PRIVACY AND CONFIDENTIALITY POLICY

1. Personal Data and Information

Despomar ensures that in order to access most of its establishments, products or websites, it is not mandatory to provide any personal data. Personal information is an option for those who are wish to access knowledge about products, campaigns, promotions or other news involving the core business of our organization.

However, some of the services provided, by their nature, contemplate this need. Some examples of this are the delivery address information for purchases on websites or sales with deferred delivery, equipment rental, reselling in our shops or others.

Websites

Except as otherwise provided for in this Privacy Policy, the Despomar Group collects and stores information, including personal data, which the user voluntarily provides for commercial transactions on its online sites ericeirasurfskate.pt, 58surf.com, mrstitchservice.com or app.nuorder.com/despomar by subscribing to the “Friendsclub” service in our physical stores or by subscribing to our Newsletters. Additional information like fiscal identity number may be required in certain transactions.

Some websites Despomar, in addition to the consumer’s name, collect other personal information such as e-mail address, home address, postal code, country and telephone. We also collect varied and anonymous demographic information, such as date of birth, age, gender and personal interests.

Despite all data information security systems used by Despomar, it should be noted that personal data, or other sensitive information, indicated directly through public messages on our websites or chats this information can, even remotely, be collected and used by other people. We reiterate that we do not collect data or other private information through direct online communications on or off our websites websites.

Under aged

We avoid collecting data from children under 16 years of age, but whenever this happens on their own initiative for the purposes determined in this point 1., the processing of such data will only take place with the explicit consent given or authorized by the holders of the child's parental responsibilities.

Video Surveillance

For security reasons, all our facilities are covered by an internal video surveillance circuit. All that personal data is also covered by this Privacy Policy. Recorded videos are only accessed by employees with high hierarchical responsibilities in the company, namely, Security Officer, Department Heads, Supervisors, Managers and Store Sub-Managers. This surveillance is intended to prevent theft and other security risks and can be used as evidence in court or to raise internal disciplinary proceedings. We do not transfer images to third parties, unless duly notified by the competent authorities supervised by the Ministry of Internal Administration or Justice.

2. Use of Data and Personal Information

The use of the data will happen to create added customer value, create awareness of our aspiration and motivation, namely disseminating news and activities related to the Action Sports sector. It will also promote our products and services, campaigns, promotions and opportunities, or even to carry out opinion surveys on current or future services to be made available. The main goal will be facilitating the relationship between consumers and sale service, assistance, guarantees and other services from carefully selected partners.

We may also use aggregated anonymous personal data provided for internal business purposes, such as the production of statistics and the development of marketing plans. We may collect, store or accumulate certain non-personally identifiable information relating to other interactions between the holders of personal data and the Despomar Group.

3. Confidentiality and Information Security

Please note that your personal information is collected on a public network and, as a result, may be viewed and used by unauthorized third parties. Our Confidentiality and Data Protection Policy is based on a technological infrastructure security architecture to which we apply various information security measures to protect your personal information online and offline, namely through data encryption systems, and monitoring of access by our employees, recreating internal procedures for the anonymization of subjects in other processes, minimizing external risks, and penalties for internal data security violations.

Despomar also ensures that your information is safe using the most advanced techniques to control access to servers. If there is very sensitive information such as a credit card number, it should only be used with a secure server using the Secure Socket Layer (SSL) protocol.

This policy implies an automated procedure for the destruction of obsolete data acquired or updated for more than 10 years, each year, until the last day of April. However, when possible, we will respect all requests for deleting of the specific personal data if arriving from their owner using the means at their disposal, hereby in this Privacy Policy.

4. Assignment of Data to Third Parties

In case you allow the sharing of your personal data, please be informed that our retail brands are ERICEIRA SURF & SKATE, 58 SURF SHOP and BILLABONG STORES and that we do not transfer data to third parties in any case, in whole or in part, to national or foreign companies, without your consent, except if declared in this Privacy Policy. Despomar may communicate any information, including personal information, if necessary to comply with the service to be provided, any applicable laws, regulations, jurisdictional processes or State decisions.

We may, however, hire other companies and/or individuals to perform tasks on our behalf related to the purposes set out in this Privacy Policy. Examples might include data analysis firms, customer support specialists, website hosting companies, and other service providers such as companies that coordinate mailing lists. Under the confidentiality clauses added to possible subcontracts for this type of services, such third parties may have partial access to some of the personal data collected, however restricted to those absolutely necessary for the execution of the contracted tasks, and under no circumstances will they be able to use this information for other purposes or give it to third parties, under penalty of incursion into criminal proceedings.

We may in the future sell some of our assets. In this type of transaction, user information, including personal information, generally constitutes one of the transferred business assets. By submitting your personal information to Despomar, you accept that your data may be transferred to third parties under these conditions. Even in the case of a possible sale of assets of this nature, we ensure this eventual transfer only to third parties that are in compliance with the terms of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, known as General Data Protection Regulation (GDPR)

Data transfer to other countries

If any, we will only subcontract services related to personal data obtained with third parties that are in accordance with the terms of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, known as Regulation General on Data Protection (GDPR), its Privacy Policy, and only when its databases storage is located in the European Union, as well as in the United States and other countries that can guarantee the same level of protection of personal data as provided in the country where you reside. We require all our partners and other third parties to adopt procedures at least as rigorous as those we follow with regard to, including this Privacy Policy.

5. Data Processing

We will treat manually - and without the use of any robots or automated data processing machines - the personal data collected in all communications whenever it is justified to adapt the information about products, campaigns, promotions or news as much as possible. Whenever the data collected allows this analysis, we will avoid redundancy or repetition of records relating to the same individual.

At each data processing process that takes place, a Data Controller will be appointed and the respective technical file will be prepared, which will accurately describe the entire process, identifying the objectives and terms of of the process, groups targeted, used means, the data handler and all third parties involved. People who represent the eventual third parties involved will also be identified.

The handler will only initiate a data processing process on specific instructions from the designated controller, unless required to do so by Union or Member State law, and the final validation and control will always require the consent of the Data Protection Officer (DPO), under the terms of this Privacy Policy.

6. Data Processing Security

Considering the data processing techniques in use, the costs, nature and scope of their application, the context and purposes of their treatment, as well as the probability and serious risks that each treatment represents for the rights and freedoms of the their holders, we will apply the appropriate technical and organizational security measures, in particular with regard to the processing of the special categories of personal data referred to in Article 9, paragraph 1 of Regulation (EU) 2016/679 of the European Parliament and of the Council. , of 27 April 2016, namely:

1. 1. Preventing unauthorized people from accessing equipment and places used for treatments;
2. 2. Preventing data carriers from being read, copied, altered or removed without authorization;
3. 3. Preventing the unauthorized introduction of personal data, as well as any unauthorized inspection, alteration or deletion of stored personal data;
4. 4. Preventing that, during the transfer of personal data or the transport of data carriers, these may be read, copied, altered or deleted without authorization;
5. 5. Ensuring that workers authorized to use an automated processing system only have access to the personal data covered by their access authorization;
6. 6. Ensuring that used systems can be restored in the event of an interruption;
7. 7. Ensuring that the system functions work, that operating errors are reported (reliability) and that the personal data stored cannot be falsified by a malfunction of the system and;
8. 8. Ensuring that the process can be controlled, during and after, by the competent internal and external entities;
   
   

7. Websites

Pixel Tags

The information available on the internet that can be accessed by Computers, Tablets or Mobile Phones, both in terms of hardware and software, can be automatically collected by our websites. This information may include IP addresses, browser type, domain names, access times and referring website addresses. This information is used by our websites for better operation of their services, to guarantee its quality and to obtain general statistics of the use of the website.

When you visit one of our websites or view one of our emails, Despomar may use pixel tags (also called clear gifs), hyperlink flow detectors and/or similar technology to record some of those pages and use this information to personalize your visit. We may also use pixel tags to determine the types of email your browser supports. We may also use information collected through pixel tags, hyperlink flow detectors and similar technology in combination with your personal data.

Cookies

We may place a “cookie” on your computer's hard drive so that we can recognize you as a frequent user and personalize your visit. A cookie is a set of data that allows us to locate and target your preferences and allow you to make better use of our website. The cookie will be stored on your computer's hard drive until you remove it. We may also use temporary or "session" cookies to help you navigate our websites, which expire when you leave. You can configure your (browser) program to notify you of the existence of cookiescookies.

IP Adress

If you reject our cookies, you can still use our websites, but you may be limited in the use of some of their features. Some of our business partners, or the owners of other websites, you can still use our websites, but you may be limited in the use of some of their features. Some of our business partners, or the owners of other. In addition, we may use IP (Internet Protocol) addresses to analyze trends, administer our website, track traffic patterns and gather demographic information for aggregate use. Except as otherwise provided in this Privacy Policy, we will not use IP addresses in combination with your personally identifiable information without your prior consent.

Hiperlinks

Our websites may contain hyperlinks (links) to, or from, other websites. Please note that we do not necessarily share personal data with all these entities, so we do not accept responsibility for the privacy practices of these other websites. This Privacy Policy only applies to personal information that we collect on our websites. We strongly advise you to read the privacy policies of other websites

8. Guaranteed rights

All personal data obtained with tacit consent - or those that the users of our services choose to provide for their enjoyment - will be considered valid for further communication under the terms defined in point 2. Despomar will keep this data, unless if informed otherwise by the use of individual rights to limit data processing, opposition, forgetting (deleting) or not being subject to automated decisions. If the individual prefer not to receive such communications, he’ll have to declare that it. 

In this sequence, we present the 10 Rights established by the aforementioned GDPR, Regulation, thus guaranteed by our Privacy Policy:

Right to transparency

Through the publication of our Privacy and Confidentiality Policy, data subjects guarantee the right to know what treatments are carried out by Despomar on their data.

Right to be informed

The holders have the right to ask the data controller for information on the type of treatment to which their data are being subjected. This information must be provided in writing. If the holder so requests, the information may be provided orally, provided that the identity of the holder is proven by other means. For example, at the time of data collection, the holder must be informed about the treatment to which they will be.

Right to Access Personal Data

The holders have the right to know whether or not their data are being processed by Despomar and what data we hold, how they are categorized or to whom we may have transferred them.

Right of Rectification

The holder is entitled to request the rectification of incorrect data and completion of incomplete data. Each correction made by the controller implies the communication of that change to the entities to whom the data have been transmitted, unless such communication proves impossible or involves a disproportionate effort.

Right to erasure (forgetfulness)

Individuals have the right to request their erasure, which should take place without unjustified undue delay. Data erasure is also mandatory in the following situations: -when the data is no longer necessary for the purpose for which it was collected or processed; -when the data subject withdraws consent to the treatment (provided there is no other basis for such treatment); -when the data subject opposes the treatment and there are no prevailing legitimate interests that justify such treatment; -when the data were treated unlawfully; -to comply with a legal obligation arising from the law of the European Union or of a Member State to which the person responsible is subject to; -when the data was collected in the context through other information service providers.

The right to erasure (forgetfulness) must be reconciled with the legal obligations that the data controller must ensure in relation to official entities, which in this case overlap (for example, the duty to maintain issued invoices).

Right to limit or condition data treatment

The individual can request the limitation of its personal data treatment. In this context, the holder has the right to have the controller limit the processing in one of the following cases:

1. i. During the period in which the data protection officer validates the accuracy of the data, after contesting the inaccuracy by the data subject;
2. ii. When there is unlawful treatment and the owner opposes the erasure, he can request the limitation of use;

iii. When the person in charge no longer needs the data for processing, but they are required by the data subject for the purposes of declaring, exercising or defending a right in a judicial process;

21. iv. In the event that the data subject opposes the processing under the terms of the number 1 of article 21, until it is verified that the legitimate reasons of the person responsible override those of the data subject;
22. v. Oppose, at any time, the processing of data concerning you for marketing purposes;

The controller must communicate to each recipient, to whom the data has been transmitted, any limitation of processing that he has made, unless such communication proves impossible or involves a disproportionate effort. In all these situations, the data can be kept, but their treatment can only take place with the consent of the holder, for the purposes of declaration, for the exercise or defense of a right in a judicial process, for the defense of another natural or legal person or for reasons public interest of the European Union or the Member State.

Right of opposition

The holder may object to the use of their data for the purpose of direct marketing.

Right to notification

Data subjects must be notified, or made aware of, of cases where their personal data is being collected or processed. For this purpose, Despomar took measures in terms of Video-Surveillance so that, in all establishments, there is a floor plan with the cameras installed and their respective orientation, as well as applying the appropriate signage, including the mandatory one. In all other acts of personal data collection there is, or will be, an explicit abbreviated reference to the purposes for which the data collected for each act, and also the redirection to this Privacy Policy whenever the nature of the act does not allow this inclusion, or that the presence thereof becomes materially disproportionate.

Change notification

Despomar may regularly review this Privacy Policy. If we decide to change our Privacy Policy, we will announce the revised policy in our websites, through footnotes, and we will make these revisions known to all holders whose data are subject to said, or may be influenced by them.

Right not to be subject to automated decisions

The data subject has the right to request human intervention in processes that are usually automatic, such as profiling, and may require human intervention in this automated process so that the decision is not taken exclusively automatically. Despomar understands that your explicit consent is given when you do not object to the processing of data.

Right to portability

The data subject may request its data to be transferred to another company/entity. In these cases, to guarantee this Right, the holder has use the means at their disposal defined in this Privacy Policy and must expressly indicate which format will be used, selecting from a common one.

To guarantee all these Rights referred above, holders may use the means at his disposal defined in this Privacy Policy.

9. Workers

Any employee, contracted, subcontracted, temporarily or permanently, of any company of the Despomar Group or partners, at any time of its employment contract duration or after eventual termination, who, despite the limitation and conditioning of access to Personal Data promoted by Despomar, that they have access to, even if they are not obtained by the said, which are of identification or of any other nature, in the exercise of their functions, they undertake to maintain full privacy and confidentiality over the said and not to copy, use, disclose or transmit to third parties, keep or treat, in any way, whether of a confidential nature or not, or even in cases where it was not made known that said information and/or documents were subject to confidentiality.

This scope excludes information the disclosure of which is essential for the pursuit of the task or for the exercise of their functions in the position for which the employee was hired, regardless of the position that the data holder has demonstrated regarding the Privacy Policy and whether they have been or not obtained by Despomar.

These workers are also prohibited from removing or taking any information or document outside their workplace, or any other establishment of the Despomar Group or its partners, without their prior written consent, and they must also not destroy, alter or delete any information or document, except in the normal exercise of their professional activity. They also undertake not to derive any benefit, for themselves or for third parties, from all knowledge and information, namely about personal data to which they have access in the scope of the exercise of the functions for which they were hired.

In the event of termination of the employment contract for any reason, the employee must immediately return all originals and/or copies of dossiers, correspondence, files, memos, passwords and/or other documents and information relating to personal data, that they are in power of.

In the event of non-compliance with the provisions of this Privacy Policy, the employee will incur a serious violation of this regulation, which may imply the opening of a disciplinary process that may constitute just-cause for the termination of the employment contract and will indemnify Despomar for all damages arising.

CURRICULUMS

Applications, spontaneous or resulting from specific recruitment actions, will be made through a partnership with the electronic platform available at DESPOMAR

This information will not be printed or archived in paper. The access to the data will be reserved for the heads of the respective departments, for a maximum period of one year. Annually, all files to be deleted will be reviewed until the last day of November.

Access to data will be departmentally restricted and exclusive to workers hierarchically defined as Heads of Department, Supervisors, Managers and Sub-Managers, in addition to the elements of the Human Resources team.

All applications, ad-hoc curricula, data sheets, etc. that reaches Despomar e-mail boxes will be deleted without ever being printed or forwarded. Printed applications delivered by hand will not be accepted in any of our establishments.

We do not process, transfer or transmit to third parties the personal information collected from candidates.

The “Factorial” electronic platform also complies with REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 and its Privacy Policy can be accessed at factorialhr.pt/politica-de-privacidade.

10. Data Security and Protection

Taking into account the available technology, respective application costs and nature, the scope, context and purposes of each data treatment and archiving, risks and severity of possible damages to the rights and freedoms of data subjects, Despomar ensures the application of technical measures and organizational structures appropriate to the level of risk involved, namely assuring Pseudonymization and Encryptation , Confidentiality , Integrity, Availability and Permanent Resilience of data treatments.

So,

Backups are incremental within every hour with 1 week retention. After this retention, a full backup is performed and the process restarts. All backups are stored and encrypted in our datacenter on multi-disk storage equipment. It is sent in a weekly report by email to the IT Security Officer (CISO) with the success rate of all retention made. In case of error, this email takes the form of an Alert.

Through the procedure established in this privacy policy, which begins with the completion of the Data Restore Form (RGPD.010), access to backups is exclusive to CISO from backup software installed on the company's servers. The data recovery (restore) can be done immediately. In his absence, this responsibility will be delegated to the responsible service technician appointed for this purpose, and any type of contact can be made to it@despomar.com.

To guarantee the confidentiality of data subjects, the o CISO and all subordinate technicians are responsible for the Despomar’s Code of Conduct and Confidentiality that they signed with their Employment Contract.

Additionally, to ensure the safety and functioning of the system and the Data Backup and Restore processes, annually, until the last day of November, the system will be tested in the Internal Audit procedure.

11. Control and Prevention

To prevent possible risks arising from creation, maintenance (corrections, validations, deletion or others), conservation, handling and treatment, in particular due to the possibility of destruction, loss and accidental or illegal alterations, and/or disclosures or unauthorized access of personal data obtained, transmitted, preserved or subjected to any other type of treatment, annually, until the last day of November, Despomar will control the Security and Protection of these data through an Internal Audit (RGPD 050) where it will guarantee for all purposes that the assumptions determined in this Privacy Policy are ensured, and will take the respective corrective measures that are justified.

12. Eventual Personal Data Breach

In the event of a personal data breach, or mere suspicion of it, the person responsible for the treatment or any other employee who has direct knowledge, or because it has been reported to him, must notify the Data Protection Officer (DPO) within 48 hours of having become aware, via email to eduardo@despomar.com. This communication must detail all aspects that considered relevant for the possible violation suspected, including adding attachments when applicable.

Pursuant to article 55 of the RGPD regulement, the Data Protection Officer will assess the risks for data subjects, and whenever justified, will notify the competent entity identified here as the Comissão Nacional de Proteção de Dados – CNPD with address at Rua de São Bento, 148-3°, 1200-821 Lisboa that can be also contacted by tel. +351213928400, Fax +351213976832, e-mail: geral@cnpd.pt ou ainda pelo website: http://www.cnpd.pt/. This notification will contain the description and nature of the personal data breach, including, if possible, the categories and approximate number of data subjects affected, as well as the categories and approximate number of personal data records concerned, identifying the likely consequences of the personal data breach and what measures have been taken or proposed to remedy the breach.

13. Notification of Personal Data Breach to Rightful Owner

If there is a breach of personal data that is likely to reveal a high risk for the rights and freedoms of individuals, the Data Protection Officer will communicate it, in clear and simple language, to the data subject without undue delay, making known of any known risks and the measures implemented and planned to minimize or eliminate any possible impact.

Communication to the data subject will not be mandatory if the controller has applied adequate protection measures that make the personal data incomprehensible, if he has taken subsequent measures that ensure that the high risk to the rights and freedoms of data subjects is not materialized, or if such communication involves a disproportionate effort. In that case, a public communication will be made or a similar measure taken through which the data subjects are informed in an equally effective way.

14. Responsibility

A DESPOMAR, Com.Art.Desp.S.A., fiscally identified through number 501 823 646 , headquartered in the Ericeira Surf Center building at Av. de São Sebastião, 36B in Ericeira, with zip code 2655-483, assumes control and responsibility for the personal information acquired by its systems or by its employees, for all aspects defined by this Policy of Privacy and Confidentiality, as defined by Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, known as the General Data Protection Regulation (GDPR).

Also under the terms of the same regulation, on May 17, 2018, Despomar appointed, Eduardo Manuel Miranda Moreira as Data Protection Officer (DPO) and Ruben Fernando Alves da Silva as Chief Information Security Officer (CISO). Both can be contacted via the e-mail rgpd@despomar.com.

Despomar has taken important measures to ensure security and constant respect for the privacy of the data of the holders who have trusted us. Any questions, observations or concerns about these practices, can be questioned through the e-mail rgpd@despomar.com, pelo geral despomar@despomar.com, or through any other known means available on the numerous platforms we hold. We will always be available to help you.