- Introduction
The company R.C. Sanches, S.A. (hereinafter “Company”), as an entity that operates restaurant establishments under the name “Grupo Multifood”, assumes as the highest and core commitment of its business activity, to process the personal data of its Customers (hereinafter “Data Subjects”), ensuring total respect for their privacy, and the protection, and security of personal data in the face of external threats and improper internal usage, in accordance with Regulation 2016/679 of the European Parliament and Council, of 27 April 2016 (hereinafter “RGPD”).
Consequently, the Data Subjects are made aware and have the right to be informed, within the scope of the corresponding contract, on how the Company gathers, organises, maintains, shares, searches, uses, edits, stores, processes, protects and deletes the Subjects’ Personal Data provided to it.
This Personal Data is provided through the website, the provision of services / complaint made at the corresponding restaurant establishment.
The legitimate purposes for which the Company processes Personal Data are a result of compliance stemming from relevant legislation, requiring the Company to ensure that legal conditions are in place for properly processing the Subjects’ Personal Data. In the specific case of the Company, the Data Subjects that are the object of this process are the Company Employees/Service Providers, which are subject to an internal privacy policy, and Customers and Potential Employees.
In addition, Data Subjects also have the right to be informed regarding how their Personal Data is handled for other purposes that are relevant within the scope of business carried out by R.C. Sanches, circumstances which the Company intends to make the Subjects aware of, under the terms of this Privacy Policy.
Therefore, the Company has placed its privacy policy on the website, where any Data Subject can and should access and carefully review this privacy policy, written clearly and simply to facilitate its understanding by Data Subjects and the exercise of their rights (also known as ARCO Rights – Rights to Access, Rectification, Cancellation and Opposition).
- Scope of Application and Responsibility for Processing
This privacy policy applies to personal data processed by the Company, directly or indirectly, within the scope of its business activity, obtained through all the tools at its disposal – website, restaurant establishment.
Within the scope of processing the personal data indicated above, the Company may define, specifically, concrete privacy policies that improve, develop or specify concrete aspects of processing personal data, carried out for the purposes indicated or any new purposes that may be developed or undertaken by the Company, which commits to ensuring compliance with the RGPD regarding those new business developments.
In compliance with the applicable legal dispositions, these sectoral privacy policies will be made known to the Data Subjects, through the means agreed upon between the Parties and available for said purpose, in accordance with the applicable legal and contractual provisions.
The following entity is responsible for processing Personal Data of the Subjects:
R.C.SANCHES, LDA., with headquarters at Avenida D. João II, n.º 30, 4.ºB, 1990-092 Lisbon, parish of Parque das Nações, municipality of Lisbon, registered at the Commercial Registry Office under the single registration and corporate tax number 503981796, with a share capital of €350.000,00 (three hundred and fifty thousand euros)
You may contact the Company regarding any issues related to this privacy policy, using the following contact information for the Head of Data Protection:
E-mail address: rgpd@multifood.pt
Dedicated Telephone Line: 218166590
Registered Post with Advice of Delivery:
C/O Head of Data Protection
R.C. Sanches, S.A.
Avenida D. João II, nº30, 4ºB
Parque das Nações 1990-092 Lisbon.
In addition to the foregoing, the head of data processing may, in specific and particular cases – the object of sectoral privacy policy – subcontract third parties to carry out the personal data processing in question, always ensuring, at all times, the rights and guarantees of Data Subjects and the compliance, by said subcontractors, of all applicable legal, regulatory and contractual obligations.
In this specific situation, the Company subcontracts management and maintenance services regarding the IT platform and website.
- Purposes for Processing and Legal Grounds
The Personal Data of Employees and Service Providers is processed by the Company under the terms of the Internal Privacy Policy in effect and which is made known to these Data Subjects, as part of the process of making work contracts or contracts for the provision of existing services.
The Personal Data of Customers and, in particular, Potential Employees that is the object of processing – within the scope of potential recruitment procedures carried out over the website or other tools – includes:
- Regarding Customers:
- On the website: Customer’s full name, telephone number and email;
- At the Restaurant: Image Data resulting from video surveillance and tax identification number and bank data obtained by POS (if applicable);
- Other personal data that is particularly technical in nature may be obtained when accessing the website (see Chapter 12 below).
- Regarding Potential Employees:
- On the Website: Full name of the Potential Employee, telephone number and email and personal data provided in a Curriculum Vitae (full name, mailing address, email, telephone, academic and professional background, among others);
- Other personal data that is particularly technical in nature may be obtained when accessing the website (see Chapter 12 below).
All personal data identified is appropriate, pertinent and limited to the corresponding purposes, thereby fully respecting the essential principles of the RGPD.
The Company processes the personal information of the Data Subjects in an automated manner, for the specific purposes, strictly and fully observing the legal grounds provided for in the RGPD, applicable as appropriate.
In this manner and in summary terms, excluding the processing regarding Employees and Service Providers – the object of an autonomous internal privacy policy – the purposes for which the processing of Personal Data is carried out and the corresponding legal condition are as follows:
Purpose for Processing | Legal Basis |
Recruitment process regarding contract of Potential Employees for exercising operational or administrative functions. | Execution of a contract or precontractual proceedings at the request of the Data Subject |
Processing of Personal Data of Potential Employees and Customers, for the control and security in various facilities under the management of the Video Surveillance Head. | Processing necessary for the protection of legitimate interests pursued by the Companies |
Processing of Customers’ Personal Data within the scope of providing services provided by the Companies, a legal relationship established with the Customer and a billing process. | Execution of a contract or precontractual proceedings at the request of the Data Subject |
Processing of Customers’ Personal Data for the purposes of marketing, including but not limited to (i) giving information regarding any updates of the Company’s social activity (Newsletters), (ii) issuance of promotional discounts and (iii) other institutional information | Consent granted by the Data Subject for these specific purposes |
Processing of Customers’ Personal Data for the statistical analysis and business management of the Company. | Processing necessary for the protection of legitimate interests pursued by the Companies |
Processing of Customers’ Personal Data for the purposes of Complaints | Compliance with the Company’s legal obligations |
Processing of Technological Personal Data (cookies) | Consent granted by the Data Subject for this specific purpose |
- Communication of Personal Data
The Company grants access to Data Subjects’ Personal Data to third parties exclusively subcontracted for the purpose of ensuring the provision of services necessary for managing and maintaining the Website, specifically in managing programmes that include the aforesaid platforms and their current and future developments.
Within the scope of that which is described above, the Company, in compliance with the applicable legal and regulatory obligations, requires the above-mentioned subcontracted entities to commit to taking all necessary security precautions, given the nature of Personal Data and the risks presented by its processing, to protect the security of Personal Data provided by Data Subjects and, specifically, to guarantee as far as possible it is not distorted or corrupted and accessed by unauthorised third parties.
- Subcontractors
The Company grants access to Data Subjects’ Personal Data to third parties exclusively subcontracted for the purpose of ensuring the provision of services necessary for managing and maintaining the website, in accordance with that which is set forth in Chapter 4.
Within the scope of recruiting Potential Employees, the Company R.C.SANCHES, LDA may also grant access and share Data Subjects’ Personal Data with Companies in its Business Group.
Within the scope of that which is described above, the Company, in compliance with the applicable legal and regulatory obligations, requires the above-mentioned subcontracted entities or those that are part of the same Business Group to commit to taking all necessary security precautions, given the nature of Personal Data and the risks presented by its processing, to protect the security of Personal Data provided by Data Subjects and, specifically, to guarantee as far as possible it is not distorted or corrupted and accessed by unauthorised third parties.
- International Transfers of Personal Data
The Company and the entities described in Item 5 above shall fully carry out the corresponding processing of Personal Data of Data Subjects in the European Economic Area (EEA), and as such does not foresee making any international transfer of Personal Data.
- Retention Period
The Company shall retain Data Subjects’ Personal Data only for the time necessary to carry out the purpose for which it was gathered, at which time Personal Data is deleted after the clear and autonomous communication presented by the Data Subject, under the terms provided for in the next Chapter.
Generally, and except for the defence of legitimate interests by Companies, the retention periods in effect are as follows:
Purpose for Processing | Retention Period |
Recruitment process regarding contract of Potential Employees for exercising operational or administrative functions. | Until the end of the recruitment process or, should there be consent granted by the end of the consent renewal period defined by the Company (5 years) or the revocation of consent. |
Processing of Personal Data of Potential Employees and Customers, for the control and security in various facilities under the management of the Video Surveillance Head. | External Personal Data related to the recording of images in Company restaurant facilities or establishments are the object of processing for a period of 30 (thirty) days, unless it is shown to be fundamentally necessary for guaranteeing the compliance of the Company’s legal obligation or legitimate interest. |
Processing of Customers’ Personal Data within the scope of providing services provided by the Companies, a legal relationship established with the Customer and a billing process. | In fulfilment of the Company’s legal obligation or legitimate interest, the Personal Data obtained will be maintained for the period necessary for guaranteeing the applicable tax obligations. |
Processing of Customers’ Personal Data for the purposes of marketing, including but not limited to (i) giving information regarding any updates of the Company’s social activity (Newsletters), (ii) issuance of promotional discounts and (iii) other institutional information | The Customers’ Personal Data that allows the fulfilment of the described purpose will be retained until the request is made for deleting the Subject’s Personal Data or in the event of account inactivity for a period longer than 5 years. |
Processing of Customers’ Personal Data for the statistical analysis and business management of the Company. | The Customers’ Personal Data that allows the fulfilment of the described purpose will be retained until the request is made for deleting the Subject’s Personal Data or during the period necessary for guaranteeing the Company’s legal obligations. |
Processing of Customers’ Personal Data for the purposes of Complaints | The Customers’ Personal Data that allows the fulfilment of the described purpose will be retained until the request is made for deleting the Subject’s Personal Data or during the period necessary for guaranteeing the Company’s legal obligations. |
Processing of Technological Personal Data (cookies) | The Customers’ Personal Data that allows the fulfilment of the described purpose will be retained until the request is made for deleting the Subject’s Personal Data or during the period necessary for guaranteeing the Company’s legal obligations. |
- ARCO Rights of Data Subjects
Any Data Subject who provides his personal data to the Company may, if he or she so wishes, at any time and tending to be free of charge – in fulfilment of applicable legislation – carry out his rights to access, correct, delete (or deindex) personal data or even, depending on the applicability of that option, the right to limit or oppose the processing or transfer of the Personal Data.
Similarly, regarding the processing of Personal Data that was the object of consent by the Data Subjects, the Company guarantees the possibility of the subjects’ exercising their right to revoke consent, observing all the applicable legal provisions.
All the rights indicated above may also be exercised through the following platforms and subject to available technology:
E-mail address: rgpd@multifood.pt
Dedicated Telephone Line: 218166590
Registered Post with Advice of Delivery:
C/O Head of Data Protection
R.C. Sanches, S.A.
Avenida D. João II, nº30, 4ºB
Parque das Nações 1990-092 Lisbon.
The Company scrupulously complies with and will comply with all the obligatory information rights provided for in the applicable legislation, within the scope of the corresponding contractual relationships entered into between the Company and the Data Subjects.
The Company commits, always and in every case, to comply with the legally established periods for fulfilment and execution resulting from the exercise of the ARCO rights by any Data Subject.
The Company reserves the right to exercise, in accordance with the corresponding legal and regulatory standards, all the rights of exception conferred by applicable legislation, for the full/partial execution of the Data Subjects’ ARCO rights.
In any case, if the Data Subject believes that the Company infringed or may have infringed his rights under the terms of the applicable legislation on data protection, he or she may file a complaint with the Data Protection National Commission.
- Responsibility of Data Subjects
The Data Subjects pledge to use maximum prudence, on any of the technology tools made available by the Company, to avoid any unauthorised access to their Personal Data, keeping confidential any passwords and information that may be in their personal accounts (if any).
Should the Data Subject or any other user of any one of the technology tools made available by the Company provide false or incorrect information to the Company, the latter shall not be held liable in this case.
- Mandatory Character of Requested Personal Data
The Personal Data which, in the forms provided by the Company, are not properly identified as “optional” must be completed in order to meet the corresponding purposes specified above.
Consequently, if the Data Subject does not provide the necessary Personal Data to meet the purposes specified above, the Company cannot fulfil that request.
- Personal Data Protection Measures
Keeping in mind the great concern and commitment the Company shows in safeguarding privacy issues, several safety measures were adopted that are technical and organisational in character, in order to protect personal data that is provided to us against its disclosure, loss, improper use, change, or unauthorised processing or access, as well as, against any other type of illegal processing.
In this regard, the forms for collecting personal data require encrypted sessions and all personal data provided will be stored securely on the systems contracted for by the Company with additional access control and the inability to extract information, protected by all physical and logical security measures that we believe to be essential for protecting your Personal Data.
For further clarification, please contact the Company’s Head of Data Protection using the contact information listed in Item 2 above.
- Cookies Policy
The website uses cookies. Learn more about cookies and accept or deny their use on the aforesaid website.
For further clarification, please contact the Company’s Head of Data Protection using the contact information listed in Item 2 above.
- Law Applicable
This Privacy Policy is drawn up in accordance with and fully subject to Portuguese Law and RGPD.
- Changes to the Privacy Policy
The Company reserves the right to change its Privacy Policy described here or any terms and conditions of Sectoral Privacy Policies, always in strict observance of applicable national and Community legislation.
Last Revision: February 2019