Privacy and data protection policy
| Controller | Fotomoment Lda. |
| Address | Sitio da Calçada, no 199D, 8150-021 São Brás de Alportel |
| Data Protection Officer (DPO) | Macher Tecnologia, representado por Alexandre Antabi |
|
Contact (DPO) |
antabi@machertecnologia.com.br tgoncalves@photomemoriesgroup.com |
1. Introduction
This Policy outlines the guidelines implemented at FOTOMOMENT LDA to ensure compliance with the General Data Protection Regulation (“GDPR”) and other applicable regulations regarding privacy, data protection, and information security concerning the Personal Data of its Clients (park visitors).
Fotomoment is committed to the privacy of its clients, employees, partners, and suppliers, and believes that Personal Data must be protected to ensure the peace of mind of the Data Subjects.
Fotomoment has established a Personal Data Privacy and Protection Management Program, adopting various policies, norms, and procedures that define how Personal Data is processed throughout its lifecycle, ensuring the privacy of Data Subjects in accordance with Regulation (EU) 2016/679 (“General Data Protection Regulation” or “GDPR”) and market best practices.
By visiting a park where our services are provided and/or becoming a customer of the company, various personal details are entrusted to us. This document aims to help you understand: (i) the Program implemented in the Company; (ii) which information is collected, why, whether it is shared and with whom; (iii) how to exercise your rights as a data subject; (iv) how to handle third-party Personal Data in your professional activity.
It’s important to understand that many of Fotomoment’s daily activities involve Personal Data, which are details related to an identified or identifiable Data Subject — meaning any information that reveals the identity of a person (such as full name) or allows identification through other elements (like an employee ID number or a customer photograph).
Even when in possession of such data, Fotomoment does not own it — ownership remains with the Data Subject. This may include employees, directors, interns, apprentices, or client/supplier representatives (in the case of legal entities), or the actual client/supplier (if a natural person).
Fotomoment, while holding Personal Data, performs various Processing operations — any action involving Personal Data, whether or not automated, including: collection, production, reception, classification, usage, access, reproduction, transmission, distribution, processing, storage, deletion, modification, communication, transfer, disclosure, or extraction.
Thus, Fotomoment is considered a Data Processing Agent. Any part of its activities involving Personal Data may be subject to audit by the national data protection authority.
Fotomoment’s Personal Data Privacy and Protection Management is guided by fundamental principles and supported by policies, norms, and documents that define rules for processing personal data, which must be respected by all employees. Other local regulations may also apply.
We request all clients to read this document before using our services. Additional privacy policies may apply to specific services.
2. Guiding Principles
Fotomoment is committed to the following principles in the Processing of Personal Data:
-
Lawfulness, fairness, and transparency – Data is processed lawfully, fairly, and transparently in relation to the Data Subject;
-
Purpose limitation – Data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes;
-
Data minimization – Only personal data that is adequate, relevant, and limited to what is necessary for the purposes is processed;
-
Accuracy – Data is accurate and, where necessary, kept up to date. All reasonable measures will be taken to ensure that inaccurate data is erased or rectified without delay;
-
Storage limitation – Data is stored in a form that permits identification of data subjects only for as long as necessary for the purposes for which the data is processed;
-
Integrity and confidentiality – Data is processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage, using appropriate technical or organizational measures;
-
Accountability – Fotomoment is responsible for compliance with these principles and must be able to demonstrate it.
3. Purposes for Processing Personal Data
The Personal Data of Clients (park visitors) is processed for the following purposes:
-
Collection and processing of images to offer photos as a memento of the park experience;
-
Managing contractual relationships with clients, including invoicing, billing, and customer support;
-
Compliance with legal and regulatory obligations;
-
Responding to requests or exercising data subject rights;
-
Continuous improvement of services, based on anonymized data and statistics;
-
Physical security and access control to operational areas, where applicable.
4. Legal Bases for Processing
Fotomoment processes Personal Data based on one or more of the following legal grounds provided under the GDPR:
-
Data Subject’s consent, when required;
-
Performance of a contract or pre-contractual measures;
-
Compliance with a legal or regulatory obligation;
-
Legitimate interests of Fotomoment or third parties, provided these do not override the Data Subject’s fundamental rights and freedoms;
-
Protection of vital interests of the Data Subject or another individual.
5. Sharing Personal Data with Third Parties
Personal Data may be shared with third parties when necessary and in the following contexts:
-
Partner or subcontracted companies, solely for the provision of contracted services;
-
Public authorities or regulatory bodies, under legal obligation.
In all cases, contractual measures will be adopted to ensure appropriate handling of Personal Data by third parties.
6. Retention of Personal Data
Personal Data is retained only for as long as necessary to fulfill the purposes for which it was collected, respecting applicable legal and regulatory timeframes. After this period, the data will be securely deleted or anonymized.
-
Clients: Only physical and digital formats are retained during the daily work period; at the end of each day, all photographs—printed and digital—are deleted.
-
Suppliers and employees: Data is retained only for the duration of the contractual relationship between the parties.
7. Data Subject Rights
Under the GDPR, the Data Subject has the following rights regarding their Personal Data:
-
Right of access to their data;
-
Right to rectify inaccurate data;
-
Right to erasure of data (“right to be forgotten”);
-
Right to restriction of processing;
-
Right to object to processing;
-
Right to data portability;
-
Right to withdraw consent at any time (where processing is based on consent);
-
Right to lodge a complaint with the competent supervisory authority (in Portugal, the CNPD – Comissão Nacional de Proteção de Dados).
To exercise these rights, the Data Subject may contact Fotomoment’s Data Protection Officer (DPO), as indicated in section 9.
8. Information Security
Fotomoment adopts appropriate technical and organizational measures to ensure the security of Personal Data, including:
-
Control of physical and logical access;
-
Data encryption and anonymization, where applicable;
-
Implementation of internal privacy and information security policies;
-
Continuous training for employees on data protection best practices;
-
Regular monitoring and audits.
9. Contacting the Data Protection Officer (DPO)
Fotomoment’s Data Protection Officer (DPO) may be contacted for clarifications or to exercise the rights of Data Subjects via the following emails:
tgoncalves@photomemoriesgroup.com
antabi@marchertecnologia.com.br
Glossary
-
Personal Data: Information relating to an identified or identifiable natural person.
-
Data Subject: The natural person to whom the personal data relates.
-
Processing: Any operation performed on personal data, such as collection, recording, organization, storage, adaptation, consultation, use, disclosure, or deletion.
-
GDPR: General Data Protection Regulation (Regulation (EU) 2016/679).
-
Consent: A freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes by which they agree to the processing of personal data.
-
DPO: Data Protection Officer.
-
Client: A person who acquires Fotomoment’s services in the context of park/aquarium visits.
-
Processor: A third-party entity that processes personal data on behalf of Fotomoment.
Updated version: April 10, 2025