Privacy and Data Protection Policy
The Norfin Group aims to ensure the protection of the personal data of all users of its website, and has drawn up this data protection policy in order to demonstrate its commitment to and respect for the personal data of its users. Among other commitments, Norfin has been adopting best practices with regard to technical security measures regarding the protection of personal data (the “Personal Data Protection Policy”), as further described below.
Data protection shall mean not only ensuring the privacy of the data and its processing only within the scope of the purposes provided herein, but also the security and integrity of such data.
In this sense, please read the Personal Data Protection Policy carefully as accessing the website and providing your personal data implies knowledge and express and prior acceptance of the conditions contained herein. In particular, by providing your personal data through the contact form available on the same, you acknowledge and accept its collection and processing in accordance with the rules set out herein.
The Norfin Group clarifies that the mere navigation or access to the website does not necessarily imply the collection of your personal data or cookies. However, we would like to point out that the website also uses cookies and therefore has a Cookies Policy, which you should consult.
It is further clarified that the legal references you may find below, in the absence of indication to the contrary, refer to Regulation (EU) No. 2016/679, of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (commonly known as the “General Data Protection Regulation” or “GDPR”).
Norfin excludes its liability for any damages that may occur in connection with the information contained in this Site, in particular for transcription errors or inaccuracies. In no event shall Norfin, or any entity belonging to or related to the Group, agents or employees, be liable to you or any third party for decisions or actions taken by you based on the information conveyed by the Site or for any specific or similar damages, even after you have become aware of the possible damages resulting therefrom.
1. Personal Data
What is personal data?
Personal data is defined as information relating to an identified or identifiable natural person – the data subject; an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier, such as a name, an identification number, location data, electronic identifiers, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Through this website, personal data that the user considers relevant will be collected and may be processed when asking a question or make a suggestion or complaint to the Norfin Group (as identified below), such as name, email, telephone number and address. The provision by the user of any data other than those explicitly listed in this policy will be timely destroyed, unless there is a legal obligation or legitimate interest of the Personal Data Controllers in their storage and/or processing.
What is the processing of personal data?
Processing of personal data is considered to be an operation or set of operations which is performed upon personal data or sets of personal data, by automated or non-automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, comparison or interconnection, restriction, erasure or destruction.
2. Parties Responsible for the Processing of Personal Data
Under the terms permitted by Article 26 of the RGPD, the entities jointly responsible for collecting and processing the Personal Data for the purposes mentioned below are:
- NORFIN – SOCIEDADE GESTORA DE FUNDOS DE INVESTIMENTO IMOBILIÁRIOS, S.A., with registered office at Av. Alm. Gago Coutinho 30, Piso 0 1000-017 Lisboa, holder of the single registration and tax identification number 500963312, hereinafter referred to as “Norfin SGFII”;
- NORFIN SERVIÇOS, S.A., with registered office at Av. Alm. Gago Coutinho 30, Piso 0 1000-017 Lisboa, registered under the single registration and taxpayer number 509519326, hereinafter referred to as “Norfin Serviços”; and
- NORFIN – INVESTIMENTOS, S.A., with registered office at Av. Alm. Gago Coutinho 30, Piso 0 1000-017 Lisboa, registered under the single registration and taxpayer number 508 596 300, hereinafter referred to as “Norfin Investimentos”.
Should you believe that any information contained in this Personal Data Protection Policy is not sufficiently clear and transparent or, for any other reason, should be amended, you may contact us using the contact form available on the website.
3. Purposes of processing personal data
The purpose of the contact form available on the website is for general contact with the above mentioned Personal Data Controllers, namely to provide answers to questions asked through the contact form related to their activity, suggestions or complaints that you wish to submit. It is hereby made clear that the contact form is not to be used for recruitment purposes (including the submission of spontaneous applications). If any data relating to recruitment is received via this form, it will be deleted in due course.
We would also like to remind you that the Data Controllers do not request or encourage anywhere the sending of personal data concerning philosophical or political convictions, party or trade union membership, religion, private life and racial or ethnic origin, as well as the processing of data concerning health and sex life, including genetic data, so that if you provide them, you cannot be held liable for their processing under the Personal Data Protection Policy.
4. Legal basis for processing – USER CONSENT
By submitting the contact form on the website, the user explicitly and unequivocally consents to the processing of his/her personal data by the Data Controllers identified in this policy solely for the Purposes set out therein and better identified in the preceding paragraph.
You may revoke your consent at any time by completing the contact form. However, we remind you that withdrawal of consent does not affect the lawfulness of the processing of personal data carried out on the basis of the consent previously given, nor the processing of personal data based on any other legal basis (e.g. the existence of a contract in force between you and any of the Data Controllers).
5. Conservation of Personal Data
The period of time during which Personal Data are stored and kept varies according to the Purposes, and in particular the questions you ask and your contractual position with the Data Controllers.
6. Your rights as a data subject
Users are guaranteed the right at any time to access their Personal Data, as well as the right to rectify and portability and, where there are no contractual or legal impediments, the right to erasure, limitation and/or opposition to processing – in this regard, they may exercise any of these rights through the contact form.
The user shall also have the right to lodge complaints as he/she sees fit with the supervisory authority which, in the case of Portugal, is the National Commission for Data Protection, whose contacts are available at www.cnpd.pt.
7. Security of Personal Data Processing
Personal Data will be processed and stored by computer on the Data Controllers’ own servers or on those of trusted subcontractors.
The Personal Data Controllers are committed to ensuring the protection of the Personal Data sent by the user through the website, having adopted the appropriate technical and organisational measures for this purpose, namely: (i) protection with passwords, (ii) use of digital certifications, (iii) restrictions on physical entry to the locations where the servers storing Personal Data are located; (iv) firewalls, (v) secure communication via https protocol, (vi) restricted access by a limited number of workers and duly identified.
The Data Controllers inform you that these security measures are reviewed and updated according to the needs and state of the art in these matters.
If, for any reason, there is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data, the Controllers shall notify the competent authorities without undue delay and, whenever possible, within 72 hours of becoming aware of it and in accordance with applicable law. Similarly, controllers shall notify the Personal Data Breach to the Personal Data Subject (herein after you) in accordance with applicable law.
Notwithstanding the security measures adopted by the Data Controllers, users are advised that they must adopt additional security measures, such as an active firewall, up-to-date anti-virus and anti-spyware programs.
8. Communication of Personal Data to Third Parties
The personal data of our customers is processed within the European Economic Area (EEA), where it is protected by European legislation, more precisely the General Data Protection Regulation (GDPR).
Our Company only shares personal data with third parties where legally authorised to do so. When we do so we establish appropriate contractual arrangements and security mechanisms to protect data and comply with data protection, confidentiality and security standards.
Norfin is a subsidiary company of Arrow Global Plc Group (“AGG” and/or “Arrow”), based in the UK. Due to Brexit, with effect from 1 January 2021, the UK will no longer be part of the European Union and the European Economic Area, as from that date, should your data be transferred will be in force European standards, looking after your personal data is very important and Brexit will not change this.
We only share personal data with other non-EEA countries where we are legally entitled to do so, namely where:
- The European Commission has decided that the country concerned has adequate data protection rules in place (an “adequacy decision”);
- Irrespective of the data subject’s consent, we are entitled to share the data because it is necessary for the performance of a contract, the fulfilment of a legal obligation, the exercise of a public task or the legitimate interests pursued by us; or
- We are able to guarantee by means of relevant “standard contractual clauses” (set of obligations on the form of contract) the lawfulness and appropriateness as to how your data is protected and used with the recipient of your personal data.
9. Access to third party websites
The Personal Data Protection Policy is not applicable to third party websites, so if you visit another website from this one you should always read the personal data protection policies of that website and check that you agree to its terms before providing your data.
The Controllers are not responsible for the personal data protection policies or the content provided on third party websites.
10. Changes to the Personal Data Protection Policy
The Controllers reserve the right to make adjustments or amendments to this Personal Data Protection Policy at any time, such amendments being duly published on this website. The version published on this website is always the version currently in force.