Personal Data Privacy Policy

1. Framework

This Privacy Policy describes a set of guidelines, rules and principles that are observed by Edenred Portugal, S.A. (hereinafter “Edenred”) to ensure and guarantee data protection obligations, as well as the protection of the rights of data subjects.

Edenred undertakes to comply with its Personal Data Protection Policy in accordance with the rules introduced by the General Data Protection Regulation, approved by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “General Data Protection Regulation” or “GDPR”) and other applicable data protection legislation.

Edenred is also subject to the Guidelines issued by the Edenred Group on data protection and has implemented several compliance projects aimed at improving daily practices in this area within the organization.

In order to carry out its business, Edenred needs to process personal data, namely collecting, consulting, transmitting, processing and updating such data. This processing of personal data concerns more than one category of data subject, including our employees, suppliers, customers and potential customers, partners and potential partners and users of our Solutions.

To this end, Edenred regularly carries out an in-depth analysis of all its internal procedures, with a view to ensuring compliance and fulfillment of the obligations of the applicable legislation and in accordance with the best practices in the market, both in terms of privacy and data security, as well as based on the guidelines of the National Data Protection Commission.

Edenred strives to ensure that it processes all personal data in accordance with the regulations and laws in force and that it is stored securely.

2. Scope

This Policy covers the processing of various categories of personal data carried out by Edenred in the exercise of its activity as Data Controller.

All categories will also be referred to as personal data in this Policy, unless otherwise stated.

3. Who carries out processing operations in relation to personal data

In the course of its business, Edenred may collect, process and store personal data.

In accordance with European and Portuguese data protection legislation, Edenred has access to this data in a lawful, fair and transparent manner, ensuring that there is a legal basis for each of the processes carried out.

Edenred ensures that its employees have sufficient knowledge of data protection legislation and practices to be able to anticipate and identify any data protection issues that may arise. To this end, Edenred guarantees mandatory and continuous training for all employees, as well as workshops and awareness-raising activities in the area of data privacy and security.

Edenred ensures that the Data Subject is duly informed of how to guarantee and exercise his/her rights.

Edenred may share Data Subjects’ personal data with subcontractors, provided that this is necessary for the provision of its services, and in these situations it informs Data Subjects in good time of the subcontractors. Edenred guarantees that any access subcontractors may have to the shared personal data is duly provided for and regulated by a written contract signed with them, setting out all the obligations they must comply with. Edenred also guarantees that they have all the technical and organizational measures in place.

All subcontractors that Edenred hires are subject to a prior assessment and then a regular assessment throughout the term of the contract. The assessment consists of an analysis of evidence regarding compliance with the principles of privacy and data security and is approved by the internal teams responsible.

4. Personal data may be shared with the following entities:

  • Providers of IT, technical and operational support services;
  • Group entities;
  • Entities to which Edenred provides services;
  • Judicial bodies, criminal police bodies and administrative authorities.

5. Purposes and grounds for lawfulness of Processing operations:

Edenred guarantees that when processing personal data there is a legal basis for the processing and that the data subject is informed in a clear and transparent manner through the corresponding privacy policies. Personal data is processed for a clear, legitimate and predetermined purpose. Edenred ensures the principle of minimization by only processing data that is strictly necessary for carrying out the activity in question.

Edenred records all processing activities for which it is responsible.

6. Data Retention Period

Edenred keeps personal data for the period strictly necessary for the purposes for which it was processed, varying the length of time for which it is stored according to the purpose for which the information was collected and in accordance with the legal rules requiring its retention.

7. Right of Access and Exercise of Rights

As a rule, the holder of personal data has the following data protection rights: right of access, right to rectification, right to erasure, right to restriction, right to portability, right to object and right not to be subject to automated decisions. In cases where consent has been given for certain processing of their personal data, the data subject may withdraw it at any time, which does not compromise the lawfulness of the processing carried out on the basis of the consent previously given. Data Subjects may exercise their rights under the applicable data protection legislation directly with the Data Controller via the following link here or by email to utilizador.pt@edenred.com, or by registered letter with acknowledgement of receipt to Edenred, located at Edifício Adamastor, Torre B, Av. D. João II, n.º 9 i, piso 6 B, 1990-077 Lisboa, for which purpose they must provide proof of their identity.

For any other type of request or complaint, the User should contact the Data Protection Officer at dpo.portugal@edenred.com.

If necessary, the holder of personal data may also file a complaint with the National Data Protection Commission (CNPD).

8. Categories of Personal Data

1. Employees’ personal data

Edenred collects the personal data of its employees at the pre-contractual stage with a view to concluding the respective employment contracts and informs the employee of the type and purpose of the processing to be carried out within the scope of the employment relationship that has been established. Edenred is entitled to process the personal data of its employees, as Data Controller, under the terms and within the limits of the provisions of articles 17 to 22 of the Labor Code, approved by Law 7/2009, of February 12, and other national legislation that may be approved in this regard, as shown in the applicable privacy policy.

  • Personal data of suppliers, customers and potential customers, partners and potential partners

As part of its commercial relationship with suppliers, customers and potential customers, partners and potential partners, Edenred needs to collect some information about them, in particular, it needs to collect and store the contact details (name, telephone number, professional email address) of relevant people in the company concerned, for the purposes of sending or receiving a commercial proposal, sending service communications and managing the contractual relationship, where applicable.

Edenred may also access other data, such as bank details, for payment purposes.

The legitimacy of the processing, depending on the type of commercial relationship, is based on legitimate interest, consent or the contract concluded between the parties, as applicable, in accordance with points a), b) and f) of Article 6(1) of the GDPR.

  • Personal Data of Solution Users

In the solutions it sells, Edenred assumes the position of Data Controller:

(a) Edenred determines the purpose and means of its processing activities (products, services, values, hosting, operation of mobile applications);

(b) Edenred exercises its own independent judgment and has a high degree of expertise and autonomy in the performance of its activity, and does not act on the instructions of Clients;

(c) Edenred generally determines the categories of personal data to be collected or processed, the reason why they will be needed, the manner in which they will be processed and the associated retention periods;

(d) Edenred assumes legal obligations according to the legislation on social vouchers, and other legislation applicable to the provision of services, which influence the purposes and nature of the processing, independent of the Customers;

(e) Edenred performs the services associated with its solutions under its trademarks, and not on behalf of Clients, who make no mention of Edenred’s name;

(f) In many situations, Edenred interacts directly with Data Subjects (e.g. by creating an online profile that will be used on Edenred’s website or mobile applications).

As Data Controller, Edenred needs to access and process personal data in order to carry out its services: manage the operations associated with the Solution, allow the Card Holder to receive and activate the Solution, register and manage their account online, respond to requests and provide information related to the services provided, create a network of establishments where the Solution will be accepted, regardless of format, among many other functions. Edenred needs to access and process personal data of the Customer and users of the solution, such as name, tax number or internal employee number, and, in some cases, home address and email address. Edenred therefore acts as Data Controller from the moment it receives the Customer’s personal data. Edenred will only use the personal data to perform its obligations under the contract. If Edenred intends to process the personal data for any other purposes, it is responsible for ensuring the lawfulness and legitimacy of such processing as well as ensuring the collection of the necessary consents – where applicable – and complying with the other requirements of personal data legislation. Edenred is responsible for providing all information required under the law to data subjects regarding the processing activities for which it is responsible.

We will also use your personal information to send you direct marketing communications about our products, services and promotions that we believe may be of interest to you, if we have received your prior and explicit consent to do so.

You have the right to withdraw your consent to receive direct marketing communications at any time by clicking on the “unsubscribe” link in the emails we send you, or through the other ways described above in point 7, which we list again: through the link gdpr.edenred.pt or by email to utilizador.pt@edenred.com, or by registered letter with acknowledgement of receipt to Edenred Portugal, located at Edifício Adamastor, Torre B, Av. D. João II, n.º 9 i, piso 6 B, 1990-077 Lisboa, for which you must provide proof of your identity.

Edenred has appointed a Data Protection Officer, who can be contacted at dpo.portugal@edenred.com.

***                                      ***                                      ***

Date last updated: April 12, 2024.

It may be amended by decision of the Board of Directors and will be available on the Edenred website.

For the Administration,

Edenred Portugal