
1. Purpose, scope and users

INCENTIVEHOUSE, Lda., legal person with corporate TIN 508 192 269, with head office at Rua António Correia Baharem, nº11, r/c Esqº, 2580-468 Carregado and head of operations at Rua Gonçalves Zarco, nº 6-D, in Lisbon, hereinafter referred to as ‘INCENTIVEHOUSE’, hereby undertakes to comply with the applicable laws and regulations on personal data protection in the countries where INCENTIVEHOUSE operates. This policy establishes the basic principles by which INCENTIVEHOUSE processes the personal data of users, customers, suppliers, business partners, employees and other individuals, and states the responsibilities of its business departments and employees when processing said personal data.

This policy applies to all of INCENTIVEHOUSE’s locations in Portuguese territory.

The users of this document are all employees, permanent or temporary, who work on behalf of INCENTIVEHOUSE.

2. Reference documents

• EU GDPR 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons)
• National data protection legislation, not repealed by Regulation (EU) 2016/679
• Guidelines from the European Data Protection Board (EDPB) and the Portuguese Data Protection Authority (CNPD)
• Registration/inventory of INCENTIVEHOUSE’s data and processing activities
• Mechanisms for exercising the rights of INCENTIVEHOUSE’s data subjects
• INCENTIVEHOUSE’s cross-border personal data transfer procedure
• INCENTIVEHOUSE’s breach notification procedure

3. Definitions

The following definitions of terms used in this document are taken from Article 4 of the European Union’s General Data Protection Regulation:

Personal data: any information relating to an identified or identifiable natural person (‘data subject’) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Special personal data: personal data which, due to their nature, are particularly sensitive in relation to fundamental rights and freedoms and deserve a specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms of individuals. These include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union association, genetic data, biometric data for the purposes of exclusive identification of a natural person, data relating to the health, sexual life or sexual orientation of a natural person or that expose their private life.

Controller: natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of processing of personal data. In this case, it is INCENTIVEHOUSE.

Consent of the data subject: a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

Biometric data: personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;

Data concerning health: personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

Processor: A natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.

Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data.

Anonymization: The irreversible disaggregation of personal data, so that the person cannot be identified through the use of reasonable time, cost or technology, either by the controller or by any other person, to identify that individual. The principles of processing personal data do not apply to anonymous data, since they are no longer considered personal data.

Pseudonymisation: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. Pseudonymisation reduces, but does not completely eliminate, the possibility of matching personal data to a particular person. Pseudonymised data remains personal data; the processing of pseudonymised data must comply with the processing principles that apply to personal data that has not been pseudonymised.

Cross-border processing of personal data: processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the European Union where the controller or processor is established in more than one Member State; or processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the European Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State;

Supervisory authority: an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR; in Portugal, it is the Portuguese Data Protection Authority.

The supervisory authority is responsible for carrying out investigations and implementing measures and fines, promoting public awareness of the risks, rules, security and rights relating to the processing of personal data, as well as obtaining access to any installation of the Controller and the processor, including any means and data processing equipment.

4. Fundamental principles of data protection

In order to ensure an adequate level of protection of the personal data of natural persons, INCENTIVEHOUSE complies with the data protection principles set out in Article 5 of the GDPR, both as a Controller and a Processor.

4.1. Lawful, fair and transparent processing

Personal data shall be processed legally, in a fair and transparent way in relation to the data subject. Data subjects have the right to know why they are providing their personal data and how they will be processed. This knowledge shall be prior to the provision of the data. Where the data are not collected from its data subject, for example because it is transmitted between entities, the data subject must be informed within a reasonable time, but no later than within one month, unless the data subject is already aware of the information or if there are other exceptions provided for by law.

4.2. Purpose limitation

Personal data shall be collected for specified purposes, i.e. explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

4.3. Data minimisation

Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

4.4. Accuracy

Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

4.5. Storage limitation

Personal data shall be kept only as long as necessary for the purposes for which those personal data were collected. The deadlines for certain documents are provided for in legal documents. INCENTIVEHOUSE has a data retention policy where storage times are foreseen.

4.6. Integrity and confidentiality

Taking into account the state of technology and other security measures available, the cost of implementation, the probability and severity of risks to personal data, INCENTIVEHOUSE uses appropriate technical or organizational measures to process personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorised processing and accidental or unlawful disclosure, loss, destruction or damage.

4.7. Accountability

INCENTIVEHOUSE shall be responsible for compliance with the above described principles and be able to demonstrate such compliance by maintaining data protection policies and a record of data processing activities.

5. Building data protection from the beginning

In order to show compliance with the data protection principles, INCENTIVEHOUSE must build data protection by applying the above-listed principles since the beginning of the processing. INCENTIVEHOUSE ensures that, by default, only the personal data necessary for each specific processing purpose are processed. INCENTIVEHOUSE reduces and eliminates all data processing that proves to be excessive in relation to the intended purpose.

5.1. Notification of data subjects

(See section 6 - fair processing guidelines)

5.2. Collection

INCENTIVEHOUSE shall strive to collect as little personal data as possible. If personal data are provided by a third party, their recipient must ensure that the personal data is collected legally. Upon collection, INCENTIVEHOUSE provides the necessary information to data subjects.

5.3. Use, retention and removal

The purposes for which personal data are used, methods, storage means and retention period should be consistent with the information provided in the privacy notices and information on the processing given to data subjects. INCENTIVEHOUSE shall maintain the accuracy, integrity and confidentiality of personal data based on the processing purpose. Appropriate security mechanisms designed to protect personal data should be used to prevent personal data from being stolen, misused or vilified, avoiding breaches of personal data.

5.4. Disclosure to third parties

Whenever INCENTIVEHOUSE uses a supplier or business partner to process personal data on its behalf, it shall ensure that this processor will provide security measures to safeguard personal data appropriate for the associated risks. For this purpose, the processor's GDPR compliance questionnaire may be used where necessary.

INCENTIVEHOUSE shall contractually require the supplier or business partner to provide at least the same level of data protection as practiced at INCENTIVEHOUSE. The supplier or business partner shall only process personal data in order to fulfil its contractual obligations to INCENTIVEHOUSE or in accordance with INCENTIVEHOUSE’s instructions and not for any other purposes. When INCENTIVEHOUSE processes personal data together with third parties (jointly responsible), INCENTIVEHOUSE shall determine, by agreement, the responsibilities of each party. This determination is made in a legally binding document.

5.5. Cross-border transfer of personal data

In the event of transferring personal data outside the European Economic Area (EEA), appropriate safeguards should be used, including verification of the existence of international agreements, as required by the European Union. The entity receiving personal data must comply with the principles of personal data processing set out in the cross-border data transfer procedure.

5.6. Rights of data subjects

By acting as a Controller or a Processor of personal data, INCENTIVEHOUSE is responsible for providing data subjects with a mechanism for exercising rights over personal data.

Data subjects have the right to receive, upon request, a copy of their data on paper or in an easily accessible structured (digital) format. Data subjects should be allowed to access their personal data, update, rectify, request the restriction, erasure or transmission of their personal data, if appropriate or required by law. The access mechanism is described in more detail in the data subject’s access request procedure. INCENTIVEHOUSE is responsible for ensuring that such requests are processed within one month.

5.7. Portability

Data subjects have the right to ask INCENTIVEHOUSE to transmit their data to another Controller free of charge. It should, however, be ensured that a data subject’s access does not affect the privacy rights of other individuals. When exercising their right to data portability under the law, the data subject has the right to have the personal data transmitted directly between the data controllers, whenever such is technically possible.

5.8. Right to be forgotten

Upon request, data subjects have the right to obtain from INCENTIVEHOUSE the removal of their personal data, within the legal limits. When INCENTIVEHOUSE acts as Processor, namely regarding data it processes on its platform, it shall act in agreement with the Controller. INCENTIVEHOUSE shall take the necessary steps (including technical measures) to inform third parties who use or process this data to comply with the request as well.

6. Fair processing guidelines

Personal data must only be processed when expressly authorised by INCENTIVEHOUSE’s Management.

6.1. Notices, notifications and information to data subjects

Upon or prior to personal data collection for any type of processing activities including, but not limited to, the provision of services, sale of products or marketing activities, INCENTIVEHOUSE is responsible for properly informing the data subjects of the following: INCENTIVEHOUSE’s identity and contacts, the category of personal data collected and the category of its data subjects, the processing purpose(s), the legal basis, the rights of data subjects in relation to their personal data, the retention period, potential transfers of international data if the data is shared with third parties and INCENTIVEHOUSE’s security measures to protect personal data. This information is provided through the privacy notice.

When personal data is shared with a third party, INCENTIVEHOUSE shall ensure that data subjects have been notified of this through a privacy notice.

When personal data are transferred to a third country in accordance with the cross-border data transfer procedure, the notice must reflect this reality and clearly indicate to which country and which entity they are transferred. It should also refer to the existing international data protection agreements between the two countries.

6.2. Obtaining Consents

Whenever the processing of personal data is based on the data subject’s consent, INCENTIVEHOUSE is responsible for keeping a record of such consents. INCENTIVEHOUSE is responsible for providing data subjects with options for consent and must inform and ensure that their consent (where consent is used as the legal basis for processing) can be withdrawn at any time and what the effects of withdrawal of consent are.

When the collection of personal data is made through the direct offer of information society services (Internet), INCENTIVEHOUSE warns you that INCENTIVEHOUSE services are directed only to adults of legal age. Since it is not possible to register unauthorized persons, INCENTIVEHOUSE may conclude that it never handles personal data of minors.

6.3. Fair processing

As for requests for the exercise of rights related to personal data, INCENTIVEHOUSE shall ensure that such requests are processed within a reasonable time frame and within one month, at most. INCENTIVEHOUSE must also keep track of requests and responses to them.

Personal data should only be processed for the purpose for which it was originally collected. Should INCENTIVEHOUSE wish to process personal data collected for another purpose, INCENTIVEHOUSE must obtain its data subjects’ consent using a clear and concise wording. Any request must include the original purpose for which the data was collected, as well as the new, or additional, purpose. The request must also include the reason for the amendment in the purpose. The Compliance Department is always consulted regarding the legality of the new purpose and assessment of the need to obtain new consent.

The Head of Compliance is responsible for creating and maintaining a register of privacy notices and a map of data processing activities.

7. Organization and Responsibilities

The responsibility for ensuring the proper processing of personal data rests with everyone who works for or with INCENTIVEHOUSE and has access to personal data processed by INCENTIVEHOUSE:

The director makes decisions and approves INCENTIVEHOUSE's general strategies regarding the protection of personal data.

The Compliance Department is responsible for managing the personal data protection plan and for developing and promoting policies for personal data protection.

The Compliance department monitors and analyses the laws and changes in regulations regarding personal data, develops compliance requirements and assists INCENTIVEHOUSE departments in achieving their goals that imply personal data processing.

The Head of marketing and communication is responsible for:

• Approving any data protection statements attached to communications such as emails and letters.
• Addressing any data protection queries from journalists or media such as newspapers.
• Where necessary, working together with the Data Protection Officer to ensure that marketing and communication initiatives comply with data protection principles.

The Head of Human Resources is responsible for:

• Providing each employee with the Employee Privacy Information document prior to beginning the collection of their personal data.
• Improving all employees’ awareness regarding personal data protection.
• Organising, together with the Compliance Department, training in personal data protection for all employees working with personal data.
• Protecting employees’ personal data from inception to removal. They must ensure that employees’ personal data are processed based on the employer’s legitimate purposes and on the need to use such data.

The Commercial Department is responsible for:

Sharing the responsibilities for personal data protection to suppliers and improving suppliers’ awareness levels on personal data protection, and for reducing the submission of personal data to any third party, supplier or business partner. The commercial department must ensure that INCENTIVEHOUSE reserves the right to audit suppliers. Whenever a contract transfers to a third party the power to process personal data under the responsibility of INCENTIVEHOUSE, a Personal Data Processing Agreement must be entered into with that entity.

8. Response to personal data breach incidents

Whenever INCENTIVEHOUSE becomes aware of a suspected or actual personal data breach, it shall bring it to the attention of the Compliance Department, which shall assist the Director in conducting an internal investigation and take appropriate corrective action in a timely manner in accordance with the data breach policy. Whenever there is any risk to the rights and freedoms of data subjects, INCENTIVEHOUSE shall notify the competent data protection authorities without undue delay and, where possible, within 72 hours in accordance with the criteria established by Law.

9. Audit and accountability

The Compliance department is responsible for auditing this document whenever the Director sees fit.

Any employee who violates this policy shall be subject to disciplinary action, and may be subject to civil or criminal liability should their conduct violate laws or regulations on these matters.

10. Conflict of norms

This policy shall be governed by Portuguese, European and international legal and regulatory standards applicable to Portugal. Should there be any conflict between this policy and applicable laws and regulations, the laws shall prevail over this policy.

11. Document validity and management

This document is valid from 20 August 2019.