Data Protection and Privacy Policy
Suppliers/Service Providers
This Data Protection and Privacy Policy provides information on how AXIANS Portugal companies (“AXIANS”), part of the Vinci Group, process the personal data of their Suppliers/Service Providers and/or employees of Service Providers (“Providers”) during the performance of service contracts, under the terms of the national legislation in force on data protection and privacy and in accordance with the provisions of GDPR 2016/679 (General Data Protection Regulation), based on the principles of correctness, legality and protection of their privacy.
A. Data Controller
The AXIANS Portugal company with which the supplier/service provider has entered into a contract to provide the services is the Data Controller of your personal data.
B. Type of personal data collected and processed
AXIANS may collect and process the following types of personal data:
- Identification data, such as full name, date of birth, nationality, gender, government-issued ID numbers and their validity (National ID, Tax ID), photograph, video footage, and signature.
- Contact details, such as telephone/mobile number, address, and professional email address.
- Data related to professional status, such as employer, position, and place of work.
- Recurring contract data, such as supplier/service provider code, supply history, products and services, quantity of products and services, value/rate of products and services, date of purchase of products and services, place of purchase, discounts, and consumption history.
- Data relating to means of payment and transactions, such as account number, IBAN/NIB, transaction number, transaction description, transaction date, transaction amount, number of transactions, and invoice number.
- Authentication and access data, such as user account, username, password, creation date, access validity, log of entries and exits from the company building.
- Training data, such as training name, area, period, duration, training time, training evaluation, academic qualifications, skills, and professional qualification.
- IT usage data, such as user ID, functions, rights, login times, computer name, and IP address.
- Data related to legal proceedings, such as lawsuits, lawsuit number, litigation file, type of lawsuit, outcome of lawsuit, amount requested, criminal offenses and reports, identification of last step, date of last step, preferential claims.
C. Purposes and the Legal Basis
AXIANS may process this personal data for the following purposes:
- Management of the contractual relationship: data that is processed for the execution of the contract and the consequent fulfillment of the legal obligations arising from it, as well as administrative management, financial management, economic and accounting management, litigation management, invoicing, and collection of services.
- Management of the provision of the service: data that is processed for the planning, coordination, and execution of the contractually envisaged activities, technical training data deemed necessary for the provision of the service, and data that is transmitted, where applicable, to AXIANS’ end customer, in order to guarantee compliance with the contractual obligations that AXIANS has with the latter.
- Security of people and property: data processed for physical access control, logical access control, video surveillance, device monitoring, and access credential management.
- Compliance and audits: data that is processed to respond to possible internal investigations and as part of our auditing processes. We ensure that only necessary personal data is processed during audits in order to comply with applicable laws.
The processing of personal data is legitimized by one of the following legal bases:
- Execution of the contract to which the Provider is a party or the pre-contractual steps necessary to perform its engagement;
- Legitimate interest pursued by AXIANS unless the interests or fundamental rights and freedoms or fundamental rights and freedoms of the Provider that require the protection of their personal data prevail;
- Compliance with a legal obligation to which AXIANS is subject;
- Consent of the Provider.
D. Sharing your Personal Data
Entities providing services to AXIANS (“Subcontractors”):
Your personal data may be provided to companies responsible for providing services to AXIANS under a written contract that binds the Subcontractors to only process your Personal Data for the purposes set out in this Privacy Policy and are not authorized to process them, directly or indirectly, for any other purpose, for their own benefit or that of a third party.
Other “Controllers” or “Third Parties” with whom AXIANS may share your Personal Data:
If there is a legitimate interest in sharing your Personal Data within the group, AXIANS may transmit your Personal Data to other companies in the Vinci Group for internal administrative purposes and guarantee that they will process your Personal Data in accordance with this Privacy Policy.
In the context of the provision of services to AXIANS’ end customers by the Providers, personal data may be shared when required by the customers, if and to the extent permitted by applicable national laws.
At your request and with your consent, your Personal Data may also be shared with other entities.
In compliance with legal and/or contractual obligations, Personal Data may also be transmitted to judicial, administrative, supervisory, or regulatory authorities and also to entities that lawfully carry out data compilation actions, fraud prevention, and combat actions, market or statistical studies in an anonymous form.
E. International Transfers of Personal Data
AXIANS may transfer your Personal Data outside the European Economic Area (“EEA”) and to countries that may not guarantee the same level of protection equivalent to that ensured in the European Union.
In such cases, we may transmit your Personal Data for internal administrative purposes to the companies of the Vinci Group when they are party to the Intra-Group Agreement for the Protection of Personal Data (“IGA”), ensuring the international transfer of Personal Data in accordance with applicable legislation on personal data and privacy. The IGA parties are qualified as data controllers, or data controllers and processors, under applicable legislation.
We may also transfer your Personal Data based on an adequacy decision or standard data protection clauses approved by the European Commission (2021/914/EU).
When none of the above options apply, but the law still authorizes such transfer, for example, if it is necessary for the declaration, exercise or defense of a right in legal proceedings.
Details about the transfer of your Personal Data to third countries, the measures adopted to ensure the transfer, as well as a copy of the measures applied for this purpose, can be obtained by contacting us through the contacts provided in this Privacy Policy.
F. Retention period of your Personal Data
Your Personal Data will be retained for the period of time necessary to carry out the purposes described in this Privacy Policy. In some exceptional cases, AXIANS may be required to retain your Personal Data for a longer period:
- To comply with legal obligations applicable to AXIANS;
- By way of contractual obligations assumed towards AXIANS or other companies of the Vinci Group, to which limitation periods may be added under the legislation in force;
- In the event of any dispute, whether administrative or judicial, up to 6 months after the respective sentence becomes final; or,
- Guidelines issued by competent data protection authorities.
G. Security of personal data
AXIANS implements the necessary technical and organizational measures to ensure that only the personal data of Providers that is necessary for the respective processing purpose is processed by default. These measures are periodically reviewed and updated by the responsible department.
In addition, AXIANS has adopted technical, physical, organizational and security measures to protect personal data against accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure, unauthorized access and any other form of unlawful processing.
The company uses different security mechanisms and procedures, following the best practices in terms of information security in the systems that support the services provided, which includes the use of firewalls and intrusion detection systems, the existence of restricted access, both physical and logical, the recording of operations (logging), and respective monitoring and auditing, as well as the collection and transmission of personal data by secure means.
The personal data collected by AXIANS is stored securely in its systems, which in turn are located in the company’s own datacenter, or under the management of the Vinci Group, or under the management of its subcontractors, covered by all the physical and logical security measures essential for the protection of personal data.
Whenever it is necessary to share personal data of its Providers to Third Parties, AXIANS will be responsible for the personal data in question and guarantees that:
- The sharing of personal information complies with the legal regulations in force;
- The transmission is carried out securely, namely through the use of encryption protocols; and
- Third parties are contractually obliged to observe the duties of confidentiality and secrecy and to ensure the security of personal data communicated to them for this purpose and may not use such data for any other purpose, for their benefit or the benefit of third parties, or correlate it with other data available to them.
H. Your Rights and how to exercise them
As the Data Subject of Personal Data processed by AXIANS, you have the right to information, access, and rectification or erasure of personal data and the right to data portability, the right to limit or object to the processing of your data, within the scope and under the terms of the GDPR and other applicable legislation.
You may withdraw your consent to the processing of your personal data at any time, within the framework of the GDPR. Withdrawal of consent will not affect the lawfulness of the processing of personal data that has been carried out so far, based on the consent you have previously given.
You also have the right to complain about the processing of your data with the CNPD.
You may at any time, in writing, exercise the rights enshrined in the legislation on data protection and privacy by sending an email to privacidade.axianspt@axians.com.
Alternatively, you can exercise them by mail, to the attention of AXIANS, at the following address: Av. Dom João II 44 C Piso 5, 1990-095 Lisboa.
I. Data Protection Officer Contact
You can also contact the AXIANS Data Protection Officer with any questions relating to the protection and privacy of your personal data by e-mail at: dpo.axianspt@axians.com.
J. Changes to this Data Protection and Privacy Policy
AXIANS may periodically update this Privacy Policy, as well as any other specific data protection and privacy statement. When making changes to this Privacy Policy, a new date will be added at the end of this document.
Last modified: 16/10/2024