CODE OF CONDUCT

2020

  I. GENERAL

  1. Introduction.

1.1. XEKVITA, LDA, legal person with number 516249436 and headquartered at Largo do Esteiro, nº 6, 2050-261 Azambuja, within the scope of its activity has access to a set of information which, by its nature, is classified as personal data.

1.2. XEKVITA, LDA positions itself on the market as a company that takes the issues associated with Privacy and Data Protection seriously, believing that protecting the personal data of each of the people with whom it relates constitutes one of the bases of the trust that exists in the relationships established in the exercise of its activity.

1.3. This Internal Data Protection Policy (hereinafter “Policy”) covers the principles, obligations and procedures that guide the processing of personal data by XEKVITA, LDA and establishes specific rules for the operations of processing personal data under its responsibility.

1.4. XEKVITA, LDA conforms its activity to the legislation, rules and good practices of privacy and protection of personal data. Given that XEKVITA, LDA processes the personal data of different types of data subjects, this Internal Data Protection Policy is structured so that the processing of personal data in general (II) regulates the principles and obligations common to all types of processing, followed by the processing of personal data in particular (III), which focuses on the specificities and particularities of the listed processing operations.

1.5. Last but not least, this Internal Data Protection Policy is not a “closed document”, and should be updated at all times, whenever legal reasons so require (here, in particular, always taking into account the guidelines of national and European supervisors on this matter).

1.6. This text also serves as a true compass for the most varied documents used internally, which are obviously relevant to the protection and privacy of personal data.



  2. Legislative Framework.

2.1 This Code of Conduct was prepared taking into account all legislation applicable to data protection and other normative instruments with relevance and impact on data protection, whether at national or international level, such as, for example, Law 46/2012 of 29 August, which regulates the protection of personal data in the Electronic Communications sector; Law No. 7/2009, of 12 February (Labor Code); Regulation (EU) 2016/679, on the protection of individuals concerning the processing of personal data and the free movement of such data, which repeals Directive 95/46/EC (General Data Protection Regulation - GDPR); the deliberations of the supervisory authority (CNPD); and the Guidelines of the Article 29 Working Party on Data Protection and of the European Committee for Data Protection;

2.2 This Code of Conduct was prepared taking into account also the good practices of privacy and protection of personal data.

  3. Policy Application. Non-compliance.

3.1. All Persons Subject to this Code of Conduct are obliged to know its content and any updates, to comply with it and to collaborate in its application.

3.2. This Code of Conduct must be interpreted in conjunction with the internal policies aimed at Information Security, as well as with the applicable legislation (national and European).

3.3. Without prejudice to the foregoing, Persons Subject to this Code of Conduct must also be aware of the other internal rules of XEKVITA, LDA that relate directly to the matters addressed in this document.

3.4. Failure to comply with these rules may lead to the initiation of disciplinary action, and the ignorance of this Internal Data Protection Policy does not justify any type of non-compliance.



  4. Definitions.

4.1. In this Code of Conduct, unless the context or the legislation clearly indicates otherwise, the following terms and expressions have the meanings given below:

(a) “Personal data” means information relating to a person (the data subject) that identifies that person or makes that person identifiable, directly or indirectly, in particular, with reference to identifiers such as name, an identification number, location data, online identifiers such as logins and other access credentials, or other factors, namely, physical, psychological, genetic, economic, cultural or social;

(b) “Supervisory authority (interested party)”, the independent public authority affected by the processing of personal data with the responsibility to supervise the application and compliance with the legislation on the protection of personal data. In Portugal, at the date of publication of this Code of Conduct, this is the National Data Protection Commission (CNPD);

(c) “Sensitive data (special categories of personal data)”, personal data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or union affiliation, as well as the processing of genetic data, biometric data to uniquely identify a person, health related data or data about a person's sexual life or sexual orientation;

(d) “Profiling” means any form of automated processing of personal data that consists of using that personal data to assess certain personal aspects of a natural person, namely to analyze or predict aspects related to that person's professional performance, economic situation, health, personal preferences, interests, reliability, behavior, location or travel;

(e) “Subject Person”, a natural person who is linked to XEKVITA, LDA under any contract, namely, employees and service providers;

(f) “Data Protection Policy”, a set of actions and measures set out in a document by XEKVITA, LDA, whose objective is to guide the forms of personal data processing that it carries out, in order to protect data subjects when their personal data is processed;

(g) "Data Controller" means a natural or legal person, public authority, service or any other body that, individually or in conjunction with others, determines the purposes and means of processing personal data;

(h) “Subcontractor” means a natural or legal person, public authority or other body that processes personal data on behalf of the controller, with the respective subcontracted treatment being regulated by a contract or normative act under the law that binds the subcontractor to the controller;

(i) “Third Party” means the natural or legal person, the public authority, the service or body other than the data subject, the controller, the subcontractor and persons who, under the direct authority of the controller or the subcontractor, are authorized to process personal data;

(j) "Data Subject", a natural person whose personal data is processed by XEKVITA, LDA, namely employees (current, future and former employees), customers, suppliers, partners;

(k) “Data processing” means any and all operations or a set of operations carried out on personal data or on personal data sets, by automated or non-automated means, such as the collection, registration, organization, structuring, conservation, adaptation or alteration, recovery, consultation, use, dissemination by transmission, diffusion or any other form of availability, comparison or interconnection, limitation, erasure or destruction.

(l) “Breach of personal data” means a breach of security that causes, accidentally or unlawfully, the destruction, loss, alteration, disclosure or unauthorized access to personal data transmitted, kept or subject to any other type of treatment.



  5. General Principles of Data Processing

5.1. The following data protection principles, in accordance with national and European legislation, apply to any information relating to an identified or identifiable natural person and any data processing operation to be carried out by XEKVITA, LDA in its capacity as Data Controller:

(a) Lawfulness, loyalty and transparency: all personal data and data processing operations will be carried out in a lawful, loyal and transparent manner in relation to the data subject;

(b) Limitation of purposes: all personal data are and will be collected for specific, explicit and legitimate purposes and cannot be further processed in a manner incompatible with those purposes, without prejudice to the possibility of further processing for archival purposes, scientific or historical research or for statistical purposes, in which case the appropriate guarantees for the rights and freedoms of the data subject are applied through the adoption of technical and organizational measures in order to ensure, in particular, respect for the principle of data minimization;

(c) Data minimization: all personal data will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

(d) Accuracy: all personal data will be accurate and updated whenever necessary, with XEKVITA, LDA adopting appropriate measures so that inaccurate data, taking into account the purposes for which they are processed, are erased or rectified without delay;

(e) Limitation of retention: all personal data will be kept in a way that allows the identification of the data subjects only for the period necessary for the purposes for which they are processed, without prejudice to being able to be kept for longer periods due to compliance with XEKVITA, LDA's legal obligations, or, for archival, scientific or historical research or statistical purposes, in which case the appropriate guarantees for the rights and freedoms of the data subject are applied through the adoption of technical and organizational measures in order to ensure, inter alia, compliance with the principle of data minimization; and,

(f) Integrity and confidentiality: all personal data will be treated in a way that guarantees its security, including protection against its unauthorized or unlawful treatment and against its loss, destruction or accidental damage, by adopting appropriate technical or organizational measures.


  II. PROCESSING OF PERSONAL DATA IN GENERAL

  1. Responsible for Treatment

    1. Identification of the Responsible for Treatment.

The Person Responsible for Processing within the scope of this Internal Data Protection Policy is XEKVITA, LDA, legal person with number 516249436 and headquartered at Largo do Esteiro, nº 6, 2050-261 Azambuja (PORTUGAL).

    2. Person in Charge of the Data Protection.

(a) XEKVITA, LDA may appoint a Data Protection Officer, who will act in accordance with the law.

(b) The Responsibilities of the Data Protection Officer, as well as the form of interaction with the Data Subject, will be the subject of a separate Chapter to be added to this Internal Data Protection Policy in case of review.

  2. Object

    1. General purposes of treatment

2.2. The processing of personal data carried out by XEKVITA, LDA that is covered and regulated by this Code of Conduct is aimed at the exercise of its activity, namely, the management of its relationship with its employees, customers and suppliers, as well as the fulfillment of its obligations arising from legislation directly applicable to it.

2.3. Without prejudice to the rules specifically directed at the data processing of employees, customers and suppliers, this Code of Conduct also regulates specific situations regarding the processing of personal data, namely:

(a) Use of information and communication means by Subject Persons;

(b) Monitoring of Subject Persons;

(c) Use of CCTV systems (if applicable); and,

(d) Occupational Health and Safety.


  3. OBLIGATIONS RELATED TO DATA PROCESSING.

    1. Obligations of Subject Persons

3.1.1. Persons subject to this Code of Conduct must comply with it during their activity and exercise of their functions.

3.1.2. Subject Persons shall, in particular, in the exercise of their functions and when they have access to personal data:

(a) Treat personal data in accordance both with the purposes for which said personal data are intended and with the instructions of XEKVITA, LDA;

(b) Ensure that access to personal data is limited and in accordance with the confidentiality duties to which they are contractually bound;

(c) Not use the personal data to which they have access for purposes other than those necessary for the exercise of their functions;

(d) Not communicate personal data to third parties, even for the purpose of its storage, beyond what is necessary for the fulfillment and performance of their contractual obligations and XEKVITA, LDA's instructions;

(e) Inform, immediately and in writing, XEKVITA, LDA of the existence of any irregularity regarding the personal data that they detect or are aware of in the exercise of their functions;

(f) Inform XEKVITA, LDA of the existence of any request for the exercise of rights and / or complaints in relation to the personal data that they are aware of in the exercise of their functions;

(g) Keep the operations they carry out documented, in accordance with XEKVITA, LDA's instructions;

(h) Comply with the obligation of secrecy with regard to the content of the personal data to which they have access;

(i) Respect the technical and organizational measures implemented to protect personal data;

(j) Collaborate with XEKVITA, LDA and provide it with all documentation and information that is necessary to demonstrate compliance with the obligations set out in this document.



    2. Awareness and Training

3.2.1. XEKVITA, LDA will provide Subject Persons with regular training in the field of data protection and privacy to ensure that they are aware both of the contents of this document and of the rules and practices to be applied in complying with XEKVITA, LDA's obligations under the data protection legal framework and in protecting the rights, freedoms and guarantees of Data Subjects; these awareness and training actions will be mandatory.

    3. Records of treatment activities.

3.3.1. If XEKVITA, LDA is bound under the GDPR to the registration obligation, XEKVITA, LDA will keep a written record, in electronic format, of all processing activities under its responsibility.

    4. Audits. Cooperation with Supervisory Authorities.

3.4.1. XEKVITA, LDA will carry out internal audits in order to validate compliance with this document, as well as to identify situations in which it is not being complied with in order to correct these situations.

3.4.2. XEKVITA, LDA will cooperate with the supervisory authority, at its request, in carrying out its tasks.



    5. Impact Evaluation.

3.5.1. XEKVITA, LDA will carry out impact assessments on data protection when a certain type of treatment, in particular using new technologies and taking into account its nature, scope, context and purposes, is likely to imply a high risk for the rights and freedoms of data subjects.

    6. Treatment security.

3.6.1. XEKVITA, LDA assesses, and will continue to assess, the adequate security level for the treatment operations that it performs.

3.6.2. For this purpose, XEKVITA, LDA will take into account, namely:

(a) The nature of the processing operations;

(b) The categories of personal data;

(c) The risks presented by the treatment, in particular due to accidental or unlawful destruction, loss and alteration, and the unauthorized disclosure or access, of personal data transmitted, preserved or subject to any other type of treatment.

3.6.3. Based on the assessment, XEKVITA, LDA will apply all appropriate measures to ensure a level of security appropriate to the risk.

    7. General procedure for exercising rights

3.7.1. Requests for the exercise of rights by data subjects must be submitted in writing.

3.7.2. In response to requests to exercise rights, any and all information is provided in writing, namely, by email.

3.7.3. If the data subject requests it, the information may be provided orally, and the identity of the data subject must be proven and a document must be presented in which the data subject declares to have received the information orally, with reference to the day and time.

3.7.4. XEKVITA, LDA must provide the data subject with information on the measures taken within thirty (30) days from the date of receipt of the request.

3.7.5. This period can be extended up to sixty (60) days, when necessary, taking into account the complexity of the request and the number of requests.

3.7.6. XEKVITA, LDA informs the data subject of any extension and the reasons for the delay within one month from the date of receipt of the request.

3.7.7. If it is decided not to proceed with the request made by the data subject, the data subject must be informed without delay and, at the latest, within one month from the date of receipt of the request, of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and bringing legal action.

3.7.8. Without prejudice to the exercise of rights being free of charge, if the requests submitted by a data subject are manifestly unfounded or excessive, namely, due to their repetitive nature, XEKVITA, LDA may demand the payment of a reasonable fee taking into account the administrative costs of providing the information or communication or of taking the requested measures.

3.7.9. All responses to exercise of rights should be filed, and, whenever possible, a statement from the data subject should be obtained.

3.7.10. The specific procedures for responding to the exercise of rights will follow that established by law.


  III. PROCESSING OF PERSONAL DATA IN PARTICULAR.

  1. APPLICANTS

    1. Purposes.

1.1.1 As part of the recruitment processes carried out by XEKVITA, LDA, XEKVITA, LDA will process personal data in order to analyze and select the most suitable candidates for XEKVITA, LDA's positions and needs.

1.1.2 The candidate must always be informed that the personal data collected may be used for the purposes of preparing and concluding the employment contract, in case of success and, also, for the employee record.

    2. Background.

1.2.1 The processing of personal data of candidates is based on:

(a) The applicant's consent for the purposes of examining the application;

(b) The need to take pre-contractual steps at the request of the candidate in the event of a successful application;

(c) Compliance with XEKVITA, LDA's legal obligations.

1.3 Data collection.

1.3.1 Candidates' personal data is collected through:

(a) Specific form for that purpose on the XEKVITA, LDA website (if applicable);

(b) By e-mail sent by the applicant;

(c) Through the candidate's curriculum.

1.3.2 Personal data may also be collected when interviewing candidates.

1.3.3 XEKVITA, LDA may also validate personal data collected from third parties when the position for which the candidate is applying so requires, namely, by virtue of legal obligations to which XEKVITA, LDA is bound.

    4. Information to be provided.

1.4.1 XEKVITA, LDA undertakes to provide candidates with the following information:

(a) XEKVITA, LDA's identity and contacts;

(b) The contact details of the data protection officer, if appointed;

(c) The purposes of the processing for which the personal data are intended;

(d) The legal basis for the processing of personal data;

(e) If any, the recipients or categories of recipients of personal data;

(f) The existence of transfers of personal data to a third country;

(g) The period of retention of personal data and the criteria used to define that period;

(h) The existence of rights and form of exercise;

(i) The right to file a complaint with the supervisory authority;

(j) The fact that the communication of personal data is a legal obligation and a necessary requirement to conclude a contract;

(k) The possible consequences of not providing such data;

(l) The existence of automated decisions, including profiling.

      2. This information must be presented to applicants at the time of data collection, or, when personal data is not collected from applicants, at the latest within one month after obtaining personal data or at the time of first communication with candidates, except when candidates are already aware of the information in question.

    5. Personal Data categories.

1.5.1 When XEKVITA, LDA processes special categories of personal data, it will justify these treatments:

(a) For compliance with XEKVITA, LDA's obligations in the field of preventive or occupational medicine, for the assessment of the employee's work capacity, medical diagnosis, if applicable;

(b) Consent to the processing of such personal data by the data subject for one or more specific purposes.

    6. Term for conservation.

      1. The personal data of the candidates will be kept for a maximum period of one (1) year after the collection, without prejudice to being kept longer in case of successful application.

      2. XEKVITA, LDA considers that this retention period is sufficient in view of the best market practices for the personal data of the candidates to be kept sufficiently updated for the purpose for which they are intended.

      3. At the end of this one (1) year period, the candidates' data will be automatically deleted, except for data that must be kept for longer periods in order to fulfill XEKVITA, LDA's legal obligations.

      4. Without prejudice to the previous number, XEKVITA, LDA may keep the “name”, “contact (email / mobile phone)” and “position for which the candidate is applying” for five (5) years.

    7. Other treatments.

      1. If XEKVITA, LDA intends to proceed with the further processing of candidates' personal data for a purpose other than that for which the data was initially collected, before such processing begins XEKVITA, LDA will provide candidates with the information about that purpose and any other relevant information under the law.

    8. Subcontractors.

      1. XEKVITA, LDA may communicate the personal data of candidates to recruitment and human resource management service providers.

      2. XEKVITA, LDA will ensure that the aforementioned service providers present sufficient guarantees for the execution of appropriate technical and organizational measures in a way that the treatment meets the requirements of XEKVITA, LDA and the legislation, with the subcontracted treatment by these service providers being regulated by contract and in accordance with this Code of Conduct.

    9. Security of treatment.

      1. XEKVITA, LDA applies to candidates' personal data the appropriate administrative, logical and physical measures to ensure an adequate level of security, taking into account the nature, scope, context, purposes and risks of the treatments.

      2. These measures will take into account both the general principles established in this Code of Conduct, as well as the best practices and the Information Security Policy.

    10. Exercise of Rights.

      1. The exercise of rights by candidates will be regulated by the procedure and rules provided for in this Code and in the legislation.




  2. EMPLOYEES.

    1. Purposes.

      1. The activities of processing personal data of XEKVITA, LDA employees are intended for activities related to the administration and management of the employment contract and the employment relationship between XEKVITA, LDA and employees, namely:

(a) Human resource management;

(b) Processing of remuneration;

(c) Vocational training;

(d) Management of disciplinary sanctions;

(e) Temporary work management;

(f) Teleworking management;

(g) Occupational Health and Safety;

(h) Control of time / attendance.

      2. XEKVITA, LDA may also carry out the processing of personal data necessary for the purpose of the legitimate interests pursued by XEKVITA, LDA or by third parties, among them, other entities with whom it relates, namely, when the processing of personal data is strictly necessary and proportional to ensure network and information security.

    2. Background.

      1. The processing of employees' personal data is based on:

(a) Its necessity for the performance of a contract to which the employee is a party;

(b) Its necessity to fulfill the legal obligations to which XEKVITA, LDA is subject;

(c) Its necessity for the purpose of the legitimate interests pursued by XEKVITA, LDA or by third parties.

    3. Data Collection.

      1. Personal data, and others that may be treated by XEKVITA, LDA, will be obtained through the employment contract, as well as through other documents that may be requested by XEKVITA, LDA, during the exercise of the employee's functions, and, in the course of the employment relationship between XEKVITA, LDA and the employee.

    4. Information to be provided.

      1. XEKVITA, LDA is committed to providing employees with the following information:

(a) XEKVITA, LDA's identity and contact details;

(b) The contact details of the data protection officer, if appointed;

(c) The purposes of the processing for which the personal data are intended;

(d) The legal basis for the processing of personal data;

(e) If any, the recipients or categories of recipients of personal data;

(f) The existence of transfers of personal data to a third country;

(g) The period of retention of personal data and the criteria used to define that period;

(h) The existence of rights and form of exercise;

(i) The right to file a complaint with the supervisory authority;

(j) The fact that the communication of personal data is a legal obligation and a necessary requirement to conclude a contract;

(k) The possible consequences of not providing such data;

(l) The existence of automated decisions, including profiling.

      2. This information must be presented to applicants at the time of data collection, or, when personal data is not collected from applicants, at the latest within one month after obtaining personal data or at the time of first communication with candidates, except when candidates are already aware of the information in question.

    5. Legal Obligation.

      1. The operations of processing personal data of employees are necessary either for the execution of the contract between XEKVITA, LDA and employees, or for the fulfillment of the legal obligations to which XEKVITA, LDA is subject, namely, within the scope of labor, social security and tax law; therefore, the communication of personal data constitutes a contractual and legal obligation, as well as a necessary requirement for the execution of the employment contract between XEKVITA, LDA and the employees.

    6. Personal Data Categories.

      1. XEKVITA, LDA will proceed, in particular, to the treatment of the personal data categories of the employees.

    7. Special Data Categories.

      1. XEKVITA, LDA may process special categories of personal data when:

(a) Necessary for the fulfillment of XEKVITA, LDA's obligations and the exercise of specific rights in matters of employment, social security and social protection legislation; or,

(b) Necessary for the purposes of preventive or occupational medicine, for the assessment of the Employee's work capacity.

      2. The treatments of special categories of personal data and information complementary to these treatments are better described in the section of this Policy relating to special categories of personal data, or within the scope of other policies and / or internal regulations of XEKVITA, LDA.

    8. Term for Conservation.

      1. XEKVITA, LDA will retain personal data only for the period necessary to carry out the purposes for which they are intended, namely, during the execution of the contract.

      2. Without prejudice to the foregoing, XEKVITA, LDA will also retain personal data for the period necessary to fulfill the legal obligations to which XEKVITA, LDA is subject, namely, within the scope of labor, social security and tax legislation.

      3. In the event of a dispute between XEKVITA, LDA and employees, XEKVITA, LDA may retain personal data until the judicial decision is final.

    9. Other Treatments.

      1. If XEKVITA, LDA intends to proceed with the further processing of employees' personal data for a purpose other than that for which the data was initially collected, before such processing begins XEKVITA, LDA will provide employees with the information about that purpose and any other relevant information under the law.

    10. Communication and Transfers.

      1. XEKVITA, LDA, within the scope of activities related to the administration and management of the employment contract and employment relationship, may communicate and / or transfer the personal data of employees to the entities identified below, not excluding other entities not mentioned, but that have legal legitimacy to process the data in question:

(a) IGFSS - Social Security Financial Management Institute;

(b) AT - Tax Authority;

(c) Banking and Insurance Institutions;

(d) INE - National Statistics Institute;

(e) ACT - Authority for Working Conditions;

      2. XEKVITA, LDA guarantees that in the event of any data transfer occurring outside the European Union, both XEKVITA, LDA and the third recipient of the personal data in question will comply with their legal obligations regarding the conditions of such transfer, in particular, with regard to the application of appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

    11. Subcontractors.

      1. XEKVITA, LDA may communicate employees' personal data to service providers, namely:

(a) Entity responsible for carrying out the functions related to Safety, Hygiene and Medicine at work;

(b) Any other entity to which wage processing functions have been assigned;

(c) Entity to which functions related to the management of human resources have been assigned.

      2. The communications and / or transfers referred to in the previous number have the following purposes, namely:

(a) The calculation and payment of remuneration, ancillary benefits, other allowances and gratuities;

(b) The calculation, withholding tax and transactions related to discounts on remuneration, mandatory or optional, resulting from a legal provision;

(c) Carrying out non-nominative statistical operations related to the processing of wages within the processing entity;

(d) Compliance with the obligations to which XEKVITA, LDA is subject, namely, within the scope of labor, social security and tax legislation.

      3. XEKVITA, LDA will ensure that the aforementioned service providers present sufficient guarantees for the execution of appropriate technical and organizational measures in a way that the treatment meets the requirements of XEKVITA, LDA and the legislation, with the subcontracted treatment by these service providers being regulated by contract and in accordance with this Policy.

    12. Treatment Security.

      1. XEKVITA, LDA applies to employees' personal data the appropriate administrative, logical and physical measures to ensure an adequate level of security, taking into account the nature, scope, context, purposes and risks of the treatments.

      2. These measures will take into account both the general principles established in this Code of Conduct, as well as the best practices and the Information Security Policy.

    13. Exercise of Rights.

      1. The exercise of rights by candidates will be regulated by the procedure and rules provided for in this Code of Conduct and in the legislation.



  3. CUSTOMERS AND USERS.

    1. Purposes.

      1. The activities of processing personal data of XEKVITA, LDA customers are intended for activities related to the administration and management of its activity and any commercial relations established between XEKVITA, LDA and customers, namely those that fall within the following activities:

(a) Economic and accounting management;

(b) Administrative management;

(c) Billing management;

(d) Customer management;

(e) Collection and payment management;

(f) Marketing;

(g) Opinion polls and surveys;

(h) Analysis of consumption profiles;

(i) Customer loyalty;

(j) Statistical purposes;

(k) User registration on an internet website.

      1. XEKVITA, LDA may also process the personal data necessary for the purpose of legitimate interests pursued by XEKVITA, LDA or by third parties, including other entities that form part of the relationship established, namely, when the processing of personal data is strictly necessary and proportionate to ensure:

(a) Fraud detection and prevention;

(b) Compliance with legal obligations, court orders or foreign regulatory bodies to which XEKVITA, LDA is bound;

(c) Compliance with self-regulatory mechanisms to which XEKVITA, LDA has adhered;

(d) Network and information security;

(e) General corporate operations and audits;

(f) Product development and improvement.

    1. Background.

      1. The processing of customers' personal data is based on:

(a) The need to perform a contract to which the customer is a party;

(b) The need to fulfill the legal obligations to which XEKVITA, LDA is subject;

(c) The customer's consent, namely, for marketing purposes;

(d) The need to pursue the legitimate interests of XEKVITA, LDA or of third parties.





    1. Data Collection.

      1. Personal data, and other data that may be processed by XEKVITA, LDA, will be obtained through:

(a) The contract between XEKVITA, LDA and the customer;

(b) Documents that may be requested by XEKVITA, LDA;

(c) The performance of the contract;

(d) Other entities, namely rating agencies and supervisory and regulatory bodies.

    1. Information to be provided.

      1. XEKVITA, LDA is committed to providing customers with the following information:

(a) XEKVITA, LDA's identity and contact details;

(b) The contact details of the data protection officer, if appointed;

(c) The purposes of the processing for which the personal data are intended;

(d) The legal basis for the processing of personal data;

(e) If any, the recipients or categories of recipients of personal data;

(f) The existence of transfers of personal data to a third country;

(g) The period of retention of personal data and the criteria used to define that period;

(h) The existence of rights and form of exercise;

(i) The right to file a complaint with the supervisory authority;

(j) The fact that the communication of personal data is a legal obligation and a necessary requirement to conclude a contract;

(k) The possible consequences of not providing such data;

(l) The existence of automated decisions, including profiling.

      1. This information must be presented to customers at the time of data collection, or, when personal data is not collected from customers, at the latest within one month after obtaining personal data or at the time of first communication with customers, except when customers are already aware of the information in question.

    1. Legal obligation.

      1. When the processing of customers' personal data is required by law to comply with XEKVITA, LDA's legal obligations, this information must be provided to the customer in accordance with paragraph 3.4.2 above.

    2. Special categories of Personal Data.

      1. XEKVITA, LDA may process special categories of personal data when said processing is necessary for the purpose of fulfilling contractual obligations and exercising specific rights of XEKVITA, LDA in accordance with the law.

    3. Retention period.

      1. XEKVITA, LDA will retain personal data only for the period necessary to carry out the purposes for which they are intended, namely, during the execution of the contract.

      2. Without prejudice to the foregoing, XEKVITA, LDA will also retain personal data for the period necessary to comply with the legal obligations to which XEKVITA, LDA is subject, namely, within the scope of legislation and tax, and also for the period of time suitable for the exercise and defense of judicial rights.

      3. In the event of a dispute between XEKVITA, LDA and customers, XEKVITA, LDA may retain personal data until the judicial decision is final.

    4. Other treatments.

      1. If XEKVITA, LDA intends to proceed with the further processing of customers' personal data for a purpose other than that for which the data was initially collected, before such processing begins XEKVITA, LDA will provide customers with the information about that purpose and any other relevant information under the law.

    5. Communication and Transfers.

      1. XEKVITA, LDA, within the scope of activities related to the administration and management of contracts and commercial relations with clients, may communicate and / or transfer the clients' personal data to the entities identified below, not excluding other entities not mentioned, but that have legal legitimacy to process the data in question:

(a) AT - Tax Authority;

(b) Banking and Insurance Institutions;

(c) Regulatory and judicial authorities.

      1. XEKVITA, LDA guarantees that in the event of any data transfer occurring outside the European Union, both XEKVITA, LDA and the third-party recipient of the personal data in question will comply with their legal obligations regarding the conditions of such transfer, in particular with regard to the application of appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

    1. Subcontractors.

      1. XEKVITA, LDA may communicate personal data of customers to service providers, namely, within the scope of administrative management services, billing management, customer management, collection and payment management, marketing, opinion polls and surveys, analysis of consumption profiles and / or customer loyalty, etc.

      2. The communications and / or transfers referred to in the previous number are intended, namely, to administer and manage its commercial activity and the commercial relations established between XEKVITA, LDA and the customers.

      3. XEKVITA, LDA will ensure that the aforementioned service providers present sufficient guarantees for the execution of appropriate technical and organizational measures so that the treatment meets the requirements of XEKVITA, LDA and the legislation, with subcontracted treatment by these service providers being regulated by contract and in accordance with this Code of Conduct.

    2. Treatment security.

      1. XEKVITA, LDA applies administrative, logical and physical measures to customers' personal data to ensure an adequate level of security, taking into account the nature, scope, context, purposes and risks of the treatments.

      2. These measures will take into account both the general principles established in this Code of Conduct, as well as the best practices and the Information Security Policy.

    3. Exercise of Rights.

      1. The exercise of rights by clients will be regulated by the procedure and rules provided for in this Policy and in the legislation.


  1. SUPPLIERS.

    1. Purposes.

      1. The activities of processing personal data of XEKVITA, LDA suppliers are intended for activities related to the administration and management of its commercial activity and the commercial relations established between XEKVITA, LDA and the suppliers, namely, those that fall within the following activities:

  1. Economic and accounting management;

  2. Administrative management;

  3. Billing management;

  4. Supplier management;

  5. Collection and payment management.

      1. XEKVITA, LDA may also carry out the processing of personal data necessary for the purpose of the legitimate interests pursued by XEKVITA, LDA or by third parties, including, inter alia, when the processing of personal data is strictly necessary and proportional in order to guarantee:

  1. Fraud detection and prevention;

  2. Compliance with legal obligations, court orders or foreign regulatory bodies to which XEKVITA, LDA is bound.

  3. Compliance with self-regulatory mechanisms to which XEKVITA, LDA has adhered;

  4. Network and information security;

  5. General corporate operations and audits;

  6. Product development and improvement.

    1. Background.

      1. The processing of personal data of suppliers is based on:

  1. The need to perform a contract to which the supplier is a party;

  2. The need to fulfill the legal obligations to which XEKVITA, LDA is subject;

  3. The need to pursue the legitimate interests of XEKVITA, LDA or of third parties.

    1. Data Collection.

      1. Personal data, and other data that may be processed by XEKVITA, LDA, will be obtained through:

(a) The contract between XEKVITA, LDA and the supplier;

(b) Documents that may be requested by XEKVITA, LDA;

(c) The performance of the contract;

(d) Other entities, namely, supervisory and regulatory entities.

    1. Information to provide.

      1. XEKVITA, LDA is committed to providing suppliers with the following information:

  1. XEKVITA, LDA's identity and contacts;

  2. The contact details of the data protection officer, if appointed;

  3. The purposes of the processing for which the personal data are intended;

  4. The legal basis for the processing of personal data;

  5. If any, the recipients or categories of recipients of personal data;

  6. The existence of transfers of personal data to a third country;

  7. The period of retention of personal data and the criteria used to define that period;

  8. The existence of rights and form of exercise;

  9. The right to file a complaint with the supervisory authority;

  10. The fact that the communication of data constitutes a legal obligation and a necessary requirement to conclude a contract;

  11. The consequences of not providing this data;

  12. The existence of automated decisions, including the definition of profiles.

      1. This information must be presented to customers at the time of data collection, or, when personal data is not collected from suppliers, at the latest within one month after obtaining personal data or at the time of first communication with customers, except when suppliers are already aware of the information in question.

    1. Legal Obligation.

      1. When the processing of suppliers' personal data is required by law to comply with XEKVITA, LDA's legal obligations, this information must be provided to suppliers in accordance with paragraph 3.4.2 above.

    2. Personal Data Categories.

      1. XEKVITA, LDA may process special categories of personal data when such processing is necessary for the purpose of fulfilling obligations and exercising specific rights of XEKVITA, LDA in matters of legislation.

      2. The treatment of special categories of personal data, and the information complementary to these treatments, is described in more detail in the section of this Code of Conduct on special categories of personal data, or within the scope of other policies and / or internal regulations of XEKVITA, LDA.

    3. Term for conservation.

      1. XEKVITA, LDA will retain personal data only for the period necessary to carry out the purposes for which they are intended, namely, during the execution of the contract.

      2. Without prejudice to the foregoing, XEKVITA, LDA will also retain personal data for the period necessary to comply with the legal obligations to which XEKVITA, LDA is subject, namely, within the scope of legislation and tax, and also for the period of time appropriate for the exercise and defense of judicial rights.

      3. In the event of a dispute between XEKVITA, LDA and suppliers, XEKVITA, LDA may retain personal data until the judicial decision is final.

    4. Other Treatments.

      1. If XEKVITA, LDA intends to proceed with the further processing of suppliers' personal data for a purpose other than that for which the data was initially collected, before such processing begins XEKVITA, LDA will provide customers with the information about that purpose and any other relevant information under the law.

    5. Communication and Transfers.

      1. XEKVITA, LDA, within the scope of activities related to the administration and management of contracts and commercial relations with suppliers, may communicate and / or transfer the personal data of customers to the entities identified below, not excluding other entities not mentioned, but that have legal legitimacy to process the data in question:

(a) AT - Tax Authority;

(b) Banking and Insurance Institutions;

(c) Regulatory and judicial authorities.

      1. XEKVITA, LDA guarantees that in the event of any data transfer occurring outside the European Union, both XEKVITA, LDA and the third-party recipient of the personal data in question will comply with their legal obligations regarding the conditions of such transfer, in particular with regard to the application of appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

    1. Subcontractors.

      1. XEKVITA, LDA may communicate personal data of suppliers to service providers, namely, in the context of administrative management services, billing management, supplier management, collection and / or payment management.

      2. The communications and / or transfers referred to in the previous number are intended, namely, to administer and manage its commercial activity and the commercial relations established between XEKVITA, LDA and the suppliers.

      3. XEKVITA, LDA will ensure that the aforementioned service providers present sufficient guarantees for the execution of appropriate technical and organizational measures so that the treatment meets the requirements of XEKVITA, LDA and the legislation, with subcontracted treatment by these service providers being regulated by contract and in accordance with this Policy.



    1. Treatment security.

      1. XEKVITA, LDA applies to suppliers' personal data the appropriate administrative, logical and physical measures to ensure an adequate level of security, taking into account the nature, scope, context, purposes and risks of the treatments.

      2. These measures will take into account both the general principles established in this Code of Conduct, as well as the best practices and the Information Security Policy.

    2. Exercise of Rights.

      1. The exercise of rights by suppliers will be regulated by the procedure and rules provided for in this Code of Conduct and in the legislation.



  1. OTHER OBLIGATIONS.

  1. VIOLATION OF PERSONAL DATA.

    1. General principle.

      1. In the event of a personal data breach, XEKVITA, LDA will comply with the following rules and procedure.

    2. Notification to the Supervisory Authority.

      1. In the event of a personal data breach, XEKVITA, LDA notifies the competent supervisory authority accordingly.

      2. The notification must be made within seventy-two (72) hours after XEKVITA, LDA has become aware of the breach.

      3. If it is impossible to notify the personal data breach within seventy-two (72) hours, the notification must be accompanied by the reasons for the delay.

    3. Subcontractors.

      1. When a personal data breach, or a potential personal data breach, affects the subcontractor, the subcontractor is obliged to notify XEKVITA, LDA within twelve (12) hours after becoming aware of it, regardless of whether or not it affects personal data for whose treatment XEKVITA, LDA is responsible. This obligation must be reflected in the contract with the subcontractor.

    4. Information to be provided.

      1. The notification to be provided by XEKVITA, LDA must contain at least the following information:

(a) Description of the nature of the personal data breach including, if possible, the categories and approximate number of data subjects affected, as well as the categories and approximate number of personal data records concerned;

(b) Identification of the name and contact details of the data protection officer (if any) or other point of contact where further information can be obtained;

(c) Description of the likely consequences of the breach of personal data;

(d) Description of the measures taken or proposed by the controller to remedy the breach of personal data, including, where applicable, measures to mitigate its possible negative effects.

      1. If, and to the extent that it is not possible to provide all the information at the same time, it must be provided in stages, without undue delay.

    1. Documentation.

      1. XEKVITA, LDA will document any personal data breaches, including the facts related to them, their respective effects and the remedial measures adopted.

      2. The documentation may be delivered to the supervisory authority, and this delivery must be made in accordance with the rules of this Code of Conduct.

    1. Notification to Data Holders.

16.1 If there is a possibility that the breach implies a high risk to the rights and freedoms of data subjects, XEKVITA, LDA will seek to communicate the breach of personal data to the affected data subjects within seventy-two (72) hours, without prejudice to the exceptions established in legislation, which will be analyzed on a case-by-case basis.

    1. Other notifications.

      1. XEKVITA, LDA will also make the necessary notifications to the judicial and police authorities, as well as to the Portuguese National Cybersecurity Center.




    1. COOPERATION WITH SUPERVISORY AUTHORITIES.

1.8.1 When XEKVITA, LDA's cooperation is requested by the supervisory authority, the request must be directed to legal support and, if any, to the Data Protection Officer, who will instruct XEKVITA, LDA on the best way to cooperate and respond to the request of the supervisory authority, without prejudice to the legal obligations to which they are bound.



  1. FINAL DISPOSITIONS

  1. Binding.

    1. This Code binds all Subject Persons.

    2. In the event of non-conformity between this Code and other policies, this Code of Conduct prevails over other policies.

  1. Information request.

    1. Any request for information from a Subject Person regarding the content of this Code of Conduct must be addressed in writing to its Department Manager.

    2. The Head of Department of XEKVITA, LDA, who is already appointed, will be:

Name: Nuno Miguel Santos Franco;

Electronic Address: support@xekvita.com.



  1. Entry into force.

    1. The present Policy enters into force fifteen (15) days after it has been communicated internally through the appropriate channels and the Subject Persons have been made aware of it.



Prepared by: GLOBAL LAWYERS, SOCIEDADE DE ADVOGADOS, R.L. (October 2020).

XEKVITA, LDA, 18th December, 2020.
