1. Bondalti’s commitment
Bondalti Capital, S.A. and the companies which it directly or indirectly controls (hereinafter jointly referred to as ‘Bondalti’) are firmly committed to the protection of personal data and privacy.
Bondalti respects the privacy and protects the personal data of its Employees, Clients, Suppliers and business partners, according to the terms provided in the law and regulations relating to personal data protection, namely Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) applicable as from 25 May 2018 (hereinafter “GDPR”).
This policy provides a general view on how we process your data and rights in this regard, according to provisions in the GDPR and remaining relevant law on data protection and privacy, including the national law complementing the GDPR.
Specific data that will be processed and how they will be used depend to a large extend of the products and services requested and agreed.
2. The Personal Data Processing Controller and Data Protection Team
The entity responsible for processing personal data (hereinafter referred to as “Controller”) is:
Bondalti Capital, S.A.
Telephone no.: +351 21 00 58 600
email address: firstname.lastname@example.org
You can contact our Data Protection Team at:
Lagoas Park, Edifício 6, 2.º B
2740-244 Porto Salvo
Data Protection Team
Telephone no.: +351 210 058 600
email address: email@example.com
3. Personal data, data subjects and categories of personal data
Personal Data: any information, of any nature, regardless of respective format, including sound and image, relating to an identified or identifiable natural person, even if indirectly. Personal data further include data relating to other elements allowing to identify someone (for instance, login and logout records associated to a reference identifying a natural person).
Data Subject: any natural person to whom the data concern, namely employees, clients, suppliers and business partners of Bondalti.
Categories of personal data: among other, we consider as personal data such data the processing of which may be necessary and/or relevant, or the data required at the beginning of the relationship with the subject, client or potential client or during the process of concession, hiring, control and/or follow-up of a specific product/service, including the following:
- (i) Identifying and contact information such as, name, address and other contact details (telephone number and email address), place/country of origin;
- (ii) Professional status and activity, such as job type, sector, employed or self-employed.
- (iii) Information on default and credit risk, taking into account data available from credit and economic information systems and sources;
- (iv) Business data. Data derived from the product/service proposal or hiring, such as transactions and operations, propensity to additional hiring and cookies;
- (v) Information derived from email or any other form of communication with the Controller;
- (vi) Additional data contained in the documentation submitted to the Controller or obtained as a result of the relationship with the Controller, such as Citizen Card number and other relevant identification documents, passport, notary deeds, whether in physical or digital format and, in general, any documentation and information concerning the communication held with the client through different means, including marketing campaigns.
4. Sources, legal ground, purposes of the personal data processing and storage period
Sources: We process the personal data that we receive in the context of a commercial relationship with clients or potential clients and viewing compliance with relevant legal obligations. Additionally, we process personal data provided by other companies of the Group of companies of the controller or by third parties, where it may be relevant (for instance, for the provision of services, sale and supply of products, compliance with contracts and any legal obligation, or based on a consent). On the other hand, we process personal data which, where relevant, we receive from freely accessible public information sources (such as commercial records and corporate registration records, the press, media and the Internet) and from public authorities and agencies, where we have the legitimacy to do so, under the terms of the law.
Grounds and Purposes: we process the personal data described hereinabove according to provisions in the GDPR and other applicable legislation in this area, on the following grounds and for the following purposes:
- • Consent (Article 6 (1)(a) of the GDPR): when we have your previous consent - in writing or through the validation of an option - provided such consent is free, informed, specific and unequivocal. For instance, your consent for the release of data in cases not provided in this Policy or in specific documentation, of for the Controller to send marketing messages, including using your e-mail for sending newsletters. Your consent can be revoked at any time;
- • Performance of contract and pre-contractual diligences (Article 6 (1)(b) of the GDPR): where personal data processing is required for the conclusion, performance and management of the contract entered into with Bondalti, such as, preparation of proposal, management of contacts, information and enquiries, management of invoicing, collection and payments;
- • Fulfilment of legal obligation (Article 6 (1)(c) of the GDPR): Where the processing of personal data is required to comply with a legal obligation to which Bondalti is subject, such as the communication of data to police authorities, courts, tax or supervisory authorities;
Storage Periods: Your personal data will be processed only for such period of time as may be necessary to perform the defined purpose or, as the case may be, until you exercise your right to object, right to be forgotten or withdraw your consent (the exercise of these rights may be constrained pursuant to legal, regulatory or contractual rules). Following the end of the said period, Bondalti shall erase or make anonymous the personal data where that cannot be kept for a distinct purpose.
We process and store your personal data to the extent where it is necessary to comply with any relevant legal or contractual obligation. Accordingly, it should be borne in mind that our commercial relationship is often a continued obligation which will remain in effect for a long period. Moreover, we are subject to various obligations concerning documentation storage, resulting from various legal rules.
To such extent, processed personal data will be kept for such period of time as may be necessary for the provision of the hired services, sale and supply of products, and to meet tax and legal obligations applicable to Bondalti.
5. Communication of personal data to other entities, sub-contractors and third parties
Within Bondalti, only employees needing your data to perform contractual /pre-contractual duties and diligences will have access to them. Your personal data may be made available to companies and business partners of the Bondalti Group. Likewise, they can be made available to our suppliers, financial agents and other processors which may access such data for specific purposes under the terms of the GDPR, albeit subject to measures to ensure data protection and acting always on Bondalti’s behalf. In this case, Bondalti will take the contractual measures that may be necessary to ensure that processors will respect and protect the personal data of the data subjects. These entities may be established inside or outside the European Union.
The transfer of data to other countries (outside the European Union) will only occur where it is necessary to execute orders or requests from the subject (for instance, payment orders or relating to investment), where required by law and where you have given us your express consent. In case it is necessary to use service providers from third countries, such providers shall comply with all written instructions on this subject, namely they must sign an agreement containing contractual clauses similar to those used in the European Union on the compliance with data protection levels in force in the European Union. You will receive detailed information, separately, where defined by law.
Other agents with access to data may be those to whom you granted consent for the transfer of data or such entities to whom data must be communicated to under the law, such as the tax authorities.
6. Rights of the data subject
Bondalti ensures all your rights concerning the processing of your personal data, according to the GDPR, namely:
Access: Right to obtain confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, information concerning such data, such as, the purposes of the processing, the envisaged period for which the personal data will be stored, etc.
Rectification: right to obtain the rectification of inaccurate personal data concerning you or to have incomplete personal data completed, such as, your address, taxpayer number, email address, telephone number, amongst other.
Right to erasure (‘right to be forgotten’): right to obtain the erasure of personal data concerning you, where there are no valid grounds to keep them, for instance, where Bondalti has to maintain the data to comply with a legal obligation of preservation for investigation, detection and suppression of crimes or for the establishment, exercise or defence of legal claims.
Portability: right to receive the personal data concerning you, which you have provided in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller, as for instance, to receive your invoices or transmit your personal data from one controller to another, where technically feasible.
Withdraw the Consent or Right to Object: right to object or withdraw your consent where the processing is exclusively based on such consent (for instance, where personal data are processed for direct marketing purposes). The same applies to consents given prior to the direct application of the GDPR, i.e. prior to 25 May 2018. Please bear in mind that the right to withdraw your consent and to object is not retroactive, therefore any processing made prior to the withdrawal or objection will not be affected.
Limitation: right to request the limitation of the processing of your personal data, namely: (i) suspension of the processing or (ii) limitation of the scope of the processing to certain categories of data or processing purposes.
Claim: Right to submit claim to the controlling authority, the national data protection agency (“Comissão Nacional de Proteção de Dados”), in addition to the Controller or the Data Protection Team.
You may at any moment request a copy of the consents you provided to us.
The exercise of any of these rights is free of charge, except where the request is manifestly unfounded or excessive, in which case a reasonable fee may be charged taking into account expenses. Information will be provided in writing, however, it may also be supplied orally, if you request it. In this case, Bondalti must verify your identity by other means than orally. The answer to the claims shall be provided within no more than 30 days, except if the claim is especially complex.
In order to exercise your rights please contact our Data Protection Team through the e-mail firstname.lastname@example.org
7. How we protect your personal data
Bondalti shall use its best endeavours to protect your personal data against destruction, loss, accidental or illegal changes and non-authorised disclosure or access. To this end, Bondalti has implemented adequate, necessary and sufficient logic, physical, organisational and safety measures to protect your personal data from destruction, loss, change, disclosure, non-authorised access or any other accidental or illegal processing.
Released on 28 May 2018