Introduction

NoeXa, S.A. (“NoeXa”) is a company specialized in consultancy, project development, management, computer programming and professional training. At NoeXa we value the privacy and protection of Personal Data of all interested parties, including customers, suppliers, employees and users of our website, and this Privacy Policy aims to define the general principles and rules that we apply to the Personal Data that we collect and process, in accordance with the General Data Protection Regulation (GDPR) and other applicable legislation.

• NoeXa ensures that the Personal Data it collects and processes, in accordance with applicable legislation, is managed appropriately, using tools capable of monitoring and measuring the effectiveness of its protection;

• NoeXa has implemented several internal policies and procedures, which are subject to periodic review whenever necessary, with the aim of raising awareness among its employees about the importance of protecting Personal Data, providing them with operational guidance on how to comply with current legislation;

• NoeXa has a regular and periodic training program, with a view to providing and sensitizing its employees with the necessary skills in terms of privacy and protection of Personal Data.

Scope of Application

This Policy applies to:

• Users of our website and our LinkedIn Recruiter page;

• Customers and potential customers;

• Suppliers and business partners;

• Job seekers and employees.

General Principles

NoeXa guides the collection and processing of Personal Data in accordance with the following principles:

• Personal Data are collected and processed only for specific, explicit and legitimate purposes arising from current legislation, and are not used for any other purposes (purpose limitation principle);

• The Personal Data collected follows the principle of data minimization, i.e., only those that are strictly relevant and necessary to fulfill the purpose for which they are proposed are collected, being kept in an appropriate manner and limited to the necessary time, taking into account the purposes for which they are processed (data minimization principle);

• Personal Data is collected and processed legally, impartially and in a transparent manner (legality, impartiality and transparency);

• The Personal Data processed is current, accurately and accurately expressing the time to which it corresponds, and is therefore updated and rectified whenever necessary (accuracy principle).

NoeXa defines appropriate technical and organizational Security measures to effectively implement the aforementioned privacy and Personal Data protection principles.

NoeXa imposes, through the contracts it establishes with all its suppliers, service providers, partners, etc. (Processors), the same level of privacy and protection of Personal Data (service providers, suppliers, partners, etc.).

Collection and Processing of Personal Data

Responsible for Treatment:

NoeXa, S.A. (NIPC: 518 265 587) a limited company with headquarters at Edifício IDB – Praça José Queirós, N.º 1, Fração 2.3C, 1800 – 237 Lisboa, or, if the data is collected through other companies in the business group to which it belongs, these entities will be responsible for the processing. Contact email: rgpd@noexa.pt.

Categories of Data collected:

The categories of data collected may vary according to the purposes and scope of the project and may be classified according to the purpose and type of categories: personal data, special categories of personal data and other sensitive personal data, when applicable.

Data recipients:

In the case of Curriculum Vitae for the purposes of applying for job opportunities and/or data for concluding employment, service provision or internship contracts, the recipient is the Human Resources team, whose contact details are recruitment@noexa.pt and/or humanresources@noexa.pt.

In the case of customer, supplier and partner data, the recipients are the Office Management area (officemanagement@noexa.pt) and the Finance area (finance@noexa.pt).
NoeXa may share personal data with:

• Service providers (e.g., HR management platforms, financial software, accounting and payroll services, among others);

• Legal and regulatory authorities, when required;

• Companies of the Xrxes.cc Holding GmbH group for administrative and operational purposes.

Transfer to third countries:

NoeXa does not transfer personal data to third countries. However, if it does so in the future, it guarantees that it will carry out an adequate assessment of the level of security and protection, in order to guarantee the primacy of the rule of law, respect for the rights, freedoms and guarantees of Personal Data Holders and compliance with the legislation in force at the time.

Purposes for collecting Personal Data:

When visiting our website, you can provide us with your Personal Data, therefore, and in this context, NoeXa is likely to collect your Personal Data through the following means:

• When you browse our website, i.e. technical information, such as IP addresses collected through cookies or similar technologies;

• When you subscribe to the newsletter provided by NoeXa;

• When applying for a job opportunity;

• When you contact us for any complaints, suggestions or information;

• When you post comments or images on our social media pages.

Additionally, we may also receive and process your Personal Data by sending your personal information by email or letter, through the contact details available on the website or by direct contact.

The information collected in this context may be processed for the purposes of managing the relationship between NoeXa and the Data Subject, in compliance with contractual and/or legal obligations, to protect and defend the rights, interests, property and security of NoeXa, its employees or other people with whom it collaborates.

Within the scope of the services it provides, NoeXa only processes personal data that is necessary to carry out its activity and to strictly comply with the law, ensuring that any personal data processing operation is lawful and in accordance with all requirements imposed by applicable legislation on privacy and data protection and ensuring that such activities, whenever applicable, will be duly regulated through the conclusion of data processing agreements.

Whenever the collection and processing of your Personal Data is required by law, failure to provide it will result in the impossibility of concluding the respective contract or carrying out a certain act.

Legal Basis for Processing

The processing operations of NoeXa customers’ Personal Data are based on:

• The law, when the processing of Personal Data results from a legal requirement;

• The execution of contracts signed with its customers and/or suppliers and/or partners for the respective provision of services; and

• Legitimate interest, whenever, with a greater and better knowledge of the needs and preferences of its customers and partners, NoeXa processes their data with a view to personalizing offers and highlighting articles, products and/or services.

As part of its ongoing activity, NoeXa also has a legitimate interest in carrying out recruitment operations for new resources, collecting strictly necessary data on interested candidates.

NoeXa only collects and processes Personal Data where, among other circumstances:

• The Data Subject has given authorization for the Processing of their Personal Data for one or more specific purposes (when required); or

• The Processing is necessary for the performance of a contract to which you are a party, or to take steps at your request before entering into a contract; or

• The Processing is necessary to ensure compliance with a legal obligation to which NoeXa is subject; or

• Processing is necessary for the purposes of NoeXa’s legitimate interests, except when these interests override the interests or fundamental rights and freedoms of the Data Subject.

Within the scope of NoeXa’s activity, Personal Data is processed for the following purposes and legal bases:

• Execution of contracts: Establishment, execution and management of contracts with customers, suppliers and partners;

• Compliance with legal obligations: Tax, labor, data protection, among others;

• Legitimate interest: Internal management, business communication, performance analysis, among others;

• Consent: Sending email marketing and newsletters (if applicable).

Personal Data We Process

External Data (Customers, Suppliers and Partners)

• Identification: name, NIF, address;

• Contacts: email, telephone;

• Contractual and financial information: bank details, payment history.

Internal Data (Employees and Job Seekers)

• Personal data: name, marital status, address, contact details, date of birth, NIF, number and expiration date of the civil identification document, NISS;

• Personal data of spouses and children (whenever applicable): name, marital status, address, date of birth, NIF, number and expiration date of the civil identification document, NISS;

• Professional data: work history, qualifications;

• Sensitive data: health (only when necessary and permitted by law);

• Information for salary processing: IBAN, identification of the banking institution, SWIFT code, among others that are necessary.

Data Retention

Personal data is only stored for the period necessary to fulfill the purposes described or to respond to legal requirements, such as compliance with legal obligations (e.g. auditing, accounting and tax obligations), resolution of legal disputes and/or exercise of your legal rights. Circumstances may vary depending on the context, purpose and category of Personal Data. Each data controller and, where appropriate, their representative keeps a record of all processing activities under their responsibility, describing the expected deadlines for the storage and deletion of this data.

Rights of Data Subjects

Data subjects have the following rights:

• The holder has the right to request information about which personal data NoeXa has processed and for what purposes, and may also request a copy thereof, subject to the protection of NoeXa’s commercial secrets and the rights of third parties (Data subject’s right to access);

• If personal data is intended to be transmitted to third parties, the holder has the right to be informed about the identity of these recipients or categories of recipients (Data subject’s right to access);

• If personal data is incorrect or out of date, the holder has the right to request its rectification or updating (Right of rectification);

• The holder may request the erasure of their personal data, except in cases where the legal and/or contractual basis for their processing remains (Right to erasure of data, “right to be forgotten”);

• The holder has the right to object to the processing of their personal data for reasons related to their particular situation, in cases where their interests, rights and freedoms must prevail over the legitimate interests of NoeXa and there are no compelling and legitimate reasons prevailing on the part of NoeXa to justify such processing. This right to object is not applicable in cases where data processing results from compliance with a legal obligation, consent or execution of a contract to which the holder is a party (Right to object);

• The holder has the right to obtain the limitation of the processing of their personal data by NoeXa, in the following situations:

– while NoeXa is verifying the accuracy of the personal data raised by the holder;

-the processing is unlawful and the holder opposes the deletion of the data;

-NoeXa no longer needs the data, but the holder requests that they be kept for the purposes of declaring, exercising or defending a right in legal proceedings;

-the holder has objected to the processing of their data while NoeXa analyzes whether their interests prevail over those of the holder.

When data processing is limited, NoeXa only conserves it (Right to limit treatment).

• The holder has the right to obtain their data in a structured, commonly used and machine-readable format. This right is only applicable when data processing is carried out by computer means and the processing is based on the holder’s consent or the execution of a contract. In situations where processing is carried out on paper, this right does not apply (Right to data portability);

The exercise of any of these rights by the holder must be made directly to rgpd@noexa.pt.

In case of violation of the applicable rules regarding the protection of their Personal Data, Data Holders also have the right to lodge a complaint with the National Data Protection Commission (CNPD).

In the event of a breach of personal data, NoeXa notifies the National Data Protection Commission (CNPD), whenever possible, within a period of up to 72 hours after becoming aware of it, unless the breach of personal data is not likely to result in a risk to the rights and freedoms of natural persons.

Any NoeXa subcontractor must notify the Data Controller without undue delay upon becoming aware of a Personal Data breach.

Cookies and Similar Technologies

Our website uses cookies to improve the user experience, namely:

• Essential Cookies: Necessary for the website to function;

• Analytical Cookies: Used for performance analysis (with prior consent);

• Marketing Cookies: Personalize advertising content (with consent).

Users can manage or disable cookies directly in the browser.

Data Security

NoeXa follows organizational and technological security standards, as well as effective practices in information security management to protect the confidentiality, integrity and availability of information, namely the international standard ISO/IEC 27001, and community standards, legislation and specific national recommendations on information security.

NoeXa applies appropriate technical and organizational measures to ensure a level of security of Personal Data appropriate to the risk and, in particular, to protect Personal Data against destruction, loss, alteration, unauthorized disclosure or accidental or illegal access.

NoeXa imposes, through the conclusion of data processing agreements, the same level of protection on its suppliers and partners who act as Personal Data Processors.

NoeXa enters into a confidentiality agreement with all its employees, with a view to ensuring that they agree to keep all Personal Data to which they may have access in the course of carrying out their duties in the strictest confidence.

Changes to This Policy

This Privacy Policy will be updated to reflect legal or operational changes, whenever necessary or convenient. The latest version will always be available on NoeXa´s SharePoint and website.

Contacts

For any questions or complaints regarding privacy and protection of Personal Data, contact us via:

• Email: rgpd@noexa.pt.

• Address: Edifício IDB Lisbon – Praça José Queirós, N.º 1, Fração 2.3 C, 1800-237 Lisboa.

Version:
1.0

Last updated:
January 1, 2025

Approved by:
Abílio Martins Lopes
CEO, NoeXa, S.A.