The purpose of this document is to provide a concise policy statement on the data protection obligations to be implemented at VERDELAGO – Sociedade Imobiliária S.A., a society with headquarters in Lisbon, at Avenida Engenheiro Duarte Pacheco, Torre 2, 15.o A, Amoreiras, dully incorporated on the Comercial Registry Office under the identification nr. 501661964, (hereinafter “VERDELAGO”).
This policy includes VERDELAGO’s obligations regarding the processing of personal data in the tourist resort “Verdelago Resort”, in order to ensure compliance with the requirements of the relevant legislation, from the perspective of adapting efforts to a reality in continuous change, to address the most relevant risks.
VERDELAGO must comply with data protection principles established in current legislation.
This Policy applies to all personal data processing operations, including data collection, processing and storage by VERDELAGO of personal data belonging to their employees, service providers and clients during the course of their activities.
The Policy covers all personal data, including data regarding special personal data categories, which are processed in relation to the data subjects by VERDELAGO, as the Data Controller or Subcontractor.
This Policy also applies to personal data processed manually provided this date is included in a structured file.
All personal data related to special personal data categories will be processed with extra care by VERDELAGO. Both categories are equally referred to as “Personal Data” in this Policy, unless stated otherwise.
4. Who processes your data
In the course of their daily activities, VERDELAGO may acquire, process and store personal data.
According to European and Portuguese data protection legislation, this data must be lawfully, fairly and transparently acquired and managed.
VERDELAGO is committed to ensuring that your team is sufficiently aware of data protection laws and practices, in order to be able to anticipate and identify any data protection issues that may arise.
Under these circumstances, the team must ensure that the Controller is informed, so that appropriate and necessary corrective actions may be taken, and to protect the rights, freedoms and guarantees of the Data Subjects.
VERDELAGO may share Personal Data of their Data Subjects with Processors provided it is necessary for the normal provision of services.
Regarding the obligations of VERDELAGO, Processors’ access to Personal Data shared by VERDELAGO is regulated by the contract made with their Processors.
Therefore, VERDELAGO contractually ensures and regularly verifies that Processors are reliable entities that offer appropriate protection guarantees and that no more data is sent to them than is required to provide the contracted service.
During the course of their duties as Data Controller, VERDELAGO may also share the Personal Data of their Data Subjects with other Data Controllers so to perform processing operations required for providing the contracted services.
Within the scope of the aforementioned joint responsibility, VERDELAGO makes an agreement with the other controller, in which the purposes and responsibilities are clearly identified in compliance with the applicable data protection legislation, ensuring compliance with the Rights and Freedoms of Data Subjects by establishing appropriate communication channels to respond to requests from Data Subjects.
Regardless of the existing relationship between personal Data Recipients, VERDELAGO shall outline, by means of a written formal written contract, the personal data obligations, the specific purpose or the purposes of their involvement, and the understanding that they perform data processing operations according to the Portuguese Data Protection Law.
5. Your data may be shared with the following Recipients:
- Providers of digital, technical and operational support services;
- Blue & Green – Serviços e Gestão S.A., as a subcontractor and manager of the “Verdelago Resort”;
- Entities related to, or with common management with Blue & Green – Serviços e Gestão S.A., which belongs to B&G Group; and;
- Judicial bodies, and bodies of the Criminal Police and Administrative Authorities.
6. What we do with your data:
As Data Controller, VERDELAGO ensures that all Personal Data:
- Is obtained for specific, lawful and clearly defined purposes. The Data Subject may question the purpose(s) for which VERDELAGO collects and maintains the data, and VERDELAGO must clearly and precisely state what those purposes are.
- Will be compatible with the purposes for which the data was acquired.
- Will be stored with appropriate security measures – implemented or to be implemented – to protect the data against unauthorised access, or against modification, destruction or disclosure of any Personal Data held by VERDELAGO as Data Controller.
- Will be stored complete, accurate, and updated as necessary.
- Will be limitedly collected and only stored for the time that is strictly necessary. Excess data will not be collected and/or processed.
Thus, VERDELAGO has implemented a procedure to respond to the Data Subjects’ requests in order to efficiently and appropriately manage such requests within the time limits set out in the legislation.
VERDELAGO has implemented or is implementing available levels of Personal Data security and protection, as well as technical and organisational measures to protect against the loss, misuse, change, or unauthorised access of Personal Data, as well as against any other form of unlawful processing.
All Employees of VERDELAGO are also subject to confidentiality standards.
7. Purposes and lawfulness of the Processing operations:
VERDELAGO processes the Personal Data of their Clients to ensure compliance with the service agreement made with the Data Subjects or the Joint Data Controllers (regarding data and Data Subjects they collect, such as counterparts, employees and others). The personal data identified herein, which is subject to processing operations, is required for the execution of a contract or for pre-contractual arrangements or for compliance with legal obligations, or in the case of marketing, the data may fall under consent.
Special Category data on Clients, or obtained from Clients, will be subject to appropriate processing operations, insofar as the data is required for important public interest reasons, such as preventing money laundering and financing terrorism.
The processing of Personal Data belonging to Clients, or obtained from Clients, which is related to criminal convictions and infringements or to related security measures, will always be subject to the protection of rights and freedoms of Data Subjects, with operations regarding said data strictly limited to the compliance with applicable legal obligations.
VERDELAGO processes the data of their employees to enforce the work contract. The data processed is required to enforce a contract to which the Data Subject is a party, or for the purpose of pre-contractual arrangements at the request of the Data Subject.
The personal data of employees is also collected and processed for the purpose of complying with legal obligations that the Data Controller is subject to.
Operations relating to the processing of Special Category data collected from Employees are required for the purpose of complying with legal obligations and exercising the specific rights of the Data Controller or the Data Subject in terms of labour, social security and social protection law, and also for the purpose of preventive or occupational healthcare, and to assess the employee’s work capacity.
The processing of Personal Data belonging to Employees, or obtained from Employees, which is related to criminal convictions and infringements or to related security measures, will always be subject to the protection of rights and
freedoms of Data Subjects, with operations regarding said data strictly limited to the compliance with applicable legal obligations.
- Service Providers
VERDELAGO processes the Personal Data of their Service Providers to ensure compliance with the service agreement made with the Data Subjects or the Joint Data Controllers (regarding data and Data Subjects they collect, such as counterparts, employees and others). The Personal Data identified herein, which is subject to processing operations, is required for the execution of a contract or for pre-contractual arrangements or for compliance with legal obligations.
Special Category data on Service Providers or obtained from Service Providers will be subject to processing operations, insofar as the data is required to declare, exercise or defend a right in a legal procedure, or if the processing is required for the purpose of complying with obligations and exercising the specific rights of the Data Controller or the Data Subject in terms of labour, social security and social protection law or if the data is of public interest.
The processing of Personal Data belonging to Service Providers or obtained from Service Providers, which is related to criminal convictions and infringements or to related security measures, will always be subject to the protection of rights and freedoms of Data Subjects, with operations regarding said data strictly limited to the compliance with applicable legal obligations.
8. Criteria for Calculating Retention Periods
VERDELAGO will store Personal Data for the period they deem necessary and sufficient for the purposes behind the data collection and processing. The data storage time will vary according to the purpose for which the data is processed and according to legal standards demanding data storage. At the end of this period, the data will be deleted pursuant to the appropriate technical and operational guarantees, as documented in each of the relevant processes.
9. Right of Access and Exercise of Rights
Data Subjects can exert their rights under the applicable data protection law by writing to the following email address: firstname.lastname@example.org
The VERDELAGO has also appointed a Data Protection Officer, in accordance with best practices in the field, who can be contacted at the following email address: email@example.com