Privacy policy

Privacy Policy

1. Data Processing

Privacy is an important asset and Stemmatters is committed to protecting and safeguarding the right to privacy of personal data, treating it in a lawful, fair and transparent manner.

This privacy policy¹ applies to personal data collected and processed within the scope of Stemmatters' activities. It describes the type of personal data collected and processed and how compliance with legal obligations is ensured.

1 In compliance with EU Regulation 2016/679, of the European Parliament and of the Council, of 27 April 2016 - General Regulation on Data Protection (GDPR) and Law No. 58/2019, of 8 August.

 

2 Treatment Purposes, Legal Basis and Conservation Deadlines

2.1 Purpose of treatment

The personal data collected by Stemmatters may be processed either in the context of managing a contractual relationship or in the context of compliance with legal requirements, with the protection, privacy, security and fundamental freedoms of the holder of the processed personal data being ensured. Treatment will occur only during the period strictly necessary for the pursuit of certain processing purposes, under the terms of the legislation in force. For any clarification or additional information or to exercise rights in this area, contact us via email (dpo.stm[at]stemmatters.com).

The data processing operations carried out by Stemmatters fit into one or more specific purposes, constituting the legitimacy of the consent of the data subject and the processing is considered necessary for (but not limited to):

     - The execution of a contract to which the data subject is a party or for pre-contractual steps at the request of the data subject;

     - Compliance with a legal obligation to which the controller is subject;

     - Effect of legitimate interests pursued by Stemmatters or by third parties;

     - Defense of the vital interests of the data subject or another natural person;

     - Facilitating business communications through e-mailing, calling or communicating with employees of Stemmatters;

     - Providing visitors requesting commercial information about services which may be of interest to them;

     - Posting a question or comment through the website;

     - Consent given on the website if you send a request or query via our contact form;

     - Consent given on the website if you send a request for inclusion in a newsletter or other mailing list;

     - Consent if you have submitted your CV for an application for a future job vacancy at Stemmatters;

     - Other business-related reason.

Thus, the strictly necessary personal data are collected and processed:

     - from potential customers, to carry out pre-contractual procedures, subscription and contract management;

     - for the fulfilment of the legal obligations related to the management of personal accidents in the exercise of functions (medical and health-related information);

     - from members of the governing bodies, for the fulfilment of legal obligations;

     - from workers, to fulfill the legal obligations regarding labor legislation, professional training, Social Security, Social Protection and other contractual obligations;

     - from suppliers and service providers, to ensure compliance with legal and contractual obligations.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

The personal data collected may, eventually, be treated for statistical purposes, for information dissemination or promotional actions and for communication actions, through direct communication, either by correspondence, by email, messages or any other electronic communications service;

The personal data requested is also processed in order to send commercial information about the products and services that Stemmatters currently offers and may offer in the future; this information includes advertising and promotional communications via post, email or any other means. The personal data is only used to the extent permitted by applicable law, including in accordance with your consent where required by applicable law.

However, with prior information and the collection of express authorization for the latter purposes always ensured, holders may, at any time, exercise their right to oppose the use of their personal data for other purposes that go beyond the management of the relationship with Stemmatters.

2.2 Legal Basis

All data processing operations are guided by the fundamental legal principles applicable in the scope of data protection and privacy, namely as regards their circulation, lawfulness, loyalty, transparency, purpose, minimization, conservation, accuracy, integrity and confidentiality, being Stemmatters available to demonstrate its responsibility to the data subject or any other third party that has a legitimate interest in this matter.

2.3 Data Retention Deadlines

Personal data will be kept for as long as necessary for the purposes that motivated its collection or further processing, with a view to ensuring compliance with all applicable legal rules regarding archiving.

The criteria used to determine the period of storage of personal data are the following:

     - as long as the commercial relationship lasts;

     - as long as the person concerned does not request their deletion;

     - according to the legal retention periods. After expiration of that period, the corresponding data will be deleted, as long as it is no longer necessary for the fulfilment of the contract or the start of a new contract or required as part of the Stemmatters´ services.

 

3 Exercise of Rights

Under the terms of the applicable legislation, the data subject is guaranteed the right to access, rectify and update his personal data, as well as the right to oppose the treatment, portability and forgetfulness, whenever the exercise of these rights is not incompatible with compliance of the stated purposes and with the legal obligations of maintenance and conservation of the data.

To exercise these rights, the data subject must address a request to Stemmatters via email to dpo.stm[at]stemmatters.com or in writing requesting their rights from the Stemmatters Data Protection Officer. The request will be analysed and answered within 30 (thirty) days from the submission of the request.

In any case, if the data subject considers that Stemmatters has not secured the rights it has under the terms of the applicable data protection legislation, a complaint can be filed to the National Data Protection Commission (CNPD), as Control Authority, using the contacts made available on the website www.cnpd.pt by this entity.

3.1 Rights of subjects of personal data:

Right of access to data: right to obtain confirmation of what personal data are processed and information about them, such as, what are the purposes of the treatment, which are the storage periods, among others.

Right of rectification: right to request rectification of personal data that are inaccurate or to request that incomplete personal data be completed, such as the address, tax number, e-mail address, telephone contacts, or others .

Right to erase data or “right to be forgotten”: right to obtain the erasure of personal data, provided that there are no valid grounds for its conservation, such as, for example, cases in which Stemmatters has to keep the data to comply a legal preservation obligation for the investigation, detection and prosecution of crimes or because a judicial process is ongoing.

Right to portability: right to receive, in digital format, the data provided to Stemmatters, or to request the direct transmission of your data to another entity.

Right to withdraw consent or Right to oppose: right to oppose or withdraw consent, at any time, to a data processing, as long as there are no legitimate interests that prevail over those interests, rights and freedoms, such as defense of a right in a judicial process.

Right of limitation: the right to request the limitation of the processing of personal data, in the form of: (i) suspension of processing or (ii) limiting the scope of processing to certain categories of data or processing purposes.

Right to information: right to be previously informed about the purpose for which the personal data collected is intended and about the terms under which they will be treated.

Right to notification in case of breach of security: right to be informed of the occurrence of breach of your personal data, due to breach of security.

The exercise of the aforementioned rights may be limited due to the existence of rights and freedoms of third parties, legal or confidentiality obligations and legitimate interests prevailing from Stemmatters or third parties, under the terms of the Law in force.

 

4 Data Communication

Stemmatters will be able to transmit the data it treats to subcontracted entities, only for the execution of clearly described purposes, during the period strictly necessary for the same pursuit, subjecting the entities with which it contracts to the obligations of secrecy, confidentiality and security in the treatment, arising from this information, making sure that all of its workers, service providers and suppliers are aware of being obliged to scrupulously comply with such obligations.

The availability of personal data to third parties, which are not covered in the paragraph above, depends on the prior obtaining of the consent from the data subject, in a free, specific, informed, unequivocal, express and revocable manner, and will be carried out in the strict terms detailed in the applicable laws and regulations, or even when the transmission is carried out within the scope of the fulfilment of a legal obligation, a decision of the authorities, a court order, to protect the vital interests of the data subjects or any other legitimate purpose provided for by law.

In cases where the transmission of personal data, to the aforementioned entities, involves an international transfer of personal data (ie, outside the European Union), Stemmatters (i) will carry out this transfer based on the European Commission's suitability decision, under which the country or international organization concerned guarantees a level of protection of personal data, equivalent to that deriving from European Union legislation; or, (ii) if there is no Commission adequacy decision, it will ensure that such data transfers are carried out in strict compliance with legal provisions and that adequate guarantees are implemented to ensure the protection of personal data.

 

5 Security Measures

Stemmatters is committed to developing its best efforts to put in place the appropriate technical and organizational measures to protect the personal data of the respective holders against unauthorized access. For this purpose, it uses security systems, rules and other procedures in order to prevent its accidental or unlawful destruction, accidental loss, alteration, dissemination or unauthorized access.

Access to information was restricted to people who, internally, need this information for the purpose of processing specific functions that are assigned to them or that are within their competence. These people are subject to specific obligations of contractual confidentiality, and may be subject to condemnation for the practice of crimes, as well as disciplinary proceedings and / or contractual termination or loss of mandate, in case of non-compliance with these obligations.

Procedures for recording, maintaining and storing evidence of all actions for the collection and processing of personal data were implemented: signed consents from data subjects, provision of information to data subjects, data sharing with third parties, as previously described. These procedures cover all areas of activity that involve the collection and processing of personal data.

At Stemmatters, information collection, processing and storage practices are periodically reviewed, including physical security measures, to protect against unauthorized access to computer systems and also to assess the adequacy of consents (when this is the source of legitimate treatment of personal data) and information provided to data subjects.

Despite Stemmatters' efforts to protect your personal data, in cases where personal data is collected through an open network - the internet - they can circulate on the network without security conditions, at the risk of being seen and used by unauthorized third parties.

 

6 Incident Reporting

Stemmatters has appointed a Data Protection Officer and has implemented an incident management system within the scope of data protection, privacy and information security.

If necessary, the report of occurrence of any situation of violation of personal data that causes, accidentally or unlawfully, the destruction, loss, alteration, disclosure or unauthorized access to personal data transmitted, stored or subject for any other type of treatment, can be made by contacting the Data Protection Officer.

 

7 Automated Decisions

Stemmatters does not take automated decisions based on the treatment of your personal data.

 

8 Data Protection Officer

For any question related to the General Data Protection Regulation, you can contact the Data Protection Officer, through the following email address: dpo.stm[at]stemmatters.com or by letter to:

     Stemmatters, Biotecnologia e Medicina Regenerativa SA

     Parque de Ciência e Tecnologia Avepark, Zona Industrial da Gandra,

     4805-017 Barco

     Guimarães

 

9 Changes to the Privacy Policy

The privacy policy is reviewed and may be changed from time to time. Changes are published on the website www.stemmatters.com/privacy.

 

10 Online Privacy Policy

Stemmatters, Biotecnologia e Medicina Regenerativa SA (“Stemmatters”) values the privacy of its website viewers and is committed to protecting your personal data.

In this Online Privacy Policy, we describe how we deal with personal data when you visit our website (regardless of where you visit it from), and in the context of providing Stemmatters' services. Please note that Stemmatters may amend this Online Privacy Policy at any time.

It is important that you read this Online Privacy Policy together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy notice supplements the other notices and is not intended to override them.

This Online Privacy Policy is relevant to any user or visitor of Stemmatters’ website (www.stemmatters.com) or any subdomains of the website where these services directly link to this Online Privacy Policy. This Online Privacy Policy does not cover any other data collection or processing, including, without limitation, through other contractual arrangements for services that do not display a direct link to this Online Privacy Policy, or through third-party websites. The latest version of this policy will be published in the website.

The intent of Stemmatters for collecting and processing information is first and foremost for providing our services. Secondly, we may use such information for the operation of our website and services, to maintain the quality thereof, and to obtain statistics regarding the use of the website and services. In compliance with the provisions of the legislation, Stemmatters is responsible for processing its users’ data, which it does in order to provide the service that the user requests via the contact form. This Online Privacy Policy provides information about how it receives, collects, uses and transfers information about any user or visitor of www.stemmatters.com. In order to do this, it requires that the user checks the box which indicates that he/she accepts this policy; should he/she fail to do so, it does not have his/her express consent and, therefore, will be unable to respond to his/her request. Any of the following personal information that may be made available through using the website or otherwise shall be kept confidential:

     - First and last name;

     - Company or institution;

     - Contact information, for example, telephone number, email address, and other similar information;

     - Title or position in a company or an institution;

     - Occupation;

     - Industry;

     - Any other information needed to provide a service you requested.

Examples of scenarios where Stemmatters collects, processes, and stores personal information obtained from the website are described in section 2.1.

Stemmatters provides you the opportunity to agree or decline to give your personal information via the Internet. Your personal data will be collected and used by Stemmatters for the purpose of the engaging into, performance and management of a commercial relationship with you, including activities aimed at increasing Stemmatters’ customer base, and does not intend to transfer your personal information to third parties without your consent, and no international data transfers will be performed unless the company is legally required to do so or it needs to pass data on solely and exclusively to provide the service requested, in which case it will ask for consent to do so (please see the exceptions under the limited conditions described under the discussion entitled “Information Sharing and Disclosure” below).

10.1 Domain Information Collection

Stemmatters collects anonymized domain information to enable us to analyse how our visitors use this site. This data enables us to become more familiar with how people use our site. Specific information that is gathered includes but is not limited to country and region of the site visitor, the duration of their interaction for each page on the site and the site as a whole, the time and date of each site visit, and how they have interacted with the site. Stemmatters uses this information to improve its website design and content dissemination. This information is collected automatically and requires no action on your part.

10.2 Use of Cookies and Tracking User Traffic

Some pages on this site may use “cookies” - small files that the site places on your hard drive for identification purposes. Some are functional cookies without which the website would not work. Some are analytical cookies generated by Google Analytics to track user traffic patterns and are used anonymously. A cookie file can contain information such as a user ID to track the pages visited, but the only personal information a cookie can contain is information you supply yourself. Please note that cookies cannot read data from your hard drive.

Your Web browser may allow you to be notified when you are receiving a cookie, giving you the choice to accept it or not. If you prefer not to receive cookies while browsing our Web site, you can set your browser to warn you before accepting cookies and refuse the cookie when your browser alerts you to its presence. You can also refuse all cookies by turning them off in your browser. By not accepting cookies, some pages may not function fully and you may not be able to access certain information on this site.

10.3 Internet Security

Stemmatters strives to protect your personal information; we take technical, physical, and organizational steps to safeguard any information you provide us, and to protect it from unauthorized access, loss, misuse, or alteration. Although we take reasonable security precautions, no computer system or transmission of information can ever be completely secure or error-free, so we urge you to take every precaution to protect your personal data when you are on the Internet. Change your passwords often and use a combination of letters and numbers.

10.4 Links to Third Party Sites

This site may contain links to other sites. Stemmatters does not share your personal information with those Web sites and is not responsible for their privacy practices. When you leave our website, we encourage you to learn about the privacy policies of those companies. This website may include links to third-party websites, plug-ins and applications. Stemmatters is not responsible for the content of websites that our web page provides links to.

10.5 Aggregated Data

We also collect and use Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.