Close
    • Home
    • Privacy Policy

    Privacy Policy

    PRIVACY POLICY

    This Privacy Policy applies to all Processing of Personal Data by GRUPO ALVES BANDEIRA S.A. or by any company within its group (hereinafter referred to as "GAB”).


    1.Our Privacy Commitment

    GAB and the Companies that form part of it conduct their activities with transparency and security in the processing of personal data. This commitment extends to the day-to-day relationship with all visitors to its websites, with the privacy and security of the data entrusted to us being a priority.

    It is our commitment to only collect, store, process, transmit or delete personal data when using our Services and/or browsing our website, with transparency and ensuring that such personal data is essential to provide the best services.

    We inform you how we use your personal data and for what purposes, with the assurance that we collect, share and store such data in accordance with best practices in the field of security and personal data protection.

    When your personal data is collected, stored, processed, transmitted or deleted by other entities, we require the same level of privacy and security.

    Should you have any questions regarding how we use your personal data, we shall be available to clarify through the following means:

    Postal Address: C/O Data Protection Officer (DPO) Ana Sousa - Zona Industrial da Pedrulha, Lote 12, 3050-183 Casal Comba, Mealhada

    Telephone: 231 244 200

    You may also contact our "DPO” (Data Protection Officer) via the following e-mail address: rgpd@a-bandeira.pt


    2.Who Is Responsible for Your Personal Data:

    GRUPO ALVES BANDEIRA S.A., with registered office at Zona Industrial da Pedrulha, Lote 12, 3050-183 Casal Comba, Mealhada, registered at the Commercial Registry Office under collective identification number (NIPC) 509.654.185, hereinafter referred to as ‘GAB’, is the Controller responsible for the Processing of your Personal Data, in accordance with the General Data Protection Regulation and supplementary legislation on personal data protection in force in the countries where it operates.

    With regard to subparagraph V of Point 4, the companies identified in Annex I are joint controllers for the processing of your Personal Data.


    3.Personal Data and data subjects: when do we collect personal data and what type of personal data do we collect?


    What are Personal Data?

    Personal Data means any information, of any nature and in any format, relating to an identified or identifiable natural person. A person is deemed identifiable if they can be identified directly or indirectly, for example through their name, identification number, location data, electronic identifier or other elements that enable the identification of that natural person.


    Who Are the Data Subjects?

    The Stakeholder(1), a natural person to whom the data relates and who has used the products or services of GAB or any company within its group, and who has provided personal data through completing forms available on the websites, interactions or transactions with us.

    (1)A GAB stakeholder shall be considered a contact with whom a contract has been entered into for the supply of a good or service. Contacts who may be the target of advertising campaigns, promotional offers, invitations to commercial, informational, sporting or recreational events, promotions, competitions, prize draws, commercial information about energy solutions, mobility, insurance, loyalty programmes, payment methods and services or third-party telecommunications, through different channels, are also considered within this group.

    Also within this scope, GAB informs that it equally protects personal data and respects the rights of these stakeholders.


    When do we collect your personal data?

    We collect personal data with your consent or within the scope of commercial relationships established with GAB or any Business Unit belonging to it.

    The collection may be carried out orally, in writing or through the GAB website or the website of any Business Unit mentioned in Annex I (where applicable).


    What type of Personal Data do we collect?

      • Identification data – Natural persons, Legal persons (clients, suppliers, partners, users): address and contact data (e.g.: name, company, address, telephone, mobile phone, e-mail, role, etc.);
      • Identification data, contact data and behavioural data of the User;


    4.For what purposes, on what legal basis and for how long do we process your Personal Data?

    Your Personal Data is processed only for the period necessary to fulfil the purposes that motivated its collection and retention or, as applicable, until you exercise your right to object, right to be forgotten or withdraw your consent.

    There are cases in which the law requires the processing and retention of data for a minimum period of time, namely for 10 years for data required for reporting to the Tax Authority for accounting or tax purposes or data relating to commercial transactions, as well as for 7 years for the purpose of combating money laundering and the financing of terrorism.

    GAB or any other Business Unit forming part thereof shall process and retain your personal data for the period during which a contractual relationship is maintained with you.

    With regard to video surveillance of its premises, GAB or any other company within the group that uses this type of system shall only retain image recordings and respective personal data for a maximum period of 30 days.

    GAB or any other company within the group may retain other personal data for periods exceeding the duration of the contractual relationship, whether based on your consent, to safeguard rights or duties related to the contract, or because it has legitimate interests that justify it, but always for the period strictly necessary to fulfil the respective purposes and in accordance with the guidelines and decisions of the CNPD.

    After the respective retention period has elapsed, GAB shall delete or anonymise the data whenever such data need not be retained for any subsisting purpose.

    Examples of purposes:

    I. Marketing and Sales: Marketing or sale of new products and/or services; Analysis of consumption profiles; Adaptation and development of new products and/or services; Advertising campaigns; Promotional offers; Invitations to commercial, informational, sporting or recreational events; Promotions, Competitions, Prize draws, Commercial information about energy solutions, mobility, insurance; Loyalty programmes.

    II. Institutional Communication: Dissemination of institutional information about GAB and its respective Business Units – Educational initiatives / awareness campaigns regarding the sector, activity, products or brand recognition.

    III. Client Management and Service Provision: Management of contacts, information or requests, complaints management, invoicing management, collection and payments, communications within the scope of the contractual relationship.

    IV. Fulfilment of communication and brand actions and projects.

    V. Application Management: Unsolicited applications or applications for a specific role: within the scope of these applications, the companies identified in Annex I are joint controllers for the processing of your Personal Data, and the specific information for this processing activity shall be provided at the time of creation of the Recruitment and Selection process.

    VI. Sending informational and direct marketing communications, generic or personalised, the latter of which may be based on the user profile, via e-mail.

    VII. Implementation of partnership actions within the scope of Corporate Social Responsibility.

    VIII. Compliance with regulatory reporting duties, financial and tax information, including the submission of information to the Tax Authority.

    IX. Litigation management: Judicial and extrajudicial debt recovery; management of other disputes.

    X. Physical security control: Video surveillance of premises.

    XI. Fleet Management: geolocation for optimisation of routes and vehicle consumption.

    When a legal or contractual obligation must be fulfilled, failure to provide personal data may result in non-compliance with the obligation in question.


    5.With whom may we share your Personal Data?

    In some cases, we may disclose your personal data to other companies within the Grupo Alves Bandeira. In such cases, we ensure that adequate security measures are in place to protect your Personal Data.

    When required by law, we may have to disclose your personal data to authorities or third parties, in which case our control over how your personal data is protected is limited.

    In addition to the above, in seeking to provide our services, namely in services related to cloud-based information systems (cloud services), information security management or when our partners’ subcontractors need to access personal data in specific circumstances, we may rely on the support of partners located or headquartered outside the European Economic Area ("third countries”), e.g. the USA or the United Kingdom. In such cases, GAB shall ensure that data transfers are carried out in strict compliance with applicable regulations.

    As we recognise that in these situations the level of protection of your personal data may vary in relation to that guaranteed by the General Data Protection Regulation of the European Union, before any transfer, we undertake to adopt appropriate technical and organisational measures to ensure a high standard of protection and security of your personal data, in accordance with the said Regulation, giving preference to third countries with an adequacy decision adopted by the Commission.


    6.What are your rights?

      • Right to information: request additional information about how we use your personal data;
      • Right of Access: access or request access to the personal data you have provided to us;
      • Right to Portability: request the transfer of the personal data you have provided to us;
      • Right to Rectification: request the correction or updating of your personal data;
      • Right to Erasure: request the erasure of your personal data, where permitted by law or the contract;
      • Right to Restriction: request the restriction of the way we use your personal data, whilst we correct or clarify any queries regarding their content or our use thereof;
      • Right to Object: we provide a channel so that you may challenge decisions that have been based on your personal data.
      • Right to lodge a complaint: right to file a complaint with the supervisory authority, the CNPD, in addition to the company or the DPO.

     

    You also have the right to withdraw or amend, at any time, the consent you have given us to use your personal data, when the processing is based on consent. Therefore, should you wish to stop receiving the communications referred to in point 4, subparagraph VI, you may send an e-mail to rgpd@a-bandeira.pt, or click "unsubscribe” in each communication.

    The exercise of these rights may be restricted when your personal data is used to safeguard the public interest, namely in cases of crime detection and prevention, or when such data is subject to professional secrecy.

    To exercise your rights regarding data protection, or should you have any questions about how we use your personal data, you should contact our DPO (Data Protection Officer), the legal department dedicated to data protection, through the following channels:

    - Postal Address: Zona Industrial da Pedrulha, Lote 12, 3050-183 Casal Comba, Mealhada

    - E-mail address: rgpd@a-bandeira.pt.

    You may also contact our Data Protection Officer ("DPO”) at the same postal address and via the e-mail address rgpd@a-bandeira.pt

    Should you be dissatisfied with the way we use your personal data or with our response to your request to exercise your rights, you may file a complaint with the Comissão Nacional de Proteção de Dados (CNPD):

    ·       Address: AV. D. Carlos I, 134, 1st floor, 1200-651 Lisbon

    ·       Telephone: +351213928400

    ·       Fax: +351213976832

    ·       E-mail address: geral@cnpd.pt


    7.How do we protect your Personal Data?

    We have a variety of information security measures in place, aligned with national and international best practices, in order to protect your personal data, including technological controls, administrative, technical, physical measures and procedures that ensure the protection of your personal data, preventing its misuse, unauthorised access and disclosure, loss, improper or inadvertent alteration, or unauthorised destruction. We assume the same commitment to continuous improvement in information security as we uphold in our daily activities.

    Among others, we highlight the following measures:

      •  Restricted access to your personal data only by those who need it for the purposes set out above;
      • Storage and transfer of personal data only in a secure manner;
      • Protection of information systems to prevent unauthorised access to your personal data;
      • Implementation of mechanisms that ensure the safeguarding of the integrity and confidentiality of your personal data;
      • Monitoring and control of the level of compliance with the GDPR and of our information systems, with the aim of preventing, detecting and impeding the misuse of your personal data;
      • Conducting audits focused on compliance with the privacy policy, giving priority to those that represent a significant risk to the rights and freedoms of data subjects and to GAB, based on the risk classification of processes;
      • Redundancy of personal data storage, processing and communication equipment, to prevent loss of availability;
      • Updates to this Privacy Policy


    8.May we amend the terms of this Privacy Policy?

    This Privacy Policy may be updated at any time. Whenever any amendment is made, we shall update it with a new effective date. Amendments shall not be applied retroactively and shall come into effect from the date of publication. We recommend that you regularly consult the Privacy Policy published on our websites.


    9.What are your responsibilities?

    You are responsible for all data you provide to us, for its truthfulness, accuracy, validity, currency and authenticity, as well as for the consent you grant us for your data to be used/processed.

    You are also responsible for the data of third parties that you provide to us and, in respect of such data, you undertake to obtain their consent and to make available to them the information we normally provide to our users for any data processing, as well as our Privacy Policy.

    This Policy values the trust placed in it and respects the privacy of visitors to its websites, digital platforms, online services, Social Networks (Facebook, Instagram, LinkedIn, Twitter, etc.), digital channels, applications or any other website/digital environment.


    You may download our Newsletter on the Privacy Policy of ‘GAB’ here.

    Last updated: 23 January 2026