Privacy Policy

Privacy Policy of Expressão, Lda.

Expressão, Lda. (“Expressão”, “we”, “us” and “our”) is committed to safeguarding the privacy of its clients, suppliers, employees and website users. This Privacy Policy provides information on how we collect, store, use and disclose any personal information provided to us.

Table of Contents

1. Introduction
1.1 Background to the General Data Protection Regulation (‘GDPR’)
1.2 Principles of data protection
1.3 Definitions

2. General information on our data processing
2.1 Data processors
2.2 Data protection officer
2.3 Legal basis for processing personal data
2.4 Data erasure and storage duration
2.5 Source of the personal data
2.6 Specific categories and purposes for processing personal data

3. Processing of personal data via our website
3.1 Provision of data on our website
3.3 Use of cookies
3.4 Use of the analysis tool Google Analytics

4. Data security, data protection by design and data protection by default
5. Your rights as a data subject
6. Our contact details

1. Introduction

1.1 Background to the General Data Protection Regulation (‘GDPR’) (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

The GDPR regulates the way businesses process and manage personal data. Its purpose is to protect the “rights and freedoms” of natural persons and to ensure that personal data is not processed without their knowledge, and, wherever possible, that it is processed with their consent.

1.2 Principles of data protection

All processing of personal data must be conducted in accordance with the data protection principles as set out in the GDPR.

This policy sets out our commitment to ensure that all personal data is:

  • processed lawfully, fairly and in a transparent manner;
  • processed for specified, explicit and legitimate purposes;
  • adequate, relevant and not excessive in relation to those purposes;
  • accurate and, where necessary, up to date;
  • not kept longer than necessary for the purposes for which it is being processed;
  • processed in a secure manner, by using appropriate technical and organisational means;
  • processed in keeping with the rights of data subjects regarding their personal data.

1.3 Definitions drawn from the GDPR

Material scope (Article 2) – the GDPR applies to the processing of personal data wholly or partly by automated means (i.e. by computer) and to the processing other than by automated means of personal data (i.e. paper records) that form part of a filing system or are intended to form part of a filing system.

Territorial scope (Article 3) – the GDPR will apply to all controllers that are established in the European Union (EU) who process the personal data of data subjects, in the context of that establishment. It will also apply to controllers outside of the EU that process personal data in order to offer goods and services, or monitor the behavior of data subjects who are resident in the EU.

Personal data (Article 4) – any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing (Article 4) – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Restriction of processing (Article 4) – means the marking of stored personal data with the aim of limiting their processing in the future.

Profiling (Article 4) – any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person, or to analyse or predict that person’s performance at work, economic situation, location, health, personal preferences, reliability, or behavior.

Pseudonymisation (Article 4) – means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not.

Filing system (Article 4) – any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.

Data controller (Article 4) – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data processor (Article 4) – a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Recipient (Article 4) – means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

Third party (Article 4) – a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Data subject consent (Article 4) – means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.

Personal data breach (Article 4) – a breach of security leading to the accidental, or unlawful, destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, transmitted, stored or otherwise processed. There is an obligation on the controller to report personal data breaches to the supervisory authority and where the breach is likely to adversely affect the personal data or privacy of the data subject.

Special categories of personal data (Article 4) – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

Establishment (Article 4) – the main establishment of the controller in the EU will be the place in which the controller makes the main decisions as to the purpose and means of its data processing activities. The main establishment of a processor in the EU will be its administrative centre. If a controller is based outside the EU, it will have to appoint a representative in the jurisdiction in which the controller operates to act on behalf of the controller and deal with supervisory authorities.

Representative (Article 4) – a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under the GDPR.

Data subject (Article 4) – any living individual who is the subject of personal data held by an organisation.

Child (Article 8) – the GDPR defines a child as anyone under the age of 16 years old, although this may be lowered to 13 by Member State law. The processing of personal data of a child is only lawful if parental or custodian consent has been obtained.

2. General Information on Our Data Processing

2.1 Data processors
Expressão has appointed certain entities that will also process personal data of its clients, suppliers and employees (e.g. accountants, lawyers, project managers, and similar third-party vendors and outsourced service providers that assist us in carrying out business activities). Access to your information will only be provided to a third-party that has signed a Non-Disclosure Agreement.
2.2 Data protection officer

Expressão did not appoint a data protection officer (DPO) due to the fact that according to Article 37 of the GDPR companies only need to appoint a DPO if their core activities involve processing sensitive data on a large scale or involve the large-scale, regular and systematic monitoring of individuals.

2.3 Legal basis for processing personal data

These are the following legal reasons for processing personal data:

  • Where we obtain your consent for processing personal data;
  • Where personal data need to be processed for the performance of a contract with you;
  • Where personal data need to be processed to comply with a legal obligation;
  • Where personal data need to be processed in order to protect your vital interests or those of another natural person;
  • If the processing is necessary for us to carry out a task that is in the public interest;
  • If the processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms.

In all circumstances no sensitive personal data, such as race, sexual orientation, religion, political beliefs or race, for example, is collected or processed.

We do not knowingly collect personal data from children.

2.4 Data erasure and storage duration

Expressão will not retain your personal data for longer than required. When determining the relevant storage periods, we will take into account:

  • our contractual obligations and rights in relation to the information involved;
  • legal obligation(s) under applicable law to retain data for a certain period of time (for example, the Tax Administration requires us to retain certain data, which may also include personal data, for a period of ten (10) years as accounting evidence); and
  • guidelines issued by relevant data protection authorities.

Otherwise, we securely erase your information where we no longer require your information for the purposes collected. Where we process personal data on the basis of consent given to the processing of data, the processing will end when you withdraw this consent.

2.5 Source of the personal data

The personal data we process largely originate directly from the data subjects, e.g. when they

  • transmit information such as the IP address to our web server as users of our website via the web browser and their device (e.g. PC, smartphone, tablet, laptop);
  • fill in forms in our website to receive a quote or apply as a language service supplier;
  • request an offer from us (prospective clients);
  • place an order or conclude a contract with us (clients);
  • supply us with goods or perform services etc. for us as agreed (suppliers);
  • work for us an employee.

2.6 Specific categories and purposes for processing personal data

We process the following categories of personal data:

  • Users of our website
  • Clients and suppliers
  • Employees

Depending on the category of data in question, we process personal data for the following purposes.

Website user data

When you use our website we will not collect any personal data about you, except your IP address, unless you fill in our contact forms or quote forms.

Clients and suppliers

We process the data of our suppliers and business partners for contract processing purposes and/or on the basis of consent given. This also applies if the processing is required in order to take steps prior to entering into a contract.

Employees

As an Employer, we naturally process personal data of our employees for human resources and payroll purposes, and to allow us to carry out our business operations.

3. Processing of personal data via our website

3.1 Provision of data on our website

The use of our website is usually possible without providing personal data. Personal data, such as names, job title, addresses, telephones or e-mail addresses are always provided on a voluntary basis.

Our website features forms that can be used for contacting us electronically. The data types are indicated in the respective contact form. The forms also show which data are mandatory and which ones you can optionally send us additionally.

If you make use of this option, the data entered will be transmitted to us and retained by us to:

  • Respond to your requests for information
  • Provide you with quotes or other information about our business
  • Contact you for recruitment processes after you have applied for a job vacancy

When the message is transmitted, the following data are stored additionally:

  • IP address of the user
  • Date and time of the transmission

3.2 Use of cookies

When you visit our websites, some of your information (such as your Internet Protocol (IP) address, browser type and activity data) may be automatically collected through our systems or the use of “cookies.”

A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer's hard drive.

Please note that you have full control over the use of cookies. You can find more information about how to manage and remove cookies (including how to opt-out) at www.allaboutcookies.org/manage-cookies/ or by visiting the website relevant to the browser you are using.

The purpose of the use of technically necessary cookies is to facilitate the use of websites for the user. Aside from enabling a more efficient page load, cookies may tell us, for example, whether you have visited our site before or whether you are a new visitor.

The use of the analysis tools and/or of the analysis cookies serves the purpose of improving the quality of our website and its content.

The legal basis for processing personal data using cookies is point (f) of Article 6 (1) GDPR, i.e. a legitimate interest on our part. Our legitimate interest lies in the purposes specified above. Where the user has given his consent, the legal basis for processing personal data using cookies for analysis purposes is point (a) of Article 6 (1) GDPR.

3.3 Use of the analysis tool Google Analytics

This website uses Google Analytics, a web analysis service of the company Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google") as a means to monitor your activity on our websites. This information is used solely for the purpose of tracking webpage performance and is not used together with any other Personal data collected.

Detailed information on the terms of use and privacy is available at http://www.google.com/analytics/terms/gb.html.

The legal basis for processing personal data using cookies is point (f) of Article 6 (1) of the GDPR, i.e. a legitimate interest on our part. Our legitimate interest lies in the purposes specified above. As Google Inc. has joined the EU-US Privacy Shield, the transmission of data to the USA is permissible.

Please note that you can prevent the collection of data by Google Analytics by clicking the following link. An opt-out cookie will be set to prevent the future collection of your data when visiting this website: https://tools.google.com/dlpage/gaoptout?hl=en.

4. Data security, data protection by design and data protection by default

Expressão is committed to keeping your personal data safe and secure from unauthorised access to or unauthorised alterations, disclosure or destruction of information that we hold. We will take all reasonable technical and organisational precautions to prevent the loss misuse or alteration of your personal information.

Our security measures include:

  • Data protection by design meaning that when designing new products or services, due consideration to data protection is taken;
  • Data protection by default ensuring that we always make the most privacy friendly setting the default setting;
  • Appropriate technical measures for data secutiry;
  • Regular review of information collection;
  • Restricted access of data to employees and contractors; and
  • Non-use of cloud data storage.

We have drafted Internal policies setting out our data security. Please be aware that, although we endeavour to provide reasonable security for information we process and maintain, no security system can prevent all potential security breaches. Additionally, the transmission of information via the internet is not completely secure.

Should the data for which we are responsible be disclosed, either accidentally or unlawfully, to unauthorised recipients or be made temporarily unavailable or altered, we will notify our Data Protection Authority within 72 hours after becoming aware of the breach.

5. Your rights as a data subject

As a data subject you have specific rights when it comes to your own personal data. To exercise any of these rights (listed below), please contact us by e-mail (expressao@expressao.pt).

Right of access

You have the right to request access to your personal data, free of charge and in an accessible format.

Right to rectification

You have the right to obtain the rectification or completion of personal data which are inaccurate or incomplete.

Right to erasure

You have the right to obtain the erasure of your personal data without undue delay, such as when the data is no longer need to fulfil the processing purpose.

Right to restriction of processing

You have the right to obtain from us restriction of processing where one of the grounds specified in Article 18 of the GDPR applies.

Right to be informed

If you have asserted the right to rectification, erasure, or restriction of processing vis-à-vis us, we shall communicate this rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. You have a right to be notified about these recipients.

Right to data portability

You have the right to ask for your personal data to be returned or transmitted to another company without hindrance by us where the grounds specified in Article 20 GDPR apply.

Right to object in the case of processing for specific reasons

You have the right to object to the processing of your personal data and ask us to stop processing your personal data if it is being processed for the purpose of direct marketing, scientific/historical research and statistics, unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claim.

Right to object if consent has been granted

You may revoke any previously granted consent to the collection and use of personal data at any time with effect for the future. For this purpose, you can contact us by mail or e-mail.

Automated decision-making including profiling

You have the right not to be subject to a decision that is based solely on automated processing, including profiling. Please note that we do not carry out automated decision-making.

Right to lodge a complaint with a data protection authority

Without prejudice to any other rights, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement if you consider that the processing of personal data relating to you infringes data protection law.

Responsible for us: Comissão Nacional de Proteção de Dados

Rua de São Bento n.º 148-3º 1200-821 Lisboa, Portugal

Tel: +351 213928400

e-mail: geral@cnpd.pt

6. Our contact details

Controller responsible for the collection and use of personal data in the meaning of data protection law is Expressão, Lda., represented by Ms. Susana Peixoto, General Manager.

If you have any questions or comments about this Privacy policy, please contact us:

Expressão, Lda.

Avenida da Boavista, 899 - 2.º T

4100-128 Porto

Portugal

tel: +351 223 257 971

e-mail: expressao@expressao.pt

We may change, update or amend this Privacy Policy at any time and for any reason.

Last revised on 25.5.2018.