1. Introduction

The use by ATOUCH WINWEL, LDA. of the information available within the scope of its activity must always bear in mind the legal provisions in force in Portuguese territory, on which the Data Protection Policy, hereinafter referred to as PPD, of ATOUCH WINWEL, LDA., is based.

PPD regulates and monitors the use of information by the company’s internal and external business processes.

PPD does not have a confidentiality character, but is based on a “need to know” logic regarding the internal and external use of data, always in line with the applicable legal provisions.

It is in this context that ATOUCH WINWEL, LDA., in this code called “ATOUCH WINWEL”, has developed its Data Protection Policy (PPD), applicable to all those who collaborate with ATOUCH WINWEL, LDA.

When you subscribe to our services, you trust us with personal information. This Privacy Policy is intended to clarify what data we collect, the reasons that support its collection and the purpose for which it is intended.

By using our website or subscribing to our services, you expressly accept and consent to the processing of your personal data under the terms of this Privacy Policy.

This Privacy Policy explains:

  • What information we collect and process and why we do it;
  • How we use this information;
  • Cookies;
  • The options we offer, including how to access, update and remove information.

The collection, treatment and conservation of the personal data of the Users of the Site is also subject to the provisions of the legislation on the protection of personal data, namely Law No. 67/98, of 26 October and Regulation (EU) 2016/679 of the Parliament and Council of 27 April 2016. ATOUCH WINWEL, LDA. has the conditions to apply the provisions contained therein with regard to information security. ATOUCH WINWEL, LDA. may, at any time and unilaterally, change, add to or amend this Privacy Policy, without prior notice.

2. Purpose and Scope

The purpose of this document is to establish and maintain a certain level of data protection that:

  • Complies with applicable legal provisions on data protection;
  • Meets the needs of customers, partners and employees;
  • Allows business processes to be carried out effectively;
  • Allows ATOUCH WINWEL to maintain a positive external image in the market.

Data protection is a central function and a Data Protection Officer will be appointed, hereinafter referred to as “RPD”, who must report to the administration, at least once a year, the development of the activities carried out within the scope of the PPD.

3. Rules and Procedures

All employees or units of the company that use personal data are individually responsible for complying with the applicable legal and regulatory provisions.

The members of the Administration and Management, in addition to being obliged to comply with the rules and procedures related to the PPD, have the task of implementing structures and ensuring adequate resources for the proper functioning of the PPD.

Department officers must ensure that the processes in their department comply with the PPD.

Employees have an obligation to guarantee the confidentiality of data as an inseparable part of their functions provided for in the employment contract. They must also proceed in accordance with all information and training received and comply with all guidelines defined in the PPD. Failure to comply with these obligations can have disciplinary consequences, and all failures within the scope of the PPD must be reported to the RPD.

For the purposes of the Data Protection Policy, employees are considered to be those who have an employment, internship, service or other comparable relationship with ATOUCH WINWEL.

The RPD is responsible for ensuring compliance with data protection regulations, by providing information to all company employees in this field.

The RPD will also be responsible for identifying risks and proposing improvement opportunities related to the PPD.

Upon approval by the Administration, the RPD may, within the scope of its functions, determine the implementation of PPD measures in any department, and for this purpose, it must have adequate controls and access.

4. Definition of Personal Data

Personal information is considered to be all information, of any nature and regardless of the medium on which it is stored, relating to personal characteristics or material circumstances of a natural or identifiable person (the data subject), namely but not limited to the address, tax identification number, civil identification, personal email, bank identification, profession, biometric data and other details such as health status and income, among others legally applicable.

5. Treatment of Personal Data

Personal data processing means any operation or set of operations on personal data, carried out with or without automated means, such as the collection, registration, organization, conservation, adaptation or alteration, recovery, consultation, the use, communication by transmission, diffusion or any other form of provision, with comparison or interconnection, as well as blocking, erasure or destruction.

Personal information must be collected, processed and used:

  • On the basis of a contractual and confidential relationship with the data subject;
  • With the written consent of the persons involved;
  • With the detail that is legally possible or required.

All procedures for processing personal data must comply with the requirements imposed by the applicable rules.

Any change to the method of collecting and processing personal data must be communicated to the DPO to verify its feasibility and compliance with the applicable rules.

The collection of data must be carried out for specific purposes and be limited to the information necessary for the process in question, and cannot affect, except with the prior consent of the data subject, personal data related to philosophical or political beliefs, party affiliation and union, religious faith, private life, racial or ethnic origin, health or sex life.

The personal data collected must be accurate and must be updated if necessary, and appropriate measures must be taken so that inaccurate and incomplete data is deleted or rectified.

As far as possible and when considered advantageous, the information must be anonymous and pseudonyms can be used.

In case of transfer of personal information and/or the respective supports, special security measures must be taken.

6. Erase and “Freeze” information

When data is not needed for a particular purpose, or when the purposes for which it was stored have been fulfilled, the information must be deleted.

In case it is necessary to retain the data for a certain period of time, the information must be “frozen”.

In the latter case, access to “frozen” information requires specific authorization from the administration, after hearing the RPD.

7. Processing of personal information from the Bernardo da Costa Group

The processing of personal data by another company of the BERNARDO DA COSTA group in which ATOUCH WINWEL is integrated will only be possible with the authorization of the persons involved.

8. Data subjects’ rights

ATOUCH WINWEL shall establish procedures to protect the rights of data subjects with respect to:

  • Compliance with the specific purpose of data collection, that is, personal data cannot be used for purposes other than those that motivated its collection, and of which the data subject has been duly informed;
  • Provision of information to the data subject on the storage of their data, on the respective content and on their right to consult and correct the information;
  • Correction, deletion or blocking of data, and its notification, if possible, to third parties who have become aware of such data;
  • Opposition, always based on ponderous and legitimate reasons related to your particular situation, to the processing of data that you hold;
  • Notification when information is stored for the first time by a method other than the original;
  • Non-use of personal data for purposes of advertising, direct marketing or any other form of commercial prospecting, as well as its non-communication to third parties for the same purposes, except with the prior consent of the data subject.

9. Employee Data Management

The personal data of employees will be treated in accordance with the data protection policy, taking into account the rights and operational requirements of the company.

The personal data of employees are treated exclusively under employment contracts. ATOUCH WINWEL can transfer this data to central units of the group. This transfer will always depend on the approval of the Management, after hearing the RPD, and on the employee’s knowledge.

The processing of the employee’s personal data in the context of a business relationship is based on the same data processing procedure as a normal customer.

Access to this information must be regulated in the company’s agreement.

10. Disclosure and Contracting

The PPD will be posted on the company’s website.

The obligation of confidentiality on the part of ATOUCH WINWEL employees, in relation to the personal data to which they have access by virtue of their functions, must be included in the employment contracts, remaining in any case in force even after the end of the respective functions at the service of ATOUCH WINWEL for the time legally required.

11. Information and Training

Adequate information and training on PPD should be made available to all employees in the company.

12. Provision of Personal Data to Third Parties

Personal data can only be made available to external entities when this is specifically provided for in the Law, or by express consent of the data subject.

Before any information is provided by telephone, an appropriate identification of the information requestor must be carried out by contrasting specific personal data.

The applicant must be informed in advance that the information requested for the purpose of contrast constitutes a measure to protect his own personal data.

The provision of personal data to spouses or legally equivalent to the persons whose personal data are collected will follow the same rules as the provision of information to third parties.

If personal data are required by auditors or external authorities, their supply will be limited to what is strictly necessary so that these entities can adequately perform the tasks and functions that, by law or contract, are assigned to them.

In case of doubt about access rights to information, the RPD should be consulted.

13. External Service Providers

Contracts with external providers should include requirements specific to the PPD.

14. Data Protection and Security Measures

Measures aimed at an adequate data protection policy should be implemented, avoiding its improper, accidental or intentional disclosure.

The data should be classified according to its level of confidentiality.

The strictness of the protection measures must be proportional to the level of confidentiality of the data to be protected.

Doubts

In case of doubt about access rights to information, about specific requirements to be imposed on third parties or others that pertain to the PPD, the RPD should be consulted, and, whenever applicable, it will use the Legal Services to obtain the legal framework of the respective decisions.

The RPD reports to the administration the cases in which it was heard and the guidance it provided on such cases.

The RPD immediately informs the administration whenever its intervention has been requested and may interfere with the normal functioning of the services.