Decsis-sistemas de Information, S.A., hereinafter referred to as Decsis, respects your privacy and recognizes the importance of protecting your personal data and is committed to ensuring that its processing is carried out responsibly and in accordance with the principles of Personal Data Protection as defined by the General Data Protection Regulation (GDPR).
This privacy statement is intended to inform you of the terms relating to the processing of personal data resulting from your interaction with Decsis, namely if you are our customer, supplier, partner, use our site or in any way have Interaction with Decsis or its facilities. The processing of personal data of employees whose information is secured internally is excluded from this statement.
■ 1. Controller of Processing
This privacy statement applies to the processing of personal data carried out by Decsis, regardless of its capacity as controller or processor, in accordance with the General Data Protection Regulation (GDPR).
In this context, Decsis assumes the role of subcontractor in particular in the following situations:
- Contract with the manufacturer (brand): authorized repair centers;
- Subcontractor for the provision of services.
In any of the situations, DECSIS may collect the data, and when acting as a subcontractor, it will do so in accordance with the instructions of the Data Controller, to whom it will communicate the data collected. In this case, the holder is advised to consult the information from the Data Controller regarding the protection of personal data.
■ 2. Our Commitment
Decsis is committed to ensuring the protection of all personal data at its disposal, having implemented security measures, physical, technical and to protect the personal data available, regardless of the medium on which they are stored, against any form of unlawful processing. These measures shall be limited to the intervention of Decsis in the process, especially in cases where it acts as a subcontractor.
Decsis undertakes to process personal data only for the identified purposes and always in compliance with the legal provisions.
We do not intentionally collect data from minors, nor do we have any way of distinguishing them without being intrusive. Since the responsibility for monitoring the child in all dimensions of his or her life belongs to the holder of parental responsibilities, we will delete the data of minors as soon as the holder of parental responsibilities notifies us that such data has been collected without his or her permission.
Decsis has appointed a Group responsible for personal data protection to monitor compliance with the policies and rules on personal data protection.
■ 3. Processing of Personal Data by Decsis
The main areas of personal data processing are summarized below, and the duty of information to other situations is addressed on a case-by-case basis.
Where Decsis acts as a subcontractor, it assumes its responsibilities in this capacity. The Data Subject should consult information from Decsis’ manufacturers and/or partners relating to the protection of personal data.
A. Provision of Services
A.1 What data is collected?
The personal data collected is limited to name, address, telephone contact, e-mail, ID number, IMEI or serial number of the equipment. The data is collected and processed in electronic form, and the file can also be kept in paper format.
As a rule, this data is collected at the time of requesting a service, which may be directly at the counter or by electronic means, for example, by filling out a form on our website or by sending an e-mail.
Personal data collected from the website or sent by email is provided to us voluntarily, and will be used only for the purposes of these requests.
Refusal to provide the data may condition the provision of the service, depending on the nature and requirements of the Data Controller, in cases where Decsis is a subcontractor. In the case of the forms present on the site, some fields are mandatory, and their non-filling will not allow to complete the functionality where they are requested.
A.2 What is the purpose? The personal data collected are intended for:
- Management of contractual relationships;
- Provision of services and/or supply of products;
- Validation of customer satisfaction, with prior consent.
Personal data collected may also be processed to respond to customer inquiries, suggestions or complaints, and may be transmitted to other entities for the fulfillment of legal obligations.
A.3 Specific Retention Period
Personal data will be retained for a period of 12 years, in the case of accounting data, and 3 years for operational data necessary and resulting from the performance of the service.
A.4 Basis
Execution of the contract or pre-contractual diligences.
B. Suggestions and Complaints
B.1 What data are collected?
The personal data collected is limited to name, address, telephone contact, e-mail, ID number, IMEI or serial number of the equipment. Data can be collected through the form on our website, by e-mail or by filling in the complaint book (paper or digital).
The refusal to provide the data may condition the achievement of the purpose, depending on their nature and requirements, for example from legal entities or manufacturers (brands). In the case of the forms present on the website, some fields are mandatory, and their non-filling will not allow to complete the functionality where they are requested.
B.2 What is the purpose?
The personal data collected are intended for:
- Management of suggestions and complaints.
B.3 Specific retention period
Personal data will be retained for a period of 3 years.
B.4 Basis
Execution of contractual and legal obligations.
C. Recruitment and Selection
C.1 What data is collected?
Data related to the competencies and professional background of each holder, as well as identifying data that allow a subsequent contact for the eventual follow-up of the candidacy. These data or other complementary information that the holder chooses to provide us with are voluntary by the holder.
C.2 What is the purpose? The personal data collected are intended for:
- Application management (spontaneous or not);
- Selection processes.
C.3 Specific retention period
Personal data are kept for a period of one year, if there is no recruitment of the holder. Otherwise, the terms for employees will apply.
C.4 Basis
Consent of the holder with the sending of the information, legitimate interest of Decsis in analyzing the applications submitted.
D. Accounting, Taxation and Administrative Management (Customers and Suppliers)
D.1 What data is collected?
Data necessary for accounting processing, in particular those required by the AEAT and/or those contained in invoices and/or receipts issued by the Holder. Contact details and IBAN of the Holder may also be collected.
D.2 What is the purpose? The personal data collected are intended for:
- Management of the contractual relationship;
- Accounting processing and payments;
- Tax information, including sending information to the tax authority.
D.3 Specific Retention Period
Personal data will be retained for a period of 12 years.
D.4 Basis
Execution of the contract or pre-contractual diligences, fulfillment of legal obligations.
E. Outsourcing
In specific cases, in particular the outsourcing of human resources or the provision of services, it may be necessary to collect employee data from third parties. In these cases, data may be sent to external entities to which Decsis provides service.
E.1 What data is collected?
Data will be appropriate to the situation in presence and requested in writing, generally by email or other means to be agreed with the supplier/service provider. Data collected will generally include name, resource identification (owner) and means of contact. In specific cases, it may be necessary to collect data relating to competencies and skills for the job to be performed.
E.2 What is the purpose? The personal data collected are intended for:
- Performance of services (competence and aptitude test; access to infrastructures);
- Fulfillment of legal obligations.
E.3 Specific retention period
Personal data is retained for the period necessary to fulfill Decsis’ obligations.
E.4 Basis
Execution of the contract or pre-contractual diligences, compliance with legal obligations.
F. Contensioso Management
F.1 What data is collected?
The data will be appropriate to the situation at hand and determined by the process itself.
F.2 What is the purpose? The personal data collected is intended for:
- Judicial and extrajudicial collection;
- The management of other disputes;
- Response and notification to judicial authorities.
F.3 Specific retention period
Personal data is retained for the period necessary to fulfill Decsis’ obligations.
F.4 Basis
Compliance with legal obligations, legitimate interest in defending Decsis’ rights.
G. Physical Security Control
G.1 What data is collected?
Our facilities are protected with video surveillance systems, with image collection (CCTV). Images are collected in reception areas, common circulation areas, access points, parking lots and warehouses, with real-time image display. Image collection is signposted at each location.
G.2 What is the purpose? The personal data collected is intended for:
- Protection of persons and property.
G.3 Specific Retention Period
Personal data is retained for a period of 30 days.
G.4 Basis
Legitimate interest in ensuring the safety of persons and property within our facilities.
H. Access to Infrastructure (Physical and Logical)
Access to Decsis infrastructure other than for customer service is subject to the rules and identification of the owner.
H.1 What data is collected?
Holder identification data.
For areas classified as sensitive, the identification of the holder will be the unambiguous one and will be complemented with the direct contacts of the holder.
H.2 What is the purpose? The personal data collected are intended for:
- Protection of persons and property.
H.3 Specific Retention Period
Personal data are kept only for the period necessary for the execution of the purposes for which they are intended, in particular during the execution of the contract and the underlying legal obligations.
H.4 Basis
Legitimate interest in ensuring the security of persons and property within our premises and ensuring the security of the network and information on its computer systems.
I. Cookies
With the use of the website cookies are collected which, however, do not contain personally identifiable data.
For more information related to the collection of cookies, please see: Privacy and Cookies – Information…
■ 4. Service Providers
In the performance of some services, Service Providers may be involved. DECSIS undertakes to ensure that these entities have sufficient guarantees to implement appropriate technical and organizational measures so that the processing satisfies our requirements and the legislation, with the processing of data by these Service Providers being formalized in writing and in accordance with the Data Protection Regulation.
■ 5. Retention Period
The period of retention of personal data is that identified for each processing or the time required to comply with legal obligations on the part of Decsis. In particular, in the event of litigation, the data will be retained for the duration of the proceedings until the court judgment.
■ 6. Communications and Transfers
Decsis depending on the purpose of collection may have to share personal data of customers and suppliers with other entities, namely:
- Entities with legal legitimacy for data processing (AEAT, SS, INE, etc.);
- Manufacturers and business partners;
- Suppliers and service providers;
- Customers
- Communications between the companies Decsis, Decsis II Iberia, Decunify, Expandiserve and Deccare, considering the relationship between the companies, which share the same policies and behaviors in the field of personal data protection.
Decsis as data controller, will carry out the processing of personal data entirely within the territory of the European Economic Area.
■ 7. Rights of Data Subjects.
The holder of the personal data has at its disposal a set of rights that it may request from DECSIS at any time. Thus if the holder wants to consult his data he can request access to them, if any information is incorrect or obsolete he can and should request its rectification. If the holder wishes to receive the personal data he/she has provided, he/she can also request its portability. The data subject also has the right to be forgotten/deleted.
However, there may be legal and/or regulatory frameworks that prevent DECSIS from fulfilling the holder’s request. In such cases, DECSIS will communicate to the data subject, within a maximum period of one month from the date of receipt of the request, the reasons why it cannot be fulfilled.
In cases where the processing of personal data depends on consent, the holder is free to provide and withdraw it at any time.
In order to exercise one of these rights, the holder shall submit the request in writing to the contacts listed below. Decsis reserves the right to prove the identity of the holder in order to carry out the request submitted.
The response to requests must be made within a maximum of 30 days, unless it is a particularly complex request. The exercise of rights is free of charge, except in the case of a manifestly unfounded or excessive application, in which case a reasonable fee may be charged taking into account the costs.
The data subject also has the right to lodge a complaint with the National Data Protection Commission (CNPD) or to the other supervisory authority competent under the legislation in force.
■ 8. Contacts
For additional information or exercise of your rights under the General Personal Data Protection Regulation, please write to:
Email to:
privacidade@grupodecsis.com
Letter to the address:
A/C GSIP
Decsis – Sistemas de Informação, SA
Rua das Artes Gráficas, 162
4100-091 Porto
■ 9. Disclosure and Updating of this Information
Decsis reserves the right at any time to revise this policy, with revisions being reflected on this page.
Date of last revision: July 2019