
PRIVACY AND CONFIDENTIALITY POLICY

1. Use of Personal Information

Despomar ensures that no personal data has to be provided in order to access most of its establishments, products or websites; however, some of the services provided, by their nature, have this need. Examples include delivery address information for website purchases or sales with delayed delivery, rental of equipment, access to your resale products and others.

Except when provided in this Privacy Policy, Despomar Group collects and stores the information, including personal data, which you voluntarily provide for business transactions on its websites ericeirasurfshop.pt, 58surf.com, mrstitchservice.com or app.nuorder.com/despomar, through the subscription of our Loyalty Card at physical stores or the subscription of Newsletters. Additional information, including tax information, may be required in certain transactions.

Registration is not required to access the 58 Surf site or to make purchases on it; registering is a voluntary option.

The main purpose of the use of the data collected by Despomar is to add value for the client, by giving him know-how about our aspiration and motivation and by announcing news and activities related to the Action Sports sector. It is also important for Despomar that its clients know the products, services, campaigns, promotions and opportunities.

A good relationship between the customer and all our after-sales services is one of our goals.

Despomar may also use aggregated (anonymous) personal data that we provide for internal business purposes, such as producing statistics and developing marketing plans. We may collect, store or accumulate certain non-personally identifiable information regarding the other interactions between the personal data holders and the Despomar Group.


Websites

The 58 Surf website collects personal information, such as your email address, your name, address, country and telephone. It also collects anonymous demographic information, such as your ZIP code, age, gender, interests and favourites.

Video Surveillance

All facilities where Despomar services operate are, for security reasons, covered by an internal video surveillance circuit. The personal data obtained are also covered by this Privacy Policy, and the images are only viewed by employees with high hierarchical responsibilities in the company. These images are intended to prevent theft or other security risks in our establishments and, if needed, to be used as evidence to file a criminal complaint or to open disciplinary proceedings. We will not disclose your personal data to third parties without your consent, except as provided in this Privacy Policy. 58 Surf may disclose any information, including personally identifiable information, as needed to satisfy any law, regulation, legal proceedings or applicable state decisions.

2. Confidentiality and Information Security


Our Privacy and Data Protection Policy is based on a technological infrastructure security architecture to which we apply various information security measures to protect your personal information online and offline, by data encryption systems, control and monitoring the access by our employees, recreating internal procedures for the anonymization of subjects in other processes, minimization of external risks, and internal penalties for violations of data security.

Despomar uses advanced server access control to ensure the data protection of every client. Any sensitive information, such as a credit card number, should only be used with a secure server using the Secure Socket Layer (SSL) protocol, never otherwise.

Our data preservation policy provides an automated procedure for the destruction of obsolete data acquired or updated more than 10 years ago, each year, until the last day of April. However, we will politely respect any requests made by clients in the exercise of their rights of forgetting / removal, using the means at their disposal defined in this Privacy Policy.

3. Handover of Data to Third Parties


If you allow your personal data to be shared, this information will be shared only with the companies of the Despomar Group, such as Despomar Lda., VAT 501 823 646, and Miranda & Ribeiro, Lda., VAT 500 386 048.

Together, these companies operate retail brands such as ERICEIRA SURF & SKATE, 58 SURF SHOPS and BILLABONG, and other internationally recognized brands represented exclusively in Portugal, such as Billabong, Element, Rvca, Nixon, Dakine, Fcs, Xcel, JS Surfboards, Vonzipper and Supra, among others.

Despomar cannot, in any case, provide all or part of its acquired personal information to any other companies or entities outside the Despomar Group, whether domestic or foreign, without their consent, except as provided in this Privacy Policy.

Despomar can use or communicate any kind of personal data in order to fulfil any state decisions, court cases, regulations or in any case, justify any applicable laws.

However, we may contract other companies and/or individuals to perform tasks on our behalf, related to the purposes set forth in this Privacy Policy. These could include data analysis firms, customer support specialists and website hosting companies. Under the confidentiality clauses added to any subcontracting contracts for such services, such third parties may have partial access to some of the personal data collected, but restricted to those absolutely necessary for the performance of the contracted tasks. Using the information for other purposes or providing it to third parties could result in criminal proceedings.

In order to develop our business, we may in the future sell some of our assets. In this type of transaction, user information, including personal information, is generally one of the transferred business assets. By submitting your personal information to Despomar, you agree that your data may be transferred to third parties under these conditions. Even in the eventual sale of assets of this nature, we will ensure that this will be transferred only to third parties that are in compliance with the terms of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, General Regulation on Data Protection (RGPD).

Transfer of data to other countries

We will only deal with any subcontracting services related to personal data obtained from third parties that are in compliance with the terms of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, Data Protection (RGPD). We require all our partners and third parties to adopt procedures at least as strict as those we follow in respect of personal data, including this Privacy Policy.

4. Data Handling

We will treat the personal data collected in all communications exclusively by hand and without the use of any robots or automated data processing machines, in order to adjust the information about products, campaigns, promotions or news as much as possible. When the collected data allows such analysis, we will avoid redundancy or repetition of records relating to the same individual.

For each data processing process that occurs, a Data Processing Officer will be appointed and the respective data sheet will be drawn up, which will describe the process in detail, identifying the objectives and terms of the communication, the target groups for the treatment, the media used, the data handler and all third parties involved by naming the persons representing them, the physical data processing and filing locations of the data processed.

The data handler will only initiate a data-processing procedure on the specific instruction of the designated controller, unless this is required by Union or Member State law, and final validation and consent of the Data Protection Officer (DPO), under the terms of this Privacy Policy.

5. Data Processing Security

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  1. the pseudonymisation and encryption of personal data;
  2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.

7. Websites

Pixel Tags

There is information on internet access terminals, such as PCs, Tablets or Mobile Phones, both hardware and software that can be automatically collected by our websites. This information may include IP addresses, browser type, domain names, access times, and addresses of referring websites. This information is used by Despomar websites in order to ensure the quality of the service and to maintain general statistics regarding use of the website.

When you visit one of our websites or read one of our emails, Despomar may use pixel tags (also called clear gifs), crawlers and / or similar technology to track some of the pages that were visited in our websites. All this information will customize your visit. We may also use pixel tags to determine the types of email your browser supports. We may also use the information collected through pixel tags, flowchart detectors, and similar technology in combination with your personal data.


Cookies

We may place a "cookie" on your computer's hard drive so that we can recognize you as a frequent user and customize your visit. A cookie is a set of data that allows us to locate and target your preferences and allows you to make better use of the Site. The cookie will be stored on your computer's hard disk until you remove it. We may also use temporary or "session" cookies to help you navigate in our websites, which expire when you leave. You can configure your browser to notify you of the existence of cookies or to reject them automatically. The "help" option in the toolbar of most navigation programs will tell you how to stop accepting new cookies.


IP Address

If you reject our cookies, you may still continue to use our websites, but you may experience limitations in using some of its features. Some of Despomar's business partners or owners of other websites with links to ours may also use cookies as part of your visit to us, however, we do not have access to or control over these cookies and we accept no responsibility for such use. In addition, we can use Internet Protocol (IP) addresses to analyze trends, manage our website, track traffic patterns, and gather demographic information for aggregate use. Except as otherwise provided in this Privacy Policy, we will not use IP addresses in combination with your personal information without your prior consent.


Hyperlinks

Our websites may contain hyperlinks (links) to or from other sites. Please note that Despomar does not necessarily share personal data with all such entities, so it is not responsible for the privacy practices of those other websites. This Privacy Policy only applies to the personal information we collect on our websites. We strongly advise you to read the privacy policies of other websites that you access from our websites.


8. REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 (General Data Protection Regulation)

All personal data obtained with tacit consent, or those that the users of our services choose to provide for their use, will be considered valid for further communication under the terms of point 2., and Despomar will keep such data, except if you inform us otherwise, using your rights of access at data processing, opposition, erasure. If you prefer not to receive such communications, you should choose not to receive them under the terms provided by law.

Accordingly, we present here the rights established by the RGPD Regulation, which are hereby assured by this Privacy Policy.


Transparent information

The controller shall take appropriate measures to provide any information referred to any communication relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language.


Right to information and Access to personal data

Each person has the right to request from the data controller information about the type of treatment to which their data are subject. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

The controller shall facilitate the exercise of data subject rights. In order to guarantee this right, each data subject may use the means at his disposal defined in this Privacy Policy.

When personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:

  1. The identity and the contact details of the controller and, where applicable, of the controller's representative;
  2. The purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

Right to rectification

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.


Right to erasure (“right to be forgotten”)

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  1. The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  2. The data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
  3. There are no overriding legitimate grounds for the processing, or the data subject objects to the processing;
  4. The personal data have been unlawfully processed;
  5. The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
  6. The personal data have been collected in relation to the offer of information society services.

Right to restriction of processing

The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

  1. The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  2. The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  3. The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  4. The data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.


A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.


Right to object

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her.

The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.


Right of Notification

Data subjects must be notified or given notice in cases where their personal data are being collected or processed. Despomar has taken measures at the level of Video Surveillance so in all the establishments there is a floor plan with the cameras installed and their orientation, as well as applying the appropriate signage, including the obligatory one. In all other acts of collecting personal data there is, or will be, an abbreviated explicit reference to the purposes for which the data collected is used for each act, and also the redirection to this Privacy Policy whenever the nature of the act does not allow this inclusion, or that the presence of it becomes materially disproportionate.


Notification regarding rectification

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

Despomar may regularly review this Privacy Policy. If we decide to change our Privacy Policy, we will post the revised policy here through footnotes, and we will make those revisions known to all data holders.


Automated individual decision-making, including profiling

The data subject shall have the right not to be subject to a decision based on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

Despomar understands that explicit consent is given when the data subject does not oppose the processing of data, but in order to guarantee this right, the data subject can use the means at his disposal defined in this Privacy Policy.


Right to data portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.

In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another.

9. Workers

Any employee, hired or subcontracted, provisionally or definitively, by any company of the Despomar Group or its partners, at any stage of the employment contract or after its cessation, undertakes to maintain full privacy and confidentiality regarding the Personal Data that they have access to in the exercise of their duties, in spite of the limitation and conditioning of access to Personal Data promoted by Despomar.

Exceptions from this scope are information whose disclosure is essential for the performance of the task or for the performance of their duties in the position for which the employee was hired, regardless of the position that the data subject has shown on the Privacy Policy and whether they have been or not obtained by Despomar.

Workers are prohibited from withdrawing or taking any information or document out of their place of work, or any other establishment of the Despomar Group or its partners, without the prior written consent of the latter and should not also destroy, alter or delete any information or document, except in the normal exercise of their professional activity. They also undertake not to derive any benefit for themselves or for third parties from all knowledge and information, including personal data to which they have access in connection with the performance of the duties for which they were employed.

In case of employment contract cessation, you must return all originals and / or dossiers, correspondence, files, memos, passwords and other documents and information.

In case of a breach of the guidelines of this Privacy Policy, the contract will be in violation of this norm, which may lead to the opening of a disciplinary process that may constitute just cause for dissolution of the employment contract.

10. Security and Data Protection

Taking into account the available technology, the respective application costs and nature, the scope, context and purposes of each treatment and filings, risks and seriousness of possible damages to the rights and freedoms of the data owners, Despomar ensures the application of technical measures and organizational structures appropriate to the level of risk involved, ensuring in particular the Pseudonymization, Encryption, Confidentiality, Integrity, Availability and Resilience of systems and treatment services.


Therefore,


Use of backups (define what kind of equipment we use, how often we record and who can access these backups) - The ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident;

Define processes to regularly test and evaluate the effectiveness of technical and organizational measures to ensure treatment safety.

Include in the Data Processing Data Sheet (RGPD 005) that the controller and the subcontractor take measures to ensure that any person acting under the authority of the controller or the processor has access to personal data, treatment unless instructed to do so by the law of the Union or of a Member State.

Make Restore Data Sheet for Personal Data (RGPD 010) and place contacts of the technician and substitute that includes compliance with an approved code of conduct as referred to in Article 40 or an approved certification procedure as referred to in Article 42 may be used to demonstrate compliance with the obligations laid down in paragraph 1 of this Article.

11. Control and Prevention

Preventing possible risks from the creation, maintenance (corrections, validations, erasure or otherwise), conservation, handling and treatment, in particular due to the possibility of destruction, loss and accidental or unlawful alterations, and / or disclosures or to unauthorized access, of personal data obtained, transmitted, stored or subjected to any other type of treatment, annually until the last day of November, Despomar will control the Security and Protection of this data through an Internal Audit (Annex RGPD 050) where it will guarantee for all effects that the assumptions set forth in this Privacy Policy are assured, and will take such corrective measures as may be warranted.

12. Notifications of Personal Data Violations to the Authority

In the event of a breach, or of a mere suspected violation of personal data, the controller or any other employee who has knowledge of it, directly or because it has been reported by third parties, must notify the Data Protection Officer (DPO) within 48h of having known about it, by email at eduardo@despomar.com. This communication must detail all the aspects considered relevant to determine the possible violation that is suspected, including adding attachments if applicable.

According to article 55, the Data Protection Officer shall evaluate the risks to data subjects, and when appropriate, notify the competent entity identified here as National Data Protection Commission (CNPD) with address in Rua de São Bento nº 148-3º, 1200-821 Lisboa and that can be contacted by phone 00351213928400, Fax 00351213976832, e-mail: geral@cnpd.pt or the website: http://www.cnpd.pt. This notification shall include the description and nature of the breach of the personal data including, where possible, the categories and approximate number of affected data holders, as well as the categories and approximate number of personal data records concerned, identifying the likely consequences of the violation of personal data and what measures have been taken or proposed to repair the violation of personal data.

13. Notification of Personal Data Violations to the data subject

In case of a personal data breach which is likely to indicate a high risk to the rights and freedoms of each person, the Data Protection Officer shall communicate, in plain and simple language, the said breach to the data subject without undue delay, making known the possible known risks and the measures implemented and planned to minimize or nullify the possible impact.

Communication to the data subject shall not be obligatory if the controller has implemented appropriate protection measures and rendered the personal data incomprehensible, if he has taken subsequent measures to ensure that the high risk to the rights and freedoms of data subjects, or if such communication involves a disproportionate effort. In such case, a public communication or a similar measure will be carried out through which data subjects are informed equally effectively.

14. Responsible for Data Processing

DESPOMAR, Lda., VAT no. 501 823 646, located at Edificio Ericeira Surf Center - Av São Sebastião, 36B, Ericeira, with postal code 2655-483 assumes control and responsibility for the personal information acquired by its systems or its duly identified in actions or group activity, for all aspects defined by this Privacy and Confidentiality Policy, as defined by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, General Regulation on Data Protection (RGPD).

On May 17th, 2018, Despomar appointed Eduardo Manuel Miranda Moreira as Data Protection Officer (DPO) and Ruben Fernando Alves da Silva as Data Security Officer (CISO). Both can be contacted through the e-mail rgpd@despomar.com.

Despomar has taken important steps to ensure the security and constant respect for the privacy of the personal data that we have entrusted. For any questions, comments or concerns about our practices or others, contact us at rgpd@despomar.com or despomar@despomar.com. You can also contact us through any other means of contact that we make available on our numerous platforms and in our establishments.


There will always be one of us available to help you.


Ericeira, May 25th 2018