Please note, your browser is out of date.
For a good browsing experience we recommend using the latest version of Chrome, Firefox, Safari, Opera or Internet Explorer.

Privacy Policy

Personal Data Privacy Policy

The Norfin Group aims to safeguard the protection of the personal data of its website’s users. In this sense, it prepared the present data protection policy in line with its commitment and respect for the personal data of its users. Among other pledges, Norfin has been adopting best practices with regard to technical safety for the protection of personal data (the “Personal Data Protection Policy”), as described below.

Data protection, means not only ensuring the privacy of personal and its processing solely within the scope of the purposes set forth herein, but also the safety and integrity of said data.

In this context, please read the Personal Data Protection Policy carefully since, the access to the website and provision of personal data entails the knowledge and the express and prior acceptance of the conditions contained herein. In particular, by making your personal data available through the contact form available on the website, you are acknowledging and accepting the collection and processing of such data in accordance with the rules set out herein.

The Norfin Group wishes to clarify that the simple browsing or access to the website does not necessarily imply the collection of your personal data or cookies. Nevertheless, we would like to point out that the website also uses cookies, so it has a Cookies Policy that you should read.

Moreover, the legal references you may find below, unless stated otherwise, refer to Regulation (EU) no. 2016/679 of the of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (commonly known as the “General Data Protection Regulation” or “GDPR”).

1. Personal data

What is personal data?

Personal data is defined as the information relating to an identified or identifiable natural person – data subject; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Through this website, personal data that the user deems relevant will be collected and may be processed to pose a question or submit a suggestion or complaint to the Norfin Group ( as identified below) , such as name, email, telephone and address. The provision by the user of any data other than those explicitly provided in this policy will be destroyed in due course, unless there is any legal obligation or legitimate interest of the Controller in its storage and/or processing.

What is the processing of personal data?

The processing of personal data means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

2. Controller

Pursuant to article 26 of the GDPR, the entities jointly responsible for collecting and processing Personal Data for the purposes below are:

  • NORFIN - SOCIEDADE GESTORA DE FUNDOS DE INVESTIMENTO IMOBILIÁRIOS, S.A., with registered office at Avenida da República, no. 35, 4th floor, 1050-186 Lisbon, holder of the sole taxpayer and registration number 500963312, hereinafter “Norfin SGFII “;
  • NORFIN SERVIÇOS, SA, with registered office at Avenida da República, no. 35, 4th floor, 1050-186 Lisbon, holder of the sole taxpayer and registration number 509519326, hereinafter “Norfin Serviços”; and
  • NORFIN - INVESTIMENTOS, SA, with registered office at Avenida da República, no. 35, 4th floor, 1050-186 Lisbon, holder of the sole taxpayer and registration number 508 596 300, hereinafter “Norfin Investimentos”;

If you believe that any information contained in this Personal Data Protection Policy is not sufficiently clear and transparent, or for any other reason, it should be changed, you may contact us through the contact form available on the website.

3. Purposes of the Personal Data Processing

The contact form available on the website is provided for general contact purposes with the above mentioned Controllers, namely to provide answers to questions posed through the contact form and related to your activity, suggestions or complaints that you want to present. It is clear from now on that the contact form should not be used for recruitment purposes (including the submission of voluntary employment applications). If any data related to recruitment is received via that form, such data shall be deleted in due course.

Please note that the Controllers will not request, or encourage the provision of personal data relating to philosophical or political views, political or trade union affiliations, religious beliefs, data related to private affairs and racial or ethnic origin, as well as the processing of data related to health and sex life, including genetic data, therefore, if you provide such information, the Controllers cannot be held liable for the processing thereof under the Personal Data Protection Policy .

4. Legal basis for processing – USER’S CONSENT

By submitting the contact form on the website, you explicitly and unequivocally consent to the processing of your personal data by the Controllers identified in this policy solely for the purposes set forth herein, and described above.

The user may, at any time, revoke the consent given hereunder by completing the contact form. Please note, however, that the withdrawal of consent does not compromise the legality of the processing made on the basis of prior consent, nor the processing of personal data carried out with a different legal basis (e.g., existence of a contract in force between the user and any one of the Controllers).

5. Storage of Personal Data

The period of time during which the Personal Data is stored and kept varies according to the Purposes, and in particular with the questions that are posed by the user and his/hers contractual position with the Controllers .

6. Rights of the user as data subject

The user is guaranteed, at any time, the right to access his/her Personal Data, as well as to the amendment and portability thereof and when there is no contractual or legal impediments, the deletion, restriction and/or opposition to the processing - the user may exercise any of these rights through the contact form.

The user will also have the right to submit complaints with the supervisory authority, which in Portugal, is theComissão Nacional de Proteção de Dados, whose contacts are available at

7. Security in the Processing of Personal Data

The Personal Data shall be processed and stored in a computerised way, on servers belonging to the Controllers or trusted processors.

Controllers undertake to ensure the protection of personal data that the user sends via the website, having adopted technical and organisational measures to that end, namely: (i) protection with passwords, (ii) use of digital certifications, (iii ) restrictions to the physical entry in places where the servers that store Personal Data are located; ( iv ) firewalls , ( v) secure communication via the https protocol , (vi) restricted access by a limited number of workers, dully identified.

Controllers would like you to know that these security measures are reviewed and updated as required and the state of the art in these matters.

If, for any reason, there is a breach of security that causes, accidentally or unlawfully, unauthorised destruction, loss, alteration, disclosure or access to Personal Data, the Controller shall notify, as soon as reasonably possible, and, where possible, within 72 hours of becoming aware of it and in accordance with applicable law, the competent authorities. Also, Controllers shall notify such breach of the Personal Data to the respective Data Subjects (the user herein), in accordance with applicable law.

Despite the security measures adopted by the Controllers, users must be aware that they should take additional security measures in particular, ensure that they have an active firewall, as well as up to date antivirus and anti-spyware.

8. Transfer of Personal Data to Third Parties  

Controllers, in the context of their activity, will be able to rely on third parties for the provision of certain services. Such third parties may be located inside or outside the European Union. Sometimes the provision of these services implies access by these entities to the users’ personal data.

When this happens, Controllers shall ensure that they have taken appropriate measures to ensure that the entities that have access to Personal Data are renowned and offer high guarantees at this level, which shall be duly provided and safeguarded by a written agreement between the Controllers and such third party(ies).

Thus, any entity subcontracted by the Controllers, processing the user’s Personal Data, on behalf and for the exclusive benefit of the Controllers, shall be required to take the necessary technical and organisational measures to protect the Personal Data against accidental or unlawful destruction, accidental loss, alteration, disclosure, unauthorised access and any other form of unlawful processing.

In the (unlikely) event  there is a need to transfer personal data to third countries (countries outside the European Economic Area) , the Controllers shall seek to ensure that the processors are bound by the Adequacy Decision or, at least, by the Data Protection Standard Contractual Clauses approved by the European Union.

The following are possible recipients of collected personal data: IT companies, software licensing and maintenance companies, and website maintenance companies.

9. Access to third party websites

The Personal Data Protection Policy is not applicable to third party websites, so if you visit another website from this website, you should always read the personal data protection policies of such website and confirm that you agree to its terms before providing your data.

The Controllers shall not be responsible for the personal data protection policies nor the content available on third-party websites.

10. Changes to the Personal Data Protection Policy

The Controllers reserve the right to, at any time, make adjustments or amendments to this Personal Data Protection Policy, being such changes dully published on this website. The published version of the website is always the one currently in effect.