The protection of the personal data of natural persons is protected in Portugal by Law no. 58/2019 of 8 August and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 ("General Data Protection Regulation" or "GDPR"), which ensure the protection of natural persons with regard to the processing of personal data and the free movement of such data. "Personal data" means any information of any nature and regardless of its medium, including sound and image, relating to an identified or identifiable natural person, so the protection does not cover the data of legal persons (Companies etc.). An identifiable person is one who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity (for example, their name associated with their telephone number or email address.
The personal data we collect and process through the Website above will only be used for the following purposes:
a) To conclude the transport contract and manage the contractual relationship established with customers, including validation, inspection and official reports;
b) To deal with and respond to requests for information, suggestions, compliments, complaints, refunds and the defence of fines;
c) To manage the procedures for handing in lost objects;
d) To provide the SIM service (Integrated Mobility Service available to people with reduced mobility);
e) To receive spontaneous applications and recruitment processes;
f) To improve the browsing experience on the cp.pt website and CP App (cookies);
g) To provide information related to changes or occurrences with the services provided (e.g. traffic changes);
h) To provide information on CP and its partners' products, services and promotions, sending newsletters and running competitions;
i) To carry out customer satisfaction surveys;
j) To answer service evaluation questionnaires;
k) To manage the relationship with the Customer s(e.g. tailor-made services) by consulting all the data subject's interactions with CP;
l) To segment customers to improve the offer of services or tariffs and loyalty programmes according to the tastes and preferences for using the services provided.
CP guarantees the confidentiality of all data provided. Although CP collects and processes data in a secure manner that prevents its loss or manipulation, using the most appropriate techniques for this purpose, it should be borne in mind that collecting data on open networks does not allow personal data to circulate in conditions of absolute security, with the risk of it being accessed and used by unauthorised third parties.
Failure to give data marked as mandatory may mean that it is impossible to respond to the data subject's request.
CP processes Users' personal data when:
The User guarantees that the information provided is true, accurate, complete and up-to-date and is responsible for any damage or loss, direct or indirect, that may be caused as a result of the breach of this guarantee.
If the data provided belongs to a third party, the User guarantees that they have informed the third party of the aspects contained in this document and obtained their authorisation to provide their data to CP for the purposes indicated.
CP only keeps and processes your personal data for as long as it is necessary or obligatory for the fulfilment of the purposes described above, applying information retention criteria appropriate to each processing and confirming the applicable legal and regulatory obligations.
CP stores personal data in its systems according to the following criteria:
At the end of the retention period, CP will delete it, subject to the appropriate technical and functional guarantees, as documented in each of the relevant processes.
In addition to the communications carried out to meet legal obligations, the personal data of the Data Subject may be known, apart from CP, by partners and subcontractors, exclusively for the purpose of providing the contracted service, including:
The data provided may also be transferred to official entities to meet legal obligations.
The entities in question may vary according to the specific service, and the data subject can obtain information about these services and CP's partners from its commercial area.
Personal data may also be disclosed exclusively for the purposes indicated above, in accordance with the consent granted by the data subject.
The personal data collected will be processed within the European Economic Area, and there will be no international data transfers to third countries or international organisations.
In the event that personal data is processed outside the European Economic Area, this will only take place subject to the adoption of appropriate guarantees and the required level of protection, in accordance with legislation on personal data protection.
CP has implemented the appropriate technical and organisational security measures to guarantee the security of the personal data Users provide to prevent its alteration, loss, processing and/or unauthorised access, taking into account the current state of technology, the nature of the data stored and the risks to which they are exposed.
Personal data is processed with the level of protection legally required to guarantee its security and prevent its alteration, loss, processing or unauthorised access, taking into account the state of the technology. The Users are aware and accept that Internet security measures are not impregnable.
Whenever CP accesses personal data, it undertakes to:
The data used to make payments, namely that relating to credit/debit cards, is provided directly on the platforms of the respective service providers. CP does not have access to this data.
If CP subcontracts other entities to provide services involving the transfer of personal data, these entities will be obliged to adopt the necessary technical and organisational measures to protect personal data against destruction, loss, alteration, disclosure, unauthorised access or any other type of unlawful processing.
In accordance with the provisions of the GDPR, Users may exercise their rights of access, rectification, erasure, restriction of processing, portability, opposition and revocation of consent directly in their Client Area or by requesting it in writing by any of the following means, specifying the right or rights they wish to exercise:
Postal address: Calçada do Duque, 20, 1249-109 Lisbon
Users also have the right to lodge a complaint with the National Data Protection Commission (CNPD) regarding matters relating to the exercise of their rights and the protection of their personal data through www.cnpd.pt.
The Website may contain advertising, links or other content that link or redirect to pages and services of suppliers, advertisers, affiliates, CP sponsors and other third parties.
Searching or interacting on any other website, including those that have an external link to the website, is subject to the terms and conditions of that website and CP is not in any way liable for any access and use thereof.
Updated on 21 September 2023