SERaro

Privacy policy

In the course of its activities, SERaro collects and processes personal data from various data subjects, including members, promoters, employees, job applicants, suppliers, among others. This Privacy Policy (hereinafter, the policy) describes the guidelines and principles adopted by SERaro to ensure the protection of data subjects' personal data, establishing guidelines regarding data subjects' rights and the processing and free movement of personal data.

This document provides guidance for acting with integrity and in compliance with regulatory requirements in the field of data protection, and must be respected by all SERaro stakeholders.

SERaro is committed to providing its personnel with privacy training appropriate to their roles. This does not relieve anyone of the obligation to be aware of this Privacy Policy and to understand it.

SERaro's Privacy Policy covers any and all processing of personal data and applies to all areas of SERaro.

SERaro reserves the right to amend this policy when necessary. This policy is subject to periodic review in order to ensure alignment with applicable laws, regulations and business best practices. Amendments to this policy will be approved by SERaro's governing bodies. In the event of a change to the policy, data subjects will be informed.

SERaro's Privacy Policy is governed by the data protection principles set out in the General Data Protection Regulation (hereinafter GDPR or Regulation), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

The GDPR's primary objective is to ensure respect for the fundamental right of each person to decide on the use of their personal data. The GDPR covers all organisations operating in the European Union, and national law of each country is intended to take precedence over it in the event of conflict, or in situations where the requirements set out in national law are more stringent.

SERaro is responsible for ensuring compliance with this policy and with applicable laws.

In order to ensure adequate coordination of the various stakeholders and management of data protection matters within the organisation, SERaro has designated the members of the Management Body as being responsible for data protection.

If a privacy incident occurs at SERaro, the Management Bodies must be informed immediately by email (ser@seraro.pt) or by post to Praça David Leandro da Silva, nº 25 – 1950-064 Lisboa.

SERaro, in compliance with regulatory requirements, ensures that data subjects enjoy a set of rights regarding how their data is collected, processed and protected.

Before responding to requests, SERaro takes care to ensure data security by requiring authentication of the data subject. To this end, proof of identity may be requested from the data subject whenever necessary. If the data subject cannot be identified, SERaro reserves the right not to respond to requests to exercise these rights, and will inform the data subject of this situation.

Whenever there is a legal framework that prevents the data subject from exercising certain rights, SERaro reserves the right not to respond to the request, informing the data subject, within a maximum period of one month from the date of receipt of the request, of the reasons why the request will not be fulfilled and of the possibility of lodging a complaint with a supervisory authority and pursuing legal action. SERaro reserves the same right when requests are manifestly unfounded or excessive, and may charge a fee equivalent to the administrative costs incurred in responding to the requests.

The rights of data subjects are set out below, with note taken of their particularities and of the means made available by SERaro for data subjects to exercise those rights.

The channels for invoking and exercising each of the rights are defined in Section XIV (Contacts) of this document.

a. Right to Transparent Communication

SERaro informs the data subject, clearly and transparently, about the processing of their personal data, communicating the following information at the time of collection of personal data:

  • The purposes for which the personal data are processed;
  • The legal bases for processing (legitimate interests of SERaro, legal or contractual obligation) where there is no explicit consent from the data subject, as well as any consequences of not providing such data;
  • The categories of recipients of the personal data, where applicable;
  • Whether personal data are transferred to a third country or an international organisation;
  • The retention period for personal data or, if not possible, the criteria used to determine that period;
  • The existence of automated decision-making, where applicable;
  • Their rights as data subjects (set out in this section), including the right to lodge a complaint with a supervisory authority;
  • SERaro's contact details.

SERaro undertakes to inform the data subject whenever it intends to use their data for purposes other than those previously communicated.

b. Right of Access

SERaro ensures that means are available to allow the data subject to access the personal data held about them by the entity, together with the information listed in section a. Right to Transparent Communication.

If the data subject so requests, SERaro will send a copy of their personal data undergoing processing in electronic format. If additional copies are requested, SERaro reserves the right to charge a fee equivalent to the administrative costs incurred in fulfilling the request.

If the information requested by the data subject would prejudice or compromise the rights and freedoms of third parties, SERaro, in compliance with regulatory requirements, will not proceed with the access request.

c. Right to Rectification

SERaro ensures that means are available to allow the data subject to rectify their personal data if it is inaccurate, or to complete it if it is incomplete.

d. Right to Object

SERaro ensures that means are available to allow the data subject to object to certain processing of personal data for certain purposes, without prejudice to applicable directives or laws. If requests made are not considered valid, SERaro will not process them and will inform the data subject of the reasons associated with that decision.

e. Restriction of Processing

SERaro ensures that means are available to allow the data subject to request restriction of the processing of their personal data.

f. Consent and Withdrawal of Consent

SERaro seeks to obtain the data subject's consent to collect and process their data for the various purposes, except in situations where processing falls within the scope of the provision of a service or performance of a contract, or where legal requirements do not require collection of such consent.

One such situation arises where there is a legitimate interest of SERaro, where such processing is necessary for SERaro to carry out its activities and the processing does not adversely affect the interests of data subjects or their fundamental rights and freedoms.

The processing of personal data at SERaro is governed by the following principles:

  • Lawful, fair and transparent
  • Specified, explicit and legitimate purposes
  • Integrity and confidentiality of data
  • Accuracy and up-to-dateness of data
  • Data minimisation
  • Retention of data only for the period necessary for the purposes for which they are processed
  • Accountability for data

The processing of personal data at SERaro is carried out when one of the following conditions is met:

  • processing is carried out in the context of the provision of a service or performance of a contract, or where there is a legitimate interest demonstrating that the rights and freedoms of the data subject are safeguarded;
  • processing is carried out within a legal framework, arising from regulatory requirements as provided for in the Regulation;
  • processing is carried out to communicate any initiative (seminars, training, events, for example).

If none of the above conditions is met, processing of personal data must be carried out only after obtaining the data subject's explicit consent for the purpose expressly communicated to them.

The various processing operations of personal data, respective purposes (where necessary), types of data and collection methods routinely carried out at SERaro are described below, aligned with the processes and activities recognised by the entity. The types of data are described in Section XIII. Types of Personal Data.

a. Member Data

In the context of service provision, the organisation collects and processes personal data of its members for various purposes, described below:

  • Billing
  • Processing
  • Statistical

b. Employee, Volunteer and Applicant Data

In the course of its activities, the organisation may collect and process personal data of volunteers, employees and applicants for various purposes. The collection and processing of this information has a legal basis and is carried out in accordance with applicable regulatory and legal requirements, except in cases for which consent of these data subjects is requested. The processing carried out by the organisation in this context is presented below.

  • Recruitment

Natural persons wishing to apply for positions within the organisation (applicants) submit their application by responding to announcements sent to SERaro's general email address, sending their CV.

Some of this data may be collected through temporary employment agencies or organisations providing recruitment and reception services to SERaro.

When unsolicited applications are received at SERaro's general email address, they are processed exclusively by SERaro's administrative support for the purpose for which they are intended. In order to store personal data from unsuccessful applications for future opportunities, the data subject's consent is collected, specifying, at minimum, the maximum retention period.

  • Professional Purposes

For hiring, payroll processing, training, occupational health and safety purposes, the organisation collects a set of personal data about its employees, including identification and contact data, health data, qualifications and professional experience, and training certificates. This information is collected in person, via email or entered by the employee in their employee record in the organisation's information system.

Identification and contact data of employees may be sent to human resources consulting service providers contracted by SERaro.

SERaro periodically carries out quality control, during which forms are assessed to check for any events, including those relating to data privacy controls.

SERaro implements a set of procedural and technological measures aimed at ensuring the security of the processing of personal data where such processing is carried out by SERaro.

At the level of data retention, security procedures and controls are defined, both physical and digital, to ensure data integrity and access control.

At the level of information system security, SERaro establishes security controls to be applied to stored data, in particular personal data. Access to data is segregated and limited to strictly necessary employees, with access logs recorded and monitored. Where possible, data protection mechanisms such as data encryption are applied. Procedures and rules are defined for performing backups of information systems. A business continuity plan for SERaro and a corresponding disaster recovery plan are also defined, which reduce the risks of loss or compromise of data integrity. These plans are reviewed periodically and tested by a company contracted for IT support.

SERaro ensures the adoption of principles and best practices for the management of documents containing personal data.

SERaro has established processes and procedures to identify and handle incidents in the field of data privacy. SERaro provides channels for reporting potential incidents as set out in Section XIV. Contacts.

SERaro is responsible for the processing of all data collected and processed by it.

SERaro is subject to inspection actions by the supervisory authority, the Comissão Nacional de Proteção de Dados (CNPD). Unlawful processing of personal data or other violations of data protection laws may give rise to legal action against SERaro. Employees who are held responsible for data protection violations are subject to disciplinary sanctions in accordance with applicable employment law.

Consent: a legally valid agreement by which a person authorises the processing of their personal data for a specific purpose.

Personal data: any data that allows the direct or indirect identification of a person.

Incident or breach: a situation in which there is suspicion that personal data have been unlawfully obtained, modified, copied, transmitted or used.

Data subject: for the purposes of this policy, a data subject is any person whose data are processed.

Data transmission: transmission occurs whenever personal data in SERaro's possession are passed to third parties.

Personal Identification Data: first name, middle name, last name, date of birth, age, gender, Citizen Card number, height, weight, marital status, nationality, photograph, biometric data, supplementary data.

Personal Directory Data: household number, number of children, address (primary), address (secondary), landline telephone number, mobile telephone number, email, fax number, supplementary data.

Other Government-Issued Identifiers: social media identifiers, NIF (tax identification number), NISS (social security number), health user number, supplementary data.

Special Data: driving licence number, racial or ethnic origin, beliefs, trade union membership, sexual orientation, supplementary data.

Other Sensitive Personal Data: political opinions, access credentials, criminal sanctions, IBAN, geolocation, contract number, meter serial number, supplementary data.

Health Data: health insurance number, device identifiers and serial number, medical treatment, medical diagnosis, medical history, medical requests, prescription number, other medical data or acts, genetic tests, health history, supplementary data.

General contact for exercising data subject rights: ser@seraro.pt

Photo by Joshua Sortino on Unsplash
