PRIVACY POLICY
Introduction
The Privacy Policy has been developed to support Rascunho Diligente Lda, a company with fiscal number 515441295, headquartered at Rua Dr. José Carlos Pereira de Carvalho No. 237, R/C 3220-203 Miranda do Corvo - hereinafter CRU Ecoliving, in adapting its activities to the General Data Protection Regulation, approved by Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 ("GDPR").
This policy is complemented by others related to security, which are relevant to the company's business, together describing CRU Ecoliving's approach to information security and privacy.
This policy applies to all Professionals and Partners of CRU Ecoliving and, when identified, to third parties who access the company's assets.
The terms 'Privacy,' 'Data Privacy,' and 'Data Protection' can be used interchangeably as they are associated with a complex set of legal requirements that apply to Personal Data, which goes beyond data security and confidentiality. For example, it includes requirements on the transparency of data use and its retention.
Compliance with this policy is mandatory, and therefore, all Professionals and Partners have an individual responsibility to ensure compliance with it and, if necessary, seek clarification from the leaders of their respective teams.
It is the responsibility of CRU Ecoliving to define the appropriate mechanisms to achieve compliance with this policy, with operational implementation being the responsibility of the teams, supported by the Privacy Officer.
Compliance with this policy can be monitored through inspections, audits, and/or written confirmation requests of compliance, with all areas being responsible for regularly assessing their compliance within their area of responsibility.
Any employee who has violated this policy is subject to disciplinary action.
This policy is based on the principles established in the GDPR. However, there are national differences in the applicability of data protection and privacy for CRU Ecoliving when processing personal data outside the EU, receiving personal data from outside the EU, or processing personal data of non-EU citizens.
In case of doubt, contact CRU Ecoliving through the provided contacts.
Data Protection Principles
In the scope of our activity, we process Personal Data, whether received during our business opportunities, our commitments to customers, marketing activities, or a series of other related and supporting activities. Data can be received directly from a Data Subject (for example, in person, via mail, email, telephone, or other sources), namely from our customers, partners, subcontractors, joint controllers for Processing, support service providers, and credit reference agencies.
All professionals and partners must only request personal data from a Data Subject that is relevant and necessary to fulfill a specific purpose and business task.
CRU Ecoliving is committed to complying with the principles of personal data protection defined by the GDPR, namely:
1. Lawfulness, fairness, and transparency: means that we must have a legitimate reason for processing Personal Data, for example, the Data Subject's consent, compliance with a legal obligation to which we are subject. It also means that we must inform the Data Subject clearly about the processing;
2. Purpose limitation: we must only request Personal Data for specific, explicit, and legitimate purposes and not process them beyond the purpose for which they were requested;
3. Data minimization: the Personal Data subject to processing must be adequate, relevant, and limited to what is necessary;
4. Accuracy: we have an obligation to ensure that Personal Data is accurate and update it whenever necessary;
5. Storage limitation: we must not retain Personal Data for longer than necessary for the purposes for which they are processed, although we may retain some for historical and statistical purposes;
6. Integrity and confidentiality: we must have adequate security controls in place to protect data against unauthorized and unlawful processing, loss, destruction, or damage, including technical and organizational measures, such as defined processes, training, and awareness;
7. Legal transfer outside the European Economic Area: we only transfer Personal Data outside the EEA when there are adequate safeguards, such as a contractual basis;
8. Data Subject's rights: Data Subjects have various rights that we must respect (for example, the right to access a copy of the data we store and the right to withdraw consent given for direct marketing purposes).
Lawfulness and fairness in processing
Whenever Personal Data is collected, it is necessary to have a legal basis for the inherent processing. According to the GDPR, we must identify at least one of the following reasons for processing Personal Data:
1. Consent: The Data Subject has given consent for them to be processed for one or more specific purposes;
2. Contractual: Processing is necessary for the performance of a contract to which the Data Subject is a party or for pre-contractual measures;
3. Legal: Processing is necessary to comply with a legal obligation to which the data controller is subject;
4. Vital interests: Processing is necessary to protect the vital interests of the Data Subject;
5. Public interest: Processing is necessary for the performance of a task carried out in the public interest;
6. Legitimate interests: Processing is necessary for the legitimate interests pursued by the data controller, except when overridden by the interests or fundamental rights and freedoms of the Data Subject.
When acting as the data controller, we must ensure that we have a legitimate basis for collecting and processing Personal Data.
In some situations, we may act as a Processor on behalf of our client, in which case it is the client's responsibility to ensure that they have a legitimate reason for processing Personal Data, which they should share with us. However, we must take steps to ensure that our contract is clear about our responsibilities in this regard and that if we collect Personal Data directly from Data Subjects on behalf of the client, we have the basis to do so legitimately.
When a Special Category of Data is processed, there is an additional set of conditions that must be met. Please contact CRU Ecoliving for further guidance.
The GDPR requires that Data Subjects be provided with information about the processing to ensure fair and transparent treatment. Whenever we collect Personal Data, we must ensure that we explain appropriately why we need the information and how we will treat it. When information is gathered through our website, this information is provided through a 'Privacy Notice.'
Any other information to be provided when collecting personal data must also be provided on the internet. Refer to our Privacy Policy and Cookie Policy for more information.
Processing only for specific purposes
Whenever we collect and process Personal Data, we must ensure that we only use it for specific purposes that have been communicated to the respective Data Subject.
CRU Ecoliving should never process Personal Data for additional purposes that have not been communicated to the Data Subject. Only then will we be clear about the purpose of the processing. We must also understand the purposes for which our customers may have collected Personal Data, or contact the Privacy Officer.
Appropriate, relevant, and limited processing
When we collect and process Personal Data, we must follow the principle of data minimization. This means that we must only collect the minimum Personal Data necessary to perform a specific task.
Additionally, we must ensure that we have an adequate amount of personal data to perform a specific task appropriately. For example, collecting only the necessary data to identify a person.
This also applies to any sharing and other processing activities. It is essential to minimize the data kept and processed; if we share data internally or externally or use it in activities such as testing, we must use or share only the minimum amount in each case.
Accuracy of Personal Data
We have an obligation to ensure that Personal Data is kept accurate and up-to-date. We must ensure that adequate processes are in place to keep the data accurate whenever necessary (for example, for current and potential professionals or customers maintained by the relevant areas).
When acting as a data controller regarding a client, we will not be required to implement mechanisms to keep this data up-to-date; it will be the responsibility of the data controller, that is, our client.
Retention of Personal Data
Personal Data should not be retained for longer than necessary. This means that we must define and apply maximum retention periods for the Personal Data we process and implement processes to delete it at the end. Therefore, the following retention periods may be applied:
(i) for the time necessary for the relevant activity or services;
(ii) any retention period required by law;
(iii) the end of the period in which disputes or investigations may arise in relation to the services; or
(iv) the minimum period specified in the contract.
Rights of Data Subjects
The GDPR requires us to inform individuals about the Personal Data we collect, the purposes, and the means for which it is processed. This information is provided in the form of a 'Privacy Notice.'
a) Right of Access
Data Subjects have the right to request access to the Personal Data we hold about them, the purpose of processing, and the categories of data involved. We must notify the Data Subject of the recipients with whom we will share their data, especially if the recipient is in another country or belongs to an international organization. Whenever possible, we will define the data retention period to meet business objectives. We must inform the Data Subject of the right to object to processing and their right to rectification and erasure. We must inform the Data Subject of their right to lodge a complaint with a supervisory authority. When data is collected from someone other than the Data Subject, we must inform the Data Subject of the source of this data. We must ensure that we have processes in place to identify and respond to access requests from the Data Subject promptly, and within a maximum period of one month.
b) Right to Rectification
Data Subjects have the right to rectify inaccurate data, and CRU Ecoliving shall make every effort to do so promptly.
c) Right to Erasure
The Data Subject has the right to obtain from the data controller the erasure of their data ('right to be forgotten'). It is the responsibility of CRU Ecoliving to attempt to erase the data held immediately, except when there is a legal requirement for its retention. If a request is received from a Data Subject, contact the Privacy Officer before deleting any data.
d) Rights of Children
All individuals, including children, are protected by the GDPR. For children under 13 years old, we should not process their Personal Data based on their consent unless authorized by those with parental responsibilities.
e) Marketing
At times, we may send marketing materials to our customers and partners to inform them about services, upcoming events, or other activities of interest. In such cases, we must specify the right to withdraw consent at any time if they wish not to be contacted in this manner again. We should also ensure that we have processes in place to record and respect all participation preferences.
Security of Retained Data
CRU Ecoliving will maintain the security of data by protecting the Confidentiality, Integrity, and Availability of Personal Data, where:
- Confidentiality: Only authorized individuals can access the data.
- Integrity: Personal Data must be accurate and suitable for the purposes inherent to the processing.
- Availability: Authorized users must be able to access the data when needed for authorized purposes.
International Transfer of Personal Data
CRU Ecoliving may transfer any Personal Data to a third country or international organization. The Personal Data we possess may also be processed by employees operating in a third country or by one of our suppliers.
We must ensure that at least one of the following conditions applies:
a) The country to which Personal Data is transferred ensures an adequate level of protection for the rights and freedoms of Data Subjects, by decision of the EU Commission.
b) Appropriate safeguards are provided (e.g., standard data protection clauses).
c) The Data Subject has given explicit consent to the transfer after being informed of possible risks.
d) The transfer is necessary for one of the reasons established in the GDPR, including the execution of a contract between CRU Ecoliving and the Data Subject, or the protection of the vital interests of the Data Subject.
e) The transfer is legally required for important reasons of public interest or for the establishment, exercise, or defense of legal claims.
Log Information, Cookies, and Web Beacons
The CRU Ecoliving website uses cookies to distinguish its users. CRU Ecoliving collects standard internet log information, including the user's IP address, browser type and language, access times, and addresses of referring websites.
To ensure that our website is well-managed and to facilitate navigation, CRU Ecoliving or its service providers may also use cookies (small text files stored in the user's browser) or web beacons (electronic images that allow our site to count visitors who have accessed a site and certain cookies) to collect aggregated data.
Information on Professionals
Collection and Storage
CRU Ecoliving, as an employer, collects, processes, and stores personal data of employees, contractors, consultants, and applicants. The Human Resources Department and other departments handling personal data of professionals must verify and document the legal basis for the processing they perform. Personal data of professionals should only be processed when there is a valid and legitimate purpose for doing so. The collection of personal data related to our employees occurs through various channels and formats, such as application forms, electronic web forms (e.g., during the recruitment process), data records, CCTV images, team photographs, including identification cards, data from other sources (e.g., previous employers), credit checks, and security checks, etc. The creation and storage of personal data related to our professionals occur through various channels and formats, such as pay receipts, evaluation records, employment contracts, emails, sickness records, etc.
Training and Awareness
We are committed to providing adequate training on the protection of personal data to all professionals. If necessary, we will provide customized training and awareness for individuals based on their roles.
Process Design and Change
For all new proposed business systems and procedures involving Personal Data, consideration must be given to whether a privacy impact assessment is necessary for privacy and information security to identify risks and controls.
COOKIE POLICY
This website uses cookies to provide a better experience for its visitors and to ensure that it is fully functional. This Cookie Policy is part of our Privacy Policy, which you should refer to for more information about us and how we protect user information. In order to provide a personalized and efficient service to our users, it is necessary to memorize and store information about how this website should be used. To do this, we use small text files called cookies that contain small amounts of information downloaded to the computer or other devices of our users through a server. Your internet browser subsequently sends these cookies back to the website on each subsequent visit, allowing the recognition and memorization of the identity of our visitors, including the usage preferences of our users. You can find more detailed information about cookies and how they work here. Browsing this website allows the collection of information using cookies and other technologies. By using this site, you accept the use of cookies as described in this Cookie Notice.
Types of Cookies Used and Why?
Some of the cookies we use are necessary to enable navigation on this website and take advantage of its features, such as accessing secure areas and content exclusive to registered users. Our website also uses functional cookies to record information about our users' choices and to tailor our website to their needs; for example, remembering the language of origin or region or that a user has completed a survey. The recorded information is anonymous and is only intended for the purpose mentioned above. We may use, directly or indirectly, web analytics services to assess the effectiveness of our content and the preferences of our users, allowing us to contribute to optimizing the operation of this website. Additionally, we use web beacons or tracking pixels to count the number of visitors and performance cookies to monitor how individual users access our website and how often. This information is used only for statistical purposes without identifying any particular user. However, for registered users who are logged into the website, we may combine this information with data collected via web analytics services and cookies to analyze how visitors use this website in more detail. This website does not use targeting cookies to promote targeted advertising to our visitors. Whenever you want detailed information about the cookies used on our website, please contact us via email.
How to Control Cookies?
Users of the website accept the introduction of cookies on their computers or devices as indicated above, without prejudice to the available control and management. We inform users that removing or blocking cookies may affect their user experience and may limit access to some areas of the website.
Browser Controls
The vast majority of browsers allow our users to view stored cookies and delete them individually, or alternatively, block cookies on a specific website or all websites in general. Please note that set preferences, including auto-exclusion, are lost whenever cookies are deleted. For further clarification, users should refer to the websites or visit cookiecentral.com.
Management of Analytics Cookies
Our users have the option to choose to disable their anonymity in their browsing activity within websites monitored by analytics cookies. We use the following service providers where you can obtain more information about their privacy policies and how to disable their cookies by clicking on the following links:
Google Analytics: google.com/analytics/learn/privacy.html
Facebook Pixel: facebook.com/business/help/742478679120153
Management of Local Shared Objects or Flash Cookies
A local shared object or flash cookie resembles other browser cookies but differs in its ability to store more types of information. These cookies cannot be controlled through the mechanisms identified above. Some areas of our website use this type of cookie to store user preferences for media player functionalities, and without them, the content of some videos may not be viewed properly. These cookies can be manually controlled by visiting the Adobe website.
Social Buttons
We utilize social buttons to enable our users to share or bookmark pages. These buttons are associated with social networks that may obtain information about our visitors' activities on the Internet, including on our website. Understanding how the information is used and how users can opt out of its collection should be obtained by reviewing the respective Terms of Use and Privacy Policies of these websites.
Email Communications
To assess the relevance of our communications, we may use monitoring technologies to determine if our visitors have read, clicked on links, or forwarded specific email communications sent by us. In case of disagreement with this procedure, our users should reverse their subscription (unsubscribe) since it is not possible to send these emails without these active monitoring mechanisms. Registered subscribers can update their communication preferences at any time by contacting us via email, or they can unsubscribe by following the instructions in the email communication sent to their email address.
This Cookie Policy may be revised at any time, at our discretion. When such changes are made, the revision date at the top of the page will be updated. The revised Cookie Policy will take effect from the revision date. We recommend that users of our website periodically review the Cookie Policies to stay informed about our cookie management.
Updated on October 19, 2022
