Privacy Policy

Version dated 24^th January 2020

We are concerned with protecting your privacy, ensuring that the processing of your personal data is carried out in accordance with the applicable legal provisions on data protection.[1]

For that matter, we advise you to read this Privacy Policy and its updates. In the event we amend this Privacy Policy, the date of the last amendment, available at the top of this page, shall also be updated.

This Policy addresses:

• The data controller
• Which personal data are collected and processed
• How we collect personal data
• How we use your personal data
• On what basis we use your personal data
• For how long we keep personal data
• With whom we share your personal data
• How we protect your personal data
• To which countries we transfer your personal data
• Your rights regarding your personal data

The data controller

Sociedade Rebelo de Sousa & Advogados Associados, SP, RL, with its registered office at Rua D. Francisco Manuel de Melo, no. 21, 1070-085 Lisbon, and registered with the Lisbon Regional Council of the Portuguese Bar Association under the no. 74/09 (hereinafter referred to as “SRS”) is responsible for collecting and processing your personal data, while providing you with legal services and within such scope decides which personal data is collected, the means of processing and the purposes for which the information is used.

If you have any question related to how we process your personal data, if you would like any clarification on this document or if you wish to exercise any of the rights mentioned below, please e-mail us at dadospessoais@srslegal.pt or, alternatively, write us to:

Rua D. Francisco Manuel de Melo no. 21

1070-085 Lisbon, Portugal

SRS would also like to inform that a Privacy Officer has been appointed, who shall be responsible for, among other duties (i) monitoring compliance of the data processing with the applicable rules, (ii) being a point of contact with data subjects to clarify matters related to the processing of their data by SRS, (iii) cooperating with the National Data Protection Authority (hereinafter referred to as “CNPD”), and (iv) providing information and advice to SRS on their privacy and data protection obligations.

If you wish to contact our Privacy Officer, please send a written communication to the contact details set out in this Policy.

Which personal data are collected and processed

‘Personal data’ means any information, of any nature and in any form, relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, by a reference such as a name, an identification number location data, an online identifier or any other elements that allow the identification of that natural person, such as specific elements of the physical, physiological, genetic or economic identity.

Your personal data may be collected during the provision of our services, through the use of our website, by contacting or requesting information about SRS or as a result of the contacts you may have with any of our employees or clients.

Personal data processed by SRS includes:

• Identification data, such as your name (including prefix or title), your company, the title or position and your connection to a particular person;
• Contact details, such as postal address, e-mail address and telephone numbers;
• Financial information, such as your tax payer number and payment methods;
• Technical information, such as information about your visits to our website or in relation to communications sent to you by SRS through electronic means;
• Information you provide in order to schedule meetings or attend events, including accessibility constraints;
• Background information you have provided or that has been gathered as part of the acceptance of clients process, including financial, administration and business marketing details;
• Information related to proceedings;
• Personal data collected by SRS in its own name or incurred from our clients within the services we provide, including special categories of personal data;
• Data collected through the use of our website, namely cookies; and
• Any other data you may provide us.

How we collect personal data

• Data collection may be carried out as part of the process to hire our services, and may extend to third parties, as applicable, during the provision of legal services;
• Through our computer tools and applications, including our website and electronic communications sent to SRS;
• When you provide us your personal data, or interact directly with us, for example through contacts with our employees;
• And through other means and sources, for example by using means that make publicly available information to keep your data updated.

How we use your personal data

SRS collects and processes your personal data in many ways, particularly through the use of our website and of our services. We use your data:

• To provide our services, which may include processing of personal data of third parties on behalf of our clients;
• To make available information upon your request;
• To promote our services, through sending news and publications and/or newsletters;
• To promote events and/or seminars organised or co-organised by our firm;
• To guide and direct our relationship with you;
• To comply with the tax legislation and on the prevention of money laundering or terrorist financing, as well as to carry out conflict checks;
• In pursuing our legal, regulatory and risk management obligations, including in the exercise of rights and in the defence of judicial proceedings;
• To make available and to improve our website, including to audit and monitor its use;
• For recruitment purposes.

On what basis we use your personal data

We use your personal data in a lawful, fair and transparent manner based on the following grounds:

• Through your previous consent, in writing, orally or through the validation of an option, and if such consent is freely given, informed, specific and unambiguous;
• In the pre-contractual procedures or before the willingness to negotiate declaration, and in the performance of contractual obligations, namely through the provision of legal services;
• To take or defend legal actions or judicial proceedings;
• To comply with regulatory and legal obligations;
• For legitimate commercial purposes. Please read “How we use your personal data” for further details.

The communication of your personal data is entirely voluntary. However, it is a necessary requirement for the provision of our services.

For how long we keep personal data

SRS processes and retains your personal data according to the purposes for which they are processed and whenever there is a specific legal and/or regulatory obligation to retain them.

Therefore, by way of example, there are cases in which the law requires the processing and the retention of data for a minimum period of time, namely (i) data relating to accounting or tax purposes are kept for, at least, 10 years; (ii) data for the purposes of prevention of money laundering and terrorist financing are kept for 7 years; or (iii) during the attorney relationship, plus 20 years, for data processed within the legal mandate.

Likewise, SRS shall retain the data in accordance with the limitation periods to bring legal proceedings before the courts.

Once the maximum retention period has been reached, your personal data shall be irreversibly anonymised (anonymised data may be retained) or shall be securely destroyed.

With whom we share your personal data

We may share your personal data with third parties, in accordance with the current contractual and legal provisions, including:

• Governmental and judicial authorities, such as courts and the Tax Authorities;
• Our consultants and professional auditors;
• Suppliers with whom SRS hires certain supporting services, such as wording processing, translations, copies, revisions of documents;
• IT service providers;
• Third parties involved during the services we provide to our clients and with their previous consent, such as lawyers, implementing agents, local consultants, amongst others;
• Entities involved in the events or seminars organisation or co-hosting thereof.

Whenever your personal data are shared with processors, SRS shall take all the necessary contractual measures to ensure that the processors respect and protect your personal data, thus SRS shall only use processors that provide sufficient guarantees to implement appropriate technical and organizational measures.

Whenever necessary, or for any reason foreseen in this Policy, personal data may be shared with supervisory authorities, courts and official entities. Although unlikely, we may be required to share your personal data to comply with legal obligations. We will make reasonable efforts to notify you before sharing your personal data, unless we are legally prevented from doing so.

If, in the future, we reorganise or transfer our company, in whole or in part, we may need to transfer your personal data to the new entities related to SRS or to the third parties through which the services of SRS shall be provided.

SRS may use social networks, such as LinkedIn and Twitter. If you use any of these services, you shall review their privacy policy for further information on how they handle your personal data.

SRS DOES NOT COMMERCIALLY SELL, LEASE OR MAKE AVAILABLE PERSONAL DATA TO THIRD PARTIES.

How we protect your personal data

We use a variety of technical and organisational security measures to help protect your personal data against the unauthorised destruction, loss, change, disclosure and access, in accordance with the applicable data protection legislation.

To which countries we transfer your personal data

In order to provide our services, the transfer of your personal data to other countries may be necessary.

Therefore, SRS may transfer your personal data to a third country outside the European Economic Area (“EEA”) which is not part of the list of countries that the European Commission has decided that ensures the adequate level of protection. In these cases, SRS shall assure that the data transfers are in strict accordance with the applicable legal provisions, namely chapter V of the GDPR.

Your rights regarding your personal data

As a subject of data processed by SRS, you may exercise, at any time, within the limits of what is legally possible, the following rights through a written communication to SRS at dadospessoais@srslegal.pt:

1. Right of access – the right to obtain confirmation as to which of your personal data is processed and information about them; for example, what are the purposes of the processing, what are the retention periods, amongst others;

2. Right to rectification – the right to request rectification of your personal data that are inaccurate or request the completion of incomplete personal data, such as the address, the tax pay number, the e-mail address, phone numbers, amongst others;

3. Right to erasure or “right to be forgotten” – the right to obtain the erasure of your personal data, unless there are valid grounds their storing. For example, when SRS is required to keep the data to comply with a legal obligation or because of ongoing judicial proceedings;

4. Right to data Portability – the right to receive the data you have provided in a commonly used and machine-readable digital format, as well as the right to directly transmit such data to the new data controller, but in this case only if technically possible;

5. Right to withdraw consent – the right to withdraw your consent, at any moment, for data processing, such as in the event of data processing for marketing purposes, without affecting the lawfulness of processing based on the previously given consent;

6. Right to object – the right to object, at any moment, to the processing of your personal data, unless compelling legitimate grounds prevail over your interests, rights and freedoms, such as for the defence of a right in judicial proceedings; e

7. Right to restriction of processing – the right to request a restriction to the processing of your personal data, in the form of: (i) suspension of processing, or (ii) limitation of the scope of processing to certain categories of data or purposes of processing.

This communication must contain your full name, a copy of your citizen card or other official identification document, or of the person that is representing you, under the applicable legal terms, the address for notification purposes and your specific request.

The exercise of your rights is free, unless the request is manifestly unfounded or excessive, in which case a reasonable fee may be charged taking into account the costs.

Information shall be provided in writing, but, at your request, they may be provided orally. In this case, SRS shall verify your identity by means other than orally.

The replies to the requests shall be provided, generally, within a maximum period of 30 days, unless the request is particularly complex or there is a multiplicity of requests.

In addition to the rights abovementioned, SRS would like to inform that you also have the Right to Complain, i.e., the right to lodge a complaint with the national supervisory authority, CNPD (www.cnpd.pt), if you consider that SRS has breached the GDPR or the applicable national legislation regarding your personal rights.

Moreover, you have the right to bring legal proceedings before the courts, without prejudice to any other administrative or non-judicial remedies against SRS or a processor, in case you consider there has been a breach of your rights.