Privacy Policy

Privacy Policy

I. Introduction

The purpose of this document is to provide a concise policy statement on the data protection obligations of Gouveia Pereira, Costa Freitas & Associados, Sociedade de Advogados, S.P. R.L. (GPA).

GPA is committed with the development of mechanisms for processing personal data in accordance with the requirements of the relevant legislation.

II. Rationale 

GPA must comply with the data protection principles set out in current legislation. 

This Policy applies to all operations involving the processing of Personal Data, including its collection, processing and storage by GPA in relation to its employees, service providers and clients in the course of its business.

III. Scope 

The policy covers all personal data including data relating to special categories of personal data processed in relation to data subjects by GPA as Controller or Processor. This Policy also applies to personal data processed manually as long as it is included in a structured file. 

All personal data relating to special categories of personal data will be treated with extra care by GPA. Both categories will also be referred to as Personal Data in this policy, unless otherwise stated.

IV. Who processes your data

In the course of its daily activities, GPA may acquire, process and store personal data.

In accordance with European and Portuguese data protection legislation, this data must be acquired and managed in a fair, lawful and transparent manner.

GPA is committed to ensuring that its staff has sufficient knowledge of data protection legislation and practices in order to be able to anticipate and identify any data protection issues that may arise. In such circumstances, the team must ensure that the Data Controller is informed and that appropriate corrective action is taken to guarantee the rights, freedoms and guarantees of the Data Subjects.

GPA may share the personal data of Data Subjects with Subcontractors insofar as this is necessary for the normal provision of its services.

Subcontractors' access to personal data shared by GPA is regulated, within the scope of GPA's obligations, by the contract signed with its Subcontractors.

In this regard, GPA contractually ensures and regularly verifies that subcontractors are reliable entities and offer adequate protection guarantees, and that data is not transmitted to them beyond what is necessary for the provision of the contracted service.

In the course of its role as Data Controller, GPA may also share the personal data of Data Subjects with other Data Controllers in order to carry out the processing operations necessary for the provision of the contracted services. Within the scope of GPA's joint responsibility, the agreement in force between the two parties transparently identifies the respective purposes and responsibilities in compliance with the data protection legislation in force, guaranteeing the fulfilment of the Data Subjects' Rights and Freedoms through the establishment of communication channels for responding to the Data Subjects' requests.

Regardless of the existing relationship between the Recipients of Personal Data, GPA defines, through a formal written contract, the delimitation of the obligations in terms of Personal Data, the specific purpose or purposes for which they are involved and the understanding that they carry out the data processing operations in compliance with the Portuguese Data Protection Legislation.

V. Data may be shared with the following Recipients: 

  • Providers of IT, technical and operational support services;
  • Law firms belonging to the network of national or international law firms and other colleagues in judicial practice;
  • GPA Academy - Formação e Desenvolvimento, Lda;
  • Portuguese Bar Association;
  • Judicial bodies, Criminal Police bodies and administrative authorities.

VI. What we do with your data: 

As Data Controller, GPA guarantees that all data are: 

  • Obtained for specific, lawful and clearly defined purposes. The Data Subject has the right to question the purpose(s) for which GPA holds their data, and GPA will be able to clearly inform them of the purpose(s).
  • Compatibility with the purposes for which the data was acquired.
  • Maintained with appropriate security measures, implemented or to be implemented, to protect against unauthorised access to, or alteration, destruction or disclosure of, any personal data held by GPA as Controller.
  • Precise, complete and up-to-date maintenance when necessary.
  • Do not collect excessive data and only keep it for as long as necessary.

GPA has therefore implemented a procedure for responding to requests from Data Subjects, in order to manage such requests efficiently and appropriately, within the time limits stipulated by law.

GPA has implemented or is in the process of implementing the levels of security and protection of personal data made available, as well as technical and organisational measures for the protection of personal data against its dissemination, loss, misuse, alteration, unauthorised processing or access, as well as against any other form of unlawful processing.

All GPA employees are also subject to the rules on professional secrecy and confidentiality under the terms of the Statute of the Portuguese Bar Association.

VII. Purposes and legal grounds for processing operations: 

Clients 

GPA carries out processing operations on the Personal Data of its Clients to ensure the fulfilment of the services contract agreed with the Data Subjects or Joint Controllers (in relation to the data and Data Subjects collected by them, such as counterparties, employees and others). The personal data identified herein and subject to processing operations is necessary for the performance of a contract or for pre-contractual steps or for the fulfilment of legal obligations.

Special Category data relating to Customers or obtained through Customers will be subject to processing operations insofar as they are necessary for the declaration, exercise or defence of a right in legal proceedings, or if processing is necessary for reasons of relevant public interest such as the prevention of money laundering and terrorist financing.

The processing of personal data of Clients or obtained through Clients, related to criminal convictions and offences or related security measures will always be subject to appropriate guarantees for the rights and freedoms of the data subjects, and the relevant operations will be limited to strict compliance with the applicable legal obligations. 

  • Employees and candidates

GPA carries out processing operations on the data of its employees for the performance of the employment contract. The data processed is necessary for the performance of a contract to which the Data Subject is a party, or for the purposes of pre-contractual steps at the request of the Data Subject.

The personal data of employees is also collected and processed for the purposes of complying with legal obligations to which the Data Controller is subject.

Processing operations relating to Special Category data collected from Employees are necessary for the purposes of complying with legal obligations and exercising specific rights of the Data Controller or the Data Subject with regard to labour legislation, social security and social protection, as well as for the purposes of preventive or occupational medicine, for the assessment of the employee's working capacity.

The processing of employees' personal data relating to criminal convictions and offences or related security measures will always be subject to appropriate safeguards for the rights and freedoms of data subjects, and the relevant operations will be limited to strict compliance with applicable legal obligations.

  • Service Providers

GPA carries out processing operations on the Personal Data of its Service Providers to ensure the fulfilment of the service contract agreed with the Data Subjects or Joint Controllers (in relation to the data and Data Subjects collected by them, such as counterparties, employees and others). The personal data identified above and subject to processing operations are necessary for the performance of a contract or for pre-contractual steps or for the fulfilment of legal obligations.

Special Category data relating to Service Providers or obtained through Service Providers will be subject to processing operations insofar as they are necessary for the establishment, exercise or defence of a right in legal proceedings, or the processing is necessary for the purposes of fulfilling obligations and exercising specific rights of the Data Controller or the Data Subject in matters of labour law, social security and social protection or important public interest.

The processing of personal data of Service Providers or obtained through Service Providers in connection with criminal convictions and offences or related security measures shall always be subject to appropriate safeguards for the rights and freedoms of data subjects, and the relevant operations shall be limited to strict compliance with applicable legal obligations.

VIII. Criteria for Calculating Retention Periods

GPA retains personal data for the period deemed necessary and sufficient for the purposes for which it was collected and processed, with the length of time for which the data is stored varying according to the purpose for which the information is processed and in accordance with the legal rules requiring its retention, after which it will be deleted, subject to the appropriate technical and functional guarantees, as documented in each of the relevant processes.

IX. Right of Access and Exercise of Rights

Data subjects can exercise their rights under the applicable data protection legislation by e-mailing gpa@gpasa.pt.

GPA has also appointed a Data Protection Officer, in accordance with best practice in the area, who can be contacted via e-mail at GPA@dataprotection.pt.

Please note, your browser is out of date.
For a good browsing experience we recommend using the latest version of Chrome, Firefox, Safari, Opera or Internet Explorer.