I. Introduction

This Data Protection Policy compiles the principles, rules and procedures adopted by OSQUAY in order to promote and ensure the respect for the privacy and protection of personal data of all those who relate to it.

This Data Protection Policy covers the personal data processing operations carried out by OSQUAY in the context of any situation that may require it, namely with employees, customers or suppliers. 

The provisions included in this Data Protection Policy complement and develop the rules set out in the applicable legal instruments, and in particular in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 of April 2016 (General Data Protection Regulation or “GDPR”) and Law 58/2019 of 8 August.

By disclosing it, OSQUAY meets the information obligations to which it is subject in this regard.

II. Identification

Personal data are processed by OSQUAY as Controller. These are the identification and contact details to be taken into consideration in any communication relating to the processing of personal data:

• Name: OSQUAY, LDA.

• Address: Rua S. Salvador, nº 42, 9760-541 Praia da Vitória

• E-mail: info@osquay.com

  
  

III. Data Categories

Within the framework of its activity OSQUAY handles the following categories of personal data:

The provision of some of these data is mandatory by legal or contractual requirement; in other cases it is an essential condition for the negotiation or conclusion of contracts with OSQUAY, and without them the company will not be able to fulfil the obligations arising from it; in other situations the provision of the data is merely optional. OSQUAY indicates the specific nature of the data provision at the time of its collection. 

IV. Processing purposes

In general, the personal data collected by OSQUAY is used for the negotiation and conclusion of contracts and for the management of the contractual relationship and contacts with its customers, suppliers, employees and other collaborators, for the execution of such contracts, for the improvement and adequacy of OSQUAY's promotional and communication services and tools, for the dissemination of OSQUAY's institutional or promotional information, and for marketing activities. Personal data may also be processed for the purpose of complying with legal obligations. 

Whenever personal data is collected for specific purposes, OSQUAY will communicate the purposes of such processing in the appropriate forms and times. 

V. Lawfulness

Personal data shall be processed on the following grounds:

- Execution of contractual relations to which OSQUAY is a party;

- Compliance with legal obligations to which OSQUAY is a party; 

- Legitimate interests pursued by OSQUAY, where the interests, fundamental rights or freedoms of the data subject do not prevail;

- Data Subjects’ consent. 

Where the lawfulness  of the data processing is based on the consent of the data subject, there is the right to withdraw it at any time. 

VI. Information sharing

Personal data processed by OSQUAY may be disclosed to: 

- judicial, administrative, supervisory or regulatory authorities, or entities with delegated or concessionary public powers or functions;

- business partners and banking and insurance entities;

- service providers and subcontractors.

All data transmissions to third parties comply with the rules and conditions provided for by law. 

In cases where there is a need for data processing operations to be carried out by the entities to which they are transmitted, OSQUAY will ensure, by means of suitable contractual instruments, that these third parties comply with the minimum conditions for the protection of personal data. 

The data will be processed within the European Union. In cases where it becomes necessary to carry out some processing of personal data outside the EU territory, OSQUAY will ensure that the applicable legal conditions can be complied with and will only carry out the corresponding transmissions if it can guarantee that these conditions will be complied with.

VII. Data preservation

Personal data collected by OSQUAY will be kept for the period necessary to fulfill the purposes for which it was collected. 

Where applicable, the data will be retained by OSQUAY for such time as may be necessary to carry out orders and guidelines of the competent authorities, to comply with any legal or contractual obligations which may be required of it, or to exercise the rights which it holds in view of the periods of limitation of rights provided by law. 

Once the maximum storage period has elapsed or the purpose of the processing has been exhausted, the data shall be erased or made anonymous.

VIII. Data subjects' rights

Right to information

The data subject has the right to be informed about the circumstances surrounding the processing of his data. This information is generally made available on the various media and means used by OSQUAY to collect the data or communicate with the data subjects, including this Data Protection Policy, the contractual instruments it enters into, the institutional website and other communication tools. 

In addition, OSQUAY also provides the mandatory information in the following special cases:     

- In the consent collection instruments, whenever this is the basis for the lawfulness of the processing;

- At the time and through the support it uses to make the due notification to the data subjects in cases where the data have not been collected directly from them, also informing them of the origin of their data.

Other specific rights 

In particular, the personal data subject shall be entitled to the rights of access, rectification, erasure, restriction of processing, objection and non-subjection to automated decisions, portability and complaints to the national supervisory authority (CNPD).

In exercising these rights, the personal data subject may, at any time, request OSQUAY :

- to have access to the personal data provided by him/her;

- to obtain the rectification of information, if incorrect or incomplete;

- to erase or restrict the processing of his personal data;

- to provide his personal data in a structured, commonly used and automatically readable format for transmission to another data controller (portability).

To this purpose, the owner of the personal data, or whoever has a legitimate mandate, should write to OSQUAY, preferably by e-mail, using the contacts indicated in point II. 

OSQUAY will respond to requests within 1 month. If OSQUAY considers that it should not comply with the request, it will inform the data subject, within the same period, of the reasons for its decision and of the possibility of complaining to the CNPD or the courts. Whenever possible, answers will also be sent by e-mail, unless the data subject expressly requests otherwise. 

OSQUAY may also request proof of identity or legitimacy of action to ensure that the data are not shared with third parties or outside the will of the respective owners. 

IX. Confidentiality

All OSQUAY employees are required to observe complete confidentiality with regard to the personal data to which they have access by virtue of the functions or tasks they perform, even after they have ceased to perform those functions or tasks or have ceased to be associated with OSQUAY. OSQUAY shall ensure this obligation by including it in the contractual instruments it concludes with its employees.

X. Security measures

OSQUAY has adopted a set of technical and organisational measures for the protection of personal data it processes, which cover procedures and security measures related, namely, to the control of physical and electronic access to storage sites and systems, the control of disclosure to third parties and the management of risks of loss and destruction.

XI. Term and amendments

This version of the Data Protection Policy was approved by OSQUAY's board of directors on [02/05/2023] and may be amended at any time.

Changes to the Data Protection Policy will be disclosed through the communication channels normally used by OSQUAY for this purpose. 

Linda-a-Velha, 13 March 2024