PRIVACY POLICY
In the context of its activities and the contractual relationships established, Porto Santo Line acts to ensure the highest standards of personal data protection, meaning any information of any nature and regardless of its medium, including sound and image, relating to an identified or identifiable natural person (data subject).
To achieve this goal, it complies with all legislation on the protection of personal data, in particular the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016 (General Data Protection Regulation/GDPR), ensuring the confidentiality, integrity, and availability of such data.
Through this privacy policy, Porto Santo Line intends to inform all data subjects whose data is processed by it about the personal data collected, how and for what purpose it is used, to whom it is disclosed, and how their privacy is protected.
Thus, filling in forms and contractual documents of Porto Santo Line, the use and navigation on the website, movement within its facilities, use of its ships or ships operated by it, and the provision of data, directly or indirectly, by the data subjects, imply the knowledge and acceptance of the conditions of this privacy policy.
DATA CONTROLLER
Porto Santo Line is a private limited company that is part of the Grupo Sousa, with its head office at Largo dos Varadouros, No. 4, ground floor, 9000-503 Funchal, with Tax Identification Number (NIPC) 511186312, and is the data controller under the GDPR. Its Data Protection Officer can be contacted via the following e-mail: rgpd@gruposousa.pt
PROCESSING
This privacy policy applies to all personal data collected and processed by Porto Santo Line, ensuring a high level of protection when processing the personal data of vulnerable data subjects, especially children.
In general, Porto Santo Line collects and processes personal data for the development of its business activity, namely the provision of its services, the management of the contractual relationship with its customers, suppliers, and partners—from pre-contractual procedures to the final execution of the contract—and also for compliance with the legal obligations to which it is subject (including tax and regulatory obligations).
For the pursuit of specific processing purposes, Porto Santo Line collects and processes, depending on the context and the established commercial relationship, the personal data of the following data subjects:
(1) Customers and their representatives;
(2) Service users;
(3) Individual suppliers and representatives of suppliers;
(4) Other individual partners and representatives of partners; and
(5) Employees and collaborators.
Consequently, the personal data collected by Porto Santo Line through the website, the contract, or any other data collection method from the above data subjects, may include, among others, the following: name, surname, date of birth, gender, marital status, civil identification number, passport number, taxpayer number, tax address, address in Porto Santo, email address, telephone number, mobile number, type, brand, model, and license plate of an automobile.
The processing of personal data of children Under the age of 13, within the scope of the direct provision of information society services, is preceded by consent given by someone who can prove to be the holder of the parental responsibilities.
The collection and processing, whether manual or automated, of the personal data referred to by Porto Santo Line is intended exclusively for the following specific purposes:
(1) Provision of transport services;
(2) Application of the reduced fare for residents on the island of Porto Santo;
(3) Supply of its products and provision of contracted services;
(4) Compliance with customer instructions;
(5) Management of customer contacts;
(6) Formation of employment and service contracts;
(7) Sending newsletters to website users, customers, suppliers, and partners;
(8) Promotional communications for the dissemination of products and services targeted at customers;
(9) Issuance of customer loyalty cards;
(10) Execution of automated decisions, including the definition of profiles for marketing purposes;
(11) Conducting satisfaction surveys;
(12) Compliance with legal obligations, in which case Porto Santo Line may have to transmit the data to the requesting public entities whenever legally required;
(13) Satisfaction of Porto Santo Line’s legitimate interests, namely sending marketing information to all those with whom it maintains commercial relationships, namely its partners and customers;
(14) Automatic filling of data related to the passenger ticket and the automobile.
NEWSLETTER AND OTHER COMMUNICATIONS
Communications regarding the sending of newsletters and invitations to events will be carried out to inform customers, suppliers, partners, website users, and other entities (through the individual contacts provided) about the relevant activities and procedures in the context of Porto Santo Line’s activity and the universe of entities belonging to the same group.
All website users who have given their consent to receive newsletters and other communications may withdraw it by sending an email to rgpdpsl@gruposousa.pt or by selecting the “unsubscribe from the newsletter” option, when available.
The exercise of the right to withdraw consent does not invalidate the processing carried out up to that date based on the previously given consent.
Regarding customers, suppliers, and partners, the sending of newsletters is based on Porto Santo Line’s legitimate interest in informing those with whom it already maintains a commercial relationship about its activities.
DATA RETENTION PERIOD
The personal data collected will be retained by Porto Santo Line for the duration of its relationship with the customer, supplier, or partner in whose team the data subject is integrated, and may be retained for a longer period, as established by law for the defense of rights/interests in legal proceedings or for the pursuit of the purposes mentioned above. For more details, please refer to the defined data retention periods.
Once the maximum retention period is reached, the personal data of the data subjects will be irreversibly anonymized or securely destroyed.
RIGHTS OF THE DATA SUBJECTS
Under the law, the data subject may exercise the following rights regarding their personal data by submitting a written request to Porto Santo Line, using the provided GDPR Form, sending it to the following email address: rgpdpsl@gruposousa.pt.
-Access – The data subject has the right to access their data and obtain information about the purposes of its processing, the categories of data processed, the recipients of the data, and the retention period of their personal data;
-Rectification – The data subject has the right to obtain the rectification of inaccurate personal data concerning them, as well as the completion of incomplete personal data;
-Deletion – The data subject has the right to request the deletion of their data in certain cases, namely when the personal data is no longer necessary for the purpose for which it was collected, or if the data subject withdraws the consent previously given;
-Restriction of Processing – The data subject has the right to request the restriction of the processing of their data in certain cases, such as if they contest the accuracy of the personal data during a period that allows Porto Santo Line to verify its accuracy, if the processing is unlawful and the data subject opposes the deletion of the data, requesting instead the restriction of its use, or if Porto Santo Line no longer needs the data for processing purposes but requires it for the declaration, exercise, or defense of a right in legal proceedings, or if the data subject has objected to the processing until it is verified that Porto Santo Line’s legitimate reasons prevail;
-Data Portability – In cases provided by law, the data subject may request from Porto Santo Line the personal data concerning them that they have provided, in a structured, commonly used, and machine-readable format, and the right to transmit such data to another data controller;
-Objection – The data subject may, for reasons related to their particular situation, object to the processing of their personal data based on Porto Santo Line’s legitimate interests or when the processing is carried out for purposes other than those for which the personal data was collected, including profiling, or when the personal data is processed for statistical purposes;
-Complaint – The data subject has the right to lodge a complaint with the National Data Protection Commission or another competent supervisory authority if they consider that their data is not being processed in accordance with the applicable legislation and this Privacy Policy.
SECURITY MEASURES ADOPTED BY PORTO SANTO LINE
Porto Santo Line is committed to ensuring the protection of the personal data of data subjects against unauthorized access via the network.
For this purpose, it maintains all technical means at its disposal to prevent the loss, misuse, alteration, unauthorized access, disclosure, loss, or destruction, and improper appropriation of the personal data provided or transmitted, namely:
-Ensuring that communication between the user’s device and the Porto Santo Line website is carried out through secure channels and communications that use the HTTPS protocol and the SSL security standard;
-Transferring data only in an encrypted manner;
-Permanently monitoring accesses made to its information technology systems to prevent, detect, and inhibit the improper use of personal data;
-Conducting regular audits to assess the capacity of the technical and organizational measures adopted;
-Promoting regular awareness and training actions regarding personal data protection for its employees;
-Adopting mechanisms that ensure the confidentiality, integrity, and availability of personal data, as well as the resilience of the information systems in which these data are processed;
-Having mechanisms in place that guarantee the rapid restoration of information systems and access to personal data in the event of a physical or technical incident;
-Ensuring that the processing of children's personal data is preceded by consent given by someone who can prove to be the holder of parental responsibilities and by providing clear and simple information;
-Guaranteeing the compliance of the processing of deceased persons’ personal data and that the respective rights are exercised by the person designated by the deceased or by the respective heirs.
PERSONAL DATA BREACH
Porto Santo Line will notify data subjects in the event of a breach that poses a high risk to their rights and freedoms, undertaking to do so within 72 hours from the occurrence of the incident.
DATA DISCLOSURE TO OTHER ENTITIES
Porto Santo Line provides data to other companies within Grupo Sousa for the purposes of preventing money laundering, terrorism financing, and fraud, or for administrative and financial management inherent to the Group.
Porto Santo Line relies on other entities to provide certain Such service provision may, on occasion, involve these entities accessing personal data of its customers, suppliers, and partners.
Any subcontracted entity of Porto Santo Line will process the data subjects’ personal data on behalf of Porto Santo Line, under the strict obligation of following its instructions.
Porto Santo Line ensures that such subcontracted entities offer sufficient guarantees of implementing appropriate technical and organizational measures so that the processing complies with the applicable legal requirements and ensures the security and protection of the data subjects’ rights, under the terms of the subcontracting agreement with these entities.
In certain situations, the personal data of data subjects may also be transferred to third parties when such data disclosures are necessary or appropriate (i) in accordance with applicable law, (ii) for the fulfillment of legal obligations/court orders, (iii) by determination of the National Data Protection Commission or another competent supervisory authority, or (iv) to respond to requests from public or governmental authorities, such as tax authorities, courts, and regulatory entities.
In any of the above situations, Porto Santo Line undertakes to take all reasonable measures to ensure the effective protection of the personal data it processes.
INTERNATIONAL DATA TRANSFERS
The provision of products and the provision of services by Porto Santo Line may involve the transfer of personal data of data subjects to third countries (which are not part of the European Union or the European Economic Area).
In such cases, Porto Santo Line will take the necessary and appropriate measures under applicable law to ensure the protection of the personal data involved in such a transfer, strictly complying with the legal provisions regarding the requirements applicable to such transfers, namely by informing the data subject.
CONTACTS
A data subject may contact Porto Santo Line for further information regarding the processing of their personal data, as well as for any questions related to the exercise of their legal rights, via the following email address (without prejudice to, in some cases and as expressly provided by the established contractual relationship, these rights being exercisable before the relevant Porto Santo Line customers, suppliers, and partners): rgpdpsl@gruposousa.pt.
March 2020
