Information Sheet on the Processing of Personal Data in the Workplace

Human Resources Management Procedures, Safety, Hygiene and Health at Work and Social and Corporate Activities

SODECIA Group companies(*) process the personal data of employees or similar collaborators who are at any of their facilities for the purposes of applying Human Resources Management Procedures, Occupational Medicine, Safety, Hygiene and Health at Work, as well as for social and corporate activities aimed at promoting well-being at work and interpersonal relations in the workplace. This processing is carried out in accordance with data protection regulations, namely the General Data Protection Regulation, the Law Implementing the General Data Protection Regulation or special legislation in the countries of each of the group’s companies, in accordance with the following parameters:

1. Data Officer:

Companies of the SODECIA Group, represented by Sodecia — Participações Sociais, SGPS, SA (hereinafter referred to as Sodecia), with Tax Number 503437786, with registered office at Rua António Bessa Leite, 1430, 4º – 4150-074 Porto, Portugal, telephone (+351) 220101900 and email sodecia@sodecia.com .

2. Contact of The Data Protection Officer:

The Data Controller has a specific email address for personal data protection purposes, and the Data Protection Officer is available at dpo@sodecia.com .

3. Categories of Data Subjects:

Workers or equivalent employees who are on any type of premises under the supervision or scope of Sodecia’s powers and responsibilities, including employees, directors, administrators and other hierarchical managers.

4. Personal Data to Be Processed:

General categories of data such as:

  • Personal and professional identification data;
  • Personal and professional contact data;
  • Private life data strictly necessary for the fulfillment of the identified purposes;
  • Limited temporal data (day and month of birth for the purposes of institutional congratulations);
  • Academic and professional data relevant to the job;
  • Attendance and punctuality data;

As well as special categories of personal data, such as health data considered necessary for the execution of the employment relationship within the framework of Occupational Medicine or Safety, Hygiene and Health at Work and other similar situations.

5. Context and Purpose of Processing:

Personal data is processed exclusively for the following purposes:

5.1 Main purposes:

  • Human resources management and administration of the employment relationship;
  • Application of occupational medicine procedures;
  • Safety, Hygiene and Health at Work, according to the instructions issued by the administrative authorities or by another entity in the context of Health at Work;

5.2 Complementary purposes:

  • Activities of a social and corporate nature, including sending birthday greetings and other communications of institutional courtesy designed to promote a positive working environment and interpersonal relations;
  • Organization of corporate events and team building activities;
  • Internal communication of an institutional nature;

5.3 Organizational Management Purposes:

  • Internal communications related to the organization of work;
  • Management of social and employment benefits;
  • Performance evaluation and professional development.

6. Legal Basis:

The processing of data is based on, depending on the specific purpose:

  • Performance of the employment contract (Article 6(1)(b) of the GDPR);
  • Compliance with legal obligations (Article 6(1)(c) of the GDPR);
  • Protection of vital interests (Article 6(1)(d) of the GDPR);
  • Pursuit of legitimate interests (Article 6(1)(f) of the GDPR), namely for social and corporate activities aimed at improving the working environment and interpersonal relations.

7. Consequences of Not Providing the Data:

The processing of personal data is, as a rule, necessary for the performance of the contract, the fulfillment of legal obligations, the protection of vital interests or the pursuit of legitimate interests. For mandatory purposes, it may be a condition of access to or presence on Sodecia’s premises, whereby if it is not carried out, the data subject is prohibited from accessing it, and the consequences for the maintenance of the employment relationship are also assessed.

With regard to additional purposes based on legitimate interest (such as birthday greetings), the employee may exercise the right to object without consequences for the employment relationship.

8. Recipients:

The data controller carries out the processing itself (through professional technicians subject to the obligation of qualified professional secrecy) or on its behalf, through subcontractors accredited for the provision of services selected by it and bound by strict technical and organizational measures adjusted to the protection of personal data.

For social and corporate purposes, access is limited to authorized administrators and managers, exclusively for the purposes identified.

9. Security Measures:

The technical and organizational security measures deemed appropriate to ensure a level of data processing security appropriate to the risk are in place, including:

  • Access controls based on user profiles;
  • Audit log of processing operations;
  • Encryption of data in transit and at rest;
  • Specific training for authorized personnel;
  • Procedures for responding to security incidents.

10. Place of Data Collection:

The data is collected or measured by a Human Resources Management technician, an Occupational Medicine technician or a Safety, Hygiene and Occupational Health technician accredited by Sodecia, and the privacy or confidentiality of its collection or measurement and the respective integrity, quality and accuracy of the data are guaranteed.

For data intended for social purposes, collection is limited to what is strictly necessary and is carried out with the same guarantees of confidentiality.

11. Retention Period:

Without prejudice to the exceptional situations of extension of the retention period provided for by law or considered necessary for the defense of legitimate rights or interests, the personal data processed is kept for the period necessary for the execution of the purposes, establishing the following criteria:

11.1 Main Purposes: Period necessary to carry out the purposes of the Human Resources Management, Occupational Medicine or Occupational Safety, Hygiene and Health Procedures;

11.2 Complementary purposes: Data for social activities is kept for the duration of the employment relationship and deleted within a maximum of 12 months after termination;

At the end of the applicable retention period, the data will be securely and irreversibly deleted.

12. Communication of Data:

With the exception of situations where there is a legal obligation to communicate data, there are no operations involving the communication of data to third parties. The data processed for social purposes remains exclusively within the internal scope of the SODECIA Group companies.

13. Interconnection of Data and Automated Decisions:

No interconnection of personal data is carried out and no decisions are made based exclusively on automated processing, including profiling.

14. International Transfers of Personal Data:

With the exception of transfers carried out within the group’s companies for the purposes of human resources management and coordination of corporate activities, no operations are carried out to transfer employees’ personal data to entities in third countries or international organizations.

15. Processing and Media:

Depending on the circumstances, personal data is eventually collected or measured by a Sodecia technician, and is subject to multiple non-automated and automated processing procedures and is incorporated into various types of analog or digital media that are deemed necessary to achieve the purposes of the Human Resources Management Procedures, Internal Security, Access Control, Prevention, Control and Surveillance of Safety, Hygiene and Health at Work, Contingency Plan Procedures and social and corporate activities.

16. Rights of the Data Subject:

The data subject has the right to request from the data controller:

  • Access to their personal data and information about the processing;
  • Rectification of inaccurate or incomplete data;
  • Erasure of data under the conditions laid down by law;
  • Limitation of processing in certain circumstances;
  • Opposition to processing, especially for purposes based on legitimate interest, including social activities;
  • Data portability, where applicable;
  • Withdrawal of consent, whenever this is the basis for the legitimacy of the processing;

To exercise these rights, simply contact Sodecia’s Data Protection Officer using the contact details given in point 18.

17. Right to Lodge a Complaint with the Supervisory Authority:

The data subject may always exercise the right to lodge a complaint with the national data protection supervisory authority (Comissão Nacional de Proteção de Dados – CNPD, in Portugal), should they deem it necessary.

18. Address for Exercising Rights:

To request any information, submit complaints or request the exercise of rights, please contact the email address dpo@sodecia.com  or the contacts indicated in point 1.

19. Data Protection Policy:

Personal data processing operations are carried out in accordance with the General Data Protection Policy available at www.sodecia.com .

20. Regulations and Information Leaflets:

The Regulations and Information Leaflets on Human Resources Management Procedures, Occupational Health, Safety, Hygiene and Health at Work, the Contingency Plan and Social and Corporate Activities are available for consultation at Sodecia’s Human Resources Department.

21. Exercising the Right to Object for Specific Purposes

Specifically for activities of a social and corporate nature (including birthday congratulations), the employee may exercise the right to object simply and free of charge, through the contacts indicated, without this having any negative consequences for the employment relationship.

Date of entry into force: [Date]

Version: 2.0

Approval: SODECIA Group Human Resources

(*) This information sheet applies to all SODECIA Group companies, and there may be additional specificities depending on the local legislation applicable in each country of operation. For detailed and up-to-date information on the processing of personal data in each specific company, you should consult the Sheet applicable to each of the Group’s companies, available on the Data Protection Platform accessible via the link sodecia.groupdpo.com.

SODECIA
Powered by  GDPR Cookie Compliance
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.