Data Processing and Protection
CUNHA SOARES & FILHOS, S.A., hereinafter referred to as “CS”, is strongly committed to protecting the privacy of the personal data of its Employees, as well as all its Clients, potential Clients, Partners, and potential Partners, to whom it has legitimate access and whose data it processes within the scope of its professional activity, always in strict compliance with the General Data Protection Regulation (GDPR), approved by Regulation (EU) 2016/679 of the European Parliament and of the Council, dated April 27, 2016, hereinafter referred to as “GDPR”.
Through this Policy, “CS”, as the data controller, aims to disclose its commitment and the rules it has implemented, particularly regarding the personal information collected, its processing, legal basis, and usage, always guided by the principles of lawfulness, fairness, transparency, and purpose limitation.
1. PERSONAL DATA
According to the GDPR, “personal data” refers to any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, electronic identifiers, or one or more elements specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
2. DATA CONTROLLER
2.1. “CS” is the entity responsible for collecting and processing personal data for the purposes indicated, having appointed Carla Mónica Freire da Silva as its representative in this matter.
2.2. If you consider the information provided herein insufficiently clear and/or transparent, or for any other relevant reason, please contact us via email: [cunhasoares@cunhasoares.pt](mailto:cunhasoares@cunhasoares.pt).
3. PERSONAL DATA COLLECTED
Depending on its business activity, “CS” collects and processes only the personal data strictly necessary to provide/perform the services requested (e.g., related to the execution of construction and subcontracting contracts), such as name (e.g., of the contact person/legal representative of a Client company), address, Citizen Card/Passport details, tax identification number, phone and email contacts, and other data that may be necessary and/or legally required in specific situations.
4. WHEN AND HOW PERSONAL DATA IS COLLECTED/PROCESSED
4.1. “CS” may collect and process personal data when a Client or potential Client contacts the company in the context of pre-contractual procedures (e.g., requesting a quote for a construction project) and/or for the purpose of entering into a contract.
4.2. Personal data may be collected through the following channels: in-person contact, telephone, postal mail, email, and website.
5. LEGAL BASIS FOR DATA COLLECTION AND PROCESSING
Personal data of Clients and potential Clients may be collected and processed:
– a) When necessary for the execution/performance of a contract to which the data subject is a party, or for pre-contractual procedures requested by the data subject (e.g., requesting a quote);
– b) When required to comply with a legal obligation to which “CS” and/or the data subject is subject;
– c) When the data subject has given consent for one or more specific purposes.
6. PURPOSES OF DATA PROCESSING
The collection of personal data aims to:
– a) Support the commercial activity of “CS” as a legally authorized company in the civil construction and public works sector;
– b) Execute the services requested by Clients or potential Clients;
– c) Conduct internal statistical processing;
– d) Offer new services aligned with the needs and interests of Clients and potential Clients.
7. DATA RETENTION PERIOD
Personal data collected by “CS” is stored and retained during the term of the service and/or contractual relationship, and even after its termination, for the period necessary to comply with legal obligations. This period may vary depending on the purposes mentioned above.
8. DATA SECURITY
8.1. Personal data is processed and stored both digitally and in paper format.
8.2. “CS” is committed to ensuring the security and protection of personal data, adopting appropriate technical and organizational measures to prevent loss, destruction, alteration, unauthorized access, or use, in accordance with technological standards, the nature of the data, and the risks involved.
8.3. As of the current version of this Privacy Policy, the implemented measures include:
– Data stored on two Windows Server machines with complex password systems for domain access;
– Group policy with permission levels up to the second level of the sharing tree;
– Passwords managed by users;
– No digital certificates in use;
– Network structure with two routers in cascade, each with primary firewalls and password protection, plus server firewalls;
– Network and server access via cable, Wi-Fi (requiring both domain and network passwords), and FTP with internal-use-only DNS;
– Servers housed in secure, locked locations;
– Backups performed in two stages: daily full backups to a restricted-access server, followed by encrypted cloud backups.
8.4. Security measures are reviewed and updated as needed.
8.5. In case of a security breach resulting in accidental or unlawful destruction, loss, alteration, disclosure, or unauthorized access to personal data, “CS” will notify the competent authorities without undue delay and, where possible, within 72 hours of becoming aware of the breach.
9. DATA CONFIDENTIALITY
“CS” enforces a confidentiality policy for personal data, restricting access and use to authorized employees who are bound by confidentiality obligations.
10. RIGHTS OF DATA SUBJECTS
10.1. “CS” guarantees data subjects the right to access, rectify, delete, transfer, limit, and/or object to the processing of their personal data at any time.
10.2. Right to Erasure
Specifically regarding the right to erasure, the data subject has the right to obtain from the data controller the deletion of their personal data, and the controller is obliged to delete such data whenever one of the following grounds applies: (i) The data is no longer necessary for the purpose for which it was collected or processed; (ii) The data subject withdraws consent, where consent was the legal basis, or objects to the processing and there are no overriding legitimate interests justifying its retention.
10.3. Exercising Data Subject Rights
The data subject may exercise any of these rights by contacting “CS” in writing, either via the company’s registered address or by email at: cunhasoares@cunhasoares.pt.
11. Right to Lodge a Complaint with the Supervisory Authority
The data subject may always submit any complaints they deem necessary to the competent supervisory authority. In Portugal, this authority is expected to be the CNPD – Comissão Nacional de Proteção de Dados: www.cnpd.pt.
12. Disclosure of Personal Data to Other Entities
12.1. In the course of its business activities, “CS” may engage third parties to provide certain services (located within or outside the European Union), which may, in some cases, involve access to the data subject’s personal data. 12.2. In such cases, “CS” undertakes to adopt the necessary and appropriate measures to ensure that the entities accessing such personal data are reputable and offer high standards of data protection, which will be duly formalized and safeguarded in a written contract between “CS” and the third party(ies). 12.3. Any entity subcontracted by “CS” will process the data subject’s personal data on behalf of and under the responsibility of “CS”, and will be required to implement the necessary technical and organizational measures to protect the personal data against accidental or unlawful destruction, accidental loss, alteration, disclosure, unauthorized access, and any other form of unlawful processing. 12.4. In all cases, “CS” remains responsible for the processing of personal data. 12.5. Where necessary, and in the context of engaging third parties, personal data may be transferred outside the European Union, in accordance with the terms and conditions permitted by applicable legislation.
13. Right to Amend the Privacy Policy
“CS” reserves the right to make adjustments or amendments to this Privacy Policy at any time, in order to adapt it to its operational reality and/or to any legislative changes that may require such updates. The version currently published is the one in force.
Lodares, May 21, 2018
We aim to:
- Be the best at what we do, ensuring that the reward for our service delivery is fair, consistent, and aligned with the high standards of quality, environmental protection, occupational health, and safety that guide our actions.
- Promote sustainable development and actively prevent discrimination, corruption, slavery, forced labor, and harassment, in full respect of fundamental human rights.
Our Policy is based on:
- Understanding the current and future needs of our Clients, meeting their requirements, and exceeding their expectations.
- Establishing strategic business partnerships to foster joint and continuous improvement of our services and optimize performance, through the definition and monitoring of objectives.
- Ensuring compliance with all applicable legal and regulatory requirements.
- Controlling the environmental impacts associated with our activities, protecting the environment and preventing pollution—particularly through the proper management of all waste, aiming to reduce, recycle, reuse, and recover whenever possible.
- Promoting a general atmosphere of well-being within the company, ensuring the safety and health of all workers who collaborate with us.
- Periodically assessing and monitoring risks to eliminate or reduce them, thereby promoting safe and healthy workplaces with the goal of zero incidents. We encourage prevention, consultation, and active participation of employees in matters related to occupational health and safety, quality, and environmental management.