GENERAL DATA PROTECTION REGULATION
A. GENERAL PART
This document is an integral part of the regulatory framework for the protection of personal data of TerraSense, taking into account the General Data Protection Regulation (2016/679), hereinafter referred to as GDPR. Whenever this document is updated, a new version will be made available immediately after its approval. Compliance with this standard will be monitored through the measurement of control assessment indicators and/or audits (internal or external), at regular intervals or when significant changes occur.
Scope and Objective
Personal Data – Any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, electronic identifiers, or one or more specific elements of the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Special Categories of Personal Data – Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Processing – Any operation or set of operations performed on personal data or sets of personal data, whether by automated means or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Data Controller – The legal person or public authority, agency, or other organization which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Personal Data Breach – A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
Processor (DPO) – A legal person or public authority, agency, or other organization that processes personal data on behalf of the controller.
Third Party – A natural or legal person, public authority, agency, or organization other than the data subject, the controller, the processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
Collection and Processing of Data from Data Subjects
Within the scope of TerraSense's activities, the collection, recording, organization, storage, use, and consultation of personal data take place. It may also involve other operations or a set of operations that, according to the General Data Protection Regulation, are referred to as "processing of personal data."
The personal data collected applies not only to employees but also to suppliers, candidates, and customers. TerraSense collects personal data, including the necessary data for reservations and invoicing, as well as personal data of employees for legal employment purposes.
When collecting Personal Data, TerraSense provides data subjects with detailed information about the nature of the collected data, the purpose and processing to be carried out regarding personal data, as well as the information mentioned in the clause regarding the right to access personal data.
These subcontracted entities may not transmit the data of the data subject to other entities without prior written authorization from TerraSense, and they are also prohibited from subcontracting other entities without prior authorization. TerraSense undertakes to subcontract only entities that provide sufficient guarantees of implementing appropriate technical and organizational measures to ensure the defense of the rights of the data subject. All subcontracted entities are bound to TerraSense through a written contract that regulates, among other things, the purpose and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects, and the rights and obligations of the parties.
When collecting personal data, TerraSense provides the data subject with information about the categories of subcontracted entities that, in the specific case, may process data on its behalf.
Data Collection Channels
TerraSense can collect data directly (i.e., directly from the data subject) or indirectly (i.e., through partner entities or third parties).
Data collection can be done through the following channels:
Direct collection: in-person, by telephone, or by email;
Indirect collection: through partners or booking companies and official entities.
General Principles Applicable to the Processing of Data by the Data Subject
In terms of general principles regarding the processing of personal data, TerraSense is committed to ensuring that the data of the data subject that it processes are:
Subject to lawful, fair, and transparent processing in relation to the data subject.
Collected for specified, explicit, and legitimate purposes, and not further processed in a manner incompatible with those purposes.
Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
Accurate and up-to-date whenever necessary, with all appropriate measures taken to ensure that inaccurate data, considering the purposes for which they are processed, are erased or rectified without delay.
Retained in a manner that allows the identification of the data subject only for the period necessary for the purposes for which the data are processed.
Processed in a manner that ensures their security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, with appropriate technical or organizational measures implemented.
The data processing carried out by TerraSense is lawful when at least one of the following situations is met:
The data subject has given explicit consent for the processing of their personal data for one or more specific purposes;
The processing is necessary for the performance of a contract in which the data subject is a party, or for pre-contractual measures at the request of the data subject;
The processing is necessary for compliance with a legal obligation to which TerraSense is subject;
The processing is necessary to protect the vital interests of the data subject or another natural person;
The processing is necessary for the pursuit of legitimate interests by TerraSense or by third parties (except where such interests are overridden by the fundamental rights and freedoms of the data subject that require the protection of personal data).
TerraSense is committed to ensuring that the processing of the data subject's data is only done under the conditions listed above and with respect for the principles mentioned earlier.
When the processing of the data subject's data is based on the data subject's consent, they have the right to withdraw their consent at any time. However, the withdrawal of consent does not affect the lawfulness of the processing carried out by us based on the data subject's previously given consent.
The period of time during which the data is stored and retained varies depending on the purpose for which the information is processed.
Indeed, there are legal requirements that oblige us to retain the data for a minimum period of time. Therefore, unless there is a specific legal requirement, the data will be stored and retained only for the minimum period necessary for the purposes that motivated their collection or subsequent processing, after which they will be deleted.
Use and Purposes of Data Processing by the Data Subject
In general terms, TerraSense uses the data of the data subject for various purposes, including billing and collection from the data subject, for marketing purposes, and for human resources management and employee recruitment.
The data of the data subject collected by TerraSense are not shared with third parties without the consent of the data subject, except in the situations mentioned in the following paragraph. However, in the case where the data subject contracts services from TerraSense that are provided by other entities responsible for the processing of personal data, the data of the data subject may be accessed or shared with those entities to the extent necessary for the provision of such services.
Implemented Technical, Organizational, and Security Measures
To ensure the security of the data subject's data and maximum confidentiality, TerraSense treats the information provided to it in strict confidence, in accordance with its internal security and confidentiality policies and procedures, which are periodically updated as needed, as well as in accordance with the legally prescribed terms and conditions.
Considering the nature, scope, context, and purposes of the data processing, as well as the risks arising from the processing to the rights and freedoms of the data subject, TerraSense commits to implementing, both at the time of determining the means of processing and during the processing itself, the necessary and appropriate technical and organizational measures to protect the data subject's data and comply with legal requirements. It further ensures that, by default, only the data necessary for each specific purpose of processing are processed, and that such data are not made available without human intervention to an indefinite number of individuals.
In terms of general measures, TerraSense adopts the following:
Regular audits to assess the effectiveness of the implemented technical and organizational measures;
Awareness raising and training of personnel involved in data processing operations;
Mechanisms to ensure the ongoing confidentiality, availability, and resilience of information systems;
Mechanisms to ensure the timely restoration of information systems and access to personal data in the event of a physical or technical incident.
Transfer of Data Outside the European Union
The personal data collected and used by TerraSense are not disclosed to third parties established outside the European Union. If, in the future, such transfer occurs, TerraSense is committed to ensuring that the transfer complies with the applicable legal provisions, particularly regarding the assessment of the adequacy of the country in terms of data protection and the requirements applicable to such transfers.
B. RIGHTS OF THE DATA SUBJECTS
Right to Information
Information provided to the data subject by TerraSense (when data is collected directly from the data subject):
The identity and contact details of TerraSense, the data controller, and, if applicable, its representative.
The purposes of the processing to which the personal data are intended, as well as, if applicable, the legal basis for the processing.
If the processing is based on the legitimate interests of TerraSense or a third party, an indication of such interests.
If applicable, the recipients or categories of recipients of the personal data.
If applicable, an indication that personal data will be transferred to a third country or an international organization, and whether there is an adequacy decision adopted by the Commission or a reference to appropriate or suitable transfer safeguards.
The retention period of the personal data.
The right to request access to personal data, as well as their rectification, erasure, or restriction, the right to object to the processing, and the right to data portability.
If the processing is based on the data subject's consent, the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
The right to lodge a complaint with the CNPD (National Data Protection Commission) or another supervisory authority.
An indication of whether the provision of personal data is a legal or contractual requirement, or a necessary requirement to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of not providing such data.
If applicable, the existence of automated decisions, including profiling, and information regarding the underlying logic, as well as the significance and envisaged consequences of such processing for the data subject.
If the data subject's data is not collected directly by TerraSense from the data subject, in addition to the above information, the data subject is also informed about the categories of personal data being processed, as well as the source of the data and, if applicable, whether they originate from publicly accessible sources.
If TerraSense intends to further process the data subject's data for a purpose other than that for which the data was collected, TerraSense will provide the data subject with information about that purpose and any other relevant information, in accordance with the above.
Procedures and measures implemented to comply with the right to information:
The aforementioned information is provided in writing (including electronically) by TerraSense to the data subject prior to the processing of the personal data in question. In accordance with applicable law, TerraSense is not obliged to provide the data subject with this information if and to the extent that the data subject is already aware of it.
The information is provided free of charge by TerraSense.
Right of Access to Personal Data
TerraSense ensures the means that allow the data subject to access their personal data. The data subject has the right to obtain from TerraSense confirmation as to whether or not personal data concerning them are being processed, and if so, the right to access their personal data and the following information:
The purposes of the data processing;
The categories of personal data concerned;
The recipients or categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;
The retention period of the personal data;
The right to request the rectification, erasure, or restriction of the processing of personal data, or the right to object to such processing;
The right to lodge a complaint with the CNPD or another supervisory authority;
If the data were not collected from the data subject, the available information about the source of the data;
The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
The right to be informed about the appropriate safeguards relating to the transfer of data to third countries or international organizations.
Upon request, TerraSense will provide the data subject, free of charge, with a copy of their data undergoing processing. The provision of additional copies requested by the data subject may incur administrative costs.
Right to Rectification of Personal Data
The data subject has the right to request, at any time, the rectification of their personal data and the right to have their incomplete personal data completed, including through an additional statement.
In the event of data rectification, TerraSense will communicate the rectification to each recipient to whom the data has been disclosed, unless such communication proves impossible or requires disproportionate effort on the part of TerraSense.
Right to Erasure of Personal Data ("Right to be Forgotten")
The data subject has the right to obtain from TerraSense the erasure of their data when one of the following grounds applies:
The data subject's data is no longer necessary for the purposes for which it was collected or processed.
The data subject withdraws their consent on which the processing is based, and there is no other legal ground for the processing.
The data subject objects to the processing under the right to object, and there are no overriding legitimate grounds for the processing.
The data subject's personal data has been unlawfully processed.
The erasure of the data subject's personal data is required to comply with a legal obligation to which TerraSense is subject.
Under the applicable legal provisions, TerraSense is not obligated to erase the data subject's data to the extent that processing is necessary for compliance with a legal obligation to which it is subject or for the establishment, exercise, or defense of legal claims by TerraSense in a judicial process.
In the event of data erasure, TerraSense will communicate the erasure to each recipient/entity to whom the data has been disclosed, unless such communication proves impossible or would involve a disproportionate effort for TerraSense.
When TerraSense has made the data subject's data public and is required to erase it under the right to erasure, it undertakes to take reasonable measures, including technical measures, taking into account available technology and the cost of implementation, to inform the controllers responsible for the effective processing of personal data that the data subject has requested the erasure of any links to, or copies or reproductions of, such personal data.
Right to Restriction of Processing of Personal Data
The data subject has the right to obtain from TerraSense the restriction of processing of their personal data if one of the following situations applies (restriction entails marking the personal data stored with the aim of limiting its processing in the future):
If the data subject contests the accuracy of the personal data, for a period that allows TerraSense to verify its accuracy;
If the processing is unlawful and the data subject opposes the erasure of the data, instead requesting the restriction of its use;
If TerraSense no longer needs the data of the data subject for processing purposes, but the data is required by the data subject for the establishment, exercise, or defense of legal claims;
If the data subject has objected to the processing, pending verification of whether the legitimate grounds of TerraSense override those of the data subject.
When the data of the data subject is subject to restriction, except for storage, it shall only be processed with the data subject's consent or for the establishment, exercise, or defense of legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest as provided by law. The data subject who has obtained the restriction of processing in the above-mentioned cases shall be informed by TerraSense before the restriction is lifted. In the event of a restriction on the processing of data, TerraSense shall communicate the restriction to each recipient to whom the data has been disclosed, unless such communication is impossible or involves disproportionate effort.
Right to Data Portability
The data subject has the right to receive their personal data, which they have provided to TerraSense, in a structured, commonly used, and machine-readable format, and the right to transmit those data to another data controller, if:
The processing is based on the data subject's consent or on a contract to which the data subject is a party; and
The processing is carried out by automated means.
The right to data portability does not include inferred or derived data, i.e., personal data that is generated by TerraSense as a consequence or result of the analysis of the processed data.
The data subject has the right to have their personal data transmitted directly between data controllers, whenever technically feasible.
Right to Object to Processing
The data subject has the right to object, at any time and for reasons related to their particular situation, to the processing of personal data concerning them, based on the pursuit of legitimate interests by TerraSense or when the processing is carried out for purposes other than those for which the personal data were collected, including profiling, or when personal data are processed for statistical purposes.
TerraSense will cease processing the data of the data subject, unless compelling legitimate grounds for the processing override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims by TerraSense.
When the data subject's data is processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning them for such marketing purposes, including profiling to the extent that it is related to direct marketing. If the data subject objects to the processing of their data for direct marketing purposes, TerraSense will cease processing the data for that purpose.
The data subject also has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, unless the decision:
Is necessary for the conclusion or performance of a contract between the data subject and TerraSense;
Is authorized by legislation to which TerraSense is subject;
Is based on the explicit consent of the data subject.
Procedures for Exercising Rights by the Data Subject
The right of access, the right of rectification, the right of erasure, the right to restriction, the right to data portability, and the right to object can be exercised by the data subject by contacting TerraSense and completing the respective form.
TerraSense will respond in writing (including electronically) to the data subject's request within a maximum period of one month from the receipt of the request, except in cases of particular complexity, where this period may be extended by up to two months.
If the requests made by the data subject are manifestly unfounded or excessive, particularly due to their repetitive nature, TerraSense reserves the right to charge administrative costs or refuse to proceed with the request.
Personal Data Breaches
In case of a data breach, and to the extent that such breach is likely to result in a high risk to the rights and freedoms of the data subject, TerraSense undertakes to notify the personal data breach to the CNPD within 72 hours from becoming aware of the incident. According to legal provisions, notification to the data subject is not required in the following cases:
If TerraSense has implemented appropriate technical and organizational protection measures, and those measures have been applied to the personal data affected by the data breach, especially measures that render the personal data unintelligible to any unauthorized person accessing such data, such as encryption;
If TerraSense has taken subsequent measures that ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialize;
If notifying the data subject would involve a disproportionate effort for TerraSense. In such cases, TerraSense will make a public communication or take a similar measure through which the data subject will be informed.
C. FINAL PART
Applicable Law and Jurisdiction