---

Prolacto Lacticínios de São Miguel S.A. is dedicated to the production of Dairy Products and its Derivatives, and its Policy about Web data protection and privacy is based on:
 
1. Introduction
This Policy has been developed to support Prolacto Lacticínios de São Miguel S.A. (referred to below as “we”, “us” or “our”) data protection compliance activities, prepared following the General Data Protection Regulation (GDPR).

This policy applies to all Staff and Partners of Prolacto and, where identified, Third Parties accessing the firm’s Assets (customers and other).

The terms Privacy, Data Privacy and Data Protection may be used in the same sense, as they refer to the complex set of legal requirements that apply to Personal Data, which is much broader than just Information Security and Confidentiality.  For example, it includes requirements around transparency of data usage and the retention of data.

Adherence to this policy is mandatory to all Staff and Partners and therefore they have an individual responsibility to ensure their personal compliance with this policy and should seek guidance from their team leaders for further clarification if required. Any Staff or Partners found to have violated this policy may be subject to disciplinary action as per the processes included in the Disciplinary Procedure.

2. Data Protection Principles
In the course of our business, we process Personal Data. This may include Personal Data we receive through our service opportunities, our client engagements, from sales activities or from a range of other related and support activities.  The data may be received directly from a Data Subject, for example, in person, via mail, email, telephone or from other sources, including, but not limited to, third parties, joint controllers, technical and non-technical subcontractors and support services.

All Staff and Partners should only collect Personal Data that is relevant and necessary to accomplish a corporate function and responsibility.

Prolacto is committed to adhering to the data protection principles set out by the GDPR, which are:

• Lawfulness, fairness and transparency; this means that we should have a legitimate basis for which we are processing Personal Data, for example a contractual relationship with the Data Subject, or that the processing is necessary for compliance with a legal obligation to which we are subject. It also means that we should inform the Data Subject about the processing in accessible and easy to understand communication.
• Purpose; we should only collect Personal Data for specified, explicit and legitimate purposes and not process the data further than for the purpose for which it was collected.
• Data Minimization; the Personal Data processed should be adequate, relevant and limited to what is necessary in relation to the purposes.
• Accuracy; we have an obligation to ensure that Personal Data is accurate and to keep Personal Data up to date, where required.
• Storage; we should not retain Personal Data for a longer period than what is necessary for the purposes for which it was processed, although we may retain certain data for historical and statistical purposes.
• Integrity and Confidentiality; we should have the right security controls in place to protect against unauthorized and unlawful processing and against accidental loss or destruction of, or damage to, Personal Data.  This includes both technical and organizational measures such as defined processes and training and awareness.
• Lawful transfer to third countries or international organizations; we only transfer Personal Data to third countries or an international organization where the Eu Commission has decided that they ensure an adequate level of protection or otherwise there are appropriate safeguards in place, such as the right contractual framework.
• Data Subject Rights; Data Subjects have a number of rights that we should adhere to, for example the right to access a copy of the data we hold on them, and the right to opt out of sales, which they have previously opted in to.

3. Fair and lawful Processing
Whenever we collect Personal Data, we have a legal basis on which to collect and process the data.  In accordance with GDPR, we are able to identify at least one of the following grounds for processing the Personal Data:

• Consent: The Data Subject has given consent for the data to be processed for one or more specific purposes.
• Contractual:  The processing is necessary for the performance of a contract that the Data Subject is a party to, or is entering into.
• Legal: The processing is necessary to comply with a legal obligation, to which the Data Controller is subject.
• Vital interests: The processing is necessary to protect the vital interests of the Data Subject.
• Public interest: The processing is necessary for the performance of a task carried out in the public interest.
• Legitimate interests: The processing is necessary for the purposes of the legitimate interests of the Data Controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject.

Where we act as a Data Controller, we ensure that we have a legitimate ground to collect and process the Personal Data.
In some cases, we will be acting as a data processor on behalf of our client, in which case it is ultimately the responsibility of our client to ensure they have the correct basis for processing the Personal Data, including the right to share with us. However, we should take steps to ensure that our contract is clear on our own responsibilities in this regard, and that if we are collecting Personal Data directly from Data Subjects on behalf of clients, that we have the grounds to do so legitimately.

Where a Special Category of Data is being processed (see Appendix A for definition), there are a further set of conditions that should be met. 

GDPR requires us to provide the Data Subjects with information about the processing in order to ensure fair and transparent processing.  Wherever we collect Personal Data from Data Subjects, we ensure that we provide appropriate Information on why we require the Information, and how we are going to process it. 

4. Processed for specific purposes only
Whenever we collect and process Personal Data, we ensure that we only use the data for the specific purposes that are communicated to the Data Subject.

Prolacto should never process Personal Data for additional purposes that have not been communicated to the Data Subject. Thus, we be clear as to the purpose of processing and should understand the purpose that our clients may have collected the Personal Data for.

5. Adequate, relevant and non-excessive Processing
When we collect and process Personal Data, we follow the principle of data minimization.  This means that we only collect the minimum Personal Data necessary to do a particular task.
At the same time, we ensure that we have an adequate amount of Personal Data to do a particular task properly.  For example, collect no more than the required and necessary Personal Data to be able to identify them uniquely.

6. Accuracy of Personal Data
We have an obligation to ensure that Personal Data is kept accurate and up to date.  We ensure that we have reasonable processes in place to keep data accurate where required, for example employee Personal Data or existing and prospective client Personal Data held by the relevant areas.
When acting as a Data Processor in relation to a client engagement, we will not be required to put in place mechanisms to keep that data updated; that will be the responsibility of the Data Controller i.e. our client.

7. Retention of Personal Data
Personal Data is not retained longer than required.  This means that we set and apply maximum retention periods to Personal Data that we process, and put in place processes to delete the Personal Data upon expiry of the set retention period. Therefore the following retention periods may apply: (i) as long as is necessary for the relevant activity or services; (ii) any retention period that is required by law; (iii) the end of the period in which litigation or investigations might arise in respect of the services; or (iv) for the minimum period foreseen by contract.

8. Data Subjects Rights
GDPR requires us to inform individuals about the Personal Data we collect and the purposes and means for which it is processed. This Information is given in the form of a ‘Privacy Notice’.

1. Right to Access
   - The Data Subject has the right to ask us the Information that we hold about them, the purpose of the Processing and the categories of Personal Data concerned.
   - We notify the Data Subject with whom we share their Personal Data, particularly if the recipient is in a third country or international organization.
   - Where possible, we define how long we need to retain Personal Data in order to meet its business purposes.
   - We communicate to the Data Subject the existence of their right to object to the processing and to their right to rectification and erasure of Personal Data.
   - We communicate to the Data Subject the existence of their right to complaint to the appropriate Supervisory Authority.
   Where data has been collected from someone other than the Data Subject himself/herself, we communicate the source of that data to the Data Subject.
   - We ensure that we have processes in place to identify and respond to Data Subject access requests without undue delay and no later than one month upon receipt of the request.
2. Right to rectification
   - Data Subjects are entitled to have inaccurate data corrected. Prolacto will endeavour to rectify inaccurate data without undue delay.
3. Right to erasure
   - The Data Subject has the right to erasure (“right to be forgotten”).  We will endeavour to erase data held without undue delay, except where there is legal requirement for the retention of data. 
4. Children’s Rights
   - All individuals, including children, are protected under GDPR. For children below the age of 13, we should not process their Personal Data based on their consent unless this is given or authorized by the person with parental responsibility over the child.
5. Sales
   - We may send to our clients and third parties targeted sales material from time to time to inform them of similar services, future events or other activities that we believe will be of interest to them. We will provide them with an option to opt-out if they no longer wish to be contacted.
   ​- We will also ensure that we have processes in place that ensure that all opt-in preferences are recorded and respected.

9. Security of Data Held 
Prolacto maintains the information secure by protecting the Confidentiality, Integrity and Availability of the Personal Data, defined as follows:

• Confidentiality means that only people who are authorized can access the data.
• Integrity means that Personal Data should be accurate and suitable for the purpose for which it is processed.
• Availability means that authorized users should be able to access the data if they need it for authorized purposes.

10.  Data Disclosure
All Staff and Partners should avoid any inappropriate disclosure of Personal Data and adhere to our general duties in relation to Confidentiality.

We may:

1. Share Personal Data we hold with any Prolacto member firm, provided we have a legitimate basis to do so and no further restrictions are in place.
2. Only disclose Personal Data we hold to third parties under instruction or where we have a legitimate basis to do so and no further restrictions are in place.
3. Disclose Personal Data to third parties in the case where we sell or buy any business or assets, or where we are joint controller.
4. Share Personal Data with a Third Party that is Processing data on our behalf.  This may include transferring data to be processed in a third country.

Personal Data can usually be disclosed:

1. To Employees or agents to enable them to perform their duties as Employees or agents.
2. In instances where failure to do so would be likely to prejudice either the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of any tax or duty.  Prolacto should have reasonable grounds for disclosing the data under this category in order to avoid criminal prosecution. All disclosers should be justified and documented.

For legal purposes data may be disclosed if:

1. Required by statute, by any rule of law, by order of the regulator, supervisory authority or court;
2. Made for the purpose of obtaining legal advice;
3. Made for the purposes of, or in the course of, legal Processing or where it is necessary for defending or establishing legal right; or
4. For the safeguarding of national security.
   
   

11.  Overseas Transfer of Personal Data
We may transfer any Personal Data to a third country or international organization. Personal Data we hold may also be processed by Staff operating in a third country, namely Angola, or work for us or for one of our suppliers.
We will ensure that at least one of the following conditions are applied:

1. The country to which the Personal Data is transferred ensures an adequate level of protection for the Data Subjects' rights and freedoms as per decision of the EU Commission published in the Official Journal of the European Union;
2. Appropriate safeguards have been provided, e.g. standard data protection clauses;
3. The Data Subject has given explicit consent to the transfer after having been informed of the possible risks;
4. The transfer is necessary for one of the reasons set out in GDPR, including the performance of a contract between Prolacto and the Data Subject, or to protect the vital interests of the Data Subject;
5. The transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims

12.  Log information, cookies, and web beacons
PROLACTO website uses cookies to distinguish one user from another. PROLACTO collects standard internet log information including the user’s IP address, browser type and language, access times and referring website addresses. To ensure that our website is well managed and to facilitate improved navigation, we or our service providers may also use cookies (small text files stored in a user’s browser) or web beacons (electronic images that allow our website to count visitors who have accessed a particular page and to access certain cookies) to collect aggregate data.
 
By Prolacto - Lacticínios de São Miguel, S.A.
Lagoa, 16 October, 2018

---