• Controller of your Personal Data
• Principles applicable to the protection of your Personal Data
• Personal Data, Processing of Personal Data and Data Subjects
• Category of Personal Data that TUPI processes
• Purposes of the processing of your Personal Data
• Lawful Bases
• Storage period of your Personal Data
• Sharing of your Personal Data
• International Flows of Personal Data
• Your rights and how you can exercise them
• The Data Protection Officer
• Security of your Personal Data
• Other TUPI Data Protection and Privacy Policies
1) Controller of your Personal Data
The Controller of your Personal Data is the company of the Tupi which provides services and/or supplies products to you, determining to this end, without limitation:
• The Personal Data that have to be processed in the context of providing services and/or sup-plying products;
• The Purposes for which the Personal Data are processed; and,
• The means to be used for the processing of the Personal Data.
2) The Principles applicable to the protection of your Personal Data
The Processing of your Personal Data is carried out according to the general principles enunciated in the General Data Protection Regulation (“GDPR”), namely:
• In the context of the relationship established, TUPI guarantees that your Personal Data will be processed lawfully, fairly and transparently (“Principle of lawfulness, fairness and transparency”);
• TUPI collects your Personal Data for certain explicit and legitimate purposes and does not subsequently process the same Data in a way incompatible with those purposes (“Principle of purpose limitation”);
• TUPI ensures that only Personal Data are processed that are appropriate, relevant and limited to what is strictly necessary for the purposes for which they are processed. (“Principle of data minimisation”);
• TUPI takes appropriate measures so that inaccurate Personal Data, bearing in mind the purposes for which they are processed, are deleted or rectified without delay (“Principle of accuracy”);
• TUPI stores Personal Data in such a way that it allows them to be identified only during the period necessary for the purposes for which they are being processed. (“Storage limitation principle”);
• TUPI ensures that your Personal Data are processed in a way that ensures their security, including protection against unauthorised or unlawful processing and against loss, destruction or accidental damage, adopting all appropriate technical and organisational measures to that end (“Principle of integrity and confidentiality”).
3) Personal Data, Processing of Personal Data and Data Subjects
“Personal Data” are all information and/or elements that, regardless of how they are stored, can identify you or make you identifiable, directly or indirectly, to TUPI, in particular by reference to an identifier, for example a name, an identification number, your location data and/or online identifiers, or to one or more specific elements of your physical, physiological, genetic, mental, economic, cultural or social identity.
“Personal Data Processing” means the operation or set of operations performed on the Personal Data of Data Subjects, via automated or non-automated means, from the gathering of information until its destruction. Within this cycle, among others, are included: recording, organisation, structuring, storage, adaptation or alteration, recovery, consultation, use, disclosure via transmission, dissemination or otherwise making available, comparison or interconnection, limitation, deletion. The concept of Personal Data Processing is quite broad and shall be applicable to all operations or sets of operations performed by TUPI with reference to your Personal Data.
In the context of the activities carried out by TUPI, the “Data Subject” is, without limitation, the customer and/or former customers, potential customers, investors, partners, candidates for a job, employees and ex-employees, employees of partners, suppliers and contractors and their employees, applicants and claimants, visitors and individuals captured in CCTV images and all those individual people that have a relationship with TUPI and who are the subjects of the Personal Data.
4) Category of Personal Data that TUPI processes
In the carrying out of its activities, TUPI processes Personal Data from a significant set of categories of Data Subjects.
The personal data collected by TUPI always depends upon the nature of the interaction, but may include the following:
Category of Personal Data / Personal Data (list of examples)
Identification and contact data:
Name, surname, citizen card number, postal address, landline or mobile phone number, fax number, email address and/or other similar contact information.
Country, gender, age and date of birth, language, general education and professional history, as well as data of general interest about work.
Business data for providing TUPI services and/or products:
Counter reader, universal installation code and delivery point code, data indicated on the invoice, consumption data, payment data, vehicle data, especially the licence plate number and product model, data arising out of information in the context of response to any questions, requests or complaints, data resulting from the collection of opinions, evaluations of TUPI services and/or data associated with information about the subject’s preferences and interests, to the extent that they are related to the products and/or services provided by TUPI.
Tax identification number, credit and/or debit card numbers, security code numbers, payment dates, amounts of debt or payments received and/or other related billing information.
Method of acquisition of or subscription to products and/or services, their transactions, billing history and customer loyalty, within the context of the TUPI services that they use or any other related information.
Data on preferences
Information on the preferences and interests of subjects, insofar as this is related to products and/or services, and on the method via which the subject prefers to receive information.
Data from social networks
Information shared on social networks in the interaction with TUPI, where transparency is ensured through the existence of appropriate privacy policies.
Identification and contact data in control of accesses and/or capturing and recording of images by CCTV devices
Data associated with access such as time of entry and exit, location, person to contact, reason for visit and/or data regarding the vehicle and images captured by the video surveillance system.
Data from the Global Positioning System (GPS) when the user allows services based on location and/or when they opt to provide information related to location during the registration of a product and/or service.
Security credentials data
User ID, passwords, answers to password recovery questions and/or other similar security information needed to authenticate and access TUPI accounts and services.
IT usage data
User ID, functions, rights, session start and finish times, computer name and/or IP address and/or traffic data and content of calls made.
We stress that you will not be required to share your Personal Data with TUPI. Nevertheless, if you choose not to share your personal information, in some cases TUPI may not be able to provide the desired services or supply the desired products, guarantee certain specialised features and/or respond effectively to certain questions that you may have.
5) Purposes of the processing of your Personal Data
The development and performance of various activities pursued by TUPI means the existence of a significant set of specific, explicit and legitimate purposes for the processing of your Personal Data, such as:
Purposes / Purposes of Processing (non-exhaustive list):
Accounting, Tax and Administrative Management
• Customer Management
• Vendor Management
• Administrative Management
• Economic and Accounting Management
Commercial and Marketing Activity
• Contacts Management
• Customer Management for providing TUPI services and/or products
• Customer support
• Online advertising
• Opinion surveys and polls
• Customer loyalty
Definition and Analysis of Profiles
• Definition of profiles
• Dynamic analysis of profiles
• Development of predictive models
• Improvement and innovation in TUPI services and products
• Research and analysis of analytical information
• Proof of contractual relationship
• Monitoring the quality of service
Capture and Recording of Images via CCTV Devices
• Video-surveillance for the security of people and goods
Access Control Management
• Access control for the protection of people and goods
Human Resources Management
• Selection of personnel and recruitment
Electronic Communications Management
• Management of use of websites and mobile applications
• Storing of traffic/location data
Scientific research or analysis of statistical information
• Improvement and innovation in TUPI services and products
• Collections management and credit recovery
• Providing information to judicial, administrative, supervisory and/or regulatory authorities
Compliance with Contractual and/or Legal Obligations
• Transferring Data to Third Parties
• Prevention of fraud and security
6) Lawful Bases
Regarding the “Lawfulness Principle” enshrined in current and future data protection laws, in developing and performing its activities, TUPI only processes your Personal Data when there is a lawful basis that legitimises the processing, namely:
Lawful Bases / What do they consist of?
TUPI will only process your Personal Data if you consent to the respective Processing via a free, specific, informed and explicit declaration of willingness, by which you accept, by a declaration (in writing or orally) or a positive unambiguous act (by filling in an option), that your Personal Data may be the subject of Processing.
Pre-contractual procedures or the execution of a contract
TUPI may process your Personal Data if they are needed, without limitation, for the execution of a contract to provide services and/or supply products to
which it is a party as Contractor, Client, Supplier and/or partner, or in order to carry out pre-contractual procedures for your order.
Compliance with a legal obligation
TUPI may process your Personal Data to ensure and guarantee compliance with legal obligations to which it is subject by the laws of a Member State and/or the European Union.
Defence of vital interests of the Data Subject
TUPI may process your Personal Data to ensure the defence of your vital interests, especially when such Processing is essential to your life.
TUPI, other Controllers or Third Parties, may process your Personal Data provided that this Processing does not prevail over your interests and fundamental rights and freedoms.
7) Storage period of your Personal Data
TUPI stores your Personal Data only for the period of time necessary to execute the specific purposes for which they were collected. However, TUPI may be obliged to store some Personal Data for a longer period, taking into consideration factors such as:
• Legal obligations, under the laws in place, to store Personal Data for a given period;
• Contractual obligations and/or legitimate interest of TUPI;
• Terms of prescription, under the laws in place;
• (possible) Disputes; and,
• Guidelines issued by the competent data protection authorities.
8) Sharing of your Personal Data
Entities with whom TUPI shares your Personal Data / Why we share your Personal Data
Your Personal Data may be shared with companies hired to provide services to TUPI.
Companies hired to provide services are bound to TUPI by written agreement, and may only process your Personal Data for the purposes specifically established and are not authorised to process your Personal Data, directly or indirectly, for any other purpose, for their own advantage or that of third parties.
Other Controllers and/or Third Parties
In compliance with legal and/or contractual obligations, Personal Data may be transmitted to judicial, administrative, regulatory or supervisory authorities, to energy distribution network operators, to third parties with whom TUPI establishes partnerships and also to entities that perform,
lawfully, data-gathering activities, actions to prevent and combat fraud, statistical or market studies.
9) International Flows of Personal Data
TUPI may transfer your Personal Data outside the European Economic Area (“EEA”), to locations that may not guarantee the same level of protection.
However, TUPI only transfers your Personal Data outside the EEA:
• Through binding rules applicable to TUPI (binding corporate rules);
• When the transfer is made to a location or through a method or in circumstances that the European Commission regards as ensuring adequate protection of your Personal Data;
• When it has implemented data protection clauses similar to those adopted by the European Commission or by a competent data protection authority; or,
• When none of the above apply, but, even so, the law authorises this transfer, for example, if it is required for the declaration, exercise or defence of a right in a lawsuit.
You may request detailed information about security measures that TUPI has implemented regarding transfers of Personal Data outside the EEA and, when applicable, a copy of the data protection clauses in force at the TUPI via the email email@example.com.
10) Your rights and how you can exercise them
Rights / What do they consist of?
Right to the provision of information
Right of access
TUPI may refuse to supply the requested information whenever, in order to do so, TUPI has to reveal Personal Data from another person or the information will have a negative impact on the rights of another person.
Right to rectification
If your Data are incorrect or incomplete (for example, if your name or address is wrong), you may ask TUPI to take reasonable measures to correct them.
Right to deletion of data
This right is also known as the “right to be forgotten” and, so put simply, it allows you to request the deletion or elimination of your data, provided that there are no valid grounds for TUPI to continue to use them or their use is illegal. This is not a generic right to deletion, because exceptions are allowed (for example, whenever these data are required for the defence of a right in a judicial process).
Right to restriction of processing
You have the right to “block” or prevent future use of your Data while TUPI evaluates a rectification request or as an alternative to deletion. Provided that the Processing is limited, TUPI continues to be able to store your data, but it cannot use them later. TUPI keeps a list of subjects who have requested the “blocking” of future use of their data to ensure that this limitation is respected.
Right to data portability
You have the right to obtain and reuse certain Personal Data for your own purposes in various organisations. This right applies only to your own Data that you have provided to TUPI and that TUPI processes with your consent and which are processed by automated means.
Right to opposition
You have the right to object to certain types of processing, for reasons related to your particular situation, at any time during which this Processing takes place, for the purposes of TUPI’s or Third Parties’ legitimate interests. TUPI may continue to process these Data if it can prove “overwhelming legitimate reasons for Processing that prevail over your interests, rights and freedoms” or if these Data are necessary for the establishment, exercise or defence of a right in a lawsuit.
Right to submit a complaint
You are entitled to submit a complaint to the competent supervisory authority, namely, the National Data Protection Commission, whenever you believe that the processing of your personal data violates your rights and/or the applicable data protection laws.
You may at any time, in writing, exercise the rights enshrined in the Law on the Protection of Personal Data and other applicable legislation, via the email contact @tupienergy.com.
11) The Data Protection Officer
TUPI has appointed a Data Protection Officer, who assumes a critical role within TUPI in monitoring processing activities of data carried out and in ensuring their respective legal compliance.
The Data Protection Officer has the following functions:
a) Controlling compliance of the processing performed by TUPI with the provisions of current data protection laws and those connected with the issue of personal data protection in the various Member States and/or in the Union;
b) Providing advice to TUPI;
c) Cooperating with the Control Authorities of the respective European Union Member States; and,
d) Establishing a point of contact with the Control Authorities and with the respective data sub-jects about any issues related to data protection matters.
You may at any time, in writing, contact TUPI’s data protection officer for any questions related to the protection of data and your privacy via the email firstname.lastname@example.org.
12) Security of your Personal Data
Your Personal Data will be processed by TUPI, within the context of the purposes identified in this Policy, according to the TUPI Group’s internal policy and standards, and with the assistance of appropriate technical and organisational measures to promote their security and integrity, notably in relation to unauthorised or unlawful processing of your personal data and their loss, destruction or accidental damage.
Without limitation, TUPI uses logical and physical security requirements and measures to ensure the protection of your Personal Data by preventing unauthorised access, it ensures that the storage of the information is carried out on secure computers in a closed and certified information centre, and that the Data are encrypted whenever possible, it implements audit and control procedures to ensure compliance with the security and privacy policies and, periodically, it reviews security policies and procedures to ensure that TUPI’s systems are secure and protected.
However, given that the transmission of information via the internet is not completely secure, TUPI cannot guarantee the security of your Data when transmitted on an open network.
15) Other TUPI Privacy and Data Protection Policies
Without prejudice to applicable law, all alterations will take effect as soon as the Updated Policy is published but, whenever TUPI has already collected Personal Data about you and/or whenever required by law, TUPI may take additional measures to inform you about any material alterations and may ask you to agree to these alterations.