A presente Política de Privacidade fornece uma visão geral sobre o modo de recolha e tratamento de dados pessoais, pela UNICRE – Instituição Financeira de Crédito, S.A. (“UNICRE”), no âmbito das atividades de aceitação de pagamentos com cartão e de factoring.
Por esta via pretende a UNICRE comunicar e dar a conhecer a forma como procede ao tratamento de dados pessoais e indicar os direitos que assistem ao titular dos dados nos termos do Regulamento (EU) 2016/679 do Parlamento Europeu e do Conselho, de 27 de Abril de 2016 (doravante RGPD ou Regulamento).
O referido Regulamento estabelece as regras relativas à proteção das pessoas singulares no que respeita ao tratamento dos seus dados pessoais e à livre circulação desses dados. Os dados que concretamente são tratados e a forma como são utilizados dependerão essencialmente de quais os produtos/serviços solicitados e prestados e das respetivas finalidades de tratamento.
A UNICRE cuidará de fornecer toda a informação relevante nos termos que resultam do Regulamento.
Para produtos ou serviços específicos, poderá a UNICRE fornecer informação adicional.
A UNICRE assegura que o tratamento de dados pessoais é realizado no mais rigoroso respeito pelos direitos individuais e pelo regime legal vigente. O tratamento de dados pessoais é realizado na medida necessária à prossecução das finalidades do seu tratamento e à manutenção de um padrão elevado de serviço.
Para obtenção de informação adicional neste âmbito, poderá contactar a UNICRE através dos canais referidos em 1.
1. Who is responsible for processing personal data and how can I contact them?
A UNICRE é responsável pelo tratamento de dados pessoais dos representantes e dos titulares de participações no capital ou dos titulares do órgão de administração ou equivalente(1) dos comerciantes aderentes e/ou potenciais comerciantes aderentes, devendo ser utilizados os seguintes meios de contacto:
Unicre – Instituição Financeira de Crédito S.A.
Customer Service
Rua General Firmino Miguel, 6-B, piso -1, 1600-300 Lisboa
Telephone: +351 213 132 900
Fax: +351 213 509 554
E-mail: reduniq.comercial@unicre.pt
Unicre – Instituição Financeira de Crédito S.A.
Data Protection Officer (DPO)
Rua General Firmino Miguel, 6-B, piso -1, 1600-300 Lisboa
Telephone: +351 213 509 500
Fax: +351 213 545 153
E-mail: dpo@unicre.pt
_________
(1) Inclui beneficiários efetivos do cliente e pessoas politicamente expostas, conforme definido no âmbito da Lei n.º 83/2017.
2. What categories of personal data does UNICRE process and from what sources?
The categories of personal data processed by UNICRE are as follows, taking into account the specific purposes of each processing:
a) Identification and contact details of the data subject (e.g. name, identification document number, tax identification number, address, telephone contact, email address);
b) Voice recording data (in the context of call recordings);
c) Professional, family and biographical data (e.g. date of birth, gender, nationality, place of birth, marital status, household information, academic qualifications, occupational data);
d) Data for assessing the trader's risk profile;
e) Financial situation (information on assets, financial liabilities, income);
f) Transaction data (e.g. date, time, description and value of transactions);
g) Dados para cumprimento dos deveres de prevenção de terrorismo e branqueamento de capitais e dos regimes de pessoas politicamente expostas.
UNICRE processes personal data collected from the following sources:
a) Provided by merchants and potential merchants as part of the process of signing up and contracting the card payment acceptance system and in interactions with the customer service, commercial delegations, online contracting channels and chat for the offer of products and services;
b) Resulting from the operations and transactions carried out by the holders of payment instruments and accepted by the merchants in the use of the contracted services;
c) Provided by the data subject or by third parties, in the context of the process of contracting products and services with service providers;
d) Obtained from sources publicly accessible by UNICRE (namely the Public List of Foreclosures, the Publicity of Insolvency Proceedings, the Commercial Registry Certificate, the Land Registry, the press and other media and the Internet);
e) obtained from public authorities and bodies, e.g. by consulting the databases of the Central Credit Register (CRC), the Agency for Administrative Modernisation and the Central Register of Beneficial Owners (RCBE); or
f) Sent to UNICRE by partners or third parties (namely information agencies and fraud detection and prevention entities) whenever this is relevant to the fulfilment of contracts or the fulfilment of legal obligations imposed on UNICRE.
3. How is your personal data processed?
As Data Controller, UNICRE guarantees that all Personal Data will be:
a) Obtained for specific, lawful and clearly defined purposes, with the Data Subject having the right to question the purposes for which UNICRE collects and maintains them, and UNICRE must clearly and precisely inform them of the purpose or purposes;
b) Compatible with the purposes for which they were collected;
c) Mantidos com medidas de segurança apropriadas – implementadas ou a implementar – para proteger contra o acesso não autorizado, ou contra a alteração, destruição ou divulgação de quaisquer Dados Pessoais tratados pela UNICRE enquanto Responsável pelo Tratamento;
d) Maintained in an accurate, complete and up-to-date manner, where necessary;
e) Collected in a limited way and kept only for the time strictly necessary, with no excessive data being collected and/or processed.
UNICRE has implemented a procedure for responding to requests from Data Subjects, in order to manage such requests efficiently and appropriately, within the time limits stipulated by law.
UNICRE has implemented the levels of security and protection of Personal Data made available, as well as technical and organisational measures for the protection of Personal Data against its dissemination, loss, misuse, alteration, unauthorised processing or access, as well as against any other form of illicit processing.
All UNICRE employees are also subject to confidentiality rules.
UNICRE enters into service contracts with subcontractors in order to guarantee that, when processing personal data on behalf of UNICRE, they undertake to at least:
a) Process Personal Data in accordance with UNICRE's documented instructions and under the terms of the Contract;
b) To apply the security measures for processing under the terms of the Contract;
c) Maintain the confidentiality of the Personal Data processed under the Contract and guarantee that the persons it has entrusted or will entrust with the processing of the Personal Data are subject to appropriate legal obligations of confidentiality or, if they are not, it undertakes to ensure that they commit themselves to confidentiality;
d) To respond promptly and adequately to all requests for information from the Data Controller relating to the Processing of Personal Data and that it will submit to the decisions of the Supervisory Authority in relation to the same Processing;
e) Implement, maintain and update appropriate technical and organisational security measures, taking into account the most advanced techniques, depending on the state of technological development, the costs of implementation and the nature, scope, context and purposes of the Processing;
f) To scrupulously follow the rules and instructions established by UNICRE, by means of a service contract or addendum thereto, with regard to data protection.
4. What are the purposes of the processing and the respective grounds for legitimisation?
UNICRE processes personal data in accordance with the provisions of the GDPR and complementary legislation for the following purposes and respective grounds:
a) For the conclusion, execution and management of contracts to which the data subject is a party or for pre-contractual procedures, at the request of the data subject:
i) Management and provision of contracted products and services, payment and collection;
ii) Providing support and information to the data subject within the scope of the contracted services, including the rental of payment terminals, contact management and complaints;
iii) Recovery of outstanding amounts;
iv) Adesão e gestão de serviços online;
v) Mediação de seguros.
b) To pursue the legitimate interests of UNICRE or a third party:
i) Direct marketing communications and advertising;
ii) Provision of information to data subjects;
iii) Evaluation of satisfaction and quality of service (e.g. complaints management);
iv) Development of products and their segmented presentation to participating traders;
v) Assignment of the contractual position;
vi) Management control and monitoring of operational performance;
vii) Quality control and service improvement;
viii) Management and security of information, transactions and physical security.
c) For the fulfilment of legal obligations or in the public interest, including with regard to special category data:
(i) Assessment of the client's risk profile;
(ii) Preventing and combating fraud;
(iii) Prevention of money laundering and terrorist financing offences;
(iv) Providing information and responses to public authorities (e.g. Bank of Portugal, Competition Authorities);
(v) Reporte à Central de Responsabilidades de Crédito (CRC);
(vi) Segurança e proteção de dados pessoais;
(vii) Contabilidade e Reporte Financeiro;
(viii) Conservação de registo documental e de informação para efeitos regulatórios, contabilísticos, fiscais e análogos;
(ix) Auditoria e controlo interno.
d) Based on the consent of the data subject:
(i) Marketing campaigns aimed at the data subject outside the scope of the service provided with the contract with the trader;
(ii) Formalisation of products and services online using voice;
(iii) Recording of telephone calls for the protection and proof of contractual or commercial transactions, of the instructions transmitted and for monitoring the quality of the service;
(iv) Consultation of the databases of the Central Credit Register (CRC) to assess the creditworthiness of third parties providing guarantees for the obligations assumed by traders and/or potential traders.
5. Who are the recipients of your data?
UNICRE may give access to the data to service providers who, in order to fulfil the processing purposes, need to have access to the personal data or process the data on behalf of UNICRE within the scope of services that UNICRE has contracted to them, such as entities and authorities to whom the personal data must be communicated by virtue of a legal obligation (namely the Bank of Portugal, the Tax Authority, Judicial Bodies, Criminal Police Bodies and Administrative Authorities).
6. Is the data passed on to a third country or an international organisation?
The transmission of the data subject's data to third countries (countries outside the European Union and the European Economic Area) only occurs if this is necessary for the execution of contractual obligations, by legal requirement or execution of orders or requests from the data subject or, also, with prior and express consent for this purpose. In the event that it is necessary to use service providers from third countries, they will be obliged to comply with UNICRE's written instructions, under the terms of the GDPR, by signing an agreement with the European Union's standard contractual clauses.
7. What rights do data subjects have in relation to the processing of their personal data?
a) Right of access - data subjects have the right to know whether or not their data is being processed by UNICRE and, if so, have the right to obtain a set of information about the processing carried out.
b) Right to rectification - data subjects have the right to request the rectification of inaccurate data and the completion of incomplete data, without undue delay.
c) Right to erasure - data subjects have the right, in certain circumstances, to request the erasure of their personal data.
d) Right to restriction of processing - data subjects have the right, in certain circumstances, to ask the controller to restrict the processing of their data, without this entailing its erasure.
e) Right to object - the data subject has the right, under the terms of the GDPR, to object to certain types of data processing. By exercising this right, the data controller must stop processing the data.
f) Right to portability - the data subject has the right to request, under the terms of the GDPR, that their data be transferred to another company/entity by electronic means or that such data be delivered to them in a structured, easy-to-read file.
g) Right to lodge complaints with the supervisory authority. If you wish to lodge a complaint regarding matters related to the processing of your personal data, you may do so with the National Data Protection Commission, the competent supervisory authority in Portugal.
Qualquer solicitação no âmbito do exercício destes direitos pode ser apresentada à UNICRE através dos contactos referidos no ponto 1.
It should also be noted that the data subject may, at any time..:
- Ask UNICRE for a copy of the consents you have given;
- Revoke the consent given for the processing of your personal data, whenever the respective processing is based solely on that consent;
- Exercise any of your rights by letter, fax, telephone contact or e-mail to the contacts listed above.
8. Does the data subject have an obligation to provide personal data?
O titular dos dados deve fornecer os dados pessoais necessários para que a UNICRE possa estabelecer e manter um relacionamento comercial e cumprir as obrigações contratuais necessárias, ou sempre que a lei exija que a UNICRE faça a recolha de tais dados.
Mais especificamente, as obrigações ao nível da prevenção e repressão do branqueamento de capitais obrigam a UNICRE a fazer um conjunto de verificações antes de aceitar celebrar um contrato com um comerciante aderente e/ou potencial comerciante aderente. Para permitir que a UNICRE cumpra esta obrigação, o titular dos dados deve fornecer as informações e documentos necessários de acordo com a legislação em matéria de branqueamento de capitais, tanto antes da contratação como após qualquer alteração relevante. No caso de os dados não serem fornecidos pelo respetivo titular, não será exigível que a UNICRE venha a celebrar o contrato ou que o mantenha ou que execute a ordem dada, podendo no limite motivar a resolução contratual por parte da UNICRE.
9. How is personal data protected?
UNICRE makes its best efforts to protect your personal data against destruction, loss, accidental or unlawful alteration, unauthorised disclosure or access. To this end, UNICRE has adopted the appropriate technical and organisational measures, such as security systems, access control and other procedures aimed at such protection.
10. How long is personal data kept for?
UNICRE processes and stores your personal data for as long as necessary to fulfil contractual and legal obligations. The commercial relationship between UNICRE and the data subjects is of continuous execution.
As soon as the data becomes unnecessary to fulfil contractual or legal obligations, it will be erased or deleted periodically, unless additional temporary processing is required for the following purposes:
- Fulfillment of a duty to preserve data, imposed by legal provisions, particularly in terms of commercial and tax law, banking law, the Money Laundering Act and the Securities Code.
- The right to keep evidence according to the applicable legal limitation periods, which can be up to 20 years.
11. Changes to the Privacy Policy
A UNICRE pode alterar a política de privacidade a qualquer momento. As alterações serão devidamente publicadas designadamente em reduniq.pt e poderão ser enviadas noutro suporte se solicitado.