Article 1 – Purpose
This Policy establishes the principles, rules, and procedures governing the processing of personal data by QHSE FORMAÇÃO E CONSULTORIA, LIMITADA, hereinafter referred to as QHSE-FC, in accordance with Law No. 22/11 of June 17 – Personal Data Protection Law (LPDP), ensuring respect for the fundamental rights, freedoms, and guarantees of data subjects.
Article 2 – Scope of Application
This Policy applies to all personal data processing operations carried out by QHSE-FC in the course of its activities, including those performed via computer, digital, or manual means, and covers data of clients, employees, suppliers, partners, candidates, and users of its services or digital platforms.
Article 3 – General Principles of Processing
Personal data processing by QHSE-FC is conducted lawfully, fairly, and transparently. Data is collected for specific, explicit, and legitimate purposes and is not processed in a manner incompatible with those purposes. Only data that is adequate, relevant, and not excessive in relation to the purposes for which it is collected is processed. Data is accurate and updated whenever necessary. Data is retained only for the period strictly necessary to achieve the processing purposes.
Article 4 – Categories of Personal Data
QHSE-FC may process identifying data (such as name, ID number, date of birth), contact data (phone, address, email), financial data (tax ID, IBAN, bank account), professional data (position, qualifications, CV), and, when necessary, sensitive data under Article 6 of the LPDP, based on an appropriate legal ground and the explicit consent of the data subject.
Article 5 – Legal Basis for Processing
Personal data processing by QHSE-FC is based on the data subject’s consent, contract execution or pre-contractual steps, compliance with legal obligations, protection of vital interests of the data subject, performance of public interest functions, or legitimate interests of the Company that do not conflict with the rights of the data subject.
Article 6 – Data Subject Consent
Consent of the data subject is required when no other legal basis exists. It must be freely given, specific, informed, and explicit, in writing or by equivalent means, prior to processing. The data subject may withdraw consent at any time, without affecting the lawfulness of processing carried out beforehand.
Article 7 – Data Subject Rights
Under the LPDP, data subjects have the right to access, rectify, update, erase, anonymize, and port their data, and to object to or restrict its processing. They may also file a complaint with the Angolan Data Protection Agency (APD) in accordance with the law.
Article 8 – Notification to the Data Protection Agency
Under Article 27 of the LPDP, QHSE-FC commits to notify the Data Protection Agency in advance of all personal data processing operations it carries out, except for cases expressly exempted by law.
Article 9 – International Data Transfers
Personal data transfer outside Angola will only be conducted with prior authorization from the Data Protection Agency, ensuring that the destination country or recipient entity provides a level of protection equivalent to that provided under the LPDP, pursuant to Article 33 of the Law.
Article 10 – Subcontractors and Third-Party Access
QHSE-FC may engage subcontractors for processing operations, provided they comply with applicable data protection obligations. Third-party access will only occur under a contractual agreement and where strictly necessary for the intended purpose, ensuring confidentiality and data integrity.
Article 11 – Data Security
QHSE-FC adopts appropriate technical and organizational measures to protect personal data against destruction, loss, alteration, unauthorized access, or disclosure. Measures include access control, encryption of sensitive data, access logging, staff training, and internal information security policies.
Article 12 – Data Retention
Personal data is retained only for the period necessary to achieve the processing purposes or while a legal or contractual obligation justifies its retention. After this period, data is securely deleted, anonymized, or archived.
Article 13 – Personal Data Breaches
In the event of a personal data breach, QHSE-FC will notify the Data Protection Agency in accordance with Article 21 of the LPDP and, if applicable, the data subject, when the breach may seriously affect their rights or freedoms.
Article 14 – Record of Processing Activities
QHSE-FC maintains an up-to-date record of all processing operations under its responsibility, identifying the categories of data processed, purposes, recipients, retention periods, and security measures applied, pursuant to Article 31 of the LPDP.
Article 15 – Policy Review and Publication
This Policy is reviewed periodically or whenever relevant legislative, regulatory, or organizational changes occur. The updated version will be made available upon request and accessible via the Company’s institutional channels.
Article 16 – Contact for Exercising Rights
Data subjects may exercise their rights by contacting QHSE-FC in writing via email at geral@qhse.co.ao. The Company commits to respond within the legally established timeframe, clearly and transparently.
Article 17 – Institutional Commitment
QHSE-FC reaffirms its commitment to personal data protection as an integral part of its ethical and compliance culture, ensuring secure, responsible, and transparent processing of data for clients, employees, and partners.
Luanda, January 6, 2025
Revision: 00