June 6, 2021
1. Scope and data controller
- “Online Services” – web pages, applications, channels and other online initiatives of XPERIALAB.
- “Personal Data” – any and all information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, electronic identifiers, email, mobile phone number, or to one or more specific elements of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- “Processing ” – operation or set of operations carried out on personal data, whether through automated or non-automated procedures, such as collection, registration, organization, structuring, conservation, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, broadcast or any other form of making available, comparison or interconnection, limitation, erasure or destruction.
- "Personal Data Subject" or "User" - refers to the natural person who browses the website or to whom personal data are processed,
- “Controller” – the natural or legal person, public authority, agency or body that individually or jointly with other entities determines the purposes and means of processing personal data.
- “Subcontractor” – natural or legal person, public authority, agency or other body that processes personal data in accordance with the instructions and on behalf of the data controller.
- “Recipient” – natural or legal person, public authority, agency or other body that receives communications of personal data.
3. General Principles Applicable to the Processing of Personal Data
In compliance with the general principles of the processing of Personal Data, XPERIALAB ensures that the User's personal data processed by it are:
- Object of lawful and transparent treatment towards the User.
- Collected and processed for a specific, explicit and legitimate purpose.
- Appropriate and limited to what is necessary for the purposes for which they are treated.
- Updated and corrected whenever necessary, all measures being taken so that incorrect data is eliminated or rectified as soon as possible.
- Maintained in order to allow the identification of the User only during the period strictly necessary for the purposes for which they are treated.
- Treated in such a way that their safety is guaranteed, namely the protection against their unauthorized treatment or their accidental loss or destruction. In this regard, the necessary technical and organizational measures will be taken.
The processing of personal data by XPERIALAB is lawful when at least one of the following conditions is met:
- The User has given explicit consent to the processing of their personal data for one or more specific purposes.
- The processing of data is necessary for pre-contractual steps at the User's request.
- The treatment is necessary for a legal obligation to which XPERIALAB is subject.
- The processing is necessary for the pursuit of the legitimate interests of XPERIALAB or third parties, without prejudice to the prevailing interests and rights of Users who require the protection of Personal Data.
XPERIALAB undertakes to ensure that the processing of User data is only carried out under the conditions and in compliance with the principles set out above.
When the processing of the User's data is carried out with the User's consent, the User may at any time withdraw their consent, which does not compromise the lawfulness of the processing carried out by XPERIALAB based on the consent previously given by the User.
The data, whenever there is no specific legal requirement, will be kept for the minimum period necessary for the purposes that led to its collection and processing. After that period they will be eliminated.
4. Personal data processing activities
4.1 Categories of personal data
XPERIALAB collects and processes data from visitors to its websites according to the purposes for which they are collected. The following data is thus collected:
- Identification data such as name;
- Contact details such as email, telephone number and others;
- Location data such as address;
- Tax identification data;
- Cookies are also collected, the detailed information of which can be consulted in the Cookies Policy .
4.2 Purposes, legal bases and conservation terms
5. Communication of personal data
XPERIALAB will not share users' personal data except in the following situations:
- Processing of personal data to the extent necessary to provide XPERIALAB contents and services.
- Situations where for legal reasons it is necessary to share personal data.
In the scope of the processing of personal data XPERIALAB does not resort to third parties.
XPERIALAB may transmit personal data to other entities not classified as subcontractors in situations where it is essential:
- Public Entities, namely Tax Authority, Police Bodies and Courts.
- Private entities such as printers, transport companies, among others.
6. Technical, organizational and security measures implemented
XPERIALAB, depending on the nature, scope and purposes of data processing, undertakes to adopt the technical and organizational measures necessary to protect the User's data and comply with legal provisions. XPERIALAB also undertakes to ensure that only the data necessary for the specific needs of the treatment will be processed and to limit the access of these data to professionals whose intervention in the treatment is strictly necessary.
XPERIALAB adopts the following measures:
- Training of its staff involved in data processing.
- Adopting security measures on their websites.
- Mechanisms to restore information systems and access to personal data in the event of a technical incident.
- Encryption of personal data.
- Regular audits to ensure compliance with the aforementioned technical and organizational measures.
7. International transfers
XPERIALAB does not transfer data outside the European Economic Area.
XPERIALAB does not process personal data of minors.
10. User Rights
- Right of access – right if personal data concerning the User are processed and, if so, the right to access their personal data.
- Right of rectification – right to rectify the User's personal data that is incorrect or incomplete.
- Right of erasure – right to obtain the erasure of your personal data in the shortest possible time. Exceptions are made to situations in which the data cannot be deleted for legal reasons.
- Right to limitation of treatment - in accordance with article 18 of the GDPR, the User has the right to request the limitation of the processing of their personal data, either in the form of suspension or limitation of the processing of certain categories of data, or in terms of the purposes of the treatment.
- Right of portability – the User has the right to receive personal data concerning him/her and which he/she has provided through a structured format and the right to have such data transmitted to another person responsible for the treatment.
- Right of opposition – the User has the right to object at any time to the processing of data concerning him. Exceptions are made to situations where there are legitimate reasons that prevail over this right as legal reasons.
The revocation of consent by the User does not invalidate the processing of data while the consent was in force.
The User may exercise his rights by contacting XPERIALAB through the following channels:
- Sending a registered letter to the address Av. da Peregrinação, 9, 1 dto, 1990-425 Lisbon, care of the Privacy Ombudsman.
- Email Privacy@xperialab.eu.
The communication must include the following elements:
- Name and email.
- Right you want to exercise. In the case of the right to limit processing, the reasons that lead the User to believe that his/her data is being improperly processed.
- Address for notification purposes, in cases where the request is made by letter.
XPERIALAB undertakes to respond to the User through the channel used by him within a maximum period of 15 days after the date of receipt. In cases of special complexity, this deadline can be extended, and XPERIALAB must present a new deadline and the reasons for its postponement.
The User may also, if he considers that XPERIALAB has not complied with the requirements of the RGPD or other national legislation applicable to data protection, exercise the right to complain to the National Data Protection Commission using this body website
11. Violations of personal data
In case of data breach and whenever there is a risk to the User's rights and freedoms, XPERIALAB will communicate the breach of personal data to the National Data Protection Commission within 72 hours of becoming aware of the incident.
In case of high risk, XPERIALAB will communicate with Users as soon as possible for the adoption of mitigation measures.
13. Applicable law and jurisdiction