Personal Data Protection Policy of the Multicert Website

The purpose of this personal data protection policy is to inform the user on how Multicert processes personal data while using Multicert Website (hereinafter "Website") and to comply with the provisions of the legislation on personal data protection, particularly, Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, "GDPR"), regarding the information to be provided to the user, the data subject.

When using the Website, Multicert processes personal data as a Data Controller for its own purposes (as listed below).

1. Identity and contact details of the Controller and Data Protection Officer.

• Name: Multicert - Serviços de Certificação Electrónica, S.A. ("Multicert")
• Head office Rua Soeiro Pereira Gomes, Lote 1, 1649-031 Lisboa, Portugal
• Share Capital: EUR 2.250.000,00
• Legal Person Number: 767.457
• Data Protection Officer: DataProtectionOfficer@sibs.com

 

2. Purposes and legal basis of processing, personal data categories and retention periods.

When using the Website, Multicert collects personal data from the user (some of which are essential and mandatory and some of which are optional, otherwise some features will not work):

Purpose	Legal basis	Personal Data	Retention period
Customer support	Performance of a contract (cf. Article 6(1)(b) GDPR)	Email address	Retention for the period necessary to prove compliance with legal obligations.
Sending commercial electronic communications about news, offers or promotions of Multicert’s solutions.	Consent of the data subject (see Article 6(1)(a) GDPR).	Email address | Name	5 years counting from the date on which the user has revoked its consent or the period necessary to prove compliance with legal obligations.
Online Store - Sale of Multicert Products and Provision of Multicert Services.	Performance of a contract to which the data subject is a party (Article 6(1)(b) GDPR).	Address | Company name | Email address | Name | Tax identification number (NIF) | Telephone number	Retention for the period necessary to prove compliance with legal obligations.
Response to contact requests	Performance of a contract (pre-contractual measures at data subject’s request) (see Article 6(1)(b) GDPR)	Email address | Name | Telephone number |	Retention for the period necessary to prove compliance with legal obligations.
Security and resilience of the Website	Legitimate interest in ensuring security and preventing fraud (Article 6(1)(f) GDPR)	Activity or traffic data | Address | Device ID | Device name | IP address | Geolocation | Make and model of the user's device | Operating System of device| Service status	5 years (Article 118(1)(c) of the Portuguese Criminal Code).
Selection and recruitment (receipt of applications for employment positions and internships)	Performance of a contract (pre-contractual measures at data subject’s request) (see Article 6(1)(b) GDPR)	Email address | Name | Telephone number	Retention for the period necessary to prove compliance with legal obligations.

 

The user can withdraw consent at any time (without affecting the lawfulness of the processing conducted on the basis of the consent previously given).

 

Multicert only stores personal data in order to allow the identification of data subjects for the period necessary or required for the fulfilment of the purposes indicated.

 

3. Data recipients.

In order to comply with legal obligations Multicert may have to share personal data with third parties, e.g. judicial or administrative authorities, as well as supervisory or regulatory bodies.

4. Service providers.

Multicert may use other Multicert Group companies, or third parties to provide certain services involving the processing of personal data on the Website, exclusively according to prior documented instructions given by Multicert.

 

5. International data transfers.

Personal data is processed within the territory of the European Union/European Economic Area (EU/EEA). Multicert may transfer personal data outside the EU/EEA in a secure and legal manner, ensuring that data is only transferred under the mechanisms provided for in Chapter V of the GDPR.

 

6. Data processing security.

Multicert has implemented the appropriate technical and organisational security measures to ensure the security of the personal data provided to it, in order to prevent its alteration, loss, processing and/or unauthorized access to it, taking into account the current state of the technology, the nature of the data processed and the risks to which they are exposed, and the user being aware that security measures are not impregnable.

 

7. Exercise of data subject rights.

Under the applicable terms of the legislation on the protection of personal data, the user may exercise, free of charge and at any time, the rights of: access; rectification; erasure ("right to be forgotten"); restriction; portability; object; by a written request addressed to the Multicert Data Protection Officer to the address indicated above, or to the following e-mail address: DataProtectionOfficer@sibs.com.

 

8. National supervisory authority.

The user has the right to lodge a complaint regarding personal data protection to Comissão Nacional de Proteção de Dados (CNPD).

 

9. Third-party websites and social networks

The Website may contain advertising, hyperlinks or other content that redirects the user to partner or third-party websites and/or social networks.

Multicert does not control the content of these websites and/or social networks and is therefore not responsible for it, or for the practices of said websites or social networks. Multicert therefore recommends users to consult the personal data protection policy of these websites, or social networks, and their terms and conditions of use.

 

10. Updating the Personal Data Protection Policy.

This personal data protection policy is reviewed and updated periodically and whenever necessary.

 

Updated on: 20/08/2025.