This Data Protection Policy compiles the principles, rules and procedures adopted by ITUp in order to promote and ensure the respect for the privacy and protection of personal data of all those who relate to it.
This Data Protection Policy covers the personal data processing operations carried out by ITUp in the context of any situation that may require it, namely with employees, customers or suppliers.
The provisions included in this Data Protection Policy complement and develop the rules set out in the applicable legal instruments, and in particular in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 of April 2016 (General Data Protection Regulation or “GDPR”) and Law 58/2019 of 8 August.
By disclosing it, ITUp meets the information obligations to which it is subject in this regard.
Personal data are processed by ITUp as Controller. These are the identification and contact details to be taken into consideration in any communication relating to the processing of personal data:
III. Data Categories
Within the framework of its activity ITUp handles the following categories of personal data:
Identification and contact details
Platform access and traffic data
The provision of some of these data is mandatory by legal or contractual requirement; in other cases it is an essential condition for the negotiation or conclusion of contracts with ITUp, and without them the company will not be able to fulfil the obligations arising from it; in other situations the provision of the data is merely optional. ITUp indicates the specific nature of the data provision at the time of its collection.
IV. Processing purposes
In general, the personal data collected by ITUp is used for the negotiation and conclusion of contracts and for the management of the contractual relationship and contacts with its customers, suppliers, employees and other collaborators, for the execution of such contracts, for the improvement and adequacy of ITUp's promotional and communication services and tools, for the dissemination of ITUp's institutional or promotional information, and for marketing activities. Personal data may also be processed for the purpose of complying with legal obligations.
Whenever personal data is collected for specific purposes, ITUp will communicate the purposes of such processing in the appropriate forms and times.
Personal data shall be processed on the following grounds:
- Execution of contractual relations to which ITUp is a party;
- Compliance with legal obligations to which ITUp is a party;
- Legitimate interests pursued by ITUp, where the interests, fundamental rights or freedoms of the data subject do not prevail;
- Data Subjects’ consent.
Where the lawfulness of the data processing is based on the consent of the data subject, there is the right to withdraw it at any time.
VI. Information sharing
Personal data processed by ITUp may be disclosed to:
- judicial, administrative, supervisory or regulatory authorities, or entities with delegated or concessionary public powers or functions;
- business partners and banking and insurance entities;
- service providers and subcontractors.
All data transmissions to third parties comply with the rules and conditions provided for by law.
In cases where there is a need for data processing operations to be carried out by the entities to which they are transmitted, ITUp will ensure, by means of suitable contractual instruments, that these third parties comply with the minimum conditions for the protection of personal data.
The data will be processed within the European Union. In cases where it becomes necessary to carry out some processing of personal data outside the EU territory, ITUp will ensure that the applicable legal conditions can be complied with and will only carry out the corresponding transmissions if it can guarantee that these conditions will be complied with.
VII. Data preservation
Personal data collected by ITUp will be kept for the period necessary to fulfill the purposes for which it was collected.
Where applicable, the data will be retained by ITUp for such time as may be necessary to carry out orders and guidelines of the competent authorities, to comply with any legal or contractual obligations which may be required of it, or to exercise the rights which it holds in view of the periods of limitation of rights provided by law.
Once the maximum storage period has elapsed or the purpose of the processing has been exhausted, the data shall be erased or made anonymous.
VIII. Data subjects' rights
Right to information
The data subject has the right to be informed about the circumstances surrounding the processing of his data. This information is generally made available on the various media and means used by ITUp to collect the data or communicate with the data subjects, including this Data Protection Policy, the contractual instruments it enters into, the institutional website and other communication tools.
In addition, ITUp also provides the mandatory information in the following special cases:
- In the consent collection instruments, whenever this is the basis for the lawfulness of the processing;
- At the time and through the support it uses to make the due notification to the data subjects in cases where the data have not been collected directly from them, also informing them of the origin of their data.
Other specific rights
In particular, the personal data subject shall be entitled to the rights of access, rectification, erasure, restriction of processing, objection and non-subjection to automated decisions, portability and complaints to the national supervisory authority (CNPD).
In exercising these rights, the personal data subject may, at any time, request ITUp :
- to have access to the personal data provided by him/her;
- to obtain the rectification of information, if incorrect or incomplete;
- to erase or restrict the processing of his personal data;
- to provide his personal data in a structured, commonly used and automatically readable format for transmission to another data controller (portability).
To this purpose, the owner of the personal data, or whoever has a legitimate mandate, should write to ITUp, preferably by e-mail, using the contacts indicated in point II.
ITUp will respond to requests within 1 month. If ITUp considers that it should not comply with the request, it will inform the data subject, within the same period, of the reasons for its decision and of the possibility of complaining to the CNPD or the courts. Whenever possible, answers will also be sent by e-mail, unless the data subject expressly requests otherwise.
ITUp may also request proof of identity or legitimacy of action to ensure that the data are not shared with third parties or outside the will of the respective owners.
All ITUp employees are required to observe complete confidentiality with regard to the personal data to which they have access by virtue of the functions or tasks they perform, even after they have ceased to perform those functions or tasks or have ceased to be associated with ITUp. ITUp shall ensure this obligation by including it in the contractual instruments it concludes with its employees.
X. Security measures
ITUp has adopted a set of technical and organisational measures for the protection of personal data it processes, which cover procedures and security measures related, namely, to the control of physical and electronic access to storage sites and systems, the control of disclosure to third parties and the management of risks of loss and destruction.
XI. Term and amendments
This version of the Data Protection Policy was approved by ITUp's board of directors on [04/09/2020] and may be amended at any time.
Changes to the Data Protection Policy will be disclosed through the communication channels normally used by ITUp for this purpose.
Linda-a-Velha, 17 August 2021