The new rules on personal data protection established under Regulation (EU) 2016/679 (“General Data Protection Regulation”) entered into force on 25 May 2018. The General Data Protection Regulation (GDPR) establishes a set of important legislative changes to reinforce your rights as a data subject and the measures businesses and public authorities need to implement to protect your personal data.

Complying with data protection law and respecting data subject rights is a priority at Banco Português de Fomento and all entities encompassed by the GDPR are obliged to implement appropriate technical and organizational measures to ensure the security, confidentiality and integrity of the personal data they process.

We will only process your personal data based on the following lawful bases:

PERFORMANCE OF A CONTRACT OR PRE-CONTRACT DUE DILIGENCE

In this case, we process data for the purposes of managing the contracts in which Banco Português de Fomento or the funds we manage are counterparties, as well as to perform pre-contract due diligence, including personal data provided by applicants during a recruitment process, both for applications submitted spontaneously or those we request.

FULFILMENT OF LEGAL OBLIGATIONS

This lawful basis encompasses data processing required to fulfil legal obligations, which includes, for example, transmitting data to other (Portuguese and Community) public bodies, tax authorities and courts.

PUBLIC INTEREST

Given that Banco Português de Fomento is a public company entrusted with the task of stimulating the funding market for Portuguese SME, we process data for the implementation of both Portuguese and Community programmes, as well as to manage relationships with other institutional players (for example, business or regional associations and intermediaries which oversee the operation of financial instruments managed by Banco Português de Fomento) with which the companies are associated.

LEGITIMATE INTERESTS

This lawful basis applies to processing needed to pursue the legitimate interests of Banco Português de Fomento or those of third parties, without prejudice to your rights and freedoms. This includes all processing resulting from duties assigned to us under law, in particular the internal and external dissemination of programmes to boost the financing of Portuguese SME, both at home and abroad.

CONSENT

Sometimes we might need to process personal data based on your consent. In such cases, data will always be collected on a voluntary basis, with your free and informed consent. To this end, our Privacy Policy will always be readily available for you to read whenever data is collected. Consent-based data collection, in particular, will be restricted to situations in which you would like to receive information about activities carried out by Banco Português de Fomento and the funds we manage, even if we don’t have a prior existing relationship.

We will only collect or process your data for the following specific, explicit and legitimate purposes:

• Contracting, managing and disseminating the financial instruments we manage to support SME or those financed through the public funds we manage
  

• Formalizing and managing employment contracts, as well as procurement and service contracts and performing respective procedures and associated pre-contract due diligence

• Managing events we promote

Banco Português de Fomento will process data fairly and transparently, ensuring the confidentiality and security of the information you provide and that it is only used for the expressly indicated and authorized purposes.

In accordance with the duties assigned to Banco Português de Fomento and based on the lawful basis for data collection, we may need to share your data with third parties, including Portuguese and international public bodies and private entities to fulfil legal or regulatory obligations (in particular, your data may be transmitted to entities responsible for the implementation, control, certification, audit and monitoring of the Portuguese or Community financial instruments for funding we manage), contractual obligations or to perform our duties in the public interest. Your data may also be accessed by service providers we engage for the purpose for which such data is being processed, in particular information security and storage services.

As a result of technology advancements related to data access and retention, in particular Banco Português de Fomento’ use of cloud-based computing and computer applications, your personal data may be transferred to other Member States or third countries outside the European Union. We will ensure that such transfer is limited to certified services and companies in compliance with the GDPR.

When we need to use external services or service providers to process your personal data, we will only engage suppliers and services that ensure the privacy and confidentiality of the data they process, as stipulated under the GDPR.

The personal data we process will only be stored for as long as needed to fulfil the purpose for which it was collected.

Banco Português de Fomento undertakes to ensure you are able to exercise the following rights, within applicable legal deadlines:

RIGHT OF ACCESS

You have the right of access to information related to the data we process that belongs to you and the respective characteristics thereof (in particular, type of data, lawful basis for processing, retention periods and what data has to be mandatorily provided and which is optional).

RIGHT TO RECTIFICATION

You have the right to request that your data be rectified and that it be accurate and up-to-date, for example when you believe it is incomplete or outdated.

RIGHT OF ERASURE OR “RIGHT TO BE FORGOTTEN”

You have the right to request that your data be erased when you believe there is no lawful basis for it to be stored and provided that is no other valid lawful basis for processing, such as the performance of a contract or fulfilment of a legal or regulatory obligation.

RIGHT TO RESTRICT

You have the right to suspend or restrict the processing of certain categories of data or lawful bases.

RIGHT TO PORTABILITY

You have the right to ask us to send you your data in a commonly used and machine-readable format so that you can reuse it. Alternatively, you can request that your data be transmitted to another entity who will then be responsible for processing it.

RIGHT TO OBJECT

You have the right to object to certain lawful bases for processing, provided that no legitimate interests prevail over yours.

RIGHT TO WITHDRAW CONSENTO

You have the right to withdraw your consent. However, you may only exercise this right when consent was the only requirement for the legitimate processing of personal data.

You will be ensured of your ability to exercise the aforementioned rights, whenever legally acceptable (e.g. when a legal or contractual obligation does not prevent you from exercising the right), by the Data Protection Officer appointed by Banco Português de Fomento, by sending a written request to one of the following address:

Headquarters (Porto):
Rua de Mota Pinto, 42F – 2º Andar – Entrada 2.11
4150-353 Porto
Phone +351 226 165 280
Fax +351 226 165 289
Email bpfomento@bpfomento.pt

Offices (Lisboa):
Edifício Arcis, Rua Ivone Silva, 6 – 14º Piso
1050-124 Lisboa
Phone +351 217 994 260
Email bpfomento@bpfomento.pt

By providing personal data to Banco Português de Fomento, you acknowledge that your data will be processed in accordance with this Privacy Policy and consent to such processing.

You will always be ensured of your right to lodge a complaint related to this Privacy Policy with the Portuguese Supervisory Authority, that is, with the Comissão Nacional de Proteção de Dados [Portuguese National Data Protection Authority], located at Rua de São Bento, n.º 148 – 3.º, 1200-821 Lisbon, or by sending an email to: geral@cnpd.pt

This Privacy Policy may need to be reviewed when, as a result of changes to the activity carried out by Banco Português de Fomento or amendments made to legislation as well as technological innovations or unforeseen circumstances, it proves to be insufficient to ensure the proper protection of the data subjects whose data we process.