Personal Data Protection and Privacy Policy

1. Data Protection and Privacy Commitment

Sodecia is committed to complying with all applicable community and national legal regulations within the scope of data protection and information security.

Sodecia implemented a Personal Data Protection System and an Information Security System, in order to guarantee regulatory compliance and the demonstration or evidence of institutional responsibility in matters of data protection and information security, implementing all necessary technical and organizational measures considered appropriate, both for compliance with the legal regime of the General Data Protection Regulation (Regulation EU 2016/679, of April 27, hereinafter referred to as GDPR), and for compliance with the legal regime of the GDPR Implementation Law (Law No. 58/2019, of August 8, hereinafter referred to as LERGPD), or other applicable
complementary legislation.

For any clarification or additional information or to exercise rights in this regard, please contact Sodecia’s Data Protection Officer via email at dpo@sodecia.com.

2. Definitions

«Personal data»

«Personal data», information relating to an identified or identifiable natural person («data subjects») – is considered identifiable a natural person who can be identified, directly or indirectly, in particular by reference to an identifier. Personal identifiers are considered, for example, a name, an identification number, location data, electronic identifiers or one or more elements specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

«Processing of Personal Data»

«Processing» means an operation or set of operations carried out on personal data or on sets of personal data, by automated or non-automated means, such as collection, recording, organization, structuring, conservation, adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or any other form of making available, comparison or interconnection, limitation, erasure or destruction. «Cookies» (Connection Testimonials).

«Cookies» (Connection Testimonies)

«Cookies», known as «Connection Testimonies», are small text files with information considered relevant that the devices used for access (computers, cell phones or portable mobile devices) load, through the internet browser («browser»), when an online site is visited by the User or User.

3. Entity responsible for the processing

Sodecia – Participações Sociais, SGPS, SA, Tax Number PT503437786, hereinafter referred to as Sodecia, is the entity responsible for the forms, online websites, computerized systems or applications, hereinafter referred to as channels or applications, through which Users or Service Recipients have remote access to Sodecia services that are presented or provided, at any time, through them, being the entity considered responsible for the personal data processing.

The use of channels, systems or applications by any User or Service Recipient may imply the carrying out of personal data processing operations, whose protection, privacy and security are ensured by Sodecia, as the entity responsible for the respective processing, in accordance with the terms of this Data Protection and Privacy Policy.

4. Institutional Contacts of the Data Officer

For the purpose of contacting Sodecia’s Data Protection Officer, please send an email to dpo@sodecia.com or to each of the specific addresses identified in the forms, online websites or applications, describing the subject of the request and indicating an email address, a telephone contact address or a mailing address for response.

For any other purpose, the following general contacts of Sodecia may be used, as Responsible for the Processing of personal data:

5. Personal Data Collection and Processing

Sodecia processes the personal data strictly necessary for the provision of information and the operation of its channels, according to the uses made of them by Users or Service Recipients, either those provided for the purposes of registering requests or obtaining information, or those provided for the purposes of joining those channels, or those resulting from the use of the services provided by Sodecia through them, such as access, queries, instructions, requests or applications, transactions and other records relating to their use.

In particular, the use or activation of certain functionalities of the channels may involve the processing of various direct or indirect personal identifiers, such as name, home address, personal contacts, device addresses or geographical location, provided that there is express consent from
the specific User or Service Recipient, provided that this is necessary for the management of the contractual relationship or the pursuit of legitimate interests or, finally, for the purposes of complying with legal obligations.

In all cases, Users, Service Recipients or Users will always be informed of the need to access such data in order to use the functionalities of the channels in question, as well as the respective basis of legitimacy for processing such data.

Personal data collected by Sodecia are processed manually or, in certain cases, in an automated or computerized manner, including the processing of files or the eventual definition of profiles, within the scope of managing the pre-contractual, contractual or post-contractual relationship with Users or Service Recipients, in accordance with current national and community regulations.

6. Personal Data Processed and Personal Owners Categories

The categories or types of personal data processed are generally as follows:

  • identification data;
  • contact details;
  • professional data;
  • billing data;
  • traffic and access control data.

At the various establishments of the Data Controller, biometric data may also be processed, which will be handled through video surveillance systems or other biometric systems that are installed.

The categories or types of personal data subjects subject to processing are generally Users or Service Recipients, and may also include, in special processing situations, members of their households or visitors to the Controller’s premises.

A detailed list of categories of personal data and categories of data subjects can be found in the Data Processing Information Forms for each specific processing activity.

7. Legal Principles

All data processing operations comply with the fundamental legal principles in the matter of data protection and privacy, namely with regard to their circulation, lawfulness, fairness, transparency, purpose, minimization, conservation, accuracy, integrity and confidentiality, and Sodecia is available to demonstrate its responsibility towards the data subjects, towards the authorities or towards any other third party that has a legitimate interest in this matter.

8. Legitimacy Foundations

All data processing operations carried out by Sodecia have a legitimate foundation, namely, either because the data owner has given their consent to the processing of their personal data for one or more specific purposes, or because the processing is deemed necessary for the performance of
a contract to which the data owner is a party or for pre-contractual steps at the request of the data owner, or because the processing is necessary for compliance with a legal obligation to which the data controller is subject, or in the public interest, or because the processing is considered necessary for the pursuit of the legitimate interests pursued by Sodecia or by a third party – the specific grounds being referred to in the specific data processing activities.

9. Processing Purpose

All personal data processed within the scope of Sodecia’s channels is intended exclusively for the provision of information to Users, the management of personal information of Service Recipients deemed necessary for the purposes of relationship management or communication, as well as the provision of services to Users and, in general, the management of pre-contractual, contractual or
post-contractual relationships with Users or Service Recipients.

The personal data collected may also be processed for statistical purposes, for disclosure of information or promotional actions and for communication actions, namely, to promote actions to publicize new features or new services, through direct communication, whether by correspondence, e-mail, messages or telephone calls or any other electronic communications service.

Provided that prior information and the collection of express authorization for the latter purposes are always ensured, Users or Services Recipients may, at any time, exercise their right to withdraw consent or their right to object or limit the use of their personal data for other purposes that go beyond the management of the relationship with the Data Controller, in particular for the pursuit of legitimate interests, for sending informative communications or for inclusion in lists or information services, by sending a written request to Sodecia’s Data Protection Officer, in accordance with the procedures set out below.

10. Information Form on Data Protection on Websites

In accordance with the loyalty and transparency principle and in order to guarantee compliance with the duty to provide information, Sodecia delivers directly or makes publicly available to all data subjects, depending on how their personal data is collected, information forms on the data processing activities carried out, which can be consulted at any public service point or by requesting them from the Data Protection Officer.

With regard to electronic sites (“Websites”) and online services (“Online”), please consult the Information on Data Processing on https://sodecia.groupdpo.com/p/information/.

11. Data Retention Periods

Personal data will only be retained for the period necessary for the purposes for which they were collected or subsequently processed, ensuring compliance with all applicable legal rules on archiving and specifying the specific retention period in each of the Data Processing Information Forms.

12. Use of Cookies (Connection Testimonials)

Regarding the use of Cookies or Connection Testimonials by Sodecia, see the Cookies Policy at https://sodecia.groupdpo.com/p/policies/.

13. Data communication to other entities

The provision of information or the provision of services by Sodecia to its Users or Service Recipients through the channels may involve the use of services by third party subcontractors, Joint Data Controllers or other autonomous Data Controllers, including entities based outside the European Union, for the provision of certain services, and this may involve access by these entities to such personal data. 

In these circumstances, and whenever necessary, Sodecia will only use entities that provide sufficient guarantees that appropriate technical and organizational measures have been taken to ensure that the processing meets the requirements of the applicable regulations, and such guarantees will be formalized in a contract signed between Sodecia and each of these third parties.

14. Data Recipients

Except in the context of compliance with legal obligations, the execution of contracts or the pursuit of legitimate interests, under no circumstances will the personal data of Users or Service Recipients be communicated to third parties other than subcontractors or legitimate recipients, nor will any other communication be carried out for purposes other than those referred to above, without the prior express consent of the data owner.

15. International Data Transfers

Any transfer of personal data to a third country or an international organization will only be carried out within the framework of compliance with legal obligations or guaranteed compliance with applicable community and national legal regulations in this matter.

16. Security Measures

Considering the most advanced techniques, the costs of application and the nature, scope, context and purposes of the processing, as well as the risks, of variable probability and severity, for Users or Service Recipients, Sodecia and all its subcontractors apply the appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

Therefore, various security measures are adopted in order to protect personal data against its dissemination, loss, unauthorized use, alteration, unauthorized processing or access, as well as against any other form of unlawful processing.

It is the sole responsibility of Users or Service Recipients to keep their access codes secret and not share them with third parties, and in the particular case of the computer applications used to access the channels, they must maintain and keep the access devices in a safe condition and follow the security practices advised by the manufacturers and/or operators, in particular as regards the installation and updating of the necessary security applications, including, among others, antivirus applications.

17. Exercising the Rights of Personal Data Subjects

Sodecia Users or Service Recipients may, as owners of personal data, exercise their data protection and privacy rights at any time, namely the rights to withdraw consent, access, rectification, erasure, portability, limitation or opposition to processing, under the terms and with the limitations provided in the applicable rules.

Any request to exercise data protection and privacy rights must be addressed in writing by the data owner to the Data Protection Officer, in accordance with the procedure and contact details described below.

A Form for the Exercise of the Rights of Personal Data subjects is available at https://sodecia.groupdpo.com/pt-pt/home/formularios/ or at any Sodecia service point and can also be sent by email by requesting the Data Protection Officer by email at dpo@sodecia.com.

18. Complaints or Suggestions

Users, Service Recipients or Users have the right to submit a complaint, either by registering the complaint in the Complaints Book or by submitting a complaint to the regulatory authorities – in the last case, they can submit a petition or complaint directly to the national Supervisory Authority of each of the countries where each of the SODECIA Group companies is located, through the contacts available at https://sodecia.groupdpo.com/p/faqs/

Users or Recipients of Services may also make suggestions via email sent to the Data Protection Officer via email at dpo@sodecia.com.

19. Report of Personal Data Breach Incidents

If any User or Service Recipient wishes to report the occurrence of any personal data breach, which accidentally or unlawfully causes the unauthorized destruction, loss, alteration, disclosure of or access to personal data that has been transmitted, retained or otherwise processed, they may contact Sodecia’s Data Protection Officer or use Sodecia’s general contacts.

A Personal Data Breach Incident Report Form is available at https://sodecia.groupdpo.com/p/forms/ or at any Sodecia service point and can also be sent by email by requesting the Data Protection Officer by email at dpo@sodecia.com.

20. Permanent Security Contact Point

Sodecia has implemented a Permanent Contact Point for the management of information security and cyberspace security incidents.

If any User or Service Recipient wishes to report an information security incident or a cyberspace security incident, they can contact Sodecia’s Permanent Contact Point through the communication channels available at https://sodecia.groupdpo.com/p/security/.

An Information Security or Cyberspace Security Incident Reporting Form is available at https://sodecia.groupdpo.com/p/forms/  or at any Sodecia service point and can also be sent by email by requesting it from the Permanent Contact Point.

21. Protection of Whistleblowers

Sodecia has implemented a Whistleblower Channel, in accordance with the legal regulations in effect, guaranteeing the protection of data subjects’ personal data, under the terms of the Whistleblower Protection Policy accessible at https://www.sodecia.com/whistleblowing/ .

The Whistleblower Officer at Sodecia can be contacted via the contact details available at https://sodecia.groupdpo.com/p/whistleblowing/ .

The Sodecia Whistleblowing Platform is accessible via the link available at https://sodecia.groupdpo.com/p/whistleblowing/ https://www.sodecia.com/whistleblowing/ .

A Whistleblowing Form can be found at https://whistleblowing.sodecia.com/  or at any Sodecia service point and can also be sent by email on request to the Whistleblowing Officer.

22. Corruption Prevention

Sodecia has implemented a Regulatory Compliance Program within the scope of the Prevention of Corruption, in accordance with the legal regulations in effect, guaranteeing the protection of data subjects’ personal data, under the terms of the Prevention of Corruption Policy available at
www.sodecia.com .

For the submission of complaints within the scope of the corruption prevention regime, any interested party can use

23. Data Protection Policies and Special Information Forms

With a commitment to transparency and information and in order to ensure that the Data Protection and Privacy Policy is appropriate to the different data processing operations carried out and, above all, to the different categories of data subjects, Sodecia may develop special Data
Protection Policies, such as, for example:

  • the Data Protection and Privacy in the Employment Context;
  • the Data Processing Policy in the Management of Applications, Selection Processes and Recruitment;
  • the Data Processing Policy in the Relationship with Suppliers or
  • the Cookies and Testimonials Policy.

These special policies are made available directly to the respective categories of data subjects or in the context of the correlated processing activities and are available for consultation on request to the Data Protection Officer, by emailing dpo@sodecia.com.

The Data Protection Policies are also complemented by Data Processing Information Forms, reinforcing transparency and information on specific data processing activities at Sodecia, which are made available at the time of data collection, at any service point or by contacting the Data Protection Officer.

24. Information Form on Data Processing in Relationships with Users

The Information Form on Data Processing in Relationships with Users or Service Recipients is accessible at https://sodecia.groupdpo.com/p/information/.

25. Data Protection Officer

For any information, complaint, incident report or exercise of any type of data protection and privacy rights or for any matter relating to data protection and information security issues, Users or Service Recipients who interact with Sodecia may

  • contact the Data Protection Officer directly by email at dpo@sodecia.com, describing the request and providing an email address, a telephone contact address or a correspondence address for reply, or, if they prefer,
  • contact any Sodecia unit or service point, requesting communication with the Data Protection Officer.

26. Express consent and Acceptance

The terms of the Data Protection and Privacy Policy are complementary to the terms and provisions on personal data set out in the Specific Conditions of Use of each of Sodecia’s communication channels.

The free, specific and informed disclosure of personal data by the respective data owner implies knowledge and acceptance of the conditions set out in this Policy, and it is considered that, by using the channels or by providing their personal data, Users or Service Recipients are expressly authorizing their processing, in accordance with the rules defined in each of the channels or communication instruments.

27. Amendments to the Data Protection and Privacy Policy

In order to ensure its updating, development and continuous improvement, Sodecia may, at any time, make any changes that are deemed appropriate or necessary to this Data Protection and Privacy Policy, and its publication in the different channels is ensured to guarantee transparency and information to Users, Service Recipients and Users.

28. Versions of Data Protection and Privacy Policy

Version of this Policy: 202501.

Date: 20250131.

To consult previous versions of the Data Protection and Privacy Policy, please send a request by email to dpo@sodecia.com.

SODECIA
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.