Privacy Policy

Table of Contents:

  1. Introduction
  2. General provisions
      1. Governance
      2. Knowing and implementing the policy
        1. Knowledge, compliance and cooperation
        2. Privacy Awareness Program
        3. Doubts
      3. Definitions
  3. General principles
    1. Alignment
    2. Privacy by design
    3. Privacy by default
    4. Privacy impact assessments
  4. Personal Data
    1. Persons subject to the present policy
    2. Other sources
    3. Processing purposes
    4. Information
    5. Other purposes
    6. Grounds
    7. Consent
    8. Data processors
    9. Communication to third parties
    10. International transfers to third countries
    11. Retention period
    12. Data security
    13. Personal data breach
    14. Exercise of rights
    15. Data protection impact assessments
  5. Sensitive Data
    1. Sensitive data
    2. Reinforced duty of secrecy
    3. Practice and codes of conduct
    4. Information security containing sensitive data
    5. Restrictions of use
  6. Specific principles
    1. Employees
    2. Service providers
    3. Providers and partners
    4. Clients
    5. Contractual principals
  7. Safety measures
    1. General principle
    2. Internal policies
    3. Physical safety measures
    4. Logical safety measures
  8. Final provisions
    1. Binding
    2. Data protection officer
    3. Queries
    4. Revision and monitoring
    5. Communication and dissemination
    6. Entry into force

Introduction

VISION BOX – SOLUÇÕES DE VISÃO POR COMPUTADOR, S.A. (hereafter, “VISION BOX”), LPIN (Legal Person Identification Number) 505350173 with head offices at Casal do Canas Street, 2, Zona Industrial de Alfragide, 2790-204 Oeiras, is a company primarily engaged in the development, integration, production and marketing of computer vision solutions and information systems as well as the import and export of capital goods, components and computer consumables and consultancy services and training in similar areas.

In the scope of its activity VISION BOX, has access to as personal data, since it consists of information relating to an identified or identifiable natural person.

This information is collected directly from the data subjects, from employees, and clients. However, the information is also generated through a series of operations performed by VISION BOX in the scope of its activity. Consequently, VISION BOX’s activity must comply with the legislation, regulations and best practices for processing of personal data.

Due to the nature and complexity of VISION BOX’s activity, all members of governing bodies, employees, regardless of the nature of their position, service providers and other VISION BOX associates (hereafter “Persons Subject to the present Policy”) are bound to this Internal Policy for Data Protection and Privacy (hereafter “Policy”) and therefore, bound to its compliance and adherence, as well as to other Policies related to it, which are in force at VISION BOX from the moment the collaboration relationship with VISION BOX starts.

VISION BOX is committed to protecting all personal data, for which it is responsible. To this end, VISION BOX has drawn up this Policy, in order to raise awareness of its commitment to, and respect for, the rules of privacy and personal data protection of the data VISION BOX collects and processes.

The present Policy also aims to set out the compliance of internal practices and define the internal procedures for any processing of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

All Persons Subject to the present Policy must be aware that failure to comply with the rules established by the present document may cause immeasurable damages to, the privacy of the data subjects and may cause VISION BOX to be liable.

General provisions

Governance

The governance model including the roles and responsibilities for privacy and data protection issues is defined as set out in the organization’s Data Governance Overview document.

Knowing and implementing the policy

Knowledge, compliance and cooperation

It is mandatory that anybody who is subject to the present Policy knows and understands the content of the current Policy and any subsequent update. Therefore, all employees are required to read and review the privacy policy, privacy governance and information security policy upon being hired.

It is also mandatory for anybody, who is subject to the present Policy, to comply with the Policy and cooperate in its implementation.

Anybody who is subject to the present Policy should have knowledge of the overall Policies of VISION BOX, inter alia, Policies related to information security, explicitly stating that they know their respective contents and those they undertake its compliance.

It is important for us that everybody understands the role and responsibility they have within Vision Box and agree to comply with the company’s policies so we will keep you informed if any changes are made to the present Privacy Policy by sending you an e-mail with a link or reference.

Privacy Awareness Program

Vision Box has an annual privacy communication program (Data Protection Week) that will take place every year, according to the annual marketing and communication plan.

During the Data Protection Week employees will be asked to read and acknowledge that they agree and comply with Vision Box’s policies, they will be asked to complete an e-learning privacy training.

Vision Box’s annual marketing and communication plan shall include specific initiatives to implement during Vision Box’s Data Protection Week.

Doubts

Any doubts resulting from the interpretation of the present Policy must be promptly submitted to the competent bodies through the appropriate channels.

Anyone who is subject the present Policy shall refrain from any behaviour regarding procedures for which might have any doubts.

Unawareness, lack of knowledge or ignorance are not valid justifications for not complying with, or infringing on, the present Policy.

Definitions

For the purposes of this Policy:

  • Biometric Data shall mean personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
  • Client shall mean the entities who acquire VISION BOX products and services;
  • Controller shall mean the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
  • DPO shall mean Data Protection Officer or the person within the company with the role of ensuring compliance with privacy and data protection laws and regulations;
  • Personal Data shall mean any information of any type relating to an identified or identifiable natural person (“data subject”). A person can be identified, directly or indirectly, in particular by reference to identifiers such as name, an identification number, location data, online identifiers, as logins, and other access credentials or, other factors, inter alia, physical, physiological, genetic, economic, cultural or social;
  • Personal data breach shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
  • Processor shall mean the natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
  • Processing shall mean any operation or set of operations which is performed upon personal data, regardless its manual, logical or automatic nature. Therefore, operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, combination, erasure or destruction, are always data processing;
  • Profiling shall mean any form of automated processing of personal data consisting of the use of that data to evaluate certain personal aspects regarding a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
  • Pseudonymisation shall mean the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is stored separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person;
  • Recipient shall mean the natural or legal person, public authority, agency or any other body to whom personal data is disclosed, whether a Third Party or not. However, the public authorities that might receive personal data in the scope of specific inquiries, under the terms of the Union or Member-States Law, shall not be regarded as recipients; the processing of that data by those public authorities shall comply with the data protection rules applicable, according to the purposes of the processing;
  • Third Party shall mean any natural or legal person, public authority, agency or any other body other than the data holder, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorised to process the personal data.

General principles

Alignment

VISION BOX’s central activity, products and services are based on the processing of personal data.

Taking into consideration the increasing relevance that privacy and data protection represents to citizens, – but also the fact that the entities who acquire VISION BOX products and services, are obliged to comply themselves with data privacy, principles, laws and regulations – the present Policy is intended to be an essential step towards developing a governing strategy regarding personal data protection.

Privacy by design

Within the scope of its development procedures, VISION BOX will adopt internal guidelines and apply measures that respect, in particular, the principals of data protection from conception.

The goal of these measures is to reduce the risks that may arise from the processing of personal data by implementing the appropriate technical and organizational measures, such as pseudonymisation and minimization, both at the time of the selection of the means for processing and at the time of the processing itself.

The DPO shall advice and have an active role from the early stages of the development of any new products.

Internal guidelines regarding Privacy-by-Design procedures and policies will be reviewed annually and updated every time there are changes to applicable laws and regulations.

Privacy by default

Within the scope of the development procedures of its products and/or services, VISION BOX is committed to adopting internal guidelines and applying measures that respect, in particular, the principals of data protection by default.

The goal of these measures is to reduce the risks arising from the processing of personal data by implementing appropriate technical and organisational measures that ensure by default that only personal data – which is necessary for each specific purpose of the processing is processed – as well as compliance regarding data storage and accessibility.

Privacy impact assessments

In order to ensure the Privacy-by-Design and the Privacy by Default, when developing new products and/or services, VISION BOX shall conduct a Privacy Impact Assessment (PIA) in order to identify potential risks on privacy.

The DPO and Legal Department will both provide advice regarding the PIA.

Assessments shall contain at least:

  • A systematic description of products and/or services and the purposes of the processing, including, where applicable, the legitimate interest pursued by Vision Box;
  • An assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • An assessment of the risks to rights and freedoms of the data subjects;
  • The legal framework and legal risk assessment;
  • The privacy assessment risk;
  • The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the General Data Protection Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned;
  • Conclusions and recommendations.

Personal data

Persons subject to the present policy

Within the scope of the contractual relationship between the Persons Subject to the present Policy and VISION BOX, personal data will be provided and collected:

  • During a recruitment process, when the candidate submits his information for analysis. This data includes information provided by the curriculum vitae of the candidate and collected, eventually through specific recruitment platforms, inter alia, name, age, date of birth, telephone number, mobile phone number, address, e-mail, marital status, academic qualifications, working experience, certificates of competence and good repute;
  • When a contract is signed between VISION BOX and a new employee to comply with the legal obligations VISION BOX has with Social Security, the Authority for Working Conditions (ACT) as well as other authorities and regulatory bodies, inter alia, tax identification number, social security number or its equivalent, IBAN number, bank, number of dependents, social benefits and other equivalents, data related to good repute;
  • During the execution of the contract there may be processing of other personal data in virtue of the regulations set out internally and for the compliance with the regulatory and/or legal obligations, inter alia, data related to health and occupational medicine, data related to screening and prevention for alcohol consumption and drug abuse, biometric data, data resulting from the control of equipment usage and information systems.

Other sources

In order to comply with its obligations, VISION BOX may collect information related to the Persons Subject to the present Policy from other sources, inter alia, from supervision and regulation entities.

VISION BOX ensures that all information is collected and processed according to the law, regulations and good practices.

When the information was collected from other sources and not directly provided by the employee, VISION BOX will make the attained information available to the data subject.

Processing purposes

Information will be always collected in accordance with the applicable law and in accordance with the good practices, inter alia, through previous notification to the Portuguese Data Protection Authority (CNPD) when needed.

Employees will be previously informed of any processing regarding their data, namely information regarding:

  • The data that will be processed and how it will be collected;
  • The purposes intended for the processing;
  • The grounds for such processing;
  • Information of any third parties to whom the data may be disclosed;
  • The existence of international transfers to third countries or international organizations.

VISION BOX assures that the personal data will always be:

  • Processed in a lawful manner and with respect for the good faith principle;
  • Obtained for specified, explicit and lawful purposes and shall not be processed in any manner incompatible with those purposes;
  • Adequate, relevant and not excessive in relation to those purposes;
  • Accurate and kept up to date;
  • Kept safe, using the technical and organizational measures adequate to its protection;
  • Kept in a way that allows the identification of the holders no longer than necessary for collecting or subsequent processing.

Information

VISION BOX will provide the data subjects with the following information:

  • VISION BOX’s identification, as the data controller and where applicable its representative;
  • The purposes of the processing for which the personal data is intended;
  • The legal basis for the processing, inter alia, the legal interest of the Company, if applicable;
  • The categories of the personal data that will be processed;
  • The recipients or categories of recipients of the personal data, inter alia, their legitimate interest, if applicable;
  • The existence of international transfers to third countries or international organizations and existing safeguards;
  • The mandatory or optional nature of the information being requested;
  • The possible consequences in failing to provide data;
  • Means available for data subjects to exercise their rights;
  • The retention period.

Other purposes

If VISION BOX intends to further process personal data for a different purpose than the one for which the personal data was initially obtained, VISION BOX will provide data subjects with the information and elements listed in section Information of this document.

Grounds

VISION BOX ensures that data processing of personal data regarding Persons Subject to the present Policy will be done lawfully.

The grounds for the data collection and processing are based on:

  • Consent for one or more specific purposes;
  • Necessity to enter into a contract with the data subject, including the necessary pre-contractual actions;
  • Compliance with a legal obligation to which VISION BOX is subject to, inter alia, legal obligations;
  • VISION BOX’s legitimate purposes and interests.

Whenever necessary the consent of the data subject will be obtained as follows:

    • When obtained through a written document, it will be presented in an accessible way;
    • The document will present the different purposes, for which data will be used, in an individual and clearly differentiated way;
    • The language used must be intelligible and straightforward;
    • VISION BOX ensures that the right to withdrawal may be exercised at any moment, in accordance with International transfers to third countries.

Data processors

Whenever personal data is processed by a Data Processor on behalf of VISION BOX, the latter ensures that it will only recruit processors who can offer sufficient guarantees regarding appropriate implementation of technical and organizational measures that ensure the compliance of the law and the protection of the data subject’s rights.

VISION BOX will warrant that all contracts made with any Data Processors shall bind both parties to the principles of data protection mentioned in Contractual principals and that an explicit and previous written consent from VISION BOX will be needed for the Data Processor to engage another Processor.

Communication to third parties

Any communication of personal data to Third Parties will only occur in compliance with the legal and/ or regulatory obligations.

International transfers to third countries

VISION BOX ensures that any transfer of personal data to third countries (outside of European Union) can only occur if the country concerned ensures an adequate level of protection or there is a contract with the necessary safeguards.

The data subject will be informed of the personal data transfers concerning them directly.

Retention period

The personal data of the Persons Subject to the present Policy collected by VISION BOX will be kept for no longer than it is necessary for the purposes for which the personal data is processed.

Personal data may be collected and stored according to the legal provisions that might exist, and compel, the abovementioned storage for a certain time.

Data security

Taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, as well as the risk for the rights of data subjects, VISION BOX has implemented the appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

  • These measures include, namely, and as appropriate:
  • Pseudonymisation and encryption of personal data;
  • Preservation of confidentiality, integrity, availability of the information;
  • Preservation of resilience of processing systems and services associated with the processing of personal data;
  • The ability to promptly restore the availability and access to personal data in the event of a physical or technical incident;
  • Measures to ensure the analysis and a regular assessment of effectiveness of technical and organisational measures implemented.

Along with these measures, VISION BOX has an information security policy that should be read and complied with.

Personal data breach

VISION BOX shall notify the Portuguese Data Protection Authority (DPA) of any data breach within 72 (seventy-two) hours as well as the data subjects in accordance with the law with the following information:

  • Description of the nature of the personal data breached, including the categories and the number of data subjects;
  • Information on the identity and contact details of the data protection officer or other contact point where additional information can be obtained;
  • Description of the consequences of the personal data breach; and
  • Description of the measures taken or proposed by the Company, to address the personal data breach, and, where appropriate, measures to mitigate its possible adverse effects.

VISION BOX shall document any personal data breaches, including the facts relating to the personal data breach, its effects and the remedial action taken in accordance with the present document and with the Information Security Incident Management Procedure.

Exercise of rights

VISION BOX ensures data subjects that they may exercise their rights foreseen in the law, namely, access, rectification, objection and erasure.

To exercise his rights, a written request must be addressed to the contacts defined in Queries.

VISION BOX will reply all requests within 30 days.

Data protection impact assessments

Where the type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, VISION BOX shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

The DPO and Legal Department will both provide advice regarding the Data Protection Impact Assessments (DPIA).

The assessment shall contain at least:

  • a systematic description of the envisaged processing operations and the purposes of the processing;
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • an assessment of the risks to the rights and freedoms of data subjects; and
  • the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the data protection laws, taking into account the right and legitimate interests of data subjects and other persons concerned.

Sensitive data

Sensitive data

VISION BOX, in the course of its activities, can access and process sensitive data, whether from the Persons Subject to the present Policy, or VISION BOX’s clients and its clients.

Sensitive personal data refers to personal data consisting of information categories as to:

  • Which reveal racial or ethnic origin;
  • Related to political opinions, religious beliefs or philosophic;
  • Related to union membership;
  • Genetic data;
  • Biometric data;
  • Data related with a health condition;
  • Data related to sexual behaviour;
  • Data related to the sexual orientation of a person.

Reinforced duty of secrecy

The data subjects are compelled to an absolute duty of secrecy where information they have access to which might contain sensitive data is concerned.

Those who possess information and know, or under the circumstances, should know that such information contains sensitive data, shall refrain from using it for any action other than those instructed by VISION BOX and any infringement of these rules will imply an appropriate disciplinary and legal action.

Practice and codes of conduct

The data subjects who gain access to information containing sensitive data shall inform in writing and with no delay, the Director of the Department and/or the DPO to which they belong:

  • Characteristics of the information;
  • When was the information accessed.

The Director for the Department shall inform immediately the Human Resources Director, the Information Security Officer and the DPO of relevant facts related to the incident.

When information that includes sensitive data is intended to a group of people with the intent of carrying out a project, operation or implementing a service, the person in charge of the team will inform each member of the group of the sensitive nature of the information, and will inform the Director of Human Resources, the Information Security Officer and the DPO, of the following elements:

  • The identity of everyone who had access to the information;
  • Characteristics of the information;
  • Date on which each one of them had access to the information.

Information security containing sensitive data

Without prejudice to the proper technical and organisational measures to protect personal data under the terms of the law, data subjects who possess information which include sensitive data, and without prejudice to the information security policy and the contractual obligations of confidentiality, shall in any case:

  • Limit the knowledge of information, within each area, to the people who necessarily must have it for the appropriate performance of their tasks;
  • Refrain from any comments regarding the information in order to, directly or indirectly, avoid revealing its existence or content;
  • Use it exclusively for the proper legitimate purposes or the clients.

Comply with the measures which allow an appropriate control to access the information and the documents and other supports in which it is included;

Require a prior signature of a non-disclosure agreement, in case it is necessary to make sensitive data available to Third Parties, external to the company.

Restrictions of use

Those who possess information and know, or under the circumstances, should know that such information contains sensitive data, shall refrain from disclosing it to Third Parties, except if it is indispensable for the normal performance of its activity.

The Persons Subject to the present Policy who know that another person, non-subject, has access to sensitive data, shall notify as soon as possible, in writing, the Human Resources Director, the Information Security Officer and the DPO, with the following elements:

  • How the breach was found;
  • The identity of all persons knowing the information;
  • Characteristics of the information;
  • Date on which they had access to the information.

In case the data subjects are aware of any breach to the rules established for information security, they shall notify that breach, in writing, to the Information Security Officer, with the elements listed in the previous paragraph.

Any infringement of these restrictions will imply appropriate disciplinary and legal action.

Specific principles

Employees

The processing operations of personal data, regarding the workers, shall be conducted in compliance with the applicable legal provisions, as well as with the recommendations of the Portuguese DPA (Comissão Nacional de Protecção de Dados – CNPD) and the best practices.

The processing of the workers’ personal data is necessary due to the working relationship and the obligations that result from the mere execution of the contract.

These processing operations will always be based on:

  • The need to manage the working relationship, inter alia, on the level of human resources management and the processing of salary.
  • VISION BOX’s management powers.

Apart from this Policy, the specific principles regarding the workers are listed in other internal policies of VISION BOX, being mandatory for the worker to acknowledge them.

The working contract must foresee an ab initio clause, in which the minimal principles of data processing are established and where the duty of information is fulfilled.

Service providers

The relationship between the service providers, whether internal or external, shall always be based in a contractual instrument and must comply with the following elements, set out in Contractual principals.

Where service providing involves any access to personal data, there shall be specific clauses which regulate the way the service provider access that data, and that any action performed is always done on behalf of VISION BOX.

The refusal, by the service provider, in accepting its obligations regarding data protection and privacy to which VISION BOX is bound to in accordance with the law, shall lead to:

  • Renegotiation of the contract; or,
  • Termination of the contract.

The infringement of the contractual obligations implies civil and legal liabilities for the service providers.

Providers and partners

The relationship between the suppliers and partners shall always be based on a contractual instrument and must comply with the following elements, set out in Contractual principals.

Where supplying and/ or partnership involves any access to personal data, there shall be specific clauses which regulate the way the supplier accesses that data.

The supplier and/ or partner can, for the purposes of the relationship, be the processor or the controller.

In case the supplier and/ or partner are the processor, it shall be expressed and accepted by the supplier that any action performed will always be done on behalf of VISION BOX and in compliance with its written instructions.

In case the supplier and/ or partner is solely responsible for the processing, it shall expressly ensure the compliance with the applicable safety regulations as well as the compliance with the principals related to data protection set out in the law, inter alia, the legitimacy of processing, limitation, quality and the exercising of the subjects’ rights.

The refusal, by the supplier and/or partner, in accepting its obligations regarding data protection and privacy to which VISION BOX is bound to or those that derive to the supplier and/ or partner in accordance with the law, shall lead to:

  • Renegotiation of the contract; or,
  • Termination of the contract.

The infringement of the contractual obligations implies civil and legal liabilities for the supplier and/or partner.

Clients

Any processing of personal data belonging to Clients or from their clients shall always be based on a contractual instrument.

The instrument shall comply with the following elements, set out in Clause 5 of this Chapter.

Contractual principals

The actions involving personal data processing on behalf of VISION BOX, or in which, the latter performs the processing on behalf of the Clients, shall have as a minimal basis the following elements:

  • That the processing actions, inter alia, transfers and/ or communication of personal data are only performed through documented instructions from VISION BOX or from the Client, while responsible for the processing;
  • Where a non-disclosure agreement is established;
  • Where a data processing agreement is established;
  • Where the appropriate technical and organisational measures are ensured and preferentially defined, to guarantee an appropriate level of security for the risks of processing and the personal data to be treated;
  • The provision of assistance to the controller in such a way that it is able to fulfil its duties, in order to respond the demands of the data subjects, regarding the exercising of their rights;
  • That, when the data processing or the contractual relationship expires, the personal data shall be erased or returned, and the existing copies erased, within the limits required by the law to which VISION BOX or the Client are bound to;
  • That no other processor shall be engaged without prior specific or general written authorisation of the controller;
  • The object, duration, nature and processing purpose(s);
  • The categories of personal data concerned;
  • The categories of data subjects concerned;
  • The obligations and rights of VISION BOX, and;
  • The obligations and guarantees provided by the processor.

Safety measures

General principle

The regulations on processing security impose, upon VISION BOX, the obligation to implement the appropriate technical and organizational measures to avoid non-authorised interferences to processing operations according to this Policy, information security policy and other regulations set out in other internal policies.

Internal policies

The internal policies will cover the following elements:

  • Information on the internal policies concerning data security, and the obligations that result for the employees regarding data protection, especially those related to secrecy, under the terms of the law;
  • A clear distribution of responsibilities and a clear description of competences concerning data processing, particularly those regarding personal data processing decision-making and data transfer to Third Parties;
  • The use of personal data only in accordance with the instructions of VISION BOX or with the legal obligations to which VISION BOX is bound;
  • Protection against the access to VISION BOX’s facilities, as well as to any hardware and software, including controls related to access authorization;
  • To certify that the authorization to access personal data was granted by the competent person and it requires the appropriate documentation;
  • Automatized protocols on personal data access by electronic means and regular monitoring of those protocols by the Department responsible;
  • Comprehensive documentation of other forms of dissemination, different from the automatized access to data, in order to prove that there was no illegal or unauthorized transmission of data;
  • Provision of training and appropriate education on data security;
  • Annual review and assessment of the internal policies;
  • The execution of regular audits, in order to ensure that all measures deemed as appropriate were effectively implemented and are operational.

Physical safety measures

The physical security measures are implemented through security policies for all information users who have access to personal data.

Amongst such physical security measures are included, namely:

  • The control of access to buildings, inter alia, by using access cards and/ or biometric controls;
  • Entry registers, monitoring of doors and restricted access rooms;
  • The presence of security personal on site, as well as alarms;

The access to controlled areas is restricted, by using an access card and/ or biometric controls on the authorized personnel and requires documented approval of the Human Resources Department, which is forwarded to the Information Security Officer and to the DPO.

All individuals unauthorized to access controlled areas must enter and be escorted to the controlled area by a person with authorized access.

The right to access controlled areas will be entirely re-evaluated every year, and will be revoked at the end of the contract.

The facilities where the personal data is stored must be protected against environmental factors and against power failure.

Logical safety measures

VISION BOX has implemented security policies which include specific software for these purposes, particularly:

  • Antivirus software, firewall and data prevention loss;
  • Restrictions to share non-authenticated archives;
  • Restrictions on Peer-to-Peer applications;
  • Database encryption software;
  • User account password;
  • Appropriate maintenance services and with approved levels of correction.

In addition, procedural and technical controls are used in order to detect any compliance deviations.

Data transfer is performed, exclusively, through a secure network connection.

The procedural controls are defined by the Information Security Officer and implemented by the manager responsible for the Department, who shall notify the Information Security Officer.

In what concerns privileged access, only users who are expressly authorized may request access.

According to the instructions received and to determine which user credentials holders are still authorized by VISION BOX, a periodical verification is carried out as well as an annual revalidation to determine that the accesses are compatible with the existing users.

The exceptions identified during the process of revalidation shall be corrected, and the user’s access will be revoked at the end of the contract.

The verification passwords shall always be implemented according to the following requirements:

  • Minimum 8 characters in length;
  • Containing a combination of alphabetic and non-alphabetic characters (numbers, punctuation or special characters) or a mixture of, at least, two types of non-alphabetic characters;
  • It does not contain the user’s identification as part of the password; and,
  • It cannot be banal/ trivial.

The activities in the system are previously requested and booked for purposes of control and approval, in compliance with the defined procedure.

Regarding incident/ problem management, a registration and monitoring process is implemented through a set of reference procedures and tools, which can be changed over time.

Final provisions

Binding

The present Policy for Data Protection and Privacy binds all collaborators of VISION BOX.

The present Policy for Data Protection and Privacy shall be interpreted jointly with the Internal Policy for information security, other applicable policies and the legislation in force.

In case of a divergence, particularly, between the Policy for Data Protection and Privacy and the Internal Policy for information security, the present Policy prevails over the internal policy for information security.

Data protection officer

VISION BOX may designate a DPO, who will act in compliance with the obligations set out in the law and according to the best practices.

The DPO is responsible for ensuring that the privacy guidelines, general data policies and Privacy-by-Design procedures and reviewed every time there are changes to applicable laws and regulations and annually updated.

In order to monitor compliance with privacy policies and practices, the DPO will elaborate on a monthly bases, a report containing all data related flaws or incidents that have been detected, with a plan of action intended to mitigate or remedy the specific situation.

All situation specifically identified and reported by the DPO to the Board on the monthly reports, will continue to be mentioned on the following reports and may only be removed from the monthly reports after it has been considered remedied.

The Data Protection Officer, has, the powers, obligations and responsibilities established by law. You may be contact our DPO for all matters regarding the present Privacy Policy or any other issues concerning Data Privacy at the following e-mail address: (dpo@vision-box.com).

Queries

Any queries by a data subject regarding the content of the present Policy for Data Protection and Privacy or regarding the processing of his personal data, shall be forwarded, in writing, to the Information Security Officer and to the DPO, at the following email address dpo@vision-box.com.

When addressed to the Director of the Department, he shall forward them to the Information Security Officer and to the DPO.

The Information Security Officer and the DPO shall examine the queries and will inform the data subject within a period of time not exceeding 15 (fifteen) working days.

Any queries by a Client or its clients regarding the content of the present Policy for Data Protection and Privacy or regarding the processing of his personal data, shall be communicated to the Director of the Department, who shall follow the abovementioned procedure.

Any queries shall be answered within a period not exceeding 15 (fifteen) working days.

Revision and monitoring

The present Policy will be reviewed at least once a year, in order to detect, and if applicable, to correct any defective situation that may occur in its implementation.

The Policy review may occur, whenever, by virtue of specific circumstances, inter alia, needs arising from VISION BOX’s activity, facts or any legal legislative amendments, may require.

Communication and dissemination

After approval, the DPO and the Information Security Officer shall disclose, internally, the present Policy, and shall be responsible for making the present policy circulate within VISION BOX’s organisation.

Human Resources Department is also responsible for include in the inductions sections a training section regarding privacy and information security.

In case it becomes necessary to communicate the present policy to the public, it will be done through the publication of the basic principles of the present Policy through the VISION BOX website, through which they may access the summary of its content.

Entry into force

After the approval of the Board of Directors of the Company, this Policy enters into force immediately.

The updates to this Policy included in this document will be valid from the date of its approval, without prejudice to subsequent amendments.