Privacy notice
The Shrine of Our Lady of the Rosary of Fatima (hereinafter, Shrine of Fatima) is committed to ensuring the security of personal data processed under its responsibility. In this context, this Privacy Notice is intended to inform you of how your personal data is collected and used within this Institution, in accordance with Regulation (EU) 2016/769 of the European Parliament and of the Council of 27 April 2016 (hereinafter, GDPR) and Law no. 58/2019 of 8 August 2019, which establishes its implementation in the national legal order.
In compliance with the principles of transparency and fairness, we answer the main questions about the processing of personal data carried out in the various activities of the Shrine of Fatima, in order to ensure its accuracy, integrity and confidentiality, guaranteeing that such processing is lawful, fair, transparent and limited to the purposes for which it is carried out.
1. Who is responsible for processing?
The Shrine of Fatima is the entity responsible for collecting and processing personal data and, in this context, decides which data is collected, as well as the grounds, purposes and means of processing. It also ensures that those authorised to process personal data have undertaken a commitment to confidentiality or are subject to it by appropriate legal obligations.
Given its commitment in this area, the Shrine of Fatima has appointed a Data Protection Officer and set up a Data Protection Committee. Therefore, for questions regarding the content of this Privacy Notice, the following contacts are available:
• Address: EPD – Santuário de Fátima – Rua de Santa Isabel, 360 – 2495-424 Fátima
• Email: dpo@fatima.pt
• Phone: (+351) 249 539 600
2. What personal data do we collect?
“Personal data” means the set of information that relates to a specific data subject and allows them to be identified, directly or indirectly. In this case, the following can be collected:
• identification and contact details, such as name, tax identification number, age, date of birth, telephone number, email address, address, payment details and electronic identifiers;
• profile data, such as history of products purchased or favourite items.
3. What are the purposes for collecting data?
Personal data will be processed exclusively for the purposes described when it was collected, or for purposes compatible with the initial aim, namely:
• Online – As part of the online account, personal data is used to allow the user to buy items remotely and access his/her purchase history.
• Transaction management – Whenever a user provides his/her tax identification number in a purchase, it will need to be registered and transmitted to the Tax Authority.
• Direct marketing – Contact details (email address, telephone number...) will be required so that we can send you information about news, campaigns and offers, discounts or benefits, whether generic or targeted. This service will be subscribed to with your consent, which may be withdrawn at any time.
4. What are the grounds for data processing?
Personal data will only be processed when there is a legal basis for doing so, such as:
• execution of a contract you have signed with the Shrine of Fatima, through the purchase and sale of acquired products;
• to fulfil a legal obligation;
• with the consent of the data subject, for direct marketing purposes.
5. How long will the data be stored?
The personal data collected and processed is stored in specific databases for this purpose, taking into account his/her purpose and respecting the applicable legal deadlines.
In cases where a legal deadline does not apply, such data will only be stored and kept for the appropriate period and to the extent necessary, taking into account the purposes for which they were collected, unless at any time the data subject, within the legal limits, exercises his/her rights of opposition or erasure, or withdraws his/her consent.
6. What security measures are in place?
The Shrine of Fatima has implemented appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, dissemination or unauthorised access. An adequate level of security is considered to be in place with regard to the risks presented by the processing, given the nature of the data to be protected and in accordance with the legislation on the protection of personal data.
The following security measures are indicated, among others:
• protection of information technology systems through firewalls, in order to prevent unauthorised access to your personal data;
• permanent monitoring of access to information technology systems in order to prevent, detect and stop the misuse of your personal data;
• the localisation of servers within the European Economic Area.
7. What are the data subject’ rights?
With regard to personal data concerning the data subject, under the terms and conditions laid down by law, they may exercise the following rights:
• Right of access: to obtain confirmation as to whether or not your personal data is being processed and, if so, to access it.
• Right to rectification: to obtain the rectification of inaccurate personal data concerning you and request that incomplete personal data be completed.
• Right to erasure: to obtain the erasure of your personal data, except in cases where there are grounds for validating its retention.
• Right to restriction of processing: to obtain restriction of the processing of personal data when it relates to certain categories or purposes of processing.
• Right to portability: to receive the personal data provided in a structured, commonly used and machine-readable format, as well as to request the transmission of your personal data to another data controller.
• Right to object: to object at any time to certain processing of your personal data, for example in the case of processing of personal data for direct marketing purposes.
• Right not to be subject to automated individual decisions, including profiling: not to be subject to any decision taken solely on the basis of automated processing, including profiling, which produces effects in your legal sphere or significantly affects you in a similar way.
In addition, the data subject has the right to withdraw his/her consent whenever they have given it, without, however, invalidating the processing carried out up to the date of the request.
8. How can data subjects exercise their rights?
Under the legal terms in force, namely those established by the GDPR, including the exceptions and limitations to which they are subject, data subjects may exercise their rights by submitting a written request to the Shrine of Fatima, to the contacts indicated in point 3.1.
In addition, the data subject has the right to lodge a complaint with the National Data Protection Commission or other competent supervisory authority, as well as to resort to any other judicial remedy, if he or she considers that his or her personal data is not being processed lawfully by the Shrine of Fatima, under the terms of the legislation in force and this notice.
9. Is personal data shared?
Within the scope of its activity, the Shrine of Fatima may have recourse to subcontractors, who will access and process personal data at its request, in accordance with duly established policies and instructions. These third parties may be public authorities, partners, suppliers, service providers, among others.
The Shrine of Fatima requires that such subcontractors and third parties offer guarantees of confidentiality and prove that they have in place appropriate technical and organisational measures to comply with the requirements of the GDPR and other applicable legislation, as well as to defend the rights of the personal data subjects.
The Shrine of Fatima may also share personal data when this is necessary or appropriate in the light of the applicable legislation:
• to fulfil legal obligations;
• to respond to requests from public authorities;
• to defend the vital interests of the data subject or third parties;
• to protect the rights and property of the Shrine of Fatima;
• or when informed consent is given.
9.1. Transfers of personal data to third countries
The activities carried out by the Shrine of Fatima may involve the transfer of personal data to third countries located outside the European Union or which do not belong to the European Economic Area. In such situations, all necessary and appropriate measures will be taken to ensure the protection of personal data.
9.2. Cookies policy
Cookies are used on the digital platforms of the Shrine of Fatima, which may mean that third parties have access to users’ personal data. Specific information on this topic is described in our Cookie Notice.
10. Updating this Privacy Notice
The Shrine of Fatima reserves the right to make adjustments or changes to this Privacy Notice at any time, and such changes will be duly updated and publicised on the appropriate physical or digital platforms, namely on the online shop page.
By continuing your relationship with the Shrine of Fatima following a change to the Privacy Notice that has been communicated by this means, you assume that you have learnt of it and accept its terms.
Fatima, 1st December 2023