Privacy Policy
Scope of Application
This Privacy Policy applies to all and any processing of personal data carried out by EXS - Mediação de Seguros, Lda. (hereinafter, "EXS - Seguros").
The data subjects whose personal data is processed by EXS - Seguros and to whom this Policy applies may be clients, employees, candidates, suppliers, service providers or any third party with whom EXS - Seguros has dealings in the course of its business activity.
The rules and procedures referred to in this policy may be further detailed in specific internal procedures and/or policies.
For clarification of any questions about the application of this Policy, please contact us at: seguros@exs.pt. Whenever necessary, EXS - Seguros will update this Privacy Policy in accordance with laws, regulations and best practices.
These changes will be notified to employees, clients and interested parties through the following means:
- Employees: communication via email and posting in the workplace;
- Customers and Service Providers, in their capacity as subcontractors: notification by email of changes to the Privacy Policy that affect the services provided or the data processing operations to which they relate, without prejudice to any need to amend contractual documentation or to make other notifications to the data subjects.
Privacy
EXS - Seguros is committed to the confidentiality and protection of personal data collected in the scope of its activities.
In the scope of its activity, EXS - Seguros may, by automated or non-automated means, process the personal data of, namely, Employees, Clients and Service Providers acting as subcontractors.
EXS - Seguros will collect and process personal data for determined, explicit and legitimate purposes, and these may not be subsequently processed in a manner incompatible with those purposes.
The data collected will be only those necessary and adequate for the purposes described and will be kept only as long as necessary and in an updated form.
Personal data must be retained for a pre-defined or definable period of time, taking into account the purposes of processing, and must be deleted or fully anonymized after the retention period.
EXS - Seguros will use a systematic review and update system for personal data present in its own systems, as well as those of third parties with whom it is related as data controller, co-controller or subcontractor.
EXS - Seguros undertakes to use internal security systems and procedures for the protection of personal data of its Clients, Employees and Service Providers that guarantee their integrity and confidentiality.
EXS - Seguros undertakes to maintain fair and transparent processing of personal data in its possession.
The processing of personal data is governed by the Data Protection Law internally approved and by the General Data Protection Regulation 2016/679 (the "GDPR"), or other applicable legislation.
Personal Information
Data Subject Rights
EXS - Seguros ensures that personal data subjects can exercise their rights at any time.
- Requests to exercise rights will be submitted to EXS - Seguros via email to: seguros@exs.pt
- Personal data subjects may also contact the data protection supervisory authority: the Portuguese Data Protection Authority (CNPD - Comissão Nacional de Proteção de Dados), Rua de São Bento, 148-3º, 1200-821 Lisboa, telephone +351 213928400, e-mail geral@cnpd.pt
- Requests to exercise rights will be responded to without undue delay and, in any case, within one month of receiving the request.
- EXS - Seguros ensures that all requests for the exercise of rights are attended to free of charge.
- Other details: any degree of disability affecting you or a member of your household; any temporary disability resulting from an accident at work or an occupational illness; the location and method of payments to be made by EXS - Seguros; your bank account number and the name of the bank.
Other data may be collected from our customers and employees where necessary, and will be processed in accordance with all legal obligations.
Rights of Data Subjects
In accordance with the legal and regulatory requirements relating to data protection, EXS - Seguros ensures that data subjects can exercise their rights regarding the way in which their personal data is processed and stored.
To exercise their rights, data subjects should contact EXS - Seguros using the contact details provided below for this purpose, and these requests will be processed in accordance with legal requirements.
EXS - Seguros may, before processing the request, verify the identity of the requester whenever it has doubts about the identity of the person who submitted the request.
Requests to exercise rights will be answered without undue delay and within a maximum of one month from the date of receipt of the request. Where a request is particularly complex or where a large number of requests are received, the response period may be extended to up to two months.
If the response period is extended, EXS - Seguros will inform the data subject, within one month of receiving the request, of the reasons for the delay in responding to the request.
EXS - Seguros endeavours to respond to all enquiries, and all enquiries are reviewed to ensure that their resolution complies with the applicable legal and regulatory requirements.
Where there is a legal and/or regulatory framework that prevents the data subject from exercising a right they have invoked, EXS - Seguros reserves the right not to comply with the request.
In such situations, EXS - Seguros will inform the data subject, within one month of receiving the request, of the reasons why the request cannot be granted and of the possibility of lodging a complaint with a supervisory authority and bringing legal proceedings.
Where requests are manifestly unfounded or excessive, EXS - Seguros also reserves the right to charge a reasonable fee, taking into account the administrative costs of providing the information or communication, or of taking the requested action.
The rights that may be invoked are set out in the following points, as defined in the applicable laws and regulations, with a note on their main features.
- 1. The right of access
You may contact EXS - Seguros at any time to request confirmation as to whether or not personal data concerning you is being processed by EXS - Seguros, as well as to be informed about the personal data in question, the grounds for processing that information, the recipients to whom the personal data has been or will be disclosed, the information available regarding the source of the data and, where possible, the retention period. Upon request, you may receive a copy of the personal data currently being processed.
- 2. The right to correct and update your personal data
The data subject may, taking into account the purposes of the processing, correct their personal data if it is incorrect or incomplete, and update it whenever it is out of date.
- 3. The right to erasure (‘the right to be forgotten’)
Every data subject has the right to request the erasure of personal data whenever, for example, such data is no longer necessary for the purpose for which it was collected or processed, or when the data subject withdraws their consent, where applicable, provided that there is no other legal basis for such processing, no overriding legitimate interests justifying the processing, or the processing is necessary for the purposes of establishing or defending a legal claim in legal proceedings.
EXS - Seguros will review the request and, if it is deemed valid in accordance with the applicable legal and regulatory provisions, will confirm whether the data has been deleted or the reason why this was not possible.
- 4. The right to restrict the processing of your data
The data subject may request that the processing of their data be restricted if one of the following legal conditions applies:
- Where the data subject disputes the accuracy of the personal data, in which case processing must be restricted for a period sufficient to allow EXS - Seguros to verify its accuracy, or where the data subject has objected to the processing, until it is established that the legitimate grounds of the data controller override those of the data subject;
- Where the processing is unlawful and the data subject requests only that its use be restricted;
- Where EXS - Seguros or the data controller on whose behalf EXS - Seguros processes the data no longer requires the personal data for the purposes of processing, but such data is required by the data subject for the purposes of asserting, exercising or defending a right in legal proceedings.
- 5. The right to object to the processing of your data
The data subject has the right to request at any time that EXS - Seguros cease processing their personal data. Upon receipt of your request, EXS - Seguros will assess it and, if it is deemed valid in the light of the applicable legal and regulatory provisions, EXS - Seguros will cease the processing in question. If no decision is reached regarding the validity of the request within a maximum period of one month, EXS - Seguros will suspend the processing or processing operations in question, as far as possible, until a final decision is reached.
- 6. The right to data portability
The data subject has the right to request that EXS - Seguros transfer or provide, in a structured, commonly used and machine-readable format, the data subject’s personal data whenever such data is held by EXS - Seguros, in accordance with the applicable legal provisions, and where the processing of data is carried out by automated means and is based on the data subject’s consent or is necessary for the performance of a contract to which the data subject is a party or for pre-contractual measures at the data subject’s request. EXS - Seguros will comply with the request, insofar as this is feasible, within one month of receiving it. EXS - Seguros shall refuse portability requests where these would prejudice the rights and freedoms of third parties, or where another limitation set out in applicable legal or regulatory provisions applies.
- 7. The right to lodge a complaint
If the data subject considers that their data has not been processed in accordance with the law, they may lodge a complaint with the supervisory authority.
Currently, the supervisory authority responsible for data protection matters in Portugal is the National Data Protection Commission (“CNPD”), to which you may address any queries or lodge complaints should you become aware of any breach of personal data protection regulations. The CNPD can currently be contacted as follows:
Enquiries:
https://www.cnpd.pt/bin/duvidas/duvidas_frm.aspx
https://www.cnpd.pt/bin/duvidas/queixas_frm.aspx
Rua de São Bento n.º 148-3º 1200-821 Lisboa
Tel: +351 213928400 / Fax: +351 213976832
geral@cnpd.pt
Processing of personal data by EXS Seguros
In general, EXS - Seguros processes data subjects’ personal data in the following contexts, for the following purposes and on the following legal grounds:
Performance of the employment contract and fulfilment of obligations as an employer
EXS - Seguros processes its employees’ personal data for the purposes of fulfilling the employment contract or complying with its legal obligations as an employer, in particular to carry out payroll processing and to fulfil obligations relating to health, safety and hygiene at work, occupational medicine, etc.
This information will be collected in person or by email; it will be provided by the employee and stored in EXS - Seguros’ computer system and paper files.
Employees’ personal and contact details may be sent to organisations subcontracted by EXS - Seguros, whilst ensuring compliance with the applicable legal and regulatory requirements at all times.
Any special category data will be processed in strict compliance with the applicable legal and regulatory provisions; in particular, it must not be used for purposes other than those for which it was collected, nor must it be accessed by any person who is not authorised to do so, and technical and organisational measures will be implemented to ensure that access to the data is restricted.
By law, EXS - Seguros is required to retain its employees’ data even after the end of their employment contract, until the statutory limitation period for legal rights or obligations expires.
Upon signing their employment contract, all employees must sign a confidentiality agreement, undertaking not to disclose any information to which they have access whilst carrying out their duties, in particular the personal data of other data subjects, and to comply with this policy, in accordance with the terms applicable at any given time following any amendments made to it.
Training
As part of the training provided to its staff, EXS - Seguros may collect, in addition to the trainees’ personal details, information regarding the training they have received.
As part of training activities, employees’ names may be disclosed to training service providers contracted by EXS - Seguros.
Employees will be informed in advance of the transfer of their personal data, the recipients of such data and the purposes for which it is being transferred, as well as any other information that must be provided to them in accordance with the applicable laws and regulations.
Occupational medicine and health and safety
In accordance with the applicable legal and regulatory requirements, employees must be provided with the safeguards set out in relation to occupational health and health and safety at work (HST).
In this context, personal and health data relating to Employees is collected, and such data must be collected and processed in accordance with the law.
The data collected is recorded on a medical fitness form and may be requested by a supervisory authority in the context of HST.
This information may be collected and processed by occupational health and health and safety service providers contracted by EXS - Seguros, always in strict compliance with the applicable regulations.
EXS - Seguros confirms that it is fully aware of and complies with all requirements relating to the processing of personal data for the purposes of occupational medicine and health and safety at work.
Insurance
In connection with the conclusion and performance of certain insurance contracts that are legally mandatory, or which EXS - Seguros, as the policyholder, offers to its employees, special categories of personal data relating to employees as insured persons and their beneficiaries may be disclosed.
Such notifications must be made directly by employees to the insurance company with which the insurance contract is concluded.
In connection with the conclusion and performance of insurance contracts that do not require the transfer of special category data, EXS - Seguros may, where necessary, be involved in the processing of such data, always in accordance with the principle of data minimisation.
Use of telephone and computer equipment
EXS - Seguros may provide its employees with access to computer and telephone equipment, where this is justified and necessary for the normal performance of their duties.
The use of this equipment, which is the property of EXS - Seguros, shall be restricted to professional purposes.
If the equipment provided is, or may be, subject to monitoring by the operator or supplier, the employee must be informed of this at the time the equipment is handed over.
Such monitoring will be preceded by a thorough legal and regulatory analysis, as well as a prior impact assessment.
Other communications to staff
EXS - Seguros may collect identification and contact details for purposes unrelated to the provision of the work or services in question, where this is justified by valid purposes and legal grounds.
The collection and processing of identification and contact details for the purpose of congratulating or supporting employees in personal circumstances – such as celebrating employees’ birthdays or weddings, or providing support in the event of the death of an employee’s family member – may be carried out on the basis of that employee’s valid prior consent for the purpose of sending personal communications.
Access controls
EXS - Seguros may collect and process personal data or record CCTV footage on its own premises for the purposes of controlling access to those premises or for crime prevention, on the basis of EXS - Seguros’ legitimate interests.
In any event, the processing of such data for the stated purposes must be preceded by a legal assessment and a prior impact assessment, and all necessary measures must be taken to ensure compliance with the applicable legal and regulatory requirements.
Clients
In the course of its business, EXS - Seguros also processes customers’ personal data necessary for the performance of a contract and/or to comply with legal obligations, with a view to managing the contractual relationship, including, but not limited to, registration as a New Customer, sending communications for the purposes of contract performance and management and/or marketing campaigns, where the Customer has given their consent, responding to any communications sent by post, telephone, email or other means, and the management and collection of applicable payments, fees and/or charges.
The data provided by these data subjects is generally used in the context of the contractual relationship and for the performance of the contract or to comply with a legal obligation to which EXS - Seguros is subject, unless the data subject has given their consent for specific purposes or in cases where another legal basis provided for in a statutory or regulatory provision applies.
In some cases, due to a legal obligation, EXS - Seguros must retain the data of these data subjects after the contractual relationship has ended, in which case the data subject will be informed, at the time of collection, of the applicable retention periods or the criteria according to which such data may be identified.
Upon signing the contract, Employees or Service Providers will sign a confidentiality agreement, undertaking not to disclose any information to which they have access during their contractual relationship with EXS - Seguros, in particular the personal data of other data subjects, and to comply with this Policy, in accordance with the terms applicable at any given time following any amendments made to it.
Third parties with whom we share your information
EXS - Seguros may need to share your personal data with third parties acting on its behalf or providing services to it.
Your personal data will be kept secure at all times and will only be shared with such third parties where strictly necessary.
Your personal data may, in particular, be disclosed to the following organisations:
- Professional advisers (including, but not limited to, legal advisers and financial advisers), insurance companies, banks, auditors, organisations and financial managers;
- Providers of certain services, including, but not limited to, IT and systems administration services, cloud hosting and storage services, and other software used to meet data requirements and manage data in the course of the business;
- The Portuguese Government or any other public authorities or national regulatory authorities, where EXS - Seguros is required to do so by any applicable laws.
Liability
For contractual reasons, EXS - Seguros holds some of your personal data, in particular for the purposes of managing the contractual relationship. This means that we are accountable to you for the way in which we process that data.
EXS - Seguros will treat all personal data for which it is the data controller with the utmost confidentiality, complying with and ensuring compliance, to the best of its ability and within the scope of its responsibility, with the prohibition of unlawful use.
EXS - Seguros employees who fail to comply with the terms and conditions of this Privacy Policy, or with other internal rules on the protection of personal data that implement it, are liable to disciplinary proceedings.
Conservation
Personal data is retained in strict compliance with legal provisions or for the period necessary to fulfil the purpose for which it was collected and processed, in the course of the activities carried out by EXS - Seguros.
EXS - Seguros complies with all legal obligations, including those relating to the storage and updating of personal data. Data is stored and destroyed in a secure manner.
The data collected is limited to what is strictly necessary and is protected against loss, misuse, unauthorised access or disclosure.
Safety Measures
EXS - Seguros ensures the security of your data and compliance with all legal obligations in the event of a security breach.
To ensure the security of personal data, EXS - Seguros has implemented a range of technical and technological measures and procedures.
EXS - Seguros will implement a range of data security controls, defined in accordance with business needs and security policies, and will actively monitor these controls to detect any failures or breaches, including reviewing authorisations for access to personal data – whether its own or that of third parties – by data subjects and EXS - Seguros employees.
Other data processing activities
Should it be necessary to process your data for a new purpose not covered by this document, EXS - Seguros will send you a notification explaining the reason for and the terms of such processing.
International Data Transfers
EXS - Seguros will not transfer personal data outside the European Union or to an international organisation unless appropriate safeguards are in place to ensure that personal data is kept secure, such as Standard Data Protection Clauses or Adequacy Decisions by the European Commission.
Contacts
Please contact EXS - Seguros regarding this Privacy Notice or your personal data:
EXS - Mediação de Seguros, Lda
Email: seguros@exs.pt
Phone: +351 21 782 7640