The use by SONHOS DA PRADARIA, Lda., hereinafter known as MADEIRA SUN TRAVEL, of the information available in the context of its activity should always bear in mind the legal provisions in force in Portuguese territory, on which the Data Protection Policy, hereinafter referred to as DPP, of MADEIRA SUN TRAVEL is based.
-The DPP regulates and monitors the use of information by the company's internal and outsourcing business processes.
-The DPP it is not confidential but is based on a need to know logic with regard to the internal and external use of data, always in line with the applicable legal provisions.
It is in this context that MADEIRA SUN TRAVEL has developed its Data Protection Policy (DPP) applicable to all those who collaborate with MADEIRA SUN TRAVEL
2.1. The purpose of this document is to establish and maintain a certain level of data protection that:
- Comply with applicable legal provisions on data protection.
- Meet the needs of customers, partners, and employees.
- Enable you to carry out business processes effectively.
- Allow MADEIRA SUN TRAVEL to maintain a suitable image of high responsibility and strict compliance with the law
- RULES AND PROCEDURES
3.1. All employees who use personal data are individually responsible for compliance with applicable legal and regulatory provisions.
3.2. The management of the company, in addition to being obliged to comply with the rules and procedures related to the DPP, has the task of implementing structures and ensuring adequate resources for the proper functioning of the DPP.
3.3. Employees have an obligation to ensure the confidentiality of the data as an inseparable part of their functions provided for in the employment contract. They should also proceed in accordance with all information and training received and comply with all the guidelines set out in the DPP. Failure to comply with these obligations may have disciplinary consequences, and all failures under the DPP should be reported to the RPD.
3.4. Employees, for the purposes of the Data Protection Policy, are those who have with MADEIRA SUN TRAVEL a working relationship, internship, service provision or other comparable
3.5. DPR is responsible for ensuring compliance with data protection regulations by providing information to all employees of the company in this field.
3.6. The DPR will also be responsible for identifying risks and proposing opportunities for improvement related to PPD.
- PERSONAL DATA DEFINITION
Personal information is considered all information, of any nature and regardless of the support in which it is stored, related to the personal characteristics or material circumstances of a natural or identifiable person, namely. the address, profession, civil or tax identification number, the banks in which they have accounts, bank account numbers, bank card numbers, marital status, income or financial position and everything else that, at any time, is considered information and personal character.
- PERSONAL DATA PROCESSING
5.1. The processing of personal data means any operation or set of operations on personal data, carried out with or without automated means, such as the collection, registration, organisation, conservation, adaptation or alteration, recovery, consultation, use, communication by transmission, dissemination or any other form of making available, with comparison or interconnection, as well as blocking , erasure or destruction.
5.2. Personal information should be collected, processed and used:
- based on a contractual and confidential relationship with the person concerned.
- With the written consent of the persons involved.
- With the detail that is legally possible or required.
5.3. All procedures for the processing of personal data must comply with the requirements imposed by the applicable rules. (See Annex)
5.4. Any change to the method of collection and processing of personal data should be communicated to the DPR to verify its feasibility and compliance with applicable standards.
5.5. The collection of data shall be carried out for certain purposes and be limited to the information necessary for the business process in question, and may not concern, except with the prior consent of the data subject, personal data relating to philosophical or political beliefs, party and trade union affiliation, religious faith, private life, racial or ethnic origin, health or sex life.
5.6. The personal data collected should be accurate and should be updated if necessary, and appropriate measures should be taken to erase or rectify inaccurate and incomplete data.
5.7. As far as possible and when it is considered advantageous the information should be anonymous and pseudonyms may be used.
- DELETE AND FREEZE INFORMATION
6.1. Where the data is not necessary for a particular purpose, or when the purposes that motivated its storage have been fulfilled, the information shall be deleted.
6.2. In case it is necessary to retain the data for a certain period the information should be "frozen".
6.3. In the latter case, access to “frozen” information requires specific authorization from the Executive Council, after hearing the DPR.
- DATA SUBJECTS RIGHTS
MADEIRA SUN TRAVEL should establish procedures aimed at protecting data subjects’ rights about:
- Compliance with the specific purpose of the data collection, i.e. personal data may not be used for purposes other than those which motivated its collection, and of which the data subject has been duly informed.
- Providing information to the data subject on the storage of his/her data, its content and its right to consultation and correction of information.
- Rectification, deletion or blocking of data, and its notification, if possible, to third parties who have been aware of such data.
- Opposition, always based on compelling and legitimate reasons relating to its situation, to the processing of the data held by it.
- Notification when the information is first stored by another method other than the original.
- Not using personal data for advertising, direct marketing or any other form of commercial prospecting, as well as your non-communication to third parties for the same purposes, except with the prior consent of the data subject.
- MANAGEMENT OF EMPLOYEE DATA
8.1. The personal data of employees will be processed in accordance with the data protection policy, considering the rights and operational requirements of the Company.
8.2. The personal data of employees are processed exclusively in the context of employment contracts.
8.3. The processing of employee personal data within a business relationship underlies the same data processing procedure as a normal customer.
8.4. Access to this information should be requested from the DPR
- DISCLOSURE AND CONTRACTUALIZATION
9.1. The DPP will be posted on the company's website.
9.2. The obligation of confidentiality by MADEIRA SUN TRAVEL employees, in relation to personal data to which they have access by virtue of their functions, must be included in the employment contracts, remaining in any case in force even after the end of their duties at the service of MADEIRA SUN TRAVEL.
- INFORMATION AND TRAINING
10.1. Appropriate information and training on DPP should be made available to all employees
- MAKING PERSONAL DATA AVAILABLE TO THIRD PARTIES
11.1. Personal data may only be made available to external entities where this is specifically provided for in the Law, or by express consent of the data subject.
11.2. Prior to the provision of any information by telephone, appropriate identification of the applicant for the information should be carried out by contrasting specific personal data.
11.3. The applicant shall be informed in advance that the information requested for contrast is a measure to protect his own personal data.
11.4. The provision of personal data to spouses or legally equivalent to persons whose personal data is collected will follow the same rules as providing information to third parties
11.5. In the event of the requirement of personal data by auditors or external authorities, their provision shall be limited to what is strictly necessary for these entities to be able to properly perform the tasks and functions which are committed to them by law or contract.
11.6. In case of doubt about rights of access to information, the DPR should be consulted.
- EXTERNAL SERVICE PROVIDERS
Contracts with external providers should include appropriate specific requirements for the DPP.
- DATA PROTECTION AND SECURITY MEASURES
13.1. Measures should be put in place to provide an appropriate data protection policy, avoiding improper, accidental, or intentional disclosure.
13.2. Data should be classified according to its level of confidentiality.
13.3. The rigour of protection measures should be proportionate to the level of confidentiality of the data to be protected.
14.1. In case of doubt about rights of access to information, on specific requirements to be imposed on third parties or others that comply with the DPP, the DPR should be consulted
14.2. O DPR provides guidance to internal teams whenever their intervention is requested, and has been requested, and which may interfere with the normal functioning of the services.
Data Protection Legal Regime
Personal Data Protection
Article 35 of the Constitution of the Portuguese Republic - use of information technology
Law No. 67/ 98 of October 26 - Law on the Personal Data Protection
Law No. 43/ 2004, of August 18 - Law of the organization and operation of CNPD Health
Law No. 41/2004 of August 18 - Regulates the protection of personal data in the Electronic Communications sector
Decree-Law No. 7/2004 of January 7 – transposes the E-Commerce Directive and Article 13 of the Electronic Communications Directive
Law No. 32/2008 of July 17 - Regulates the retention of data in the context of electronic communications service
Decree-Law No. 35/ 2004 - use of video surveillance systems by private security and self-protection services.
Law No. 1/2005 of January 10 – use of video cameras by forces and security services in public places of common use.
Law No. 99/ 2003 of August 27- approves the Labour Code
Law No. 35/ 2004 of July 29 - regulates the Labour Code
Law No. 109/ 91 of August 17 - Computer Crime Law