DATA PROTECTION AND PRIVACY POLICY
I. PERSONAL DATA
The Guesthouselisbon, property of Grupo Shiadu, collective name Medisafra SA, with headquarters in Travessa das Pedras Negras nº 1, R/C 1100-404 LISBOA – Portugal, VAT 507 961 307, within the framework of its activities collects and processes personal data, such as:
• Name
• Address
• Email address
• Phone number
• Citizen ID / Passport
• VAT Number
• Photography and Image
• Questionnaires and inquiries
II. PERSONAL DATA PROCESSING
Personal data processing is performed by Grupo Shiadu through automated and/or analogical means (without prejudice to the provisions of chapter VIII), such as:
• Collection
• Register and storage
• Organization
• Customization
• Search and use
• Dissemination, regardless of the disclosure means
• Comparison or interconnection
• Limitation, deletion or destruction
III. DATA SUBJECT CONSENT
Grupo Shiadu requires from the data subject, in all cases, the freely given, specific, informed and unambiguous consent for the processing of his/her personal data, using formal templates designed case by case, considering the type, scope and extension of said personal data processing.
Conditions applicable to child’s consent
According to Article 8 of the GDPR, all personal data belonging to children can only be processed under an express consent observing the rules of Article 6, number 1, point a) of the GDPR related to information society services once said children reach 13 years of age.
For children under 13 years old, such processing shall be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility for the child, preferably through the use of electronic certification means, such as Citizen Card or Digital Authentication Key.
IV. GDPR COMPLIANCE
Grupo Shiadu is fully compliant with EU rules concerning personal data protection, approved by the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter GDPR), as well as with the full body of internal legislation in force.
Grupo Shiadu is responsible for the personal data processing, under automated and analogical means, from its collection, through its organization and storage, up to its deletion.
Grupo Shiadu keeps a continuous and thorough registry of all its personal data processing activities.
V. LAWFULNESS OF PROCESSING
Personal data shall be processed only according to a bundle of lawful purposes, which include:
• Performance of Grupo Shiadu’s statutory goals and activities
• Compliance with legislation in force and generic legal rules and obligations
• Book-keeping and document integrity legal rules
• Performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract
• Project auditing activities, especially those that are the object of public funding
• Quality certification procedures
• Control and users registry of premises and equipment
• Security and integrity of premises and equipment
• Grupo Shiadu’s role as a subcontractor, as defined in number 8, Article 4 of the GDPR
VI. DATA STORAGE PERIOD
Personal data will be stored for the period defined by legal rules or, in their absence, for the strict time needed for the fulfilment of the processing purpose, taking into consideration the legal basis for said processing, as well as all the remaining requisites and time periods determined by law, namely the lapse terms for legal actions based on the correlated rights.
Accordingly, in all cases where a mandatory storage period is determined by law, the right to erasure of personal data as stated in Article 17 of the GDPR can only be exercised by the data subject after the said period lapses.
Grupo Shiadu shall store the personal data for the strict period of time needed for the fulfilment of the data processing purpose, and shall erase it (or anonymize it, if and when applicable/needed) immediately after said period and/or upon the data subject’s request, always considering the above-cited exceptions and all legally defined terms.
VII. DATA SUBJECT RIGHTS
The data subject has the right, at all times, to require from Grupo Shiadu, free of charge:
• The access to his/her personal data
• The rectification and correction of his/her personal data
• The erasure of his/her personal data (the “right to be forgotten”) (the conditions defined above in VI. on personal data storage may apply)
• The limitation of his/her data processing (idem)
• The opposition of his/her data processing
• The portability of his/her personal data to an appointed third entity provided that said data are stored exclusively in electronic form
In every case, if a legal rule or legal obligation is in force which supersedes these data subject rights, Grupo Shiadu reserves the right of denial of the data subject request (and/or to determine restrictions to said request, if and when applicable), duly communicating to the data subject the respective grounds of said decision.
The data subject is entitled to file complaints with Comissão Nacional de Proteção de Dados (hereinafter, CNPD), the Portuguese Controller Authority, according to the definitions duly stated in numbers 21 and 22 of article 4 and article 51 of the GDPR.
VIII. PROCESSOR AND THIRD PARTY INTERVENTION
Third-party intervention
Grupo Shiadu, while conducting its undertakings, may authorise third parties (as defined in number 10 of article 4 of the GDPR) to process personal data which are under Grupo Shiadu’s domain, in order to comply with legal duties, pre-contractual or contractual obligations and/or as indispensable means of performance of Grupo Shiadu’s statutory goals. Said third parties can be public authorities, namely in charge of auditing tasks, project, activity or service partners.
In order to comply with the GDPR requisites, Grupo Shiadu shall require the prior and mandatory consent of the data subject for this specific processing.
Processor intervention
Grupo Shiadu, while conducting its undertakings, may subcontract third entities (as defined in number 8 of article 4 of the GDPR) to process personal data on Grupo Shiadu’s behalf. In order to comply with the GDPR requisites, Grupo Shiadu shall require the prior and mandatory consent of the data subject for this specific processing.
IX. COOKIES
Without prejudice to all the remaining data collection means used by Grupo Shiadu, the collection of anonymous information is performed by Grupo Shiadu through its website, namely related to the type of browser, operating system and time and date of access to Grupo Shiadu’s website, using cookies. Grupo Shiadu’s full cookie policy is available here.
X. Grupo Shiadu’s DUTY OF PROTECTION
Grupo Shiadu complies with the drafting, approval and implementation of all formal and technical proceedings needed for the security of data processing, as well as to assure the accurate and timely record of all processing activities. In addition, a prior assessment will be made with regard to all data processing activities to be launched by Grupo Shiadu in the future, assuring that they will be fully GDPR compliant.
Grupo Shiadu will perform its best efforts to assure the proper operation of all available technical means to avoid the loss, improper use, unauthorized access and unlawful appropriation of personal data, regardless of the likelihood of failure of part of the Internet security measures in force.
Grupo Shiadu assumes no liability for any damages and losses suffered by any individuals due to illegitimate access to personal data transmitted by any data subject through Grupo Shiadu’s Internet portal and/or through Grupo Shiadu’s remaining IT infrastructure.
Nevertheless, Grupo Shiadu shall notify CNPD according to the rules defined in Article 33 of the GDPR, if and when it becomes aware of any event which constitutes a violation of personal data, as defined in number 12 of article 4 of the GDPR.
XI. CONTACTS
The data subject can exercise his/her rights of rectification, modification or cancellation of his/her personal data, or request any information related to said data, in written form, directed to Grupo Shiadu at the address indicated above in I. or through the following specific email address: rgpd@shiadu.pt.
XII. FINAL DISPOSITIONS
Grupo Shiadu is entitled to change this Policy without any prior notice, namely due to the need of its compliance with new legislation or CNPD recommendations. In the event of any change to this Policy, Grupo Shiadu will immediately publicize said changes through its public Internet portal.