Data Protection and Privacy Policy in the Employment Context
Sodecia – Participações Sociais, SGPS, SA, legal person with the Tax Number PT503437786, with registered office at Rua António Bessa Leite, 1430, 4º – 4150-074 Porto, Portugal, hereinafter referred to as Sodecia, “Employer” or “Data Controller”, hereby publishes this Data Protection and Privacy Policy, to ensure transparency and the disclosure to each of its employees of the rules applicable to Data Protection in the Workplace, following the entry into force of the General Data Protection Regulation (hereinafter GDPR) and the Law Implementing the General Data Protection Regulation (hereinafter LERGPD).
1. Contact details of the Data Officer
Sodecia establishes the following contacts for the purpose of applying the GDPR rules as Data Officer:
General email address: sgps@sodecia.com;
General telephone: (+351) 220 101 900;
Website: https://www.sodecia.com/;
Email address of the Data Protection Officer: dpo@sodecia.com.
2. Personal Data
2.1. Sodecia, as an Employer, within the strict limits of the purposes and legal basis specified below, processes, by itself or on its behalf, Employees’ personal data, namely, name, marital status, civil, tax, social security and health user identification numbers, age, date of birth, place of birth, academic, technical, professional qualifications, telephone numbers, composition and identification of members of the respective household, training data and professional performance data.
2.2. The Employer, with the exception grounds provided in article 9 of the General Data Protection Regulation and in strict compliance with the provisions of that article, especially in terms of the obligation of professional secrecy, eventually processes the following special categories of personal data: trade union membership, biometric data and health data.
3. Purposes of Processing
3.1. Employees’ personal data are processed for the purposes inherent in the execution of the employment contract, including compliance with connected legal obligations, namely work planning and organization, equality and diversity in the workplace, health and safety at work, protection of the Employer’s assets and for the purposes of the exercise and enjoyment, individually or collectively, of employment related rights and benefits, as well as for the purposes of termination of the employment relationship.
3.2. Without prejudice to the above purposes, special categories of personal data are processed for the following specific purposes:
a) trade union membership – for compliance with legal obligations and/or at the request of Workers;
b) biometric data – for access control to facilities and/or attendance control and for the protection of people and property;
c) health data – for the purposes of preventive and occupational medicine and for assessing the working capacity of Workers, by subcontractors legally qualified for the purpose, and under strict obligation of professional secrecy.
4. Legal Basis for Processing
4.1. The processing of the aforementioned personal data is necessary for:
i) the execution of the employment contract;
ii) the fulfillment of legal obligations to which the Employer is subject by virtue of applicable national or Community legislation;
iii) the legitimate interests pursued by the Employer, namely the exercise of its management power and the corresponding optimization of its operational organizational processes.
4.2. Apart from these cases, the Employer may process data collected from Employees for other specific, explicit and legitimate purposes, expressly obtaining the corresponding legitimate consent of the Employees at the time the data is collected.
5. Recipients
5.1. Within the scope and context of the employment relationship and for the purposes and on the grounds specified above, the Employer may communicate the Employees’ personal data to other entities, namely subcontractors for the provision of occupational medicine, management consultancy, human resources, accounting, tax, legal or other services, banking entities, insurance entities, the Tax Authority, Social Security Services, the Working Conditions Authority, the Employment and Professional Training Institute, judicial entities, enforcement agents, the National Data Protection Commission and other entities as determined by law or in compliance with judicial orders.
5.2. The Employer, in accordance with the provisions of the General Data Protection Regulation, will formalize the corresponding contracts with its subcontractors, ensuring that they adopt the technical and organizational protection measures adjusted to the protection of the personal data processed by them.
6. Retention Period
6.1. Without prejudice to the personal data being kept for the period strictly necessary to achieve the specific purposes in hand, and complying with other applicable legal deadlines depending on the special categories of personal data processed, the personal data of the Workers will be kept, by default, for a period of two years from the termination of the employment contract binding the Parties, under the terms set out in article 337 nº 1 of the Portuguese Labor Code.
6.2. Employees are informed that this period may be extended when this becomes necessary for the declaration, exercise or defense of the Employer’s rights in legal proceedings.
7. Rights of Personal Data Subjects
7.1. Employees, as owners of personal data, have the right to access, rectification, erasure, limitation, opposition and data portability, under the conditions and with the exceptions provided for by law.
7.2. In the event of a breach of their personal data, the Data Owner may also submit a complaint to a supervisory authority, namely the National Data Protection Commission.
7.3. In cases where the legal basis for the processing of their personal data is their consent, Employees also have the right to withdraw their consent at any time, without this affecting the lawfulness of the processing carried out until then on that basis.
8. Exercise of the rights of the Personal Data Subjects
8.1. To exercise any type of data protection and privacy rights or for any matter relating to data protection, privacy and information security, Employees may contact the Data Protection Officer at dpo@sodecia.com , describing the subject of the request and indicating an email address, a telephone contact or a correspondence address for reply.
8.2. A Form for Exercising the Rights of the Personal Data subjects is accessible to Employees at https://sodecia.groupdpo.com/p/forms/ or at any Employer’s service point.
9. Employee’s Obligations with Respect to the Protection of Personal Data
Employees are obliged to act in accordance with the applicable legal regulations in the domain of personal data protection and with the internal regulations in force in this area, namely the procedures, internal regulations and work instructions in the domain of data protection and information security, expressly being aware of the terms of the Data Protection Policies and Information Security Policies approved by the Data Controller, accessible on the Data Protection Officer’s Documentation Platform at https://sodecia.groupdpo.com/ .
10. Duty of Secrecy and Confidentiality
Employees are obliged to comply with duties of secrecy and confidentiality whenever they process personal data, in accordance with the terms of the Data Protection and Privacy Policy accessible at https://www.sodecia.com/ . They must guarantee the confidentiality of all personal data within the scope of their employment responsibility, undertaking to comply with all the procedural, technical and organizational measures necessary for the secrecy of personal data or information, and these data must be processed in a manner that guarantees their security, including protection against unauthorized or unlawful processing and against accidental access, editing, disclosure, use, destruction or damage, adopting the measures deemed appropriate to ensure the protection of personal data.
11. Duty to Notify a Personal Data Breach
11.1. Workers must know and comply with the rules of the incident management system regarding personal data and information security in application at the Employer.
11.2. In the event of a breach of personal data, Workers must notify the Employer of this fact, without undue delay and, whenever possible, within 8 hours of becoming aware of it, unless the breach of personal data is not likely to result in a risk to the rights and freedoms of natural persons. If the notification is not transmitted within 8 hours, it must be accompanied by the reasons for the delay.
11.3. A Personal Data Breach Incident Reporting Form is available at https://sodecia.groupdpo.com/p/forms/ or at any Sodecia service point and can also be sent by email by requesting it from the Data Protection Officer.
12. Permanent Security Contact Point
12.1. Workers are informed that the Employer has implemented a Permanent Contact Point for the purposes of managing information security and cyberspace security incidents, in accordance with the legal standards in force, with the obligation to communicate, as soon as they become aware, the occurrence of any information security incident or cyberspace security incident, contacting, without undue delay, the Permanent Contact Point through the communication channels indicated at https://sodecia.groupdpo.com/p/security/.
12.2. Workers must use the Information Security or Cyberspace Security Incident Reporting Form accessible at https://sodecia.groupdpo.com/p/forms/ or at any work service point and may also request it to be sent by email, by submitting a request to the Permanent Contact Point.
13. Whistleblower Protection
13.1. Workers are informed that the Employer has implemented a Whistleblower Channel, accessible through the link available at https://whistleblowing.sodecia.com/ , in accordance with current legal standards, guaranteeing the protection of data subjects’ personal data.
13.2. A Whistleblowing Form is available to workers at https://whistleblowing.sodecia.com/ or at any workplace service point, and the Whistleblowing Officer at the Employer may also be asked to send it by email, using the contact details available on that link.
14. Corruption Prevention
14.1. Employees are informed that the Employer has implemented a Compliance Program for the Prevention of Corruption, in accordance with the legal regulations in force, guaranteeing the data protection of the personal data subjects.
14.2. For the purposes of submitting complaints within the scope of the corruption prevention regime, Employees are informed that they should, depending on their preference, use the Employer’s Whistleblowing Channel accessible at https://whistleblowing.sodecia.com/ , contact any workplace service point in person or send an email to the Regulatory Compliance Officer using the contact details available at https://whistleblowing.sodecia.com/ .
15. Data Processing Information Forms
Employees can consult all the Employer’s Data Processing Information Forms on the Data Protection Officer Platform, accessible at https://sodecia.groupdpo.com/p/information/ , or in person at any workplace service point.
16. Amendment of Internal Data Protection Procedures, Policies or Regulations
16.1. In order to ensure their updating, development and continuous improvement, Employees are informed that the Employer may, at any time, make any changes that are deemed appropriate or necessary to the Procedures, Policies or Internal Data Protection Regulations, and their publication in the various internal channels is ensured in order to guarantee transparency and information to Employees.
16.2. Employees are informed that they can consult the applicable updated versions of the Procedures, Policies or Internal Data Protection Regulations on the Data Protection Officer’s Documentation Platform, accessible at https://sodecia.groupdpo.com/ or, in person, at any workplace service point, and can also consult the document history by emailing a request to dpo@sodecia.com .
17. Support from the Data Protection Officer
To request intervention or request assistance or technical and regulatory support in the context of data protection or privacy, Workers must contact the Data Protection Officer of the Employer, via email dpo@sodecia.com , with the functional description, procedures and contacts available on the Data Protection Officer Support Platform, accessible to Workers at https://www.dataprotectionofficer.help/support/ .
18. Versions of the Data Protection and Privacy Policy in the Employment Context
Version of this Policy: 202501.
Date: 20250131.
To consult the previous versions of the Data Protection and Privacy Policy in the Employment Context, Workers can send a request by email to dpo@sodecia.com .