Despomar ensures that in order to access most of its establishments, products or websites, no cession of personal data is mandatory, however some of the services provided, by their nature, have this need. For example, delivery address information for website purchases or sales with delayed delivery, rental of equipment, access to your resale products and others.
Registration is not required to access the site 58 Surf, and make purchases on it being this voluntary option.
The use of the data collected by Despomar have the main purpose of add value to the client, by giving him know how about our aspiration and motivation, announcing news and activities related to the sector of Action Sports. Also is important for Despomar that their clients know the products, services, campaigns, promotions and opportunities.
The good relationship between the customer and all our after-sales services, are one of our goals.
Despomar may also use aggregated (anonymous) personal data that we provide for internal business purposes, such as producing statistics and developing marketing plans. We may collect, store or accumulate certain non-personally identifiable information regarding the other interactions between the personal data holders and the Despomar Group.
The website 58 Surf collects personal information, such as your email address, your name, address, country and telephone. Also collects anonymous demographic information, such as your ZIP code, age, gender, interests and favourites.
Our Privacy and Data Protection Policy is based on a technological infrastructure security architecture to which we apply various information security measures to protect your personal information online and offline, by data encryption systems, control and monitoring the access by our employees, recreating internal procedures for the anonymization of subjects in other processes, minimization of external risks, and internal penalties for violations of data security.
Despomar uses an advanced server access control to insure the data protection of every client. If there is any sensitive information such as a credit card number, it should only be used with a secure server using the Secure Socket Layer (SSL) protocol, never otherwise.
In the case of allowing your personal data to be shared, this information will be shared only, with the companies of the Despomar Group, like DESPOMAR, Com.Art.Desp.S.A. VAT 501 823 646 and Miranda & Ribeiro, Lda. VAT 500 386 048.
These companies all together work retail insignias, like, ERICEIRA SURF & SKATE, 58 SURF SHOPS, BILLABONG and other brands, recognized internationally, represented exclusively in Portugal, as Billabong, Element, Rvca, Nixon, Dakine, Fcs, Xcel, JS Surfboards, Vonzipper and Supra , among others.
Despomar can use or communicate any kind of personal data in order to fulfil any state decisions, court cases, regulations or in any case, justify any applicable laws.
In way to develop our business, we may in the future sell some of our assets. In this type of transaction, user information, including personal information, is generally one of the transferred business assets. By submitting your personal information to Despomar, you agree that your data may be transferred to third parties under these conditions. Even in the eventual sale of assets of this nature, we will ensure that this will be transferred only to third parties that are in compliance with the terms of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, General on Data Protection (RGPD)
Transfer of data to other countries
We will treat the personal data collected in all communications, exclusively by hand and without the use of any robots or automated data processing machines, in way to adjust the information about products, campaigns, promotions or news as much as possible. When the collected data allows such analysis, we will avoid redundancy or repetition of records relating to the same individual.
For each data processing process that occurs, a Data Processing Officer will be appointed and the respective data sheet will be drawn up, which will describe the process in detail, identifying the objectives and terms of the communication, the target groups for the treatment, the media used, the data handler and all third parties involved by naming the persons representing them, the physical data processing and filing locations of the data processed.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.
Pixel TagsThere is information on internet access terminals, such as PCs, Tablets or Mobile Phones, both hardware and software that can be automatically collected by our websites. This information may include IP addresses, browser type, domain names, access times, and addresses of referring websites. This information is used by Despomar websites in order to ensure the quality of the service and to maintain general statistics regarding use of the website.
When you visit one of our websites or read one of our emails, Despomar may use pixel tags (also called clear gifs), crawlers and / or similar technology to track some of the pages that were visited in our websites. All this information will customize your visit. We may also use pixel tags to determine the types of email your browser supports. We may also use the information collected through pixel tags, flowchart detectors, and similar technology in combination with your personal data.
We may place a "cookie" on your computer's hard drive so that we can recognize you as a frequent user and customize your visit. A cookie is a set of data that allows us to locate and target your preferences and allows you to make better use of the Site. The cookie will be stored on your computer's hard disk until you remove it. We may also use temporary or "session" cookies to help you navigate in our websites, which expire when you leave. You can configure your browser to notify you of the existence of cookies or to reject them automatically. The "help" option in the toolbar of most navigation programs will tell you how to stop accepting new cookies.
All personal data obtained with tacit consent, or those that the users of our services choose to provide for their use, will be considered valid for further communication under the terms of point 2., and Despomar will keep such data, except if you inform us otherwise, using your rights of access at data processing, opposition, erasure. If you prefer not to receive such communications, you should choose not to receive them under the terms provided by law.
The controller shall take appropriate measures to provide any information referred to any communication relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
Right to information and Access to personal data
Each person, have the right to request from the data controller, information about the type of treatment to which their data are subject. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.
When personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
Right to rectification
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure (“right to be forgotten”)
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
Right to restriction of processing
The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.
Right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her.
The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Right of Notification
Notification regarding rectification
The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out according to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.
Automated individual decision-making, including profiling
The data subject shall have the right not to be subject to a decision based on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another.
Any employee, hired, subcontracted, provisionally or definitively, of any company of the Despomar Group or partners, at any stage of the employment contract or after any cessation, that, in spite of the limitation and conditioning of access to Personal Data promoted by Despomar, that they have access to in the exercise of their duties undertakes to maintain full privacy and confidentiality.
Workers are prohibited from withdrawing or taking any information or document out of their place of work, or any other establishment of the Despomar Group or its partners, without the prior written consent of the latter and should not also destroy, alter or delete any information or document, except in the normal exercise of their professional activity. They also undertake not to derive any benefit for themselves or for third parties from all knowledge and information, including personal data to which they have access in connection with the performance of the duties for which they were employed.
In case of employment contract cessation, you must return all originals and / or dossiers, correspondence, files, memos, passwords and other documents and information.
Taking into account the available technology, the respective application costs and nature, the scope, context and purposes of each treatment and filings, risks and seriousness of possible damages to the rights and freedoms of the data owners, Despomar ensures the application of technical measures and organizational structures appropriate to the level of risk involved, ensuring in particular the Pseudonymization, Encryption, Confidentiality, Integrity, Availability and Resilience of systems and treatment services.
Use of backups (define what kind of equipment we use, how often we record and who can access these backups) - The ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident;
Define processes to regularly test and evaluate the effectiveness of technical and organizational measures to ensure treatment safety.
Include in the Data Processing Data Sheet (RGPD 005) that the controller and the subcontractor take measures to ensure that any person acting under the authority of the controller or the processor has access to personal data, treatment unless instructed to do so by the law of the Union or of a Member State.
Make Restore Data Sheet for Personal Data (RGPD 010) and place contacts of the technician and substitute that includes compliance with an approved code of conduct as referred to in Article 40 or an approved certification procedure as referred to in Article 42 may used to demonstrate compliance with the obligations laid down in paragraph 1 of this Article.
Preventing possible risks from the creation, maintenance (corrections, validations, erasure or otherwise), conservation, handling and treatment, in particular due to the possibility of destruction, loss and accidental or unlawful alterations, and / or disclosures or to unauthorized access, of personal data obtained, transmitted, stored or subjected to any other type of treatment, annually until the last day of November, Despomar will control the Security and
In the event of a breach, or of a mere suspected violation of personal data, the controller or any other employee who has knowledge directly or because it has been reported by third parties, must notify up to 48h of having known about them, to the Data Protection Officer (DPO) by email at [email protected], and in this communication you must detail all the aspects that you consider relevant to determine the possible violation that you suspect, including adding attachments if applicable.
According to article 55, the Data Protection Officer shall evaluate the risks to data subjects, and when appropriate, notify the competent entity identified here as National Data Protection Commission (CNPD) with address in Rua de São Bento nº 148-3º, 1200-821 Lisboa and that can be contacted by phone 00351213928400, Fax 00351213976832, e-mail: [email protected] or the website: http://www.cnpd.pt. This notification shall include the description and nature of the breach of the personal data including, where possible, the categories and approximate number of affected data holders, as well as the categories and approximate number of personal data records concerned, identifying the likely consequences of the violation of personal data and what measures have been taken or proposed to repair the violation of personal data.
In case of a personal data breach which is likely to indicate a high risk to the rights and freedoms of each person, the Data Protection Officer shall communicate, in plain and simple language, the said breach to the data subject without undue delay, making known the possible known risks and the measures implemented and planned to minimize or nullify the possible impact.
Communication to the data subject shall not be obligatory if the controller has implemented appropriate protection measures and provide the personal data incomprehensible if he has taken subsequent measures to ensure that the high risk to the rights and freedoms of data subjects , or if such communication involves a disproportionate effort. In such case, a public communication or a similar measure will be carried out through which data subjects are informed equally effectively.
DESPOMAR, Com.Art.Desp.S.A., VAT no. 501 823 646, located at Edificio Ericeira Surf Center - Av São Sebastião, 36B, Ericeira, with postal code 2655-483 assumes control and responsibility for the personal information acquired by its systems or its duly identified in actions or group activity, for all aspects defined by this Privacy and Confidentiality Policy, as defined by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, General Regulation on Data Protection (RGPD).
On May 17th, 2018, Despomar appointed Eduardo Manuel Miranda Moreira as Data Protection Officer (DPO) and Ruben Fernando Alves da Silva as Data Security Officer (CISO). Both can be contacted through the e-mail [email protected].
Despomar has taken important steps to ensure the security and constant respect for the privacy of the personal data that we have entrusted. Any questions, comments or concerns about our practices or others, contact us to [email protected], or [email protected]. Also you can contact us, through any other means of contact that we make available in the numerous platforms that we have and establishments.
There will always be one of us available to help you.
Ericeira, May 25th 2018