FRAMEWORK
With the implementation of the General Data Protection Regulation (GDPR), established by Regulation (EU) No. 2016/679 on April 27, 2016, the Academia de Formação – Grupo Garantia is tasked with defining its Data Protection Policy. This policy governs the organization of information related to the processing of personal data, both for employees and third parties, including customers, suppliers, security partners, transport partners, and website users.
Additionally, it is essential to outline the internal and external use of Personal Data (PD) in compliance with applicable legal requirements. By adopting this policy, the Academia de Formação – Grupo Garantia commits to adhering to the GDPR, ensuring its operations are guided by the principles of lawfulness, fairness, transparency, and limitation. This is achieved through the implementation of necessary measures to maintain the accuracy, timeliness, integrity, confidentiality, and security of PD.
This Regulation takes effect on May 22, 2018.
RESPONSIBLE FOR PROCESSING PERSONAL DATA
The data controller is the legal entity that determines the purposes and means of processing personal data. In other words, the Controller decides how and for what purposes personal data will be processed.
For the purposes of this Data Protection Policy, the Data Controller is as follows:
Corporate name: Garantia – Sociedade de Fiscalização Preventiva de Generos Alimenticios, Lda
NIPC: 500504105
Registered office: Avenida São João de Deus nº 7 A/D 1000-277 Lisbon
Email address: formacao@academiagarantia.pt
Telephone: (+351) 218 123 555
PRINCIPLES FOR PROCESSING PERSONAL DATA
- Legality
The processing of personal data will always be subject to prior justification, ensuring the personality rights and data protection rights of the data subject. - Purpose
Personal data should only be processed for the purposes determined at the time of data collection. - Transparency
The data subject (individual) must be informed about how their data is processed.
Personal data should be collected directly from the individual.
The data subject must be informed by the entity processing their personal data of the following:- Identification of the department of the Academia de Formação – Grupo Garantia responsible for processing;
- Purpose of data processing;
- Third parties to whom the data may be transmitted;
- Data retention periods;
- Right to access and rectify data;
- Right to complain.
- Erasure
Personal data that is no longer necessary should be erased after the legally defined retention period. In exceptional cases, if the data has historical or statistical importance, legitimate interest, or by legal determination, it may be retained. - Data Accuracy
Personal data must be stored correctly, completely, and always in its updated version. Necessary measures should be taken to ensure that incorrect, incomplete, or outdated data is, whenever possible, eliminated, corrected, or updated. - Confidentiality and Data Security
Holders of personal data are obliged to maintain confidentiality regarding the data processed. Technical measures must be implemented to protect data against unauthorized access, improper processing or forwarding, as well as against destruction, loss, or alteration.
TYPE OF DATA PROCESSED BY ACADEMIA DE FORMAÇÃO – GRUPO GARANTIA
ADMISSIBILITY, PROCEDURES AND SECURITY MEASURES
The Academia de Formação – Grupo Garantia adheres to legal standards for protecting the personal data of its employees, job applicants, third parties (such as trainees, trainers, employees of service providers, and interns), clients and potential clients, and suppliers (individuals). This includes ‘security data’ for visitors and users of the website, in compliance with national and community legal provisions and decisions by the National Data Protection Commission.
Personal data refers to any information related to an identified or identifiable individual. For the purposes outlined in this privacy policy, the Data Controller collects and processes personal data as specified for each type of processing, depending on the services requested or the existing contractual relationship with the company.
The Academia de Formação – Grupo Garantia commits to handling data with complete confidentiality and implementing appropriate security measures—physical, technical, and organizational—to protect your personal data. The data subject guarantees and is responsible for the truthfulness, accuracy, validity, and authenticity of the personal data provided and agrees to keep it duly updated.
1. Workers’ Personal Data
Introduction
Lawfulness of Workers’ Data Processing
Regarding the employees with whom the Academia de Formação – Grupo Garantia has an active employment contract, the data processing arises from:
Contractual relationship – when necessary for the execution of the employment contract;
Legal obligation – when necessary to comply with a legal obligation to which the controller is subject;
Legitimate interests – when the position or need of the Controller in relation to the employment contract justifies the action;
Consent – when there is a free, specific, informed, and explicit expression of will from the data subject, accepting the processing of their data.
Employee Personal Data Privacy Policy
The personal data (PD) of employees will be handled in accordance with this Data Protection Policy, other internal regulations, and official authorizations, particularly concerning geolocation, as well as individual employment contracts and confidentiality agreements.
The processing of employees’ personal data is restricted to those designated by the Data Controller at any given time, with access limited and duly justified under the law, always ensuring confidentiality.
Employees may request access to their protected data at any time and request its alteration or correction in case of error or incompleteness.
In accordance with the law, employees have the rights to information, access, and opposition to the processing of their personal data. To exercise these rights, they must submit a written request to the Academia de Formação – Grupo Garantia as the Data Controller.
Employees may, under legal terms, exercise the right to be forgotten regarding their personal data, except in cases required for the fulfillment of legal obligations.
The processing of employees’ clinical data follows the regime for sensitive data processing and is therefore exclusively accessible to the company’s doctor or certified medical team, with employees having access to it upon direct request to the occupational doctor.
By signing the employment contract and throughout its duration, the employee consents to their personal data being securely stored digitally, processed, and accessed under the previously specified or occasionally specified terms.
Purpose of Workers’ PD Treatment
- Administrative management;
- Calculation and payment of wages, benefits, allowances, and subsidies;
- Calculation and withholding of mandatory or optional deductions from remuneration, arising from legal, conventional, or contractual provisions;
- Execution of judicial decisions or sentences, as well as handling requests made by employees;
- Handling other matters related to wages, benefits, allowances, or subsidies;
- Processing of training certificates by the employer and/or external training entities;
- Issuance of travel tickets, visas, and/or other documents required for employee travel;
- Attendance and/or access records and control;
- Compliance with legal obligations in the field of occupational safety and health;
- Processing within the scope of video surveillance as authorized and in legal compliance;
- Attendance and/or access control through biometric registration, if applicable.
PD category to be collected
For the aforementioned purposes, the Academia de Formação – Grupo Garantia may collect and process personal data, as well as the original and copies of the respective documents (when legally permissible and applicable), which include the following categories:
- Identification data;
- Family situation;
- Data related to academic qualifications;
- Data related to professional activity;
- Data related to remuneration;
- Other data necessary to comply with the provisions of the previous article.
Workers’ PD retention period
For administrative management of employees and training certificates, data will be retained for a legally specified period. Even after the termination of the employment relationship, data may be kept to meet other accounting and tax obligations.
For employee remuneration, benefits, and allowances, data may be retained for the maximum period allowed by law.
The retention period of the respective data may be extended due to judicial actions, following the transfer of data to judicial institutions or the final judgment of a case.
For pensions, social security, or the payment of subsequent supplementary benefits due after the end of employment, data necessary to prove employment status, length of service, and salary progression may also be retained for the legally required periods corresponding to each purpose.
Recipients of Workers’ Personal Data (PD)
- Entities to whom the data must be communicated by legal provision or at the request of the data subject;
- Financial institutions managing the employer’s accounts for the payment of employees’ remuneration;
- Pension Fund or Social Security Scheme managing entities;
- Insurance companies with which work accident or personal accident insurance contracts are concluded (if applicable);
- Training entities for the issuance of training certificates and organization of the pedagogical dossier;
- The accounting and human resources departments for payroll processing or the company’s accounting obligations;
- Auditing entities (internal and external) within the scope of certification processes and inspections;
- External consulting entities within the scope of their consulting services;
- The Occupational Health department, which ensures compliance with occupational health and safety obligations within the company;
- Entities managing IT systems for the processing of personal data.
- Data may be transmitted to outsourcing entities coordinating business activities for data investigation and processing.
External entities (subcontractors) to whom employees’ personal data is provided under this PD policy are contractually obligated to comply with the legal data protection obligations imposed on the Data Controller.
Photographs, Filming and Recordings
Internal Communications
- Informing employees about the Privacy Policy;
- Collecting consent for the processing of personal data (PD), when applicable;
- Binding employees to confidentiality regarding PD they have access to within the scope of their duties.
Security Measures
2. Job Applicant Personal Data
The Academia de Formação – Grupo Garantia ensures the protection of job applicants’ data rights, whether provided voluntarily through spontaneous applications or during recruitment processes conducted by the company or an outsourcing entity, with the data subject’s authorization. All data will be treated confidentially, in accordance with current laws.
The company’s recruitment privacy policy is detailed in a separate document, which specifies the types of personal data processed, the purpose and legitimacy of the processing, and the recipients of the data. This document is an integral part of the overall Data Protection Privacy Policy.
3. Third Party Personal Data (Trainees, Trainers, Candidates, Employees of Service Provider Companies, Service Providers and Interns)
Introduction
Third Party Data Processing Lawfulness
- Contractual Relationship: Arising from the status of employee/trainee, external trainer, service provider, or employee of service provider companies, as the data subject (in the case of sole proprietors and representatives of legal entities).
- Legitimate Interests: When the position of the Academia de Formação – Grupo Garantia justifies the action in relation to the third party.
- Consent: Express and directed authorization, manifesting a free, specific, informed, and explicit will, accepting the processing of their data for the respective purpose.
In its activities as a provider of SST, Training, and HSA services (whether as an employer or not) and regarding Occupational Health and Training data, the processing is based on:
- Contractual Relationship: Arising from the registration of the trainee/internal or external employee or service provider for training, or from the service contract with the client, for the execution of contracted services in the field of occupational health, SST, or HSA.
- Legitimate Interest: When the position of the Training Academy – Grupo Garantia justifies the action in relation to the employee of our client or trainee/trainer (internal or external employee or service provider).
- Consent: Express and directed authorization, manifesting a free, specific, informed, and explicit will, accepting the processing of their data.
In its contractual relationships with service providers and suppliers, and their employees working for our company, the data processing is based on:
- Contractual Relationship: In which the data subject is an intervening party or constitutes a necessary element for the execution of the contract.
Regarding other third parties, data processing is based on:
- Contractual Relationship: Arising from the internship and the respective internship contract.
- Consent: Express and directed authorization, manifesting a free, specific, informed, and explicit will, accepting the processing of their data.
Privacy Policy
Purpose of Third Party Data Processing
Occupational Health Data
The personal data (PD) of employees of the clients of the Academia de Formação – Grupo Garantia can only be processed to fulfill legal obligations and services provided by the Academia de Formação – Grupo Garantia, as well as for contact purposes, such as informing about schedules made by the Academia de Formação – Grupo Garantia.
SST Data
The PD of employees of the clients of the Academia de Formação – Grupo Garantia can only be processed to fulfill legal obligations and services provided by the Academia de Formação – Grupo Garantia, as well as for contact purposes, such as questioning employees about work accidents they have suffered.
Training Data
The PD of trainees/trainers of the Academia de Formação – Grupo Garantia can only be processed to fulfill legal obligations and services provided by the Academia de Formação – Grupo Garantia, as well as for contact purposes, website registration, advertising, and disclosures. These communications aim to inform about the training activities of the Academia de Formação – Grupo Garantia and third parties, from which they may benefit, and for contact, dissemination of activities, issuance of training certificates, and conclusion of training contracts.
HSA Data
The PD of employees of the clients of the Academia de Formação – Grupo Garantia can only be processed to fulfill legal obligations and services provided by the Academia de Formação – Grupo Garantia.
Data of External Workers from Service Providers and Suppliers (Individuals)
The processing of PD of service providers and suppliers and their employees working for us can be carried out by the Academia de Formação – Grupo Garantia to support the execution of contracts, covering all acts related to the intended purpose, ensuring the Data Protection Policy for all.
Intern Data
The processing of PD of interns at the Academia de Formação – Grupo Garantia is based on the execution of the respective internship and internship contract (whether in the form of a curricular internship, protocolled with an educational institution or the State, a public entity, or a free internship), covering all acts related to the intended purpose, ensuring the Data Protection Policy in all situations.
Data for Informational Purposes (Visitors and Website Users)
The processing of PD for information dissemination is only permitted for this purpose. The data subject must be informed about the use of their data for the specific purpose intended and give their respective consent.
Communications
In implementing the Data Protection Policy for third parties, the Academia de Formação – Grupo Garantia has adopted the following procedures:
- Internally disseminating and posting the Data Protection Policy at the Academia de Formação – Grupo Garantia’s premises and on the website.
- Informing new trainers and service providers about the Data Protection Policy.
- Informing current trainers and service providers about the Data Protection Policy through a circular.
- Informing trainees/trainers about confidentiality in data processing at the Academia de Formação – Grupo Garantia.
- Obtaining consent declarations for the processing of personal data (PD) from trainers and employees of service providers.
- Informing new subscribers of the quarterly updates on the Data Protection Policy.
- Requesting authorization to maintain data for the dissemination of information by the Academia de Formação – Grupo Garantia.
- Adapting and integrating all service contracts to comply with the GDPR, particularly regarding Articles 26 and 28, when applicable
Security Measures
4. Processing of Personal Data of “Customers and Suppliers”
What type of personal data do we process from Customers?
- Identifying Data: Company name, Tax Identification Number (NIF), address, phone number, email address, number of employees, company activity (CAE), number of establishments;
- Name and phone contact of the client’s representative(s);
- Identifying data of the client’s employees: full name, date of birth, Tax Identification Number (NIF), role, professional category, date of admission to the company, workplace, job position, establishment;
- Establishment data: establishment name, geographical location, size in m²;
- Transaction data: products and services provided.
What type of personal data do we process from Suppliers?
- Identifying Data: Company name, Tax Identification Number (NIF), phone number, email address, address;
- Financial data: bank account;
- Transaction data: products and services provided;
- Name and phone contact of the supplier’s representative.
For what purpose do we process your personal data?
What is the legitimacy for the processing of your personal data?
To which recipients will your data be transmitted?
5. Processing of Personal Data of “Contacts and Potential Customers”
What type of personal data do we process?
Identifying Data: Company name, Tax Identification Number (NIF), address, phone number, email address, number of employees, company activity (CAE), size of the facilities.
For what purpose do we process your personal data?
What is the legitimacy for the processing of your data?
6. Processing of Personal Data of “Transport Management Activity”
What type of personal data do we process?
- Identifying Data: Company name, Tax Identification Number (NIF), address, phone number, email address;
- Academic and Professional Data: Qualifications, profession, position;
- Data Related to Vehicle Geolocation: Company vehicle geolocation, routes taken, as well as tachograph data.
For what purpose do we process your personal data?
What is the legitimacy for the processing of your data?
To which recipients will your data be transmitted?
USE OF THE WEBSITE ACADEMIA DE FORMAÇÃO – GRUPO GARANTIA
Conditions for access and use of the website
Access to the website is the sole responsibility of the user, implying acceptance and understanding of the associated legal warnings, conditions, and terms of use. The user guarantees the authenticity and accuracy of all data provided, whether in registration forms or at any other time, and is responsible for updating the information to reflect their current situation. The user will be held accountable for any inaccuracies or false information provided.
The USER agrees to use the content and services provided by our company through its portal appropriately and, by way of example but not limited to, not to use them to:
- Engage in illegal activities or activities contrary to good faith and public order;
- Disseminate content or propaganda of a racist, xenophobic, illegal pornographic nature, incitement to terrorism, or that violates human rights;
- Cause damage to the physical and logical systems of Academia de Formação – Grupo Garantia, its suppliers, or third parties, introduce or spread computer viruses or any other physical or logical systems likely to cause such damage;
- Attempt to access and, if applicable, use the email accounts of other users, as well as modify or manipulate their messages.
Our company reserves the right to remove any comments and contributions that violate human dignity, are discriminatory, xenophobic, racist, pornographic, that threaten youth or childhood, public order or safety, or that, in its opinion, are not suitable for publication.
Intellectual property rights
Commercial downloads from this website are prohibited, meaning the user cannot exploit, reproduce, distribute, modify, publicly transmit, assign, transform, or use the website’s contents for commercial purposes. Additionally, under this Legal Notice, reproducing any part of the website’s content without the author’s express permission is prohibited, and such permission does not transfer ownership of the content to the user.
Disclaimer and Limitation of Liability
- If there are difficulties or impossibilities in connecting to the communication network through which this website is accessible, regardless of the type of connection used by the user.
- If there is an interruption, suspension, or cancellation of access to the website, as well as any issues with the availability and continuity of the website’s operation or its services and/or contents, due to (i) service interruptions for technical network maintenance or (ii) causes beyond our company’s control, whether direct or indirect.
- If there is a lack of quality and speed in accessing the website and the technical conditions that the user must ensure to access the website and its services and/or contents.
Change of terms and conditions of use
These general conditions, along with any specific conditions that may be established, will remain in effect indefinitely as long as the portal is active. The company reserves the right to unilaterally modify the access conditions and content of the portal at any time.
By accessing the website, the user agrees to comply with the following terms of use: The user must use the services and information provided on the website as presented, without altering the content, and solely for their own use. They cannot transfer or notify anyone else of this information and must use it in their own interest according to the nature of the content. The user is responsible for the exclusive use, conservation, confidentiality, and correct use of their access credentials (username and password).
Our company reserves the right to change these general terms of use at any time without prior notice, so users must review these General Conditions each time they access the website. Our company is not responsible for any damage caused by the use of the user’s password by others, whether with or without the user’s knowledge. The use of the website’s services and content is the sole responsibility of the users.
Users acknowledge and accept that the use of the website, its services, and content is entirely at their own risk. Specifically, our company does not guarantee the continuity, availability, or usefulness of the website, its services, or content. Therefore, it is not liable for any potential damages of any kind that may occur to users.
Additionally, our company does not guarantee the absence of viruses or other elements that may cause alterations to users’ computer systems or electronic documents or files stored therein. Consequently, it is not responsible for any potential damages of any kind that may occur to users.
HOLDER AND DATA RIGHTS
The rights of data subjects include:
- Right to information: You have the right to be informed in a concise, transparent, understandable, and easily accessible manner, using clear and simple language, about the use and processing of your personal data.
- Right of access: You have the right to request, at any time, confirmation of whether we are processing your personal data, and to be given access to them and information about their processing, as well as to obtain a copy of the data. Copies of documents containing your personal data will generally be free of charge, although requests for additional copies may be subject to a reasonable fee based on administrative costs. The Academia de Formação – Grupo Garantia may ask you to confirm your identity or provide additional information necessary to manage your data access request.
- Right to rectification: You have the right to request the correction of inaccurate, outdated, or incomplete personal data. You may also request that incomplete personal data be completed, including through an additional statement.
Right to erasure: You have the right to request the deletion of your personal data if, among other reasons, the data are no longer necessary for the purposes for which they were collected. However, this is not an absolute right, and the Academia de Formação – Grupo Garantia reserves the right to continue to retain them, duly blocked, under the legal terms and conditions provided by applicable regulations. - Right to data portability: You have the right to have your data transferred to another processor in a structured, commonly used, and machine-readable format. This right applies when the processing of your personal data is based on consent or the execution of a contract, but only if the processing is carried out by automated means.
- Right to object: You can object to the processing of your personal data, including profiling, unless we have legitimate grounds for processing or for the establishment, exercise, or defense of legal claims.
- Right not to be subject to automated decisions, including profiling: You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly affect you, unless necessary for the performance or execution of a contract, authorized by law, or based on consent.
- Right to withdraw consent: If you have given consent for the processing of your personal data for specific activities (e.g., sending commercial or institutional communications), you can withdraw this consent at any time. This will stop the specific activity for which your consent was previously obtained, unless there is another legal reason or basis justifying the continued processing of your data for these purposes, in which case you will be informed.
- Right to lodge a complaint with a supervisory authority: You have the right to file a complaint with the National Data Protection Commission.
OBLIGATIONS OF THE RESPONSIBLE FOR PROCESSING PERSONAL DATA
- Personal data is collected for specific, explicit, and legitimate purposes and is not processed in a manner incompatible with those purposes.
- Only adequate, relevant, and non-excessive personal data is collected in relation to the purposes for which it is collected.
- The collected personal data is accurate and up-to-date.
- Personal data is only retained for the necessary period to achieve the purposes for which it was collected/processed, ensuring compliance with applicable CNPD Deliberations and specific legislation.
- All information related to the processing is made available to the data subject, granting them the right to access, rectify, and delete their data, as well as to object to its processing, as stipulated by law and outlined above.
- Data subjects can, through a specific form (Reg. PD0002), request from the Data Controller (Academia de Formação – Grupo Garantia) the exercise of their rights listed in this Data Protection document.
- The data subject’s consent is obtained for data processing, where required.
- Data processing is duly notified to the CNPD (if applicable) and, when legally required, prior authorization is obtained, or it is duly regulated under legal terms.
- Authorized employees accessing personal data are bound by confidentiality obligations.
- Written contracts safeguarding confidentiality and privacy are established with subcontractors handling our data subjects’ personal data.
- The transmission of personal data to a third-party recipient must be accompanied by a guarantee of data protection and a commitment to use the data only for specified purposes. Such guarantees should be included in contractual clauses, and the Academia de Formação – Grupo Garantia must verify the existence of such clauses in current contracts, aiming to establish amendments if necessary.
- Appropriate technical and organizational measures are implemented to protect personal data against accidental or unlawful destruction, alteration, unauthorized access, and disclosure, and against any form of unlawful processing.
- The registration of personal data processing activities is carried out in accordance with legal terms