This Privacy Policy describes the guidelines and principles regarding personal data protection adopted by the companies belonging to the economic group designated as "CASTRO GROUP," which includes all companies under a relationship of control with CASTRO GROUP, SGPS, S.A., and which are under its dominant influence, in accordance with Article 486 of the Portuguese Commercial Companies Code (the "CASTRO GROUP").
This Privacy Policy therefore applies to all personal data processing activities carried out by the companies that are part of the CASTRO GROUP.
The CASTRO GROUP is an economic group composed of several companies that operate mainly in the following sectors of activity:
As of this date, with reference to the sectors of activity mentioned above, the following companies are part of the CASTRO GROUP:
The CASTRO GROUP may also include non-controlling interests in other companies, which may adhere to this Privacy Policy if their activities fall within the "real estate development and management" and/or "asset management" sectors. Adherence always depends on a written agreement between CASTRO GROUP, SGPS, S.A., and the entity in question, the essential terms and conditions of which, along with this Policy, must be made available to the data subjects.
This Privacy Policy also applies to the personal data processing activities carried out by entities that may become part of the CASTRO GROUP in the future through a controlling relationship. It is the responsibility of these entities, as well as the entities that currently form the CASTRO GROUP, to ensure that data subjects are informed of the existence and content of this Privacy Policy.
Regarding the personal data processing activities conducted by the companies in the "asset management" sector, this Privacy Policy also applies to the data processing activities conducted by the entities under their management (funds and companies).
In the course of their activities, the CASTRO GROUP companies collect and process personal data from various data subjects, including:
(all hereinafter jointly referred to, for the purposes of this policy, as "data subjects").
Depending on the processing activity in question, the data controller is the CASTRO GROUP company that, in that processing activity, determines the purposes and means of processing the personal data of the data subjects (the "Relevant Data Controller").
Regarding Potential Participants and Participants, the Relevant Data Controller may process personal data included in the following categories:
Regarding Potential Tenants and Guarantors, Tenants and Guarantors, Buyers and Sellers, and Potential Buyers and Sellers, the Relevant Data Controller may process personal data included in the following categories:
Personal data is mostly provided by the data subjects at the time of first contact and while the data subjects maintain a contractual relationship with the Relevant Data Controller.
Personal data may be collected at various times and through various communication channels, including telephone, email, and in person.
Personal data is processed for various reasons, justified by the applicable data protection laws in the European Union and Portugal.
The Relevant Data Controller processes the personal data of Participants and Potential Participants for the following purposes and based on the following legal grounds:
| Categories of Data | Purposes | Legal Basis |
|---|---|---|
| Identification and contact data |
|
|
| Bank account identification and financial information |
|
|
The personal data of Participants is retained for the duration of the contractual relationship with the Relevant Data Controller, as applicable, and for up to 10 (ten) years after the end of that relationship. In some situations, the retention period may be longer, in which case this extension will be legally justified and supported. This period has been defined taking into account the possibility that the Relevant Data Controller may need to present evidence in any dispute or potential dispute between itself and the data subjects.
In the case of Potential Participants, the Relevant Data Controller processes their personal data to gather the relevant and necessary information to formalize the contractual relationship, in accordance with relevant Portuguese and EU legislation. In this case, there are two legal bases for processing: on one hand, the execution of pre-contractual measures at the request of the data subject, and on the other hand, compliance with legal obligations to which the Relevant Data Controller is subject, particularly in the phase preceding the conclusion of a unit subscription agreement.
The personal data of Potential Participants is retained during the pre-contractual phase leading up to the conclusion of unit subscription agreements. If a contract is concluded, the data will be used for the contractual phase and treated as data of Participants. If, for any reason, no contract is concluded due to a lack of interest from the data subject or any other reason, the data may still be retained for a period calculated on a case-by-case basis, up to 10 (ten) years from the last contact, depending on the reason why no contract was concluded. In some situations, the retention period may be longer, in which case this extension will be legally justified and supported.
The Relevant Data Controller processes the personal data of Potential Tenants and Guarantors, Tenants and Guarantors, Buyers and Sellers, and Potential Buyers and Sellers for the following purposes and based on the following legal grounds:
| Categories of Data | Purposes | Legal Basis |
|---|---|---|
| Identification and contact data |
|
|
| Bank account identification and financial information |
|
|
The personal data of Tenants, Guarantors, Buyers, and Sellers is retained for the duration of the contractual relationship with the Relevant Data Controller and for up to 10 (ten) years after the end of that relationship. In some situations, the retention period may be longer, in which case this extension will be legally justified and supported. This period has been defined taking into account the possibility that the Relevant Data Controller may need to present evidence in any dispute or potential dispute between itself and the data subjects.
In the case of Potential Tenants and Guarantors, and Potential Buyers and Sellers, their data is retained during the pre-contractual phase leading up to the conclusion of lease or space use agreements. If a lease or space use agreement is concluded, the data will be used for the contractual phase and treated as data of Tenants and Guarantors or Buyers and Sellers, as applicable. If, for any reason, no contract is concluded due to a lack of interest from the data subject or any other reason, the data may still be retained for a period calculated on a case-by-case basis, up to 10 (ten) years from the last contact, depending on the reason why no contract was concluded. In some situations, the retention period may be longer, in which case this extension will be legally justified and supported.
The Relevant Data Controller may process the personal data of data subjects to send them institutional information or commercial communications.
This data processing will only be carried out with the consent of the data subject, provided at the time of personal data collection. If consent is given, the data subject may receive marketing communications via email, postal mail, and SMS.
Consent for the processing of personal data for direct marketing purposes can be revoked at any time, although this right to withdraw consent does not affect the lawfulness of the processing based on consent before its withdrawal, nor the subsequent processing of the same data based on another legal basis, such as the performance of a contract to which the data subject is a party, or for pre-contractual measures at the request of the data subject, and compliance with legal obligations.
If they wish to withdraw their consent, data subjects can contact the Relevant Data Controller using the contact details provided in this Policy.
The CASTRO GROUP companies do not use technologies to make decisions based solely on the automated processing of data subjects' data.
Nevertheless, these entities may use technologies that allow for the creation of a profile of the data subject, but never in a fully or exclusively automated manner and without this implying any legally relevant consequences (even if positive) for the data subject.
The personal data of data subjects may be transferred to companies within the same economic group, which, in any case, are obliged to respect this Privacy Policy and, in particular, the purposes for which the personal data was initially collected.
The personal data of data subjects may also be shared with service provider entities of the CASTRO GROUP companies that, in the context of providing these services, may process personal data on behalf of and under the instructions of one or more of these entities, as applicable, such as:
In the case of personal data transfers to service providers, the subcontracting entity is bound by a subcontracting agreement that obliges it to process personal data in compliance with personal data protection legislation.
The personal data of data subjects may also be shared with third parties (i) by virtue of a requirement or judicial notification to that effect, provided it is duly substantiated and legally supported; (ii) in the case of a request from a public authority, provided it is duly substantiated and legally supported; (iii) following an express request from the data subjects regarding the data they own, in the exercise of their rights, in particular, the right to portability; (iv) due to requirements of existing legislation.
Currently, the CASTRO GROUP companies do not use subcontractors or transfer data to third parties based outside the European Union.
However, if and when such a transfer occurs for any reason, the transferring entity will ensure that these third parties agree to protect the transferred data against improper use or disclosure, in accordance with the legal framework for personal data protection, by signing subcontracting agreements that include standard contractual clauses approved by the European Commission or other legally appropriate means.
As an expression of the commitment to guaranteeing the privacy of data subjects, the CASTRO GROUP companies ensure, in accordance with applicable national and EU legislation, a wide range of rights that can be exercised as follows:
Data subjects may, at any time, contact the Relevant Data Controller and request confirmation that their personal data is being processed and, if so, be informed about: (i) the categories of personal data in question; (ii) the purposes of the processing of their data; (iii) the respective retention period or the criteria used to determine it; (iv) the rights they have and how to exercise them; (v) the origin of the data concerning them; (vi) the existence of automated decisions, including profiling.
The Relevant Data Controller can only provide information about the data subjects and not personal data about other people. Furthermore, if access could negatively affect the rights of another person, we may not be able to provide it.
If the data subject requests it, the Relevant Data Controller will send a copy of their personal data being processed, in electronic format. If other copies are requested, the Relevant Data Controller reserves the right to charge a fee equivalent to the administrative costs incurred to fulfill the request.
Also known as "the right to be forgotten," it allows the data subject to request the deletion or removal of their personal data when there is no compelling reason for the Relevant Data Controller to continue using it. The right to erasure is not absolute, as the Relevant Data Controller may have the right or obligation to retain the information, for example, when it is subject to a legal obligation or has another valid reason to retain it.
Whenever they find that the personal data being processed is outdated, incomplete, or incorrect, data subjects may request its rectification as soon as possible.
Data subjects also have the right to: (i) receive from the Relevant Data Controller the personal data concerning them in a commonly used format; (ii) transmit that data to third parties, under their sole responsibility; and/or (iii) request the Relevant Data Controller to transmit that data to third parties. The right to portability only covers data for which the data subject has given consent to be processed, data related to a contract to which the data subject is a party, or if the processing is carried out by automated means.
The Relevant Data Controller reserves the right to refuse portability requests whenever they harm the rights and freedoms of third parties or conflict with any legal requirement.
In certain situations, the data subject has the right to "block" or suppress the continued use of the data subjects' information. When processing is restricted, the Relevant Data Controller can still store the data subjects' information but can no longer use it.
The data subject can request the restriction of the processing of their data for an indefinite period when they wish to suspend the processing but retain their data. This situation may occur when:
When processing is restricted, personal data will only be processed again if the data subject gives their consent, except for specific treatments provided for by law. The Relevant Data Controller ensures that the data subject who requested the restriction of their data is informed before the restriction on said processing is lifted. The Relevant Data Controller reserves the right to restrict the processing of data subjects' data when it is not needed, committing to keeping the data for the pre-established retention period. The Relevant Data Controller ensures that the data subject who requested the restriction of their data is informed before its cancellation.
The Relevant Data Controller ensures the necessary means for the data subject to object to certain processing of personal data for certain purposes, without prejudice to current directives or laws.
The data subject may object to the processing in the following circumstances:
Finally, data subjects are granted the right to lodge a complaint with the National Data Protection Commission (https://www.cnpd.pt) regarding the processing of their data, through any of the means permitted by said Supervisory Authority.
The rights provided for and described in this Policy, as well as other rights legally provided for in the relevant legislation in force, can be freely exercised by contacting the following address and email:
Address:
Avenida 31 de janeiro, 307,
4715-052 Braga, Portugal
E-mail:
geral@castro-group.pt
This Privacy Policy may undergo changes due to new legal or regulatory requirements, as well as following improvements in the quality of services and the development of the CASTRO GROUP companies' commitment to personal data protection. Any changes to this Privacy Policy will be duly publicized through the various communication channels of the Relevant Data Controller.