PRIVACY POLICY

Privacy policy and Personal data protection

The reading of this policy does not exempt the reading of the Clauses of the General Conditions regarding Personal Data and the provisions in clause 9 of the General Conditions of the Digital Certificate Issue Contract.

Available for consultation at: https://www.gns.gov.pt/trusted-lists.aspx

1. DigitalSign’s commitment

The protection of privacy and personal data is a fundamental commitment of the company towards our customers and users.

DigitalSign - Certificadora Digital, SA, hereinafter referred to as DigitalSign, is a Qualified Trusted Services Provider (QTSP) at European Union level under Regulation (EU) No 910/2014 of the European Parliament and of the Council of July 23 (EIDAS Regulation), is part of the European Trusted List, and as such is accredited to the National Security Authority in Portugal for the provision of various trust services, and in particular for the issuance of Qualified Digital Certificates, in strict compliance with the applicable legal regulations in this matter, such as the Decree-Law No. 12/2021 of 9 February 2021, which establishes the Legal Regime for Electronic Documents and Digital Signature. DigitalSign complies with strict confidentiality and information security parameters, foreseen, in particular, in ISO 27001, being certified according to this international standard.

DigitalSign advises you to read this document, and the General Conditions, available on our website, as well as the Digital Certificate issuance contract agreement as they both represent DigitalSign's commitment to the protection of the data of our clients in the scope of the New General Regulation of Data Protection that takes effect on May 25, 2018.

This privacy policy covers the following services:

1.1.    Management of the account on our services;

1.2.    Identification and certification services for the issuance of digital certificates;

1.3.    Electronic signature and timestamp related services;

1.4.    SigningDesk Related Services;

1.5.    Invoicing;

1.6.    Technical and operational support;

1.7.    Supply and processing of reports containing commercial information;

1.8.    Training activity (e.g. webinars) for the use of the Services;

2. Definitions

To facilitate the understanding of this policy, the following definitions apply:

"Personal Data" - information relating to a natural or legal person, where applicable, identified or identifiable, directly or indirectly, such as identifiers, or other specific elements relating to his physical, physiological, genetic, mental, economic, cultural or social identity.

"Processing of Personal Data" - means the operation, or a set of operations, carried out on personal data or on personal data sets by automated or non-automated means such as:

a)    The collection, registration, organization, structuring, preservation, adaptation or alteration, recovery, consultation or use;

b)    disclosure by transmission, dissemination or any other form of disclosure; or

c)    the comparison or interconnection, limitation, erasure or destruction.

"Third party" - means a natural or legal person, public authority, service or body other than the data subject, controller, subcontractor and persons who, under the direct authority of the controller or the processor, are authorized to process personal data;

"Person responsible for the processing of personal data" - means the natural or legal person, public authority, agency or other body which, individually or jointly with other entities, determines the purposes and means of processing personal data;

"Processor" - means the natural or legal person, public authority, agency or other body processing personal data on behalf of the controller;

"Supervisory Authority" - an independent public authority, in the case of Portugal the National Data Protection Commission (CNPD), which is responsible for supervising the correct application of the legislation regarding data protection;

"Cookies" - computer files containing a sequence of numbers and letters that allow a unique identifier of a user's Internet access device, but may contain other information such as your browsing preferences on a particular site. Cookies are downloaded via the browser to the Internet access device (computer, mobile phone, tablet, etc.) when accessing certain websites.

3. The Data Controller and Data Protection Officer

The entity responsible for collecting and processing your personal data will be DigitalSign, as it provides the service and, in this context, decides what data is collected, means of processing and purposes for which the data is used.

DigitalSign has appointed a Data Protection Officer (DPO) who (i) monitors data compliance with applicable standards, (ii) is a point of contact with the customer or user, (iii) cooperates with the supervisory authority, and (iv) provides information and advises the controller or any processors of their obligations regarding privacy and data protection. You can contact our DPO via email: dpo@digitalsign.pt

4. Personal data, holders of personal data and categories of personal data

What is personal data?

Personal data is any information of any nature and in any format relating to an identified or identifiable natural person.

An identifiable person is a natural person who can be identified directly or indirectly, for example through a name, an identification number, location data, an electronic identifier or other elements that allow the identification of that individual.

Who are the owners of personal data?

The customer or user, a natural person, to whom the data relate and has used DigitalSign’s products and services. You will be the person who concludes the contract with VeriSign, and the user is the person who uses the goods and services of VeriSign, which may not correspond to the customer. In this regard, DigitalSign informs that it also protects personal data and respects the rights of customers and users.

What categories of personal data do we treat?

Data Categories | Examples
Identification and contact data | Complete name, address, identification documents, payment and billing, email address and phone number
Other identification data | If the data subject is Legal Representative / Member of an organization
Services | Products and services purchased or subscribed

5. Legal basis, Purposes and Duration of processing activities of Personal Data

On what grounds will DigitalSign process your personal data?

Consent: when we have your express and prior consent - in writing, orally or through the validation of an option - and such consent is free, informed, specific and unambiguous. In the case of the processing of personal data of children who may be subject to prior consent, DigitalSign will require consent from the holders of parental responsibilities, in particular for the purpose of providing services by electronic means;

Contract execution and pre-contractual procedures: when the processing of personal data is necessary for the execution and management of the contract signed with DigitalSign, namely for the purpose of issuing the Digital Certificates, for the management of contacts and orders, for billing, and payment management;

Compliance with legal obligation: when the processing of personal data is necessary to fulfill a legal obligation with which DigitalSign must comply, such as the communication of data required by any judicial or administrative authority for compliance with the law;

Legitimate interest: where the processing of personal data corresponds to a legitimate interest of DigitalSign or third parties, such as data processing for fraud detection, security, direct marketing or improvement of the quality of services.

What are the principles observed by DigitalSign relating to processing of Personal Data?

When processing our Customers' Personal Data, we observe the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, limitation of preservation, integrity, confidentiality and responsibility.

As provided in clause 9 of the Digital Certificate issuance agreement, DigitalSign guarantees the confidentiality of the Personal Data of our Customers that is not intended to be publicly disclosed.

For what purposes and for how long does DigitalSign treat your personal data?

Your personal data is processed by DigitalSign only for the period necessary to achieve the defined purpose or, as applicable, until you exercise your right of opposition, right to erasure or withdraw consent. After the expiration of the storage period, DigitalSign will delete or anonymize the data when they are not to be stored for a different purpose, except for the fulfillment of the data preservation obligation imposed by Portuguese Legislation on Electronic Signatures, for the minimum legal period of 7 years after the revocation of the certificate, as provided for in article 13 of the Legal Framework for Electronic Documents and Digital Signature, corresponding to the updated version of the Decree-Law No. 12/2021 of 9 February 2021. All rights referred to above are fully secured by DigitalSign.

Purposes | Examples (non-exhaustive)
Marketing and Sales | Marketing or selling new products or services
Customer management and service delivery | Management of contacts, information or orders; management of installation, activation, revocation or renewal of digital certificates; billing and payment management; recording calls (and videoconferences) and communications within the contractual relationship, if applicable
Use of software solutions under a SAAS regime | Creation of user accounts and managing the use of tools
Accounting, Tax and Administrative Management | Accounting, billing; tax information, including sharing information with tax authority
Compliance with legal obligations | Preservation of Digital Certificates issued for a legal period of 7 years, pursuant to article 13 of the Legal Regime for Electronic Documents and Digital Signature, corresponding to the updated version of the Decree-Law No. 12/2021 of 9 February 2021.

What are the deadlines for processing and keeping personal data?

DigitalSign processes and stores your personal data according to specified, explicit and legitimate purposes.

Thus, and whenever there is no specific legal obligation, the data will be processed only for the period necessary to fulfill the purposes that led to its collection and preservation, and always in accordance with the law, CNPD guidelines and decisions, or competent authority under the law, as applicable. The personal data collected by DigitalSign will therefore be processed and retained for the purpose of performing the contract and during its execution period.

After this period, the respective data will be kept for a legal period of 7 years after the revocation of the digital certificate, according to article 13 of the Legal Regime of Electronic Documents and Digital Signature, corresponding to the updated version of the Decree-Law No. 12/2021 of 9 February 2021. Otherwise, the processing and conservation of the Customers' personal data may only occur with express consent, for the purpose of ensuring rights or duties related to the contract, or when legitimate interests justify it, to that precise extent.

6. Collection of personal data

What are your rights?

We collect your personal data when you intend to use a DigitalSign service, at a pre-contractual stage, and for the performance of a contract. The personal data required by DigitalSign is the personal data indispensable for the provision of its services (in particular, issuing, billing and / or renewal of Digital Certificates and access to other services available). The collection can be done through the registration of the user in person, and by completing the form, through DigitalSign’s website, or by conducting a videoconference specifically directed to that purpose, if this option is applied and is chosen by the Client.

In particular, DigitalSign may also access, collect or confirm personal data on Public Administration sites and private entities, in particular to confirm the accuracy and timeliness of their identification and contact information.

7. Rights of the holder of personal data

Right of access: the right to obtain confirmation of the personal data that is collected and processed by DigitalSign, as well as to obtain information about them, for example, the purposes of the processing, as well as the right to obtain a copy, for example, of invoices, written agreements or calls and videoconferences to which it is party and which are recorded.

Right of rectification: right to request rectification of your personal data that is inaccurate or request incomplete personal data to be completed, such as the address, tax number, email, telephone contacts, among others.

Right to delete data or "right to be forgotten": right to erase your personal data, provided that there are no valid legal grounds for its retention, such as cases where DigitalSign has to keep the data for compliance with legal obligations (in particular, the legal obligation to retain the digital certificates it issues for a minimum legal period of 7 years), such as compliance with the legal obligation of preservation for investigation, detection and prosecution of crimes, or due to legal proceedings.

Right to portability: right to receive the data you have provided us in a digital format of current use and automatic reading or to request the direct transmission of your data to another entity that becomes the new data controller of your personal data, if this is technically possible.

Right to withdraw the Consent or Right of Opposition: right to oppose or withdraw consent at any time to the processing of personal data, for example in the case of data processing for marketing purposes, provided that there are no legitimate interests that prevail over data subject interests, rights and freedoms, such as defending a right in the course of legal actions.

Right of limitation: right to request the limitation of the processing of your personal data, in the form of: (i) suspension of treatment or (ii) limitation of the scope of treatment to certain categories of data or purposes of treatment.

User Registration and Reserved Area

By registering as users, Customers or potential Customers will be able to access the various services offered by DigitalSign and, in particular, place orders, among other available functions such as the management of orders placed in the reserved area ("View the Account").

If you already have a registration on the users site, simply log in using the email and the access password defined at the time of the initial registration. This password guarantees the user access to the management of the services in their reserved area. If, on the contrary, there is no registration on the users site, the registration request requires the introduction of the user's or organization's tax number and, subsequently, the definition of the email and password.

At the time of the initial registration DigitalSign will also require, as required data, the user's tax number, billing name, contact name, address, door / floor number, postal code, city, country and telephone number, and how data, the country and the mobile phone. The data provided by the users will only be used for the performance of the services selected by the user for which they were provided, not being added to another list, made available to other entities or used to send unrelated information.

Use of Cookies

DigitalSign uses cookies on its site to improve the performance and navigational experience of personal data owners, while increasing the speed and efficiency of response and, on the other hand, eliminating the need to repeatedly enter the same information. For more information see our Cookies Policy, available for viewing on the Website.

Automated profile and decisions

DigitalSign will be able to profile customers based, for example, on the use of the service, location, etc., in particular to provide services, increase the quality and experience of the products and services, tailor marketing communications, etc., provided that this processing is necessary for the conclusion or performance of the contract between the holder and DigitalSign, or is based on the consent of the data subject.

Right to complain

Right to submit a complaint to the CNPD, or to another supervisory body competent under the law, in addition to the company or the DPO, if the data subject considers that the processing of their data by DigitalSign violates the applicable law.

How can you exercise your rights?

The exercise of your rights is free of charge, except in the case of a manifestly unfounded or excessive request, in which case a reasonable fee may be charged. You must take into account, in particular, that the right to erasure, withdrawal of consent or limitation can only be exercised to the extent that they do not interfere with the fulfillment of any legal obligation of DigitalSign.

The information must be provided in writing, but may be given orally if requested. In this case, DigitalSign must verify your identity by means other than through voice communications. The response to requests should be provided within a maximum of 30 days, unless it is a particularly complex request.

Please send them through the following addresses:

Letter: Largo Padre Bernardino Ribeiro Fernandes, n.º 26, 4835-489 Nespereira, Guimarães

Email: dpo@digitalsign.pt

8. Transmission of Personal Data

Under what circumstances is your personal data communicated to other entities, subcontractors (processors) or third parties?

Your personal data may be transmitted to processors for them to handle in accordance with DigitalSign instructions. In this case, DigitalSign will take the necessary contractual measures to ensure that subcontractors respect and protect the personal data of the data subject. Data may also be transmitted to third parties - entities other than DigitalSign or subcontractors, in particular companies with whom DigitalSign develops partnerships, if the holder has consented, or entities to whom the data must be communicated in accordance with a legal obligation.

Does DigitalSign transfer your data to a third country?

DigitalSign doesn’t transfer your personal data to a third country outside the European Union that isn’t included in the list of countries that the European Union has already considered to meet adequate levels of protection of personal data.

9. Website responsibility

DigitalSign Websites may contain links to other third-party websites, products or services that are not related to DigitalSign or are not covered by this Privacy Policy.

The processing of the personal data requested by these third parties is their sole responsibility. DigitalSign cannot be held liable under any circumstances for the content, accuracy or legitimacy of these third parties or for the misuse of data collected or processed by them.

We alert customers and users of DigitalSign to the need, before using these third-party websites, products or applications, to read the terms and conditions,

10. Procedural and technical security measures

How does DigitalSign protect your personal information?

DigitalSign has implemented the appropriate logical, physical and organizational security measures to protect your personal data from destruction, loss, alteration, dissemination, unauthorized access or any other form of accidental or illicit. DigitalSign has implemented:

A)     Logical security requirements and measures such as the use of firewalls and intrusion detection systems in its systems, and the existence of a rigorous access management policy to systems with personal data. DigitalSign has also implemented traceability mechanisms regarding the usage of our systems;

B)     Physical security measures, including a strict access control to the physical premises of DigitalSign, by employees, partners and visitors, as well as a very limited and permanently monitored access to the essential technological infrastructures of DigitalSign;

C)     Privacy by design using technological means such as masking, encryption, pseudonymization and anonymization of personal data, as well as a set of privacy-friendly preventive measures ("privacy by default");

D)     Mechanisms of scrutiny, audit and control to ensure compliance with security and privacy policies;

E)     A training program of DigitalSign employees and partners;

F)     Authentication mechanisms for customers or users of certain products or services, such as the introduction of a password, to strengthen control and security mechanisms.

Privacy Policy and Protection of Personal Data and Cookies

DigitalSign may update or readjust this Policy, as well as its Cookies Policy, and the general conditions relating to Personal Data; these changes will be made public.

Last updated: Version 1.3, 12 July 2021
