Scope of Application and Responsibility
APCER provides certification, auditing and training services and has as one of its commitments, the protection of the privacy of the personal data it collects, in the various areas of its activity. With the entry into force of the General Data Protection Regulation (EU), on May 25, 2018, APCER's commitment in this regard, will be accentuated.
Your data will be collected, processed and stored by APCER - Portuguese Association of Certification, with registered office at Rua António Bessa Leite, 1430, 1º, 4150-074 - Porto, with VAT number 503 731 765.
The collection of your data, including personal data, takes place in interactions with APCER, namely:
- Management of Audits and Certification;
- Management of Accreditors;
- Recruitment and Selection of Auditors and Trainers;
- Management of Spontaneous Applications;
- Training Management;
- Management of Auditors and Trainers;
- Communication and Marketing;
- Complaints Management;
- Event Management;
- Management of Cookies.
Depending on the nature of the interaction and only when necessary, APCER processes the following categories of personal data, for which some examples (non-exhaustive) of personal data collected are listed:
- Identification data (Name, date of birth, civil identification number, etc.);
- Contact data (Address, e-mail address, mobile phone number, etc.);
- Billing data (NIF, amount charged, IBAN, etc.);
- Data on professional life (CV, professional situation, education, training, diplomas, etc.);
- Traffic and location data (IP addresses, logs, date and time data, etc.);
- Internet browsing data (IP session cookies, user cookies, third party cookies, browsing data, etc.).
Why we collect the data
APCER only processes your personal data when it is duly empowered to do so, collecting and processing the data strictly necessary for contractual performance, or pre-contractual steps to comply with legal obligations, in accordance with your consent and for the pursuit of legitimate interests.
By way of example, APCER may request your data when related to the purpose at home, such as:
- Provide an appropriate and targeted response to requests for information/proposal;
- Communicate better with you, for relevant matters and only with the necessary frequency, according to the characterization of your data and your preferences;
- Comply with business purposes, namely statistical data to improve the performance of the various services provided;
- Comply with the requirements of the accrediting entities, on which depends the validity of the certificates of some of the services provided, namely training actions;
- To provide certification, education and training and auditing services;
- Invoice services/products, such as audits and training actions.
Whenever there is no specific legal obligation, personal data is processed by APCER only for the period necessary to fulfil the defined purpose.
If there is a specific legal obligation, your data will be processed and kept for a minimum period. (Ex. invoicing data is kept for a period of 10 years, for accounting or tax purposes, or information to the Tax Authority).
If not, the data will be processed only for the period necessary to fulfil the respective purposes, or based on the guidelines or decisions of the CNPD.
APCER will treat and keep your personal data for the period during which it maintains a contractual relationship with you.
It may keep other personal data for periods longer than the duration of the contractual relationship, whether based on your consent, to ensure rights or duties related to the contract or to pursue legitimate interests, only for the period strictly necessary to achieve the respective purposes.
The retention periods of your data may change significantly when archive purposes of public interest, historical, scientific or statistical reasons are at stake, APCER undertaking to provide the appropriate conservation and security measures.
APCER may communicate your personal data to third parties, ensuring that they process such personal data only and exclusively for the fulfilment of the purposes indicated.
Where applicable, we will share your information with:
- APCER group companies, for marketing communication purposes;
- Regulatory Entities, for the purpose of compliance verification of the activities provided by APCER;
- Entities with which APCER has an operational partnership, for the purposes of carrying out the activities included therein.
The Entities referred in the previous paragraphs may have their headquarters outside the European Union. In such cases, APCER shall ensure that data transfers are carried out securely, in compliance with applicable legal regulations.
The processing of users' data may be carried out by a suitable service provider contracted by APCER. The said service provider will process the data exclusively for the purposes established by APCER and in compliance with the instructions issued by the latter, in strict compliance with the legal rules on personal data protection, information security and other applicable regulations.
Data Protection Rights
You can exercise, at any time, your rights contemplated in the General Regulation on Data Protection, such as: access, rectification, limitation or elimination of your personal data.
If the use of your personal data is based on consent, you have the right to withdraw it, without compromising the validity of the data processing carried out until that moment.
In the event of any type of request regarding your data, you may be asked to provide proof of identification, for security and protection reasons, to the data subject himself.
You can obtain further information about your rights from the Control Authority - Comissão Nacional de Proteção de Dados (www.cnpd.pt).
You also have the right to lodge a complaint with the CNPD from: https://www.cnpd.pt/cidadaos/participacoes/.
Personal Data Security
We use a set of appropriate security technologies and procedures to protect your Personal Data from unauthorised access, use or disclosure, access control and monitoring of databases and information systems, through security policies in line with the best information security practices, which ensure appropriate auditing and monitoring, and accountability of access.
30 March 2023