Data Protection Policy

Data4Deals is a company specializing in delivering card-based personalized rewards programs for financial institutions. In the course of its business, Data4Deals's activities and solutions may involve processing personal data obtained directly or indirectly from data subjects, such as employees, contractors, merchants, business partners, clients and clients' customers.

This policy establishes the general principles to be considered in the processing and protection of personal data for which the companies that constitute Data4Deals are responsible. It is part of the Data4Deals Privacy Program and is complemented by other documents, rules and procedures for managing the security and privacy of personal data.

1. Introduction

Data4Deals acts in compliance with the principles described in this policy, Regulation (EU) 2016/679, Law No. 58/2019 of August 8, and other applicable data protection legislation in all personal data processing activities under its responsibility.

2. Purpose

  • Align the Data Protection Strategy and keep Data4Deals up to date with applicable laws and standards.
  • Ensure awareness and transparency around how personal data is collected, used, shared and stored.
  • Promote data protection rights through accessible channels and processes.
  • Foster continuous improvement of personal data security and protection processes.
  • Enhance protection, response, notification and communication mechanisms for personal data breaches.
  • Strengthen trust with partners, investors, clients and other stakeholders.

3. Scope of Application

This policy applies to the processing of personal data carried out by all companies that are part of the Data4Deals group, including subsidiaries, affiliates, joint ventures and other entities controlled directly or indirectly by Data4Deals, regardless of geographic location.

It must be respected and applied by all employees, service providers and other associates of Data4Deals in activities that may directly or indirectly influence the processing of personal data.

4. Definitions

Controller: The natural or legal person, public authority, agency or other body that determines the purposes and means of processing personal data.

Processor: The natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.

Personal data: Any information relating to an identified or identifiable natural person.

Special categories of personal data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation.

Processing: Any operation performed on personal data, including collection, recording, storage, use, disclosure, erasure or destruction.

Consent: Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they agree to the processing of personal data relating to them.

Personal data breach: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.

5. Data Protection Principles

  • Lawfulness, fairness and transparency: Personal data must be processed on a valid legal basis and in a transparent manner.
  • Purpose limitation: Personal data must be collected for specified, explicit and legitimate purposes.
  • Data minimization: Only personal data strictly necessary for the intended purpose should be collected and processed.
  • Accuracy: Personal data must be accurate and kept up to date, and corrected or deleted when necessary.
  • Storage limitation: Personal data must not be kept longer than necessary for the purposes for which it is processed.
  • Integrity and confidentiality: Appropriate technical and organizational measures must protect personal data from unauthorized or unlawful processing, loss, destruction or damage.
  • Accountability: Data4Deals is responsible for compliance and must be able to demonstrate it.

6. Data Protection Rights

Data subjects may exercise their rights by sending a written request to the Data Protection Officer. Data4Deals will reply within 30 days, with a possible extension of up to two additional months when the request is complex or when multiple requests are received.

  • Right of access
  • Right to rectification
  • Right of erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object
  • Protection against solely automated individual decision-making, including profiling, except where allowed by law

7. Privacy Program

The Data4Deals Privacy Program includes the following key components:

  • Privacy by design
  • Record of processing activities
  • Data protection impact assessments
  • Processors
  • Third parties
  • International data transfers

Whenever personal data is processed by a processor on behalf of Data4Deals, the relationship must be governed by a data processing agreement. Personal data transfers outside the European Union must comply with applicable legal requirements, including adequacy decisions or appropriate safeguards.

8. Technical and Organizational Measures

Data4Deals implements appropriate technical and organizational measures to protect personal data and ensure compliance with legal requirements. These measures are designed to safeguard confidentiality, integrity and availability.

Measures include internal policies, training, audits, access controls, encryption, secure network transfer, incident monitoring and breach documentation.

Personnel with access to sensitive data are bound by confidentiality obligations and may only use that information for authorized purposes related to Data4Deals's activity.

In the event of a personal data breach, Data4Deals will notify the Portuguese Data Protection Supervisory Authority within 72 hours when required by law and will notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

9. Data Protection Officer

Data4Deals has appointed a Data Protection Officer to oversee the company's Privacy Program and data protection strategy, support compliance, handle requests from data subjects, conduct training and manage responses to personal data incidents.

The DPO can be contacted at privacy@datafordeals.com.

10. Final Provisions

This policy shall be interpreted jointly with other applicable Data4Deals policies and procedures and with the legislation in force. It will be reviewed from time to time to address operational, factual or legal changes that may require updates.

Any queries regarding this policy or the processing of personal data by Data4Deals shall be forwarded in writing to the DPO at privacy@datafordeals.com.