Privacy Policy

I. Introduction

This Personal Data Privacy and Protection Policy outlines the terms regarding the processing of the personal data supplied by Customers, Partners, Employees and Users of the www.rootsandwings.pt website (henceforth referred to as “website”). The website belongs to the company CARINGH FAMILY, UNIPESSOAL LDA. (henceforth referred to as “COMPANY”), a private limited company, with the single registration and tax number 516680625, and with fully paid-up share capital of five thousand euros, with head office at Rua São João da Mata, n.º59, R/C, 1200-850 – Lisboa. The website is run in Portugal.

This Personal Data Privacy and Protection Policy is applied in compliance with Regulation (EU) 2016/679 of the European Parliament and Council – General Data Protection Regulation (GDPR) – and all other applicable national legislation regarding data privacy and protection

II. Concepts

Personal Data – information relating to an identified or identifiable natural person (Data Subject); a natural person is considered identifiable if he or she can be identified, directly or indirectly, especially by means of an identifier such as a name, identification number, tax number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data Subject: identified or identifiable natural person to whom the Personal Data pertain.

Processing – an operation or set of operations which is performed on personal data or on sets of personal data, by automated or non-automated means, such as the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, comparison or interconnection, restriction, erasure or destruction.

Controller – a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of the personal data; where the purposes and means of such processing are determined by European Union or Member State law, the controller or the specific criteria for its nomination may be provided for by European Union or Member State law.

Processor – a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

III. Internal rules and procedures:

All employees, companies and divisions of the COMPANY accept responsibility (individually, if applicable) for compliance with all the applicable legal provisions regarding protection of personal data.

The COMPANY Management guarantees compliance with the aforementioned legal provisions and shall strive to implement and maintain all the means, structures and resources needed for this purpose.

IV. Data processing officer

The COMPANY is responsible for processing the personal data supplied to it by the Data Subjects and may be contacted for all related matters using the following contact details.

Address: Rua de São João da Mata 59, R/C, 1200-850 Lisboa

Telephone: 925264981

E-mail: [email protected]

V. Purposes of the processing

To provide the services and goods supplied by the COMPANY, it may collect and process the following categories of personal data for the purposes outlined below:

1. Management of Users and Contracts: Personal data collected when the Data Subject contacts or hires the COMPANY for the first time, whereby such personal data may be updated, added to and/or corrected at a later time. The personal data shall be processed to ensure the COMPANY complies with its management, accounting and tax obligations, and the contracts signed between the COMPANY and the Data Subject.
2. Commercial use: Some data collected (in particular name and contact details) may be used for the transmitting commercial and marketing information, which shall be sent by the COMPANY. The Data Subject’s personal data may only be used after obtaining prior consent from the Data Subject to do so. The Data Subject may, at any time, object to the processing of data for this purpose by refusing to give his or her consent, or if consent has been granted by withdrawing it, clicking on the “unsubscribe from this list” option available at the bottom left-hand side of the homepage of the website, and at the end of all communications sent by the COMPANY.
3. Compliance with legal obligations;
4. Pursuing the COMPANY’S legitimate interests.

VI. Principles of processing the personal data collected:

Protecting the privacy of the personal data is a priority for the COMPANY, and as such the COMPANY makes the commitment that the data it collects shall be:

1. Processed in a legal, honest and transparent manner in relation to the data subject;
2. Collected for specific, explicit and legitimate purposes, and shall not be processed at a later data in a manner incompatible with these purposes;
3. Suitable, pertinent and restricted to what is necessary for the purposes for which they are processed;
4. Accurate and updated whenever necessary, adopting all suitable measures so that inaccurate data, taking into account the purposes for which they are processed, are erased or rectified without delay;
5. Stored in a form that allows identification of the data subjects only during the time necessary for the purposes for which the data are processed, although the data may be stored for longer periods provided they are processed solely for public interest purposes of archiving or scientific, historical or statistical purposes.
6. Processed in a way that ensures their safety, including protection against non-authorised or illegal processing and against their loss, destruction or accidental damage, adopting the appropriate technical or organisational measures.

VII. Transmitting the personal data collected to third parties

The personal data collected by the COMPANY may be transmitted to public and private entities to comply with legal or contractual duties imposed on the COMPANY.

The COMPANY may also use third parties – subcontractors – to provide certain services, which may imply access by such third parties to the customers’ personal data. In these circumstances, the COMPANY shall ensure that the subcontractors comply with the applicable legal requirements and provide suitable data protection guarantees.

VIII. Storage period

The personal data processed by the COMPANY for the management of Data Subjects and Contracts shall be stored while the contractual bond between the COMPANY and the Data Subject remains in effect, and subsequently for the legally imposed period.

The personal data processed by the COMPANY based on the consent granted by the Data Subject shall be stored while the consent is not withdrawn.

IX. Cookie Policy

Cookies are small text files stored on the computer by websites, comprising automatically collected information about the preferences of a given Data Subject during his or her visit to a given web page. Whenever the Data Subject revisits the website in question, these files are automatically activated so the website is configured with the preferences from previous visits, allowing faster and more efficient navigation and eliminating the need to insert the same information repeatedly.

The COMPANY uses cookies on the website to provide the Data Subject with a better navigation experience, simplifying and providing more efficient presentation of the different website content.

Most browsers automatically accept cookies and the Data Subject may accept, delete or reject them, using the browser settings. The Data Subject may configure his or her browser settings to prevent the creation of cookies, and the website may continue to be navigated, although the user experience will be negatively affected.

The information collected and/or stored by the cookies used by the COMPANY is used solely to improve the user’s website navigation experience.

X. Storage period

The personal data processed by the COMPANY will be stored while the contractual bond between the COMPANY and the Data Subject remains in effect, and later for the legally imposed period of time or when the data is collected and processed by the COMPANY based on consent granted by the Data Subject, while the consent is not withdrawn.

XI. Data subjects’ rights

Right of access: The Data Subject shall have the right to obtain from the COMPANY confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the information about it;

Right to rectification: The Data Subject shall have the right to obtain from the COMPANY without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the Data Subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement;

Right to erasure of the data: The Data Subject shall have the right to obtain from the COMPANY the erasure of personal data concerning him or her without undue delay and the COMPANY shall have the obligation to erase personal data where one of the following grounds applies:

1. The personal data are no longer necessary in relation to the purposes for which they were collected or processed;
2. The Data Subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
3. The Data Subject objects to the processing and there are no overriding legitimate grounds for the processing;
4. The personal data have been unlawfully processed;
5. The data have to be erased for compliance with a legal obligation in European Union or Member State law to which the controller is subject;
6. The personal data have been collected in relation to the offer of information society services.

Right to restriction of processing: The Data Subject shall have the right to obtain from the COMPANY restriction of processing where one of the following applies:

1. The accuracy of the personal data is contested by the Data Subject, for a period enabling the COMPANY to verify the accuracy of the personal data;
2. The processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;
3. The COMPANY no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims;
4. The Data Subject has objected to processing, pending the verification whether the legitimate grounds of the COMPANY override those of the Data Subject.

Right to object to the processing: The Data Subject shall have the right to object to the processing if it is not lawful, legitimate or justifiable. 

Right to data portability: The Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the COMPANY in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the COMPANY, where:

1. The processing is based on consent granted or on a contract; and
2. The processing is carried out by automated means.

In exercising his or her right to data portability, the Data Subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

The right to lodge a complaint with a supervisory authority: The Data Subject shall have the right to lodge a complaint with the National Data Protection Commission if any of the aforementioned rights has been breached or if the data has been processed in an unlawful, illegitimate, unjustifiable or non-transparent way.

XII. Exercising Rights by the Data Subject

The Data Subject may exercise his or her rights using the physical and e-mail addresses written in Point III above. Requests for information about the management of personal data may also be made by letter or e-mail addressed to the contacts written in Point III above. The Data Subject may also make a complaint to the National Data Protection Commission, the public authority that supervises the application of this legislation in Portugal.

XIII. Confidentiality and security

The COMPANY, as the controller of the data processing, undertakes to make every effort to guarantee the privacy of the data collected and/or transmitted, adopting the security measures imposed by law as regards the data processing, using the technologies and safety procedures to protect the data collected against unauthorised access, use, damage or disclosure.

Access to the data collected is restricted to the COMPANY’S employees.

Notwithstanding the provisions of the previous paragraph, the COMPANY may yield the personal data of the Data Subject:

1. a) to third parties, under the terms of this Privacy Policy, to enable them to supply products and services to the Data Subject;
2. b) to public and private entities to comply with the legal or contractual duties that the COMPANY is subject to.

Notwithstanding the efforts made in the preceding points, the COMPANY hereby notifies the Data Subjects that the data collected on the website may, at the time they are collected, circulate on the web in insecure conditions, running the risk of being seen by non-authorised third parties.

XIV. Change to the privacy policy

This Privacy Policy may be changed, and the changes shall be deemed in effect from the date they are published on the website of the COMPANY’S Group, making express reference to the date of the update.

XV. Applicable legislation and court of law

This Privacy Policy is regulated in all its aspects by applicable Portuguese and European legislation, in particular, by the General Data Protection Regulation [Regulation (EU) 2016/679 of the European Parliament and Council, of 27 April 2016].

Any litigation deriving from the interpretation, integration and execution of this Privacy Policy shall be settled exclusively by the Portuguese courts.

Date of last update of the privacy policy: 29/05/2023