1 January 2022
Data Protection and Privacy Commitment
DrOnline, Lda. is implementing technical and organisational measures necessary for compliance with applicable EU and national legal regulations on data protection, privacy and information security, in particular those contained in the General Data Protection Regulation.
Person responsible for processing personal data
DrOnline, Lda. is the entity responsible for processing all personal data transferred to it for the provision of the services requested by the data subject or their legal representative.
Collection and Processing of Personal Data
DrOnline, Lda. processes personal data strictly necessary for the provision of information, for administrative procedures within the scope of its attributions and competences, and for the dissemination of its activities, according to the interactions through the different customer service and communication channels.
The personal data collected by DrOnline, Lda. is processed electronically, with protection, privacy and security assured under the terms of the legislation in force.
Legal Principles
All data processing operations are guided by the fundamental legal principles applicable in the field of data protection and privacy, particularly with regard to their circulation, lawfulness, fairness, transparency, purpose, minimization, conservation, accuracy, integrity and confidentiality, with DrOnline, Lda. being available to demonstrate its responsibility towards the data subject or any other third party that has a legitimate interest in this matter.
Lawfulness and purpose of processing
The data processing operations carried out by DrOnline, Lda. fall within the scope of one or more specific purposes, the grounds for legitimacy being the consent of the data subject and the processing being considered necessary for:
- the performance of a contract for the provision of services in which the data subject is the contracting party;
- the fulfilment of a legal obligation to which the controller is subject.
The personal data collected may also be processed for statistical purposes, for the dissemination of information or promotional activities and for communication actions, through direct communication, whether by correspondence, e-mail, messages or any other electronic communications service.
However, while prior information and express authorisation are always ensured for the latter purposes, citizens may at any time exercise their right to object to the use of their personal data for other purposes.
Data Retention Periods
Personal data shall be kept for the period necessary for the purposes for which they were collected or subsequently processed, with a view to ensuring compliance with all applicable legal provisions on filing.
Communication of Data to Other Entities
The availability of information, through the various customer service and communication channels, may involve the use of services of subcontracted third parties, which may entail access to personal data by these entities.
Under these circumstances and whenever necessary, DrOnline, Lda. will only contract with entities that provide sufficient guarantees of the execution of technical and organizational measures that are adequate to meet the applicable standards. Such guarantees will be formalized in a contract signed between DrOnline, Lda. and each of these third parties.
Data Recipients
Except in the framework of the fulfilment of legal obligations, in no case will personal data be communicated to third parties that are not subcontracted entities or legitimate recipients, nor will any communication be made for purposes other than those mentioned above.
Security Measures
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, all of its (sub)contractors shall implement the necessary technical and organisational measures to ensure a level of security appropriate to the risk.
To this end, various security measures may be adopted in order to protect personal data against disclosure, loss, misuse, alteration, unauthorised processing or access, as well as any other form of unlawful processing.
The data subject is solely responsible for keeping access codes secret and not sharing them with third parties, and, in the particular case of the computer applications used to access the channels, must also keep and maintain the access devices in safe conditions and follow the security practices recommended by the manufacturers and/or operators, namely as regards the installation and updating of the necessary security applications, among others, antivirus applications.
If it is necessary to outsource services to third parties that may have access to the personal data of the data subject, DrOnline, Lda.'s subcontractors are required to adopt security measures and protocols, as well as other technical measures to protect the confidentiality and security of personal data, to prevent unauthorized access, loss or destruction of personal data.
Exercise of Rights by Data Subjects
Data subjects may at any time exercise their data protection and privacy rights, including rights of access, rectification, erasure, portability, limitation or opposition to processing, under the terms and within the limitations set out in the applicable rules.
Any request for the exercise of data protection and privacy rights must be addressed to DrOnline, Lda. in writing by the respective data subject in accordance with the procedure and contact details described below.
Complaints and Suggestions
Data subjects have the right to lodge complaints, either by registration in the complaints book or by lodging a complaint with the regulatory authorities.
They can also make suggestions by sending an e-mail to the following address: dpo@dronline.io
Incident Communications
DrOnline, Lda. has appointed a Data Protection Officer and proceeded with implementation within the scope of data protection, privacy and information security.
Data Protection Officer:
Priscila Vilhena Ganga
dpo@dronline.io
In the event that data subjects wish to report the occurrence of any personal data breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, they may contact the Data Protection Officer in accordance with the instructions and contact details described above.
Amendment of the Privacy Policy
DrOnline, Lda. may, at any time, make changes that are deemed appropriate to this Data Protection and Privacy Policy, in order to ensure its update, development and continuous improvement, and these changes will be duly announced publicly to ensure transparency and information.