PRIVACY POLICY

A- ASFC-SGPS, S.A. (hereinafter ASFC) exercises control, directly or indirectly, exercising a dominant influence over the other companies of the SOTKON Group, for example, by virtue of ownership or financial participation, being, in turn, 100% owned by NORS, S.A. 

B- For the purposes of Article 4, 19) of the General Data Protection Regulation (hereinafter GDPR), "Business group" means a group composed by the controlling company and the controlled companies.  

C- ASFC- informs you of its Privacy Policy, through which it informs you about your rights and provides information on how it processes your personal data. 

D- At ASFC we are committed to processing your data only for the purposes clearly clarified, and we have adopted various security measures, of both technical and organizational nature, in order to protect the personal data that are made available to us against its disclosure, loss, misuse, alteration, treatment or unauthorized access, as well as against any other form of illicit treatment.

1. PERSON RESPONSIBLE FOR THE PROCESSING OF YOUR PERSONAL DATA

1.1 ASFC with a share capital of 1,000,000.00 Euros, headquartered at Rua Manuel Pinto de Azevedo, no. 711-1.º - 4100-321 Porto is the entity responsible for the processing of your personal data. 

1.2 Contacts of the Data Controller: 

Address: Rua Manuel Pinto de Azevedo, n.º 711-3.º - 4149-010 Porto 

Phone: +351 226107786 

Email: marketing@sotkon.com  

2. DATA PROTECTION OFFICER

2.1. ASFC has appointed and communicated to the National Data Protection Commission in Portugal (hereinafter CNPD), pursuant to article 37 of the GDPR and article 9 of Law 58/2019, of August 8th (which ensures the execution, in the national legal order, of the GDPR), a Data Protection Officer (DPO). 

2.2 The Data Protection Officer, among other functions legally assigned pursuant to Article 39 of the GDPR,   

 (i) advises the controller on obligations under the rules on privacy and protection of personal data;  

 (ii) cooperates with the supervisory authority; 

 (iii) is the point of contact with the customer, or potential customer, in order to clarify possible questions about the data processing carried out by ASFC-SGPS. 

2.3 If you wish to clarify any doubt or lodge any complaint, you may do so with the Data Protection Officer of ASFC, through the following email address: dpo@nors.com 

3. PERSONAL DATA, OWNERS, CATEGORIES AND FORM OF COLLECTION OF PERSONAL DATA

3.1. What is personal data? 

Any information relating to a natural person, identified or identifiable is considered to be personal data. A natural person who can be identified, directly or indirectly, in particular by reference to an identifier, shall be considered identifiable. An identifier may be, for example, the name, identification number, location data, electronic identifiers or one or more elements specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 

3.2. Who are the holders of personal data? 

a) Natural persons to whom the data relate and who enjoy, or intend to use, the products or services made available by the companies that make up the SOTKON Group, as well as all data holders with whom we relate within the scope of our activity and whose personal data we consequently process. 

b) Representatives, employees or contact point of the client or potential client, who is a legal person, whose personal data we process and submit to internal technical and organizational measures within the scope of said relations. 

 3.3. What categories of personal data are processed? 

IDENTIFICATION DATA (EXAMPLES) 

- PERSONAL AND CONTACT INFORMATION (Civil and tax identification data, telephone contact, e-mail address, among others) 

- DATA RELATING TO THE PURCHASE OF PRODUCTS AND SERVICES (History of products purchased or services rendered) 

- CUSTOMER HISTORY (Contract of purchase and sale; responses to satisfaction surveys; offers received; campaign history; participation in events; history of complaints; website pages viewed) 

 3.4. By what means do we collect your data? 

a) When we provide our services we may collect your personal information through various channels, namely:

(i) telephone; 

ii) website;

(iii) in writing, for example in the context of a contractual or pre-contractual relationship; 

iv) In person, for example in the context of events in which we participate or are organized by us.

4. LEGAL BASIS, PURPOSES AND RETENTION OF THE PROCESSING OF PERSONAL DATA

4.1. Legal Basis 

a) Depending on the circumstances, the processing of your personal data may be carried out on the legal basis:

i) for the purposes of pre-contractual procedures or performance of a contract to which the holder is a party;

ii) compliance with legal obligations to which we are subject;

iii) your consent, where applicable, which we will ensure that it is given by you in accordance with a free, specific, informed and unequivocal expression of will, through which you accept that your data will be processed; 

iv) our legitimate interests, only when they do not override your interests, rights and freedoms, which we will assess in each specific situation; 

v)  the defence of vital interests of the data holder or of another natural person, for example, when the processing of the data "is necessary for the protection of an interest essential to the life of the data holder or of any other natural person" and when we cannot "manifestly rely on another legal basis." (Recital 46 of the GDPR).

4.2. Purposes of the processing of personal data 

a) So therefore, ASFC will process your personal data, according to the following legal grounds and purposes:

- Consent: We process the personal data of customers, and potential customers, with consent, for commercial and marketing purposes, namely: marketing campaigns, events, promotions, information about new products 

- Pre-contractual procedures (at the request of the data subject) and/or Execution of the contract (to which the data subject is a party: We process personal data in accordance with this legal basis, for example, in the case of recruitment or execution of the contract with employees. 

- Compliance with legal obligation: Personal data may be communicated to official entities within the scope of compliance with obligations provided for in the law, for example, mandatory communications to Social Security in the case of our employees 

- Legitimate Interest: We process data on this basis, for example, when we need to contact the representative of a legal person, in the context of the execution of a contract or pre-contractual diligence, to respond to complaints, requests or inquiries for clarification made, billing, accounting organization, management of the website (server hosted in Portugal) and CRM (commercial proposals) or when we transmit personal data within the group of companies for administrative internal purposes  , including the processing of personal data of customers or employees. 

4.3. Term of retention of personal data 

a) ASFC keeps the personal data of the holders only for the period strictly necessary for the pursuit of the purpose for which they were collected.

b) In certain cases, the law requires the retention of data for a specific period, namely in the case of data necessary for information to the Tax Authority, which will be kept for 10 years, according to the legislation in force.

c) If there is no specific legal obligation, your data will be processed only for the period necessary to fulfill the purposes that motivated its collection, and as long as there are legitimate grounds that allow its conservation.

d) Once the maximum retention period has been reached, the personal data will be irreversibly anonymized (anonymized data may be retained) or will be destroyed securely.

5. HYPERLINKS TO OTHER WEBSITES

5.1. We warn you that ASFC is not responsible for the privacy practices of third parties whose websites have, or may have, a hyperlink on our website, and cannot guarantee the accuracy or authenticity of the information contained therein. We advise you to read the privacy policies of any other website that is linked to the ASFC website. 

5.2. ASFC does not guarantee the accuracy, completeness or authenticity of the information contained in any hyperlink or other Internet site. Personal data entered on other Internet sites that are linked to the ASFC website will be your sole responsibility. 

6. PROCESSING OF PERSONAL DATA FOR DIFFERENT PURPOSES

If we intend to further process your personal data for a purpose other than any of those informed herein, we will take the initiative, prior to processing, to inform you and provide the necessary information, as well as any other information that, in the context, is relevant and appropriate. 

7. RIGHTS OF THE HOLDERS OF THE PERSONAL DATA AND FORM OF EXERCISE OF THE SAME

7.1. Rights of data subjects 

 Right of access (Art. 15 GDPR) 

You have the right to ask us, among other things, for information on whether or not your data is being processed, what data we process and for what purposes; 

 Right to rectification (Article 16 GDPR) 

The right to rectify inaccurate personal data concerning you without undue delay and to complete data that is incomplete; 

 Right to erasure (Article 17 GDPR) 

Also called right to be forgotten – you can request, in certain circumstances, that your personal data be erased from our records, without undue delay, whenever there are any of the reasons provided for in the GDPR; 

 Right to object (Article 21 GDPR) 

You have the right to object, on grounds related to your particular situation, to certain types of data processing provided for in the GDPR, such as processing for the purposes of direct marketing, in which case we will cease processing for this purpose; 

 Right to restriction of processing (Article 18 GDPR) 

The right to obtain the restriction of the processing of your personal data, when you wish, for example, to contest the accuracy of your personal data for a period of time that allows us to verify its accuracy, when the processing is unlawful or if you have deduced your right to object; 

 Right to portability (Article 20 GDPR) 

You have the right to transfer your personal data that we hold to another organization or to receive it in a structured, commonly used and machine-readable format; 

 Right to withdraw consent (Art. 7(3) GDPR) 

If consent is legally necessary for the processing of personal data, the data subject has the right to withdraw consent at any time, in an easy manner, although this right does not compromise the lawfulness of the processing carried out on the basis of the consent previously given; 

 Right to lodge a complaint with a supervisory authority (Article 77(1) GDPR) 

In Portugal the supervisory authority is the CNPD - National Commission for Data Protection (www.cnpd.pt ); 

 Right to claim compensation and liability (Article 82 GDPR) 

If you have suffered material or non-material damage as a result of a breach of the GDPR, you are entitled to receive compensation from the controller or processor for the damage incurred in; 

7.1. Rights of data subjects (continued) 

 Right to mandate a non-profit-making body, organiszation or association to lodge a complaint on its behalf (Article 80 GDPR) 

The data subject shall have the right to mandate a non-profit-making body, organization or association, which is duly constituted under the law of a Member State, whose statutory objectives are in the public interest and whose activity covers the protection of the rights and freedoms of the data subject with regard to the protection of his or her personal data,  to lodge a complaint on their behalf, to exercise the rights provided for in Articles 77, 78 and 79 of the GDPR, and to exercise the right to receive compensation referred to in Article 82, if this is provided for in the law of the Member State; 

 Right to not be subjected to automated decisions (Article 22 GDPR) 

You have the right not to be subject to any decision taken solely on the basis of automated processing, including profiling, that produces effects in your legal sphere or that significantly affects you in a similar way. This subjection, if it occurs, will only take place, on our part, within the scope of the exceptions provided for in article 22, paragraph 2 of the GDPR, and we will apply measures that ensure the right to obtain human intervention, allowing you to express your opinion and contest the decision; 

7.2. Form of exercise of rights 

a) You may exercise your rights free of charge, except in the case of a manifestly unfounded or excessive request, in which case a reasonable fee may be charged taking into account the costs.

b) We will respond to your requests within a maximum period of 30 (thirty) days, except in cases of requests of greater complexity, in which the period may amount to 60 (sixty) days.

c) You can exercise your rights through the following addresses:

Letter: ASFC-SGPS, SA - Rua Manuel Pinto de Azevedo, n.º 711-1.º - 4100-321 Porto 

Email: dpo@nors.com 

If you are not satisfied with the way we respond or ensure the exercise of any of these rights, you have the right to file a complaint with the CNPD, which you can do by accessing the respective institutional website, accessible in www.cnpd.pt . 

8. PROCEDURAL AND TECHNICAL SECURITY MEASURES

8.1. ASFC has implemented physical, technological and organizational security measures appropriate to the protection of your personal data, in order to protect the personal data that is made available to us against its disclosure, loss, misuse, alteration, treatment or unauthorized access, as well as against any other form of illicit treatment. 

8.2. To this end, ASFC shall apply technical and organizational measures to ensure a level of security appropriate to the perceived risk, both with regard to the retention of personal data and with regard to their transmission. 

8.3. ASFC has a computer system capable of resisting, with a high level of confidence, accidental events or malicious or unlawful actions that compromise the availability, integrity and confidentiality of the Personal Data stored or transmitted. 

9. COOKIES

9.1 ASFC uses 'cookie' technology to enable us to track the routes you take to our website, to help us record your activity on that website and to evaluate and improve it, making it more useful to you.  

9.2 We inform you that you can set your browser not to accept cookies or to warn you if cookies are sent. 

10. USE OF THE WEBSITE 

10.1. With regard to the use of the materials present on the website, information, text, figures or graphics contained therein, they may only be used for your personal use, and never for commercial purposes, nor shall you reproduce, modify, transmit, authorize or publish such information, texts, figures or graphics, in whole or in part, for any purpose without the prior written authorization of ASFC. 

10.2. Regarding the use and risk of its use, ASFC specifically disclaims any liability for direct, indirect, incidental, consequential or special damages arising out of or in any way associated with your access to or use of this website, which affect your computer equipment, or your reliance on the information obtained through the ASFC website. 

10.3. The information contained on the website must be seen in its informative aspect, without prejudice to the efforts of ASFC to keep the contents updated and reliable, as these may contain inaccuracies, typographical errors or be outdated, and may also be changed at any time without ASFC having an obligation of prior notification. 

11. DATA PROCESSING ON A SUBCONTRACTING BASIS

11.1. Within the scope of our activity we may use subcontractors who process your data on our behalf, as provided for in the GDPR. 

11.2. If this happens, we will ensure that: 

i) We carefully choose our subcontractors and carry out a prior evaluation, which we document, determining in advance if there is evidence to comply with the RGPD and other applicable legislation, constituting this evaluation an auxiliary of choice in the hiring process;

ii) We determine, in this way, whether they present sufficient and adequate guarantees for the implementation of technical and organizational measures aimed at protecting your personal data and that they will act only in accordance with our instructions, which will be documented;

iii) We enter into a written contract with our subcontractors that will reflect all the legal requirements of Article 28 of the GDPR, so that the processing of your personal data is carried out in strict compliance with the law. 

11.3 SOTKON Group companies may act as subcontractors of the ASFC within the meaning of Article 4 (8) and Article 28 of the GDPR. 

11.4 The data processed by SOTKON Group companies acting as subcontractors are intended to fulfill the purposes of order processing, production planning, invoicing and accounting organization, as well as execution of the contract with employees, website management, CRM management and ASFC share drive. 

11.5 The ASFC ensures the responsibility of the subcontractors, ensuring that they only process the personal data in accordance with our instructions, also guaranteeing rules regarding the confidentiality of the data, the contracting of another processor or the security measures inherent to the treatment, also ensuring that the exercise of the rights of the data holders is ensured, among other matters legally foreseen. 

12. INTERNATIONAL TRANSFERS OF YOUR PERSONAL DATA

12.1. As a rule, your data will always be processed within the European Economic Area, and we choose, if necessary and preferably, providers that are in this geography. 

12.2. If we communicate personal data to third countries or international organizations, outside the European Economic Area, we will strictly comply with the applicable legal provisions, not proceeding to international transfers of personal data to entities that do not offer guarantees of maintaining the level of protection required by the GDPR without the appropriate legal safeguards. 

13. DATA COMMUNICATION

In the context of the services we provide, the communication of data is a requirement for us to be able to conclude a service contract or to be able to send you communications, and the lack of such information naturally constitutes an obstacle to such conclusion, which is the only consequence resulting therefrom. 

14. UPDATING THE PRIVACY POLICY

ASFC reserves the right to update this policy at any time, according to the legal requirements and/or needs of the commercial activity, so the user of our website should visit this page in order to be aware of all changes.