1. INTRODUCTION

a) Your privacy and the protection of your personal data are very important to CoLAB BIOREF;

b) This is a mission we take very seriously because we are legally obliged to protect the personal data we process, whether of our website users, employees, service providers, suppliers, or clients;

c) This duty is a daily priority in our operations, and we comply with and enforce the General Data Protection Regulation of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and the free movement of such data (GDPR), rectified on May 23, 2018 (Official Journal of the EU L 127/2) and amended on October 12, 2020 (Council of the European Union), and also Law 58/2019 of August 8, which implements the GDPR into Portuguese law;

d) If you have any questions, comments, or suggestions about our Privacy Policy, please contact us using the contact details below.

2. WHO IS RESPONSIBLE FOR THE PROCESSING?

Associação para as Biorrefinarias (hereinafter CoLAB BIOREF), with tax number 515 316 881, headquartered at Rua Amieira Apartado 1089, 4466-901 S. Mamede Infesta, is responsible for the processing of your personal data.

3. GENERAL PRINCIPLES OF OUR PRIVACY POLICY

a) In the context of your relationship with us, namely when you access our website, provide your personal data, or interact in ways that allow us to collect it (such as through the forms we provide), please note that you are accepting this Privacy Policy and that your personal data will be processed in accordance with the rules and terms here described, including any future amendments.

b) This policy is based on the core principles described below, which guide and shape our approach:

i) The security of your data processing is a constant priority, reviewed periodically based on technological advancements, and regularly invested in;

ii) We understand that personal data belongs to the data subjects, not to us. We are only entrusted with processing it in compliance with applicable laws, always upholding and enforcing your rights through appropriate technical and organisational measures.

iii) We promote and share best practices in Privacy, Data Protection, and Information Security internally, and regularly review them as part of a continuous improvement process.

4. DEFINITIONS AND INFORMATION TO DATA SUBJECTS

a) For the purposes of this policy, we follow the definitions in Article 4 of the GDPR, including (but not limited to) the following:

i) Personal Data – any information relating to an identified or identifiable natural person. An identifiable person is someone who can be identified, directly or indirectly, by reference to an identification number or one or more elements specific to their physical, physiological, psychological, economic, cultural, or social identity;

ii) Processing – any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction;

iii) Consent – any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, agrees to the processing of personal data;

iv) Controller – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;

v) Processor – a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

5. WHAT CATEGORIES OF PERSONAL DATA DO WE COLLECT ON OUR WEBSITE?

a) For the purpose of providing our services, we collect various categories of personal data, including identification data, academic qualifications, and navigation data.

b) We only collect data strictly necessary and in accordance with the principle of data minimisation, namely:

i) Name;

ii) Email address;

iii) Phone number;

iv) Nationality;

v) IP addresses, operating system, access device, language, and information collected via cookies;

vi) Personal data such as qualifications, certifications, held positions, employer data, all resulting from CVs if submitted.

6. HOW AND WHEN DO WE COLLECT AND PROCESS YOUR DATA ON OUR WEBSITE?

a) Your personal data may be collected:

i) When you subscribe to the CoLAB BIOREF newsletter via email or our website;

ii) When you fill in the "Contact Us" form on our website;

iii) When you sign up for or participate in one of our events;

iv) When you apply for a job at CoLAB BIOREF via email or the form available on our website.

b) The collected data is processed electronically and stored in databases, strictly complying with applicable European and national data protection laws.

c) We only process your data for specific, legitimate purposes determined at the time of collection. Data will not be further processed for purposes incompatible with the original unless for archival, scientific, historical, or statistical purposes, which are not considered incompatible under the GDPR.

d) If we collect and process special categories of personal data ("sensitive data"), it will only be done in accordance with the exceptions set out in Article 9(2) of the GDPR.

e) If such data is collected based on your consent, you will be informed of your right to withdraw consent at any time.

f) Please note that withdrawing consent does not affect the lawfulness of prior processing based on that consent.

7. FOR WHAT PURPOSES DO WE PROCESS YOUR PERSONAL DATA?

a) Your personal data is processed for the following purposes:

i) Management and execution of contractual relationships;

ii) Recruitment, when applying spontaneously or via open calls, including applications submitted by recruitment agencies;

iii) Sending relevant information and communications related to our work;

iv) Responding to information requests;

v) Handling and responding to your queries or complaints;

vi) Compliance with legal obligations;

vii) Exercising or defending legal rights in any legal proceedings;

viii) Monitoring website security, optimising browsing and customisation;

ix) Organising and managing events we host or co-organise.

8. WHAT LEGAL GROUNDS DO WE USE TO PROCESS YOUR DATA?

a) We only process your personal data in strict compliance with the principle of lawfulness.

b) Depending on the context, your data may be processed on the following legal bases:

i) Performance of a contract or pre-contractual steps at your request;

ii) Compliance with legal obligations to which we are subject;

iii) Our legitimate interests;

iv) Your freely given, specific, informed, and unambiguous consent;

v) Protection of your vital interests.

9. TO WHOM MAY WE DISCLOSE YOUR DATA?

a) CoLAB BIOREF does not normally disclose your data to third parties, except when necessary for the purposes described in this policy.

b) Data may be shared to comply with legal obligations or for services like sending newsletters, with your consent.

c) When we use processors who process data on our behalf, we ensure legal agreements are in place, guaranteeing adequate safeguards and compliance with our instructions.

d) These processors are evaluated for data protection compliance and are subject to periodic audits as contractually agreed.

e) If data is transferred outside the EU/EEA, and there is no adequacy decision by the European Commission, we ensure appropriate legal and security measures are in place in compliance with current law.

10. HOW LONG DO WE KEEP YOUR DATA?

a) The retention period varies according to the processing purpose. For instance, spontaneous applications are kept for one year.

b) Legal obligations may require minimum retention periods, such as for tax purposes.

c) If no legal retention period applies, data will only be kept for as long as necessary for its intended purpose and will then be securely deleted or anonymised.

11. WHAT ARE YOUR RIGHTS AS A DATA SUBJECT?

a) Under the GDPR, we ensure, through internal organisational measures, that your rights are respected and fulfilled within legal deadlines.

b) Your rights include:

i) Right of Access – You may request information about whether and how your data is being processed. A copy can be provided, and additional copies may incur a reasonable fee.

ii) Right to Rectification – You may request the correction or completion of inaccurate or incomplete data without undue delay.

iii) Right to Erasure (“right to be forgotten”) – In certain circumstances, you may request the deletion of your data from our records.

iv) Right to Object – You may object to certain types of data processing, including direct marketing, in which case we will stop processing for that purpose.

v) Right to Data Portability – You may request the transfer of your data to another organisation or to receive it in a structured, commonly used, and machine-readable format.

vi) Right to Restrict Processing – You may request the restriction of processing in cases such as contesting the accuracy of your data or when data is no longer needed but required for legal claims.

vii) Right to Lodge a Complaint – In Portugal, the competent authority is the CNPD – Comissão Nacional de Proteção de Dados (www.cnpd.pt)

viii) Right to Compensation – If you suffer material or non-material damage from a GDPR violation, you have the right to compensation from the controller or processor.

ix) Right not to be subject to Automated Decisions – You have the right not to be subject to decisions based solely on automated processing, including profiling, which significantly affects you.

x) Right to Withdraw Consent – Easily withdraw your consent at any time.

c) To exercise these rights, please refer to the “Contacts” section of this Privacy Policy.

d) Once we receive your request, we will send you our "Data Subject Rights Request Form" without delay.

e) We will respond within 30 (thirty) days with a reasoned reply.

f) This period may be extended to 60 (sixty) days for complex or numerous requests.

g) If your requests are manifestly unfounded or excessive (especially due to their repetitive nature), we may:

i) Charge a reasonable fee based on administrative costs;

or

ii) Refuse to act on your request.

12. WHAT SECURITY MEASURES HAVE WE IMPLEMENTED?

a) We have implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk, regularly reviewed and improved, to protect your personal data in terms of availability, authenticity, integrity, and confidentiality, and to prevent loss, misuse, alteration, unauthorised access or unlawful processing.

b) Our security commitment involves measures to mitigate risks of data breaches, as required by Article 32 of the GDPR, considering context, risk, and purpose:

i) Pseudonymisation and encryption of personal data;

ii) Ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services;

iii) Restoring data availability and access in a timely manner in the event of a physical or technical incident;

iv) Regular testing, assessment, and evaluation of the effectiveness of security measures.

c) The implemented security level considers risks such as accidental or unlawful destruction, loss, alteration, disclosure, or unauthorised access to transmitted, stored, or processed personal data.

d) Please note that despite all our efforts, we cannot fully guarantee the inviolability of data shared over open networks such as the internet.

13. LINKS TO OTHER WEBSITES

a) Our website may contain links that direct you to other websites.

b) CoLAB BIOREF is not responsible for, nor endorses or supports, the content or policies of those websites.

c) For your information, we advise reading the privacy policies of any website linked from CoLAB BIOREF’s website.

14. INTERNATIONAL DATA TRANSFERS

If we transfer your personal data to third countries or international organisations, we will comply with applicable legal provisions and assess the adequacy of the country or organisation. Where no adequacy decision exists, we will apply appropriate safeguards to ensure enforceable rights and effective legal remedies as per the GDPR.

15. USE OF COOKIES

To learn more about cookies and how we use them on our website, please see our Cookie Policy.

16. CONTACTS

a) If you have questions about how we collect and process data, you can contact us. We will respond within the applicable legal deadlines:

Email: [email protected]

b) To protect your privacy, we may need to verify your identity and may request limited additional information for this purpose.

c) To exercise your rights, please contact us using the above information. We will send you our "Data Subject Rights Request Form", which should be returned via email or post to the addresses above.

d) All responses will comply with legal deadlines.

17. REVIEW OF OUR PRIVACY POLICY

We reserve the right to change our Privacy Policy content without notice. Any changes will be published on our website and will become part of this Policy.