PERSONAL DATA PROTECTION POLICY
The new rules on personal data protection established under Regulation (EU) 2016/679 (“General Data Protection Regulation”) entered into force on 25 May 2018. The General Data Protection Regulation (GDPR) establishes a set of important legislative changes to reinforce your rights as a data subject and the measures businesses and public authorities need to implement to protect your personal data.
Complying with data protection law and respecting data subject rights is a priority at PME Investimentos and all entities encompassed by the GDPR are obliged to implement appropriate technical and organizational measures to ensure the security, confidentiality and integrity of the personal data they process.
We will only process your personal data based on the following lawful bases:
PERFORMANCE OF A CONTRACT OR PRE-CONTRACT DUE DILIGENCE
In this case, we process data for the purposes of managing the contracts in which PME Investimentos or the funds we manage are counterparties, as well as to perform pre-contract due diligence, including personal data provided by applicants during a recruitment process, both for applications submitted spontaneously or those we request.
FULFILMENT OF LEGAL OBLIGATIONS
This lawful basis encompasses data processing required to fulfil legal obligations, which includes, for example, transmitting data to other (Portuguese and Community) public bodies, tax authorities and courts.
Given that PME Investimentos is a public company entrusted with the task of stimulating the funding market for Portuguese SME, we process data for the implementation of both Portuguese and Community programmes, as well as to manage relationships with other institutional players (for example, business or regional associations and intermediaries which oversee the operation of financial instruments managed by PME Investimentos) with which the companies are associated.
This lawful basis applies to processing needed to pursue the legitimate interests of PME Investimentos or those of third parties, without prejudice to your rights and freedoms. This includes all processing resulting from duties assigned to us under law, in particular the internal and external dissemination of programmes to boost the financing of Portuguese SME, both at home and abroad.
We will only collect or process your data for the following specific, explicit and legitimate purposes:
- Contracting, managing and disseminating the financial instruments we manage to support SME or those financed through the public funds we manage
- Formalizing and managing employment contracts, as well as procurement and service contracts and performing respective procedures and associated pre-contract due diligence
- Managing events we promote
PME Investimentos will process data fairly and transparently, ensuring the confidentiality and security of the information you provide and that it is only used for the expressly indicated and authorized purposes.
In accordance with the duties assigned to PME Investimentos and based on the lawful basis for data collection, we may need to share your data with third parties, including Portuguese and international public bodies and private entities to fulfil legal or regulatory obligations (in particular, your data may be transmitted to entities responsible for the implementation, control, certification, audit and monitoring of the Portuguese or Community financial instruments for funding we manage), contractual obligations or to perform our duties in the public interest. Your data may also be accessed by service providers we engage for the purpose for which such data is being processed, in particular information security and storage services.
As a result of technology advancements related to data access and retention, in particular PME Investimentos’ use of cloud-based computing and computer applications, your personal data may be transferred to other Member States or third countries outside the European Union. We will ensure that such transfer is limited to certified services and companies in compliance with the GDPR.
When we need to use external services or service providers to process your personal data, we will only engage suppliers and services that ensure the privacy and confidentiality of the data they process, as stipulated under the GDPR.
The personal data we process will only be stored for as long as needed to fulfil the purpose for which it was collected.
PME Investimentos undertakes to ensure you are able to exercise the following rights, within applicable legal deadlines:
RIGHT OF ACCESS
You have the right of access to information related to the data we process that belongs to you and the respective characteristics thereof (in particular, type of data, lawful basis for processing, retention periods and what data has to be mandatorily provided and which is optional).
RIGHT TO RECTIFICATION
You have the right to request that your data be rectified and that it be accurate and up-to-date, for example when you believe it is incomplete or outdated.
RIGHT OF ERASURE OR “RIGHT TO BE FORGOTTEN”
You have the right to request that your data be erased when you believe there is no lawful basis for it to be stored and provided that is no other valid lawful basis for processing, such as the performance of a contract or fulfilment of a legal or regulatory obligation.
RIGHT TO RESTRICT
You have the right to suspend or restrict the processing of certain categories of data or lawful bases.
RIGHT TO PORTABILITY
You have the right to ask us to send you your data in a commonly used and machine-readable format so that you can reuse it. Alternatively, you can request that your data be transmitted to another entity who will then be responsible for processing it.
RIGHT TO OBJECT
You have the right to object to certain lawful bases for processing, provided that no legitimate interests prevail over yours.
RIGHT TO WITHDRAW CONSENTO
You have the right to withdraw your consent. However, you may only exercise this right when consent was the only requirement for the legitimate processing of personal data.
You will be ensured of your ability to exercise the aforementioned rights, whenever legally acceptable (e.g. when a legal or contractual obligation does not prevent you from exercising the right), by the Data Protection Officer appointed by PME Investimentos, by sending a written request to one of the following address:
PME Investimentos, S.A.
c/o Data Protection Officer
Rua Ivone Silva, 14.º andar