Despomar ensures that in order to access most of its establishments, products or websites, it is not mandatory to provide any personal data. Personal information is an option for those who are wish to access knowledge about products, campaigns, promotions or other news involving the core business of our organization.
However, some of the services provided, by their nature, contemplate this need. Some examples of this are the delivery address information for purchases on websites or sales with deferred delivery, equipment rental, reselling in our shops or others.
Some websites Despomar, in addition to the consumer’s name, collect other personal information such as e-mail address, home address, postal code, country and telephone. We also collect varied and anonymous demographic information, such as date of birth, age, gender and personal interests.
Despite all data information security systems used by Despomar, it should be noted that personal data, or other sensitive information, indicated directly through public messages on our websites or chats this information can, even remotely, be collected and used by other people. We reiterate that we do not collect data or other private information through direct online communications on or off our websites websites.
We avoid collecting data from children under 16 years of age, but whenever this happens on their own initiative for the purposes determined in this point 1., the processing of such data will only take place with the explicit consent given or authorized by the holders of the child's parental responsibilities.
The use of the data will happen to create added customer value, create awareness of our aspiration and motivation, namely disseminating news and activities related to the Action Sports sector. It will also promote our products and services, campaigns, promotions and opportunities, or even to carry out opinion surveys on current or future services to be made available. The main goal will be facilitating the relationship between consumers and sale service, assistance, guarantees and other services from carefully selected partners.
We may also use aggregated anonymous personal data provided for internal business purposes, such as the production of statistics and the development of marketing plans. We may collect, store or accumulate certain non-personally identifiable information relating to other interactions between the holders of personal data and the Despomar Group.
Please note that your personal information is collected on a public network and, as a result, may be viewed and used by unauthorized third parties. Our Confidentiality and Data Protection Policy is based on a technological infrastructure security architecture to which we apply various information security measures to protect your personal information online and offline, namely through data encryption systems, and monitoring of access by our employees, recreating internal procedures for the anonymization of subjects in other processes, minimizing external risks, and penalties for internal data security violations.
Despomar also ensures that your information is safe using the most advanced techniques to control access to servers. If there is very sensitive information such as a credit card number, it should only be used with a secure server using the Secure Socket Layer (SSL) protocol.
We may in the future sell some of our assets. In this type of transaction, user information, including personal information, generally constitutes one of the transferred business assets. By submitting your personal information to Despomar, you accept that your data may be transferred to third parties under these conditions. Even in the case of a possible sale of assets of this nature, we ensure this eventual transfer only to third parties that are in compliance with the terms of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, known as General Data Protection Regulation (GDPR)
Data transfer to other countries
We will treat manually - and without the use of any robots or automated data processing machines - the personal data collected in all communications whenever it is justified to adapt the information about products, campaigns, promotions or news as much as possible. Whenever the data collected allows this analysis, we will avoid redundancy or repetition of records relating to the same individual.
At each data processing process that takes place, a Data Controller will be appointed and the respective technical file will be prepared, which will accurately describe the entire process, identifying the objectives and terms of of the process, groups targeted, used means, the data handler and all third parties involved. People who represent the eventual third parties involved will also be identified.
Considering the data processing techniques in use, the costs, nature and scope of their application, the context and purposes of their treatment, as well as the probability and serious risks that each treatment represents for the rights and freedoms of the their holders, we will apply the appropriate technical and organizational security measures, in particular with regard to the processing of the special categories of personal data referred to in Article 9, paragraph 1 of Regulation (EU) 2016/679 of the European Parliament and of the Council. , of 27 April 2016, namely:
The information available on the internet that can be accessed by Computers, Tablets or Mobile Phones, both in terms of hardware and software, can be automatically collected by our websites. This information may include IP addresses, browser type, domain names, access times and referring website addresses. This information is used by our websites for better operation of their services, to guarantee its quality and to obtain general statistics of the use of the website.
When you visit one of our websites or view one of our emails, Despomar may use pixel tags (also called clear gifs), hyperlink flow detectors and/or similar technology to record some of those pages and use this information to personalize your visit. We may also use pixel tags to determine the types of email your browser supports. We may also use information collected through pixel tags, hyperlink flow detectors and similar technology in combination with your personal data.
We may place a “cookie” on your computer's hard drive so that we can recognize you as a frequent user and personalize your visit. A cookie is a set of data that allows us to locate and target your preferences and allow you to make better use of our website. The cookie will be stored on your computer's hard drive until you remove it. We may also use temporary or "session" cookies to help you navigate our websites, which expire when you leave. You can configure your (browser) program to notify you of the existence of cookiescookies.
All personal data obtained with tacit consent - or those that the users of our services choose to provide for their enjoyment - will be considered valid for further communication under the terms defined in point 2. Despomar will keep this data, unless if informed otherwise by the use of individual rights to limit data processing, opposition, forgetting (deleting) or not being subject to automated decisions. If the individual prefer not to receive such communications, he’ll have to declare that it.
Right to transparency
Through the publication of our Privacy and Confidentiality Policy, data subjects guarantee the right to know what treatments are carried out by Despomar on their data.
Right to be informed
The holders have the right to ask the data controller for information on the type of treatment to which their data are being subjected. This information must be provided in writing. If the holder so requests, the information may be provided orally, provided that the identity of the holder is proven by other means. For example, at the time of data collection, the holder must be informed about the treatment to which they will be.
Right to Access Personal Data
The holders have the right to know whether or not their data are being processed by Despomar and what data we hold, how they are categorized or to whom we may have transferred them.
Right of Rectification
The holder is entitled to request the rectification of incorrect data and completion of incomplete data. Each correction made by the controller implies the communication of that change to the entities to whom the data have been transmitted, unless such communication proves impossible or involves a disproportionate effort.
Right to erasure (forgetfulness)
Individuals have the right to request their erasure, which should take place without unjustified undue delay. Data erasure is also mandatory in the following situations: -when the data is no longer necessary for the purpose for which it was collected or processed; -when the data subject withdraws consent to the treatment (provided there is no other basis for such treatment); -when the data subject opposes the treatment and there are no prevailing legitimate interests that justify such treatment; -when the data were treated unlawfully; -to comply with a legal obligation arising from the law of the European Union or of a Member State to which the person responsible is subject to; -when the data was collected in the context through other information service providers.
The right to erasure (forgetfulness) must be reconciled with the legal obligations that the data controller must ensure in relation to official entities, which in this case overlap (for example, the duty to maintain issued invoices).
Right to limit or condition data treatment
The individual can request the limitation of its personal data treatment. In this context, the holder has the right to have the controller limit the processing in one of the following cases:
iii. When the person in charge no longer needs the data for processing, but they are required by the data subject for the purposes of declaring, exercising or defending a right in a judicial process;
The controller must communicate to each recipient, to whom the data has been transmitted, any limitation of processing that he has made, unless such communication proves impossible or involves a disproportionate effort. In all these situations, the data can be kept, but their treatment can only take place with the consent of the holder, for the purposes of declaration, for the exercise or defense of a right in a judicial process, for the defense of another natural or legal person or for reasons public interest of the European Union or the Member State.
Right of opposition
The holder may object to the use of their data for the purpose of direct marketing.
Right to notification
Right not to be subject to automated decisions
The data subject has the right to request human intervention in processes that are usually automatic, such as profiling, and may require human intervention in this automated process so that the decision is not taken exclusively automatically. Despomar understands that your explicit consent is given when you do not object to the processing of data.
Right to portability
Any employee, contracted, subcontracted, temporarily or permanently, of any company of the Despomar Group or partners, at any time of its employment contract duration or after eventual termination, who, despite the limitation and conditioning of access to Personal Data promoted by Despomar, that they have access to, even if they are not obtained by the said, which are of identification or of any other nature, in the exercise of their functions, they undertake to maintain full privacy and confidentiality over the said and not to copy, use, disclose or transmit to third parties, keep or treat, in any way, whether of a confidential nature or not, or even in cases where it was not made known that said information and/or documents were subject to confidentiality.
These workers are also prohibited from removing or taking any information or document outside their workplace, or any other establishment of the Despomar Group or its partners, without their prior written consent, and they must also not destroy, alter or delete any information or document, except in the normal exercise of their professional activity. They also undertake not to derive any benefit, for themselves or for third parties, from all knowledge and information, namely about personal data to which they have access in the scope of the exercise of the functions for which they were hired.
In the event of termination of the employment contract for any reason, the employee must immediately return all originals and/or copies of dossiers, correspondence, files, memos, passwords and/or other documents and information relating to personal data, that they are in power of.
Applications, spontaneous or resulting from specific recruitment actions, will be made through a partnership with the electronic platform available at DESPOMAR
This information will not be printed or archived in paper. The access to the data will be reserved for the heads of the respective departments, for a maximum period of one year. Annually, all files to be deleted will be reviewed until the last day of November.
Access to data will be departmentally restricted and exclusive to workers hierarchically defined as Heads of Department, Supervisors, Managers and Sub-Managers, in addition to the elements of the Human Resources team.
All applications, ad-hoc curricula, data sheets, etc. that reaches Despomar e-mail boxes will be deleted without ever being printed or forwarded. Printed applications delivered by hand will not be accepted in any of our establishments.
We do not process, transfer or transmit to third parties the personal information collected from candidates.
Taking into account the available technology, respective application costs and nature, the scope, context and purposes of each data treatment and archiving, risks and severity of possible damages to the rights and freedoms of data subjects, Despomar ensures the application of technical measures and organizational structures appropriate to the level of risk involved, namely assuring Pseudonymization and Encryptation , Confidentiality , Integrity, Availability and Permanent Resilience of data treatments.
Backups are incremental within every hour with 1 week retention. After this retention, a full backup is performed and the process restarts. All backups are stored and encrypted in our datacenter on multi-disk storage equipment. It is sent in a weekly report by email to the IT Security Officer (CISO) with the success rate of all retention made. In case of error, this email takes the form of an Alert.
To guarantee the confidentiality of data subjects, the o CISO and all subordinate technicians are responsible for the Despomar’s Code of Conduct and Confidentiality that they signed with their Employment Contract.
Additionally, to ensure the safety and functioning of the system and the Data Backup and Restore processes, annually, until the last day of November, the system will be tested in the Internal Audit procedure.
In the event of a personal data breach, or mere suspicion of it, the person responsible for the treatment or any other employee who has direct knowledge, or because it has been reported to him, must notify the Data Protection Officer (DPO) within 48 hours of having become aware, via email to[email protected]. This communication must detail all aspects that considered relevant for the possible violation suspected, including adding attachments when applicable.
Pursuant to article 55 of the RGPD regulement, the Data Protection Officer will assess the risks for data subjects, and whenever justified, will notify the competent entity identified here as the Comissão Nacional de Proteção de Dados – CNPD with address at Rua de São Bento, 148-3°, 1200-821 Lisboa that can be also contacted by tel. +351213928400, Fax +351213976832, e-mail: [email protected] ou ainda pelo website: http://www.cnpd.pt/. This notification will contain the description and nature of the personal data breach, including, if possible, the categories and approximate number of data subjects affected, as well as the categories and approximate number of personal data records concerned, identifying the likely consequences of the personal data breach and what measures have been taken or proposed to remedy the breach.
If there is a breach of personal data that is likely to reveal a high risk for the rights and freedoms of individuals, the Data Protection Officer will communicate it, in clear and simple language, to the data subject without undue delay, making known of any known risks and the measures implemented and planned to minimize or eliminate any possible impact.
Communication to the data subject will not be mandatory if the controller has applied adequate protection measures that make the personal data incomprehensible, if he has taken subsequent measures that ensure that the high risk to the rights and freedoms of data subjects is not materialized, or if such communication involves a disproportionate effort. In that case, a public communication will be made or a similar measure taken through which the data subjects are informed in an equally effective way.
A DESPOMAR, Com.Art.Desp.S.A., fiscally identified through number 501 823 646 , headquartered in the Ericeira Surf Center building at Av. de São Sebastião, 36B in Ericeira, with zip code 2655-483, assumes control and responsibility for the personal information acquired by its systems or by its employees, for all aspects defined by this Policy of Privacy and Confidentiality, as defined by Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, known as the General Data Protection Regulation (GDPR).
Also under the terms of the same regulation, on May 17, 2018, Despomar appointed, Eduardo Manuel Miranda Moreira as Data Protection Officer (DPO) and Ruben Fernando Alves da Silva as Chief Information Security Officer (CISO). Both can be contacted via the e-mail [email protected].
Despomar has taken important measures to ensure security and constant respect for the privacy of the data of the holders who have trusted us. Any questions, observations or concerns about these practices, can be questioned through the e-mail [email protected], pelo geral [email protected], or through any other known means available on the numerous platforms we hold. We will always be available to help you.
Update on April, 29nd of the year 2022