search close iconSogrape Logo Colour

Privacy Policy

Privacy Policy

1. Personal data controller

As part of the provision of the website hosted at (“website”), Sogrape SGPS, S.A. (“SOGRAPE”), under the fiscal identification number 503584266, with headquarters at Lugar de Aldeia Nova, 4430-761 Vila Nova de Gaia, may request the personal data owner ("User") to provide personal data, that is, information provided by the User that allows SOGRAPE to identify and / or contact the subject ("Personal Data"). For the purposes of this Policy, SOGRAPE is the personal data Controller.

The purpose of this Privacy Policy is to provide all users with detailed information about the nature of the data collected and the purposes of the data processing carried out, and thus comply with the right to information and reinforce the transparency of our activities.

2. Definitions

For a better understanding of this Privacy Policy, the terms used in the document are defined:

  • “Online services”: any pages, media, web, channels, applications and promotions, as well as any other online initiatives of SOGRAPE.

  • “Personal data”: any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identifier, such as a name, identification number, electronic identifiers, email, mobile phone number, or to one or more specific elements about the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

  • “Processing activity”: the operation or set of operations carried out on personal data, whether by automated or non-automated procedures, such as the collection, registration, organization, structuring, conservation, adaptation or modification, recovery, consultation, use, dissemination by transmission, diffusion or any other form of availability, comparison or interconnection, limitation, erasure or destruction.

  • “User” or “Personal data owner”: the natural person who browses the website or who, for some reason, personal data is processed.

  • “Personal data Controller”: the natural or legal person, the public authority, the agency or other body that, individually or in conjunction with others, determines the purposes and means of processing personal data. For the purposes of this Policy, SOGRAPE is considered to be the personal data Controller.

  • “Personal data Processor”: natural or legal person, the public authority, agency or other body that processes personal data on behalf and in accordance with the instructions of the personal data Controller.

  • “Personal data Recipient”: natural or legal person, public authority, agency or other body that receives personal data.

3. General principles applicable to personal data processing activities

In terms of general principles relating to the processing of Personal Data, SOGRAPE undertakes to ensure that the User’s personal data is:

  • Subject to lawful, fair and transparent processing in relation to the User.

  • Collected for specific, explicit and legitimate purposes, not being later processed in an incompatible manner with those purposes.

  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

  • Accurate and updated whenever necessary, taking all appropriate measures so that the inaccurate data, taking into account the purposes for which it is processed, is erased or rectified without delay.

  • Kept in a way that allows the identification of the User only for the period necessary for the purposes for which the data is processed.

  • Processed in a way that guarantees data’s safety, including protection against its unauthorized or unlawful processing and against its accidental loss, destruction or damage, implementing appropriate technical or organizational measures.

Data processing carried out by SOGRAPE is lawful when at least one of the following situations occurs:

  • The User has given the explicit consent for the processing of his personal data for one or more specific purposes.

  • Processing is necessary for the execution of a contract to which the User is part of, or for pre-contractual steps as requested by the User.

  • Processing is necessary to comply with a legal obligation to which SOGRAPE is subject to.

  • Processing is necessary to defend the vital interests of the User or another natural person.

  • Processing is necessary for the purpose of the legitimate interests pursued by SOGRAPE or by third parties (except if the fundamental interests or rights and freedoms of the User that require the protection of Personal Data prevail).

SOGRAPE undertakes to ensure that the processing of User’s personal data is only carried out under the conditions listed above and with respect for the principles above mentioned.

When the processing of the User's data is carried out by SOGRAPE based on the User's consent, the User has the right to withdraw consent at any time. The withdrawal of consent, however, does not compromise the lawfulness of the processing carried out by SOGRAPE based on the consent previously given by the User.

The period of time during which the data is stored and preserved varies according to the purpose for which the information is processed. Effectively, there are legal requirements that require data to be kept for a minimum period. Thus, and whenever there is no specific legal requirement, the data will be stored and preserved only for the minimum period necessary for the purposes that motivated its collection or further processing, after which they will be eliminated. For more information, please refer to the following point.

4. Personal data processing activities

4.1. Personal data categories

SOGRAPE collects and processes personal data from users (customers and visitors) and candidates with a view to pursuing the purposes for which they were collected. Thus, the following data is collected:

  • Identification data, such as name and birthdate;
  • Contact data, such as email and country of origin;
  • Recruitment data, such as educational qualifications and curriculum vitae.

Cookies may also be collected, further information is available for consultation in our Cookie Policy.

4.2. Purposes, lawfulness and retention periods

In general, SOGRAPE uses User data for the following purposes:

PurposeDescriptionLawfulnessRetention period
MarketingInformation on new products and services similar to those previously purchasedLegitimate interest5 years after data collection
Website management and visits trackingDevelopment of publications and contents adapted to the requests and types of Users in order to improve search capabilities and functionalities of the websites and obtaining aggregated or statistical information regarding the user's standard profileConsent and legitimate interest (applicable to specific cases)Up to 2 years after collection, according to our Cookie Policy
MarketingSending newsletters, conducting opinion surveys or information on other products and servicesConsent1 to 5 years after data collection
Recruitment and selectionFor recruitment purposes, candidate data is collected and processed in the context of ongoing recruitment processes (job vacancies) and spontaneous applicationsConsent1 to 5 years after data collection
Contact managementData processing to respond to requests made via the contact form available on the websiteConsent6 months after request completion

5. Personal data communication

User’s personal data is not shared with third parties without consent, except in the following situations:

  • Communications required by law, in compliance with certain legal obligations;
  • Suppliers that provide services as processor (see point 5.1. of this Policy); or
  • Processing of personal data, to the extent necessary to provide SOGRAPE’s services and / or products.

5.1. Data processors

As part of the processing of User’s data, SOGRAPE uses or may use third parties, subcontracted by itself, so that, on behalf of SOGRAPE, and in accordance with the instructions given by SOGRAPE, proceed with the processing of User’s data, in strict compliance with the provisions of the law and this Privacy Policy.

These subcontracted entities will not be able to transmit the User's data to other entities without SOGRAPE’s previously written authorization, being also prevented from contracting other entities without prior authorization from SOGRAPE.

SOGRAPE is committed to subcontracting only entities that present sufficient guarantees for the execution of the appropriate technical and organizational measures, in order to ensure the guarantee of the User's rights. All entities subcontracted by SOGRAPE are linked to the latter through a written contract which regulates, namely, the object and duration of the processing, the nature and purpose of the processing, the category and type of personal data, the categories of data owners, security measures adopted and the rights and obligations of the parties.

Within the scope of the management of this website, SOGRAPE uses the Wunderman Thompson Agency (Wunderman JWT Publicidade, Unipessoal, Lda., with corporate taxpayer number 500726353), for content management and website promotion.

5.2. Data recipients

SOGRAPE, as mentioned above, may also communicate personal data to other third parties not qualified as Processors. When carrying out personal data processing activities, SOGRAPE will only communicate User’s data in situations where this is essential. Thus, the User's data may be communicated to:

  • Public entities, namely Tax and Customs Authority, Courts and Police Bodies; and
  • Private entities, namely transport companies and marketing campaign agencies, among others.

6. Technical, organizational and security measures

In order to guarantee the security of the User's data and maximum confidentiality, SOGRAPE treats the information that it has provided to us in an absolutely confidential manner, in accordance with the internal security and confidentiality policies and procedures, which are updated periodically according to needs, as well as per the legally provided terms and conditions.

Depending on the nature, scope, context and purposes of processing the data, as well as the risks arising from the processing activities for the rights and freedoms of the User, SOGRAPE undertakes to apply, both when defining the means of processing as in the moment of the processing itself, the technical and organizational measures necessary and adequate to protect the User's data and to comply with legal requirements.

It also undertakes to ensure that, by default, only the data that is necessary for each specific purpose of treatment are processed and that this data is not made available without human intervention to an undetermined number of people.

SOGRAPE adopts the following general measures:

  • Regular audits to assess the effectiveness of the technical and organizational measures implemented;

  • Awareness and training of personnel involved in data processing operations;

  • Encryption of personal data;

  • Website security measures;

  • Mechanisms capable of ensuring the confidentiality, availability and permanent resilience of information systems; and

  • Mechanisms that ensure the restoration of information systems and access to Personal Data in a timely manner in the event of a physical or technical incident.

7. International transfers

As a rule, SOGRAPE does not transfer data outside the European Economic Area. However, if this transfer is necessary to ensure full compliance with the purposes mentioned in this Privacy Policy, SOGRAPE undertakes to make such transfer in full respect of the applicable legal provisions, namely regarding the determination of the suitability of that country with regard to data protection.

8. Minors

SOGRAPE does not process data about minors, however if the website visitor is a minor and does not understand any content of this Policy, he / she should ask for support from his legal representatives (parents or legal guardians).

9. Cookies' use

SOGRAPE uses cookies on its websites. If you want to manage the collected and stored cookies you can do so through the button below. For more information, please read our Cookies Policy.

10. User's rights

The User has the following rights:

  • Right of Access: right to obtain confirmation that which personal data concerning the User is or is not subject to processing and, if so, the right to access such personal data and certain information.

  • Right of Rectification: right to rectify inaccurate personal data concerning the User or to request incomplete personal data to be completed.

  • Right to Erasure: right to obtain the erasure of personal data, without undue delay as long as there are no valid grounds for its conservation, such as cases in which data has to be kept in order to comply with a legal obligation or because judicial proceedings are underway.

  • Right to Limitation of processing: right to request a limitation on the processing of personal data, in the form of suspension of processing or limitation of the scope of processing to certain categories of data or processing purposes, in accordance with article 18 of the GDPR.

  • Right of Portability: right to receive personal data that concerns the User in a structured, of common use and automatic reading format and / or the right to transmit this data to another controller.

  • Right of Opposition: right of the User to oppose to the processing of data him at any time, as long as there are no legitimate reasons for such processing that prevail over the interests, rights and freedoms of the User, or for the purposes of declaration , exercise or defence of a right in a judicial proceeding.

The User may also revoke his consent, in processing activities dependent on obtaining consent, without such revocation invalidating the processing of the data while the consent is in force.

User’s rights may be exercised through contact with SOGRAPE, through:

  • Registered letter to the address Lugar de Aldeia Nova, 4430-761 Vila Nova de Gaia, at the care of the Privacy Provider; or
  • Email

The communication must contain the following elements:

  • Name, email and customer number, if applicable;
  • Right to be exercised and in the case of exercising the right to limitation, the reasons why the User believes that his data is being treated improperly; and
  • Address, for notification purposes in cases where the request is sent through a letter.

SOGRAPE will respond by means of which the User has exercised his right within a maximum period of one month from receipt of the request, except in cases of special complexity, in which this period may be extended up to two months by justification duly substantiated by part of SOGRAPE.

If the requests submitted by the User are manifestly unfounded or excessive, namely due to their repetitive nature, SOGRAPE reserves the right to charge administrative costs or refuse to proceed with the request.

If the User considers that SOGRAPE has not complied with the requirements set out in the GDPR or the applicable national data protection legislation, he / she may also exercise the right of complaint to the Supervisory Authority – Comissão Nacional de Proteção de Dados – through its website.

11. Personal data breaches

In the event of a data breach and insofar as such breach is likely to imply a risk to the User's rights and freedoms, SOGRAPE undertakes to report the breach of Personal Data to the Supervisory Authority within 72 hours from knowledge of the incident. If the risk is high, SOGRAPE guarantees communication to Users, without undue delay, and by the means it deems necessary, taking into account the necessary mitigation measures.

12. Changes to the Privacy Policy

SOGRAPE reserves the right to change this Privacy Policy. In case of modification of the Privacy Policy, the date of the last change, available at the top of this page, is also updated. If the change is substantial, a notice will be posted on the website.

13. Applicable law and jurisdiction

The Privacy Policy, as well as the collection, processing or transmission of User data, is governed by the provisions of Regulation (EU) 2016/679, of the European Parliament and of the Council, of 27 April 2016 and by the applicable laws and regulations in Portugal. Any disputes arising from the validity, interpretation or execution of the Privacy Policy, or which are related to the collection, processing or transmission of User data, must be submitted exclusively to the jurisdiction of the judicial courts of the Oporto District, without prejudice to the legal rules applicable imperatives.