Privacy Policy

I – START

a) Thank you very much for consulting our Privacy Policy

b) This Privacy Policy aims to express our commitment to the protection of your personal data as a responsible organization that we are and that places your privacy at the heart of everything we do and the way we act

c) Iberol sees your privacy and the protection of your personal data as our responsibility, taking into account the applicable legal provisions and as a guiding principle of our activity

d) We comply with and enforce the personal data protection legislation in force, namely the General Data Protection Regulation (Regulation (EU) 2016/679), hereinafter RGPD, and law 58/2019 of 8 August, which enforces it in Portuguese legal system, in addition to other applicable European regulations

II – RESPONSIBLE FOR THE PROCESSING OF YOUR PERSONAL DATA

a) The Iberol – Sociedade Ibérica de Biocombustíveis e Oleaginosas, S.A. legal person n.º 500135959, is the entity responsible for processing your personal data, having its headquarters at Av. do Marco da IV Légua, 132, 2615-702 Sobralinho – Portugal

b) Our website is hosted at iberol.pt and our privacy email is as follows: rgpd@iberol.pt

III – OUR POLICY

a) Accessing our website and providing your personal data implies and presupposes that you know the content of this policy, and that you accept it.

b) We also advise you to read our Terms and Conditions, in addition, of course, to our Cookies Policy, documents that you will find at the bottom of the home page of our website.

c) The links that may exist on our website to websites external to Iberol are not controlled by us, so you should always consult the data protection information and other applicable information that are made available by these websites, as we do not assume, and cannot assume, any responsibility. regarding its content, level and accuracy of its information, compliance with applicable law or the way in which these entities operate

IV – THE IMPORTANCE OF YOUR PERSONAL DATA FOR IBEROL

a) Our Privacy Policy reflects the way we act when we provide our services whenever we process personal data

b) Access to personal information whose treatment you entrust us with is carried out only and only by those who are duly authorized internally, in accordance with defined access privileges and supported by the “need to know” principle.

c) Our concern with your personal data is established by design and by default, that is, it is present in all initiatives that we develop and will develop in the future, with your data being processed on a strictly necessary basis.

d) We always work from a perspective of continuous improvement, which we apply in everything we do, considering the most appropriate solutions to protect your personal information, supported by a prior risk assessment, which we carry out regularly.

e) For us, at Iberol, the training of our employees is a key factor in mitigating our operational risk in terms of data protection and a crucial factor in establishing an internal culture of privacy

f) We believe that there is always room for improvement in all aspects of our organization, always seeking to serve in an exemplary way those who trust us

g) We promote transparency, seeking to provide adequate, simple information that can be understood by everyone, promoting and reinforcing the trust that users of our website and customers place in us, which we believe is the basis that effectively sustains lasting relationships.

h) We know that mistakes are sometimes unavoidable, so we assume when we make mistakes, apply corrective measures and try to ensure that they do not happen again.

i) We always assume that the protection of your personal data begins with the rigor and qualitative level of the information we provide you, information that we communicate and reiterate internally

V – DEFINITIONS TO RETAIN:

a) We understand that the following concepts are very important, so we make them known, presented as follows, closely following the definitions of the GDPR:

i) What is “Personal Data”?

Any information relating to an identified or identifiable natural person, where a natural person who can be identified, directly or indirectly, namely by reference to an identification number or to one or more specific elements of his physical, physiological, psychological, economic, cultural or social

ii) What is meant by “treatment”?

Processing of personal data consists of an operation or a set of operations carried out on personal data or on sets of personal data, by automated or non-automated means, such as collection, registration, organization, structuring, conservation, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, comparison or interconnection, limitation, erasure or destruction

iii) Who is the “Responsible for the treatment”?

A natural or legal person, public authority, agency or other body that, individually or jointly with others, determines the purposes and means of processing personal data

iv) Who is the “Subcontractor”?

A natural or legal person, public authority, agency or other body that processes personal data on behalf of the data controller

v) What is meant by “Consent”?

Consent is given by you, as the holder and when legally applicable, translating a free, specific, informed and unequivocal expression of will, by which you accept, by means of an unequivocal positive declaration or act, that the personal data concerning you are the object of treatment

vi) What is a “Personal Data Breach”?

It is a breach of security that accidentally or illicitly causes the destruction, loss, alteration, disclosure or unauthorized access to personal data transmitted, preserved or subjected to any other type of processing.

vii) what are cookies (connection testimonials)?

A cookie is a small information file that is installed on the user’s/data subject’s browser and stored on their computer when they visit a website and are used, as a rule, to improve the experience and performance of our website.

VI – HOW WE COLLECT YOUR PERSONAL DATA?

a) When we provide our services, your personal information is collected through several channels, namely:

i) through our website, when using our “Contacts” section

ii) by phone

iii) When you interact with us, for example, via email

 VII – WHAT PERSONAL DATA DO WE PROCESS?

a) The personal data we process are only those strictly necessary for the provision of our services, in strict compliance with the principle of data minimization

i) Identification data:

      • Name
      • Email address
      • Phone number
      • Address

ii) Data billing

      • Tax number
      • Billing address

b) Data resulting from Cookies (IP address, browser and version, time of visit to our website, duration of visit, location and other diagnostic data)

c) Academic data and professional experience, whenever you send us your CV

d) We do not, as a rule, process special categories of personal data (“sensitive data”), as referred to in article 9 of the GDPR, namely health data, political or religious beliefs

e) If this happens, this treatment will only take place on the basis of the exceptions provided for in paragraph 2 of the aforementioned article 9 of the GDPR

VIII – ARE THERE COOKIES ON IBEROL.PT?

a) Yes, there are, because it is our goal that you have a fluid and efficient browsing experience and for this reason we use cookies because they are necessary for the functionality of our website and because they are important for our business.

b) We are aware of the legal obligations and best practices in terms of placing cookies on our users’ devices, so we are absolutely transparent about the cookies we use, asking for your consent whenever the type of cookie placed requires it;

c) We assure you that you can change your consent for cookies, allowing you as the holder of personal data to manage on our website, in an easy and uncomplicated way, the consent given, as required by law, responding to your right to withdraw consent.

d) In our Cookies Policy you can obtain various information, namely which cookies we use, what are their categories and how you can manage them in your browser, being able to consult it HERE

IX – FOR WHAT SPECIFIC PURPOSES DO WE PROCESS YOUR DATA?

a) The purposes of the processing of personal data must be determined, explicit and legitimate, complying with the principles of limitation of purposes and lawfulness

b) In this context, your personal data are processed in accordance with the following purposes:

i) We provide our service

ii) We manage the contractual relationship

iii) Proceed to identify you as our customer

iv) Sending information about changes to the conditions for providing our service

v) Optimization of your visit and the navigability of our website

vi) To enable the use of the interactive features of our Service, should you choose to use

vii) Providing support, when necessary or requested, namely in the purchase or delivery process

viii) Detection, prevention and resolution of technical problems and monitoring of our website

ix) Billing of services provided

x) Compliance with legal obligations

xi) Holding of events and their dissemination

X – PROCESSING OF YOUR PERSONAL DATA FOR A PURPOSE OTHER THAN INITIAL

a) The regulatory framework in force requires that you are always duly and previously informed, as the data subject, about the treatment we make of your personal data, in order to be able to exercise over them, without surprises, a real and effective control.

b) If we intend to proceed with the further processing of your personal data for a purpose other than any of these informed here, we will take the initiative to inform you and provide the necessary information, as well as any other that, in the context, is relevant and appropriate , in the logic of a transparent performance that we cultivate in a permanent way

XI – WHAT ARE THE LEGAL BASES FOR THE PROCESSING OF YOUR PERSONAL DATA?

a) The processing of your personal data can be carried out on the following legal grounds:

i) the need for processing for the purposes of pre-contractual measures or contractual execution

ii) Legal obligations to which we are subject
iii) your consent, when that is the applicable legal basis of treatment

iv) our legitimate interests, and we will ensure that they do not override your interests, rights and freedoms, otherwise we will not invoke them

XII – CHILDREN’S DATA

a) As a rule, we do not intend to process data from children, given the services we provide and their scope, so if for some exceptional reason we collect data from children, it will be up to the holders of parental responsibilities to request their deletion, a request to which we will promptly access after verifying that this collection actually took place

XIII – PERIOD OF RETENTION OF YOUR PERSONAL DATA

a) We comply with the legal rule that your personal data are kept only for the time strictly necessary for the purposes that motivated their initial treatment

b) In this way, once the purposes have been fulfilled, your personal data are, as a rule, deleted or anonymized, under the terms legally provided for in the RGPD and in law 58/2019 of 8 August

c) It is important to mention that there are legal requirements that oblige us to keep your personal data given for a minimum period of time, so in these cases we are obliged by law to respect these deadlines

d) If your consent is the legal basis for us to process your personal data, they will be kept until you exercise it, or if the purpose we pursue no longer takes place

XIV – RIGHTS OF PERSONAL DATA HOLDERS?

a) Iberol respects, complies with and enforces your rights, so we let you know which rights you have and which you can exercise as the holder of personal data:

i) Right of access (Article 15 of the GDPR): You have the right to request, among others, information regarding whether or not your data is being processed, what data we process and for what purposes

ii) Right to rectification (Article 16 of the GDPR): Right to have, without undue delay, rectification of inaccurate personal data concerning you and incomplete data to be completed

iii) Right to Erasure (Article 17 of the GDPR): Also known as the right to be forgotten – you can request, in certain circumstances, that your personal data be erased from our records, without undue delay, whenever if any of the reasons provided for in the GDPR are verified

iv) Right to limitation of processing (Article 21 of the GDPR): You have the right to object, for reasons related to your particular situation, to certain types of data processing provided for in the GDPR, such as processing for the purposes of direct marketing, in which case we will cease processing for that purpose

v) Right to limitation of processing (Article 18 of the GDPR): The right to obtain the limitation of the processing of your personal data, when you want, for example, to contest the accuracy of your personal data for a period of time that allows us to verify the its accuracy, when the processing is unlawful or if you have deducted your right to object

vi) Right of Portability (Article 20 of the GDPR): You have the right to transfer your personal data that we keep to another organization or to receive them in a structured, commonly used and machine-readable format

vii) Right to withdraw consent (Article 7, no. 3 of the GDPR): If consent is legally necessary for the processing of personal data, the data subject has the right to withdraw consent at any time, so easy, although this right does not compromise the lawfulness of the treatment carried out on the basis of the consent previously given

viii) Right to submit a complaint to a supervisory authority (Article 77, no. 1 of the GDPR): In Portugal, the supervisory authority is the CNPD – National Data Protection Commission (www.cnpd.pt), which can be contacted via email: geral@cnpd.pt

ix) Right to claim compensation and liability (Article 82 of the GDPR): If you have suffered material or immaterial damage due to a breach of the RPGD, you are entitled to receive compensation from the controller or processor for the damage suffered

x) Right to mandate a non-profit organization, organization or association to file a complaint on its behalf (Article 80 of the GDPR): The data subject has the right to mandate a non-profit organization, organization or association, which is duly constituted under the law of a Member State, whose statutory objectives are in the public interest and whose activity covers the defense of the rights and freedoms of the data subject with regard to the protection of their personal data, to, on their behalf, submit claim, exercise the rights provided for in Articles 77, 78 and 79 of the GDPR, and exercise the right to receive compensation referred to in Article 82, if provided for in the law of the Member State

xi) Right not to be subject to automated decisions. (Article 22 of the GDPR): You have the right not to be subject to any decision made solely on the basis of automated processing, including profiling, which has effects in your legal sphere or which significantly affects you in a similar way. This subjection, if it occurs, will only take place, on our part, within the scope of the exceptions provided for in article 22, n. 2 of the GDPR, and we will apply measures that ensure your right to obtain human intervention, allowing you to express your opinion and contest the decision

b) If you wish to exercise with us the rights that precede and that are applicable, you can do so by consulting the point “Where can you find us” below.

c) After your contact, in which you express your willingness to exercise your rights, we will respond shortly by sending you the

d) The response, in writing or by other means, including, where appropriate, by electronic means, will be provided by the Data Protection Officer we have appointed in a concise, transparent, intelligible and easily accessible manner, using clear and simple, and up to a period of 30 (thirty) calendar days (which may reach 60 (sixty) days in case of complexity or depending on the number of requests)

e) You may request that the information be provided orally, provided that your identity is duly proven, and in the absence of such proof we may refuse to provide it

f) The counting of the period referred to above starts

XV – COMMUNICATION OF PERSONAL DATA

a) Within the scope of the services we provide, data communication is a requirement for us to be able to enter into a service contract or to be able to send you communications, and the lack of this information naturally constitutes an obstacle to this conclusion, which is the only resulting consequence

XVI – RECIPIENTS OF PERSONAL DATA

a) Under certain circumstances, Iberol may disclose your Personal Data to a natural or legal person, a public authority, agency or other body

b) In the case of a public authority, we may be required to make this communication by reason of legal imposition or in response to valid requests from public authorities (for example, a court or a government agency)

XVII – HOW IS THE SECURITY OF YOUR PERSONAL DATA GUARANTEED?

a) The security of your personal data is extremely important to us

b) We have adopted appropriate technical and organizational measures to ensure a level of security that we believe to be adequate for the risk associated with the treatment we make of your personal data, taking into account the measures provided for in article 32 of the GDPR, which we review periodically and taking into account technological developments

c) In this way, we ensure that the availability, authenticity, integrity and confidentiality of your data are ensured, as well as prevent its loss, alteration, unauthorized treatment or access and its misuse, as well as any other form of illicit treatment that may take place

d) Finally, because we understand that safety is based, in addition to technology, on the training of our employees, we ensure that they have adequate and regular training, thus seeking to minimize the risk that is recognized as inherent to the human factor

XVIII – ARE THERE SUBCONTRACTORS?

a) Within the scope of our activity, we may use subcontractors who process your data on our behalf, as provided for in the GDPR;

b) Whenever this occurs, our commitment is this:

i) Iberol’s subcontractors are carefully chosen

ii) We will thus determine:

1) Whether they present sufficient and adequate guarantees for the implementation of technical and organizational measures aimed at protecting their personal data and, furthermore,

2) that they will act only and only in accordance with our instructions, which will be documented

iii) Finally, once the choice has been made within the defined criteria, we will enter into a contract with our subcontractors, reduced to writing, which will reflect all the legal requirements of article 28 of the GDPR, so that the processing of your personal data is carried out in the strict compliance with the law

XIX – ASSESSMENT OF SUPPLIERS IN DATA PROTECTION

a) We carry out a prior assessment of our potential subcontractors, through which we seek to determine whether they demonstrate compliance with the RGPD, namely if they have published policies on their websites and if they comply with the rules regarding consent in the context of the placement of cookies, among other compliance parameters

XX – WHAT IF WE MAKE INTERNATIONAL TRANSFERS OF YOUR PERSONAL DATA?

a) As a rule, your data will always be processed within the European Economic Area, and we choose, if necessary and preferably, providers located in this geography

b) If we communicate personal data to third countries or international organizations, outside the European Economic Area, we will strictly comply with the applicable legal provisions, not proceeding with international transfers of personal data to entities that do not offer guarantees of maintaining the level of protection required by the GDPR without proper legal safeguards

XXI – WHERE ARE WE?

Address: Av. do Marco da IV Légua, 132, 2615-702 Sobralinho – Portugal

Telephone: +351 219 519 400

Personal Data Protection Email: rgpd@iberol.pt

XXII – CHANGES TO OUR PRIVACY POLICY

a) If justified, we will change our Privacy Policy, which may occur for several reasons, namely:

i) technological

ii) legislative changes

iii) inclusion or alteration of purposes

iv) changes to contacts

b) The new version, with the changes included, will be published on our website

c) After the change information and respective publication, all users of our website will be bound by the new terms whenever they access and browse its pages

XXIII – APPROVAL

a) This policy was approved by Iberol’s management body

XXIV – VERSION

a) Version 1: November, 2022