This document aims to present the policy, system and procedures to be adopted by Carregosa – Sociedade Gestora de Organismos de Investimento Coletivo S.A. (“Carregosa SGOIC”) to ensure compliance with the requirements on data protection of natural persons, the processing thereof and free circulation of such data, as set out in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 (General Data Protection Regulation, hereinafter “GDPR”) and other relevant regulation, in particular Law 58/2019 of 08th August (Law on the protection of personal data).
The terms below shall have the meaning attributed to them in the following paragraphs, in accordance with the aforementioned Regulation:
- “Personal data”, means any information relating to an identified or identifiable natural person (“data owner ”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- “Processing", means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organizingstructuring, storage, adaptation or changing, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- “Restriction of processing, means the marking of stored personal data with the aim of limiting their processing in the future;
- “Profiling, means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
- “File, means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
- “Controller, means the natural or legal person, public authority, agency or other body, which, alone or jointly with others, determines the purposes and means of processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller of the specific criteria for its nomination may be provided for by Union or Member State law;
- “Processor, means a natural or legal person, public authority, agency or another body that processes the personal data on behalf of the controller;
- “Recipient, means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
- “Third party, means a natural or legal person, public authority, agency or body other than the data owner, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
- “Consent, of the data owner means any freely given, specific, informed and unambiguous indication of the data owner’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or to her;
- “Personal data breach, means a breach of security leading to the accidental or unlawful destruction, loss, changing, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
- “Enterprise, means any natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
- “Group of undertakings, means a controlling undertaking and its controlled undertakings;
- “Binding corporate rules, means personal data protection policies which are adhered to by a controller or the internal rules concerning the protection of personal data applied by a controller or a processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third within a group or undertakings, or a group of enterprises engaged in a joint economic activity;
- “Supervisory authority, means an independent public authority which is established by a Member State pursuant to article 51 of the GDPR;
Full name, signature, gender, date of birth, tax identification number or equivalent number issued by a competent foreign authority, civil identification number (citizen card, identity card, passport or residence permit), its issuing entity and dates of issue/validity, nationality(ies), place of birth, photo, marital status, marital arrangement, status of politically exposed person or public or political office holder.
Phone number, mobile phone, e-mail address, permanent home address, tax address.
Financial data and business relationship data
Knowledge of and experience in investment services and financial instruments, bank account identification, financial situation, business correspondence, history of transactions in financial instruments, history of contacts with back office.
Qualifications and academic background, profession and employer, professional address.
Data collected indirectly through the Carregosa SGOIC website
Date, duration and location of the visit to the website, browser type, operating system and device details, browser language.
Carregosa SGOIC collects your personal data when you adhere or potentially adhere to the services we provide, as described and for the purposes below.
We promote the lawful and transparent processing of your personal data, using validated forms of legitimation and using them only for the purposes described below.
3.1. Processing of personal data as part of contract performance
Certain personal data are processed by Carregosa SGOIC as they are required for the performance of a contract or to implement pre-contractual proceedings:
- Registration and storage of information necessary for the provision of services;
- Provision of information on the marketing of products and services provided by Carregosa SGOIC and verifying its suitability to the client’s profile;
- Examination of and response to claims, requests for clarification, and suggestions.
3.2. Processing of personal data based on a legal obligation
The activity of Carregosa SGOIC is subject to a set of legal obligations that imply the collection and processing of a set of data, namely:
- Legislation on the prevention of money laundering and terrorist financing;
- Regulations and other policy documents issued by the Portuguese Securities Market Commission and by the National Board for Public Real Estate and Construction Markets;
- Other European and national legislation that binds Carregosa SGOIC in conducting its business;
- Determination of risk profiles and verification of investment knowledge, experience and objective to subscribe the traded products;
- Screening and filtering entities as part of the prevention of money laundering and terrorist financing;
- Response to requests from supervisory bodies – Portuguese Securities Market Commission and the National Board for Public Real Estate and Construction Markets – and other public authorities;
- Compliance with tax and accounting obligations;
- Registration of contacts made when placing orders on product subscriptions;
- Creation of a document archive.
3.3. Processing of personal data based on the legitimate interest of Carregosa SGOIC
The processing of personal data necessary for the purposes of the legitimate interests pursued by Carregosa SGOIC is aimed at continuously improving the business relation and the client’s experience, except where such interests are overridden by the interests or fundamental rights and freedoms of the data owner which require protection of personal data, in particular where the data owner is a minor. Under this framework, personal data will be subject to processing for the following purposes:
- Checking levels of satisfaction and quality of services provided;
- Managing non-compliance (litigation) or exercise/defence of a claim, irrespective of whether it is a judicial or an administrative or out-of-court proceeding;
- Storing and managing information systems with a view to protecting the integrity of data, namely through access control and monitoring.
3.4. Processing of personal data based on data owner consent
The data owner may allow Carregosa SGOIC to process certain data by providing free, express, informed, specific consent (orally or by other verifiable means).
The browsing experience on the Carregosa SGOIC website is based on:
- Counting the number of visits, their origin, duration, and pages viewed on the website;
- Optimising the browsing experience based on the devices used (computer, tablet, mobile phone).
Additionally, the data owner may be asked to give consent to the following processing:
- Using the history of interaction with clients and financial information collected to define profiles and categories, to increase the quality of communications and services provided;
- Providing information to clients, on the initiative of Carregosa SGOIC, on financial markets, technical analyses, etc.
3.5. Other legal grounds for processing personal data
The GDPR also claims the following grounds for processing personal data:
– When data processing is necessary to protect the vital interests of the data owner or of any other person; and
– When data processing aims at meeting the public interest and is carried out by a compliance officer vested with public authority.
Carregosa SGOIC is responsible for processing the data of its clients and/or potential clients. You can contact us in the following ways:
Address: Avenida da Boavista, 1057, 4100-129, Porto
Phone number: +351 220 105 790
Carregosa SGOIC will ensure compliance with the law, the management of interactions with data owner, and cooperation with the relevant supervising authority, the National Data Protection Authority (“CNPD”). Any queries regarding the processing of your data must be sent to the following e-mail address:
Carregosa SGOIC may have to communicate or give access to your personal data to other entities so that they may process them, on its behalf and for its own account. However, the Management Company will only transmit your personal data to the following recipients:
– Enterprises part of the same group undertaking, in particular when they operate as service providers;
– Entities and authorities to whom the personal data must be communicated by virtue of a legal obligation (for e.g the Portuguese Securities Market Commission, the National Board for Public Real Estate and Construction Markets, the Tax Authority and public authorities);
– Carregosa SGOIC processors (for e.g. custodians and marketing entities) – in these cases, we will adopt the necessary contractual measures to ensure that processors respect and protect the data being transmitted, as required by the GDPR.
Carregosa SGOIC adopts appropriate technical and organisational measures to protect personal data against loss, accidental or unlawful destruction or damage, and to ensure that the data provided are protected against unauthorised access or use by third parties or against any breach of personal data.
In the case of a personal data breach, we will notify the CNPD and the data owner pursuant to articles 33 and 34 of the GDPR.
Where processing is carried out based on consent, the data will be erased as soon as the data owner withdraws their consent or exercises the right to erasure. Regarding data collected due to a legal obligation, Carregosa is obligated by Article 51(1) of Law 83/2017 to retain the following elements for a period of 7 years after termination of the business relationship:
– The copies, records or electronic data extracted from all documents obtained or made available by clients or any other persons, as part of the identification and diligence procedures provided for in the aforementioned law;
– The documentation part of the processes or files related to the clients, including the commercial correspondence sent;
– Any internal or external documents, records and analyses formalising compliance with the provisions of the aforementioned law.
Additionally, pursuant to Article 6(1)(f) of the GDPR, the above data may be stored until the limitation period for contractual liability which, under civil law, is set at 20 years.
If you are a Carregosa SGOIC client, you may withdraw consent to the processing of personal data collected on the basis of this form of legitimation through the contacts indicated in the tab “Data controller”.
If you are not our client, you may manage the matters of interest you have subscribed to and the respective consents by the same means.
The GDPR also reinforces the guarantees already provided by previous legislation and grants new rights to data owners . As such, the following rights are available at Carregosa SGOIC:
– Request further information regarding the types of withheld data, the purposes of the processing, and to whom they are transmitted;
– Request copies of data;
– Request the portability of data provided in connection with the performance of the contract;
– Request the correction of any incorrect or inaccurate data;
- Request the erasure of data whose processing has become unlawful because, for instance, you have withdrawn consent or the retention period imposed by mandatory legislation has expired;
– Object to the processing where such processing is carried out in the public interest or in the interest of the controller and there are no compelling legitimate grounds that override the interests, rights and freedom of the data owner, or the data are not necessary for the establishment, exercise or defence of legal claims;
– Demand the limitation of data processing in the following cases:
– – When contesting the accuracy of your personal data;
– – When the processing has become unlawful, but you do not wish to request the erasure thereof;
– – When the processing has already ceased, but Carregosa SGOIC needs the data for establishing, exercising or defending a legal claim.
Whenever you exercise any of these rights, Carregosa SGOIC will reply within one month. In the cases where the request is particularly complex, this period will be extended by one month and the reply will be accompanied by a statement of the reasons thereof.
If the response from Carregosa SGOIC does not meet your expectations or if you are unhappy about the processing operations carried out, you may file a complaint with the National Data Protection Authority, the relevant supervisory authority, through the following contacts:
Address: Rua de São Bento, n.º 148, 3º, 1200-821, Lisboa
Telefone: +351 213 928 400
E-mail: [email protected]