Privacy Policy

Information on the Processing of Personal Data

This Privacy and Personal Data Protection Policy applies to the collection and processing of personal data provided to Green One Capital, SCR, S.A., hereinafter abbreviated as GOC, with registered office at Avenida da Liberdade, no. 245, 3rd Floor B, 1250-145 Lisbon, registered with the Commercial Registry Office of Lisbon under the single registration and corporate taxpayer number 513 885 445, with a share capital of €175,000.00 (one hundred and seventy-five thousand euros).

This policy is of a general nature and, therefore, the information contained herein may be supplemented by other, more specific policies in the context of the processing of certain types of personal data.

1. Definition of Personal Data

Personal data means any information relating to an identified or identifiable natural person (data subject).

An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, online identifiers, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

2. Definition of Data Processing

The processing of personal data is defined as any operation or set of operations performed on personal data or on sets of personal data, by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, alignment or combination, restriction, erasure or destruction.

3. Categories of Data Processed

The personal data provided to GOC are processed in accordance with the applicable legal provisions and are, in particular:

a) Processed lawfully, fairly and in a transparent manner in relation to the data subject;

b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;

c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

d) Accurate and, where necessary, kept up to date, with GOC taking all appropriate measures to ensure that inaccurate data are erased or rectified without delay;

e) Kept in a form which permits identification of data subjects only for as long as is necessary for the purposes for which they are processed;

f) Processed in a manner that ensures their security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

The table below sets out the main categories of personal data that GOC may process:

Data CategoryExamples
Identification and contact detailsName, identification document number, signature, address, telephone contact, email address
Biographical dataDate of birth, gender, nationality, place of birth, marital status, information on household composition, academic qualifications, profession-related data
Financial dataAssets, income, liabilities in the financial sector, salary amount
Segments and profilesCommercial segment, investor profile, propensity to acquire financial products
Website usageVisits to GOC’s website, including information on IP address, geographical location and browser used

4. Legal Bases and Purposes of Data Processing

GOC processes personal data for the following purposes and on the following legal bases:

PurposeLegal Basis
Performance of a contract entered into with the data subject or taking steps prior to entering into a contract at the request of the data subjectPerformance of a contract and pre-contractual steps; legitimate interest of the controller
Accounting and financial reportingCompliance with legal and regulatory obligations
Provision of information and responses to requests from public authoritiesCompliance with legal and regulatory obligations
Legal obligations relating to retention, payment or reporting for tax purposesCompliance with legal and regulatory obligations
Prevention of money laundering and terrorist financing offencesCompliance with legal and regulatory obligations
Fraud preventionCompliance with legal and regulatory obligations
Provision of regulatory information to clientsCompliance with legal and regulatory obligations
Client segmentationCompliance with legal and regulatory obligations
ProfilingCompliance with legal and regulatory obligations
Development of products and servicesLegitimate interest of the controller
Production of control and management informationLegitimate interest of the controller
Improvement and monitoring of service qualityLegitimate interest of the controller
Operational risk managementLegitimate interest of the controller
Management of litigation proceedingsLegitimate interest of the controller
Use of cookies on GOC’s websiteConsent

5. Retention Periods and Processing of Personal Data

GOC shall process and retain personal data for the purposes referred to above only for the period that proves necessary or mandatory for the fulfilment of those purposes, applying a personal data retention criterion appropriate to each processing activity and in line with the legal and regulatory obligations to which it is subject.

Once the relevant retention period has expired, GOC shall delete or anonymise the personal data, whenever such data should not be retained for another purpose that may continue to apply.

GOC may retain personal data for periods longer than the duration of the contractual relationship, whether on the basis of the data subject’s consent, to safeguard rights or obligations related to the contract, or because it has legitimate interests justifying such retention, but always for the period strictly necessary to achieve the respective purposes and in accordance with the guidelines and decisions of the Portuguese Data Protection Authority.

PurposeRetention Period
Contractual performancePeriod of validity of the contract. GOC may retain the data for periods longer than the duration of the contractual relationship on the basis of the consent of the respective data subject.
Legal, tax or regulatory obligationStatutory limitation and expiry periods associated with legal, tax or regulatory obligations. Legal periods provided for in specific legislation, for example, 7 years after the end of the contractual relationship, pursuant to the provisions of the Law on the Prevention of Money Laundering and Terrorist Financing.
Development and customisation of products and servicesUp to 1 year after the end of the contractual relationship.

6. Disclosure of Personal Data

GOC may be required to disclose personal data or grant access to such data to other entities so that they may process them on its behalf and for its account. In such cases, GOC shall adopt the necessary contractual measures to ensure that the processors respect and protect the personal data transmitted, in accordance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

Personal data may also be transmitted to third parties — entities other than GOC or its processors — such as, for example, companies with which GOC develops partnerships, where the data subject has given consent, or entities to which the data must be disclosed by law, such as the tax authority.

GOC shall only transmit personal data to the following categories of recipients:

i. Companies belonging to the same group, namely where they act as service providers;

ii. Entities and authorities to which personal data must be disclosed pursuant to a legal obligation, such as, for example, the Portuguese Securities Market Commission, the Tax Authority, courts and law enforcement authorities;

iii. GOC’s processors, for example, depositary entities and placement agents.

7. Automated Individual Decision-Making and Segmentation

GOC does not make automated individual decisions based on the segmentation of personal data.

8. Rights of the Personal Data Subject

With regard to the processing of personal data, the data subject has the following rights:

a) Right of access

Whenever the data subject so requests, they may obtain confirmation as to whether their personal data are being processed by GOC.

The data subject may also access their personal data and obtain the following information:

i. The purposes for which their personal data are processed;

ii. The type of personal data being processed;

iii. The entities to whom their personal data may be disclosed, including entities located in countries outside the European Union or international organisations, in which case the data subject shall be informed of the safeguards applied to the transfer of their data and the means of obtaining a copy of such safeguards, or where they have been made available;

iv. The retention period for their data or, where this is not possible, the criteria used to determine that period;

v. The rights they hold in relation to the processing of their personal data;

vi. Where the personal data have not been collected directly from the data subject, information on their source and the type of data concerned;

vii. The existence of automated individual decision-making, including profiling, and, in such case, information on the logic involved in such processing, as well as the significance and envisaged consequences of such data processing for the data subject.

b) Right to rectification

Whenever the data subject considers that their personal data, namely objective personal data provided by them, are incomplete or inaccurate, they may request that such data be rectified or completed, for example address, tax identification number, email address, telephone contacts or other data.

c) Right to erasure of data or “right to be forgotten”

The data subject has the right to obtain the erasure of their personal data, provided that there are no valid grounds for their retention.

The data subject may therefore request the erasure of their personal data in the following cases:

i. Where the personal data are no longer necessary for the purpose for which they were collected or processed;

ii. Where the consent on which the data processing was based has been withdrawn;

iii. Where the data subject expressly objects to the processing of their data and no legitimate interest of GOC prevails to justify the continuation of the data processing;

iv. Where the personal data have been collected in the context of the offer of information society services.

GOC is, however, subject to several legal and regulatory obligations, which may limit the right to erasure of personal data in the following situations:

i. Exercise of the right of freedom of expression and information;

ii. Compliance with a legal obligation requiring processing to which GOC is subject;

iii. Reasons of public interest in the area of public health;

iv. Archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, insofar as the exercise of the right to erasure is likely to seriously impair the achievement of the objectives of such processing;

v. Establishment, exercise or defence of legal claims.

d) Right to restriction of processing

The right to request the restriction of the processing of personal data allows the data subject to request that the controller restrict the scope of access to and processing of their personal data or suspend processing activities.

The data subject may request the restriction of the processing of their personal data in the following cases:

i. If they contest the accuracy of their personal data, for a period enabling GOC to verify the accuracy of the data;

ii. If GOC no longer needs the personal data for processing purposes, but such data are required by the data subject for the establishment, exercise or defence of legal claims;

iii. If they have objected to the processing, pending verification as to whether GOC’s legitimate interests override those of the data subject.

The data subject may request the suspension of processing or the restriction of the scope of processing to certain categories of data or processing purposes.

e) Right to data portability

The data subject may request that GOC provide them, in a structured, commonly used and machine-readable format, with the personal data provided by them. The data subject also has the right to request that GOC transmit such data to another controller, where technically feasible.

The right to data portability applies only in the following cases:

i. Where the processing is based on explicit consent or on the performance of a contract;

ii. Where the processing in question is carried out by automated means.

f) Right to object

The data subject has the right, at any time, to object to the processing of their personal data, on grounds relating to their particular situation, in the following circumstances:

i. Where the data processing is based on GOC’s legitimate interest;

ii. Where the data processing is carried out for purposes other than those for which the data were collected, but which are compatible with those purposes;

iii. Processing of data for direct marketing purposes, including profiling.

In such cases, GOC shall cease processing the personal data, unless it has legitimate grounds for carrying out such processing which override the interests of the respective data subjects.

g) Right not to be subject to exclusively automated individual decisions

GOC shall not make decisions affecting the personal data subject based solely on automated processes.

h) Right to withdraw consent

The data subject may withdraw consent at any time in cases where the processing of data is based on their consent.

Where consent is withdrawn, the personal data shall no longer be processed, unless there is another legal basis, such as the contract, legal and regulatory obligations or GOC’s legitimate interest, which justifies such processing.

i) Right to lodge complaints with the supervisory authority

If the data subject wishes to lodge a complaint regarding matters related to the processing of their personal data, they may do so with the Portuguese Data Protection Authority, the competent supervisory authority in Portugal. For further information on the Portuguese Data Protection Authority, please visit www.cnpd.pt.

9. Indirect Collection of Personal Data

In certain circumstances, GOC may collect personal data through third parties.

In such cases, the relevant entity shall provide the data subject, at the first point of contact, with the necessary information regarding the protection and processing of their personal data.

10. Security of Personal Data

GOC adopts appropriate technical and organisational measures to protect personal data against accidental or unlawful loss, destruction or damage, as well as to ensure that the data provided are protected against access or use by unauthorised third parties.

11. Cookies

GOC uses cookies on its website to improve the user experience and to enable certain operations to be carried out securely. For further information, please refer to the Cookie Policy.

11. Exercise of Rights and Data Protection Officer

The exercise by the personal data subject of the rights set out above is free of charge, unless the request is manifestly unfounded or excessive, in which case a reasonable fee may be charged, taking into account the associated costs.

A response to requests from personal data subjects shall be provided within a maximum period of one month, unless the request is particularly complex, in which case this period may be longer.

To assist in this process, GOC has appointed a Data Protection Officer, whose responsibilities include, in particular, monitoring the compliance of the data processing carried out by GOC with the applicable legislation.

In the event of any questions relating to the processing of your personal data, or to the exercise of your rights, you may contact the Data Protection Officer through the following channels:

  • Email: welcome@greenonecapital.com
  • Post: To the attention of the Data Protection Officer of Green One Capital SCR, S.A., Avenida da Liberdade no. 245, 3rd Floor B, 1250-145 Lisbon

The information contained in this document may be subject to change over time. However, so that you may always be informed of the processing carried out in relation to your personal data, the information contained herein shall remain updated at all times.