Citibrain needs to collect and process personal data of natural persons to carry out its activity. This includes information relating to customers, suppliers, commercial contacts, collaborators and other people and members of organizations with whom it has had, or may come to have, contact.
This policy describes how personal data must be collected, handled and stored in accordance with the law and Citibrain's data protection requirements, regardless of the medium (electronic, paper or any other).
This policy applies to:
- CITIBRAIN head office
- CITIBRAIN subsidiaries and branches
- All CITIBRAIN collaborators regardless of the contract they hold with the company
- All subcontractors, suppliers and other people and organizations acting on behalf of CITIBRAIN
This policy ensures that CITIBRAIN:
- Complies with the legislation on personal data protection, especially EU Regulation 2016/679 of 27/04
- Protects the rights of its collaborators, customers and other partners
- Is transparent about how it processes personal data
- Protects itself against the risk of personal data breaches
The principles applicable to personal data protection are:
- Lawfulness, fairness and transparency: the legal basis for each processing operation must be identified, and the data owners must be informed in advance, in clear and accessible language, of the purposes of the processing and how it is carried out.
- Purpose limitation: the specific purpose of personal data processing must be explicit, legitimate and specified at the moment the personal data are collected. Data collected for a specific purpose must not be used for a different purpose that does not arise from the first.
- Adequacy, relevance and minimization: only the personal data that are adequate and necessary for the intended purposes are processed.
- Accuracy and updating: the necessary measures must be taken to ensure that inaccurate data are corrected or deleted.
- Storage limitation: personal data will only be stored for the time needed for their specific purpose. A deadline for deletion or destruction will be established for each set of data.
- Security and confidentiality: personal data are stored in a manner that guarantees their protection, with access limited so that only duly authorized personnel can process them.
- Privacy by design and by default: before any data are processed, measures will be taken to guarantee that privacy is a concern from the beginning and throughout the entire processing.
Data owners are entitled to access, correction, limitation of purposes, portability, deletion and opposition to automated decisions.
A collaborator contacted by a data owner who intends to exercise any of these rights must verify the data owner's identity before supplying any information, in accordance with the rights-exercising procedure, and must then forward the request to the DPO for processing.
CITIBRAIN may share data with public authorities without the owners' knowledge when complying with a legal or judicial obligation.
Aveiro, 18th May 2018