The present Regulation is intended to establish the internal rules and procedures for the application of the GDPR. REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Regulation on Data Protection)

DEFINITIONS, RIGHTS AND OBLIGATIONS

1. For the purposes of the GDPR, personal data is all data that allows us to identify a person, such as the name, address, IP, taxpayer number, number of users of the Health Service, consumption habits.

2. The GDPR applies only to data about individuals, not companies.

3. The data controller in the company is the manager.

4. Data subjects have the following rights:
   a) Right of access
   b) Right of rectification
   c) Right of erasure
   d) Right to limitation of treatment
   e) Right to data portability
   f) Right of opposition and automated individual decisions

5. When the data subject intends to exercise any of these rights, the controller must try to respond as soon as possible, having a maximum of 30 days to do so and must respond in a clear, concise and sufficient manner.

6. The controller must provide rules to facilitate the exercise by the data subject of his rights.

7. (Duty of information): when collecting data, data subjects should be informed of the following:
a) The identity and contact details of the controller
b) The purposes of the processing of personal data
c) Your destiny
d) The legal basis for treatment
e) The recipients or categories of recipients of personal data, if any
f) The shelf life
g) Transfer to third countries, if applicable
h) The existence of the right to access, rectify, and erase and limit treatment
i) The existence of the right to object to treatment
j) Information that you can withdraw consent at any time
k) The existence of the right not to be subject to automated decisions including the definition of profiles
l) The right to data portability
m) The right to know of a data breach
n) The right to complain to a supervisory authority

8. Personal data must be processed lawfully, fairly and transparently in relation to the data subject.

9. Individuals must be able to understand how the personal data concerning them is collected, used, consulted or subjected to any other type of treatment and the extent to which personal data are or will be processed.

10. The procedures must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are treated.

11. Personal data can only be processed when the purpose of the processing cannot be achieved by other means.

12. The procedures must be accurate and updated whenever necessary.

13. All appropriate measures must be taken to ensure that inaccurate data, having regard to the purposes for which it is processed, is erased without delay.

14. The data must be kept in a way that allows the identification of the data subjects only for the period necessary for the purposes for which they are processed.

15. The data controller must implement a data maintenance, archiving and erasure policy to ensure that they are not kept for longer than the strictly necessary period.

16. The data must be treated in a way that guarantees its security, including protection against its unauthorized or illicit treatment and against its accidental loss, destruction or damage, adopting the appropriate technical or organizational measures.

17. The controller must be able to demonstrate that the holder of the personal data has consented freely and in an informed manner. A consent given orally or even through tacit or other consent does not offer these guarantees, as it does not allow proof of having been obtained in a free, specific, informed, explicit way and through the unambiguous act.

18. The person responsible for the processing of personal data must ensure:
    a) That the personal data you have is legitimate and limited to what is necessary
    b) That the data is up-to-date, secure and confidential
    c) That has policies, procedures, codes of conduct internal instructions formalized and capable of being made available to supervisory entities
    d) That has systems in place to monitor whether the policies and procedures being followed
    e) Implement the permanent and dynamic GDPR compliance verification mechanism
    f) Proving evidence of respect for the GDPR
    g) Promote audits within the scope of a continuous control to verify the effectiveness of the implemented measures and, eventually, modify them

19. The data controller is obliged to notify the control entity, which in Portugal is the National Data Protection Commission, of all data breaches with risk to the data subject, and this communication must be made within 72 hours.

APPLICATION OF THE REGULATION

20. The personal data that is collected in the company are:
    a) Name, address, telephone number, e-mail address of buyer and seller customers
    b) Name, tax number, identification number, marital status and address of employees and collaborators

21. The data is obtained in several ways:
    a) Através de contrato celebrado com o cliente vendedor, colaborador e empregado
    b) By contacting customers by email, or visiting our website where interested parties enter their personal data
    c) By calling the company
    d) By physical visit of the store

22. When collecting data through contracts or data collection with direct contact with the person, they are informed of their rights and asked for their consent to the processing of data.

23. In the case of telephone contact, the employee who collects the data, informs the person concerned that he will then send an email with the data of the person, asking him to respond by giving his express consent to the processing of data.

24. All data collected are entered into the CRM software of Janela Digital Lda ..

25. The data is encrypted.

26. The manager João Andrade responsible for data processing, Betty Andrade and Liliana Correia are the only ones with access to all data.

27. In addition, each consultant has access to the data of the client who delivered the property to you for mediation, and the data of the buyer client who expresses interest in the property you have raised.

27. All persons in the company with access to personal data must be informed of the rules contained in the GDPR and the consequences for their improper treatment.

29. All data contained in physical documents, whether they are customer visit forms, mediation contracts, copies of lease purchase and sale contracts, or others, are kept on a cover, and closed in a safe cabinet, which in turn is found in a lockable cabinet, a key that only João Andrade, Betty Andrade and Liliana Correia have access to.

30. Every 30 days the data controller must verify the physical security of the paper documents, and encryption of the aforementioned computer data.

31. Eventually, it should improve the application of the regulation.

32. Every 30 days you should delete the data whose storage period has expired.