1. Policy Purpose
The purpose of this policy is to outline how the data provided by whistleblowers using the internal reporting channel made available by PayPay is processed and used.
At an organizational level, this policy represents PayPay’s leadership commitment to uphold data processing principles and the rights of data subjects in compliance with Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), as well as with Law No. 58/2019, of August 8, which implements this regulation in Portugal.
2. Risks and Implications
The disclosure of the personal information defined in this policy is subject to penalties under Portuguese and European law (the GDPR and Law No. 58/2019). Violations of this policy may constitute serious (Article 38) or very serious (Article 37) offenses under Law No. 58/2019, which could result in fines.
3. Policy Scope
This policy applies to the processing of all personal data related to individuals. Personal data is defined as:
"any information, of any kind and regardless of format, including sound and image, related to an identified or identifiable natural person;"
"(…) information relating to an identified or identifiable natural person ('data subject')," where an "identifiable natural person" is someone "who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person." (Article 4 of the GDPR).
According to Article 2 of the GDPR, this policy applies to “(…) the processing of personal data by wholly or partly automated means, as well as to the processing of personal data by non-automated means if contained in or intended to be part of a filing system,” carried out in Portugal or in a broader context (Article 2 of Law No. 58/2019), by both public and private entities.
4. Purpose of Data Processing
Data collected in non-anonymous reports is intended for the processing and investigation of submitted reports.
5. Responsibilities
The Compliance Director (CD) and the Data Protection Officer (DPO) are responsible for defining and implementing this policy. The DPO ensures data processing compliance with applicable legislation and verifies adherence to this Data Protection Policy.
All PayPay employees are responsible for following the defined rules and reporting any anomalies or violations of this policy to the DPO. The DPO also collaborates with the Portuguese Data Protection Authority (CNPD) "at the request of the CNPD in fulfilling its duties," particularly on matters related to sensitive information held by the company.
6. When and How Data is Collected
PayPay collects the personal data of non-anonymous whistleblowers from the information they provide when completing the reporting form (name, email, and phone number). PayPay assumes that the data collected was entered by its owner, or with the owner's authorization, and that the data is true and accurate.
Only the data provided by the whistleblower in the fields specified on the platform's form is collected.
7. Data Retention Period
Personal data will be retained only for the period necessary for the purposes for which it was collected or subsequently processed, in compliance with all applicable legal archiving rules.
8. Data Subject Rights
Under current legislation, data subjects are guaranteed the right to access, update, rectify, or delete their personal data at any time, as well as the right to object to the use of data for marketing purposes. To do so, they should submit a request using the contact information provided on ACIN’s various platforms. If a data subject believes their data is not being processed in accordance with applicable law, they have the right to file a complaint with the CNPD.
To exercise these rights, data subjects can contact us:
- By Email: dpo@paypay.pt;
- By Postal Mail: to our headquarters at Estrada Regional 104, No. 42-A, 9350-203 Ribeira Brava, Madeira.
9. Technical and Organizational Measures
PayPay adopts all necessary technical and organizational measures to protect personal information entrusted to it, in line with Article 35 of the Portuguese Constitution, the General Data Protection Regulation 2016/679, of April 27, 2016, and its application in Portugal under Law No. 58/2019, of August 8.
10. Security Measures
PayPay is committed to implementing appropriate security measures to prevent accidental or unauthorized destruction, loss, alteration, access, or disclosure of information, such as:
- Regular system security tests;
- Use of encryption mechanisms for data storage and transmission, based on secure protocols and algorithms (TLS and SHA256);
- Encrypted connections for forms collecting personal or confidential data;
- Adoption of the physical and logical security measures deemed essential for protecting customers' personal data at the infrastructure level, provided by the data center used to store the information managed by PayPay systems.
PayPay cannot be held responsible for any unlawful acts that are beyond its control to prevent and/or foresee.
In the event of a security breach, PayPay’s leadership, together with the DPO and Compliance Directorate, will work to notify the national supervisory authority (Article 51 of the GDPR) and request assistance to mitigate damage resulting from the breach.
PayPay may disclose personal data to third parties under the following circumstances:
- To comply with a legal obligation, a ruling from the National Data Protection Commission (CNPD), or a court order;
Only properly authorized users, in accordance with the principles of need-to-know and least privilege, may access the resources and information provided by applications managed or developed by PayPay.
PayPay ensures data deletion once it is no longer legally, financially, or administratively necessary.