“Approved on 24 May 2018”
LUSÁGUA Serviços Ambientais, a company established in 1987, is currently active in the public and private sectors in the environmental services areas. This is principally the management, operation and maintenance of supply systems and sanitation systems, collection and transport of solid waste, urban cleaning, consultancy and provision of services in the sectors of environmental industries, drinking water and wastewater analyses, composting and recovery of sludge and biosolids for agricultural purposes, as well as the exercise of public works and private works contractor activities, in accordance with the authorisations obtained.
LUSÁGUA collects and processes personal data of various subjects in order to carry out its activity, namely customers, employees, suppliers, among others. The aim of this Policy is to describe the guidelines of LUSÁGUA to guarantee the protection of the personal data of all those interacting with our company. This document establishes the guidelines for acting with integrity and in compliance with the regulatory requirements in the context of data protection. It must be complied with by all LUSÁGUA employees. If you want any additional clarification on the contents of this Policy, you may use the channels defined for this purpose, as follows:
a. Contacts for asserting data subjects’ rights:
- E-mail: email@example.com
- Address: Av. Marechal Gomes da Costa, nº33-1º-A – 1800-255 Lisboa
- Telephone: 21 792 86 70
b. Contacts of the Data Protection Officer (DPO):
- E-mail: firstname.lastname@example.org
- Address: Av. Marechal Gomes da Costa, nº33-1º-A – 1800-255 Lisboa
- Telephone: 21 792 86 70
2. Scope and Amendments
The current version of this policy is available at: https://www.lusagua.pt
3. Application of National Laws
The GDPR’s main objective is to ensure respect for the fundamental right that each person has in deciding on the use of his or her personal data. The GDPR covers all companies operating in the European Union and it is expected that the national law of each country will take precedence over it in the event of conflict or in situations where the requirements set out in national law are more stringent. LUSÁGUA is responsible for ensuring compliance with this policy and with applicable laws. In the event any conflict is detected between the content of this policy and any law or directive, LUSÁGUA’s DPO must be immediately informed.
The Regulation can be viewed here
4. Principles Applicable to the Data Processing
The processing of personal data in LUSÁGUA is governed by the following principles:
a. Lawful, fair and transparent
- Personal data are obtained and processed in a lawful and transparent manner, informing the subject of the data collected, the purposes for which the data are processed, the recipients to whom they are to be communicated and their storage period.
b. Defined, explicit and legitimate purposes
- Personal data are collected for specific, explicit and legitimate purposes and cannot be processed in a manner incompatible with those purposes.
c. Data integrity and confidentiality
- The security of personal data is ensured through the adoption of measures that ensure protection against unauthorised or unlawful processing of the data as well as their accidental loss, destruction or damage.
d. Data accuracy and update
- The accuracy and updating of the data is ensured through the provision of specific channels that allow the data subject to communicate any updates as well as data quality review and analysis measures, ensuring that inaccurate data are immediately erased or rectified.
e. Data minimisation
- Data collection operations are subject to prior analysis ensuring that only relevant and strictly necessary personal data are collected taking into account the purpose of their processing. Accordingly, many of the information collection operations are based on forms with limited fields, ensuring that the data subject does not communicate more personal data than is appropriate for the situation in question.
f. Storage of data only for the period necessary for the purposes for which they are intended
- Personal data are stored for a predefined period of time, called the retention period. This is defined taking into account the period required for the purpose for which they are processed. The personal data are deleted or anonymised when the retention period ends and it is no longer possible to relate the data to its subject.
g. Data accountability
- LUSÁGUA shall be responsible for the collection and processing of the personal data of the subjects, even if the processing is performed by processors.
5. Governance Structure for Privacy
LUSÁGUA has defined a privacy governance structure in order to ensure adequate coordination of the teams and management of topics related to data protection in the organisation. This structure is based on the appointment of a Data Protection Officer – DPO.
The DPO is engaged in all matters related to the protection of personal data, in an adequate and timely manner. The DPO has access to the resources necessary to carry out its duties, to ensure the correct performance of the role. The DPO reports directly to LUSÁGUA’s Management.
The DPO’s contacts are indicated in section 1 of this Policy.
6. Data Subject's Rights
LUSÁGUA, in compliance with regulatory requirements, ensures that data subjects enjoy a set of rights relating to how their data is collected, processed and protected. Before responding to any requests, LUSÁGUA concerns itself with ensuring data security by requesting the authentication of the data subject. Accordingly, proof of identity may be requested from the subject, whenever necessary. In the event it is impossible to identify the data subject, LUSÁGUA reserves the right not to respond to requests to assert these rights, communicating this fact to the data subject. When the data subject is a minor, his/her rights may be asserted by those holding parental responsibilities, except in the case of those exceptions provided for in the regulatory requirements.
LUSÁGUA ensures a response period of less than one month, except in exceptional cases due to the complexity of the request or the number of requests submitted, in which case a period extensible up to 2 months is defined. If the time period is extended, LUSÁGUA will inform the data subject of the reasons for the delay in responding to the request, within a maximum of one month from the date of receipt of the request. LUSÁGUA will seek to respond to all requests. All will be analysed to verify whether they may be satisfied in compliance with regulatory requirements. Whenever there is legislation that prevents the data subject from asserting certain rights, LUSÁGUA reserves the right not to respond to the request, informing the data subject, within a maximum period of one month from the date of receipt of the request, of the reasons why his or her request will not be answered. The data subjects may file a complaint with a supervisory authority and bring legal action. LUSÁGUA reserves the same right when the submitted requests are manifestly unfounded or excessive, and it may demand payment of a fee equivalent to the administrative costs incurred to respond to the requests.
The rights of the data subjects are listed below, highlighting their specific nature and the means made available by LUSÁGUA so that the subjects may assert these rights. The channels for asserting and exercising each of the rights are defined in point 1 of this Policy.
a. Right to transparent communication
LUSÁGUA informs the data subject, in a clear and transparent way, about the processing of his or her personal data, providing him or her with the following information when collecting personal data:
- The purposes of the processing for which the personal data are intended;
- The grounds for the processing (legitimate interests of LUSÁGUA, legal or contractual obligation) if there is no explicit consent provided by the subject, as well as the possible consequences of not providing those data;
- The categories of the recipients of the personal data, if applicable;
- Whether the personal data are transferred to a third country or an international organisation;
- The storage period of personal data or, if it is not possible, the criteria used to define that period;
- The existence of automated decision-making, if applicable;
- Their rights as the data subject (set out in point 6), which include the right to complain to a supervisory authority;
- The contact details of LUSÁGUA.
If the data were not collected from the data subject, and the referred subject has no information about that collection, LUSÁGUA ensures it will take measures to notify the data subject of the above mentioned points within a maximum period of one month after obtaining the personal data. LUSÁGUA will also add the following information in that notification:
- The source of the personal data;
- The category of the data that has been collected.
LUSÁGUA undertakes to communicate to the data subject whenever it intends to use his or her data for purposes other than those previously communicated.
b. Right of access
LUSÁGUA ensures the existence of the means to enable the data subject to access the personal data the entity holds on him or her. LUSÁGUA will send a copy of the personal data undergoing processing, in electronic form, if the data subject requests this. LUSÁGUA reserves the right to demand the payment of a fee equivalent to the administrative costs incurred to satisfy a request in the event of excessive or unfounded requests. LUSÁGUA will not proceed with the request for access, in accordance with regulatory requirements, if the information requested by the data subject impairs or jeopardises the rights and freedoms of third parties.
c. Right to rectification
LUSÁGUA ensures the existence of means to enable data subjects to correct their personal data, if incorrect, or to complete them if they are incomplete.
d. Right to be forgotten
LUSÁGUA ensures the existence of means that allow the data subject to request that his or her personal data are “forgotten”. The requests received will be analysed and, if considered valid in the light of regulatory requirements, LUSÁGUA undertakes to “forget” the data within a maximum period of one month. If the requests made are not considered valid, LUSÁGUA will not process them and will inform the data subject of the reasons for that decision.
e. Right to objection/opposition
LUSÁGUA ensures the existence of means that enable the data subject to oppose specific processing of personal data for certain purposes, without prejudice to directives or laws in force. If the requests made are not considered valid, LUSÁGUA will not process them and will inform the data subject of the reasons for that decision.
f. Limitation of processing
LUSÁGUA ensures the existence of means that allow the data subject to request the limitation of the processing of his or her personal data. The data subject can request the limitation of the processing of his or her data for an indefinite time period, when he or she wishes to suspend the processing but keep the data. This situation may occur when:
- The data subject contests the accuracy of the data. In this case, the processing is limited for a period of time that allows LUSÁGUA to verify the accuracy of the data, or
- The data subject is awaiting the response to a request to oppose the processing.
When processing is limited, personal data will only be processed again if the data subject gives consent, except for specific processing operations established in law. LUSÁGUA guarantees that the data subject who requested the limitation of his or her data is informed before the limitation to said processing is cancelled. LUSÁGUA reserves the right to limit the processing of the data of the subjects when it does not need them, committing itself to store the data for the pre-established retention period.
g. Consent and withdrawal of consent
LUSÁGUA seeks to obtain the consent of the data subject to collect and process his or her data for various purposes, except in situations where the processing falls within the scope of a service provision or performance of a contract or where there are legal requirements that do not oblige such consent to be obtained. One such situation arises where LUSÁGUA has a legitimate interest, when this processing is necessary for LUSÁGUA to perform its business activity and the processing does not jeopardise the interests of the data subjects or their fundamental rights and freedoms. These situations include, among others, the collection of the:
- Tax identification number for the issue of invoices;
- IBAN for bank transfers.
LUSÁGUA guarantees to the data subject the right to withdraw consent at any time, without jeopardising the lawfulness of the processing already carried out based on previously provided consent. LUSÁGUA informs the data subject of this fact before consent is given. Consent should be as easy to withdraw as it is to give. In situations where the processed personal data are those of a minor, consent is requested from those holding parental responsibility over the child.
h. Right to portability
LUSÁGUA ensures the existence of means that enable the data subject to request a copy of his or her data and that these are sent to another entity. These data are transferred in a digital and structured format. The right to portability covers only the data for which the subject gave his or her consent to be processed, data relating to a contract the subject is party to or if the processing is performed by automated means. LUSÁGUA reserves the right to refuse requests for portability whenever they impair the rights and freedoms of third parties, or conflict with any legal requirement.
i. Automated decision-making
LUSÁGUA ensures the means that enable the data subject to request the right not to be subject to any decision based solely on the automated processing of his or her data (including profiling) which produces legal effects concerning him or her or similarly significantly affects him or her. These requests are assessed to verify their compliance with regulatory requirements. LUSÁGUA currently has no automatic decision-making processes. However, it undertakes to respect the above-stated paragraph, by informing and collecting the explicit consent of data subjects if it intends to undertake this type of processing.