General Regulation on the Protection of Personal Data

Since 25 May 2018 the General Regulation on the Protection of Personal Data - Regulation Nº. 2016/679 of the European Parliament and of the Council of 27 April 2016 were established the rules on the protection, processing and free movement of personal data of singulary persons and which applies directly to all entities processing such data in any Member State of the European Union, naturally applicable also in Portugal.

Purpose

The purpose of this document is make known the implementation of the new rules applicable to processing of personal data of all interlocutors (customers, employees, suppliers, partners and other entities) who interact with NAVIPOR, the rights that assist it, procedures, means processing, purposes, circuits and consents of the information collected by NAVIPOR, acting in accordance with the law and the new regulation of protection and personal data.

Definition of personal data protection policy

Personal data protection policy is the policy that define the terms which NAVIPOR treats the personal data of the interlocutors and the rights they may exercise, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council - General Regulation on the Data Protection (GRDP) - and other applicable national data protection legislation.

Definition of personal data and the processing of personal data

A personal data is all kind of information relating to a singulary person. For example, the name, an identification number, location data, contacts, even elements of your physical, economic or social identity. Processing personal data refers to any automated and non-automated operation performed on such data - collection, recording, alteration, consultation, use, transmission and destruction.

Application range

This personal data protection policy applies to all interlocutors, including external parties (workers coming from Port Labor Companies), who provide services at the various terminals where NAVIPOR operates.

Goal of data collection of NAVIPOR workers

NAVIPOR collects personal data strictly necessary for the percussion of your business activity. In the collection and processing of data, NAVIPOR complies with applicable legal obligations and observes the principles and rules of processing by requesting consent from employees when it is necessary to process their personal data.

Security of personal data of NAVIPOR workers

NAVIPOR adopts various technical and organizational security measures in order to protect the personal data of its employees against unauthorized loss, dissemination, alteration, processing or access.
All data may be retained as long as legal obligations establish or business relationships with customers remain.

Transfer of personal data of NAVIPOR employees to subcontractors

NAVIPOR may use subcontractors to provide certain services, which may require access by third parties to personal data of its employees. NAVIPOR ensures that these subcontractors fulfill with applicable legal requirements and offer adequate data protection safeguards.

NAVIPOR worker's rights

a) Right of access - provision of information about personal data that NAVIPOR holds about the data subject and about their processing;

b) Right of rectification - correction, updating or inclusion of information (which may be missing) concerning the data subject;

c) Right to erasure of data (“right to be forgotten”) - erasure of data, having verified the legal requirements for this purpose (the legal deadline for retention of data to which NAVIPOR is obliged);

d) Right to limitation of processing - suspension / (temporary) cessation of data processing, subject to applicable legal requirements;

e) Right of opposition - revocation of consent for data processing made on this basis.

Refusal / Impediment of access to personal data information of NAVIPOR workers

NAVIPOR assures workers the exercise of their access rights, rectification, opposition, deletion and limitation of treatment. Workers may exercise their rights through contact with the personal data protection officer - Paulo Rico - tel. 910385278 – paulo.rico@navipor.pt. The employee may, if not granted this right, to present a complaint to the National Data Protection Commission, the public authority that oversees the application of the legislation in Portugal.

Violation of access to personal data of NAVIPOR workers

A data breach is a breach of security that accidentally or unlawfully causes unauthorized destruction, loss, alteration, disclosure, or access to personal data processed by NAVIPOR. Examples of data breach:

• unauthorized verbal or written transmission of personal data,
• The loss, theft or unsafe storage of documents or devices (PC or mobile phone),
• Sending personal data to the wrong recipient.

Incident Reporting

NAVIPOR has implemented an incident management system for data protection, privacy and information security. If any User, Service Recipient or Customer wishes to report the occurrence of any breach of personal data, which may accidentally or unlawfully lead to unauthorized destruction, loss, alteration, disclosure or access, to personal data transmitted, retained or otherwise processed, you may contact the Data Protection Officer - Paulo Rico - tel. 910385278 – paulo.rico@navipor.pt.

Privacy policy change

In order to ensure the respective update, development and continuous improvement, NAVIPOR may, at any time, make the changes, deemed appropriate or necessary, to this Data Protection and Privacy Policy, and its disclosure by the various parties is assured, to ensure the transparency of the whole process.

Express consent and acceptance

The free, specific and informed availability of personal data by the respective holder implies the knowledge and acceptance of this Policy and implies an express authorization for its processing, according to the defined rules.

Responsible for the protection of personal data

To exercise any type of data protection rights, the different parties may contact the Data Protection Officer - Paulo Rico - tel. 910385278 – paulo.rico@navipor.pt, describing the subject matter of the request and indicating an email address, telephone contact or correspondence address for further response.

Impact Assessment on Personal Data Protection (IAPDP)

In accordance with the GRDP, NAVIPOR commits itself to all new forms of data processing (new technologies, other innovative forms of data processing) that may pose a high risk or to testing existing procedures, and in order to guarantee the rights and freedoms of the personal data of its workers, to carry out a periodic risk analysis of existing procedures / circuits, focusing in particular on the origin, nature, particularity and severity of the risks and more specifically for each risk. (illegitimate access, unwanted modification, disappearance of data), the source of the risk, identification of potential impacts on data subjects' rights and freedoms, and the estimation of the likelihood and severity of those risks.

Location / purpose of collected data

As mentioned above, NAVIPOR only collects, processes and stores the data of the various parties strictly necessary for its economic activity.