of personal data. Under GDPR terms, it was decided to appoint Hugo Pereira, CFO, as internal compliance officer and data controller at Euroatla.
Personal data, personal data subjects and categories of personal data
Personal data means, according to the Regulation, information relating to an identified or identifiable natural person ("data subject"). An identifiable person is considered to be a natural person who is, directly or indirectly, identifiable in particular by reference to an identifier, such as the name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Examples of personal data collected:
|Identification and contacts||Name, tax identification number, address, e-mail address, telephone number|
|Financial data||Billing address; bank account number; credit or debit card numbers; name and information of holders of bank accounts or bank cards|
|Services||Products and/or services purchased|
|Electronic identification data||Cookies or similar technologies and activity logs|
These personal data are provided to us directly by the data subject or through a third party, generally in order to implement contracts relating to the carriage of goods.
Basis, Purposes and Duration of the Processing of Personal Data
The data provided by customers are processed with the following purposes: provision of contracted services in the performance of our business activity; customer management; accounting, tax and administrative management; management of litigation; network and systems management; control of information security and physical security; compliance with legal obligations; marketing and sales. The processing of data for marketing purposes will be carried out according to the consent option indicated by the customer.
What is the period for which the personal data will be stored?
The personal data of customers are stored for the period necessary for provision of the services, billing and compliance with applicable obligations. Accordingly, there are different retention periods depending on the purpose for which the data are intended. In all cases, Euroatla complies with the principles of need and of minimisation of the storage time.
Rights of the personal data subject
The data subject has the right to access, rectification, cancellation and objection:
a) The right of access consists on knowing whether your data are being processed, the purposes, the recipients (in particular in the case of transfer to third countries), the period for storage, the existence of the right to request rectification, deletion or limitation of the processing of the data subject's personal data from the data controller, or the right to object to such processing, and in relation to which may file a complaint with a supervisory authority.
b) The right of rectification means the subject has the right to ensure, without undue delay, the rectification of inaccurate personal data concerning him or her. As regards the purpose of the processing, te data subject has the right to complete any of his or her incomplete personal data, including by means of an additional declaration.
c) The right to cancellation (also known as "deletion" or "oblivion") means that in the certain circumstances specified in the GDPR, the subject has the right to ensure that the controller erases his or her personal data without undue delay and the controller is obliged to erase the personal data without undue delay.
d) The right of objection means that the data subject has the right to object at any time, for reasons relatinf to his or her specific situation, to the processing of his or her personal data which is based on legitimate interests or a public interest. The controller shall cease processing the personal data unless it submits overriding and legitimate reasons for such processing which prevail over the interests, rights and freedoms of the data subject, or for the purposes of declaration, exercise or defence of a right in judicial proceedings.
The data subject has the right to withdraw his or her consent at any time. Withdrawal of consent does not compromise the lawful processing already occurred on the basis of consent previously given.
The data subject has the right not to be subject to any decision made solely on the basis of automated processing, including the definition of profiles.
The data subject has the right to receive the personal data concerning to him or her, and which had been provided to a data controller, in a structured, updated and automatic reading format. The subject also has the right to transfer his data to another data controller without the controller to whom the personal data had been supplied being able to prevent this, if: a) the processing is based on the consent give under Article 6(1)(a) or Article 9(2)(a) or in a contract referred to in Article 6(1)(b); and b) the processing is performed by automated means. In exercising his or her right to portability of data, the data subject has the right to have the personal data transferred directly between those responsible for the processing, whenever his is tecnically possible.
Personal data breach
In the case of a personal data breach that may entail a high risk for the rights and freedoms of the data subject, the data subject has the right to be informed of the personal data breach.
Complaint to a supervisory authority
The data subject has the right to complain to the national supervisory authority. In Portugal, this is the National Data Protection Authority (CNPD). The contacts of the CNPD are as follows:
- Address: Rua de São Bento, 148, 3rd floor, 1200-821 Lisbon
- Telephone: (+351) 213 928 400
- Fax: (+351) 213 976 832
- Private Line: (+351) 213 930 039
- E-mail: email@example.com
Exercise of the rights under the GDPR
In order to exercise any of your rights above, you may send an e-mail to the following address: firstname.lastname@example.org, or communication by any other means, sent to the data protection officer above.
We promise to reply to your request within 30 days. If it is necessary to extend this deadline, we will inform the data subject in writing.
The provision of information and the exercise of rights are free of charge. However, if the requests submitted by a data subject are manifestly unfounded or excessive, in particular because of their repetitive nature, the controller may require payment of a reasonable fee taking into account the administrative costs of providing the information or communication, or with taking the requested measures; or it may refuse to comply with the request.
How do we protect your data
Taking into account the nature, scope, context and purpose of the data processing, as well as the risks to the rights and freedoms of natural persons, Euroatla has implemented and maintains technical and organisational measures which are appropriate to ensure and demonstrate that the processing is carried out in accordance with this Regulation. Thus, to protect the personal data subject to processing, Euroatla has implemented and performs the following measures:
a) the use of anti-virus, firewalls and intruder detection systems;
b) access control and traceability system based on authentication;
c) physical security measures, such as the control of access to premises, locked cabinets;
d) pseudonymisation and data encryption.