PRIVACY POLICY

This Privacy Policy provides an overview of how UNICRE - Instituição Financeira de Crédito, S.A. ("UNICRE") collects and processes personal data within the scope of its card payment acceptance activity, carried out under the REDUNIQ brand. UNICRE hereby intends to communicate and make known the way in which it processes personal data and to indicate the rights of the data subject under the terms of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter GDPR or Regulation).

This Regulation lays down rules on the protection of natural persons with regard to the processing of their personal data and the free movement of such data. The data that is specifically processed and the way in which it is used will essentially depend on the products/services requested and provided and the respective processing purposes. UNICRE will endeavour to provide all relevant information under the terms of the Regulation. For specific products or services, UNICRE may provide additional information. UNICRE ensures that the processing of personal data is carried out with the strictest respect for individual rights and the legal regime in force. The processing of personal data is carried out to the extent necessary to fulfil the purposes for which it is processed and to maintain a high standard of service. To obtain additional information in this area, you can contact UNICRE through the channels mentioned in 2.

1. Who is responsible for processing personal data and how can I contact them?

UNICRE is responsible for processing the personal data of the representatives and shareholders or members of the board of directors or equivalent(1) of participating retailers and/or potential participating retailers, and the following means of processing shall be used
contact:

UNICRE - Instituição Financeira de Crédito S.A.
Customer Service
Rua General Firmino Miguel, 6-B, piso -1, 1600-300 Lisboa
Telephone: +351 213 132 900
Fax: +351 213 509 554
E-mail: REDUNIQ.comercial@unicre.pt

UNICRE - Instituição Financeira de Crédito S.A.
Data Protection Officer (DPO)
Rua General Firmino Miguel, 6-B, piso -1, 1600-300 Lisboa
Telephone: +351 213 509 500
Fax: +351 213 545 153
E-mail: dpo@unicre.p

2. What categories of personal data does UNICRE process and from what sources?

The categories of personal data processed by UNICRE are as follows, taking into account the specific purposes of each processing:

a) Identification and contact details of the data subject (e.g. name, identification document number, tax identification number, address, telephone contact, email address);
b) Voice recording data (in the context of call recordings);
c) Professional, family and biographical data (e.g. date of birth, sex, nationality, place of birth, marital status, household information, academic qualifications, occupational data);
d) Data for assessing the trader's risk profile;
e) Financial situation (information on assets, financial liabilities, income);
f) Transaction data (e.g. date, time, description and value of transactions);
g) Data to fulfil the duties of prevention of terrorism and money laundering
and the regimes of politically exposed persons.

UNICRE processes personal data collected from the following sources:

a) Provided by merchants and potential merchants as part of the process of signing up and contracting the card payment acceptance system and in interactions with the customer service, commercial delegations, online contracting channels and chat for the offer of products and services;
b) Resulting from the operations and transactions carried out by the holders of payment instruments and accepted by the merchants in the use of the contracted services;
c) Provided by the data subject or by third parties, in the context of the process of contracting products and services with service providers;
d) Obtained from sources publicly accessible by UNICRE (namely the Public List of Foreclosures, the Publicity of Insolvency Proceedings, the Commercial Registry Certificate, the Land Registry, the press and other media and the Internet);
e) obtained from public authorities and bodies, e.g. by consulting the databases of the Central Credit Register (CRC), the Agency for Administrative Modernisation and the Central Register of Beneficial Owners (RCBE); or
f) Sent to UNICRE by partners or third parties (namely information agencies and fraud detection and prevention entities) whenever this is relevant to the fulfilment of contracts or the fulfilment of legal obligations imposed on UNICRE.

3. How is your personal data processed?

As Data Controller, UNICRE guarantees that all Personal Data will be:

a) Obtained for specific, lawful and clearly defined purposes, with the Data Subject having the right to question the purposes for which UNICRE collects and maintains them, and UNICRE must clearly and precisely inform them of the purpose or purposes;
b) Compatible with the purposes for which they were collected;
c) Maintained with appropriate security measures - implemented or to be implemented - to protect against unauthorised access, or against the alteration, destruction or disclosure of any Personal Data processed by UNICRE as Controller;
d) Maintained in an accurate, complete and up-to-date manner, where necessary;
e) Collected in a limited way and kept only for the time strictly necessary, with no excessive data being collected and/or processed.

UNICRE has implemented a procedure for responding to requests from Data Subjects, in order to manage such requests efficiently and appropriately, within the time limits stipulated by law.

UNICRE has implemented the levels of security and protection of Personal Data made available, as well as technical and organisational measures for the protection of Personal Data against its dissemination, loss, misuse, alteration, unauthorised processing or access, as well as against any other form of illicit processing.

All UNICRE employees are also subject to confidentiality rules.

UNICRE enters into service contracts with subcontractors in order to guarantee that, when processing personal data on behalf of UNICRE, they undertake to at least:

a) Process Personal Data in accordance with UNICRE's documented instructions and under the terms of the Contract;
b) To apply the security measures for processing under the terms of the Contract;
c) Maintain the confidentiality of the Personal Data processed under the Contract and guarantee that the persons it has entrusted or will entrust with the processing of the Personal Data are subject to appropriate legal obligations of confidentiality or, if they are not, it undertakes to ensure that they commit themselves to confidentiality;
d) To respond promptly and adequately to all requests for information from the Data Controller relating to the Processing of Personal Data and that it will submit to the decisions of the Supervisory Authority in relation to the same Processing;
e) Implement, maintain and update appropriate technical and organisational security measures, taking into account the most advanced techniques, depending on the state of technological development, the costs of implementation and the nature, scope, context and purposes of the Processing;
f) To scrupulously follow the rules and instructions established by UNICRE, by means of a service contract or addendum thereto, with regard to data protection.

4. What are the purposes of the processing and the respective grounds for legitimisation?

UNICRE processes personal data in accordance with the provisions of the GDPR and complementary legislation for the following purposes and respective grounds:

a) For the conclusion, execution and management of contracts to which the data subject is a party or for pre-contractual procedures, at the request of the data subject:

i) Management and provision of contracted products and services, payment and collection;
ii) Providing support and information to the data subject within the scope of the contracted services, including the rental of payment terminals, contact management and complaints;
iii) Recovery of outstanding amounts;
iv) Subscription to and management of online services.

b) To pursue the legitimate interests of UNICRE or a third party:

i) Direct marketing communications and advertising;
ii) Provision of information to data subjects;
iii) Evaluation of satisfaction and quality of service (e.g. complaints management);
iv) Development of products and their segmented presentation to member traders; v) Assignment of the contractual position;
vi) Management control and monitoring of operational performance;
vii) Quality control and service improvement;
viii) Management and security of information, transactions and physical security.

c) For the fulfilment of legal obligations or in the public interest, including with regard to special category data:

(i) Assessment of the client's risk profile;
(ii) Preventing and combating fraud;
(iii) Prevention of money laundering and terrorist financing offences;
(iv) Providing information and responses to public authorities (e.g. Bank of Portugal, Competition Authorities);
(v) Security and protection of personal data;
(vi) Accounting and Financial Reporting;
(vii) Keeping documentary records and information for regulatory, accounting, tax and similar purposes;
(viii) Audit and internal control.

d) Based on the consent of the data subject:

(i) Marketing campaigns aimed at the data subject outside the scope of the service provided with the contract with the trader;
(ii) Formalisation of products and services online using voice;
(iii) Recording of telephone calls for the protection and proof of contractual or commercial transactions, of the instructions transmitted and for monitoring the quality of the service;
(iv) Consultation of the databases of the Central Credit Register (CRC) to assess the creditworthiness of third parties providing guarantees for the obligations assumed by traders and/or potential traders.

5. Who are the recipients of your data?

UNICRE may give access to the data to service providers who, in order to fulfil the processing purposes, need to have access to the personal data or process the data on behalf of UNICRE within the scope of services that UNICRE has contracted to them, such as entities and authorities to whom the personal data must be communicated by virtue of a legal obligation (namely the Bank of Portugal, the Tax Authority, Judicial Bodies, Criminal Police Bodies and Administrative Authorities).

6. Is the data passed on to a third country or an international organisation?

The transmission of the data subject's data to third countries (countries outside the European Union and the European Economic Area) only occurs if this is necessary for the execution of contractual obligations, by legal requirement or execution of orders or requests from the data subject or, furthermore, with prior and express consent for this purpose. In the event that it is necessary to use service providers from third countries, they will be obliged to comply with UNICRE's written instructions, under the terms of the GDPR, by signing an agreement with the European Union's standard contractual clauses.

7. What rights do data subjects have in relation to the processing of their personal data?

a) Right of access - data subjects have the right to know whether or not their data is being processed by UNICRE and, if so, have the right to obtain a set of information about the processing carried out.
b) Right to rectification - data subjects have the right to request the rectification of inaccurate data and the completion of incomplete data, without undue delay.
c) Right to erasure - data subjects have the right, in certain circumstances, to request the erasure of their personal data.
d) Right to restriction of processing - data subjects have the right, in certain circumstances, to ask the controller to restrict the processing of their data, without this entailing its erasure.
e) Right to object - the data subject has the right, under the terms of the GDPR, to object to certain types of data processing. By exercising this right, the data controller must stop processing the data.
f) Right to portability - the data subject has the right to request, under the terms of the GDPR, that their data be transferred to another company/entity by electronic means or that such data be delivered to them in a structured, easy-to-read file.
g) Right to lodge complaints with the supervisory authority. If you wish to lodge a complaint regarding matters related to the processing of your personal data, you may do so with the National Data Protection Commission, the competent supervisory authority in Portugal.

Any request regarding the exercise of these rights may be submitted to UNICRE through the contacts referred to in point 2.

It should also be noted that the data subject may, at any time..:

 Ask UNICRE for a copy of the consents you have given;
 To revoke the consent given for the processing of your personal data, whenever the respective processing is based solely on such consent;
 Exercise any of your rights by letter, fax, telephone or e-mail to the contact details listed above.

8. Does the data subject have an obligation to provide personal data?

The data subject must provide the personal data necessary for UNICRE to establish and maintain a business relationship and fulfil the necessary contractual obligations, or whenever the law requires UNICRE to collect such data. More specifically, the obligations regarding the prevention and repression of money laundering oblige UNICRE to carry out a series of checks before agreeing to enter into a contract with a data subject.
adhering trader and/or potential adhering trader. To enable UNICRE to fulfil this obligation, the data subject must provide the necessary information and documents in accordance with money laundering legislation, both before contracting and after any
relevant change. In the event that the data is not provided by the respective holder, UNICRE will not be required to conclude the contract or to maintain it or to execute the order given, and may ultimately lead to the cancellation of the contract by UNICRE.

9. How is personal data protected?

UNICRE makes its best efforts to protect your personal data against destruction, loss, accidental or unlawful alteration, unauthorised disclosure or access. To this end, UNICRE has adopted the appropriate technical and organisational measures, such as security systems, access control and other procedures aimed at such protection.

10. How long is personal data kept for?

UNICRE processes and stores your personal data for as long as necessary to fulfil contractual and legal obligations. The commercial relationship between UNICRE and the data subjects is of continuous execution.

As soon as the data becomes unnecessary to fulfil contractual or legal obligations, it will be erased or deleted periodically, unless additional temporary processing is required for the following purposes:

 Fulfillment of a duty to preserve data imposed by legal provisions, namely commercial and tax law, banking law, the Money Laundering Act and the Securities Code.
 The right to keep evidence in accordance with the applicable legal limitation periods, which can be up to 20 years.

11. Changes to the Privacy Policy

UNICRE may change its privacy policy at any time. Changes will be duly published on REDUNIQ.pt and may be sent on another medium if requested.