Privacy and Personal Data Protection Policy

This Privacy and Personal Data Protection Policy (“Policy”) establishes the terms under which BMA – Baptista, Monteverde & Associados – Sociedade de Advogados, SP, RL, taxpayer identification number 508690820, with registered office at Edifício Heron Castilho, Rua Braamcamp, 40 – 5 E, 1250-050 Lisboa (“BMA”), processes personal data in the course of its business.

BMA processes personal data in compliance with Regulation (EU) 2016/679 of 27 April (General Data Protection Regulation – GDPR) and with Law No. 58/2019 of 8 August, which ensures the implementation of the GDPR in Portugal.

The protection of personal data is a core commitment of BMA and forms an integral part of its organisational culture. This commitment is reflected in the implementation of appropriate technical and organisational measures, the application of the principles of privacy by design and privacy by default, and the promotion of responsible, secure and transparent information processing practices.

This Policy applies solely to personal data processed by BMA in the context of its activities. It does not extend to third-party websites, platforms or services, even where these are accessible through the BMA website, and BMA assumes no responsibility for the processing of personal data carried out by such entities.

Concepts Related to the Processing of Personal Data

For the purposes of this Policy, the concepts set out in the GDPR shall apply, namely:

  1. Personal data: information relating to an identified or identifiable natural person.
  2. Common personal data: data that do not fall within special categories, including identification, contact, professional, financial, image and browsing data, among others.
  3. Special categories of personal data: data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation.
  4. Processing: any operation performed on personal data, whether or not by automated means.
  5. Data controller: body which determines the purposes and means of data processing.
  6. Data processor: body which processes personal data on behalf of the data controller.
  7. Personal data breach: a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
  8. Data Protection Impact Assessment (DPIA): a procedure designed to assess and mitigate high risks to the rights and freedoms of data subjects.

Principles Relating to the Processing of Personal Data

The processing of personal data by BMA is carried out in full compliance with the principles established in the GDPR, namely:

  1. lawfulness, fairness and transparency;
  2. purpose limitation;
  3. data minimisation;
  4. accuracy;
  5. storage limitation;
  6. integrity and confidentiality;
  7. accountability.

Data Controller

The controller responsible for the processing of personal data is:

BMA – Baptista, Monteverde & Associados – Sociedade de Advogados, SP, RL
NIPC: 508690820; Address: Edifício Heron Castilho, Rua Braamcamp, 40 – 5 E, 1250-050 Lisboa; Data Protection Contact: [email protected]

BMA determines the purposes and means of the processing of personal data and ensures compliance with applicable legislation throughout all stages of the data lifecycle.
 

Collection of Personal Data

BMA collects and processes personal data solely where this is necessary, proportionate and supported by an appropriate legal ground, in particular in the following contexts:

  1. provision of legal services and case management;
  2. recruitment, selection and human resources management;
  3. management of contractual relationships with clients, suppliers and partners;
  4. institutional communications, marketing activities and event organisation;
  5. judicial and extrajudicial debt recovery and claims;
  6. use of IT systems, access control and security measures;
  7. compliance with legal, regulatory and ethical obligations;
  8. website browsing, through the use of cookies.

Where applicable, data subjects are provided with the relevant information at the time their personal data is collected.

Categories of Personal Data

BMA processes, in particular:

Common personal data, including identification and contact details, professional and academic information, financial and banking information, image and sound data, communication and interaction records, authentication credentials, access logs and browsing data, as well as identification, contact and access log data of visitors to BMA’s premises and identification and contact details of third parties provided by employees or other persons associated with BMA, such as emergency contacts, for the purposes of security, access control, emergency management and the protection of persons and property.

Special categories of personal data, where legally permitted and strictly necessary, including data concerning health and data relating to criminal convictions and offences, always subject to enhanced protection measures.

Categories of Data Subjects

BMA processes personal data from:

  1. employees;
  2. representatives and employees of clients, suppliers and partners;
  3. counterparties, witnesses and other parties involved in proceedings;
  4. users of the website and digital platforms;
  5. participants in events and initiatives organised by BMA;
  6. third parties whose data is provided to BMA by others, such as emergency contacts indicated by employees;
  7. visitors to BMA’s premises and other individuals who interact with BMA in an institutional or professional capacity, including on an occasional basis.

Purposes of Processing

Personal data is processed by BMA solely for legitimate, specific and clearly defined purposes, in accordance with the principles of purpose limitation and proportionality. Such data is not used for purposes other than those for which it was collected, unless otherwise permitted by law.

In particular, personal data may be processed for the following purposes:

  1. management and provision of legal services;
  2. recruitment, selection and human resources management;
  3. administrative, financial and accounting management;
  4. management of information systems, physical and logical security, and control of access to BMA’s premises and systems;
  5. management of emergency situations and safeguarding the vital interests of employees, visitors or other individuals present at BMA’s premises;
  6. institutional communications, organisation of events, marketing activities and submissions to legal directories;
  7. debt collection, credit recovery and management of judicial and extrajudicial disputes;
  8. compliance with legal, regulatory, tax and ethical obligations;
  9. management of personal data protection and regulatory compliance.

In certain circumstances, particularly in the context of institutional communications, newsletters, event invitations and other interactions arising from a prior professional or institutional relationship, the processing of personal data may be based on BMA’s legitimate interests, without prejudice to the data subject’s right to object.

Legal Grounds for Processing

The processing of personal data by BMA is based, depending on the nature of the data concerned and the purposes pursued, on one of the legal grounds set out in the GDPR, namely:

  1. the consent of the data subject, when required by law, which must be freely given, specific, informed and unambiguous, and may be withdrawn at any time, without prejudice to the lawfulness of the processing carried out up to that point;
  2. the performance of a contract to which the data subject is a party, or the implementation of pre-contractual measures at the request of the data subject;
  3. compliance with a legal obligation to which BMA is subject;
  4. the pursuit of the legitimate interests of BMA or of third parties, provided that such interests are not overridden by the data subject’s fundamental rights and freedoms, following the appropriate balancing assessment.

Where the processing of personal data is based on the legitimate interests of BMA or of third parties, a prior assessment is conducted. This assessment takes into account the nature of the relationship with the data subject, the reasonable expectations of the data subject regarding the processing, the proportionality of the processing and the existence of adequate measures to safeguard their fundamental rights and freedoms.

Retention of Personal Data

The retention of personal data is determined in accordance with the purposes of the processing, applicable legal grounds and BMA’s legal and ethical obligations. In particular, the following retention periods apply:

  1. Legal services: for the duration of the mandate and for an additional period of 20 years thereafter, taking into account applicable limitation periods, ethical obligations, archiving requirements and the need to exercise or defend rights in legal proceedings.
  2. Institutional communications and marketing: for as long as a valid legal ground for processing exists. The storage and use of data for this purpose will cease where the data subject exercises their right to object or withdraws consent, where applicable.
  3. Events: for a maximum period of 3 years after participation or last contact, for the purposes of management, subsequent communication and analysis of institutional initiatives.
  4. Compliance: for up to 8 years, in order to ensure compliance with legal, regulatory and internal control obligations, including reporting and audit requirements.
  5. Billing and accounting: for up to 10 years, in compliance with applicable legal and tax obligations.
  6. Legal directories: for up to 1 year after submission of information, for the purposes of monitoring, updating or validating the content submitted.
  7. Human resources: for up to 3 years after the termination of the professional relationship, for compliance with legal obligations, administrative management and possible defence of rights.
  8. Collections and litigation: until the final resolution of the matter or full payment of the amounts due, including any enforcement or appeal stages.
  9. Recruitment: for up to 1 year after the conclusion of the selection process, for the purpose of potential consideration in future opportunities, unless the candidate objects.
  10. Contact requests: for up to 3 years after completion of the request, for follow-up purposes, responding to subsequent contacts, or managing institutional relationships.
  11. Cookies and browsing: for up to 1 year, depending on the nature and purpose of the cookies used, in accordance with the applicable Cookie Policy.
  12. Visitor registration and physical access control: for up to 6 months after registration, unless retention is required for the investigation of incidents or for the exercise or defence of rights in legal proceedings, in which case the data may be retained until the matter is definitively resolved.
  13. Protection of persons and property (including security records and, where applicable, video surveillance systems): for the legally applicable period or, in the absence of a specific legal provision, for up to 1 year, for security purposes, incident prevention and investigation.

At the end of the applicable period, the data is securely deleted or anonymised.

Sharing of Personal Data

BMA may share personal data, where necessary, with professional advisers, experts, arbitrators, mediators, courts, public authorities, regulatory bodies, registries, insurers, technology service providers, document storage providers, IT support providers, translation service providers, secure confidential waste disposal providers, as well as other entities involved in the provision of legal services or in the fulfilment of legal obligations.

Data sharing is carried out in accordance with the law and subject to the implementation of appropriate safeguards to ensure the protection of personal data. The above list is not exhaustive.

Data Protection Agreements

Where BMA engages processors, it ensures that they provide sufficient guarantees of security and confidentiality through written agreements governing their responsibilities, security measures, and notification duties.

International Transfers of Personal Data

Where personal data is transferred outside the European Economic Area, BMA implements appropriate safeguards, including the standard contractual clauses approved by the European Commission, in order to ensure a level of protection equivalent to that required by the GDPR.

Data Subject Rights

Under the terms and for the purposes of the General Data Protection Regulation, data subjects are entitled, where applicable, to exercise the rights of access, rectification, erasure, restriction of processing, objection and data portability, as well as the right not to be subject to a decision based solely on automated processing, including profiling.

As a rule, these rights may be exercised free of charge at any time by contacting [email protected]

BMA undertakes to respond to requests submitted by data subjects within a maximum period of one month from receipt, without prejudice to the possibility of extending this period, in accordance with the law, taking into account the complexity and number of requests received.

Data subjects have the right to object at any time to the processing of their personal data based on BMA’s legitimate interest, including processing for institutional communications or newsletters. Processing for these purposes will cease after this right is exercised, unless there are compelling and legitimate reasons that prevail.

Information to Data Subjects

BMA ensures compliance with the information obligations set out in the General Data Protection Regulation by providing data subjects with all legally required information regarding the processing of their personal data in a transparent, clear and accessible manner. This includes, in particular, the respective purposes, the applicable legal grounds, the retention periods, their rights and relevant contact details, without prejudice to the exceptions provided for by law.

Record of Processing Activities

BMA maintains a Record of Processing Activities, in accordance with Article 30 of the GDPR. This record is kept up to date and subject to periodic review, and documents, in particular, the purposes of processing, categories of personal data and data subjects, legal grounds, recipients, international transfers, retention periods and security measures.

Security of Personal Data Processing

BMA implements appropriate technical and organisational measures to ensure the confidentiality, integrity, availability and resilience of systems and personal data. These measures involve management and all employees and are aligned with BMA’s internal information security policies.

Data Protection Impact Assessments

Where processing is likely to result in a high risk to the rights and freedoms of data subjects, BMA carries out a prior Data Protection Impact Assessment, which is reviewed whenever relevant changes occur.

Personal Data Breaches

BMA has internal procedures in place for the detection, management and reporting of personal data breaches. These procedures include notification to the Portuguese Data Protection Authority within the applicable legal timeframe and communication to data subjects whenever there is a high risk.

Complaints

Without prejudice to any other administrative or judicial remedy, data subjects have the right to lodge a complaint with the competent supervisory authority, the Portuguese Data Protection Authority (CNPD), in accordance with the General Data Protection Regulation and applicable legislation.

Supervisory Authority

Comissão Nacional de Proteção de Dados (CNPD)
Av. D. Carlos I, 134, 1.º, 1200-651 Lisboa
Telephone: (+351) 213 928 400
Email: [email protected]

Changes to the Policy

BMA may update this Policy at any time. Any relevant changes will be communicated through the website or by other appropriate means.

Date of last update: 2025
