II - Privacy and Data Protection Policy

2.1. Introduction

Browsing the PROZIS website and customer registration on the online store requires the acknowledgment and the acceptance of this Privacy and Data Protection Policy.

PROZIS maintains a constant concern for the protection of the privacy of personal data and a preventive action regarding the security of the site and the protection of the data of its customers and visitors.

To reinforce the guarantees of the confidentiality of personal data, new data protection measures were implemented, both in terms of verifying the legitimacy of the use of the personal data processed and in terms of ensuring compliance with the rights granted to the data subjects. In this context, and through the specialization of customer support channels, PROZIS aims to promote a clearer and more objective communication of the purposes underlying the processing of personal data and the transparency of processing operations.

Thus, the information contained in this text is intended to convey, clearly and unambiguously, the content of the privacy policy and protection of personal data that will be processed under the terms of the General Data Protection Regulation in force (hereinafter GDPR) and delimited by the content of the business relationship to be established between the data subject and PROZIS.

2.2. Types of personal data collected

In general terms, personal data are collected in three situations directly arising from PROZIS' activity:

2.2.1. User registration: PROZIS client account creation and data processing purposes

For the purpose of creating the customer account, a personal area is provided in which the customer must enter the data necessary for their identification as a customer. The first purchase will depend on the provision of additional personal data, indispensable for order processing and delivery.

Required fields on the forms available for those registration stages are marked with an asterisk (*).

PROZIS is committed to protecting customer data which will never be made available to third parties without the acknowledgment or consent of the data subject, as legally required.

PROZIS has entered into Confidentiality and Data Protection agreements with the companies of the business group to which it belongs, namely with PROZIS GROUP, S.A., tax no. 509423272; PROZIS.TECH, S.A., tax no. 504276638; PROZIS.COMMERCIAL, S.A., tax no. 507107381; and VERYFEX, S.A., tax no. 509838057, which provide the supporting services of sale and distribution of the online store products, as well as with every company that renders supporting services for the operationalization of the functionalities and applications that customers intend to use.

Besides that, when making a purchase on the site, customers will also be asked for their shipping address and payment details in order to promote maximum effectiveness and to ensure that the delivery times are met. Such data will be transmitted to the abovementioned companies of Prozis Group as well as to the carrier which will guarantee the delivery operation, all those entities being obliged to process such data in strict compliance with the GDPR key principles on the protection of personal data.

When processing a customer's order, it is possible that certain personal data - such as address and zip code - may be disclosed to third parties for the sole purpose of fraud prevention and detection and always following a request from the competent authorities. Such entities are also required to implement protection and security measures of such data.

Warning: For security reasons and for the protection of personal data, we recommend that customers destroy or strike through the label on which the data are printed, immediately after receiving the order, so as to prevent such data from being consulted by third parties after disposal of the packaging at recycling points.

For the effectiveness of the remaining functionalities made available by PROZIS upon the customer's request, additional data may be collected. Such data will be subject to processing according to the terms and conditions of use specifically laid down and made available for each functionality.

The data provided will be stored for the strictly necessary period, which usually corresponds to the period of existence of the customer account. For this reason, when the customer triggers the deactivation of their account, the personal data will be permanently deleted, except for the data necessary to comply with legal obligations, namely but without limitation, for billing and accountancy purposes. Such data will be stored in a database specifically created for such purpose and only for the time absolutely necessary. Likewise, on an exclusive database, the data regarding the transactions made by PayPal and Credit Card will be stored, respectively for six and twelve months. Such storage is made for the sole purpose of allowing future reimbursements due to customers during the said periods, from the date of issuance of the respective invoice.

Therefore, once the account has been deactivated, if the customer wants to place a new order on the site, the customer must make a new initial registration, subject to the terms and conditions in force at that same date.

Warning: In the event that, after the expiry of the abovementioned time periods, a reimbursement shall take place and the account has already been deactivated, the customer shall contact the Customer Support, providing the new bank details by means of the presentation of an original and official bank statement. Only bank statements on which the customer is identified as the sole or main holder of the new bank account will be accepted.

Completion of customer registration will trigger a registration confirmation for the email address that the customer associates with the customer account and will include a hyperlink to this text.

The use of any functionality or platform that PROZIS may own and that the customer intends to use shall be conditional on the acceptance of the respective terms and conditions of use as well as, whenever specifically provided for, of the respective Privacy and Data Protection Policy. All matters not covered by the aforementioned texts will be governed, with the necessary adjustments, by the terms set out in the present document.

With regard to the accuracy of the customer's data and the respective registry, whenever the customer intends to verify the data provided to PROZIS, the customer may do so in their personal area. Customers should keep their account access data secure, as any action or request made through their account will be their responsibility, provided that the customer follows the customer identity validation procedures described below.

We recommend that customers not store their password in their browser, as someone else with access to their computer can access their personal data.

For what purpose is the collected data used?

Customer data are processed in the context of actions such as order processing, customer's notification of any changes to site functionalities, surveys and the evaluation of interactions for statistical purposes.

Customers may, periodically and by email, receive information about products and services, campaigns, promotions and special offers. If the customer does not wish to be contacted for these purposes, the customer may unsubscribe from the newsletter by opting out in the Manage Permissions tab in the account data area or by clicking on the hyperlink provided in the newsletter text for that specific purpose.

2.2.2. Customer contact with PROZIS

Whenever the customer, on their own initiative, contacts PROZIS in order to obtain information regarding the products, purchase procedures or the status of the order, or to report any situation related to the site or to any services provided, PROZIS may need to collect additional personal data for various purposes, which will be specifically communicated in this case, but which may generally fall under the circumstances of confirming the customer's identity and the purpose of the contact.

In order to ensure that the contact is actually being established by the data subject, PROZIS has implemented measures to reinforce the verification of the caller's identity, especially in cases where the contact is established by telephone.

Thus, as from 25 May 2018, the operator will only proceed with the call after the clear and objective communication of the purpose, of the conditions of validation of the customer's identity and after the express confirmation, by the customer, of the intention to continue the conversation under such conditions. In this context, the customer may, for example, be asked to indicate one or more products purchased in previous orders, which the operator will do after requesting permission to access the purchase history of the last 6 (six) months. Alternatively, and after describing the identity validation mechanism, the operator may send an alphanumeric validation code to the telephone contact or email address registered in the customer's account which will be required by the operator at the beginning of the conversation.

Once the customer identity has been validated, the operator will ask key questions based on the description of the purpose of the contact in order to frame the situation and to eventually forward it to the adequate customer service operator.

Any recording of the call for the purpose of quality of service assessment will depend on the prior and express consent of the customer for this purpose.

For each communication established between the customer and the customer service and as soon as the situation that led to the customer's contact with PROZIS is considered resolved, the customer will be sent a message confirming the update of the complaint or the status of their request. Personal data associated with the initial contact will be retained for a maximum period of 36 months, after which it will be permanently deleted. In certain cases, upon completion of the process, a request for assessment of the service provided, with an optional reply, will be sent. Accordingly, and if the customer expressly consents, the customer's opinion on the level of satisfaction with the service provided will be stored. This specific record will not involve the storage of any personal data, but only of the level of satisfaction, using a proper pseudonymisation procedure.

2.2.3. PROZIS contact with the customer

When processing a specific order, there may be a need for PROZIS Customer Service to contact the customer with a view to:

i) confirmation or rectification of any of the personal data required to complete the delivery process (e.g. the delivery address). In such cases, contact will be made to the mobile phone number on the customer file. Once the connection has been established, the operator will confirm the caller's identity by following, if necessary, the procedure described in clause 2.2.2. above.

ii) informing the customer that a message has been sent to his or her mailbox in the customer account as a result of the stockout of one or more items in the order concerned and that, as an alternative to unavailable products, the amount paid back or similar products may be returned, as provided for in clause 1.4. of the General Conditions of Sale.

iii) request for clarification on the content of any message sent by the customer or regarding conversations already in progress. In either case, such contact will be followed by a written message confirming the content addressed and / or any fact eventually agreed upon.

2.3 - Secure Data Processing, Lawfulness, Fairness and Transparency

PROZIS uses one of the safest online ordering systems and is constantly improving its software so as to offer the safest possible data processing to its clients and to assure their trust. A server certificate, also known as a digital certificate, ensures our identity, as well as Secure Sockets Layer (SSL) encryption of transmitted data.

All the personal data of PROZIS' customers are subject to lawful, fair and transparent processing. For that reason, the data subject may always contact PROZIS for any clarification regarding the processing of their data, as stated in clause 2.5.1. below.

2.4. Access and Purpose Limitation

PROZIS undertakes to use the personal data of its customers and visitors for the purposes strictly necessary for the pursuit of its activity, with the limitations arising from the scope of the same or the extent of the consent expressly granted by its holder. This also means that the data will not be transmitted to any third party without their knowledge and / or authorization where PROZIS is legally bound to obtain it.

In this sense, PROZIS also ensures that access to such data by its employees is limited to the extent deemed absolutely necessary to carry out the action in question. Those employees are identified and tracked according to the functions and tasks assigned to them and within the framework of the contractual relationship set between them.

All data processed by PROZIS, whether directly indicated by the data subject or collected by PROZIS for the sole purpose of executing the contract set between them or for the execution of any functionality requested or accessed by the customer, will be definitively erased as soon as the purpose which has determined the processing ceases to exist. For that reason, the storage of personal data shall observe the principles of data minimisation, purpose limitation and storage limitation, since only the data strictly needed for compliance with the legal and contractual obligation will be collected, which will be stored in a specific proper database for the period strictly necessary for such purposes.

2.5 - Data Subject Rights

2.5.1. Right to information and access to personal data

The customer may at any time request information about the stored personal data, whether concerning the category of personal data, the source and recipient(s) thereof, the length of the storage period and the underlying purposes, or concerning the identification of the data controller, the data protection officer and their contacts.

In the event of a manifestly unfounded or excessive exercise of the right to be informed, PROZIS may charge a fee of 100,00 € / hour (one hundred Euros per hour). This amount should be settled within five business days of receipt of payment instructions. The instructions shall be sent in writing to the email address provided by the data subject and / or via SMS to the mobile contact registered in their account or indicated as response to such request.

2.5.2. Right to rectification and Right to Erasure of personal data

In order to exercise their right to rectification of their personal data, the customer shall send the request, identifying the data to be modified and the up-to-date information, via email sent to [email protected] or by registered letter sent to the data controller: PROZIS.COM, S.A., Zona Franca Industrial, Plataforma 28, Pavilhão K, Modelo 6, Caniçal, 9200-047 Machico, Portugal. The same procedure should be followed if the customer wishes to exercise their right to erasure of personal data. In either case, the customer will receive confirmation, via the same channel used, that their request has been answered as requested.

2.5.3. Right to Restriction of processing, to Object and to Withdraw prior consent

In reinforcement of the principle of transparency in the processing of personal data and customer communications, PROZIS allows the customer to, at any time, modify the data processing permissions granted for each of the stated purposes. Through the opt-in and opt-out features made available for the activation and deactivation of the granted permissions, in the tab "Manage Permissions" of the customer's personal account, the customer can modify or revoke the previous consents, namely those given for the purpose of receiving advertising campaigns, newsletters and other individualized communications including profiling, designed for the PROZIS-customer relationship or for the optimization of the custom navigation experience as well as for the data processing by the remaining Group companies or by third parties which are PROZIS' partners for the execution of any of the functionalities that may be made available at the customer's request.

2.6 Subsidiary application

This text shall govern all the matters regarding the privacy and the data processing done within the framework of the use of the apps and further functionalities, whether accessible through a hyperlink made available by PROZIS on the website, or on any other platform owned by PROZIS. For that reason, it shall be applicable on a subsidiary basis to all the situations which may not be specifically regulated.

2.7 Privacy Policy changes and contacts

2.7.1. Any changes made to this Privacy and Data Protection Policy will be posted on the PROZIS website and all versions prior to this will be made available upon express request of the customer.

2.6.2. Within the meaning of the GDPR, PROZIS.COM, S.A., tax no. 506806693, headquartered at Zona Franca Industrial, Plataforma 28, Pavilhão K, Modelo 6, Caniçal, 9200-047 Machico, Portugal, is the Controller of the personal data.

2.6.3. Irregularities, non-compliance and any security restrictions on the processing of personal data should be immediately reported to the Data Protection Officer of PROZIS by email: [email protected].