1 – INTRODUCTION
a) Your privacy and the protection of your personal data are very important to VNM;
b) This is a mission we take very seriously because we know we have a legal duty to protect the personal data we process, whether it’s from users of our website, our employees, service providers, suppliers, or customers;
c) This duty of ours is thus a daily priority in the exercise of our activity, and we comply with and enforce the terms of the General Data Protection Regulation, dated April 27, 2016, regarding the protection of individuals with regard to the processing of personal data and on the free movement of such data (GDPR), amended on May 23, 2018 (Official Journal of the EU L 127/2) and corrected on October 12, 2020 (Council of the European Union), and also Law 58/2019, of August 8, which implements the GDPR in the Portuguese legal order;
d) If you have any questions, comments, or suggestions regarding our Privacy Policy, please contact us using the contact details provided below.
2 – WHO IS RESPONSIBLE FOR PROCESSING?
VNM – Sociedade de Advogados, (hereinafter VNM), holder of tax number 516 750 780, headquartered at Avenida da República nº19, 1º andar Apartado 17, 8700-308 Olhão, is responsible for processing your personal data.
3 – GENERAL PRINCIPLES OF OUR PRIVACY POLICY
a) In the scope of your relationship with us, especially when accessing our website, providing us with your personal data, or interacting in a way that allows us to collect them, notably through the forms we provide, we would like to emphasize that by doing so, you are accepting our Privacy Policy, with your personal information being processed according to the rules and concepts stated herein, including any future changes.
b) Our policy is based on the principles outlined below, which are essential and guiding principles for us:
i) At VNM, only duly authorized persons process data that are strictly necessary for specific and legitimate purposes;
ii) Security in the processing of your data is a constant priority for us, one that we review periodically in line with technological innovation and in which we invest periodically;
iii) We acknowledge that personal data do not belong to us, but to their owners, and it is our responsibility only to process them in accordance with the legal regulations in force, respecting and enforcing their rights, for which purpose we have implemented the necessary technical and organizational measures.
iv) We promote and internally disseminate best practices in the field of Privacy, Data Protection, and Information Security, which we regularly review because we understand that we are engaged in a process of continuous improvement, within which we know that it is always possible to do more and better.
4 – CONCEPTS AND INFORMATION TO DATA SUBJECTS
a) Within the scope and for the purposes of this policy, we follow the definitions contained in Article 4 of the General Data Protection Regulation, namely those listed below and without excluding compliance with the other definitions indicated therein:
i) Personal Data – any information relating to an identified or identifiable natural person, whereby an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
ii) Processing – any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, or combination, restriction, erasure, or destruction;
iii) Consent – of the data subject, meaning any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
iv) Controller – the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
v) Processor – a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
5 – WHAT CATEGORIES AND WHAT PERSONAL DATA DO WE COLLECT ON OUR WEBSITE?
a) For the purpose of providing our services, we collect various categories of personal data, namely, identification data, data related to academic qualifications, and browsing data.
b) We collect only the data strictly necessary, in strict compliance with the principle of minimization, namely:
i) name
ii) email address
iii) phone contact
iv) nationality
v) IP addresses, operating system, access device, language, and information collected by cookies
vi) personal data, namely, qualifications, certifications, positions held, employer data, all resulting from Curriculum vitae
6 – HOW AND WHEN DO WE COLLECT AND PROCESS YOUR PERSONAL DATA ON OUR WEBSITE?
a) Your personal data may be collected:
i) When you subscribe to VNM’s newsletter, by email or through our website;
ii) When you fill in the fields of the “Contact Us” form on our website;
iii) When you request registration or participate in one of the events organized by VNM;
iv) When you submit an application to collaborate with VNM, by email or through the form on our website;
v) When we receive applications through recruitment agencies.
b) The personal data we collect are subject to computer processing and stored in databases, strictly complying with the current European and national legislation regarding Privacy, Data Protection, and security of processing.
c) We will only process your personal data for specific and legitimate purposes, determined at the time of collection, and these data will not be subsequently processed in a manner incompatible with those purposes, except for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes. In these cases, as provided for in the GDPR, the aforementioned incompatibility does not occur.
d) If we collect and process special categories of personal data (“sensitive data”), this processing will only be carried out in accordance with the exceptions provided for in Article 9(2) of the GDPR, and,
e) If this aforementioned data is collected from the data subject and the processing is based on their consent, we will inform you of the right to withdraw that consent.
f) Please note that, according to the legal terms provided in the GDPR, if you withdraw your consent, the lawfulness of the processing carried out based on the previously given consent is not affected.
7 – FOR WHAT PURPOSES DO WE PROCESS YOUR PERSONAL DATA?
a) We process your personal data for the following purposes:
i) Management and execution of the contractual relationship, including:
– Provision of contracted legal services;
– Invoicing and payment of services;
– Communication of changes to the contracted services’ conditions;
– Communication to public entities for legal reasons;
– Communication to insurers for the execution of insurance contracts.
ii) Recruitment, when the user/data subject applies through the submission of spontaneous applications or within the framework of recruitment processes initiated by us, under which we may receive applications from recruitment agencies;
iii) Sending of information of interest and communications within the scope of our activity;
iv) Clarifications regarding information requests you make to us;
v) Management of and response to your requests or complaints;
vi) For compliance with legal obligations to which we are subject;
vii) For the purpose of exercising or defending rights within the scope of judicial proceedings, regardless of their nature;
viii) To monitor the security of our website, optimize your visit, navigability, and personalization;
ix) Organization and management of events organized by us or jointly with other entities.
8 – WHAT ARE THE LEGAL GROUNDS FOR PROCESSING YOUR PERSONAL DATA?
a) We only process your personal data in strict compliance with the principle of lawfulness.
b) Depending on the circumstances, the processing of your personal data may be carried out on the following legal grounds:
i) Performance of a contract to which the data subject is a party or for pre-contractual measures at the request of the data subject;
ii) Compliance with legal obligations to which we are subject;
iii) Our legitimate interests;
iv) Your consent, freely given, specific, informed, and unambiguous, when consent is the lawful basis for processing;
v) Protection of vital interests.
9 – CHILDREN’S DATA
a) We do not collect or intend to collect, as a principle, personal data from children, considering the recipients of the services we provide;
b) Under Article 8 of the GDPR, personal data of children may only be processed based on the consent provided for in Article 6(1)(a) of the GDPR and relating to the direct offer of information society services when they are over 13 years old.
c) In the event that we voluntarily collect personal data from children, we will take care to comply with the legislation in force in this matter, namely obtaining prior parental consent for the processing of personal data to be carried out, in which case we will resort, if possible, to secure authentication methods, as provided for in Law 58/2019 of August 8.
10 – WHO MAY WE DISCLOSE YOUR DATA TO?
a) VNM does not routinely disclose your data to any third parties, except for the fulfillment of purposes described in this policy.
b) In particular, there may be transmission of personal data for the purpose of complying with legal obligations to which we are subject and which are applicable at any given time, or if the provision of our services so requires, as well as for sending newsletters or other communications consented to by you.
c) Whenever we use subcontractors to process your data on our behalf, which implies access by these entities to such data, we take appropriate measures by entering into the contract required by law to ensure that these subcontractors provide sufficient and adequate guarantees of implementing technical and organizational measures and that they will only act in accordance with our instructions, processing the data only for the intended purposes and deleting or returning the data to VNM upon completion of the service provision.
d) These subcontractors are subject to prior evaluation regarding their compliance with data protection regulations and are subject to periodic audits, as contractually provided for.
e) In the event that VNM transfers your personal data to third countries (outside the European Union or European Economic Area) for the purposes indicated, and in the absence of an adequacy decision adopted by the European Commission, we ensure that appropriate security and legal measures are taken to protect your personal data, complying with the current legislation.
11 – HOW LONG DO WE KEEP YOUR PERSONAL DATA?
a) The period during which data is stored and retained varies according to the purpose for which the information is processed. For example, we will retain your spontaneous application for one year, ensuring your rights as a data subject.
b) There are legal requirements that oblige us to retain data for a minimum period of time, in which case we will apply that period, especially in tax matters.
c) If there is no legal retention period, the data will be stored and retained in a manner that allows the identification of data subjects only for the period necessary for the purposes for which they are processed, after which they will be appropriately processed, securely destroyed, or anonymized.
12 – WHAT ARE YOUR RIGHTS AS A DATA SUBJECT?
a) In accordance with the provisions of the GDPR, we ensure, through internal organizational measures that we have implemented and periodically review, the exercise of your rights as a data subject, within the deadlines and in compliance with the legal obligations provided for.
b) Your rights as a data subject:
i) Right of Access – you have the right to request information, among others, regarding whether your data is being processed, what data we process, and for what purposes. If you wish, you can request a copy of the personal data being processed, with the provision of additional copies subject to the payment of a reasonable fee, taking into account administrative costs. If the request is made in electronic format, and unless otherwise indicated by you, the information will be provided to you in a commonly used electronic format.
ii) Right to Rectification – you have the right to have inaccurate personal data concerning you rectified without undue delay, and incomplete data completed, including by means of providing a supplementary statement.
iii) Right to Erasure (“right to be forgotten”) – you may request, under certain circumstances, that your personal data be erased from our records without undue delay, whenever one of the reasons provided for in the GDPR applies.
iv) Right to Object – you have the right to object, on grounds relating to your particular situation, to certain types of processing of data provided for in the GDPR, such as processing for direct marketing purposes, in which case we will cease processing for that purpose.
v) Right to Data Portability – you have the right to receive the personal data you have provided to us, in a structured, commonly used, and machine-readable format, and to transmit those data to another controller.
vi) Right to Restriction of Processing – the right to obtain restriction of processing of your personal data, for example, if you contest the accuracy of your personal data for a period enabling us to verify its accuracy, if the processing is unlawful, if we no longer need the personal data for the purposes of processing, but they are required by you for the establishment, exercise, or defense of legal claims, or if you have objected to processing.
vii) Right to Lodge a Complaint with a Supervisory Authority – in Portugal, the supervisory authority is the CNPD – Comissão Nacional de Proteção de Dados (www.cnpd.pt)
viii) Right to Claim Compensation and Liability – if you have suffered material or immaterial damage due to a breach of the GDPR, you have the right to receive compensation from the controller or processor for the damage suffered.
ix) Right not to be subject to Automated Decision-making – you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
x) Right to Withdraw Consent – easily.
c) In order to exercise these rights, please refer to the “Contacts” section of this Privacy Policy.
d) After sending an email or another means indicating your wish to exercise any or some of the rights listed, we will act accordingly by sending you promptly, for the exercise of your rights listed in points i) to vi) and point ix), our “Data Subject Rights Exercise Form.”
e) Within the legal deadline of 30 (thirty) days, you will receive a duly substantiated communication from us.
f) The legal deadline referred to in the preceding paragraph may be extended to 60 (sixty) days, due to the number or complexity of requests.
g) If the requests made by the data subject are manifestly unfounded or excessive, particularly because of their repetitive nature, we may:
i) Demand the payment of a reasonable fee, taking into account the administrative costs of providing the information or communication, or taking the measures requested;
or
ii) Refuse to comply with your request.
13 – WHAT MEASURES HAVE WE IMPLEMENTED TO ENSURE THE SECURITY OF YOUR PERSONAL DATA?
a) We have adopted technical and organizational measures appropriate to ensure a level of security adequate to the risk, which we periodically review and improve, aimed at ensuring the security and protection of your personal data in terms of their availability, authenticity, integrity, and confidentiality, as well as measures aimed at preventing their loss, misuse, alteration, unauthorized processing or access, as well as any other form of unlawful processing.
b) Our commitment to the security of your personal data is ongoing, and it involves a set of measures aimed at safeguarding and mitigating the risk of data breaches, including the measures provided for in Article 32 of the GDPR, based on risk, context, and purposes, which include:
i) Pseudonymization and encryption of personal data;
ii) The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
iii) The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
iv) A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure the security of processing.
c) The level of security we have implemented takes into account the risks presented by the processing, particularly the risks of destruction, loss, alteration, unauthorized disclosure, or access to transmitted, stored, or otherwise processed personal data.
d) Please note that despite all the efforts we employ regarding security matters, we cannot guarantee the complete and absolute inviolability of the information received, given the insecure nature of open networks such as the Internet.
14 – CONNECTIONS TO OTHER WEBSITES
a) Our website may contain links that may lead you to other sites.
b) VNM does not assume any responsibility, endorse, or in any way support or subscribe to the content of these sites or their policies, including websites linked to or referred to therein.
c) In order for you to be properly informed, we advise you to read the privacy policies of any other website linked to VNM’s website.
15 – INTERNATIONAL DATA TRANSFERS
If we communicate your personal data to third countries or international organizations, we will strictly comply with applicable legal provisions and assess the adequacy of the country or organization concerned with regard to the requirements applicable to such transfers, or apply appropriate safeguards that allow data subjects to enforce their rights and effective legal remedies, as provided for in the GDPR.
16 – USE OF COOKIES
To learn more about cookies and how we use them on our website, please refer to our Cookie Policy.
17 – TRAINING OF OUR EMPLOYEES
We understand that the human factor is crucial in complying with applicable regulations, which is why we train all our employees, both initially and subsequently, ensuring that everyone is uniformly acquainted with the applicable rules and best practices aimed at protecting your personal information.
18 – CONTACTS
a) If you have any doubts or questions about how we collect and process personal data, you can contact us, and we will respond within the applicable legal deadlines:
Contacts
Email: info@vnm.pt
Address: VNM – Sociedade de Advogados
Avenida da República nº19, 1º andar Apartado 17, 8700-308 Olhão.
b) In order to protect your privacy, and if necessary, we will take the necessary measures to verify your identity, requesting limited additional information that is strictly necessary for the purpose of such identification.
c) If you wish to exercise your rights, and without prejudice to any applicable limits on their exercise, please use the contacts provided, and we will immediately send you our “Data Subject Rights Exercise Form,” which you should return to the email or address indicated above.
d) All responses will comply with the legally prescribed deadlines.
19 – REVIEW OF OUR PRIVACY POLICY
We reserve the right to change the content of our Privacy Policy without prior notice, while informing and publishing the changes on our website, making these changes an integral part of the Privacy Policy.
20 – VERSIONS OF OUR POLICY
Version 1: March 2024