This Privacy Policy of Unit LEGAL – Sociedade de Advogados, SP, RL (“Unit LEGAL”) regulates the collection and processing of personal data by Unit LEGAL.

1.1Data controller
Unit LEGAL is responsible for collecting and processing the personal data it collects, determining the purposes and means of its processing.

1.2 Purposes for processing personal data
Data is collected and processed for the following purposes.

Further processing of data for purposes other than those for which it was collected is only authorized when it is compatible with the purposes for which it was initially collected.

1.3 Datacollection
Unit LEGAL collects data directly (i.e., directly from the data subject) and indirectly (i.e., through Clients or third parties), under the following terms:

• Direct collection: in person, by telephone, by e-mail, by paper form and via the Unit LEGAL website. Any information or content that you transmit to the Unit LEGAL website is subject to this Privacy Policy.

• Indirect collection: through Clients and other third parties with whom Unit LEGAL has established contractual relations in the provision of legal and/or representation services.

1.4 Data retention period
The personal data collected is kept only for the period appropriate to the purposes for which it is processed, or for the period necessary under the law, without prejudice to legal obligations to retain data or exercise rights by the data subject – specifically, exercising the right to object, the right to erasure, withdrawal of consent or limitation of processing.

The period of retention of personal data varies according to the purpose of the processing, in the following terms, without prejudice to any disputes directly involving Unit LEGAL that may require its retention for a longer period:

1.5 Communication of data to other entities
Unit LEGAL may communicate personal data to:

• Subcontractors: natural or legal persons subcontracted by Unit LEGAL to process personal data on its behalf and in accordance with its instructions, in strict compliance with the subcontracting agreement signed with said entities, with the provisions of the law and this Privacy Policy, without prejudice to the legal obligation of professional secrecy;

• Third parties: if the data subject expressly consents to it or if the transmission or communication is, when such communications are necessary for the execution of a contract established between the data subject and Unit LEGAL, or for pre-contractual steps at the request of the data subject, if necessary for compliance with a legal obligation to which Unit LEGAL is subject, or within the scope of decisions of administrative authorities or in response to requests from them.

1.6 Transfer of data outside the European Union
In certain types of processing, personal data collected by Unit LEGAL may be made available to third parties, which may involve their transfer outside the European Union. In such cases, Unit LEGAL undertakes to ensure that the transfer complies with the applicable legal provisions, in particular with regard to determining the adequacy of such country with regard to data protection and the requirements applicable to such transfers, with additional measures being adopted by contract to ensure the confidentiality and protection of personal data.

1.7 Technical, organisational and security measures implemented
Unit LEGAL has implemented various technical and organisational measures to ensure, by default, adequate data protection with a view to guaranteeing the minimisation of processing, specifically, that only the personal data that is necessary for each specific purpose of the processing is processed and that such data is not made available without human intervention to an indeterminate number of people.

Unit LEGAL also adopts the following security measures, which are reviewed and updated periodically:

• Binding of service providers and workers to the duty of professional secrecy;
• Restricted access of people to the facilities, through access control;
• Use of antivirus, firewall with total security (EDR), anti-bot, anti-malware and other intrusion detection mechanisms;
• Use of VPN with information encryption;
• Differentiated access profiles depending on the role/position of the person accessing the information systems;
• Access to information systems through a user name and password, personal and non-transferable, with Multifactor Authentication (MFA) both when logging in and when accessing the office;
• Implementation of password quality rules;
• Eliminação mensal de perfis de utilizadores que cessem o seu vínculo (laboral ou outro) com a Unit LEGAL, bem como de todos os privilégios ou direitos de acesso concedidos a tais utilizadores;
• Detection of unauthorized access to information systems and facilities (alarm on the premises);
• Use of Web Control – restricting access to inappropriate or potentially dangerous URLs;
• Performing periodic daily backups;
• Realização de testes de intrusão em real time;
• Clean desk policy in offices;
• Existence of a policy for the use of IT resources and the implementation of security measures;
• Mechanisms capable of ensuring the permanent confidentiality, availability and resilience of information systems;
• Mechanisms that ensure the restoration of information systems and access to personal data in a timely manner in the event of a physical or technical incident (in the event of a physical or technical incident, the information is recoverable, through backup, as a general rule, on the next business day).

2.1 Data Subject Rights
When a certain data processing is carried out by Unit LEGAL based solely on the consent of the data subject, the data subject has the right to withdraw his/her consent at any time. The withdrawal of consent, however, does not compromise the lawfulness of the processing carried out based on the consent previously given.

2.2 Right to information
Unit LEGAL provides information on data processing free of charge, in writing (including by electronic means) to the data subject, prior to the processing of the personal data in question, when they are collected from the data subject, at the time of their collection, or, when they have not been collected from the data subject, within a reasonable period after obtaining the personal data, but at the latest within one month, taking into account the specific circumstances in which they are processed; if the personal data are intended to be used for the purposes of communication with the data subject, at the latest at the time of the first communication to the data subject; or if the disclosure of the personal data to another recipient is envisaged, at the latest at the time of the first disclosure of such data.
The right to information regarding personal data cannot be exercised in relation to matters covered by the duty of professional secrecy enforceable against the data subject.

2.3 Right of access
At the request of the data subject, Unit LEGAL confirms whether or not their personal data are being processed and, if so, the right to access their personal data and information regarding the purposes of their processing, categories of personal data, recipients or categories of recipients to whom the personal data have been or will be disclosed, retention period, rights of the data subject, right to request the controller to rectify, erase or restrict the processing of personal data concerning the data subject, or the right to object to such processing, right to complain, information about the origin of the data, when available information about such origin is not available, and the existence of automated decisions. For this purpose, Unit LEGAL will provide the data subject, free of charge, with a copy of the personal data that is being processed.
Unit LEGAL justifiably refuses not to provide the above information when the law imposes a duty of professional secrecy on it that is enforceable against the data subject.

2.4 Right to rectification
The data subject has the right to obtain from Unit LEGAL, at any time, the rectification of inaccurate personal data concerning him/her. In this case, Unit LEGAL will communicate the respective rectification to each recipient to whom the data has been transmitted, unless such communication proves impossible or involves a disproportionate effort for Unit LEGAL.

2.5 Right to erasure of data (“right to be forgotten”)
The data subject has the right to obtain, from Unit LEGAL, the erasure of his/her personal data when data processing is no longer necessary, when consent is withdrawn when it is the sole basis for processing, when the right to object is exercised and there are no prevailing legitimate interests that justify the processing, when an obligation to which Unit LEGAL is subject must be complied with.

Under applicable legal terms, Unit LEGAL is not obliged to erase the data subject’s data to the extent that processing is necessary for compliance with a legal obligation to which Unit LEGAL is subject or for the purposes of declaring, exercising or defending a right in legal proceedings.
In the event of data erasure, Unit LEGAL will notify each recipient/entity to whom the data has been transmitted of the respective erasure, unless such communication proves impossible or involves a disproportionate effort for Unit LEGAL.

2.6 Right to restriction of processing
The data subject has the right to obtain from Unit LEGAL the restriction of processing if the data subject contests the accuracy of the personal data, for a period enabling Unit LEGAL to verify the accuracy of the personal data; if the processing is no longer necessary, but the data is required by the data subject for the establishment, exercise or defense of legal claims and the data subject has objected to the processing, until it is verified that the legitimate grounds of Unit LEGAL prevail over those of the data subject.
In the event of limitation of data processing, Unit LEGAL will communicate the respective limitation to each recipient to whom the data has been transmitted, unless such communication proves impossible or involves a disproportionate effort for Unit LEGAL.

2.7 Right to data portability
The data subject has the right to receive the personal data concerning him/her that he/she has provided to Unit LEGAL, in a structured, commonly used and machine-readable format, and the right to transmit such data to another data controller without Unit LEGAL being able to prevent it, if the processing is based on consent or on a contract to which the data subject is a party; and this processing is carried out by automated means.
The data subject has the right to have personal data transmitted directly between controllers, where technically and legally feasible. The exercise of the right to data portability applies without prejudice to the right to erasure.

2.8 Right to object
The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her that is based on the exercise of legitimate interests pursued by Unit LEGAL, which shall cease unless compelling legitimate reasons for such processing are demonstrated which prevail over the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
Data subjects may object, at any time, to their data being used for marketing purposes.

2.9 Right to complain to a competent authority
The data subject has the right to lodge complaints with the National Data Protection Commission (CNPD) or another supervisory authority in matters of personal data protection. The CNPD’s contact details are as follows:

Av. D. Carlos I, 134 – 1.º, 1200-651 Lisboa
Tel: +351 213.928.400
Fax: +351 213.976.832
E-mail: geral@cnpd.pt.