PRIVACY POLICY

A) Provision of professional services

As part of providing professional services to our clients, we collect and use personal data in connection with those services as required for their performance. In this context, we also process personal data from people who are not directly our clients (e.g., employees, customers, or suppliers of our clients). For example, if we do a due diligence for a client’s acquisition of an entity, we will obtain personal data about its employees, management, and customers.

Most of the personal data we collect and use to provide our services is provided voluntarily by our clients or collected by us from third party sources at the request of our clients. For this reason, if you are a RRP client, you will know what personal data we collect and use.

We require confirmation from our clients that they have the authority to provide us with personal data related to the execution of the services and that any personal data they provide to us has been processed in accordance with applicable law.

Given the diversity of the services we provide, we process many categories of personal data, such as:

– Personal data of the individual client and his/her family members, including names, addresses and demography, contact information, birth dates and tax identifiers, including social security numbers and e-mail addresses

– Personal data of the clients’ employees, including names, contact information and e-mail addresses

– Personal data contained in documents and files of the client or third parties, such as identification documents (birth certificates, marriage licenses, school documents and diplomas and copies of the passport) and tax declarations: Liability, dates produced and sent, settlement amounts and taxes paid

– Personal data contained in documents drawn up in the framework of the provision of services

– Personal data contained in documents drawn up in the context of the representation of clients to third parties, in particular courts within the framework of the legal obligation

– Immigration data: Work permit questionnaires, work permit status, copy of application form, copy of work permit, copy of visa, copy of passport and other immigration documents

For certain services, we also process special categories of data. For example, the provision of tax reporting services involves the handling of payment details made by our client, by his/her spouse and dependent to trade unions, political parties, for medical treatments or religious charities. Such data are intentionally collected and will be used only when necessary for the provision of the service for which the data were collected, such as the determination of the correct taxation of our client’s income and to claim the correct tax deduction for such payments.

In addition, we also collect and process personal data as part of the processes of acceptance and verification of the good repute of our clients, including independence, anti-money laundering, conflicts, reputation, and financial verifications, and to comply with any other legal or regulatory requirements to which we are subject. These verifications may include identity verification and declaration of the effective beneficiary of the Company and other legal entities, conflict verification, anti-money laundering, proceeds of crime and terrorist financing, politically exposed persons (PEP) verification: persons with prominent roles in government, judicial system, courts, central banks, embassies, armed forces and state-owned enterprises, including their relatives and closely associated persons, adverse media verifications, government sanctions list verifications, and independence controls.

These verifications are made for legal, regulatory, or commercial reasons and need to be repeated during our commitment. As part of these verifications, we are obliged to process special categories of data (for example, to verify whether you are a politically exposed person or to collect information about criminal convictions when it is necessary for the purpose of money laundering laws). It is important that we are provided with all the necessary information and documents, as it affects our ability to provide the services.

We use this information to:

• to provide our services
• in our legitimate interest in managing and maintaining our contractual relations
• in our legitimate interest in marketing and business development actions
• in our legitimate interest in ensuring that services are provided with continuity, consistency, and quality
• to comply with our legal and regulatory obligations, for example in accounting and fiscal matters
• to establish, exercise or defend legal rights
• for historical and statistical purposes.

B) Suppliers

We process personal data about our suppliers (including subcontractors and individuals associated with our suppliers) to manage our relationship and contract, and to receive services from them.

The personal data we process is generally limited to contact information (name, employer name, telephone number, email and other contact information) and financial information (payment-related information).

In addition, we also use data about our suppliers to check whether there are any conflict of interest or a restriction of audit independence to hire a supplier. Before we contact a new supplier, we also conduct independent audits and other background checks required by law or regulation, for example, adverse means, bribery and corruption, and other financial crime verifications.

We use this information to:

• performance of a contract
• in compliance with a legal or regulatory obligation
• in our legitimate interest in managing payments, fees, and charges, and in collecting and recovering amounts due
• in our legitimate interest in understanding any conflict of interest or challenge in relation to legislation regarding independence
• in our legitimate interest in protecting us from inadvertent manipulation of the proceeds of criminal activities or assistance in any other illegal or fraudulent activity (e.g., terrorism).

C) Business and professional contacts

We process personal data about business and professional contacts, such as past, current, and potential clients and individuals employed by, or associated with, such clients, and other business or professional contacts, such as former employees, consultants, regulators, and journalists. Newsletters, marketing materials, event information or learning opportunities, surveys and event invitations may be sent to these contacts.

The personal data we process is generally limited to contact information (such as name, title, address, email address, telephone, and fax), the name of the employer or organization to which the individual is associated, as well as any user preferences regarding our communications that you have expressed and in responses to invitations and interactions that have existed.

We do not knowingly collect sensitive category data unless it is voluntarily provided to us for a specific purpose (for example, special dietary requirements that reveal your religious affiliation or any food allergy, in the context of participating in one of our events).

Business and professional contact data will be maintained if there is a need for its use and will be deleted when no longer needed or sooner, if required by law.

We use this information to:

• in our legitimate interest in managing the relationship with our business contacts and providing information about RRP, our services and events we organize
• to give expression to the explicit consent received from the contacts concerned.

D) Website users (rrp.pt)

We collect personal information that is voluntarily provided to us through our site, for example, by completing online contact forms, registering to receive our newsletters, participating in surveys, or registering for participation in events that we organize. The information we collect in this context include name, position, hierarchical level or job function, education, company or organization, contact information, including primary email, e-mail address and phone numbers, demographic information, such as industry, country, postal code, preferences and interests, other information relevant to the purposes described, information obtained through event forms, such as food restrictions, information about hotels and flights, status of registration/participation, participation in media interviews, experience of previous events and gender.

We do not knowingly collect data from sensitive categories unless it is voluntarily provided to us for a specific purpose (e.g., food restrictions). Although there are free text boxes on our site, where the free entry of any information is permitted, it is not our intention to process sensitive information, therefore, the provision of this information is not mandatory and should not be done in the free text boxes. By voluntarily providing any sensitive personal information this way, you acknowledge that you agree to the collection and processing of such sensitive information.

This data will be maintained if there is a need for its use and will be deleted when no longer needed or sooner, if required by law.

We also analyze personal data collected on our site, to manage it, including identity confirmation and authentication, and preventing unauthorized access to restricted areas, to analyze visitor data and site traffic information, collect metrics about the user history within our site, monitor and enforce compliance with applicable terms of use, and perform quality analysis and risk management. For more information on this, please refer to our Cookie Policy.

We use this information to:

• in our legitimate interest in the effective delivery of information and services and the effective and legal operation of our business
• in our legitimate interest in developing and improving our site and your user experience
• to give expression to the explicit consent received from the site visitors concerned.

E) Job applicants

We collect information from and about candidates regarding the professional collaboration opportunities available at RRP. The information we collect includes CV, identification documents, academic records, work history, employment information and references.

We use this personal data to tailor the skills, experience and education provided to the specific opportunities available at RRP. This information is passed on to the people involved in the recruitment process to decide if the candidate should be interviewed. RRP will collect more information if the candidate is invited to the interview phase (or equivalent) and later. Such information includes interview notes, assessment results, feedback and job offer details.

In relation to our recruitment activities, including applications and onboarding, we also collect data from special categories of candidates where we have an obligation to do so, by virtue of a legal enforcement, arising from labor law. For example, where permitted and/or imposed by applicable law, we will collect information about an individual’s disabilities to analyze the diversity of our workforce, with consent. Once professional collaboration is established, the provision of individual information on disabilities will also be used to provide an appropriate working environment. Criminal background checks will also be required for certain candidates to assess their eligibility to work at or for RRP clients.

We collect personal data about applicants from the following sources:

Directly – for example, information that candidates provide when applying for a position directly through the RRP website

Recruitment agencies – for example, when a recruitment agency that has the candidate details contacts us to suggest it as a potential candidate

Through publicly available sources online – for example, professional profiles posted online (including on your current employer’s website or on a professional networking site, such as LinkedIn)

By reference – for example, through a reference from a former employee or employer, or a reference that you have identified

We use this information to:

• to give expression to the applicant’s explicit consent
• in our legitimate interest in attracting, identifying, and seeking employees
• in our legitimate interest in the treatment and management of applications for job opportunities at RRP, including screening and selection of candidates
• in our legitimate interest in hiring and integrating candidates, making an offer to approved candidates and carrying out pre-hiring screening checks
• in compliance with legal or regulatory obligations regarding the recruitment of employees.

F) Email senders to RRP

RRP uses a variety of tools to maintain the security of our IT infrastructure, including e-mails. Examples of such tools are:

1. Systems that check incoming e-mail to RRP recipients for suspicious attachments and URLs to prevent malware attacks
2. Tools that provide end point threat detection to detect malicious attacks
3. Tools that block certain content or websites.

RRP tools to maintain the security of its IT infrastructure analyze messages sent by e-mail to an RRP recipient. RRP persons other than the intended e-mail recipient might read its content.

We use this information to:

• in our legitimate interest in protecting our IT infrastructure from unauthorized access or leakage of information
• in our legitimate interest in analyzing e-mail traffic.