PRIVACY POLICY

GENERAL

1.1. COLLECTION AND PROCESSING OF USER/CUSTOMER DATA

The SUSHICAFÉ GROUP, composed of various companies, namely: Esfera Janota, Lda with VAT number 513487174, Ásia Café Original, Lda with VAT number 513023089, Sushicafé Original, Lda with VAT number 508595614, Sushicorner, Lda with VAT number 509520910, Izanagi, Lda with VAT number 515233374, Carbon Neutrality, Lda with VAT number 516499653, Oeste Road, Lda with VAT number 517850923, Sceogest, Lda with VAT number 510996043, all headquartered at Doca de Santo Amaro, warehouse 0, 1350-353 Lisbon, and registered at the Lisbon commercial registry.

To provide its Customers with meal services, information, and access to www.gruposushicafe.pt, recruitment forms, and contact request forms, newsletters, the Group may request that the Customer provides data that allows their identification, henceforth referred to as “Personal Data”.

These data will be requested upon registration on the website, when filling out and submitting job application forms or information requests, when subscribing to newsletters and services, purchasing a specific product, or registering for activities or events provided by the SUSHICAFÉ GROUP.

For purposes of personnel selection, recruitment, and employment contract execution, only the necessary personal data will be collected according to the legal basis.

Whenever Personal Data is collected, the SUSHICAFÉ GROUP will inform the Customer about the reason for collecting the data, its purpose, and how the data will be processed.

In the case of using the Group's Wi-Fi network, the IP address may also be collected.

The SUSHICAFÉ GROUP also collects and processes information about your hardware and software, as well as information about the pages visited by the Customer on the Site. This information may include: your browser type, domain name, access times, and hyperlinks through which the user/customer accessed the Site (“Usability Information”). We use this information only to improve the quality of your visit to our Site and/or Application.

Usability Information and Personal Data are referred to in this Privacy Policy as “Personal Data”.

The SUSHICAFÉ GROUP and its constituent companies are responsible for processing personal data, drafting the Privacy Policy, and have appointed a data protection officer responsible for implementing and ensuring compliance with the privacy policy, who can be contacted at: geral@gruposushicafe.com.

1.2. SUBCONTRACTED ENTITIES

In the context of processing user/customer data, the SUSHICAFÉ GROUP uses or may use third-party entities subcontracted by it to process user/customer data on its behalf, in accordance with the instructions provided by it, in compliance with the law and this Privacy Policy.

These subcontracted entities may not transfer user/customer data to other entities without prior written authorization from the SUSHICAFÉ GROUP, and are also prohibited from subcontracting other entities without prior authorization from the SUSHICAFÉ GROUP.

The SUSHICAFÉ GROUP is committed to subcontracting only entities that provide sufficient guarantees of implementing appropriate technical and organizational measures to ensure the defense of user/customer rights. All subcontracted entities by the SUSHICAFÉ GROUP are bound by a written contract that regulates, among other things, the object and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects, and the rights and obligations of the parties.

At the time of personal data collection, the SUSHICAFÉ GROUP provides the user/customer with information regarding the categories of subcontracted entities that may process data on behalf of the SUSHICAFÉ GROUP in specific cases.

1.3. DATA COLLECTION CHANNELS

The SUSHICAFÉ GROUP may collect data directly (i.e., directly from the user/customer) or indirectly (i.e., through partner entities or third parties). The collection may be made through the following channels:

  • Direct Collection: in person, by phone, by email, and through the Site;

  • Indirect Collection: through partners or group companies, through the data subject's responsible party if they are legally incapable of giving consent, and official entities.

2. GENERAL PRINCIPLES APPLICABLE TO USER/CUSTOMER DATA PROCESSING

Regarding the general principles applicable to personal data processing, the SUSHICAFÉ GROUP is committed to ensuring that the user/customer data it processes are:

  • Processed lawfully, fairly, and transparently concerning the user/customer;

  • Collected for specified, explicit, and legitimate purposes, and not processed further in a manner incompatible with those purposes;

  • Adequate, relevant, and limited to what is necessary for the purposes for which they are processed;

  • Accurate and, where necessary, kept up to date, with appropriate measures taken to ensure that inaccurate or incomplete data are erased or rectified, considering the purposes for which they are collected or for which they are processed further;

  • Kept in a form that allows the identification of the user/customer only for as long as necessary for the purposes for which the data are processed;

  • Processed in a manner that ensures their security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.

The data processing carried out by the SUSHICAFÉ GROUP is lawful and legitimate when at least one of the following situations occurs:

  • The user/customer has given their free and explicit consent for the processing of their data for one or more specific purposes;

  • The processing is necessary for the performance of a contract to which the user/customer is a party or for pre-contractual steps at the user's/customer's request;

  • The processing is necessary for compliance with a legal obligation to which the SUSHICAFÉ GROUP is subject;

  • The processing is necessary to protect the vital interests of the user/customer or another natural person;

  • The processing is necessary for the purposes of the legitimate interests pursued by the SUSHICAFÉ GROUP or by a third party (unless the interests or fundamental rights and freedoms of the user/customer that require the protection of personal data prevail).

The SUSHICAFÉ GROUP ensures that the processing of user/customer data is carried out only under the conditions listed above and respecting the principles mentioned above.

When the processing of user/customer data is based on the user's/customer's consent, the user/customer has the right to withdraw their consent at any time. The withdrawal of consent does not compromise the lawfulness of the processing carried out by the SUSHICAFÉ GROUP based on the previously given consent.

3. USE AND PURPOSES OF USER/CUSTOMER DATA PROCESSING

In general, the SUSHICAFÉ GROUP uses user/customer data for the following purposes:

  • Management of contacts with the user/customer;

  • Billing and collection from the user/customer;

  • Registration of the user/customer on the Site and the Application;

  • Informing the user/customer, upon their request, of new products and services available on the Site, special offers and campaigns, updated information on the SUSHICAFÉ GROUP's activity, and for marketing purposes through any communication means, including electronic support;

  • Allowing access to restricted areas of the Site, according to previously established terms;

  • Ensuring that the Site meets the user/customer's needs, through the development and publication of content tailored as closely as possible to requests and the type of user/customer, improving the Site and Application's search capabilities and functionalities, and obtaining aggregated or statistical information regarding the user/customer's profile (profiling);

  • Controlling user/customer access;

  • Providing Services and other services, such as newsletters, opinion surveys, or other information or products requested or purchased by the user/customer;

  • Using the user/customer's image for marketing, promotion, and team-building activities through any medium, when the image has been collected at events, parties, or other events promoted by the SUSHICAFÉ GROUP in which the user/customer participated;

  • Personnel selection and recruitment and managing the respective contractual relationship established with the SUSHICAFÉ GROUP.

The SUSHICAFÉ GROUP may combine Usability Information with anonymous demographic information for research purposes, and we may use the result of this combination to provide more relevant content on the Site. In certain restricted areas of the Site, the SUSHICAFÉ GROUP may combine Personal Data with Usability Information to provide the user/customer with more personalised content (profiling).

The user/customer data collected by the SUSHICAFÉ GROUP is not shared with third parties without the user/customer's consent, except in the situations referred to in the following paragraph. However, if the user/customer contracts services from the SUSHICAFÉ GROUP that are provided by other entities responsible for personal data processing, the user/customer's data may be consulted or accessed by these entities to the extent necessary for providing the referred services.

Under applicable legal terms, the SUSHICAFÉ GROUP may transmit or communicate user/customer data to other entities if such transmission or communication is necessary for the performance of the contract established between the user/customer and the SUSHICAFÉ GROUP or for pre-contractual steps at the user/customer's request, if it is necessary for compliance with a legal obligation to which the SUSHICAFÉ GROUP is subject, or if it is necessary for the legitimate interests pursued by the SUSHICAFÉ GROUP or a third party (e.g., in case of sale or transfer of part or all of the SUSHICAFÉ GROUP or its assets, between entities owned or related to the SUSHICAFÉ GROUP, or for debt collection purposes from the user/customer to the SUSHICAFÉ GROUP). In the event of user/customer data transmission to third parties, reasonable efforts will be made to ensure that the transferee uses the transmitted user/customer data appropriately under the Privacy Policy.

4. TECHNICAL, ORGANIZATIONAL, AND SECURITY MEASURES IMPLEMENTED

To ensure the security of user/customer data and maintain maximum confidentiality, we treat the information you provide with absolute confidentiality, following our internal security and confidentiality policies and procedures, which are periodically updated as needed, as well as in accordance with the legally stipulated terms and conditions.

Given the nature, scope, context, and purposes of data processing, as well as the risks arising from the processing for the rights and freedoms of the user/customer, the SUSHICAFÉ GROUP is committed to applying the necessary and appropriate technical and organizational measures to protect user/customer data and comply with legal requirements. It also ensures that, by default, only data that is necessary for each specific processing purpose is processed, and that such data is not made available without human intervention to an indeterminate number of people.

Communication between the user/customer's device and the SUSHICAFÉ GROUP's website is carried out through secure channels using the HTTPS protocol and the SSL security standard. Nevertheless, in general terms, the SUSHICAFÉ GROUP adopts the following measures:

  • Regular audits to assess the effectiveness of implemented technical and organizational measures;

  • Awareness and training of staff involved in data processing operations;

  • Pseudonymisation and encryption of personal data;

  • Mechanisms to ensure the confidentiality, availability, and ongoing resilience of information systems;

  • Mechanisms to ensure timely restoration of information systems and access to personal data in the event of a physical or technical incident.

5. TRANSFER OF DATA OUTSIDE THE EUROPEAN UNION

The personal data collected and used by the SUSHICAFÉ GROUP are not made available to third parties established outside the European Union. If, in the future, such a transfer takes place for the reasons mentioned above, the SUSHICAFÉ GROUP is committed to ensuring that the transfer complies with applicable legal provisions, particularly regarding determining the adequacy of such a country concerning data protection and the applicable requirements for such transfers.

6. CODES OF CONDUCT AND CERTIFICATION PROCEDURES

Not applicable.

7. USE OF COOKIES

When you visit our Site, you will be asked for your consent to create and store a text file (Cookie) on your computer. This file will allow you to access the Site more easily and quickly, as well as personalise it according to your preferences. Most browsers accept these files (Cookies), but the user/customer can delete them or automatically set their blocking. In the "Help" menu of your browser, you will find how to configure these settings. However, if you do not allow the use of cookies, some functionalities of the Site and Application may not be available.

USER/CUSTOMER RIGHTS (DATA SUBJECTS)

Under applicable legal terms, the user/customer has the following rights:

8. RIGHT TO INFORMATION

8.1. Information provided to the user/customer by the SUSHICAFÉ GROUP (when data is collected directly from the user/customer):

  • The identity and contact details of the SUSHICAFÉ GROUP, responsible for the processing and, if applicable, its representative;

  • The contact details of the Data Protection Officer;

  • The purposes of the processing for which the personal data are intended, as well as, if applicable, the legal basis for the processing;

  • If the processing is based on the legitimate interests of the SUSHICAFÉ GROUP or a third party, an indication of such interests;

  • If applicable, the recipients or categories of recipients of the personal data;

  • If applicable, an indication that the personal data will be transferred to a third country or an international organisation, and whether or not there is a Commission adequacy decision or reference to appropriate or suitable transfer guarantees;

  • The period for which the personal data will be stored;

  • The right to request access to and rectification or erasure of personal data, as well as the restriction of processing or the right to object to processing, and the right to data portability;

  • If the processing is based on the user/customer's consent, the right to withdraw consent at any time, without affecting the lawfulness of the processing based on consent before its withdrawal;

  • The right to lodge a complaint with the CNPD or another supervisory authority;

  • An indication of whether the communication of personal data constitutes a legal or contractual obligation, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failing to provide such data;

  • If applicable, the existence of automated decision-making, including profiling, and information about the underlying logic, as well as the significance and expected consequences of such processing for the data subject.

If the user/customer data is not collected directly by the SUSHICAFÉ GROUP from the user/customer, in addition to the information referred to above, the user/customer is also informed about the categories of personal data processed and, where applicable, the source of the data and whether they originate from publicly accessible sources.

If the SUSHICAFÉ GROUP intends to carry out further processing of the user/customer data for a purpose other than that for which the data was collected, it will provide the user/customer with information about that purpose and any other relevant information, as mentioned above.

8.2. Procedures and measures implemented to comply with the right to information

The information referred to in 8.1. is provided in writing (including electronically) by the SUSHICAFÉ GROUP to the user/customer before the processing of personal data in question. Under applicable law, the SUSHICAFÉ GROUP is not required to provide the user/customer with the information mentioned in 8.1. when and to the extent that the user/customer already knows it.

The information is provided by the SUSHICAFÉ GROUP at no cost.

9. RIGHT OF ACCESS TO PERSONAL DATA

The SUSHICAFÉ GROUP ensures the means that allow the user/customer to access their personal data.

The user/customer has the right to obtain confirmation from the SUSHICAFÉ GROUP as to whether or not personal data concerning them are being processed and, if so, the right to access their personal data and the following information:

  • The purposes of the processing;

  • The categories of personal data concerned;

  • The recipients or categories of recipients to whom the personal data have been or will be disclosed, particularly recipients in third countries or international organisations;

  • The period for which the personal data will be stored;

  • The right to request rectification, erasure, or restriction of processing of personal data, or to object to such processing;

  • The right to lodge a complaint with the CNPD or another supervisory authority;

  • If the data was not collected from the user/customer, the available information about the source of the data;

  • The existence of automated decision-making, including profiling, and information about the underlying logic, as well as the significance and expected consequences of such processing for the data subject;

  • The right to be informed about the appropriate safeguards related to data transfer to third countries or international organisations.

Upon request, the SUSHICAFÉ GROUP will provide the user/customer, at no cost, with a copy of the personal data undergoing processing. The provision of other copies requested by the user/customer may incur administrative costs.

10. RIGHT TO RECTIFICATION OF PERSONAL DATA

The user/customer has the right to request, at any time, the rectification of their personal data and to have incomplete personal data completed, including by means of an additional declaration, whether through specific internet addresses for this purpose, specific areas of the Site, or by email (geral@gruposushicafe.pt), according to the terms of the Privacy Policy.

In case of data rectification, the SUSHICAFÉ GROUP will notify each recipient to whom the data has been disclosed of the respective rectification, unless such communication proves impossible or involves a disproportionate effort for the SUSHICAFÉ GROUP.

11. RIGHT TO ERASURE OF PERSONAL DATA (“RIGHT TO BE FORGOTTEN”)

The user/customer has the right to obtain from the SUSHICAFÉ GROUP the erasure of their data when one of the following reasons applies:

  • The user/customer data is no longer necessary for the purpose for which it was collected or processed;

  • The user/customer withdraws the consent on which the data processing is based, and there is no other legal basis for the processing;

  • The user/customer objects to the processing under the right to object, and there are no overriding legitimate grounds for the processing;

  • The user/customer data has been processed unlawfully;

  • The user/customer data must be erased to comply with a legal obligation to which the SUSHICAFÉ GROUP is subject;

  • The user/customer data has been collected in the context of offering information society services to children.

Under applicable legal terms, the SUSHICAFÉ GROUP is not required to erase the user/customer data to the extent that processing is necessary for compliance with a legal obligation to which the SUSHICAFÉ GROUP is subject or for the establishment, exercise, or defence of legal claims.

In case of data erasure, the SUSHICAFÉ GROUP will notify each recipient/entity to whom the data has been disclosed of the respective erasure, unless such communication proves impossible or involves a disproportionate effort for the SUSHICAFÉ GROUP.

When the SUSHICAFÉ GROUP has made user/customer data public and is obliged to erase it under the right to erasure, the SUSHICAFÉ GROUP will take reasonable steps, including technical measures, considering available technology and implementation costs, to inform data controllers processing the personal data that the user/customer has requested the erasure of any links to or copies or replication of such personal data.

12. RIGHT TO RESTRICTION OF PROCESSING OF PERSONAL DATA

The user/customer has the right to obtain from the SUSHICAFÉ GROUP the restriction of processing of their data if one of the following situations applies (the restriction consists of marking stored personal data with the aim of limiting its processing in the future):

If the accuracy of the personal data is contested by the user/customer, for a period enabling the SUSHICAFÉ GROUP to verify the accuracy of the personal data;

  • If the processing is unlawful, and the user/customer opposes the erasure of the personal data and requests the restriction of their use instead;

  • If the SUSHICAFÉ GROUP no longer needs the personal data for the purposes of the processing, but they are required by the user/customer for the establishment, exercise, or defence of legal claims;

  • If the user/customer has objected to processing, pending the verification whether the legitimate grounds of the SUSHICAFÉ GROUP override those of the user/customer.

When the processing of user/customer data is restricted, except for storage, such data will only be processed with the user/customer's consent or for the establishment, exercise, or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest.

The user/customer who has obtained the restriction of processing of their data in the cases mentioned above will be informed by the SUSHICAFÉ GROUP before the restriction of processing is lifted.

In case of restriction of processing of data, the SUSHICAFÉ GROUP will communicate the respective restriction to each recipient to whom the data has been transmitted, unless such communication proves impossible or involves a disproportionate effort for the SUSHICAFÉ GROUP.

13. RIGHT TO DATA PORTABILITY

The user/customer has the right to receive the personal data concerning them, which they have provided to the SUSHICAFÉ GROUP, in a structured, commonly used, and machine-readable format, and has the right to transmit those data to another data controller, if:

  • The processing is based on consent or on a contract to which the user/customer is a party; and

  • The processing is carried out by automated means.

The right to data portability does not include inferred or derived data, i.e., personal data that are generated by the SUSHICAFÉ GROUP as a consequence or result of the analysis of the data being processed.

The user/customer has the right to have the personal data transmitted directly from one controller to another, where technically feasible. The exercise of the right to data portability is without prejudice to the right to erasure of data.

14. RIGHT TO OBJECT TO PROCESSING

The user/customer has the right to object at any time, on grounds relating to their particular situation, to the processing of personal data concerning them, which is based on the legitimate interests pursued by the SUSHICAFÉ GROUP, or when the processing is carried out for purposes other than those for which the data was collected, including profiling, or when personal data are processed for statistical purposes.

The SUSHICAFÉ GROUP will cease the processing of user/customer data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the user/customer, or for the establishment, exercise, or defence of legal claims.

The user/customer has the right to object at any time to the processing of personal data concerning them for direct marketing purposes, including profiling to the extent that it is related to such marketing. If the user/customer objects to the processing for direct marketing purposes, the SUSHICAFÉ GROUP will cease the processing of personal data for that purpose.

The user/customer also has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or significantly affects them in a similar way, except if the decision:

  • Is necessary for entering into, or the performance of, a contract between the user/customer and the SUSHICAFÉ GROUP;

  • Is authorised by Union or Member State law to which the SUSHICAFÉ GROUP is subject;

  • Is based on the user/customer's explicit consent.

15. PROCEDURES FOR EXERCISING USER/CUSTOMER RIGHTS

As data subjects, user/customers are guaranteed the right to access, rectification, update, restriction, and erasure of their personal data (except for data that are indispensable for providing the services by the SUSHICAFÉ GROUP, duly identified as mandatory, or for complying with legal obligations to which the controller is subject), the right to object to their use for commercial purposes by the SUSHICAFÉ GROUP, and to withdraw consent without affecting the lawfulness of processing based on consent before its withdrawal, as well as the right to data portability.

The user/customer exercises their rights, directly or by written request to the SUSHICAFÉ GROUP, through the contact geral@gruposushicafe.com provided for this purpose.

The SUSHICAFÉ GROUP will respond in writing (including electronically) to the user/customer's request within a maximum period of one month from the receipt of the request, except in cases of special complexity, where this period may be extended to two months.

The SUSHICAFÉ GROUP reserves the right to charge administrative costs or refuse to follow up on the request if the user/customer's requests are manifestly unfounded or excessive, particularly due to their repetitive nature.

16. IMAGE RIGHTS

As they correspond to a legitimate interest in commercial disclosure pursued by the SUSHICAFÉ GROUP, it is considered that the collection and processing of the user/customer's image are lawful if the user/customer has given their consent. Whenever the user/customer participates in an event promoted by the SUSHICAFÉ GROUP, including parties, sports activities, or any other, including "Open Day", "Open Week", and "Birthday Dinners", and without prejudice to the right to honour, privacy, and self-image, as well as other applicable legislation to which the SUSHICAFÉ GROUP is subject, the user/customer's image may be collected, according to usual practices, for marketing, promotion, and team-building activities, including photographs, images, and sound. Also, within a legitimate interest in commercial disclosure, the SUSHICAFÉ GROUP may use such data in photos or videos displayed on its own communication media, including internet pages, Facebook pages, and other social networks, projectors, and LCDs installed in the Restaurants, newsletters, etc. The user/customer has the right to object to the use of their image by the SUSHICAFÉ GROUP under applicable legal terms and to request the SUSHICAFÉ GROUP to remove the user/customer's images from its communication media.

Occasionally, filming or photo sessions may take place within the Restaurants for promotional or other purposes, with notices posted in the Restaurants and specific areas where such sessions are taking place. In these cases, the user/customer also has the right to object to the use of their image under applicable legal terms, and should contact the SUSHICAFÉ GROUP for this purpose.

If the user/customer does not consent to the use of their image by the SUSHICAFÉ GROUP, they may not participate in any of the above-mentioned events, as the SUSHICAFÉ GROUP cannot ensure that the user/customer's image will not be collected.

17. PERSONAL DATA BREACHES

In the event of a data breach, and to the extent that such a breach is likely to result in a high risk to the rights and freedoms of the user/customer, the SUSHICAFÉ GROUP undertakes to communicate the personal data breach to the user/customer concerned within 24 hours of the incident.

Under legal terms, communication to the user/customer is not required in the following cases:

  • If the SUSHICAFÉ GROUP has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, particularly measures that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;

  • If the SUSHICAFÉ GROUP has taken subsequent measures to ensure that the high risk to the rights and freedoms of the user/customer is no longer likely to materialise; or

  • If communication to the user/customer would involve disproportionate effort for the SUSHICAFÉ GROUP. In such cases, the SUSHICAFÉ GROUP will make a public communication or take a similar measure through which the user/customer will be informed.

CONCLUSION

18. AMENDMENTS TO THE PRIVACY POLICY

The SUSHICAFÉ GROUP reserves the right to amend this Privacy Policy at any time. In case of modification of the Privacy Policy, the date of the last amendment, available at the top of this page, is also updated. If the amendment is substantial, a notice will be placed on the Site.

19. CONTACT

Without prejudice to the provisions of clause 15 regarding the exercise of the rights conferred on the user/customer under legal terms, if you wish to ask questions or complaints related to the Privacy Policy, you can do so through the email geral@gruposushicafe.com.

20. APPLICABLE LAW AND JURISDICTION

The Privacy Policy, as well as the collection, processing, or transmission of user/customer data, are governed by the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and the applicable legislation and regulations in Portugal.

Any disputes arising from the validity, interpretation, or execution of the Privacy Policy, or related to the collection, processing, or transmission of user/customer data, must be submitted exclusively to the jurisdiction of the judicial courts of the district of Lisbon, without prejudice to applicable mandatory legal norms.