TCB | TRANSPORTES COLECTIVOS DO BARREIRO | SEMPRE PRESENTES, NO FUTURO DA MOBILIDADE

Privacy Policy

Commitment of Barreiro Public Transport

Barreiro Public Transport (TCB), as a public sector entity, clearly understands its role in society and the need to establish citizen trust in public services provided by the State, both nationally and locally.

Legislation imposes privacy obligations, committing TCB to using personal data for clearly identified purposes and in accordance with data protection principles. The confidentiality and integrity of personal data are among TCB’s main concerns.

This Privacy Policy establishes how TCB uses the personal data collected for the personalization of our users’ cards, and is composed of the following sections:

Who is responsible for data processing?

Within the scope of its activities and responsibilities, TCB is responsible for the collection and processing of personal data, which is processed and stored in both automated and non-automated ways.

TCB can be contacted in the following ways:

• Address: Rua dos Resistentes Antifascistas, 2830-523 Barreiro
• Telephone: 212068787

Who is the Data Protection Officer?

The Data Protection Officer can be contacted via email at dpo@tcbarreiro.pt.

The Data Protection Officer is responsible, in particular, for monitoring the compliance of activities involving the processing of personal data with applicable legal and regulatory standards, and is also the point of contact between TCB and the National Supervisory Authority, as well as between TCB and its users on matters relating to the processing of personal data.

What is personal data?

Personal data is all information of any nature, collected by any means, relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified by reference to an identifier (such as an identification number or location data).

In what context do we collect personal data?

Given the nature of the activities carried out by TCB, user data is collected for the purpose of entering into transport contracts, including data from children and particularly vulnerable individuals, to whom we pay special attention regarding the processing of their data. This data is collected through a specific document in physical format and entered into a restricted access computer platform.

We also collect personal data from:

• TCB employees;
• Partners and their collaborators;
• Service providers and their collaborators;
• Candidates for work at TCB and/or professional internships;
• Participants in events promoted by TCB (e.g., seminars and training).

What personal data do we process and how do we collect it?

TCB only collects data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.

Data collection can be done in writing (namely through the completion of forms and questionnaires), as well as through access to online surveys. In general, the data is obtained directly.

For the execution of the different purposes, it may be necessary to collect the following types of personal data:

• Identification data (such as name, age, gender);
• Contact data (such as mobile phone number, address/residence or email);
• Educational and professional status data (such as level of education, professional status and CV);
• Location data (such as IP address);
• Data characterizing mobility on a reference day (start and end point(s) of the trip(s), start and end times, modes of transport used, reason(s) for travel, reasons for choosing the mode(s), parking modalities, transport tickets, etc.)
  Images from event recordings or videoconferences, when consented to.

As a rule, TCBs do not collect special data, such as health data or information relating to criminal offenses or infractions, being especially attentive when such collection is necessary, particularly for compliance with applicable legislation.

Why and on what basis are personal data used?

All data collected and processed by TCBs are based on one of the following conditions of legitimacy:

Consent:

Collection is preceded by express, specific and informed consent, through written media. Consent is obtained, for example, for purposes related to conducting interviews or surveys, for subscribing to newsletters or for registering for actions promoted by TCBs.

Execution of a contract or pre-contractual due diligence:

when processing is necessary for the execution of a contract to which you are a party or for pre-contractual due diligence. This condition is met when the data is processed for the purposes of public tenders, the signing of financing and cooperation protocols, or the formalization of supply and service contracts.

Compliance with legal obligations:

when processing is necessary for compliance with a legal obligation. This includes, for example, the communication of data to other public (national and community), tax, or judicial bodies.

Legitimate interest:

when processing is necessary for the pursuit of legitimate interests of the entity responsible for processing or of third parties, without prejudice to the rights and freedoms of its clients and/or users.

For what purpose is data collected?

• The personal data collected by TCBs is processed only for specific, explicit, and legitimate purposes. Whenever personal data is collected, it is intended exclusively for the purposes expressly identified at the time of collection. The main purposes that justify the collection of personal data by TCBs are the following:
• Collection of information about personal characteristics, considering only the information necessary to fulfill the objectives of the project; Contracting of supply and service agreements;
• Distribution of newsletters/publications;
  Information regarding the service provided.

How is the security of personal data guaranteed?

A variety of security measures, including encryption and authentication tools, are implemented to help protect and maintain the security, integrity, and availability of personal data.

Although data transmission over the internet or website cannot guarantee complete security against intrusions, both TCB and its service providers and business partners are making every effort to implement and maintain physical, electronic, and procedural security measures designed to protect your personal data in accordance with applicable data protection requirements. Among others, the following are being implemented:

• Restricted access to personal data based on the “need to know” criterion and only within the scope of the communicated purposes;
• Protection of information technology systems through firewalls, in order to prevent unauthorized access to your personal data;
• Continuous monitoring of access to information technology systems to prevent, detect, and impede the misuse of personal data.
• Personal data is stored on protected servers, both owned by TCB and those of service providers, and is accessed and used exclusively in accordance with the policies and standards of TCB or the service providers.
• Furthermore, third-party entities that, within the scope of service provision, process personal data on behalf of and for TCB, are obligated to implement appropriate technical and security measures that, at any given time, meet the requirements of current legislation and ensure the protection of the data subject’s rights.

What is the retention period for personal data?

TCB processes and retains personal data only for the period necessary to achieve or complete the purposes of the processing for which it is intended, respecting the maximum periods necessary to comply with contractual, legal, or regulatory obligations.

As a general rule, and when there is a contract that legitimizes the processing of data, TCB will retain such data for as long as that contractual relationship is maintained.

Other circumstances exist, such as compliance with legal or regulatory obligations (for example, for tax purposes, personal data relating to invoicing must be kept for a minimum period of ten years from the date of the transaction), as well as pending legal proceedings, which may justify keeping your data for a longer period. Once the retention period has ended, TCB will delete the data.

Personal data collected in interviews, focus groups, workshops, or surveys will be irreversibly anonymized (the anonymized data may be retained) or securely destroyed one month after the completion of the project in which it was collected. A project is considered completed when it is approved by the client.

Regarding customer support and marketing purposes, personal data will be retained until explicit information is received indicating the withdrawal of your consent.

What are the rights of data subjects?

Under current legislation, from the moment TCB collects and processes personal data, there is a set of rights that can be exercised at any time with TCB.

Right of access:

The right to obtain information regarding the processing of data.

Right to your data and its characteristics (namely the type of data, the purpose of the processing, to whom your data may be communicated, retention periods, and which data you must provide mandatorily or optionally).

Right to rectification:

Right that allows you to request the rectification of data, requiring that it be accurate and up-to-date, for example, when you consider that it is incomplete or outdated.

Right to erasure or “to be forgotten”:

Right that allows you to request the deletion of data when you consider that there are no valid grounds for retaining the data and provided that there is no other valid ground that legitimizes such processing (such as the execution of a contract or compliance with a legal or regulatory obligation).

Right to restriction of processing:

Right that allows you to suspend processing or limit processing to certain categories of data or purposes.

Right to object: Right that allows you to object to certain purposes, provided that there are no legitimate interests that prevail over individual interests. One example of this right concerns the objection to direct marketing purposes.

All the rights described above may be exercised, with the limitations provided for in applicable legislation, by means of a written request, to be sent via email to dpo@tcbarreiro.pt.

Similarly, questions related to the processing of your data may be sent directly to the Data Protection Officer at the same email address. A complaint may also be filed with the National Supervisory Authority, the National Data Protection Commission.

With whom do we share your personal data?

In accordance with TCB’s responsibilities, and depending on the respective purpose, data may be shared with third-party entities, such as national and international public bodies and private entities, for the purpose of fulfilling legal or regulatory obligations, contractual obligations, or functions of public interest.

Data may also be shared with TCB service providers deemed necessary for the execution of the purposes described above, especially with regard to information collection services. TCB guarantees that it only uses service providers that offer assurances of implementing the necessary and appropriate technical and organizational measures to protect personal data and that explicitly agree to comply with the standards imposed by TCB.

Legislation

The processing of personal data carried out by TCB, as well as the sending of commercial communications by electronic means, complies with current national and European legislation, in particular the General Data Protection Regulation.

Changes to this Privacy Policy

This Privacy Policy may be revised.