Data Protection, Privacy and Security Information Policy
Data Protection, Privacy and Information Security Commitment
CIN complies with all national, community and legal regulations regarding data protection, privacy and information security.
Within the Personal Data Protection and Information Security System, CIN seeks to ensure regulatory compliance and corporate responsibility disclosure or evincement in data protection and information security, implementing all technical and organizational measures needed to comply with the Data Protection legal system in force.
Within this framework, CIN also commits to keeping the personal data it is responsible for processing confidential and secret, in accordance with this privacy and data protection policy. CIN thus guarantees compliance with all applicable norms regarding confidentiality and secrecy. It will demand the same from all staff members and suppliers, as well as the adoption of behaviours and the implementation of the necessary measures to the same degree of conformity, ensuring that the persons authorized to process personal data comply with the confidentiality measures or are subject to adequate confidentiality legal obligations.
“Personal data”, information regarding an identified or identifiable individual person (“data subject”); an individual person is considered identifiable if they can be directly or indirectly identified, particularly by reference of an identifier. Are examples of personal identifiers a name, an identification number, location data, electronic identifiers or identifiers of one or more elements specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual person.
“Processing of Personal Data”
“Processing”, an operation or set of operations carried out on the personal data or sets of personal data, by automated or non-automated means, such as the collecting, registering, sorting, structuring, keeping, adapting or amending, recovering, referring, using, disclosing by transmission, distributing or any other form of providing, comparing or interconnecting, limiting, deleting or disposing.
“Cookies” are small text files with information considered relevant that the devices used for access (computers, mobile phones or portable mobile devices) carry through the Internet browser when an online site is visited by the Client or User.
CIN-CORPORAÇÃO INDUSTRIAL DO NORTE, S.A., with headquarters in Avenida de Dom Mendo, no. 831, city of Maia - Portugal, registered in Maia Commercial Register under a sole registration number of legal person 500.076.936, a share capital of 25,000,000 Euros, herein referred to as CIN, is the controller of the online site www.cin.com and the IT applications, hereinafter referred to as channels or applications, through which the Users, Service Recipients or Clients remotely access CIN's services and products presented, traded or provided, at any time, through these.
The use of the channels or applications by any User, Service Recipient or Client may imply the execution of data processing operations, the protection, privacy and security of which is ensured by CIN as the Processing Controller, in accordance with the terms of this Privacy and Data Protection Policy.
Data Protection Officer
If you wish to contact the Data Protection Officer at CIN, please send an email to firstname.lastname@example.org describing the issue of the request and indicating an email address, a telephone contact or a mail address.
Collecting and Processing Personal Data
CIN processes personal data where strictly necessary to provide information and to improve the channels’ performance, in accordance with the User, Service Recipient or Client's use.
As such, CIN collects personal data:
- directly from the Users or Recipients who provide them in their request registration or request for information;
- directly from the Clients when they join those channels or when they use the services provided by CIN, such as accesses, enquiries, instructions, transactions and other registrations related to its use.
In particular, the use or activation of certain features in these channels might imply processing various direct or indirect personal identifiers, such as name, home address, contacts, device addresses or geographical location, whenever explicit consent is given from the User, Service Recipient or Client.
The personal data collected by CIN is processed by computer, in certain cases in an automated manner, including processing files or the defining profiles in the management of pre-contractual, contractual or post-contractual relationships with the User, Service Recipient or Client, under the terms of the community and national regulations in force.
Categories of the Processed Personal Data
The categories or types of processed personal data can be, among others that might be necessary and might be legally collected, as follows: full name, tax number, civil identification number, marital status, sex, date of birth, place of birth, address(es), location(s), postal code(s), country, country code, telephone contacts, emails, name of the company where they work, etc.
In all cases, the User, Service Recipient or Client is always informed of the need to collect such data in order to access the features of the channels in question.
All data processing procedures comply with the fundamental legal principles regarding data protection and privacy, namely circulation, legality, loyalty, transparency, purpose, minimization, maintenance, accuracy, integrity and confidentiality, and CIN is available to show their responsibility before the data subject or any other third party which has a legitimate interest in this matter.
All data processing operations carried out by CIN have legitimate grounds, namely the subject's consent, the need to carry out a control or pre-contractual actions with the data subject, as well as the need to comply with a legal obligation or the legitimate interests of CIN or third parties.
All personal data processed in the context of CIN's channels is exclusively aimed at providing Users with information, managing the Service Recipients’ personal information considered necessary to manage the relationship or communication with them, as well as providing services requested by the Clients and, in general, managing the pre-contractual, contractual and post-contractual relationship with the Users or Clients.
The personal data collected can, still and eventually, be processed for statistical purposes, for information broadcasting or promotional measures, namely to promote new features or new products and services using direct communication, either by mail, e-mail, text messages or telephone calls or any other communication service.
The Users or Clients will always be informed and requested to expressly consent to these last purposes, and they can, at any moment, object to the use of their personal data for any purpose other than the management of the contractual relationship, namely for marketing purposes, receiving informative communications or for being included in informative lists or services. For such, they can send a written request to the Data Protection Officer (Encarregado de Protecção de Dados) at CIN, following the procedure indicated below.
Data Storing Period
The personal data will be stored only for the period needed to fulfil the purposes it was collected for or processed, and all legal regulations will be complied with while the data is stored.
Data Sharing with Other Entities
The User, Service Recipient or Client, by accessing the information or services provided by CIN through the channels, may eventually need to avail of outsourced third-party services, including entities headquartered outside the EU. These entities might then need to access the User, Service Recipient or Client's personal data.
In such circumstances and whenever necessary, CIN will only resort to outsourced entities which will sufficiently guarantee the execution of adequate technical and organizational measures so that the data processing complies with the applicable regulations, by way of a signed contract between CIN and each of these third parties.
Except when complying with legal obligations, in no instance will the personal data of a User, Service Recipient or Client be communicated to a third party that is not outsourced by CIN or a legitimate recipient. No communication will be carried out other than for the purposes indicated above.
International Data Transfers
Any personal data transfer to a third country or an international organization will only be carried out in the compliance of legal obligations or in the cases where compliance with the national and community legal regulations in this matter is guaranteed.
Considering the most advanced techniques, the application cost and the nature, scope, context and purpose of the data processing, as well as the variable gravity and probability risks to the User, Service Recipient or Client, CIN and all the outsourced entities apply adequate technical and organizational techniques in order to ensure a level of security suitable to the risk.
To that effect, various security measures are adopted in order to protect the personal data against disclosure, loss, misuse, amendment, unauthorised processing or access, as well as any other form of unlawful processing.
It is the User, Service Recipient or Client's sole responsibility to keep the access codes safe and not share them with third parties. In the specific case of IT applications used to access the channels, they must also keep and maintain the devices in good security condition, as well as follow the security practices advised by the manufacturers and/or providers, namely with regards to installing and updating the security application required, such as, among others, antivirus applications.
In case of outsourcing services to third parties that might have access to the User, Service Recipient or Client's personal data, CIN’s outsourced entities will be required to adopt security measures and protocols to the same level as the organization, as well as technical measures to protect the confidentiality and safety of personal data and prevent unauthorized access, loss or destruction of personal data.
Exercising the Rights of the Data Subject
CIN's Users, Service Recipients and Clients can, as data subjects, exercise at any time their right to data protection and privacy, namely the right to access, amend, delete, move, limit or object to processing, within the terms and limitations set out in the applicable regulations.
Any request to exercise data protection and privacy rights must be in writing and addressed by the subject to the Data Protection Officer, in accordance with the procedure and contact indicated below.
Complaints or Suggestions and Incident Report
CIN's Users, Service Recipients and Clients have the right to complain, both via an entry in the Complaints Book and by logging a complaint with the regulatory entities, as well as give suggestions by e-mail to the Data Protection Officer.
CIN has implemented an incident management system for privacy, data protection and information security.
If a User, Service Recipient or Client wishes to report any breach of personal data, which accidentally or unlawfully provokes the unauthorized destruction, loss, alteration, dissemination or access to the personal data provided, stored or subject to any other type of processing, they may contact the Data Protection Officer.
Explicit Consent and Acceptance
The terms of the Privacy and Data Protection Policy complement the terms and dispositions, with regards to personal data, of the General Conditions for Use of CIN's channels.
The free, specific and informed provision of the personal data by the data subject implies that they know and accept this Policy and substantiates an explicit consent for that data's processing, in accordance with the defined rules.
Data Protection Officer
In order to exercise any data protection, privacy or information security right, or any matter relating to the topics of data protection, privacy and information security, the Users, Service Recipients and Clients at CIN may contact the Data Protection Officer through the e-mail email@example.com, describing the subject of the request and indicating an e-mail address, a telephone contact or a correspondence address for the reply.