Privacy and Personal Data Protection Policy
Sousa Grilo & Associados – Sociedade de Advogados, SP, RL (hereinafter referred to as the “Firm” or the “Controller”), in the course of providing legal services, processes personal data relating to clients, potential clients, employees, partners and visitors to its website.
This Privacy and Personal Data Protection Policy (hereinafter the “Policy”) is intended to inform data subjects, in a transparent and accessible manner, about the processing practices adopted by the Firm, in strict compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the “GDPR”), Law No. 58/2019 of 8 August, which ensures the implementation of the GDPR in the Portuguese legal system, and any other applicable supplementary legislation.
The Firm attaches particular importance to the protection of privacy and the security of the personal data entrusted to it, and undertakes to process such data lawfully, fairly and transparently, in accordance with the principles set out in Article 5 of the GDPR.
01. IDENTITY AND CONTACT DETAILS OF THE CONTROLLER
For the purposes of Article 4(7) of the GDPR, the Controller is:
| Item | Details |
|---|---|
| Corporate Name | Sousa Grilo & Associados – Sociedade de Advogados, SP, RL |
| Tax Identification Number | 507 037 197 |
| Registered Office | Largo Dr. José Novais, n.º 134, 1.º direito, Barcelos, Portugal |
| Registration with the Portuguese Bar Association | No. 46/04 |
| Email | geral@sousagrilo.com |
| GDPR Contact Point | geral@sousagrilo.com |
Pursuant to Article 37 of the GDPR, the Firm has assessed whether it is required to appoint a Data Protection Officer (DPO). Considering that the Firm’s main activities do not involve, on a large scale, the processing of the special categories of data referred to in Article 9 of the GDPR or data relating to criminal convictions and offences referred to in Article 10 of the GDPR, nor the regular and systematic monitoring of data subjects on a large scale, none of the mandatory appointment situations provided for in Article 37(1) of the GDPR are currently applicable. The Firm has not appointed a DPO. Without prejudice to the foregoing, the contact point indicated above handles data protection matters.
02. CATEGORIES OF PERSONAL DATA PROCESSED
The Firm processes personal data relating to the following categories of data subjects, depending on the context of the relationship established:
Clients and Potential Clients (natural persons)
- Identification data: full name, Citizen Card number, tax identification number, date of birth, place of birth and nationality;
- Contact data: address, telephone number, email address;
- Economic and financial data: asset position, income and accounting information, insofar as relevant to the mandate;
- Procedural and legal data: facts underlying the legal relationship, evidentiary documents and judicial and extrajudicial correspondence;
- Special categories of data (Article 9 GDPR), namely data relating to health, racial or ethnic origin, religious beliefs or trade union membership, where strictly necessary for the exercise of the mandate.
Representatives of Corporate Clients
- Identification and contact data of legal representatives, attorneys and designated interlocutors;
- Functional and representation data required for the performance of the mandate.
Counterparties, Witnesses and Third Parties
- Identification and contact data, to the extent strictly necessary for the mandate;
- Procedural information communicated within the scope of the service provided.
Website Visitors
- Technical browsing data: IP address, browser type, operating system, pages visited, date and time of access;
- Data provided through the contact form: name, email address, subject and message;
- Cookie data and similar technologies (see Section 9).
Job Applicants and Employees
- Curriculum data: academic qualifications, professional experience, additional training;
- Identification and contact data;
- Data required to comply with employment and tax obligations, in the case of employees.
Partners and Suppliers
- Identification and contact data of interlocutors of entities that have commercial or contractual relationships with the Firm.
03. PURPOSES OF PROCESSING AND LEGAL BASES
The Firm processes personal data for the purposes identified below, supported by the respective legal bases provided for in Article 6 of the GDPR and, in the case of special categories of data, Article 9 of the GDPR:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provision of legal services and management of the mandate (court representation, legal advice, drafting of legal opinions) | Performance of a contract or pre-contractual steps – Article 6(1)(b) |
| Compliance with professional duties (Statute of the Portuguese Bar Association, Law No. 145/2015), tax and accounting obligations, and prevention of money laundering (Law No. 83/2017) | Legal obligation – Article 6(1)(c) |
| Management of recruitment processes and performance of employment or traineeship contracts. | Performance of a contract and legal obligation – Article 6(1)(b) and (c) |
| Sending newsletters, event invitations and informational communications regarding legislative changes, relevant case law or publications | Consent – Article 6(1)(a); or legitimate interests – Article 6(1)(f), with the right to object guaranteed in each communication |
| Management, improvement and security of the website (traffic analysis, detection of technical failures) | Legitimate interests – Article 6(1)(f), or consent – Article 6(1)(a) |
| Response to enquiries and requests for information submitted through the available channels | Pre-contractual steps or legitimate interests – Article 6(1)(b) and (f) |
| Processing of special categories of data (e.g. health data), only where essential to the mandate | Establishment, exercise or defence of legal claims – Article 9(2)(f); for health data essential to the mandate: Article 9(2)(h), in conjunction with Article 29 of Law No. 58/2019; and, where applicable, explicit consent – Article 9(2)(a) |
The Firm does not adopt automated decision-making, including profiling, with significant impact on data subjects, within the meaning of Article 22 of the GDPR.
04. DATA RETENTION PERIODS
Personal data are retained for the period strictly necessary to pursue the purposes that justified their collection, without prejudice to mandatory statutory periods:
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Legal mandate – clients | For the period necessary to fulfil the mandate and legal obligations; indicative maximum period of 20 years – Article 309 of the Portuguese Civil Code, unless a special period applies | Article 309 of the Portuguese Civil Code (indicative maximum period) |
| Accounting and tax documents | 10 years | IRC Code / VAT / General Tax Law |
| Prevention of money laundering | 7 years after termination | Law No. 83/2017, Article 51 |
| Non-selected applicants | 12 to 24 months (and up to 5 years with express consent for a longer period) | GDPR / recruitment period |
| Employees | Variable according to the nature of the document: minimum of 5 years after termination for general administrative data; specific periods applicable to tax, social security, occupational medicine and potential litigation documents | Labour Code and social security legislation |
| Browsing data / logs | Up to 13 months | CNPD recommendation |
| Marketing / analytics cookies | Up to 13 months | ePrivacy / GDPR |
| Contact forms | 6 months (or duration of the mandate) | Legitimate interests |
After the applicable retention period has expired, the data are securely deleted or irreversibly anonymised, in accordance with the Firm’s internal procedures.
05. RECIPIENTS AND DATA SHARING
The Firm does not sell, assign or transfer personal data to third parties for commercial purposes. Data may be shared, to the extent strictly necessary, with the following categories of recipients:
Judicial and Administrative Authorities
Courts, Public Prosecutor’s Office, Registry Offices, Tax and Customs Authority, Social Security, Bank of Portugal, CMVM, ACT and other public authorities, where required by law or within the scope of the mandate.
Portuguese Bar Association
Transmission of data necessary to comply with professional duties and disciplinary proceedings, pursuant to the Statute of the Portuguese Bar Association.
Processors
Service providers that process data on behalf of the Firm, namely providers of case management software, web hosting and cloud computing services, accounting and auditing services, translation and notarial services, and secure electronic communication platforms. These processors are bound by contracts compliant with Article 28 of the GDPR.
Other Lawyers and Consultants
Lawyers from foreign jurisdictions, experts, mediators and other consultants involved in matters requiring external collaboration, under a duty of confidentiality.
Transfers to Third Countries
Where necessary, the Firm ensures that transfers of data outside the European Economic Area (EEA) are carried out under: (i) an adequacy decision by the European Commission; (ii) standard contractual clauses approved by the European Commission; or (iii) another legitimate mechanism provided for in Chapter V of the GDPR. The data subject may request a copy of the safeguards implemented through the contact indicated in Section 1.
06. RIGHTS OF DATA SUBJECTS
Pursuant to Articles 15 to 22 of the GDPR, data subjects have the following rights:
| Right | Content |
|---|---|
| Right of Access (Article 15) | Confirmation as to whether the data are processed and, if so, access to the data and the right to obtain a copy. |
| Right to Rectification (Article 16) | Rectification of inaccurate or incomplete data without undue delay |
| Right to Erasure (Article 17) | Erasure where the data are no longer necessary, consent is withdrawn, the objection is upheld or the processing is unlawful. This does not apply where processing is necessary to comply with a legal obligation or for the establishment, exercise or defence of legal claims. |
| Right to Restriction (Article 18) | Restriction of processing where accuracy is contested, processing is unlawful without erasure, data are required for legal claims, or an objection is pending verification. |
| Right to Data Portability (Article 20) | Receipt of data in a structured, commonly used and machine-readable format, where processing is based on consent or contract and is carried out by automated means. |
| Right to Object (Article 21) | Objection to processing based on legitimate interests or for direct marketing purposes. In the event of objection to marketing, the Firm immediately ceases processing for that purpose. |
| Withdrawal of Consent (Article 7(3)) | Withdrawal at any time, without affecting the lawfulness of processing carried out before withdrawal. |
| Right to Lodge a Complaint (Article 77) | Lodging a complaint with the CNPD (www.cnpd.pt), without prejudice to any other administrative or judicial remedy. |
Pursuant to Article 23 of the GDPR and Article 20 of Law No. 58/2019, the exercise of certain rights may be limited where necessary to safeguard lawyers’ professional secrecy, the rights of third parties or the public interest.
07. DATA SECURITY
The Firm implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR, namely:
- Pseudonymisation and encryption of personal data, where applicable;
- Ability to ensure the confidentiality, integrity, availability and resilience of processing systems;
- Regular and tested backup procedures;
- Access control restricted to authorised personnel, using strong authentication;
- Regular training and awareness-raising of employees regarding data protection and information security;
- Periodic testing and evaluation of the effectiveness of the security measures adopted;
- Procedure for notifying breaches to the CNPD within 72 hours (continuous period, without suspension on weekends or public holidays), and to affected data subjects, pursuant to Articles 33 and 34 of the GDPR.
08. PROFESSIONAL SECRECY AND CONFIDENTIALITY
All data processed in the context of a legal mandate are subject to lawyers’ professional secrecy, pursuant to Article 92 of the Statute of the Portuguese Bar Association. This duty remains in force after the termination of the mandate and also binds all employees and processors of the Firm who, by reason of their duties, have access to such data.
Professional secrecy is both a right and a duty of the lawyer, and its breach may give rise to disciplinary, civil and criminal liability. The exercise of data subjects’ rights may be limited, refused or deferred where and to the extent necessary to safeguard lawyers’ professional secrecy, the rights of third parties, the confidentiality of the mandate or the establishment, exercise or defence of legal claims, pursuant to the GDPR, Law No. 58/2019 and the Statute of the Portuguese Bar Association.
09. COOKIE POLICY
What are cookies?
Cookies are small text files stored on the visitor’s device when accessing the website. They allow the website to recognise the device on subsequent visits and remember certain preferences.
Types of cookies used
| Identifier | Category | Purpose | Duration | Provider | Legal basis, Law No. 41/2004 | Legal basis, GDPR, where applicable |
|---|---|---|---|---|---|---|
| consentMode | Strictly necessary | Store the user’s consent status | Persistent until manually changed | Sousa Grilo & Associados | Strict necessity for the provision of the requested service, pursuant to Article 5(2) | Compliance with a legal obligation, pursuant to Article 6(1)(c) |
| _ga | Analytics | Distinguish users in Google Analytics 4 | 2 years | Google | Prior consent, pursuant to Article 5(1) | Consent, pursuant to Article 6(1)(a) |
| _ga<ID> | Analytics | Maintain the GA4 container status | 2 years | Google | Prior consent, pursuant to Article 5(1) | Consent, pursuant to Article 6(1)(a) |
| Google Tag Manager | Technical, tag management | Management of scripts and tags published on the website | Not applicable as a persistent cookie | Google | Strict necessity or consent, depending on the tags actually published | According to the underlying purpose of each tag |
Management and withdrawal of consent
On the first visit to the website, a cookie notice (cookie banner) will be displayed, allowing the visitor to accept, reject or customise the categories of non-essential cookies. Consent may be withdrawn or changed at any time through the cookie settings available on the website or through the user’s browser settings.
Third-party cookies
The website may include third-party features that may install their own cookies. These entities have their own privacy policies, for which the Firm is not responsible. The list of third-party providers whose cookies may be installed on the website will be kept up to date and made available in the cookie notice.
10. CHANGES TO THE PRIVACY POLICY
The Firm reserves the right to update this Policy whenever necessary, namely as a result of legislative changes, new processing operations or changes to the services provided. The Policy is reviewed at least once a year.
Updated versions will be published on the website indicating the date of entry into force. In the event of substantial changes affecting the rights of data subjects, the Firm will endeavour to communicate them directly, where possible and appropriate.
11. EXERCISE OF RIGHTS AND CONTACTS
To exercise any of the rights provided for in Section 6, or to ask any question relating to the processing of personal data, the data subject may contact the Firm through the following means:
| Means | Details |
|---|---|
| Email | geral@sousagrilo.com |
| Postal address | Largo Dr. José Novais, n.º 134, 1.º direito, Barcelos, Portugal |
Response Period
The Firm will respond to the request without undue delay and, in any event, within one month of receipt (Article 12(3), GDPR). This period may be extended by a further two months in the case of complex or numerous requests, with communication to the data subject of the reasons for the extension. The exercise of rights is free of charge, except in the case of manifestly unfounded or excessive requests, pursuant to Article 12(5) of the GDPR.
Identity Verification
To protect personal data against unauthorised access, the Firm may request proof of identity when processing requests relating to the exercise of rights. This information is used exclusively for verification and will not be retained for other purposes.
Complaint to the Supervisory Authority
Without prejudice to exercising rights with the Firm, the data subject has the right to lodge a complaint with the Portuguese Data Protection Authority (CNPD):
| Contact | Details |
|---|---|
| Address | Av. D. Carlos I, 134 – 1.º, 1200-651 Lisbon |
| Website | www.cnpd.pt |
| Telephone line | (+351) 213 928 400 |
| Email | geral@cnpd.pt |
Last updated: 26 May 2026