Privacy policy

• Name: CP – Comboios de Portugal, E.P.E. (hereinafetr “CP”).
• Head office: Calçada do Duque, 14, 16, 18 and 20, 1249-109 Lisbon.
• NIPC: 500 498 601.
• Email:  institucional@cp.pt.
• Telephone: 808 109 110.

The protection of the personal data of natural persons is protected in Portugal by Law no. 58/2019 of 8 August and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 ("General Data Protection Regulation" or "GDPR"), which ensure the protection of natural persons with regard to the processing of personal data and the free movement of such data. "Personal data" means any information of any nature and regardless of its medium, including sound and image, relating to an identified or identifiable natural person, so the protection does not cover the data of legal persons (Companies etc.). An identifiable person is one who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity (for example, their name associated with their telephone number or email address.

By reading this Privacy Policy, Users are informed about the processing of personal data carried out by CP through cp.pt

The personal data we collect and process through the Website above will only be used for the following purposes:

   a) To conclude the transport contract and manage the contractual relationship established with customers, including validation, inspection and official reports;

   b) To deal with and respond to requests for information, suggestions, compliments, complaints, refunds and the defence of fines;

   c) To manage the procedures for handing in lost objects;

   d) To provide the SIM service (Integrated Mobility Service available to people with reduced mobility);

   e) To receive spontaneous applications and recruitment processes;

   f) To improve the browsing experience on the cp.pt website and CP App (cookies);

   g) To provide information related to changes or occurrences with the services provided (e.g. traffic changes);

   h) To provide information on CP and its partners' products, services and promotions, sending newsletters and running competitions;

   i) To carry out customer satisfaction surveys;

   j) To answer service evaluation questionnaires;

   k) To manage the relationship with the Customer s(e.g. tailor-made services) by consulting all the data subject's interactions with CP;

   l) To segment customers to improve the offer of services or tariffs and loyalty programmes according to the tastes and preferences for using the services provided.

CP guarantees the confidentiality of all data provided. Although CP collects and processes data in a secure manner that prevents its loss or manipulation, using the most appropriate techniques for this purpose, it should be borne in mind that collecting data on open networks does not allow personal data to circulate in conditions of absolute security, with the risk of it being accessed and used by unauthorised third parties.

Failure to give data marked as mandatory may mean that it is impossible to respond to the data subject's request.

CP processes Users' personal data when:

• The data subject has given their consent to the processing of their personal data for one or more specific purposes;
• It is for the performance of a contract to which the data subject is a party or for pre-contractual steps at the request of the data subject;
• Processing is necessary for the fulfilment of a legal obligation to which the controller is subject;
• Processing is necessary for the defence of the vital interests of the data subject or of another natural person;
• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• Processing is necessary for the purposes of the legitimate interests of the controller or a third party, except where the interests or fundamental rights and freedoms of the data subject which require the protection of personal data prevail.

The User guarantees that the information provided is true, accurate, complete and up-to-date and is responsible for any damage or loss, direct or indirect, that may be caused as a result of the breach of this guarantee.

If the data provided belongs to a third party, the User guarantees that they have informed the third party of the aspects contained in this document and obtained their authorisation to provide their data to CP for the purposes indicated.

CP only keeps and processes your personal data for as long as it is necessary or obligatory for the fulfilment of the purposes described above, applying information retention criteria appropriate to each processing and confirming the applicable legal and regulatory obligations.

CP stores personal data in its systems according to the following criteria:

• for a period of time not exceeding the fulfilment of the purposes for which they were collected, provided that legal or contractual obligations do not provide otherwise;
• to fulfil specific legal or contractual obligations;
• when applicable and legitimate until the eventual request for opposition or deletion by the Data Subject.

At the end of the retention period, CP will delete it, subject to the appropriate technical and functional guarantees, as documented in each of the relevant processes.

In addition to the communications carried out to meet legal obligations, the personal data of the Data Subject may be known, apart from CP, by partners and subcontractors, exclusively for the purpose of providing the contracted service, including:

• Other railway operators;
• Transport operators complementary to the railway service;
• Vehicle hire companies;
• Accommodation units;
• Transport ticket sales and assistance services (travel agencies, helpline);
• Electronic mail services;
• Information technology services, namely application management and administration, infrastructure provision and analytics;
• Auditing and other similar services;
• Payment and fraud control services;
• Other support and consultancy service providers in the areas of CP's activity.

The data provided may also be transferred to official entities to meet legal obligations.

The entities in question may vary according to the specific service, and the data subject can obtain information about these services and CP's partners from its commercial area.

Personal data may also be disclosed exclusively for the purposes indicated above, in accordance with the consent granted by the data subject.

The personal data collected will be processed within the European Economic Area, and there will be no international data transfers to third countries or international organisations.

In the event that personal data is processed outside the European Economic Area, this will only take place subject to the adoption of appropriate guarantees and the required level of protection, in accordance with legislation on personal data protection.

CP has implemented the appropriate technical and organisational security measures to guarantee the security of the personal data Users provide to prevent its alteration, loss, processing and/or unauthorised access, taking into account the current state of technology, the nature of the data stored and the risks to which they are exposed.

Personal data is processed with the level of protection legally required to guarantee its security and prevent its alteration, loss, processing or unauthorised access, taking into account the state of the technology. The Users are aware and accept that Internet security measures are not impregnable.

Whenever CP accesses personal data, it undertakes to:

• Store them by means of legally required security measures of a technical and organisational nature that guarantee their security, preventing alteration, loss, processing or unauthorised access, in accordance with the state of the technology at any given time, the nature of the data and the possible risks to which they are exposed;
• Use the data exclusively for the purposes previously defined;
• Implement physical security measures to protect the facilities;
• Ensure that data is only processed by employees whose intervention is necessary to meet the request of the data subject and who are bound by the duty of secrecy and confidentiality. If the information may be disclosed to third parties for these purposes, they are obliged to maintain due confidentiality in accordance with the provisions of this document.

The data used to make payments, namely that relating to credit/debit cards, is provided directly on the platforms of the respective service providers. CP does not have access to this data.

If CP subcontracts other entities to provide services involving the transfer of personal data, these entities will be obliged to adopt the necessary technical and organisational measures to protect personal data against destruction, loss, alteration, disclosure, unauthorised access or any other type of unlawful processing.

In accordance with the provisions of the GDPR, Users may exercise their rights of access, rectification, erasure, restriction of processing, portability, opposition and revocation of consent directly in their Client Area or by requesting it in writing by any of the following means, specifying the right or rights they wish to exercise:

Email: protecaodado@cp.pt
Postal address: Calçada do Duque, 20, 1249-109 Lisbon

Users also have the right to lodge a complaint with the National Data Protection Commission (CNPD) regarding matters relating to the exercise of their rights and the protection of their personal data through www.cnpd.pt.

The Website may contain advertising, links or other content that link or redirect to pages and services of suppliers, advertisers, affiliates, CP sponsors and other third parties.

CP does not control the content or links that appear on those pages and is not responsible for the practices used by those pages or websites. CP advises Users to visit the privacy policy of these pages and read their terms and conditions.

Searching or interacting on any other website, including those that have an external link to the website, is subject to the terms and conditions of that website and CP is not in any way liable for any access and use thereof.

CP reserves the right to revise this Policy at any time it deems appropriate, so Users are recommended to check this privacy policy regularly and/or each time they access the Website.

Updated on 21 September 2023