At Mercantlis we understand that the use of your personal data requires your trust. We are subject to the highest privacy standards and will only use your personal data for clearly identified purposes and in accordance with your data protection rights. The confidentiality and integrity of your personal data is one of our main concerns. This Privacy Police establishes how Mercantlis uses the personal data of its customers and potenciaol customers.
1.1 COLLECTING AND PROCESSING OF USER DATA The Personal Data collected and processed consists of information regarding name, email, address, including the district, although other Personal Data may be collected that may be necessary or convenient for Mercantlis to provide Services.
After collecting the Personal Data, Mercantlis provides the User with detailed information about the nature of the data collected and about the purpose and treatment that will be carried out in relation to the Personal Data.
Mercantlis also collects and processes information about the characteristics of the device, its hardware and the characteristics of the browser/software, as well as information about the pages visited by the User within the Site. This information may include your browser type, domain name, access times and links through which the User accessed the Site (“Usability Information”). We only use this information to improve the quality of your visit to our Site.
These subcontracted entities may not transmit User Data to other entities without Mercantlis having previously given, in writing, authorization to do so, and are also prevented from contracting other entities without prior authorization from Mercantlis.
Mercantlis is committed to only subcontracting entities that offer maximum security in the execution of appropriate technical and organizational measures, in order to guarantee the defense of the User’s rights. All entities subcontracted by Mercantlis are bound by the latter through a written contract which regulates, namely the object and duration of the treatment, the nature and purpose of the treatment, the type of personal data, the categories of data subjects and the rights and obligations of the parties.
After collecting personal data, Mercantlis provides the User with information about the categories of subcontracted entities that, in the specific case, can process data on behalf of Mercantlis.
DATA COLLECTION CHANNELS
Mercantlis may collect data directly (i.e., directly from the User) or indirectly (i.e., through partner entities or third parties). Collection can be done through the following channels:
Direct collection: by email and throught the Site;
Indirect collection: through partners and oficial entities.
GENERAL PRINCIPLES APPLICABLE TO USER DATA PROCESSING
In terms of general principles relating to the processing of personal data, Mercantlis undertakes to ensure that the User Data processed by it are:
Object of treatment in accordance with the law, fair and transparente in relation to the User;
Collected for specified, objective and legitimate purposes and not further processed in a manner contrary to those purposes;
Adequate, justified and limited to what is necessary in relation to the purposes for which they are processed;
Accurate and updated whenever necessary, with all necessary measures being taken to ensure that inaccurate data, taking into account the purposes for which they are processed, are erased or corrected without delay;
Kept in a way that allows the User to be identified only for the period necessray for the purposes for which the data is processed;
Treated in a way that guaranteed its security, including protection against its unauthorized or unlawful treatment and against its loss, destruction or unforseen damage, with appropriate technical or organizational measures being adopted;
Data processing carried out by Mercantlis is permitted and legal when at least one of the following situations is verified:
The User has given, without any doubt, his cobnsent to the processing of User Data for one or more specific purposes;
Procesisng is necessary for the fulfillment of a contract to which the User is a party, or for pre-contractual procedures at the User’s request;
The treatment is necessary for the fulfillment of a legal obligation to wich Mercantlis is subject;
The processing is necessary to defend the fundamental interests of the User or another individual;
The processing is necessary for the purpose of the legal interests pursued by Mercantlis or by third parties (except if the interests or fundamental rights and freedoms of the User that require the protection of personal data prevail).
Mercantlis undertakes to ensure that the processing of User Data is only carried out under the conditions listed above and with respect for the principles mentioned above. When the procesisng of User Data is carried out by Mercantlis based on the User’s consente, the User has the right to withdraw their consente at any time. The withdrawal of consente, however, does not compromise the legality of the treatment carried out by Mercantlis based on the consente previously given by the User.
The period of time during wich the data is stored and maintained varies according to the purpose for which the information is processed. Indeed, there are legal requirements that oblige the retention of data for a minimum period of time. Thus, and whenever there is no specific legal obligation, the data will be stored and kept only for the minimum period necessary for the purposes that motivated their collection or subsequente processing and, at the end of this period, they will be deleted.
3. USE AND PURPOSE OF USER DATA PROCESSING In general terms, Mercantlis uses User Data for the following purposes:
Management of contacts with the User;
Inform the User, who has requested it, of new products and services made available on the Site, special offers and campaigns, updated information on Mercantlis’ activity and, in general, for Mercantlis’ marketing purposes and through any means of communication, including electronic support or social media;
Allow access to restricted areas of the Site, such as the online store;
Ensuring that the Site meets the User’s needs, by developing and publishing content that is adapted as possible to the requests and type of User, improving the Site’s search capabilities and functionalities and obtaining associated or statistical information with regard to the typical profile of the User (analysis of consumption profiles);
Provision of Services, and other services, such as newsletters, opinion surveys, or other information or products requested or purchased by the User;
Sending satisfaction questionnaires;
Mercantlis may combine Usability Information with anonymous demographic information for research purposes, and may use the result of this combination to provide more relevant content on the Site. In certain restricted áreas of the Site, Mercantlis may combine Personal Data with Usability Information to provide the User with more personalized content.
User Data collected by Mercantlis is not shared with third parties without the User’s consente, with the exception of the situations referred to in the following paragraph. However, in the event that the User contracts with Mercantlis services that are provided by other entities responsible for the processing of personal data, the User Data may be consulted or accessed by these entities, insofar as this is necessary for the provision of said services and the User will be informed of this.
TECHNICAL, ORGANIZATIONAL AND SAFETY MEASURES IMPLEMENTED
In order to guarantee the security of User Data and maximum confidentiality, Mercantlis treats the information you provide us in na absolutely confidential manner, in accordance with its internal security and confidentiality policies and procedures, wich are periodically updated according to needs, as well as the legally established terms and conditions.
Depending on the nature, scope, context and purposes of data processing, as well as the risks arising from the procesisng for the rights and freedoms of the User, Mercantlis undertakes to apply, both when defining the means of processing as at the time of processing itself, the technical and organizational measures necessary and appropriate for the protection of User Data and compliance with legal requirements.
It also undertakes to ensure that, by default, only the data that are necessary for each specific purpose of the treatment are processed and that these data are not made available without human intervation to an indeterminate number of people.
Communication between the user’s device and Mercantlis is carried out through secure channels and communications that use the HTTPS protocol and the SSL security standard. Even so, in terms of general measures, Mercantlis adopts the following:
Regular audits with a view to identifying the competence of the technical and organizational measures implemented;
Awarenedss and training of personnel involved in data processing operations;
Pseudonymization and coding of personal data;
Mechanisms capable of ensuring the permanent confidentiality, availability and resilience of information systems;
Mechanisms that ensure the restoration of information systems and access to personal data quickly in the event of a physical or technical incident.
TRANSFER OF DATA OUTSIDE THE EUROPEAN UNION
The Site does not transfer your personal data to recipientes located in countries outside the European Union.
When you visit our website, a small text file (Cookie) is created and saved on your computer’s disk, therefore, when browsing the Site you are accepting the installation of this text file on your device. This file will allow you to access the Site more easily and quickly, as well as customize it according to your preferences.
When browsing our Site, you are allowing the collection and storage of small text files called cookies, which contain information and wich are downloaded to the Users’ computer or other devices through a server. These text files will allow for a more personalized and eficiente browsing experience. On each visit to the Site, your internet browser sends these cookies back to the Site, allowing the recognition and memorization of the Users’ identity, as well as their usage preferences.
RIGHTS OF USERS (DATA HOLDERS)
RIGHT TO INFORMATION
Information provided to the User by Mercantlis (when data is collected directly from the User):
The identity and contacts of Mercantlis and the data controller;
Contacts of the Data protection Officer;
The purposes of the treatment for wich the personal data are intended, as well as, if applicable, the legal reasons for the treatment;
If data processing is based on legitimate interests of Mercantlis or a third party, indication of such interests;
If applicable, the recipientes or categories of recipientes of the personal data;
If applicable, indication that the personal data will be transferred to a third country or na international organization, and the existence or not of an adequacy decision adopted by the Comission or reference to appropriate or adequate transfer guarantees;
Period of conservation of personal data;
The right to request Mercantlis permission for personal data as well as its correction, deletion or limitation, the right to object to processing and the right to data accessibility;
If data processing is based on the User’s consent, the right to withdraw it at any time, without compromising the legality of the processing carried out based on the previously given consent;
The right to lodge a complaint with the CNPD or another supervisory authority;
Indication whether or not the communication of personal data constitutes a legal or contactual obligation, or a necessary requirement to enter into a contract, as well as whether the holder is obliged to provide personal data and the possible consequences of not providing such data;
If applicable, the existence of automatic decisions, including profiling, and information regarding the basic concept, as well as the importance and expected consequences of such processing for the data subject.
In the event that User Data is not collected directly by Mercantlis from the User, in addition to the information referred above, the User is also informed about the categories of personal data subject to processing and, as well as about the origin of the data and, eventually, if they are from publicity accessible sources.
If Mercantlis intends to further process the User Data for a purpose other than the one for wich the data was collected, before such treatment, Mercantlis will provide the User with information about that purpose and any other information of interest, in the terms above referred.
7.2 Procedures and measures implemented with a view to fulfilling the right to information. The information referred to in 7.1. is provided in writing (including by electronic means) by Mercantlis to the User prior to processing the personal data in question. Under applicable law, Mercantlis is under no obligation to provide the User with the information metioned in 7.1 when and to the extent that the User is already aware of them. The information is provided by Mercantlis at no cost.
RIGHT OF ACCESS TO PERSONAL DATA
Mercantlis guarantees the means that allow the User to consult their Personal Data. The User has the right to obtain from Mercantlis confirmation that the personal data concerning him or her are being processed and, if applicable, the right to access their personal data and the following information:
The purposes of data processing;
The categories of personal data in question;
Recipients or categories of recipientes to whom personal data have been or will be disclosed, namely recipientes established in third countries or belonging to international organisations;
The retention period of personal data;
Right to ask Mercantlis to correct, eliminate or limit the processing of personal data, or the right to prevent such processing;
Right to lodge a complaint with the CNPD or another supervisory authority;
If the data has not been collected from the user, the information available on the origin of that data;
The existance of automated decisions, including profiling, and information regarding the underlying logic, as well as the importance and expected consequences of such processing for the data subject;
Right to be informed about adequate guarantees associated with the transfer of data to third countries or international organizations.
Upon request, Mercantlis will provide the User, free of charge, with a copy of the User Data that is being processed. The provision of other copies requested by the User may incur administrative costs.
RIGHT TO RECTIFY PERSONAL DATA
The User has the right to request, at any time, the rectification of his Personal Data and, as well as the right to have his incomplete personal data completed, including by means of na additional declaration.
In the event of data rectification, Mercantlis communicated the respective rectification to each recipiente to whom the data has been transmitted, unless such communication is considered impossible or implies a disproportionate effort for Mercantlis.
RIGHT TO DELETE PERSONAL DATA (“RIGHT TO BE FORFOTTEN”)
The User has the right to obtain, from Mercantlis, the deletion of their data when one of the following reasons applies:
User Data is no longer necessary for the purpose for wich it was collected or processed;
The User withdraws the consente on wich the processing of data is based and there is no other legal basis for said procesisng;
The User opposes the treatment under the right of opposition and there are no prevailing legitimate interests that justify the treatment;
If User Data is processed illegally;
If User Data has to be erased to comply with a legal obligation to which Mercantlis is subject;
Under the applicable legal terms, Mercantlis is under no obligation to delete User Data to the extent that the processing proves necessary to comply with a legal obligation to wich Mercantlis is subject or for the purposes of declaring, exercising or defending a Mercantlis’ right in a lawsuit.
In case of deletion of data, Mercantlis communicates to each recipiente/ entity to whom the data has been transmitted the respective deletion, unless such communication proves impossible or implies a disproportionate effort for Mercantlis.
When Mercantlis has made User Data public and is obliged to erase them under the right of such deletion, Mercantlis undertakes to ensure the measures that are reasonable, including those of a technical nature, taking into account the technology available and the costs of its application, to inform those responsible for the effective processing of personal data that the User has asked them to delete the links to that personal data, as well as the copies or reproductions thereof.
RIGHT TO LIMIT THE PROCESSING OF PERSONAL DATA
The User has the right to obtain, from Mercantlis, the limitation of the procesisng of User Data, if one of the following situations applies (the limitation consists of inserting a mark in the personal data kept with the aim of limiting its treatment in the future):
If you contest the accuracy of the personal data, during a period that allows Mercantlis to verify its accuracy;
If the treatment is anlawful and the User opposes the deletion of the data, requesting, in return, the limitation of its use;
If Mercantlis no longer needs the User’s Data for processing purposes, but that data is required by the User for the purposes of declaring, exercising or defending a right in a legal proceeding;
If the User has objected to the treatment, until it is verified that Mercantlis’ legitimate reasons prevail over those of the User.
When User Data is subject to limitation, it may only, with the exception of conservation, be processed with the User’s consente or for the purposes of declaring, exercising or defending a right in a judicial proceeding, defending the rights of another natural person or collective, or for legally foreseen public interests reasons.
The User who has obtained a restriction on the processing of his data in the cases referred to above will be informed by Mercantlis before the limitation on the treatment is annulled.
In the event of limitation of data processing, Mercantlis will notify each recipient to whom the data has been transmitted of the respective limitation, unless this communication proves impossible or implies a disproportionate effort for Mercantlis.
RIGHT TO PORTABILITY OF PERSONAL DATA
The User has the right to receive the personal data concerning him and that he has provided to Mercantlis, in a structured, commonly used and machine-readable format, and the right to transmit this data to another controller, if:
The procesisng is based on consente or on a contract to which the User is a party; and
Processing is carried out by automated means.
The portability right does not include inferred data, nor devided data, i.e., personal data that are generated by Mercantlis as a consequence or result of the analysis of the data subject to treatment.
The User has the right for their personal data to be transmitted directly between those responsible for the treatment, whenever this is technically possible.
13. RIGHT TO OPPOSITION TO TREATMENT The User has the right to object at any time, for reasons related to his particular situation, to the processing of personal data concerning him that is based on the exercise of legitimate interests pursued by Mercantlis, or when the processing is carried out for purposes that other than those for which personal data were cololected, including profiling, or when personal data is processed for statistical purposes.
Mercantlis will complete the processing of User Data, unless it presents urgent and legitimate reasons for such treatment that prevail over the interests, rights and freedoms of the User, or for the purposes of declaring, exercising or defending a right of Mercantlis in a legal proceeding.
When User Data is processed for the purposes of direct marketing, the User has the right to object at any time to the processing of data concerning him for the purposes of said marketing, which includes the definition of profiles on the in so far as it relates to direct marketing. If the User objects to the procesisng of their data for the purposes of direct marketing, Mercantlis ceases processing the data for that purpose.
The User also has the right not to be subject to any decision taken exclusively based on automated processing, including the definition of profiles, which produces effects in its legal sphere or which significantly affects it in a similar way, unless the decision:
Is necessary for the conclusion or execution of a contract between the User and Mercantlis;
Is authorized by legislation to which Mercantlis is subject or
Is based on the User’s explicit consent.
14. PROCEDURES FOR THE EXERCISE OF RIGHTS BY THE USER The right of access, the right of rectification, the right of deletion, the right of limitation, the right of portability and the right of opposition may be exercised by the User by contacting Mercantlis’ data Protection Officer via email: firstname.lastname@example.org.
Mercantlis will respond in writing (including by electronic means) to the User’s request within a maximum period of one month from receipt of the request, except in cases of special complexity, in which this period may be extended to two months.
If the requests submitted by the User are manifestly unjustified or excessive, namely due to their repetitive nature, Mercantlis reserves the right to charge administrative costs or refuse to comply with the request.
15. VIOLATIONS OF PERSONAL DATA In the event of a data breach and, to the extent that such breach is likely to imply a high risk for the User’s rights and freedoms, Mercantlis undertakes to communicate the breach of personal data to the User in question within 72 hours from becoming aware of the incident.
Under legal terms, communication to the Use ris not required in the following cases:
If Mercantlis has applied adequate protection measures, both technical and organizational, and these measures have been applied to the personal data affected by the breach of personal data, especially measures that make the personal data incomprehensible to any person not authorized to access such data, such as encryption;
If Mercantlis has taken subsequente measures to ensure that the high risk to the User’s rights and freedoms is no longer likely to materialize; or
If communication to the User implies a disproportionate effort for Mercantlis. In that case, Mercantlis will make a public communication or take a similar measure through wich the User will be informed. To exercise any of these rights, you can complete the annex.