A. GENERAL PROVISIONS
1.1 COLLECTION AND PROCESSING OF USER DATA
Within the scope of the website hosted in www.oni.pt (“Site”) and the services and communications made available therein (“Services”), ONITELECOM – Infocomunicações, S.A., with head office at Avenida D. João II, Lote 1.16.01, 8º Piso, Parque das Nações, 1990-083 Lisboa, with the corporate tax payer number 504 073 206 (hereinafter referred to as “ONI”), may process personal data or request the User for some of its personal data, namely information shared by the User which will allow ONI to identify or contact it (“Personal Information”).
As a rule, Personal Data is required when the User
- Registers on the Site;
- Requests a contact from ONI through the form available on the Site;
- Calls any of the customer support lines of ONI.
The Personal Data collected and processed consists on information regarding name, e-mail and any other information which the User may share with us.
ONI also collects and processes information about the characteristics of the user’s hardware device and browser/software features, as well as information about the pages visited by the User within the site. This information may include browser type, domain name, access times and links by which the User has accessed the Site (“Usability Information”). We only use this information to improve the quality of the user’s experience on website.
1.2 DATA PROCESSORS
These processors may not disclose the User Data to other entities without ONI having given prior written authorization to do so, and are also prevented from contracting other processors without ONI’s prior authorization.
ONI will only enter into agreements with processors that have implemented the appropriate technical and organizational measures, in order to guarantee the defense of the User’s Data. ONI shall bind all the processors contracted by a written agreement that covers the object and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects and the rights and obligations of the parties.
1.3 DATA COLLECTION CHANNELS
ONI may collect data directly (i.e., directly from the User) or indirectly (i.e. commercial partners or third parties). Such collection may operate through the following channels:
Direct collection: in person, by telephone, via e-mail and through the site;
Indirect collection: through business partners or affiliates and official entities.
2. GENERAL PRINCIPLES APPLICABLE TO THE PROCESSING OF USER DATA
In terms of general principles regarding the processing of personal data, ONI undertakes to ensure that the User Data processed by it is:
- Processed in accordance with the law, as well as being fair and transparent in relation to the User;
- Collected for specific purposes that are objective and legitimate, not being processed subsequently in any way that runs contrary to these purposes;
- Appropriate, justified and limited to what is necessary in relation to the purposes for which the data is processed;
- Accurate and updated whenever necessary, ensuring that inaccurate data, taking into account the purposes for which they are processed, is erased or corrected without delay;
- Only retained for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements;
- Handled in a manner that ensures security, including protection against their unauthorized or illegal processing and against their loss, destruction or unforeseen damage, with appropriate technical or organizational measures being taken on this matter.
Data processing carried out by ONI is permitted and legal when at least one of the following situations occurs:
- The User has without doubt given their consent to the processing of User Data for one or more specific purpose;
- The processing is necessary for the implementation of a contract in which the User is a party, or for pre-contractual procedures at the request of the User;
- The processing is necessary for the fulfilment of a legal obligation to which ONI is subject;
- Processing is necessary for the defense of the fundamental interests of the User or another individual;
- The processing is necessary for legal interests pursued by ONI or by third parties (unless the interests or fundamental rights and freedoms of the User requiring the protection of personal data prevail).
ONI undertakes to ensure that the processing of User Data takes place under the conditions and respecting the principles above mentioned.
The User has the right to withdraw his consent at any time when ONI, based on the User’s agreement, performs the User Data processing. Such withdrawal of consent, however, does not jeopardize the legal basis of the processing carried out by ONI based on the consent that was previously given.
The time on which the data is filed and stored varies according to the purpose for which the information is being processed.
However, there are legal requirements that require the data to be preserved for a minimum period. Thus, and where there is no specific legal obligation, data will be stored and kept only for the minimum period necessary for the purposes that led to their collection or subsequent processing, being eliminated when that processing ends.
3. USE AND PURPOSES OF USER DATA PROCESSING
ONI processes the User Data for the following purposes:
- Provision and commercialization of ONI services;
- Providing information to the User upon its requests, about new products and services, using any means of communication special offers and campaigns, under ONI’s legitimate interests, notwithstanding the data subject right to oppose this processing at any moment;
- Granting access to restricted areas of the Site, according to previously agreed terms;
- Ensuring that the site meets the User’s needs by developing and publishing content that is best adapted to the requests made and the type of User, improving the search capabilities and functionalities of the site and obtaining associated or statistical information regarding to the user’s profile (analysis of consumption profiles);
- Service provision, such as newsletters, surveys or any other information requested or authorized by the User.
ONI may also contact the legal representatives of its corporate clients, to which it may send ONI service and products presentations, pursuing its legitimate interests in doing so, notwithstanding the data subject right to object that processing at any time.
The User Data collected by ONI is not shared with third parties without the User’s consent, except in the situations mentioned in the following paragraph. However, in the User requests services with ONI that are provided by other data controllers for the processing of personal data, User Data may be consulted or accessed by such entities, to the extent that it is necessary for the provision of such data services.
ONI may disclose the User Data to other entities if and whenever it is necessary to the fulfillment of the contract established between the User and ONI or for pre-contractual procedures at the request of the User. User Data can also be disclosed if necessary for the fulfilment of a legal obligation to which ONI is subject or to pursue our legitimate interests.
4. IMPLEMENTED TECHNICAL, ORGANIZATIONAL AND SECURITY MEASURES
In order to guarantee the security and maximum confidentiality of the User Data, ONI processes the information you provided to us in an absolutely confidential manner, in accordance with its internal security and confidentiality policies and procedures, which are updated periodically as required, as well as the terms and conditions legally set out.
Depending on the nature, scope, context and purpose of data processing, as well as the risks arising from the processing to the rights and freedoms of the User, ONI undertakes to apply, both when defining the method and timing of handling the data, the necessary and appropriate technical and organizational measures for the protection of User Data in compliance with legal requirements.
ONI also undertakes to ensure that, as a principle, only data that are necessary for each specific purpose are processed and that such data are not disclosed without human intervention to an indeterminate number of people.
Nevertheless, in terms of general measures, ONI adopts the following:
- Regular audits to identify the effectiveness of the implemented technical and organizational measures;
- Sensitization and training of personnel involved in data processing operations;
- Pseudonymisation and coding of personal data;
- Mechanisms capable of ensuring the permanent confidentiality, availability and resilience of information systems;
- Mechanisms to ensure the restoration of information systems and access to personal data in a timely manner in the event of a physical or technical incident.
5. INTERNATIONAL DATA TRANSFERS
Personal data collected and used by ONI will not be disclosed to third parties established outside the European Economic Area. If, in the future, such a transfer takes place for the reasons mentioned above, ONI undertakes to ensure that the transfer complies with the applicable legal provisions, in particular determining that country’s suitability regarding data protection and the requirements applicable to such transfers.
B. USER RIGHTS (DATA SUBJECTS)
7. PROCEDURES FOR THE EXERCISING OF RIGHTS BY THE USER
You can exercise the right to access, rectification or erasure of personal data or restriction of processing concerning your data and to object to processing as well as the right to data portability by contacting our DPO through the e-mail privacidade.DPO@oni.pt or by letter to Avenida D. João II, Lote 1.16.01, 8º Piso, Parque das Nações, 1990-083 Lisboa, Portugal.
ONI will respond in writing (including by electronic means) to the User’s request within a maximum period of one month from the receipt of the request, except in particularly complex cases, for which this period may be extended up to two months.
If the requests submitted by the User are manifestly unfounded or excessive, in particular because of their repetitive character, ONI reserves the right to refuse to comply with the request.
8. PERSONAL DATA BREACH
In the case of a personal data breach, ONI shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it inform the User of that breach.
We are not obliged to do that if:
- If ONI has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;
- If ONI has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialize; or
- If communication to the User would involve a disproportionate effort on behalf of ONI. In this case, ONI will release a public communication or take a similar action by which the User will be informed.
C. FINAL PART
10. APPLICABLE LAW AND LEGAL JURISDICTION
Edition 00 – 25th of May 2018