1. INTRODUCTION

Personal data are essential for the development of Trasesa’s activity within the scope of the provision of its services. The use of the information made available to Trasesa within the scope of its activity will always be in accordance with the legal provisions in force, on which its Data Protection Policy (PPD) is based. The purpose of this policy is to inform data subjects who inform us provide personal information about our management of your personal data. This data protection policy applies to everyone who works at Trasesa.

2. PURPOSE AND SCOPE

The purpose of this document is to establish and maintain a certain level of data protection that:

– Comply with the applicable legal provisions under the General Data Protection Regulation:
> Creating and implementing internal procedures that guarantee the maintenance of information in a structured format and limiting access to data only to those with the right

– Meet the needs and expectations of customers, partners and employees:
> Through trust and responsibility and training employees to treat and protect their data in a more systematic and infallible way

– Allow to carry out business processes effectively.

– Allow Trasesa to maintain a positive external image in the market.

As data protection is a central area, Trasesa has appointed a Data Protection Officer, designated as “DPO” to oversee these activities, monitoring and reporting to the company’s Management, the development of activities carried out under the RGPD, and with whom holders of personal data, may contact you to exercise their rights.

3. RULES AND PROCEDURES

1. The Management undertakes to comply with the rules and procedures relating to the RGPD, and is responsible for implementing structures and ensuring adequate resources for the proper functioning of the PPD.

2. The Heads of each sector / Department must ensure that the business processes in their area are in accordance with the PPD.

3. All company employees who use personal data are individually responsible for complying with applicable legal and regulatory provisions.

4. Employees have the obligation to guarantee the confidentiality of data as an inseparable part of their duties provided for in the employment contract. They must also comply with all information and training received and comply with all guidelines defined in the PPD. Failure to comply with these obligations may have disciplinary consequences.

5. All company employees have the duty to report all failures within the scope of the PPD to the DPO.

6. Employees, for the purposes of the Data Protection Policy, are those who have an employment relationship, internship, service provision or other similar relationship with Trasesa.

7. The DPO is responsible for ensuring compliance with data protection regulations, by providing information to all company employees in this field.

8. The DPO will also be responsible for identifying risks and proposing opportunities for improvement related to the PPD.

9. The DPO may, within the scope of its functions, determine the implementation of data protection measures in any area of ​​the company, and for this purpose, it must have adequate controls and access.

4. DEFINITION OF PERSONAL DATA

Personal data is defined as a set of distinct information that can lead to the identification of a particular person, regardless of the medium in which it is stored, relating to personal characteristics or material circumstances.

Data or information concerning any customer, customer employee, service provider, supplier, or employee of Trasesa, which is personal data to which Trasesa has had access, created, processed, stored or transmitted within the scope of its activity.

Typology of personal data collected by Trasesa:

Personal Data Typology Personal Data Categories Legal reason Conservation Term
  Employee Data  Name, date of birth, gender, nationality, number (Identification Card Number, Citizen’s Card, Passport, or Residence Card), VAT Number, Social Security number, marital status, number of dependents, address, contacts (phone, cell phone, email), educational qualifications.   Legal Compliance (Employment Contracts)   Legal and contractual impositions
  Service Provider Data  Name, No. (Identification Card Number, Citizen’s Card, Passport, or Residence Card), VAT Number, Social Security numbe, address, contacts (phone, cell phone, email), proof of certifications/professional cards (if applicable).   Legal Compliance (Service Agreements)   Legal and contractual impositions
 Spontaneous Application Data  Email, Curriculum Vitae  Consent   1 year
  Supplier Data  Business name, VAT number, name of those responsible, Company address(es), contacts (phone, cell phone, email)   Legal Compliance (Product/Service Supply Contracts)
Billing Data		   Legal and contractual impositions
  Data for Provision of Services   Business name, VAT number, name of those responsible, Company address(es), contacts (phone, cell phone, email)   Legal Compliance (Service Agreements)
Billing Data		   Legal and contractual impositions
  Data for Provision of Services   Clients (workers): name, date of birth, nationality, date of admission, professional category   Contractual Compliance (provision of occupational health and safety services, professional training)   Contract duration
Legal Impositions (according to specific legislation on clinical data retention)
  Access Log Data and Usage History (Reserved Areas)   Customer Portal (reserved and limited access to customer documentation and information)
E-learning training platform (reserved and limited access)		   Contractual Compliance and Data Security   Contract duration
  Data for Commercial and Marketing Effects   Email   Consent   Consent Removal

Trasesa seeks to respect the best practices in matters of security and protection of personal data, promoting actions and improving systems in order to safeguard the protection of the data provided to us by our Customers.

Using and browsing our Platforms, filling out our forms and providing data directly or indirectly imply knowledge and acceptance of the conditions of this Policy, as well as any other specific terms, policies and conditions relating to the subscribed services. When subscribing to our services carefully read the respective terms and conditions. By providing your personal data, you authorize the collection, processing, use and disclosure of them in accordance with the rules defined herein.
Morada: Rua Dr. Flávio Resende, nº323 – 3ªCV. Esqª 2775-195 Parede

5. RELEVANT PERSONAL DATA

Data or information relating to any customer, service provider, supplier, employee, worker or any other third party and which is Personal Data that has been communicated by or on behalf of the CLIENT or that Trasesa has accessed, created, processed, stored or transmitted under the PSC.

6. PROCESSING OF PERSONAL DATA

The processing of personal data means any operation or set of operations on personal data, carried out with or without automated means, such as the collection, registration, organization, conservation, adaptation or alteration, retrieval, consultation, use, communication by transmission, by broadcasting or by any other form of making available, as well as blocking, erasing or destroying.

6.1 Trasesa undertakes to comply with all requirements applicable to it under the Data Protection Law.

6.2 Within the scope of the provision of services, although it recognizes that its respective status is determined by the Data Protection Law, for the purposes of this Law, it declares that the Customer is the Data Controller and that Trasesa is the Subcontractor.

6.3 With regard to any Relevant Personal Data, the parties must:

a.  Provide any reasonably required assistance in order to assist the Client and Trasesa in fulfilling their obligations under the Data Protection Act;

b. Trasesa shall process Relevant Personal Data only on behalf of the Client (or, if instructed by the Client or other members of the Client), only for the purposes of performing the Services and only in accordance with the instructions contained in the contracts or respective addenda, or otherwise periodically received by the Customer in writing;

c. Trasesa shall not transfer any Relevant Personal Data to any third country outside the European Economic Area, unless the parties authorize it in writing, in which case, being subject to any conditions that may be imposed by both parties;

d. In the event that Trasesa is required by applicable law to process the Relevant Personal Data without being in accordance with the previous clauses, it must inform the Client prior to the processing, giving notice of such processing as soon as reasonably possible;

e. Trasesa shall immediately inform the Client if, in Trasesa’s reasonable opinion, any instruction by the Client infringes, or is likely to infringe, the Data Protection Law;

f. Take appropriate technical and organizational measures to ensure a level of security appropriate to the risk and to protect the Relevant Personal Data from unauthorized or illegal processing and from any accidental loss, destruction, damage, alteration or disclosure. These measures must be appropriate for damages that may result from any unauthorized or illegal processing, loss, destruction or accidental damage to Relevant Personal Data and taking into account the nature of the Relevant Personal Data that must be protected. Trasesa must regularly test, evaluate and, if necessary, improve the measures regarding their suitability and effectiveness to ensure the safety of the treatment. Technical and organizational measures are subject to technical progress and future developments. Trasesa may change the technical and organizational measures, as long as the new measures do not fall short of the security level provided by the specified measures;

g. Trasesa must ensure that only its employees who need access to Relevant Personal Data receive access to such data, and only for the performance of the Services, and ensure that all Trasesa employees necessary to access the Relevant Personal Data are informed the confidential nature of the Relevant Personal Data and that are subject to confidentiality commitments or professional or legal obligations of confidentiality and that comply with the obligations set out in this Clause, in particular the obligation to handle the Relevant Personal Data only in accordance with the instructions contained in the this document, or otherwise received from you from time to time in writing;

h. Trasesa must immediately notify the Customer (and in any case within 24 hours) if it discovers any real or suspected breach of personal data (as defined in the Data Protection Law) in relation to Relevant Personal Data or if it receives any claim or request relating to Relevant Personal Data or any other communications directly or indirectly related to the processing of any Relevant Personal Data relating to this document or the Service Provision Agreement;

i. In the event that Trasesa receives a complaint, request or communication related to the processing of Relevant Personal Data, it shall only respond to such request in accordance with the Client’s documented instructions or as required by the Applicable Laws.

j. Trasesa must provide the Client with all cooperation and assistance in fulfilling the Client’s obligations under the RGPD and in relation to any claim, request or other communication made in relation to any Relevant Personal Data.

k. Trasesa must allow the Client or its external consultants (subject to reasonable and appropriate confidentiality commitments) to audit the data processing activities carried out by Trasesa and comply with all reasonable requests or instructions of the Client in order to allow it to verify and obtain information that Trasesa is in full compliance with its obligations under this document and the Data Protection Act;

l. Trasesa and Client shall provide the assistance and information that the parties reasonably need in order to demonstrate compliance with the Data Protection Law by Trasesa or the Client and ensure the Client’s compliance with the Data Protection Law including (without limitations) Customer’s obligations relating to data security and the conduct and implementation of data protection impact assessments;

m. Trasesa and Client must keep complete and accurate records of all information necessary to demonstrate compliance with the Data Protection Act (such records shall include but are not limited to: personnel training records; technical and organizational measures adopted to ensure the compliance with the Data Protection Act; and records of processing activities) and make such records available to the parties upon request;

n. Upon the Client’s request, Trasesa must return, in a way that meets the data protection requirements, all documents, results of processing and use and the Relevant Personal Data within a maximum period of thirty days from the termination of the Contract of Provision of Services and demonstrate to the Customer that this has been done;

o. In the event that Trasesa is required by Applicable Law to retain Relevant Personal Data, it shall comply with its obligations under this Clause with respect to such Relevant Personal Data as soon as permitted under Applicable Law;

p. Trasesa and Client must communicate between themselves the point of contact for all matters relating to privacy and data protection under the Agreement.

7. EMPLOYEE DATA MANAGEMENT

The personal data of Trasesa employees will be treated in accordance with the Data Protection Policy. Employees’ personal data are processed exclusively within the scope of employment contracts.

8. DATA HOLDERS RIGHTS

Trasesa must establish procedures aimed at protecting the rights of data subjects with regard to:

– Compliance with the specific purpose of data collection: personal data cannot be used for purposes other than those for which it was collected, and of which the data subject has been duly informed;

– Pursuant to applicable law, accept that the data subject may request, at any time, access to personal data concerning him, as well as its rectification, deletion or limitation of its processing, the portability of its data, or oppose its processing (with the exception of data strictly necessary for the provision of the service);

– Correction, deletion or blocking of data, and their notification, if possible, to third parties who have knowledge of such data;

– Non-use of personal data for advertising, direct marketing or any other form of commercial prospecting, as well as non-communication to third parties for the same purposes, except with the prior consent of the data subject.

9. EXTERNAL SERVICE PROVIDERS

Contracts and protocols with external providers should include appropriate specific requirements regarding PPD.

10. DATA PROTECTION AND SECURITY MEASURES

Trasesa is committed to ensuring the confidentiality, protection and security of its Customers’ personal data, through the implementation of appropriate technical and organizational measures to protect their data against any form of undue or illegitimate treatment and against any accidental loss or destruction of these data. For this purpose, we have computer systems that allow access control and prevent unauthorized access, accidental loss and/or destruction of personal data, committing to respect the legislation on the protection of Customers’ personal data and to process this data only for the purposes for which they were collected, as well as to ensure that this data is treated with adequate levels of security and confidentiality.

Trasesa provides information and training and awareness-raising actions to all company employees regarding the protection of personal data, in order to ensure that our employees are aware of the obligations imposed on them in this area, which they assume commitment not to reveal to third parties or use for purposes contrary to the law, any personal information of Customers, whose knowledge and access to them comes from the exercise of their functions.

In this context, Trasesa has also appointed a Data Protection Officer (Data Protection Officer or “DPO”), to monitor compliance with the applicable policies and regulations regarding the protection of personal data.

11. DATA PROTECTION OFFICER (DPO)

You may contact the Data Protection Officer (“DPO”) for more information on the processing of your personal data, as well as any questions related to the exercise of the rights granted to you by applicable law, and in particular those referred to in this Policy, through the following contacts:

Email: dpo@trasesa.pt

Address: Rua Dr. Flávio Resende, nº323 – 3ªCV. Esqª 2775-195 Parede