PRIVACY POLICY AND PERSONAL DATA

The protection of privacy and personal data is a fundamental commitment of Imprensa Nacional-Casa da Moeda, S. A. (INCM) towards the data subject.

With the entry into force of the new General Data Protection Regulation (RGPD), INCM remains committed to complying with the personal data protection, privacy, and information security legislation in order to protect the personal data and privacy of its holders.

We will be clear and transparent about what information we are collecting and what we will do with that information.

This Policy defines the following:

• What personal data do we collect and process about you and your relationship with us as a data subject

• From where we get the data;

• What we do with that data;

• How we store the data;

• To whom we transfer/to whom we disclose data;

• How we handle your data protection rights;

• And how we comply with data protection rules.

Imprensa Nacional-Casa da Moeda, S. A. (INCM), with its head office at Avenida de António José de Almeida, Edifício Casa da Moeda, in Lisbon, registered at the Commercial Registry 500792887, with a share capital of € 30 000 000.00 is responsible for collecting and processing the personal data of the data subjects, under the terms and for the purposes indicated in this document, in compliance with the legal obligations applicable in this matter. The data may be processed directly by INCM or by entities subcontracted for this purpose.

In the scope of the activity carried out by INCM personal data is processed. The collection of such personal data is carried out through the provision of our services, customer engagements, marketing activities, or other ancillary and support activities. Data may be received directly from a data subject, for example, in person, by mail, email, telephone, or from other sources.

All employees and partners should only collect personal data that is relevant and necessary to perform their duties.

INCM is committed to adhering to the data protection principles established by the RGPD, which are:

• Lawful, fair, and transparent processing – this means that we must have a legitimate basis for which we are processing personal data, for example, a contractual relationship with the data subject, or the processing is necessary for compliance with a legal obligation to which we are subject. This also means that we must inform the data subject about the processing in a way that is accessible and easy to understand;

• Purpose – we shall only collect personal data for specified, explicit, and legitimate purposes and shall not process data beyond the purpose for which it was collected;

• Data minimization – adequate, relevant, and limited to what is necessary for relation to the purposes for which it is processed;

• Accuracy – we have an obligation to ensure that personal data is accurate and to keep personal data up to date;

• Limitation of retention – we shall not retain personal data for longer than is necessary for the purposes for which it was collected, although we may retain certain data for historical and statistical purposes;

• Integrity and confidentiality – handled in a manner that ensures its security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, adopting appropriate technical or organizational measures;

• Lawful transfer to third countries or international organizations – we only transfer personal data to third countries or to an international organization where the EU Commission has confirmed that they ensure an adequate level of protection or, if not, that there are adequate safeguards in place;

• Data Subject Rights – Data subjects have various rights that we must respond to, for example, the right to access a copy of the data we hold.

Personal data refers to any information relating to the data subject that makes it possible to identify him or her.

Your personal data will only be processed where there is a lawful basis for doing so. The basis of lawfulness will depend on the reasons for which the personal data was collected and the need for its use.

We present the possible lawful bases for the processing of your personal data:

• Performance of a contract – the processing is necessary for the performance of a contract to which the data subject is a party or for pre-contractual steps at the data subject’s request;

• Legal obligation – the processing is necessary for compliance with a legal obligation to which the controller is subject;

• Defense of the vital interests of the personal data subject – processing is necessary in order to protect the vital interests of the data subject or of another natural person;

• performance of a task carried out in the public interest or under public authority – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

• Legitimate interests of the enterprise-processing are necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where the interests or fundamental rights and freedoms of the data subject require protection of personal data, in particular where the data subject is a child;

• Consent of the data subject – the data subject has given his/her consent to the processing of his/her personal data for one or more specific purposes.

Only minors aged 16 and over can give valid consent for the processing of personal data, otherwise, consent is only considered lawful if and to the extent that it is given or authorized by the holders of parental responsibilities of the minor.

Personal data will not be kept longer than is necessary to fulfill the purpose for which it was collected. In determining the appropriate retention period, the amount, nature, and sensitivity of the personal data and the purposes of the processing have been considered.

Periods during which there is a need to retain personal data due to legal obligations or to respond to complaints have been taken into account.

Personal data will be securely deleted after the defined retention period. Consideration will be given over time to minimizing the personal data being processed and to assessing the possibility of anonymizing them so that they cannot be associated with the data subject or identified, in which case it will be possible to use this information without further notification.

If you would like to know in more detail the purposes of treatment, legal bases and/or retention periods of the personal data collected, click here.

The INCM commits to guarantee the security of the information it holds, as well as all the resources associated with it, whether they are procedural, technological, or human.

Protecting information is critical to the strategic success of the organization and the sustainability of the business.

The management of information security and the systems that support it is carried out ensuring, through an approach based on risk management and continuous improvement, the confidentiality, integrity, and availability of information.

Safeguarding these three pillars of information security ensures the image, reputation, and credibility of the organization and its production processes among employees, partners, and customers.

The INCM commits to guarantee the security of the information it holds, as well as all the resources associated with it, whether they are procedural, technological, or human.

Protecting information is critical to the strategic success of the organization and the sustainability of the business.

The management of information security and the systems that support it is carried out ensuring, through an approach based on risk management and continuous improvement, the confidentiality, integrity, and availability of information.

Safeguarding these three pillars of information security ensures the image, reputation, and credibility of the organization and its production processes among employees, partners, and customers.

By law, the data subject has the right to:

• Request information about whether we hold personal data about you, and if so, what that data is and why we hold it;

• Request access to your personal data, receive a copy of the personal data we hold about you, and verify that we are handling it legitimately;

• Request the rectification of the personal data we hold about you, and you may rectify at any time the incomplete or inaccurate data we hold about you;

• Request deletion of your personal data, and you may delete or remove your personal data at any time when a retention period is reached or the data processing is no longer lawful. You will also have the right to ask us to delete or remove your personal data where you have exercised your right to object to the processing (see below);

• Opposition to the processing of personal data in cases where we rely on a legitimate interest (or those of a third party) and there is a valid reason to object. You also have the right to object in cases where we are processing your personal data for the purposes of marketing direct;

• Opposition to automatic decision-making, including profiling;

• Request the limitation of data processing, forcing the suspension of personal data processing;

• Request portability of personal data in a structured, electronic form to yourself or to another entity;

• Withdraw consent. In the limited circumstances where you may have provided your consent to the collection, processing, and transfer of your personal data for a specific reason, the data subject has the right to withdraw his or her consent to that specific processing at any time.

If you wish to exercise any of these rights, please contact us at email address dpo@incm.pt or send your request by letter to the address Avenida de António José de Almeida, Edifício Casa da Moeda, 1000-042 Lisboa or by the link: Exercise of the rights of the holder of the personal data.

You will not have to pay a fee to access your personal information (nor to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly excessive or unfounded. Alternatively, we may refuse to fulfill the request in such circumstances.

We may need to ask you for specific information to help us confirm your identity and to ensure your right to access the information (or to exercise any of the other rights). This is another appropriate security measure to ensure that personal information is not disclosed to anyone who has no right to receive it.

Cookies are small text files transferred to your computer’s hard drive by your browser web to enable us to recognize your browser and help us track visitors to our site.

The website institutional (incm.pt) only uses cookies to obtain the user’s session information, this allows the user to continue with the session started on the website while browsing.

INCM reserves the right, at any time, to make readjustments or changes to this Policy under the legally applicable terms, such amendments/revisions being detailed below:

10.04.2019 – Policy Creation

29.01.2021 – Policy Review 

20.06.2023 – Policy updated

The holder of the data may contact INCM for all matters relating to the processing of your data and the exercise of the rights you are entitled to via the following email address email: dpo@incm.pt, by the link: Exercise of the rights of the holder of the personal data  or send your request by letter to the address Avenida de António José de Almeida, Edifício Casa da Moeda, 1000-042 Lisboa.