2. Purpose and grounds for processing the data collected

The personal data collected will be processed for the following purposes:

Management of the general commercial relationship and contractual purposes related to sales and services rendered; Answers to doubts and complaints regarding the activities carried out; Direct marketing, advertising and public relations within the scope of ASCENDUM Portugal’s activities and brands; Development of products and services, with the aim of making the business more efficient; Certifying and improving the quality of the products and/or services provided; Compliance with the law, regulations, judicial decisions or within the scope of the defense of the legal rights of the Ascendum Group.

3. How personal data may be collected

Personal data is collected if the customer purchases and / or uses a product or service provided by ASCENDUM Portugal or by any other company of the Ascendum Group, if he fills in the personal data and submits any of the forms on the ASCENDUM Portugal website.

4. List of personal data that may be collected

The personal data that may be collected are as follows:

• Identification data – full name, date of birth, citizen card number, tax identification number;
• Contact details – personal address, business address, phone/company email address, etc.
• Professional details – profession, organization where you work and its location;
• Financial information: account number and bank details;
• Information related to your sales and/or service history, including maintenance history, campaigns.
• Other information that the customer may choose to provide, such as the purpose of the visit to the Website and the ASCENDUM Portugal facilities.
• IP addresses of visits made to the website or social networks of ASCENDUM Portugal and even the Ascendum Group.

5. Retention period of the personal data collected

The data is kept for as long as the business relationship with the customer continues or as long as such retention is required by law.

Once the retention period allowed by law has been reached, personal data will be processed with the utmost security so that it cannot be identified in the future, as provided for in the General Data Protection Regulation.

6. Security measures implemented to protect the personal data collected

– Access control to DataCenters

All DataCenters used for service delivery are divided into several zones with security levels, with DataCenters receiving the highest security rating.

– Access control to systems

Access to systems and applications shall consist of the identification and authentication of individual users and shall be personal and non-transferable and it shall be the responsibility of the employee concerned not to share his/her access with anyone else, as well as access control, registration and traceability. Passwords are automatically checked for special, alphanumeric characters while requiring numbers, uppercase and lowercase letters and must be changed every 3 months.

– Access control to customer data

The systems prevent activities that are not covered by employee-specific access rights. The data access control system is based on a customized internal system where users can request access from their manager and which ensures differentiated access control depending on the role. The configuration of access/profiles (such as permission to create, change or delete) is defined within the applications. This task is managed by internal resources/system administrator.

– Control of disclosure of customer data

The applicable safety framework states that international and national legislation must be followed, regardless of where operations are carried out. The rules on personal integrity are based on the GDPR (General Data Protection Regulation) and any subsequent applicable regulation, supplemented by national legislation. Remote access to the network can only be done through a tunnel.

– Customer Data Entry Control

Each third party subcontractor has the possibility to record any action in systems and applications. Whether or not this possibility is used depends on the contract with the customer, who has to be aware of the classification of the information in relation to its personal character. There is no automatic function that, on its own, can judge whether data of a personal nature has been used, altered, moved or deleted.

– Control and availability of systems

It includes the protection measures in place at ASCENDUM Portugal, namely: the backup of hard disks (between different DataCenters if necessary), uninterrupted electricity supply in all DataCenters, backup copies stored in a third DataCenter, independent of the other two, for the purpose of processing primary data.

ASCENDUM Portugal has implemented an advanced policy of anti-virus measures, driven by the IT (Information Systems) Guidelines for Virus Protection and the physical implementation arising from this guideline consists of virus protection software. Servers and clients are protected with firewall(s) (LAN(s) access protection and control systems). The organization also includes a central function for vulnerability monitoring, security updates/corrections of HardWare, Operating Systems, OS and applications, which serve to prevent, secure and minimize possible failures with the systems and applications.

– Data separation control

Personal data collected for different purposes are processed separately in accordance with EU and national legislation and ASCENDUM Portugal’s security rules.

7. Identification of the entities with whom the collected personal data can be shared

Personal data may be shared with Ascendum Group companies, suppliers and service providers of ASCENDUM Portugal.

Personal data is only shared with those who need to access your information in the course of their duties or by legal obligation. Where third parties access personal data, the necessary security measures will be implemented to ensure that the information is used correctly and securely in accordance with this Data Protection Policy.

8. Procedure to access or amend the data collected and to request deletion of data and amendment or withdrawal of consent given

At any time, the customer can access personal data and request its amendment. You can also change or withdraw your consent, with effect for the future. Once the customer has withdrawn their consent, they will no longer be contacted and receive communications for the purposes described in this Data Protection Policy.

For access to data, request for amendment and to withdraw consent statements, the customer should use the following contacts:

ASCENDUM Portugal – Serviços de Gestão, SA

Rua do Brasil, nº 27

2695-535 São João da Talha

Email: [email protected]

9. Contact details for clarification of questions related to the right to protection of the data collected and the right to lodge a complaint with the competent authority.

For any question related to the collection and use of personal data, the customer should use the following contacts:

ASCENDUM Portugal – Serviços de Gestão, SA

Rua do Brasil, nº 27

2695-535 São João da Talha

Email: [email protected]

Under certain conditions, as the holder of personal data, the client may have the right to request additional information on the use that ASCENDUM Portugal makes of their data, a copy of the data that is collected, the transmission of personal data to another person responsible for processing, any inaccuracies in the personal data that is kept, the elimination of data whose use is no longer legitimate and the limitation of the way in which personal data is used.

The exercise of these rights is subject to exceptions intended to safeguard the public interest or the interest of ASCENDUM Portugal. If any of these rights are exercised, the request will be examined and every effort will be made to respond within 30 (thirty) days.

If you wish to submit a complaint regarding the collection and processing of personal data, it should be addressed to the national supervisory authority: Comissão Nacional de Protecção de Dados – CNPD, Rua de São Bento, n.º 148, 3º, 1200-821 Lisboa, Telephone: 213928400, Fax: 213976832, e-mail: [email protected].