Privacy policy

CP - Comboios de Portugal, E.P.E. (from now on CP), as the entity responsible for the processing of personal data provided to it under Regulation (EU) 2016/679, of the European Parliament and of the Council of 27 April 2016, commonly referred to as General Data Protection Regulation (GDPR), with Law no. 58/2019 of 8 August, and other applicable domestic and EU legislation, has adopted the Privacy Policy, disclosed in this document, which sets out how it handles Personal Data, ensuring its confidentiality, integrity, availability and security.

This Personal Data Privacy Policy applies to all personal data CP processes through various forms and channels.

When information of a personal nature, designated as "Personal Data", is requested from data subjects, they are made aware of this Privacy Policy and CP's Terms and Conditions of use and provision of services.

Processing operations CP carries out to comply with the fundamental principles of data protection, which ensure the smooth running of processes, trust with customers and partners, and the image with the public.

Personal Data is:

CP ensures that all personal data is processed lawfully, i.e. in strict compliance with the grounds of lawfulness provided for in the GDPR. Such grounds for lawfulness exist when at least one of the following situations arises:

- The data subject has given their consent to the processing of their personal data for one or more specific purposes;

- It is for the performance of a contract to which the data subject is a party, or for pre-contractual steps at the request of the data subject;

- Processing is necessary for compliance with a legal obligation to which the controller is subject;

- Processing is necessary to protect the vital interests of the data subject or another natural person;

- Processing is necessary for the performance of a task carried out in the public interest or the exercise of official authority vested in the controller;

Processing is necessary for the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require personal data protection.

The Personal Data transmitted by the holder, in the different means of interaction with CP, is intended for one or more of the following purposes:

• Concluding the transport contract and manage the contractual relationship established with customers, including the validation, inspection and issuing of notices;
• Handling and responding to requests for information, suggestions and complaints;
• Delivery of lost property;
• Providing the SIM service (Integrated Mobility Service, available to people with reduced mobility);
• Receiving spontaneous applications and recruitment processes;
• Improve browsing experience on the www.cp.pt website and CP App (cookies);
• Providing information related to changes or occurrences with the services provided (e.g., traffic changes);
• Providing information on CP and its partners' products, services and promotions, sending newsletters and holding competitions;
• Conducting customer satisfaction surveys;
• Answering service evaluation questionnaires;
• Managing the relationship with the client (e.g. tailor-made services), consulting all interactions of the data subject with CP;
• Customer segmentation, to improve the offer of services or tariffs and loyalty programmes according to tastes and preferences in the use of the services provided;

The processing of Personal Data transmitted by the data subject may require their express consent according to its intended purpose. In these cases, permission is given freely, specifically, informed and unambiguously by the data subject in each different means of interaction with CP.

CP requires the data subject's consent for the following processing purposes in particular:

1. To carry out the interconnection of the data subject's data and profiling, given the history of interactions with CP, to allow CP to provide personalised customer service at any of its points of contact;
2. CP loyalty programme and personalised offers.

For art. 8(1) of the GDPR and article 16(2) of Law 58/2019 of 8 August regarding the direct offer of services of the so-called information society, CP guarantees that children under 13 years are not asked for personal data unless the prior express consent of the respective holders of parental responsibilities has been obtained, who should have been aware of this Privacy Policy.

The data holder may request the withdrawal of any of the consents to the processing at any time.

The withdrawal of consent concerning particular processing of personal data shall not affect the lawfulness of the processing previously carried out based on that consent previously given.

The data subject may withdraw through the website, in their myCP personal area or by filling out the specific form, available and to be delivered at the box office or customer support office upon unequivocal identification of the data subject.

CP shall adopt administrative, technical, physical and organisational measures to ensure the security, integrity and privacy of the personal data of the data subjects, appropriate to the risk of each process and consistent with established practices in the European Union. These measures protect personal data against destruction, loss, alteration, unauthorised disclosure or access.

Partners and subcontractors, who have access to personal data, must adopt the organisational and technical security measures and protocols needed to protect such data.

The data used to make payments relating to credit/debit cards is provided directly on the platforms of the respective service providers. CP does not have access to such data.

The data subject guarantees that the personal data they provide is true and accurate and undertakes to notify of any changes. Any damage caused to CP or any third party through the provision of erroneous, inaccurate or incomplete information will be the sole responsibility of the person who entered or provided it.

The data subject undertakes not to disclose their username and password. If they choose to share them with anyone, they are fully responsible for all activities carried out through their personal area of myCP.

CP's provision of information or services may eventually imply the transmission of or access to personal data by partners and subcontractors. CP shall only use entities that provide sufficient guarantees of implementation of appropriate technical and organisational measures so that the processing ensures compliance with applicable law, regulating the processing carried out by such entities through a contract with them. The categories of partners and subcontractors include:

• Other rail operators;
• Transport operators complementary to the railway service;
• Vehicle rental companies;
• Accommodation units;
• Ticketing and customer care services (Travel Agencies, Helpline);
• Electronic mail services;
• Information Technology Services, namely management and administration of applications, infrastructure supply and analytics;
• Auditing services and other similar services;
• Payment and fraud control services;
• Other service providers in the areas of support and consultancy to the activity of CP.
• The data provided may also be transferred to official entities in compliance with legal obligations.

CP only transfers personal data to entities located in a country outside the European Economic Area (EEA) in compliance with legal obligations or if compliance with national and EU legal standards is ensured.

CP does not sell, buy, or trade in personal data.

Data protection legislation grants the data subject the right to information on the purposes and processing of their data, as well as the right to access, rectify, erase, limit the processing, as well as the right to data portability and to oppose the processing of their data and not be subject to automated individual decisions, as applicable.

To exercise the rights described above, the data subject should contact the CP Data Protection Officer: protecaodado@cp.pt.

If the data subject has only provided their personal data through myCP, the deletion of his registration is equivalent to the erasure of their data, except for those that must be kept, particularly for compliance with legal obligations. Deletion of myCP registration will mean you cannot access your personal data and purchases. In this case, all after-sales operations (e.g. reissues/refunds) must be done in person at a ticket or customer support office.

The data subject can also complain to the competent national supervisory authority.

Whenever there is no specific legal requirement, Personal Data will be kept only for the time strictly necessary to fulfil its intended purposes.

The time the data is kept depends on the purpose for which the information is processed, after which it will be deleted, subject to appropriate technical and functional guarantees, as documented in each of the relevant processes.

CP includes hyperlinks on its website to other web pages or resources managed by third parties, including its partners.

CP accepts no responsibility for the content, integrity, availability and privacy practices of such web pages or external resources. It neither accepts nor is directly or indirectly responsible for any damage, loss or infringement caused, or presumably caused, or related to the use of these Internet pages or external resources.

The cp.pt website uses cookies to collect and store information to provide more personalised service. A cookie is a small information file placed on the user's device (e.g. PC, mobile phone). It allows the user to remember their choices, dates and previous routes, i.e. it stores the user's preferences regarding the use of the site, personalising their experience, so it is not necessary to re-configure the site each time they visit.

Type of cookies used

Essential cookies

Some cookies are essential to access specific areas of the website. They allow navigation on the site and its applications, such as accessing secure areas of the site through login. Without these cookies, services that require them cannot be provided.

Analytical cookies

These cookies gather information regarding your use of the website, for example: which pages you access most frequently. This data can help optimise our web pages and make navigation easier. These cookies do not collect information that identifies you. All information gathered by these cookies is aggregated and, therefore, anonymous.

Function cookies

These cookies enable website pages to remember the choices you make when you are browsing, i.e. they save your preferences regarding the use of the website so that you do not need to re-configure the website each time you visit.

Advertising cookies

These cookies help measure the effectiveness of advertising. However, they do not identify the user.

In most cases, cookies are deleted when you close your browser (session cookies). Some more persistent cookies remain in your browser until you delete them or they expire.

You can modify your browser settings to block or delete cookies or to notify you when a new cookie is stored on your computer so that you can decide whether to accept or decline it. If you choose to block or delete our cookies, you may not be able to access the full range of our services, and it may have some effect on the performance of our website on your system.

You can find more information about each type of browser (e.g. Firefox, Chrome, Explorer, Opera) on the respective institutional websites.

The data subject may contact us for questions on the application of the General Data Protection Regulation and other applicable legislation on data protection by CP, through the website, on the Customer Information/Contacts page, by email at protecaodado@cp.pt, or by post to:

Data Protection Officer
CP- Comboios de Portugal
Calçada do Duque, nº 20
1249-109, Lisbon, Portugal

CP may alter this Privacy Policy at any time, without prior notice and with immediate effect, to ensure the adequacy of the document.

These changes will be duly publicised on the website www.cp.pt and at ticket offices.

This Privacy Policy was updated on 24 March 2022.