To enable the reading of the present document, the main definitions used therein are hereby identified:
Personal Data: any information related to an identified or identifiable natural person (data subject). A natural person is deemed identifiable if it can be identified, directly or indirectly, particularly in reference to an identifier, such as a name, an ID number, location data, electronic identifiers, or one or more specific elements of physical, physiological, genetic, mental, economic, cultural or social identity of said natural person;
Processing: means an operation or a set of operations conducted on personal data or on sets of personal data by automatic or non-automatic means, such as collection, recording, organisation, structuring, storage, adaptation or modification, recovery, consultation, use, disclosure or transmission, dissemination or any other form of provision, comparison or interconnection, limitation, erasing or destruction;
Person responsible for Personal Data Processing: natural or legal person that determines the ends and means used in the processing of personal data.
Subcontractor: a natural or legal person that processes personal data on behalf of Caixa Capital, SCR, S.A., in a service provision context, formalised in a Contract.
Supervisory authority: an independent public authority that, in the case of Portugal, is the National Data Protection Commission (CNPD), which is responsible for monitoring the accurate enforcement of legislation on personal data protection.
Cookies: computer files that contain a sequence of numbers and letters that allow for the unique identification of a person's internet access device, but that can also contain other information. The cookies are downloaded through the browser into the device used for internet access (computer, cell phone, tablet, etc.) when certain websites are accessed;
C. ENTITY RESPONSIBLE FOR DATA PROCESSING
The entity responsible for data processing is Caixa Capital, SCR, S.A. with headquarters at Av. João XXI, 63, 1000-300 in Lisbon, Portugal.
D. PERSONAL DATA COLLECTION AND PROCESSING
Personal data of customers or potential customers or other individuals with a commercial relation with Caixa Capital can be collected directly or indirectly by Caixa Capital, SCR, S.A. from other sources or may stem from accesses, consultation, instructions, transactions and other records concerning the contracts that have been concluded between Caixa Capital, SCR, S.A. and its customers, partners or other individuals with public or private entities as part of the fulfilment of legal or regulatory obligations that apply to Caixa Capital, SCR, S.A., for the purpose of data confirmation or collection of the necessary elements of that contract relationship, whenever these are allowed for under applicable law.
Personal data of customers or potential customers or individuals that have a commercial relation with Caixa Capital, SCR, S.A., are only processed for predetermined purposes, which are explicit and legitimate.
E. PURPOSE OF DATA PROCESSING
Caixa Capital, SCR, S.A. processes the previously identified personal data according to the terms of GDPR and the remaining legal provisions that apply within this scope, and in accordance with the following purposes:
1. Management and execution of the contract or other proceedings requested by the data subject (Art. 6 no.1 b) of GDPR)
The processing of personal data is conducted with the aim of upholding the relation of Caixa Capital, SCR, S.A. with its customer, partner or data subject, and in order to allow for the execution of Venture Capital and Private Equity operations and for the provision of related services, as well as complementary services, namely to allow for the execution of contracts signed by the company and the data subject.
2. Per legal imperative or in benefit of public interest (Art. 6 no.1 c) and e) of GDPR
As a private equity and venture capital company society, Caixa Capital, SCR, S.A. is under several legal obligations, namely legislation that focuses on the private equity and venture capital activity, as well as that focusing on the fight against money laundering and financing of terrorism and tax law. Its activity is supervised by the Portuguese Securities Market Commission (CMVM).
3. As part of a legitimate interest (Art. 6 (1) (f) of GDPR)
Whenever necessary, we process your data in order to protect both the legitimate interests of the Company and those of third parties, namely the consultation and exchange of data with credit information systems to determine solvency or default risks, provisions regarding security of Caixa Capital, SCR, S.A., of its IT network, of its facilities and IT systems such as access control, security and transaction proof.
4. Based on your consent (Art. 6 (1) (a) GDPR
Whenever your consent for the processing of personal data for specific purposes has been given (for instance, the disclosure of data outside of the scope of the cases provided for in this Policy or in specific documentation of the Bank, assessment of data on payments), we will conduct such data processing that you have been notified of and on which you have given your consent. The consent can be repealed at any time, with such repeal being only applicable to situations taking place in the future and thus, not having any retroactive effects. This is also applicable to the repeal of any informed consents that have been given to us prior to May 25th, 2018.
F. COMMUNICATION OF DATA TO OTHER ENTITIES
The provision of services by Caixa Capital, SCR, S.A. to its customers, partners and other data subjects may imply that the Company shall turn to third parties (subcontractors, as per GDPR), including entities based outside of the European Union, for the provision of certain services, and this may potentially mean access by these parties to personal data of the Customers. The Company ensures that under such circumstances, it adopts all technical and organisational measures deemed appropriate in order to make sure that such subcontractors that have access to data are reputed and offer the highest guarantees at this level, which will be duly established and covered under the contract that is to be signed between Caixa Capital, SCR, S.A. and each of these third parties.
G. TIMEFRAME FOR DATA RETENTION
Caixa Capital, SCR, S.A. keeps a digital record of the customer's data, intended for accounting treatment, question clarification or for the compliance with legal, regulatory and fiscal obligations.
The period of time during which data is stored and retained varies according to the end for which such information is processed. Whenever there is no specific legal requirement, data is stored and retained only for the minimum time period necessary to complete the purpose that justified its collection in the first place or its later processing, or for the timeframe that is permitted by the National Data Protection Commission, after which the data will be deleted.
H. SECURITY MEASURES
Caixa Capital, SCR, S.A. ensures adequate levels of security and protection of personal data. To this end, several technical and organisational security measures have been adopted in order to protect personal data against dissemination, loss, undue use, modification, processing or unauthorised access, as well as against any other form of undue processing. Notwithstanding the security measures adopted by Caixa Capital, SCR, S.A., the data subject should hold any codes of access secret and not share them with third parties.
If Caixa Capital, SCR, S.A. subcontracts services to third parties that may have access to personal data, without prejudice to the aspects mentioned above, its subcontractors will be under obligation to adopt security protocols at the organisation level and the necessary technical measures to the protection of confidentiality and security of personal data, as well as to prevent unauthorised accesses, losses or destruction of personal data.
I. COOKIES POLICY
J. RIGHTS OF DATA SUBJECTS
Data subjects are entitled to access, update, rectify or erase, in this case whenever this is legally permitted, any personal information that may concern them, and are also entitled to oppose the processing of their information, as well as data portability.
Customers or potential customers or other individuals that have a commercial relation with Caixa Capital may oppose, at any time, the use of their data for marketing purposes, for the sending of information or the inclusion in information lists or services.
K. Exercise of Rights by DATA SUBJECTS
Caixa Capital, SCR, S.A.
A/C Data Protection Officer
Av. João XXI, 63