FRAMEWORK
This Privacy Policy describes a set of guidelines, rules and principles to be observed by Imopólis, Sociedade Gestora de Organismos de Investimento Coletivo, S.A. (hereinafter “Imopólis”) to ensure and guarantee the new data protection obligations, as well as the protection of data subjects’ rights. Imopólis is obliged to comply with its Personal Data Protection Policy in accordance with the new rules introduced by the General Data Protection Regulation, approved by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “General Data Protection Regulation” or ” RGPD ”) and other legislation applicable to data protection.
For the exercise and development of its activity, Imopólis needs to carry out a large number of personal data processing operations, namely the collection, consultation, transmission or updating of such data. This processing of personal data concerns more than one category of personal data holders, including here employees, customers and potential customers, including those who contact us requesting our services, for the purposes of, namely, collect information regarding the lease conditions of the spaces and properties that are part of our portfolio, as well as suppliers or service providers.
It is in this sense that Imopólis makes all the necessary efforts, in particular by carrying out an in-depth analysis of all its internal procedures, with a view to ensuring compliance with the obligations of applicable law, with a view to adapting to a continually changing reality to address the most relevant risks.
Imopólis seeks to ensure that the personal data of its employees, customers, potential customers, suppliers or service providers, as well as any other personal data holders whose personal data Imopólis treats in the course of its business, are processed in accordance with regulatory and legal standards in force and are kept safely.
Imopólis must comply with the data protection principles set forth in current legislation.
II. SCOPE
This Policy covers the processing of various categories of personal data, including the processing of special categories of personal data, data of minors, and data related to criminal convictions and offenses by Imopólis in the course of its business as controller and/or subcontractor.
The processing of special categories of personal data will be carried out taking into account a high level of protection with increased care by Imopólis. Both categories will also be referred to as “Personal Data” in this Policy, unless otherwise indicated.
III. WHO MAKES TREATMENT OPERATIONS ON YOUR DATA
In the course of its daily activities, Imopólis may acquire, process and store Personal Data.
In accordance with European and Portuguese data protection law, this data must be acquired and managed in a lawful, fair and transparent manner.
Imopólis is committed to ensure that its team has sufficient knowledge of data protection law and practices to be able to anticipate and identify any data protection issues that may arise.
In such circumstances, the team shall ensure that the Data Subject is informed, ensuring that all appropriate and necessary corrective actions are taken to ensure the Data Subject’s rights, freedoms and warranties.
Imopólis may share Personal Data of Data Holders with Subcontractors or other controllers as necessary for the normal provision of its services.
Subcontractors access to Personal Data shared by Imopólis is governed by Imopólis’ obligations under the contract entered into with its Subcontractors.
In this sense, Imopólis contractually assures and regularly verifies that the Subcontractors are reliable entities that offer adequate protection guarantees, not being transmitted to them data beyond those necessary for the provision of the contracted service.
In the course of its role as Data Controller, Imopólis may also share Data Holders Personal Data with other Data controllers in order to perform the processing operations necessary to provide the contracted services.
In the context of this joint responsibility, Imopólis enters into an agreement with the other controller, which identifies, in a transparent manner, the respective purposes and responsibilities in compliance with the data protection legislation in force, ensuring compliance with Data Holders Rights and Freedoms by establishing appropriate communication channels to respond to Data Holders requests.
Regardless of the relationship between the Personal Data Recipients, Imopólis defines, by formal and written contract, the delimitation of the Personal Data obligations, the specific purpose or purposes for which they are involved and the understanding that they carry out the data processing operations in accordance with the Portuguese Data Protection Legislation.
IV. YOUR DATA MAY BE SHARED WITH THE FOLLOWING RECIPIENTS
- Providers of computer, technical and operational support services;
- Group entities;
- Related entities;
- Entities to which Imopólis provides services;
- Judicial Bodies, Criminal Police Bodies and Administrative Authorities.
V. WHAT WE DO WITH YOUR DATA
Imopólis warrants that all Personal Data:
- Will be obtained for specific, lawful and clearly defined purposes, with the Data Subject having the right to question the purpose(s) for which Imopólis collects and maintains it and Imopólis clearly and precisely states what the purpose or purposes are;
- Will be compatible with the purposes for which they were purchased;
- Will be maintained with appropriate security measures – implemented or to be implemented – to protect against unauthorized access, or the alteration, destruction or disclosure of any Personal Data held by Imopólis as the controller;
- Will be kept accurate, complete and up-to-date as needed;
- Will be collected in a limited manner and kept only for the time strictly necessary, and excessive data will not be collected and/or processed.
Thus, Imopólis has implemented a response procedure to requests from Data Holders, in order to manage such requests efficiently and appropriately, within the deadlines stipulated in the legislation. Imopólis has implemented or is implementing the levels of security and protection of Personal Data provided, as well as technical and organizational measures to protect Personal Data against its dissemination, loss, misuse, alteration, processing or access as well as against any other form of unlawful treatment.
All Imopólis Employees are also subject to confidentiality rules.
VI. PURPOSES AND FUNDAMENTALS OF TREATMENT OPERATIONS
- Customers and Potential Customers
Imopólis carries out processing operations in relation to the Personal Data of its Clients and Potential Clients (who contact Imopólis in order to obtain information about the services provided by it and about the portfolio of properties under management), in order to ensure compliance with the service contract agreed with the Data Holders or with the Responsibles for Joint Treatment (regarding the data and Data Holders collected by them, such as counterparties, workers and others). Personal data now identified and subject to processing operations are under a situation of necessity for the performance of a contract or for pre-contractual diligence or for the fulfillment of legal obligations. Customer or Potential Customer Special Category data, or obtained through Customers, will be subject to appropriate processing operations to the extent necessary for reasons of important public interest such as the prevention of money laundering and terrorist financing. The processing of Personal Data of Customers or Potential Customers or obtained through Customers, related to criminal convictions and infringements or related security measures will always be subject to adequate safeguards to protect the rights and freedoms of Data Holders, and transactions concerning limited to strict compliance with applicable legal obligations.
Thus, Imopólis has implemented a response procedure to requests from Data Holders, in order to manage such requests efficiently and appropriately, within the deadlines stipulated in the legislation. Imopólis has implemented or is implementing the levels of security and protection of Personal Data provided, as well as technical and organizational measures to protect Personal Data against its dissemination, loss, misuse, alteration, processing or access as well as against any other form of unlawful treatment.
All Imopólis Employees are also subject to confidentiality rules.
- Employees
Imopólis carries out processing operations regarding the data of its employees for the execution of the employment contract. The data processed are required for the purpose of performing a contract to which the Data Subject is a party, or for the purpose of pre-contractual due diligence at the request of the Data Subject.
Personal data of employees are also collected and processed for the purpose of complying with the legal obligations to which the controller is subject.
Processing operations concerning Special Category data collected from Employees are necessary for the purpose of complying with legal obligations and in exercising specific rights of the Data Controller or Data Subject in the field of labor law, social security and social protection and also for the purposes of preventive medicine or work, for the evaluation of the employee’s work ability.
The processing of Personal Data of Employees or obtained through Employees, related to criminal convictions and infringements or related security measures shall always be subject to adequate safeguards for the protection of the rights and freedoms of Data Holders, and operations concerning such data are limited to strict compliance with applicable legal obligations.
- Service Providers
Imopólis carries out processing operations with respect to the Personal Data of its Service Providers to ensure compliance with the service agreement agreed with the Data Holders or with the Joint Processors (regarding the data and Data Holders collected by them, as counterparts, workers and others). Personal Data identified herein and subject to processing operations are under a situation of necessity for the execution of a contract or for pre-contractual diligence or for the fulfillment of legal obligations.
Special Category data relating to Service Providers or obtained through Service Providers shall be subject to processing operations to the extent necessary for the declaration, exercise or defense of a right in a court proceeding, or the processing required for the purposes of fulfilling the data controller’s obligations and exercising specific rights in respect of labor law, social security and social protection or important public interest.
The processing of Personal Data from Service Providers or obtained through Service Providers, related to criminal convictions and infringements or related security measures will always be subject to adequate safeguards to protect the rights and freedoms of data subjects, and transactions concerning such data limited to strict compliance with applicable legal obligations.
VII. CRITERIA FOR CALCULATING RETENTION PERIODS
Imopólis retains Personal Data for a period that is deemed necessary and sufficient for the purposes that motivated the collection and processing, varying the period of data storage according to the purpose for which the information is processed and according to with the legal norms that require their retention, after which they will be disposed of, subject to appropriate technical and functional guarantees, as documented in each of the relevant processes.
VIII. RIGHT OF ACCESS AND EXERCISE OF RIGHTS
Data Holders may exercise the rights conferred under applicable data protection legislation by email at hgrua@imopolis.pt.
Imopólis has also appointed a Data Protection Officer, in accordance with best practices in the area, who can be contacted at hgrua@imopolis.pt.