Privacy Policy

General Data Protection Regulation (GDPR)
Privacy Policy
Version: 3.0_Abril 2024
Classification: Public
Audience: Staff and Managers

Content

Introduction
Definitions
Principles Applicable to the Processing of Personal Data
Processing of Personal Data
Subcontracted Entities
Data Subject Rights
Exercise of Data Subject Rights
Technical, Organizational, and Security Measures Implemented
Personal Data Breaches
Transfer of Data Outside the European Union
Changes to the Privacy Policy
Applicable Law and Jurisdiction
Contacts
Version Control

1. Introduction

This document is part of the normative framework for the protection of Personal Data of João Líbano Monteiro e Associados S.A., a public limited company, with its registered office at Rua Joshua Benoliel, 6 Edifício Alto das Amoreiras, 4º A, 1250-133, Lisbon and with the Tax Identification Number 504189620 (hereinafter “JLM&A”), and aims to provide information to data subjects about the processing of personal data carried out, as well as to define

Whenever this document is updated, a new version will be made available in the designated place, immediately after its approval.

The monitoring of compliance with this standard will be ensured through the measurement of the evaluation indicators of the controls and/or audits (internal or external), at regular intervals or when significant changes occur.

Scope and purpose

JLM&A implemented this Privacy Policy with the aim of demonstrating its commitment and respect for the rules of privacy and protection of Personal Data.

Why this Privacy Policy?

This Privacy Policy arises because JLM&A intends to make known the general rules of privacy and processing of your Personal Data, which we collect and process in strict compliance with the national and community legislation on protection of Personal Data.

All JLM&A employees must respect the best practices in the field of security and protection of Personal Data, having approved a demanding program, capable of safeguarding the protection of the Personal Data that are made available to us by everyone who somehow relates to JLM&A.

What does this Privacy Policy cover?

This Privacy Policy applies exclusively to the collection and processing of Personal Data carried out by JLM&A.

Recipients

This Privacy Policy is intended for all employees, customers and suppliers of JLM&A.

Responsibilities

The following list defines the responsibilities related to the production and management of this document:

The Administrative and Financial Area is responsible for approving and updating this Privacy Policy.
The Administrative and Financial Area is responsible for communicating the Privacy Policy to all JLM&A employees.

2. Definitions

Personal Data – Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Special Categories of Personal Data – Personal data revealing the racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership of a natural person, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Processing – Means any operation or set of operations which is performed on personal data or on sets of personal data, whether by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Controller – Means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Personal Data Breach – Means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Subcontractor – Means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Third Party – Means a natural or legal person, public authority, service or body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Supervisory Authority – Independent public authority established by a Member State.

3. Principles Applicable to the Processing of Personal Data

It is the responsibility of all JLM&A employees to ensure that the Personal Data they process is:

Processed lawfully, fairly, and transparently in relation to the Data Subject;
Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;
Accurate and, where necessary, kept up to date, with every reasonable step taken to ensure that inaccurate Personal Data, having regard to the purposes for which it is processed, is erased or rectified without delay;
Kept in a form which permits identification of the Data Subject for no longer than is necessary for the purposes for which the Personal Data is processed;
Processed in a manner that ensures its security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.

Data processing carried out by JLM&A is lawful when at least one of the following situations applies:

The Data Subject has given explicit consent for the processing of their data for one or more specific purposes;
Processing is necessary for the performance of a contract to which the Data Subject is a party or in order to take steps at the request of the Data Subject prior to entering into a contract;
Processing is necessary for compliance with a legal obligation to which JLM&A is subject;
Processing is necessary to protect the vital interests of the Data Subject or of another natural person;
Processing is necessary for the purposes of the legitimate interests pursued by JLM&A or by third parties, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data.

JLM&A commits to ensuring that the processing of the Data Subject’s data is only carried out under the conditions listed above and in compliance with the aforementioned principles.

When the processing of the Data Subject’s data by JLM&A is based on the Data Subject’s consent, they have the right to withdraw their consent at any time. However, the withdrawal of consent does not affect the lawfulness of the processing carried out by JLM&A based on the consent previously given by the Data Subject.

The period during which the data is stored and retained varies according to the purpose for which the information is processed.

There are legal requirements that mandate retaining data for a minimum period. Thus, where there is no specific legal requirement, data will be stored and retained only for the minimum period necessary for the purposes that justified its collection or subsequent processing, after which the data will be deleted.

4. Processing of Personal Data

In the course of its activities, JLM&A collects and processes Personal Data of clients, potential clients, employees, job applicants, and/or suppliers acting as natural persons.

As a rule, the Personal Data of Data Subjects is collected when they intend to contact JLM&A, either to request one of the services provided by it or to obtain additional information about them, or when a contractual relationship is established between an employee and JLM&A. JLM&A collects different categories of personal data from its clients, potential clients, suppliers, service providers, candidates, and employees. These categories of personal data may include: identification data, contact data, billing data, and data related to academic and professional backgrounds. In the context of providing consulting services to its clients, JLM&A may process special categories of personal data, in particular: political opinions and/or trade union membership. This data is only processed when it has been manifestly made public, in accordance with Article 9(2)(e) of the GDPR.

Considering that the Website has an unstructured field for sending messages to JLM&A, Personal Data may be sent within such a message. This field should not include Personal Data belonging to special categories (i.e., racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a person, health data, or data concerning a person’s sex life).

For the purposes of this Privacy Policy, a contractual relationship is understood to be any agreement established between JLM&A and the entities it relates to, regardless of its subject matter.

In general terms, JLM&A processes Personal Data for the following purposes:

Purpose	Description	Ground for Lawfulness
Information Request Management	Data processing to respond to information requests made by potential clients.	Pre-Contractual Steps
Cookie Management	Data processing to ensure the functioning of the JLM&A website and to guarantee a good user experience.	Consent, Legitimate Interest
Employee and External Service Provider Management	Data processing for obligations and responsibilities towards JLM&A employees, including salary processing, training and professional development, potential benefits, disciplinary processes, absence and time management, occupational health, management of work accidents, possible internal events and initiatives, among others. This also includes data processing for external service providers performing services at our facilities.	Contractual Performance
Client and Supplier Relationship Management	Data processing for actions during the contractual relationship, to maintain up-to-date provided data, possible changes in contractual conditions, fulfillment of contractual obligations, client and supplier support, assistance in using services, among others.	Contractual Performance, Legitimate Interest
Provision of consultancy services to clients	Provision of Consulting Services to Clients Media and Public Relations, External Communication, Crisis Management, Media Training, Public Affairs & Engagement, Social Media, Strategic Communication Consulting Contractual Performance	Contractual Performance
Selection and Recruitment	For recruitment purposes, we collect and process candidate data within JLM&A’s recruitment processes.	Pre-Contractual Steps
Security	Security Ensuring the security of our facilities through the management of work accidents, physical access control, among other actions. Legitimate Interest, Legal Obligation	Legitimate Interest, Legal Obligation
Billing	Issuing invoices for acquired products and services.	Legal Obligation, Contractual Performance

JLM&A may transfer or communicate the Data Subject’s data to other entities if such transfer or communication is necessary for the performance of the contract established between the Data Subject and JLM&A, or for pre-contractual steps at the request of the Data Subject, if it is necessary for compliance with a legal obligation to which JLM&A is subject, or if it is necessary for the pursuit of the legitimate interests of JLM&A or a third party. In the event of a transfer of the Data Subject’s data to third parties, reasonable efforts will be made to ensure that the transferee uses the Data Subject’s data in a manner consistent with this Privacy Policy.

5. Use of Cookies

JLM&A uses cookies to improve the User’s visit to its Website.

What are Cookies?

Cookies are small text files that are installed when accessing a Website and are stored in the browser folders, containing information related to browsing data and characteristics (e.g., how many times you accessed a Website) or the User’s preferences (e.g., what information you want to see when accessing a particular Website).

What are Cookies used for?

Cookies are used to improve the performance of Websites, making them faster and more efficient, as well as to help companies understand the usefulness and interest of their Websites.

What types of Cookies are used?

The types of Cookies used, as well as other information that must be provided to the User, can be found in the Cookie Policy available on the JLM&A website.

Third-Party Cookies:

When visiting the JLM&A page that contains embedded content from other Websites, you may receive Cookies from those Websites. . We do not control the implementation of these types of Cookies, and therefore we suggest that you check the third-party Websites for more information about their Cookies and how to manage or disable them. The same applies if you share JLM&A content through social networks such as LinkedIn.

JLM&A assumes no responsibility for Cookies used on other third-party Websites that are referred to or linked to.

6. Subcontracted Entities

In the context of processing the Data Subject’s data, JLM&A uses or may use third-party entities, subcontracted by it, to process the Data Subject’s data on its behalf and according to its instructions, in strict compliance with the law and this Privacy Policy.

These subcontracted entities are not permitted to transfer the Data Subject’s data to other entities without JLM&A’s prior written authorization, and they are also prohibited from hiring other entities without JLM&A’s prior authorization.

JLM&A commits to subcontract only entities that provide sufficient guarantees of implementing appropriate technical and organizational measures to ensure the protection of the Data Subject’s rights. All entities subcontracted by JLM&A are bound to it through a written contract that regulates, in particular, the subject matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data, the categories of Data Subjects, and the rights and obligations of the parties.

The subcontracted entities engaged by JLM&A assume different roles in the processing of Personal Data, including human resources, accounting, IT, insurance, and occupational health, hygiene, and safety.

7. Third-Party Tools Used on the JLM&A Website

LinkedIn:
The JLM&A Website provides interactivity with LinkedIn through the respective button, establishing a connection to LinkedIn’s servers, which will identify the Website that the User is visiting and possibly store other data, such as the IP address. Information regarding data processing carried out by LinkedIn is available at: https://www.linkedin.com/legal/privacy-policy?_l=pt_BR.

8. Data Subject Rights

Right of Access

JLM&A ensures means for the Data Subject to access their Personal Data.

The Data Subject has the right to obtain confirmation from JLM&A as to whether or not their Personal Data is being processed and, if so, the right to access their Personal Data.

Right to Rectification

The Data Subject has the right to request, at any time, the rectification of their Personal Data and, as well, the right to have their incomplete Personal Data completed, including by means of an additional statement.

Right to Erasure of Personal Data (Right to Be Forgotten)

The Data Subject has the right to obtain from JLM&A the erasure of their data when one of the following reasons applies:

The data are no longer necessary for the purpose for which they were collected or processed;
The Data Subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
The Data Subject objects to the processing under the right to object, without prejudice to the existence of legal obligations and/or legitimate interests of JLM&A justifying the processing;
The Data Subject’s data are unlawfully processed.

In accordance with applicable law, JLM&A is not obligated to erase the Data Subject’s data to the extent that processing is necessary for compliance with a legal obligation to which JLM&A is subject or for the declaration, exercise, or defense of JLM&A’s rights in a legal proceeding or prevailing legitimate interest.

In the event of data erasure, JLM&A will communicate to each recipient/entity to whom the data have been transmitted the respective erasure.

Right to Restriction of Processing

The Data Subject has the right to obtain from JLM&A restriction of processing of the Data Subject’s data if one of the following situations applies:

If the accuracy of the Personal Data is contested by the Data Subject, for a period enabling JLM&A to verify the accuracy of the data;
If the processing is unlawful and the Data Subject opposes the erasure of the data and requests the restriction of their use instead;
If JLM&A no longer needs the data for the processing purposes, but they are required by the Data Subject for the establishment, exercise, or defense of legal claims in a legal proceeding;
If the Data Subject has objected to processing, pending the verification of whether the legitimate grounds of JLM&A override those of the Data Subject.

When the Data Subject’s data are subject to restriction, they may, except for storage, only be processed with the Data Subject’s consent or for the establishment, exercise, or defense of legal claims in a legal proceeding, to protect the rights of another natural or legal person, or for reasons of public interest.

The Data Subject who has obtained restriction of processing of their data in the above cases will be informed by JLM&A before the restriction of processing is lifted.

Right to Data Portability

The Data Subject has the right to receive the Personal Data they provided to JLM&A in a structured, commonly used, and machine-readable format and the right to transmit those data to another controller, where:

The processing is based on consent or on a contract to which the Data Subject is party;
The processing is carried out by automated means.

The right to data portability does not include inferred data or derived data, i.e., Personal Data generated by JLM&A as a result or consequence of the analysis of the processed data.

The Data Subject has the right to have the Personal Data transmitted directly between controllers, where technically feasible.

9. Exercise of Data Subject Rights

The right of access, the right to rectification, the right to erasure, the right to restriction, the right to data portability, and the right to object may be exercised by the Data Subject via email to [email protected] or by mail to Rua Joshua Benoliel, nº 4ºA, 1250-133 Lisboa.

JLM&A will respond in writing (including electronically) to the Data Subject’s request within one month from the receipt of the request, unless in cases of special complexity, in which case this period may be extended by up to two months.

If the requests made by the Data Subject are manifestly unfounded or excessive, especially due to their repetitive nature, JLM&A reserves the right to charge administrative costs or refuse to comply with the request.

10. Technical, Organizational, and Security Measures Implemented

To ensure the security of the Data Subject’s data and maximum confidentiality, JLM&A employees are responsible for treating the information received directly from the data subjects confidentially, following document classification, internal security, and confidentiality policies and procedures, which are periodically updated as needed.

Considering the nature, scope, context, and purposes of data processing, as well as the risks arising from processing for the rights and freedoms of the Data Subject, JLM&A commits to applying, both at the time of defining the means of processing and during the processing itself, the necessary and appropriate technical and organizational measures to protect the Data Subject’s data and comply with legal requirements.

It also commits to ensuring that, by default, only data necessary for each specific purpose of processing are processed and that these data are not made available without human intervention to an indefinite number of people.

JLM&A ensures the security of retained Personal Data through two different methods: . In the case of digital information, all data are protected by passwords, and access is granted only through compliance with specific rules provided by the company. Meanwhile, information available only on paper (being phased out) is protected in locked cabinets.

In terms of general measures, JLM&A adopts the following:

Awareness and training of personnel involved in data processing operations;
Pseudonymization and encryption of Personal Data;
Mechanisms capable of ensuring permanent confidentiality, availability, and resilience of information systems;
Mechanisms ensuring the restoration of information systems and access to Personal Data promptly in the event of a physical or technical incident.

JLM&A will document all Personal Data breaches that may occur, including the facts related to the breach of Personal Data, its effects, and the actions taken.

Any employee should notify the Data Processing Officer as soon as possible in case of knowledge or suspicion of unauthorized access or use of Personal Data.

11. Personal Data Breaches

In the event of a data breach, and to the extent that such breach is likely to result in a high risk to the rights and freedoms of the Data Subject, the Data Controller of JLM&A is responsible for notifying the Data Subject affected by the Personal Data breach within 72 hours from becoming aware of the incident. Furthermore, in case of a violation of this policy by employees, proportional disciplinary measures and other procedural measures appropriate to prevent recurrence will be applied.

Under legal terms, notification to the Data Subject is not required in the following cases:

If JLM&A has implemented appropriate technical and organizational protection measures, and these measures have been applied to the Personal Data affected by the breach, especially measures that render the Personal Data incomprehensible to any unauthorized persons accessing such data;
If JLM&A has taken subsequent measures to ensure that the high risk to the rights and freedoms of the Data Subject is no longer likely to materialize; or
If notification to the Data Subject would involve disproportionate effort for JLM&A. In such cases, JLM&A will make a public notification or take a similar measure through which the Data Subject will be informed.

12. Transfer of Data Outside the European Union

The Personal Data collected and used by JLM&A may be transferred to Third Parties established outside the European Union when required by the object of the contract established between JLM&A and the client. When such transfer occurs for the aforementioned reasons, JLM&A undertakes to ensure that the transfer complies with applicable legal provisions, particularly regarding the determination of the adequacy of such country concerning data protection and the requirements applicable to such transfers.

13. Changes to the Privacy Policy

JLM&A reserves the right to change this Privacy Policy at any time. In case of modification of the Privacy Policy, the date of the last change, available at the top of this page, is also updated.

In any case, if you believe that JLM&A has violated or may have violated your rights under the applicable data protection legislation, you may file a complaint with the National Data Protection Commission.

14. Applicable Law and Jurisdiction

The Privacy Policy, as well as the collection, processing, or transmission of User Data, are governed by the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, and by the applicable legislation and regulations in Portugal.

Any disputes arising from the validity, interpretation, or enforcement of the Privacy Policy, or related to the collection, processing, or transmission of User Data, must be submitted exclusively to the jurisdiction of the judicial courts of the district of Lisbon, without prejudice to the applicable mandatory legal provisions.

15. Contacts

If the Data Subject has any questions or complaints related to the Privacy Policy, they can do so by emailing the following contact: [email protected]

16. Version Control

Title:	Policy Privacy
Company	JLM&A
Classification Level	Public
Review Period	Anual
Next Revision Date	01/04/2024

Version	Version Date	Created By	Approved By	Description
1.0		CTSU	CA	Creation of the initial version
2.0	01/04/2023	JLMA	CA	Adaptation of the initial version to the reality of JLMA
3.0	01/04/2024	JLMA	CA	Compliance review