Privacy Policy

The Companies of CTT Group(1) ("CTT") are committed to protecting the security and privacy of their Clients' personal data. In this context, CTT has drafted this Privacy Policy, to disclose the terms on which it collects and processes personal data, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (General Regulation on Data Protection - "GRDP") and other related legislation on the protection of personal data.

The data processing covered by this Policy relates, namely, to personal data collected (i) from clients of CTT Products and Services ("Products and Services") and (ii) from users of CTT websites, applications, products and digital services (“Platforms"(2)) – collectively referred to as "Clients".

CTT seeks to follow all best practices concerning data protection and security. Please check below how your personal information is handled:

  • WHO IS THE DATA CONTROLLER FOR THE PROCESSING OF YOUR PERSONAL DATA?
  • WHAT PERSONAL DATA ARE COLLECTED BY CTT?
  • WHAT ARE THE PURPOSES FOR COLLECTING YOUR PERSONAL DATA AND THE BASIS FOR THEIR PROCESSING?
  • FOR HOW LONG DO WE KEEP YOUR PERSONAL DATA?
  • WHAT ARE THE RIGHTS OF THE DATA SUBJECTS?
  • WHAT ARE THE SECURITY MEASURES ADOPTED?
  • WHEN DO WE DISCLOSE DATA TO THIRD PARTIES?
  • UNDER WHICH CIRCUMSTANCES DO WE TRANSFER DATA?
  • CONTACT US
  • CHANGES TO OUR PRIVACY POLICY

 

WHO IS THE DATA CONTROLLER FOR THE PROCESSING OF YOUR PERSONAL DATA?

Any CTT Group company that markets Products and / or Services also through any of the Platforms available, is the Data Controller for that data processing, under the GRPD.

Details on each of the data controller’s identity and contact details are provided when the personal data are collected from the data subject.

With respect to Banco CTT, it acts, in the scope of its activity, as a Data Controller for the processing of its Clients’ personal data. This data processing is carried out in a segregated manner and in compliance with this Privacy Policy and the confidentiality duties to which Banco CTT is subject under the provisions of the Regime Geral das Instituições de Crédito e Sociedades Financeiras (Decree-Law no. 298/92, of December 31 - "RGICSF") (General Regime of Credit Institutions and Financial Companies – “GRCIFC”)

 

WHAT PERSONAL DATA ARE COLLECTED BY CTT?

CTT collects and processes, directly or indirectly through partners or suppliers and service providers, or through other sources of information (e.g. databases or publications released by official entities or third parties’ databases concerning the prevention of fraud or the prevention of money laundering and terrorist financing, as well as information published by the media or made public on websites and social networks by the data subject), the personal data necessary (i) for the marketing of its Products and provision of its services (ii) to guarantee access to the Platforms, (iii) to fulfill legal and regulatory obligations, and (iv) to the exercise of CTT - Correios functions of public interest as the provider of the Universal Postal Service and the fulfilment of other legitimate interests.

CATEGORIES OF DATA EXAMPLES
Identification and Contact details Name, numbers and expiration dates of civil, tax or bank identification documents (and their images), payment data, addresses (correspondence, residence and tax), telephone contacts, e-mail address, photograph, signature, birth date, gender, nationality, place of birth, affiliation, marital status, marriage status, spouse identification, household composition, political office.
Professional situation Occupation, employment status, name of employer, type of contract, remuneration, education.
Health Degree of disability
Products and Services Products and services contracted, Client’s instructions.
Credit and solvency Banking transactions, causes for not granting credit, earned income, value of assets, regular expenses, tax data, of compliance obligations assumed by Clients regarding other credit agreements with Banco CTT or with other Banks.
Usage Data on the Platforms Content and services accessed, IP address, geographical location, cookies or similar technologies, activity logs, unique identifier and brand and model of mobile device.
Complaints submitted to CTT Content of the complaint, name, address, personal or professional contacts details (e-mail and telephone).
Fraudulent behavior Description of Suspicious Behaviour and Client Identification Data.
Biometrics Electronic signature and fingerprint.
Voice and image records Call and video recordings and photos.

 

WHAT ARE THE PURPOSES FOR COLLECTING YOUR PERSONAL DATA AND THE BASIS FOR THEIR PROCESSING?

The CTT Clients’ personal data are used within the provision and management of the contracted services, the management and execution of the contractual/commercial relationship, the processing of claims and suggestions, pre-contractual procedures, compliance with legal obligations, as well as to study, improve and adapt the services to the Client’s needs and interests. The Client may, however, supply his or her personal data and consent that they are used for other purposes, such as to (i) receive institutional information from CTT, (ii) take part in activities and market surveys, (iii) receive marketing communications (particularly campaigns and promotions on Services and Products).

Thus, we process the personal data for the following purposes:

PURPOSES DESCRIPTION LEGITIMACY BASIS
Provision of Services, including postal services provision, and marketing of Products Establishment of business relationships between the data subjects and CTT Execution of the contract or pre-contractual proceedings
Management and execution of the provision of Services and Product marketing Performance of public interest duties by CTT-Correios as the provider of the Universal Postal Service
Invoicing, collection and payment management Compliance with legal obligations
Recording of calls to serve as evidence of commercial transactions and communications within the contractual relationship  
Quality control  
Provision of banking and financial services Establishment of business relationships between the data subjects and Banco CTT Execution of the contract or pre-contractual proceedings
Management and execution of the provision of Services and Product marketing  Compliance with legal obligations
Invoicing, collection and payment management  
Recording of calls to serve as evidence of commercial transactions and communications within the contractual relationship   
Quality control  
Insurance mediation (in the context of the sale of products and services marketed as insurance mediators) Management and execution of the provision of Services and Product marketing Compliance with legal obligations
Marketing Marketing or promotion of new Products or Services Consent
Adapting and developing new Products or Services
Use of statistical techniques and definition of profiles to customize the offer and the communications to be made therein
Client relationship management   Management of client contacts, information requests and claims Execution of the contract or pre-contractual proceedings
Client support Performance of public interest duties by CTT - Correios as the provider of the Universal Postal Service
Recording of calls to monitor the quality of service Compliance with legal obligations
Account opening  
Management of legal proceedings and disputes (including bad debt recovery) Management of legal proceedings and disputes (including bad debt recovery proceedings) Execution of the contract
Compliance with legal obligations
Compliance with legal obligations Answering and reporting to judicial, tax, and regulatory and supervisory authorities Compliance with legal obligations
Fraud control Fraud identification and detection Compliance with legal obligations
Legitimate interest in implementing fraud combat mechanisms
Information security Access management, logs CTT legitimate interest in ensuring information security
Backup management Compliance with legal obligations
Security incident management  
Safety of people and goods Installation and management of CCTV systems CTT legitimate interest in ensuring the safety of people and goods
Compliance with legal obligations
Commercial evaluation and / or risk analysis of current or future credit operations Credit risk analysis Execution of the contract
Assessment of the clients’ solvency Compliance with legal obligations

 

FOR HOW LONG DO WE KEEP YOUR PERSONAL DATA?

The personal data collected are processed in strict compliance with the applicable legislation and stored in databases set up for the purpose.

CTT processes and keeps the personal data according to the respective purposes and complying with the applicable time limits.

Therefore, whenever there is no specific legal requirement, the data shall be stored and kept only for the adequate period and as far as necessary for the purposes they were collected, except if you exercise, within the legal limits, the right to object or the right to erasure, or if you withdraw your consent.

 

WHAT ARE THE RIGHTS OF THE DATA SUBJECTS?

Under the applicable legislation, you may exercise the following rights:

  • Right of Access: the right to obtain confirmation as to whether or not your personal data are being processed and obtain a copy of the personal data undergoing processing. In the latter case, CTT may charge a reasonable fee based on administrative costs.
  • Right to Rectification: the right to obtain the rectification of your personal data when these are inaccurate or to have incomplete personal data concerning you completed.
  • Right to Erasure: the right to obtain the erasure of your personal data, as long as there are no valid basis for holding them.
  • Right to Restriction of Processing: the right to obtain restriction of processing of your personal data, requesting the suspension or the restriction of the processing to certain categories of data or the purposes of the processing.
  • Right to Data Portability: the right to receive the personal data you provided us in a commonly used, machine-readable digital format, or to have the personal data transmitted to another data controller.
  • Right to Object: the right to object at any time to processing of personal data, such as where data are processed for marketing purposes.
  • Right to Oppose decision-making based solely on automated processing: the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

For exercising your rights, please go to a CTT post office, a postal agency, or, in the case of Banco CTT, a Banco CTT branch.

Under the law you may also withdraw your consent to the authorised processing of the data by the abovementioned means or, in the case of consent given online, you may withdraw it by the same means. However, withdrawal of consent does not invalidate the processing carried out until that date on the basis of the consent previously given.

Without prejudice to any other administrative or judicial appeal, the data subject has the right to lodge a complaint with the Portuguese Data Protection Authority (CNPD) or any other competent supervisory authority under the terms of the law, should you consider that your data are not being duly processed by CTT under the applicable law and the terms of this Policy.

 

WHAT ARE THE SECURITY MEASURES ADOPTED?

CTT is committed to ensure the confidentiality, protection and security of the personal data of its Clients by implementing adequate technical and organizational measures that protect your data against any form of undue or illegitimate processing and against accidental loss or destruction of these data.

For that purpose, CTT carries out its activity using systems to guarantee the security of the personal processed, creating and updating procedures to prevent unauthorized access, accidental loss and / or destruction of personal data, undertaking to comply with the legislation on the protection of personal data of its Clients and processing said data solely for the purposes they were collected, and to ensure that such data are processed with appropriate levels of security and confidentiality.

 

WHEN DO WE DISCLOSE DATA TO THIRD PARTIES?

Within the context of the provision of services, CTT may use third parties who have access to personal data of its Clients.

These entities – subcontractors – may have access to personal data and follow, for that purpose, the indications of CTT. These entities are mainly partners or suppliers of goods and providers of services, including intragroup contracting, as well as providers of IT services, archiving, back-office support, consulting, private security, contact center, credit intermediaries, and banking promoters.

CTT ensures that such subcontractors offer sufficient guarantees to undertake adequate technical and organizational measures so that the processing complies with the applicable legal requirements and ensures the security and protection of the data subjects’ rights, in accordance with the subcontracting agreement entered into with said subcontractors.

CTT may also disclose personal data of its Clients to third parties where such disclosure is necessary or adequate (i) under the applicable law, (ii) to comply with legal obligations / court orders, (iii) to respond to requests from public or governmental authorities, or (iv) when you have given your consent.

These third parties include legal and judicial entities or public authorities (e.g. the Tax Authorities, ANACOM – National Communications Authority, AdC – Competition Authority, the Bank of Portugal, the Portuguese Securities Market Commission, the Supervisory Authority for Insurance and Pension Funds, the judicial and administrative courts or the criminal police bodies), law firms, partners (e.g. in the field of payment services, consumer credit mortgage loans or insurance mediation), other companies of the CTT Group or other providers of postal, banking or financial services.

 

UNDER WHICH CIRCUMSTANCES DO WE TRANSFER DATA?

The provision of services by CTT may entail the transfer of your personal data to third countries (which are not members of the European Union or part of the European Economic Area), particularly when the offer and provision of Services and Products involves the transfer of data to other providers of postal, banking or financial services.

In those situations, the necessary and adequate measures will be adopted to ensure the protection of the Clients’ personal data. For further information, please write to privacidade.cliente@ctt.pt, or, in the case of Banco CTT, to protecao.dados@bancoctt.pt.

 

CONTACT US

For any queries or doubts on how CTT processes your personal data, you may contact the Data Protection Officer (“DPO”) by e-mail to  privacidade.cliente@ctt.pt or, in the case of Banco CTT, to protecao.dados@bancoctt.pt.

 

CHANGES TO OUR PRIVACY POLICY

CTT reserves the right to modify or update the Privacy Policy at any time. Such changes shall be duly communicated in the Platforms, the CTT post offices, postal agencies or, in the case of Banco CTT, the Banco CTT branches.

 

Lisbon, 24 May 2018

 

 

(1) CTT - Correios de Portugal, S. A. – Public Company (“CTT - Correios”); Banco CTT, S.A. (“Banco CTT”); Payshop (Portugal), S.A.; CTT Contacto, S.A.; Mailtec Comunicação, S.A.; CTT Expresso - Serviços Postais e Logística, S.A.; Tourline Express Mensajería S.L.U.; Transporta – Transportes Porta a Porta, S.A.; Escrita Inteligente, S.A.
(2) Within the scope of the ViaCTT service, you may also exercise the right to restriction of processing and rectification of the data in the ViaCTT Platform through the channels indicated in the General Conditions of the Service.