A. GENERAL PART
1.1. USER DATA COLLECTION & PROCESS
As a rule, Personal Data is requested when the User wishes to contact MPR, either to request any of the services it provides or to obtain additional information about them. MPR collects different categories of personal data from its clients, potential clients, suppliers, service providers and candidates. These categories of personal data may include identification data, contact data, billing data and data relating to academic and professional background. In the context of providing consultancy services to its clients, MPR may process special categories of personal data, in particular: political opinions and/or trade union membership. This data is only processed when it has been manifestly made public, in accordance with Article 9(2)(e) of the GDPR.
Considering that the Website has an unstructured field for sending messages to MPR, Personal Data may be sent as part of said message. Personal Data belonging to special categories (i.e., racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data to uniquely identify a person, data concerning health or data concerning a person’s sex life) should not be entered in this field.
1.2. DATA RECIPIENT
As part of the processing of User Data, MPR uses or may use third parties that it subcontracts to process User Data on its behalf and in accordance with the instructions given by MPR.
MPR ensures that such subcontractors provide sufficient guarantees for the implementation of appropriate technical and organisational measures, so that the processing meets the requirements of applicable law and ensures the security and protection of the rights of data subjects, under the terms of the subcontracting agreement entered into with said subcontractors.
MPR may also transmit its Clients’ Personal Data to third parties, not qualified as subcontractors, when it deems such data communications to be necessary or appropriate (i) in the light of applicable law, (ii) in fulfilment of legal obligations/court orders, or (iii) to respond to requests from public or governmental authorities. In this regard, MPR may transmit your Personal Data to public authorities and regulators.
The table below lists the recipients of Personal Data transmissions:

| Categories of recipients | Purposes of processing Personal Data |
| --- | --- |
| Consultants and Lawyers | Provision of consultancy and legal services |
| Providers of Human Resources (“HR”), Accounting and IT services. | Provision of services (e.g. Website hosting, HR, Accounting and IT) |

1.3. DATA COLLECTION CHANNELS
MPR may collect data directly (i.e., directly from the User) or indirectly (i.e., through partner organisations or third parties). Collection can take place through the following channels:
Direct collection: in person, by telephone, by e-mail and via the Website.
2. GENERAL PRINCIPLES APPLICABLE TO THE PROCESSING OF USER DATA
In terms of general principles regarding the processing of Personal Data, MPR undertakes to ensure that the User Data it processes is:
1- Processed in accordance with the law, fairly and transparently in relation to the User;
2- Collected for specific, objective and legitimate purposes and not further processed in a manner contrary to those purposes;
3- Adequate, justified and limited to what is necessary in relation to the purposes for which they are processed;
4- Accurate and up-to-date whenever necessary, with all necessary measures being taken to ensure that inaccurate data, taking into account the purposes for which it is processed, is erased or corrected without delay;
5- Kept in a way that allows the User to be identified for no longer than is necessary for the purposes for which the data is processed;
6- Processed in a manner that guarantees their security, including protection against unauthorised or unlawful processing and against their loss, destruction or unforeseen damage, with the adoption of appropriate technical or organisational measures.
7- The processing of data carried out by MPR is permitted and legitimate when at least one of the following situations applies:
- The User has given his or her free, positive, explicit and unambiguous consent to the processing of User Data for one or more specific purposes;
- The processing is necessary for the fulfilment of a contract to which the User is a party, or for pre-contractual procedures at the User’s request;
- Processing is necessary for the fulfilment of a legal obligation to which MPR is subject;
- Processing is necessary for the defence of the vital interests of the User or another individual;
- Processing is necessary for the purposes of the legitimate interests pursued by MPR or by a third party (unless the interests or fundamental rights and freedoms of the User that require the protection of Personal Data prevail).
MPR undertakes to ensure that the processing of User Data is only carried out under the conditions listed above and with respect for the aforementioned principles. When the processing of User Data is carried out by MPR on the basis of the User’s consent, the User has the right to revoke his/her consent at any time. Revoking consent, however, does not jeopardize the lawfulness of the processing carried out by MPR on the basis of the consent previously given by the User.
The period of time for which data is stored and retained varies according to the purpose for which the information is processed, and it is only stored for as long as is necessary to fulfil the purposes for which it is processed, taking into account the Data Retention Policy approved by MPR.
In fact, there are legal requirements that oblige data to be kept for a minimum period of time. Therefore, and whenever there is no specific legal obligation, the data will be stored and kept only for the minimum period necessary for the purposes for which it was collected or subsequently processed, and at the end of which it will be deleted.
3. USE AND PURPOSES OF PROCESSING USER DATA
In general terms, MPR uses User Data for the following purposes:
Information request management
Data processing in order to respond to enquiries from potential clients.
Pre-Contractual due diligence
Management of the contractual relationship between clients and suppliers
Data processing with a view to carrying out actions during the course of the contractual relationship, with the aim of keeping the data provided up to date, possible changes to contractual conditions, fulfilment of contractual obligations, monitoring of clients and suppliers, support in the use of services, among others.
Providing consultancy services to clients
Media and Public Relations External communication Crisis management
Public affairs & engagement
Selection & Recruitment
For recruitment purposes, we collect and process candidate data as part of MPR’s recruitment processes.
Ensuring the safety of our facilities by managing accidents at work and controlling physical access, among other actions.
Legitimate Interest Legal Obligation
Emission of Invoices for the products and services purchased.
Legal Obligation Contractual Execution
Sending marketing communications
Sending marketing communications for products or services similar or not similar to those transacted.
Consent Legal interests
4. TECHNICAL, ORGANISATIONAL AND SECURITY MEASURES IMPLEMENTED
In order to guarantee the security of User Data and maximum confidentiality, MPR treats the information you have provided us with in an absolutely confidential manner, in accordance with its internal security and confidentiality policies and procedures, which are periodically updated as necessary, as well as with the terms and conditions provided for by law.
Depending on the nature, scope, context and purposes of the data processing, as well as the risks arising from the processing for the User’s rights and freedoms, MPR undertakes to apply, both at the time of defining the means of processing and at the time of the processing itself, the necessary and appropriate technical and organisational measures to protect the User’s Data and to comply with legal requirements.
It also undertakes to ensure that, by default, only the data necessary for each specific processing purpose is processed and that this data is not made available without human intervention to an indeterminate number of people.
Communication between the User’s device and the MPR Website is carried out through secure channels and communications using the HTTPS protocol and the SSL security standard.
Nevertheless, in terms of general measures, MPR adopts the following:
- Regular audits to identify the competence of the technical and organisational measures implemented;
- Sensitisation and training of staff involved in data processing operations;
- Pseudonymisation and coding of Personal Data;
- Mechanisms capable of ensuring the permanent confidentiality, availability and resilience of information systems;
- Mechanisms to ensure that information systems and access to personal data can be restored quickly in case of a physical or technical incident.
5. TRANSFER OF DATA OUTSIDE THE EUROPEAN UNION
MPR may transfer your Personal Data to recipients located in countries outside the European Union, which may have different levels of protection for Personal Data. Consequently, MPR endeavours to adopt appropriate measures to ensure the safe transfer of your Personal Data whenever there is a transfer to a third country whose level of protection for your Personal Data is different from that of the country where the Personal Data is collected. MPR undertakes to ensure that transfers of Personal Data to countries outside the European Union comply with the applicable legal provisions, in particular with regard to determining the suitability of such country with regard to data protection and the requirements applicable to such transfers.
When you visit our Website, small text files (cookies) are created and saved on your computer’s disc. These text files will enable a more personalised and efficient browsing experience. On each visit to the Website, your internet browser sends these cookies back to the Website, allowing it to recognise and memorise the identity of Users, as well as their usage preferences. These cookies will only be installed with your express consent, except in cases where the consent is necessary for the operation of the Website.
To find out all the information about the cookies we use on the Website, namely their purposes, categories, duration and to whom they belong, you can consult our Cookies Policy available here.
In addition, you can manage your preferences regarding the collection of cookies at any time in the preferences manager available here.
7. THIRD-PARTY TOOLS INTEGRATED INTO THE WEBSITE
The Website offers interactivity with LinkedIn, through the respective button, establishing a connection to LinkedIn’s servers, which will identify the Website that the User is visiting and possibly store other data, such as the IP address. Information on data processing carried out by LinkedIn is available at: https://www.linkedin.com/legal/privacy-policy?_l=pt_BR.
The Website offers interactivity with Facebook, through a connection to the servers of this social network, which will make it possible to identify the Website that the User is visiting and possibly store other data, such as the IP address. If the User has started their Facebook session, the data will be associated with their account. To prevent this from happening, the User should log out of Facebook before visiting the page. Information on the data processing carried out by these social networks is available at: https://www.facebook.com/about/privacy/
B. RIGHTS OF USERS (DATA SUBJECTS)
8. RIGHT TO INFORMATION
8.1. Information provided to the User by MPR (when the data is collected directly from the User):
- The identity and contact details of the Data Controller and, if applicable, his/her representative;
- The contact details of the Data Protection Officer;
- The purposes of the processing for which the Personal Data is intended, as well as, if applicable, the legal grounds for the processing;
- If the processing of the data is based on the legitimate interests of MPR or a third party, an indication of such interests;
- If applicable, the recipients or categories of recipients of the Personal Data;
- If applicable, an indication that the Personal Data will be transferred to a third country or an international organisation, and the existence or not of an adequacy decision adopted by the Commission or reference to appropriate or adequate transfer guarantees;
- The retention period of the Personal Data;
- The right to ask MPR for access to Personal Data, as well as its correction, deletion or limitation, the right to object to the processing and the right to data accessibility;
- If the processing of the data is based on the User’s consent, the right to withdraw it at any time, without jeopardising the lawfulness of the processing carried out on the basis of the consent previously given;
- The right to lodge a complaint with the CNPD or other supervisory authority;
- Indication of whether or not the communication of Personal Data constitutes a legal or contractual obligation, or a necessary requirement to enter into a contract, as well as whether the data subject is obliged to provide the Personal Data and the possible consequences of not providing such data;
- If applicable, the existence of automated decisions, including profiling, and information regarding the basic concept, as well as the significance and expected consequences of such processing for the data subject.
If User Data is not collected directly by MPR from the User, in addition to the information referred to above, the User is also informed about the categories of Personal Data being processed, as well as the origin of the data and, if applicable, whether it comes from publicly accessible sources.
If MPR intends to further process User Data for a purpose other than that for which the data was collected, prior to such processing MPR shall provide the User with information on that purpose and any other information of interest, under the terms set out above.
8.2. Procedures and measures implemented to fulfil the right to information.
The information referred to in 8.1. shall be provided in writing (including by electronic means) by MPR to the User prior to the processing of the Personal Data in question. Pursuant to applicable law, MPR is under no obligation to provide the User with the information referred to in 8.1 when and to the extent that the User is already aware of it.
The information is provided by MPR free of charge.
9. RIGHT OF ACCESS TO PERSONAL DATA
MPR guarantees the means for the User to access his/her Personal Data.
The User has the right to obtain confirmation from MPR as to whether or not Personal Data concerning him/her is being processed and, where applicable, the right to access his/her Personal Data and the following information:
- The purposes of the data processing;
- The categories of Personal Data in question;
- The recipients or categories of recipients to whom the Personal Data has been or will be disclosed, namely recipients established in third countries or belonging to international organisations;
- The retention period of the Personal Data;
- The right to request from MPR the correction, deletion or limitation of the processing of Personal Data, or the right to prevent such processing;
- The right to lodge a complaint with the CNPD or other supervisory authority;
- If the data has not been collected from the User, the information available on the origin of that data;
- The existence of automated decisions, including profiling, and information on the underlying logic, as well as the significance and expected consequences of such processing for the data subject;
- The right to be informed of the appropriate guarantees associated with the transfer of data to third countries or international organisations.
Upon request, MPR will provide the User, free of charge, with a copy of the User Data being processed. The provision of other copies requested by the User may entail administrative costs.
10. RIGHT TO RECTIFICATION OF PERSONAL DATA
The User has the right to request the rectification of their Personal Data at any time, as well as the right to have incomplete Personal Data completed, including by means of an additional declaration.
In case of rectification of the data, MPR will communicate the rectification to each recipient to whom the data has been transmitted, unless such communication is deemed impossible or involves a disproportionate effort for MPR.
11. RIGHT TO ERASURE (‘RIGHT TO BE FORGOTTEN’)
The User has the right to obtain from MPR the deletion of his/her data when one of the following reasons applies:
- The User Data is no longer necessary for the purpose for which it was collected or processed;
- The User withdraws the consent on which the processing of the data is based and there is no other legal basis for said processing;
- The User objects to the processing under the right to object and there are no overriding legitimate interests justifying the processing;
- If the User Data is processed unlawfully;
- If the User Data has to be erased for the fulfilment of a legal obligation to which MPR is subject.
Under the applicable legal terms, MPR is under no obligation to erase the User Data insofar as the processing proves necessary for the fulfilment of a legal obligation to which MPR is subject or for the purposes of declaring, exercising or defending a right of MPR in a judicial proceeding.
In the event of the deletion of data, MPR shall inform each recipient/entity to whom the data has been transmitted of the deletion thereof, unless such communication proves impossible or involves a disproportionate effort.
When MPR has made the User Data public and is obliged to delete it under the right to such deletion, MPR undertakes to take reasonable measures, including technical measures, taking into account available technology and the costs of their implementation, to inform those responsible for the effective processing of the Personal Data that the User has asked them to delete the links to such Personal Data, as well as copies or reproductions of them.
12. RIGHT TO RESTRICTION OF PROCESSING OF PERSONAL DATA
The User has the right to obtain from MPR the restriction of the processing of the User Data if one of the following situations applies (the restriction consists of inserting a mark in the Personal Data stored with the aim of limiting its processing in the future):
- If you contest the accuracy of the Personal Data, for a period enabling MPR to verify its accuracy;
- If the processing is unlawful and the User opposes the deletion of the data, requesting instead the limitation of its use;
- If MPR no longer needs the User Data for processing purposes, but such data is required by the User for the purposes of declaring, exercising or defending a right in legal proceedings;
- If the User has opposed the processing, until it is established that MPR’s legitimate reasons prevail over those of the User.
When the User Data is subject to limitation, it may, with the exception of storage, only be processed with the User’s consent or for the purposes of declaring, exercising or defending a right in legal proceedings, defending the rights of another natural or legal person, or for reasons of public interest legally provided for. The User who has obtained the limitation of the processing of their data in the above cases will be informed by MPR before the limitation of processing is cancelled.
If the processing of data is restricted, MPR will inform each recipient to whom the data has been transmitted of the restriction, unless such communication proves impossible or involves a disproportionate effort for MPR.
13. RIGHT TO PORTABILITY OF PERSONAL DATA
The User has the right to receive the Personal Data concerning him/her that he/she has provided to MPR, in a structured, commonly used and machine-readable format, and the right to transmit this data to another controller, if:
- The processing is based on consent or on a contract to which the User is a party; and
- The processing is carried out by automated processes.
The right of portability does not include inferred data or derived data, i.e. Personal Data that is generated by MPR as a consequence or result of analysing the data being processed. The User has the right to have their Personal Data transmitted directly between the data controllers, whenever this is technically possible.
14. RIGHT TO OBJECT TO PROCESSING
The User has the right to object at any time, on grounds relating to his/her particular situation, to the processing of Personal Data concerning him/her, which is based on the exercise of legitimate interests pursued by MPR, or when the processing is carried out for purposes other than those for which the Personal Data were collected, including profiling, or when the Personal Data are processed for statistical purposes.
MPR will terminate the processing of User Data unless it has urgent and legitimate reasons for such processing which override the interests, rights and freedoms of the User, or for the purposes of declaring, exercising or defending a right of MPR in legal proceedings.
When User Data is processed for the purposes of direct marketing, the User has the right to object at any time to the processing of data concerning him/her for the purposes of said marketing, which includes profiling insofar as it is related to direct marketing. If the User objects to the processing of their data for the purposes of direct marketing, MPR will cease processing the data for this purpose.
The User also reserves the right not to be subject to any decision taken solely on the basis of automated processing, including profiling, which produces effects in his/her legal sphere or significantly affects him/her in a similar way, unless the decision:
- Is necessary for the conclusion or performance of a contract between the User and MPR;
- Is authorised by legislation to which MPR is subject; or
- Is based on your explicit consent.
15. PROCEDURES FOR EXERCISING USER RIGHTS
The right of access, the right to rectification, the right to deletion, the right to limitation, the right to portability and the right to object may be exercised by the User by sending an email to MPR will respond in writing (including by electronic means) to the User’s request within a maximum period of one month from receipt of the request, except in cases of particular complexity, where this period may be extended up to two months.
If the requests submitted by the User are manifestly unjustified or excessive, in particular due to their repetitive nature, MPR reserves the right to charge administrative costs or refuse to comply with the request.
16. PERSONAL DATA BREACHES
In case of a data breach and insofar as such breach is likely to entail a high risk to the User’s rights and freedoms, MPR undertakes to communicate the Personal Data breach to the User concerned within 72 hours of becoming aware of the incident.
Under legal terms, communication to the User is not required in the following cases:
- If MPR has implemented appropriate technical and organisational protection measures and such measures have been applied to the Personal Data affected by the Personal Data breach, in particular measures that render the Personal Data unintelligible to any person not authorised to access such data, such as encryption;
- If MPR has taken subsequent measures to ensure that the high risk to the User’s rights and freedoms is no longer likely to materialise; or
- If communication to the User would involve a disproportionate effort for MPR. In this case, MPR will make a public announcement or take a similar measure through which the User will be informed.
18. RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY
You can always submit your complaint to Autoridade de Controlo para a Proteção de Dados – Comissão Nacional de Proteção de Dados.