What is the Legal Framework?
The Moneris group is now a global organisation, attentive to the reality of companies and institutions, their socio-economic context and the challenges and opportunities they encounter, in the different markets where they operate.
We intend to be recognized for the excellence of the services we provide and seek, at every moment, to create value for our customers and exceed their expectations.
We are determined to contribute decisively to the promotion and development of our clients’ projects and businesses, relying on the determination and commitment of a vast and multidisciplinary team of professionals, who work in the most diverse management areas.
Present from north to south of the country, with more than 20 offices and 300 employees.
We are a leading group in the provision of accounting services, consulting and management support in Portugal, with approximately 4,000 clients.
The multiplicity of national and Community legislation to which the Moneris Group is subject, and the rigour, demands and responsibility that the activities carried out by the Moneris Group require, justify from the outset the creation of a Data Protection Policy, not only for strict compliance with the legal standards in force, but also so that each Employee adopts conduct consistent with the high standards of ethics, quality and rigour that the Moneris Group requires.
The adoption of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data (General Data Protection Regulation – “Regulation” or “GDPR”), and the consequent need to adapt the processes and methodologies applicable to how personal data will be processed, make it essential to know the rules which, from 25 May 2018, apply to the processing of personal data.
The Moneris Group’s Data Protection Policy (hereinafter “Policy”) is a document designed directly for all our Clients, whose main purpose is to convey the rules for the processing of personal data, the purpose of its collection and the way it is processed, in line with the provisions of personal data protection legislation and the Regulation which will soon enter into force.
This document identifies the set of principles governing the activity of the undertakings that are part of the Moneris Group (hereinafter “Moneris” or “Group”), as well as a set of procedural, ethical and deontological rules by which the Members of the Statutory Bodies (hereinafter “MoE”) and all its Employees are bound, always combined with the legal provisions regarding the protection of personal data.
This Policy also intends to convey Moneris’ high standards of action and conduct, including in the relationships between MoE, Employees, Customers, Suppliers, Shareholders, Official Entities, Partners and the Community, contributing to the transparency of its activity, so that it can be seen as a reference policy of excellence, transparency, honesty, commitment and rigour.
This document is subject to periodic reviews in order to ensure its continuous improvement and legal and regulatory compliance.
What is personal data?
“Personal Data” should be understood as information relating to an identified or identifiable natural person (data subject); a natural person is considered identifiable if he or she can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, identification number, location data or electronic identifier, or to one or more specific elements of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Examples of personal data:
• Identification number (BI, NIF, driver’s license, Passport);
• Identification and location addresses (physical as well as electronic: email address, web page, Facebook page, etc.);
• Biometrics (Height, weight, various physical connotations, Genetics);
• Health (Syndromes, diseases, Physical or mental performance, Diagnostic data such as blood pressure or ECG);
What are the Rights of Data Subjects?
In terms of the rights of data subjects, the Regulation gives the holders of personal data subject to processing a set of rights that must be safeguarded by the data controller. In order to give full information on the rights of personal data subjects, we provide a brief explanation of each of them:
I. Right of Access
Data subjects have the right to know whether or not personal data concerning them is being processed, whether the data has been transmitted to another entity, as well as to access their data and all information relating to the processing. In other words, data subjects are entitled to obtain information about the personal data that is processed and about the processing itself, such as the purposes of the processing and the time limits for the retention of personal data. In principle, the right of access must be free; however, fees may be charged for such access in the case of unfounded or excessive requests;
II. Right of Rectification
Data subjects are guaranteed the right to obtain rectification of their personal data that is outdated, incorrect or incomplete.
III. Right of Erasure
Also referred to as “the right to be forgotten”, this right allows data subjects to request that the data controller erase their data. Data subjects, within the limitations established by law, are guaranteed the right to obtain the deletion of their personal data provided that:
• The data prove unnecessary for the purposes for which they were collected or processed;
• The holder withdraws consent when the processing is necessarily based on it and there is no other legal basis for the processing of the data;
• The holder opposes the processing of personal data used for automated and/or profiling purposes;
• The personal data has been unlawfully processed.
It should be noted that there are limitations on the right to erasure, in particular those relating to data retention periods for reasons of public interest, national security, billing, commercial, tax and others.
IV. Right to Limitation of Processing
In parallel with the right of erasure, there is the right to limitation of processing, i.e. the data subject has the right to require the limitation of the processing of his personal data in the following situations:
• The data subject contests the accuracy of the personal data, for a period enabling the controller to verify its accuracy;
• The processing is unlawful and the data subject opposes the deletion of the personal data and requests, instead, the limitation of its use;
• The controller no longer needs the personal data for processing purposes, but such data is required by the holder for the purpose of declaring, exercising or defending a right in judicial proceedings;
• The data subject has opposed the processing, until it is found whether the legitimate reasons of the controller prevail over those of the data subject.
V. Right to Data Portability
The right of portability gives the holders of personal data the right to request their personal data from the controller, in a commonly used format, and even its transfer to another controller, provided that this is technically possible.
VI. Right of Opposition and Automated Individual Decisions
The data subject has the right to object at any time, for reasons relating to his particular situation, to the processing of personal data concerning him, which is based on legitimate interests or public interest, including the definition of profiles based on these provisions.
What is the processing of personal data?
The processing of personal data consists of an operation or set of operations carried out on personal data or sets of personal data, whether or not by automated means, in particular the collection, registration, organisation, structuring, conservation, adaptation, recovery, consultation, use, dissemination, comparison, interconnection, limitation, erasure or destruction.
The Regulation lays down stricter rules on the processing of special categories of personal data – e.g. racial or ethnic origin, political opinions, religious or philosophical convictions, trade union membership, health data or data related to sexual life or sexual orientation – maintaining law and consent as sources of legitimacy.
The principles of legitimacy, loyalty, transparency, purpose and accuracy are expressly referred to. In terms of the rights of data subjects, the rights of information, access, rectification, opposition are in force, establishing the general principle of interdiction of automated individual decisions.
In what situations we process your Personal Data
There are situations that legitimize the processing of personal data. Moneris will process personal data exclusively in the following situations:
There is a situation of legitimate interest where data processing is necessary for the purpose of the legitimate interests pursued by Moneris or third parties, unless the interests or fundamental rights and freedoms of the holder require the protection of personal data, in particular if the holder is a child, such as the processing of data to ensure the maintenance of contracted services, for the improvement of the quality of services, for fraud detection;
Contracting and Pre-Contracting
Where the processing is necessary for the performance of a contract to which the data subject is a party, or for pre-contractual steps at the request of the data subject.
Consent serves as a legitimising basis for the processing of personal data; however, it must meet certain requirements in order to be taken into account. To be valid, consent must be a free, specific, informed and explicit manifestation of will, whereby the data subject accepts, by means of a statement or unequivocal positive act, that the personal data concerning him be subject to processing. Consent may be provided through validation when visiting Moneris’s website, by selecting the technical parameters for information society services, or by another statement or conduct that clearly indicates in that context that the data subject accepts the proposed processing of his personal data. Silence, pre-validated options or omission shall not constitute a form of consent;
Compliance with a legal obligation
The processing of data shall also be lawful, where it is necessary for the fulfilment of a legal obligation to which Moneris is subject;
For what purpose we process your Personal Data
Your personal data will only be processed for this purpose upon your consent, in the context of newsletters and the dissemination of new products and services. If you consent, you will receive information via email.
Accounting and Tax Advisory
In this sector in particular, Moneris will process your personal data for the sole purpose of preparing your accounting and providing you with tax advice, whether under the organized accounting regime or under the simplified regime. Economic and accounting management, tax management, administrative management, billing management and the completion and delivery of VAT statements are some examples of purposes for which your personal data will be processed.
Moneris will process your data for the following purposes:
-Management of Trainees and Trainers;
-Certification and Accreditation.
Pre-Litigation and Litigation Management
In the event of a dispute or pre-litigation situation, Moneris will process your data for the judicial and extrajudicial collection of claims and the management of other disputes that may arise.
As one of Moneris’ main sectors of activity, in human resources services your personal data will be processed for the purposes of wage processing, vocational training, human resource management and personnel selection and recruitment.
Compliance with legal obligations
Where necessary, your personal data will be processed for compliance with court orders, responses to judicial entities, regulatory entities and supervisory bodies.
How long is the storage and retention of your Personal Data
The length of time during which your personal data may be stored and retained varies depending on the purpose for which the personal data was provided and will be processed.
It should be borne in mind that there are legal rules requiring the retention of personal data for a certain period of time. Thus, where there is no legal requirement for the retention of your personal data, it will be stored and retained only for the period necessary for the pursuit of the purposes that motivated its collection or subsequent processing, in accordance with the provisions of the law or until your consent is revoked.
Here are some examples of storage and retention periods for your personal data:
- The maximum period for the retention of data with fiscal relevance is 10 (ten) years from the date of termination of the Contract, as stipulated in Article 123(4) of the IRC Code (with the wording given by Law No. 7-A/2016, of March 30, applying to tax periods that begin from January 1, 2017);
- The maximum period of retention of documentation relevant to labor matters is 10 (ten) years from the date of termination of the Contract, also as stipulated in Article 123(4) of the IRC Code.
- The maximum period for the retention of personal data contained in correspondence, bookkeeping and documents relating to it is 10 (ten) years, in accordance with Article 40 of the Commercial Code, with the wording given by Decree-Law No. 76-A/2006 of 29 March.
- The period for the retention of personal data relating to the records of working times and records of work provided to compensate for periods of absence from work, is 5 (five) years, as stipulated in Article 202 of the Labor Code.
- The period for the retention of personal data relating to Occupational Accident Insurance (payroll of the Worker, including their name, profession, working days and hours, remuneration and other benefits of a regular character, or copies of the payroll sheets sent to social security), is 5 (five) years, pursuant to Article 16(b) of Standard No 12/99 R of 8 November, with the amendments introduced by Standards No 11/2000 R of 13 November, 16/2000 R of 21 December and 13/2005 R of 18 November (uniform occupational accident insurance policy for employees).
- The maximum period of retention of other personal data is 18 (eighteen) months from the date of termination of the Contract.
How and When Do We Collect Your Personal Data?
Your personal data is collected upon the provision of your consent, as a rule, at a pre-contractual stage designed to obtain our services. The collection of your personal data will always be done in writing upon prior provision of consent.
Some personal data are indispensable to the performance of the contract and, in case of lack or insufficiency thereof, either by default or by refusal to make these available, Moneris does not guarantee the provision of the service that is at issue and may not be liable.
The personal data collected may be processed electronically and in an automated or non-automated manner, ensuring in all cases strict compliance with personal data protection legislation. It is stored in specific databases created for this purpose and in no situation will the data collected be used for a purpose other than that for which it was collected or for which the data subject gave consent.
Who is the Controller of Personal Data?
The entity responsible for the collection and processing of your personal data will be Moneris – Serviços de Gestão, S.A. (or another company belonging to the Moneris Group), which provides the contracted service to you and, within that scope, decides which data is collected and determines the purposes and means of processing the personal data.
The measures to be implemented shall take into account the nature, scope, context and purposes of data processing, as well as the risk it may entail for the rights and freedoms of natural persons.
The Data Protection Officer
The Data Protection Officer (“DPO”) plays a key role in ensuring that Moneris complies with all legal obligations under the GDPR, being Moneris’ point of contact with the CNPD and functioning as a mediator with the holder of the personal data.
As far as Moneris is concerned, the DPO checks compliance with this Policy and defines clear rules for the processing of personal data.
The Moneris Data Protection Officer performs the following functions:
- Informs and advises the controller or processor, as well as the workers and other employees who process the data, regarding their legal obligations;
- Controls compliance with the GDPR and other applicable data protection provisions;
- Advises, where requested, as regards the data protection impact assessment and controls its implementation;
- Cooperates with the CNPD;
- Acts as the contact point for the CNPD on data processing issues.
For questions related to the processing of your personal data you should contact us through the following means:
Phone: 210 316 400
Address: Rua Dr. António Loureiro Borges, no. 1 – 2, 1495-131 Algés