AQUAPOR – Serviços, S.A. (AQUAPOR) was created on 25 March 1997. It is a corporate instrument of AdP – Águas de Portugal, SGPS, S.A. (AdP), operating in the national and international water supply and wastewater management markets, providing solutions for the growing needs of these markets. On 31 December 2008 Aquapor was taken over by the company Criar Vantagens, Lda., its current sole shareholder.
AQUAPOR collects and processes personal data of various subjects in order to carry out its activity, namely customers, employees, suppliers, among others.
The aim of this Policy is to describe the guidelines of AQUAPOR to guarantee the protection of the personal data of all those interacting with our company.
This document establishes the guidelines for acting with integrity and in compliance with the regulatory requirements in the context of data protection. It must be complied with by all AQUAPOR employees.
If you want any additional clarification on the contents of this Policy, you may use the channels defined for this purpose, as follows:
a. Contacts for asserting data subjects' rights:
- E-mail: geral@ aquaporservicos.pt
- Address: Av. Marechal Gomes da Costa, nº33-1º-A - 1800-255 Lisbon
- Telephone: 21 792 86 70
b. Contacts of the Data Protection Officer (DPO):
- E-mail: firstname.lastname@example.org
- Address: Av. Marechal Gomes da Costa, nº33-1º-A - 1800-255 Lisbon
- Telephone: 21 792 86 70
2.SCOPE AND AMENDMENTS
AQUAPOR may amend this policy whenever this is warranted and in order to ensure compliance with the applicable laws, regulations and good business practices. Amendments to this policy will be made in coordination with the Data Protection Officer (DPO) and approved by AQUAPOR's Management. Data subjects will be informed in the event of amendments to the policy.
The current version of this policy is available at: www.aquaporservicos.pt
3.APPLICATION OF NATIONAL LAWS
The GDPR's main objective is to ensure respect for the fundamental right that each person has in deciding on the use of his or her personal data. The GDPR covers all companies operating in the European Union and it is expected that the national law of each country will take precedence over it in the event of conflict or in situations where the requirements set out in national law are more stringent.
AQUAPOR is responsible for ensuring compliance with this policy and with applicable laws. In the event any conflict is detected between the content of this policy and any law or directive, AQUAPOR's DPO must be immediately informed.
The Regulation can be viewed at:
4.PRINCIPLES APPLICABLE TO DATA PROCESSING
The processing of personal data in AQUAPOR is governed by the following principles:
a. Lawful, fair and transparent
Personal data are obtained and processed in a lawful and transparent manner, informing the subject of the data collected, the purposes for which the data are processed, the recipients to whom they are to be communicated and their storage period.
b. Defined, explicit and legitimate purposes
Personal data are collected for specific, explicit and legitimate purposes and cannot be processed in a manner incompatible with those purposes.
c. Data integrity and confidentiality
The security of personal data is ensured through the adoption of measures that ensure protection against unauthorised or unlawful processing of the data as well as their accidental loss, destruction or damage.
d. Data accuracy and update
The accuracy and updating of the data is ensured through the provision of specific channels that allow the data subject to communicate any updates as well as data quality review and analysis measures, ensuring that inaccurate data are immediately erased or rectified.
e. Data minimisation
Data collection operations are subject to prior analysis ensuring that only relevant and strictly necessary personal data are collected taking into account the purpose of their processing. Accordingly, many of the information collection operations are based on forms with limited fields, ensuring that the data subject does not communicate more personal data than is appropriate for the situation in question.
f. Storage of data only for the period necessary for the purposes for which they are intended
Personal data are stored for a predefined period of time, called the retention period. This is defined taking into account the period required for the purpose for which they are processed. The personal data are deleted or anonymised when the retention period ends and it is no longer possible to relate the data to its subject.
g. Data accountability
AQUAPOR shall be responsible for the collection and processing of the personal data of the subjects, even if the processing is performed by processors.
5.GOVERNANCE STRUCTURE FOR PRIVACY
AQUAPOR has defined a privacy governance structure in order to ensure adequate coordination of the teams and management of topics related to data protection in the organisation. This structure is based on the appointment of a Data Protection Officer - DPO.
The DPO is engaged in all matters related to the protection of personal data, in an adequate and timely manner. The DPO has access to the resources necessary to carry out its duties, to ensure the correct performance of the role. The DPO reports directly to AQUAPOR's Management.
The DPO's contacts are indicated in section 1 of this Policy.
6.DATA SUBJECT'S RIGHTS
AQUAPOR, in compliance with regulatory requirements, ensures that data subjects enjoy a set of rights relating to how their data is collected, processed and protected.
AQUAPOR concerns itself with, before responding to any requests, ensuring data security by requesting the authentication of the data subject. Accordingly, proof of identity may be requested from the subject, whenever necessary. In the event it is impossible to identify the data subject, AQUAPOR reserves the right not to respond to requests to assert these rights, communicating this fact to the data subject.
When the data subject is a minor, his/her rights may be asserted by those holding parental responsibilities, except in the case of those exceptions provided for in the regulatory requirements.
AQUAPOR ensures a response period of less than one month, except in exceptional cases due to the complexity of the request or the number of requests submitted, in which case a period extensible up to 2 months is defined. If the time period is extended, AQUAPOR will inform the data subject of the reasons for the delay in responding to the request, within a maximum of one month from the date of receipt of the request.
AQUAPOR will seek to respond to all requests. All will be analysed to verify whether they may be satisfied in compliance with regulatory requirements. Whenever there is legislation that prevents the data subject from asserting certain rights, AQUAPOR reserves the right not to respond to the request, informing the data subject, within a maximum period of one month from the date of receipt of the request, of the reasons why his or her request will not be answered. The data subjects may file a complaint with a supervisory authority and bring legal action. AQUAPOR reserves the same right when the submitted requests are manifestly unfounded or excessive, and it may demand payment of a fee equivalent to the administrative costs incurred to respond to the requests.
The rights of the data subjects are listed below, highlighting their specific nature and the means made available by AQUAPOR so that the subjects may assert these rights.
The channels for asserting and exercising each of the rights are defined in point 1 of this Policy.
a. Right to transparent communication
AQUAPOR informs the data subject, in a clear and transparent way, about the processing of his or her personal data, informing the following to him or her when collecting personal data:
- The purposes of the processing for which the personal data are intended;
- What are the grounds for the processing (legitimate interests of AQUAPOR, legal or contractual obligation) if
there is no explicit consent provided by the subject, as well as the possible consequences of not providing those data;
- The categories of the recipients of the personal data, if applicable;
- Whether the personal data are transferred to a third country or an international organisation;
- The storage period of personal data or, if it is not possible, the criteria used to define that period;
- The existence of automated decision-making, if applicable;
- Their rights as the data subject (set out in point 6), which includes the right to complain to a supervisory authority;
- AQUAPOR contact details and the DPO contacts.
If the data were not collected from the data subject, and the referred subject has no information about that collection, AQUAPOR ensures it will take measures to notify the data subject of the above mentioned points within a maximum period of one month after obtaining the personal data. AQUAPOR will also add the following information in that notification:
- The source of the personal data;
- The category of the data that has been collected.
AQUAPOR undertakes to communicate to the data subject whenever it intends to use his or her data for purposes other than those previously communicated.
b. Right of access
AQUAPOR ensures the existence of the means to enable the data subject to access the personal data the entity holds on him or her and to the following information set forth in section a.
AQUAPOR will send a copy of the personal data in the processing phase, in electronic form, if the data subject requests this. AQUAPOR reserves the right to demand the payment of a fee equivalent to the administrative costs incurred to satisfy a request in the event of excessive or unfounded requests.
AQUAPOR will not proceed with the request for access, in accordance with regulatory requirements, if the information requested by the data subject impairs or jeopardises the rights and freedoms of third parties.
c. Right to rectification
AQUAPOR ensures the existence of means to enable data subjects to correct their personal data, if incorrect, or to complete them if they are incomplete.
d. Right to be forgotten
AQUAPOR ensures the existence of means that allow the data subject to request that his or her personal data are "forgotten". The orders received will be analysed and, if considered valid in the light of regulatory requirements, AQUAPOR undertakes to "forget" the data within a maximum period of one month. If the requests made are not considered valid, AQUAPOR will not process them and will inform the data subject of the reasons for that decision.
e. Right to objection/opposition
AQUAPOR ensures the existence of means that enable the data subject to oppose specific processing of personal data for certain purposes, without prejudice to directives or laws in force. If the requests made are not considered valid, AQUAPOR will not process them and will inform the data subject of the reasons for that decision.
f. Limitation of processing
AQUAPOR ensures the existence of means that allow the data subject to request the limitation of the processing of his or her personal data.
The data subject can request the limitation of the processing of his or her data for an indefinite time period, when he or she wishes to suspend the processing but keep the data. This situation may occur when:
- The data subject contests the accuracy of the data. In this case, the processing is limited for a period of time that allows AQUAPOR to verify the accuracy of the data, or
- The data subject is awaiting the response to a request to oppose the processing.
When processing is limited, personal data will only be processed again if the data subject gives consent, except for specific treatments established in law. AQUAPOR guarantees that the data subject who requested the limitation of his or her data is informed before the limitation to the processing is cancelled.
AQUAPOR reserves the right to limit the processing of the data of the subjects when it does not need such, committing itself to store the data for the pre-established retention period. AQUAPOR guarantees that the data subject who requested the limitation of his or her data is informed before its cancellation.
g. Consent and withdrawal of consent
AQUAPOR seeks to obtain the consent of the data subject to collect and process his or her data for various purposes, except in situations where the processing falls within the scope of a service provision or performance of a contract or where there are legal requirements that do not oblige such consent to be obtained.
One of these situations is visible when there is the legitimate interest of AQUAPOR, when this processing is necessary for AQUAPOR to perform its business activity and the processing does not jeopardise the interests of the data subjects or their fundamental rights and freedoms. These situations include, among others, the collection of the:
- Address and telephone contact for the purpose of providing services at home;
- Tax identification number for the issue of invoices.
AQUAPOR guarantees to the data subject the right to withdraw consent at any time, without jeopardising the lawfulness of the processing already carried out based on previously provided consent. AQUAPOR informs the data subject of this fact before consent is given. Consent should be as easy to withdraw as it is to give.
In situations where the processed personal data are those of a minor, consent is requested from those holding parental responsibility over the child.
h. Right to portability
AQUAPOR ensures the existence of means that enable the data subject to request a copy of his or her data and that these are sent to another entity. These data are transferred in a digital and structured format.
The right to portability covers only the data for which the subject gave his or her consent to be processed, data relating to a contract the subject is party to or if the processing is performed by automated means.
AQUAPOR reserves the right to refuse requests for portability whenever they impair the rights and freedoms of third parties, or conflict with any legal requirement.
i. Automated decision-making
AQUAPOR ensures the means that enable the data subject to request the right not to be subject to any decision based solely on the automated processing of his or her data (including profiling) which produces legal effects concerning him or her or similarly significantly affects him or her. These requests are assessed to verify their compliance with regulatory requirements.
AQUAPOR currently has no automatic decision-making processes. However, it undertakes to respect the above-stated paragraph, by informing and collecting the explicit consent of data subjects if it intends to undertake this type of processing.
7.PERSONAL DATA PROCESSING PROCEDURES
The processing of personal data in AQUAPOR is performed when one of the following conditions is met:
- the processing is carried out in the context of a service provision or performance of a contract or when there is a legitimate interest demonstrating that the rights and freedoms of the data subject are guaranteed;
- the processing is carried out within the framework of legislation, resulting from regulatory requirements set forth in the Regulation.
In the event that none of the above-mentioned conditions exist, the processing of the personal data must be carried out only after obtaining the explicit consent of the data subject for the purpose specifically communicated to the same.
Described below are the various forms of personal data processing, the respective purposes (when necessary), data types and collection methods currently carried out in AQUAPOR, and in line with the processes and activities recognised by the entity. The type of data is described in point 17: Type of Personal Data.
AQUAPOR ensures that the data processing is carried out in accordance with the processing principles listed in point 4, for any sporadic collection of personal data.
7.1 Commercial Management
AQUAPOR collects and processes the data of customers and other data subjects, for the performance of this activity. The type of personal data processed includes: personal identification data, personal directory data and other identifiers issued by the Government. This data is collected in person and/or via e-mail.
7.2 Financial Management and Management Control
AQUAPOR collects and processes the data of customers and suppliers, for the performance of this activity. The type of personal data processed includes: personal identification data and home directory data. This data is collected in person, via e-mail, by telephone and/or via website.
7.3 Operational Management
AQUAPOR collects and processes the data of suppliers for the performance of this activity. The type of personal data processed includes: personal identification data and home directory data. This data is collected in person, via e-mail, by telephone and/or via website.
7.4 Software development
AQUAPOR collects and processes the data of suppliers and employees for the performance of this activity. The type of personal data processed includes: personal identification data and home directory data. This data is collected in person, via e-mail, by telephone and/or via website.
7.5 Maintenance and Support of Information Systems
AQUAPOR collects and processes the data of suppliers, customers and employees for the performance of this activity. The type of personal data processed includes: personal identification data and home directory data. This data is collected in person, via e-mail, by telephone and/or via website.
7.6 Commercial Management of Concessions
AQUAPOR collects and processes the data of suppliers, the customers of the Concessions and employees for the performance of this activity. The type of personal data processed includes: personal identification data and home directory data. This data is collected in person, via e-mail, by telephone and/or via website.
7.7 Procurement Management
AQUAPOR collects and processes the data of customers, employees and other data subjects, for the performance of this activity. The type of personal data processed includes: personal identification data, personal directory data, other identifiers issued by the Government. This data is collected in person, via e-mail, by telephone and/or via website.
7.8 Fleet Management
AQUAPOR collects and processes the data of employees for the performance of this activity, which includes the declaration of knowledge of GPS use in the vehicles and registration of vehicle usage times. The type of personal data processed includes: personal identification data, personal directory data and other identifiers issued by the Government. This data is collected in person.
7.9 Communication and Image
AQUAPOR collects and processes the data of customers, employees and other data holders for the performance of this activity, which includes institutional disclosures, commercial and activity services and navigation on the company's web platform. The type of personal data processed includes: personal identification data, personal directory data, other identifiers issued by the Government. This data is collected in person, via e-mail, by telephone and/or via website.
7.10 Management of Impacts, Risks and Emergencies
AQUAPOR collects and processes the data of employees and other data holders for the performance of this activity, which includes the management of impacts, risks and emergencies and reporting accidents to the insurer. The type of personal data processed includes: personal identification data, personal directory data, other identifiers issued by the Government. This data is collected in person and/or via e-mail.
7.11 Administrative Management
AQUAPOR collects and processes the data of customers, employees and other data holders for the performance of this activity, which includes the preparation of draft contracts, draft correspondence, opinions, procedural documents and correspondence. The type of personal data processed includes: personal identification data, personal directory data, other identifiers issued by the Government. This data is collected in person, via e-mail, by telephone and/or via website.
7.12 Human Resources Management
AQUAPOR collects and processes the data of employees and other data subjects for the performance of this activity. The type of personal data processed includes: personal identification data, personal directory data, other identifiers issued by the Government. This data is collected in person, via e-mail, by telephone and/or via website.
8.TRANSFER OF PERSONAL DATA TO THIRD PARTIES
AQUAPOR uses processors to provide services that may involve the processing of personal data. AQUAPOR remains accountable for the suitability of the data processing, even when the processing is performed by processors.
AQUAPOR ensures, in this transfer of personal data, compliance with the applicable regulatory requirements and, if necessary, requests the explicit consent of the data subject.
In the process of acquiring these services, AQUAPOR verifies that the entity it intends to subcontract provides an adequate level of data protection. AQUAPOR applies a set of measures for this purpose to ensure that data are only transferred to processors who provide sufficient guarantees of the performance of technical and organisational measures appropriate to the processing of personal data, who comply with regulatory requirements and who ensure the defence of the rights and freedoms of the data subjects. Data will only be transferred, accordingly, after the signing of a contract containing a set of pre-defined clauses that establish the aim and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects, and the obligations and rights of both entities.
These contracts establish that the processors may solely and exclusively carry out the processing requested by AQUAPOR. They also impose requirements which ensure the correct processing of these data, in accordance with the principles set out in point 4 - Principles applicable to data processing, and there exist the mechanisms necessary to enforce the rights set out in point 6 - Data subject's rights.
AQUAPOR takes measures to monitor the activity carried out by the processor.
In the event the data transfer is due to legal obligation, the above-described procedure does not apply. This data transfer is performed in the light of the legal requirements in force.
9.CROSS-BORDER DATA TRANSFER
AQUAPOR undertakes to ensure the security and integrity of data in the cross-border (non-EU) transfer of data, ensuring that the data subject's consent is obtained for that purpose.
AQUAPOR undertakes to ensure the confidentiality of the personal data collected and processed. The minimum access principle applies, ensuring that AQUAPOR employees only have access to the data necessary for the correct performance of their duties. For this purpose, the data and documents collected by AQUAPOR are inventoried, classified, processed and monitored according to their level of confidentiality.
The confidentiality obligation of AQUAPOR employees concerning the data collected by the organisation is obtained on entering into the employment contract and is maintained when removed from their duties in the organisation. Any unauthorized collection, processing or use of data is strictly prohibited and subject to disciplinary action.
11.SUPERVISION OF THE SYSTEMS IMPLEMENTED REGARDING COMPLIANCE WITH THE APPLICABLE DATA PROTECTION LEGISLATION
AQUAPOR periodically carries out internal audits in which the controls in the field of data privacy are verified. All the results are reported to the DPO, who will articulate any necessary mitigation measures in collaboration with AQUAPOR's Management. The DPO may also conduct audits under the GDPR.
AQUAPOR implements a set of procedural and technological measures aimed at ensuring the security of the processing of personal data if this is carried out by AQUAPOR or by companies it has contracted.
Physical and digital security procedures and controls are defined for the storage of data, to ensure data integrity and control of access to the data.
AQUAPOR establishes, in terms of the security of information systems, security controls to be applied to stored data, in particular to personal data.
Security is ensured in all data processing, from the daily operation to the development of new products, processes, applications or software. The concept of privacy by default is applied. In this sense, measures have been defined to protect personal data during the development cycles. An example of an adopted measure is the anonymization of the data needed for software development testing.
AQUAPOR guarantees the adoption of principles and good practices for the management of documents containing personal data.
These principles ensure the security and integrity of personal data throughout the document life cycle, from the time of collection/generation, through registration, sharing, retention, and until the destruction of the documents.
14.DATA PROTECTION INCIDENTS
AQUAPOR has established processes and procedures to identify and address incidents in the field of data privacy. AQUAPOR has available channels to provide warnings of the potential incidents presented in point 1 of this Policy.
These channels must be used by the data subjects, whether they are customers, employees or other subjects interacting with AQUAPOR. All employees are responsible for informing the DPO when they suspect the occurrence of an incident. They are given the possibility to do so anonymously.
The DPO coordinates interactions with business areas, data subjects, and the supervisory authority to ensure that potential incident resolution activities are conducted within time limits and in accordance with regulatory requirements.
When an incident occurs that poses a risk to the affected data subjects, AQUAPOR immediately triggers a set of risk mitigation measures and reports the incident to the supervisory authority within 72 hours of its discovery.
AQUAPOR also undertakes, if the risk to the affected data subjects is considered high, to notify them of the occurrence of the incident without undue delay, describe the potential consequences, and the measures taken (or to be taken) to remedy the situation and mitigate its possible negative effects. It also provides them with the name and contacts of the DPO.
15.LIABILITY AND PENALTIES
AQUAPOR is the controller responsible for the processing of all data collected and processed by itself and for processing performed by other processors at the request of AQUAPOR.
AQUAPOR is subject to inspection by the supervisory authority, the Portuguese Data Protection Authority. The unlawful processing of personal data or other infringements of data protection laws may lead to legal action being taken against AQUAPOR. Employees found to be liable for data protection infringements are subject to disciplinary penalties in accordance with the labour law in force.
- Anonymization: amendment to the registration of personal data which makes it impossible (or practically impossible) to associate the data with a person.
- Consent: legally valid agreement in which a person authorises the processing of his or her personal data for a specific purpose.
- Data controller: entity that collects, keeps and/or processes personal data. In the context of this policy, the situations in which AQUAPOR is the data controller are described.
- Incident or infringement: situation in which there is a suspicion that personal data may have been illegally obtained, modified, copied, transferred or used.
- Legitimate interest: legitimate interest occurs in situations where the data subject requests a service or action from AQUAPOR that strictly depends on the collection and processing of personal data for its execution (e.g. the collection of the address for the provision of a home service, or the collection of banking details for the purpose of wage processing).
- Third parties (individuals/entities): entities external to AQUAPOR to whom AQUAPOR transfers personal data for necessary business reasons.
- Data subject: a data subject is, for the purposes of this policy, any person whose data is processed.
- Data transfer: transfer occurs whenever personal data held by AQUAPOR are transferred to third parties.
- International transfer: the transfer of data is considered international when the recipient is outside the area where the GDPR is applicable.
17.TYPE OF PERSONAL DATA
- Personal Identification Data: a name, an identification number, location data, online identifiers or one or more specific elements of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Personal Directory Data: number of persons in the household, number of children, address (main), address (secondary), fixed-line telephone number, telephone number (mobile phone), e-mail, fax number.
- Other Identifiers Issued by the Government: Taxpayer number, Social Security number, health system number.
- Special personal data categories ('sensitive data'): data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data, biometric data to identify a person unambiguously, data relating to health or data relating to the sexual life or sexual orientation of a person.
Approved on 24 May 2018
Reviewed on 25 Jun 2018