Privacy Policy

1. SCOPE OF APPLICATION

The purpose of this policy is to present the commitments of Pluris Investments S.A. (hereinafter referred to as PLURIS or the Group [1]) in relation to the management of the privacy and protection of the personal data of the data subjects for whom it is responsible for processing and to respond to the requirements of the General Data Protection Regulation [2] and the respective national implementing legislation [3].

The aim is also to demonstrate how personal data will be processed in the context of the activity carried out by the Group and its employees, by defining internal rules that comply with the requirements of the Regulation, namely legitimacy, processing and storage.

All personal data will be processed and managed under the terms of this policy in conjunction with the Information Security Policy, taking into account a completed and up-to-date inventory of such personal data.

2. ROLES AND RESPONSIBILITIES

Pluris management will ensure that this policy is aligned with the Group’s strategy, in order to guarantee its continuous improvement with regard to information security and privacy.

The role of the Data Protection Officer (DPO) is to ensure compliance with the requirements of the Regulation on an ongoing and systematic basis, that all the rights of the data subjects are being complied with and that the appropriate security controls are in place for the purposes defined here.

The PLURIS Board of Directors appoints and assigns the Data Protection Officer (DPO) the duties and responsibilities described above in relation to all Group companies.

All the Group’s employees, as well as its subcontractors – insofar as this applies to them – are responsible for collaborating with, complying with and enforcing the commitments of this policy.

In the case of river ships and seagoing vessels, a “Local DPO” is also defined for each ship, whose mission is to carry out local DPO duties when the ships are cruising, and who will act in accordance with the rules of this policy.

[1] Group means all companies in which Pluris Investments, S.A. holds, directly or indirectly, at least 10% of their share capital.
[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 and subsequent amendments.
[3] Law no. 58/2019, of August 8 (and its subsequent amendments), which ensures the implementation of the General Data Protection Regulation in the national legal order.

3. PERSONAL DATA SUBJECTS

In order to carry out its activities and associated processing purposes, Pluris collects personal data from the following sources:

  • Corporate clients by contract
  • Customers registered via web tools
  • Customers through ticket purchases
  • Internal employees and contracted service providers
  • Suppliers and service providers
  • Visitors to physical or nautical facilities

4. GUARANTEE OF CONFIDENTIALITY AND PRIVACY OF PERSONAL DATA

The personal data identified in this Policy will be processed by Pluris as the entity responsible for processing personal data.

In order to guarantee the confidentiality and privacy of the data, the Group ensures that it is only accessed by employees formally authorized to perform their duties.

The responsibilities of each employee in terms of Security, Privacy and Protection of Personal Data are detailed in the contracts signed with Pluris, including the obligations of confidentiality and secrecy to which they are bound.

5. IDENTIFICATION OF THE PERSON RESPONSIBLE FOR PROCESSING PERSONAL DATA

The person responsible for processing personal data is Pluris Investments, S.A. with registered offices at Rua de Miragaia 103, 4050-387, Porto, Portugal, with company registration number 508 767 881.

The PLURIS group leads a group of companies to which the responsibilities and obligations arising from this Policy apply.

6. DATA PROTECTION IMPACT ASSESSMENT

In cases where data processing operations are likely to result in a risk whose level is not accepted by the group, PLURIS will carry out an impact assessment prior to the start of processing in order to identify and deal with such risks.

7. COLLECTION, PROCESSING, SHARING AND RETENTION OF PERSONAL DATA

a) Collection of personal data

  1. For situations that don’t involve web tools

Personal data is collected directly in the following ways:

  • Spontaneous applications or responses to job offers with the sharing of CVs
  • Filling in paper forms
  • Image and video capture in fixed installations and on board sea or river vessels
  • Biometric data
  • E-mail
  • Telephone (for employees)
  • On the purchase of ticketing, marketing products or other materials acquired in the Group’s physical stores or ships, including catering services

Personal data may be collected indirectly in the following ways:

  • Importing the content of the Curriculum Vitae into the human resources register.
  • Importing data with shared responsibility with contracted commercial partners
  • Marketing outlets, catering services or the like
  • Companies that screen job applicants
  • Companies that provide medical services
  • Companies that provide life insurance services

Sensitive personal data will only be collected in cases that are strictly necessary and justified by the activity carried out by PLURIS and its Group and in accordance with the legislation in force.

  2. For situations involving web tools

Personal data is collected directly through the organization’s official web tools, namely online shopping websites, or indirectly through marketing automation and online advertising tools from duly authorized subcontracting partners and in full compliance with our personal data privacy management policy.
Indirect collection may also occur through subcontracting partners in relation to the placement of orders, in particular the purchase of ticketing for access to exhibitions or company services.
The cookie management policy complements this topic, presenting the “opt-in” and “opt-out” options that are available for this component of the websites.
The holder of personal data may also opt out of online advertising services on social tools, namely Facebook, Google Ads, Instagram and LinkedIn.

Pluris guarantees that no manual or computerized form will have pre-filled options, all alternatives being selected by the data subject.
Personal data will be collected on the basis of the legal grounds set out in this policy and in compliance with the principle of minimization.

b) Processing of personal data

  1. For situations that don’t involve web tools

There will be no use of personal data for the purposes of creating and using sales profiles or product, region or trend indicators.

2. For situations involving web tools

Such activities include:

c) Sharing personal data

1. For situations that don’t involve web tools

In addition to the sharing purposes described below, no other purposes may be carried out unless expressly authorized in advance by the Data Protection Officer.

Purposes arising from the activity of Pluris Investments S.A. and its Group companies, inter alia:

  • Social security;
  • Communication with tax, customs or other legal authorities;
  • Reporting complaints or breaches of privacy;
  • Communication with the DPO;
  • Port security and immigration control;
  • Work registration & payroll;
  • Issuing a medical certificate for maritime or similar purposes;
  • Compliance with union registration and obligations;
  • Creation and registration of insurance policies;
  • Compliance with tax and customs obligations.

Personal data may be shared with subcontractors for the purposes mentioned above, under the terms of the contracts signed with them. Pluris only uses subcontractors that guarantee, under the terms of the law, the implementation of appropriate technical and organizational measures to protect your data through subcontractor agreements, thus ensuring the defense of your rights under the applicable data protection law.

Data classified as sensitive will only be shared with legal entities, partners providing medical services and the like.

This data sharing will, as a rule, take place within Europe.

There are specific situations that require data to be shared with entities outside the European area, namely:

  • With the port authorities: for security and immigration control purposes on cruise ships, in accordance with the applicable legal provisions.
  • With Group companies: to support activities of legitimate interest, guaranteeing the minimization of the processing of personal data

2. For situations involving web tools

In addition to the sharing purposes described below, no other purposes may be carried out unless expressly authorized in advance by the Data Protection Officer.

Purposes arising from marketing, electronic payments and other services involving the use of electronic tools:

– Carrying out advertising campaigns

– Advertising on virtual sites such as Google Ads, Facebook, Instagram and LinkedIn;

– Operational needs in the interconnection with HiPay and PayPal and other electronic payment gateways using credit cards;

– Sending news, campaigns and personalized offers to the client.

Data is shared with formally authorized subcontractors for digital marketing purposes, and the personal data involved in this sharing is subject to the consent of the respective data subject, with the possibility of opting out at any time.

This sharing may give rise to data transfers outside the European area, in the case of segmentation of digital marketing campaigns with intercontinental subcontracting partners.

In these cases, the organization will take care to implement security controls appropriate to each risk situation identified, as well as ensuring that the data subject is guaranteed unconditional execution of their rights and all the requirements of the General Data Protection Regulation.

d) Retention of personal data

The period of time for which personal data will be kept varies according to the purpose for which the data is processed.

Retention means the secure storage of data, in digital or paper format, ensuring access management conditions to guarantee confidentiality, integrity, availability of information and non-repudiation, as well as its preservation in the appropriate conditions for use over a defined period of time.

The legal requirements that require the retention of personal data for a minimum period for each purpose will be complied with.

Where no such minimum period is imposed, personal data shall be kept only for the period strictly necessary for the purposes for which the data were collected or are further processed or, if and when applicable, for the period determined by the competent data protection authority, after which the data shall be permanently erased in a secure manner.

8. USE & PURPOSE OF COOKIES

Cookies are used to personalize content and advertisements according to the visitor’s characteristics, interact with social network functionalities, analyze website traffic, as well as to support the security controls implemented.

Depending on the choices made by visitors to the pages of the websites, data may be shared with our social media partners for advertising purposes, to analyze traffic and navigation through the pages of the websites and social media tools within the scope of this policy.

Under no circumstances will personal data be collected through cookies.

a) Types of cookies:

Cookies are text files that can be used by websites to make the user experience more efficient. In accordance with the legislation in force, cookies may be stored and operated on the equipment to which the visitor has access if they are strictly necessary for the operation of the website.

For all other types of cookies we allow the personal data subject to exercise their right to informed consent.

Some cookies may be installed automatically by our business partners, always in a way that is explicit to the visitor.

b) Websites may use the following types of cookies:
Ba) Necessary
The necessary cookies support the execution of basic functions such as navigation between pages and their tracking. It is important to note that the website may not function properly without these cookies, and as such, they are considered fundamental and justified.
Bb) Statistical or Functional
Statistical cookies help the website manager understand how the visitor interacts with the pages that make up the site, collecting and processing information anonymously.
Bc) Marketing
Marketing cookies are used to track the visitor’s access to and use of the page.
They make it possible to customize ads or other marketing materials to be presented that are relevant and appealing to the visitor, making the browsing experience more personalized and dynamic.

Visitors to the website, and as such holders of personal data, must select the type of cookies they authorize in each available box.
By clicking on the “I accept” button, you acknowledge acceptance of this cookie policy and confirmation of consent for the type of cookies selected.

9. OWNERS’ RIGHTS

Data subjects will be guaranteed the conditions to exercise their rights under the General Data Protection Regulation.
The Data Protection Officer appointed by the group will be involved in all questions relating to the protection of personal data. Any questions that the holders of personal data deem necessary should preferably be put to the Data Protection Officer in writing via the email address dpo.mysticinvest@mysticinvest.com.
If the data subject wishes to lodge a complaint or report a breach of privacy, they can do so by sending an email to complaint.mysticinvest@mysticinvest.com or directly with the supervisory authority they have selected.
Alternatively, the data subject will have at their disposal a web-based communication portal where they can carry out all the aforementioned interactions and obtain information on the processing of such requests.
Following the registration of a complaint or breach of privacy, the Group undertakes to inform the data subject of each step and progress of the complaint process, without prejudice to compliance with the deadlines defined by the regulations.

10. REVIEW AND CONTINUOUS IMPROVEMENT

This policy will be reviewed annually, or whenever there are significant changes to the inventory of personal data and/or computer or documentary media.
Each of these revisions will give rise to a new version of this document.

11. DISSEMINATION AND PUBLICATION

The Privacy Management Policy is classified as publicly accessible information (see Information Classification Policy) and will be available for consultation on the Internet, on the institutional website, on the Internet tools that support the business and also on the group’s social networks.
During the induction process, new employees will be made aware of this Policy, as well as being obliged to take part in the training and awareness-raising sessions on security, privacy and personal data protection that will form part of the induction process.
After publication and dissemination of the policy, employees are obliged to:


➢ Protect the information assets in their charge;

➢ Collaborate in the management of the respective risk;

➢ Participate in any event that could jeopardize information security;

➢ Comply with and enforce this policy.

Employees can consult this Policy at any time via the document management platform of the group’s internal network.

Entities/employees who, for reasons inherent to their role, do not have access to the platform, will be made aware of this policy by sharing it in the format appropriate to each case.

12. VALIDITY OF THE POLICY

This policy has been approved by the Board of Directors of the Pluris group and becomes effective on the date it is published.

Any subsequent amendments will enter into force immediately after their publication.
