The Privacy Policy was developed to support Winning in adapting its activity to the General Data Protection Regulation, approved by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”).

This policy applies to all Winning Professionals and Partners and, when identified, to third parties who access the assets of the Winning Group.

The terms ‘Privacy’, ‘Data Privacy’ and ‘Data Protection can be used in the same sense as they are associated with a complex set of legal requirements that apply to Personal Data, which goes beyond data security and confidentiality. For example, it includes requirements on the transparency of data use and on data retention.

Compliance with this policy is mandatory and, therefore, all Professionals and Partners have individual responsibility to ensure their compliance with it and, if necessary, must request clarification from the leaders of their respective teams.

It is Winning’s responsibility to define the appropriate mechanisms to achieve compliance with this policy, being responsible for the operational implementation of the teams, with the support of Information and Communications Technology (ICT).

Compliance with this policy can be monitored through inspections, audits and/or requests for written confirmations of compliance, with all areas being responsible for regularly assessing their compliance with it within their area of ​​responsibility.

Accordingly, any Employee or Partner who has violated this policy is subject to disciplinary action.

This policy is based on the principles established in the GDPR. However, there are national differences in the applicability of Winning’s data protection and privacy in Portugal, when processing personal data outside the EU, when receiving personal data from outside the EU or when processing personal data of non-EU citizens. community.

In case of doubt, contact ICT.

Data protection principles

As part of our activity, we process Personal Data: whether we receive personal data in the course of our business opportunities, our commitments to customers, marketing activities or a series of other related and support activities. Data may be received directly from a Data Holder (for example, in person, via mail, e-mail, telephone or other sources), namely from our customers, partners, subcontractors, joint Data Controllers, support service providers and credit reference agencies.

All Professionals and Partners should only request personal data from a Data Holder that is relevant and necessary to fulfil a certain business purpose and task.

Winning undertakes to comply with the principles of personal data protection defined by the GDPR, namely:

  • Lawfulness, loyalty and transparency: means that we must have a legitimate reason by virtue of which we process Personal Data, for example, consent of the Data Holder, compliance with a legal obligation to which we are subject. It also means that we must clearly inform the Data Holder about the data processing;
  • Limitation of Purposes: we must only request Personal Data for specific, explicit and legitimate purposes and not treat it beyond the purpose for which it was requested;
  • Data Minimization: Personal Data being processed must be adequate, relevant and limited to what is necessary;
  • Accuracy: we have an obligation to ensure that Personal Data is accurate and to update it whenever necessary;
  • Retention limitation: we must not retain Personal Data for a period longer than necessary for the purposes for which it is processed, although we may retain some for historical and statistical purposes;
  • Integrity and Confidentiality: we must have adequate security controls in place to protect data against unauthorized and illegal processing, loss, destruction or damage, including technical and organizational measures such as defined processes, training and awareness;
  • Legal transfer outside the European Economic Area: we only transfer Personal Data outside the EEA provided that adequate safeguards exist, such as a contractual basis;
  • Data Holder Rights: Data Holders have various rights that we must respect (for example, the right to access a copy of the data we archive and the right to withdraw the consent given for direct marketing purposes).

Legality and loyalty in treatment

Whenever Personal Data is collected, it is necessary to have a legal basis for such processing. According to the GDPR, we must identify at least one of the following reasons for processing Personal Data:

  • Consent: The Data Holder has given consent for the data to be processed for one or more specific purposes;
  • Contractual: The processing is necessary for the execution of a contract of which the Data Holder is part or for pre-contractual measures;
  • Legal: Treatment is necessary to comply with a legal obligation to which the Data Manager is subject;
  • Vital interests: Processing is necessary to protect the Data Holder’s vital interests;
  • Public interest: Treatment is necessary for the performance of a task performed in the public interest;
  • Legitimate interests: The processing is necessary for the legitimate interests of the Data Controller, except where interests or fundamental rights and freedoms of the Data Holder prevail.

When acting as a Data Controller (see definition in Annex A) we must ensure that we have a legitimate basis for collecting and processing Personal Data.

In some situations, we may act as a Subcontractor on behalf of our client, in which case it is the client’s responsibility to ensure that they have a correct reason for the processing of Personal Data, which they must share with us. However, we must take steps to ensure that our contract is clear about our responsibilities in this regard and that if we collect Personal Data directly from Data Holders on behalf of the customer, we have the basis for doing so legitimately.

When a Special Category of Data is handled (cf. definition in Annex A) there is an additional set of conditions that must be met. Please contact ICT for further guidance.

The GDPR requires that Data Holders be provided with information about the treatment in order to ensure fair and transparent treatment. Whenever we collect Personal Data, we must ensure that we properly explain why we need the information and how we will handle it. When information is collected through our website this information is given through a ‘Privacy Notice’.

Any other information to be provided when collecting personal data must also be provided on the internet. Please see the ‘Cookie Policy’ for more information or contact ICT.

Treatment for specific purposes only

Whenever we collect and process Personal Data, we must ensure that we only use it for the specific purposes that were communicated to the respective holder.

Winning must never process Personal Data for additional purposes that have not been communicated to the Data Holder. Only then will we be clear about the purpose of the processing and we must understand the purposes for which our customers may have collected Personal Data.

Proper, relevant and limited treatment

When we collect and process Personal Data, we must follow the principle of data minimization. This means that we must only collect the minimum Personal Data necessary to perform a specific task.

Additionally, we must ensure that we have an adequate amount of personal data to properly perform a specific task. For example, collecting the data needed just to identify a person.

This also applies to any sharing and other treatment activities. It is important to minimize the data kept and processed; we must ensure that whether we share data internally or externally or if we use it in activities such as testing, we must only use/share the minimum amount in each case.

Accuracy of personal data

We have an obligation to ensure that Personal Data is kept accurate and up to date. We must ensure that adequate processes are in place to maintain accurate data whenever necessary (for example, from professionals or current and potential customers maintained by the relevant areas).

When acting as a Data Controller in relation to a customer we will not be required to implement mechanisms to keep this data up to date; this will be the responsibility of the person responsible for the treatment, that is, our client.

Conservation of personal data

Personal Data must not be kept any longer than necessary. This means that we must define and apply maximum retention periods for the Personal Data that we process and implement processes to erase them at its term. Therefore, the following retention periods may apply:

  • for as long as is necessary for the relevant activity or services;
  • any retention period required by law;
  • the end of the period in which disputes or investigations may arise in relation to the Services; or
  • for the minimum period provided for in the contract.

Data holders right

The GDPR requires us to inform people about the Personal Data we collect, the purposes and means for which they are processed. Such information is given in the form of a ‘Privacy Notice’.

  1. a) Right of Access
  • The Data Holder has the right to ask to see the Personal Data we hold about him, the purpose of the processing and the categories of data in question.
  • We must notify the Data Holder of the recipients with whom we will share your data, especially if the recipient is in another country or belongs to an international organization.
  • Wherever possible, we will define data retention times to meet business objectives.
  • We must communicate to the Data Holder the existence of the right to object to the processing and of its right to rectification and erasure.
  • We must communicate to the Data Holder the existence of his right to complain to a Controlling Authority.
  • When data is collected from someone other than the Data Holder, the source of the data must be communicated to him.
  • We must ensure that we have processes in place to identify and respond to Data Holder access issues without undue delay and within a maximum period of one month.
  1. b) Right of rectification
  • Data Holders have the right to rectify inaccurate data, and Winning shall make every effort to do so immediately.
  1. c) Right to deletion
  • The Data Holder has the right to obtain from the Data Controller the deletion of his data (‘right to be forgotten’). It is up to Winning to do everything possible to immediately erase the data held, except when there is a legal requirement for its preservation. If you receive a request from a Data Holder please contact the ICT first before deleting any data.
  1. d) Children’s rights
  • All individuals, including children, are protected by the GDPR. For children under 13 years of age, we must not process their Personal Data based on their consent, unless authorized by the respective holders of parental responsibilities.
  1. e) Marketing
  • We may sometimes send our customers and partners marketing material to inform them of services, upcoming events or other activities of interest to them, in which case we must indicate the right to withdraw consent at any time if they wish not to be contacted again in those terms.
  • We must also ensure that we have processes in place to ensure that all participation preferences are recorded and respected.

For all questions regarding Data Holders’ rights please contact the ICT.

Security of retained data

Winning will maintain data security by protecting the Confidentiality, Integrity and Availability of Personal Data, as follows:

  • Confidentiality means that only authorized people can access the data;
  • Integrity means that Personal Data must be accurate and adequate for the purposes inherent in the processing;
  • Availability means that authorized users must be able to access the data if they need it for the authorized purposes.

You can find more complete information about our security policies here.

Data disclosure

All Professionals and Partners must avoid any inappropriate disclosure of Personal Data and comply with our general obligations regarding Confidentiality.

It’s allowed to:

  1. Share Personal Data that we maintain with any company in the Winning Group, provided that we have a legitimate basis for doing so and there are no additional restrictions;
  2. Disclose Personal Data to third parties only upon instruction or when we have a legitimate basis for doing so, and there are no restrictions in effect;
  3. Disclose Personal Data to third parties in the event that we sell or buy any business or assets, or when we are a joint Data Controller as part of a joint venture;
  4. Sharing Personal Data with a third party that is processing data on our behalf, which may include transferring data to a third country.

Generally Personal Data may be disclosed:

  1. To Professionals or agents so that they can perform their functions as such;
  2. In cases where non-disclosure could impair the prevention or detection of crimes, the deduction of charges against offenders, or the assessment or collection of any tax or fee. Winning must have adequate reasons for disclosing data under this category in order to avoid criminal prosecution. All disclosures must be justified and documented.

For legal purposes, data may be disclosed if:

  1. Required by law, statute or court order;
  2. In order to obtain legal advice;
  3. In the context or for the purposes of a judicial process or when necessary to defend a legal right; or
  4. To safeguard national security.

International transfer of personal data

Winning may transfer any Personal Data to a third country or international organization. The personal data we hold may also be processed by employees operating in a third country, for example Spain.

We must ensure that at least one of the following conditions applies:

  1. The country to which the Personal Data are transferred guarantees an adequate level of protection for the rights and freedoms of Data Holders, as decided by the EU Commission;
  2. Appropriate safeguards are provided (e.g. standard data protection clauses);
  3. The Data Holder has given explicit consent to the transfer after being informed of the possible risks;
  4. The transfer is necessary for one of the reasons set out in the GDPR, including the execution of a contract between Winning and the Data Holder, or protection of the vital interests of the Data Holder;
  5. The transfer is legally required for important reasons of public interest or for the filing of legal actions or defence within the scope thereof.

Log, cookies and web beacons information

The Winning website uses cookies to distinguish its users. Winning collects standard Internet registration information, including the user’s IP address, browser type and language, access times and referring website addresses. To ensure that our website is well managed and to facilitate navigation, Winning or its service providers may also use cookies (small text files stored in the user’s browser) or web beacons (electronic images that allow our website to count the visitors who access a website and certain cookies) to collect aggregated data.

Professionals information

Collection and Conservation

  • Winning, as an employer, collects, processes and retains personal data of workers, contractors, consultants and candidates. The Human Resources Department and other departments that process Personal Data of professionals must verify and document the legal basis inherent in the processing they carry out. Professionals’ Personal Data should only be processed when there is a valid and legitimate purpose for this purpose.
  • The collection of personal data related to our employees takes place through different channels and formats, such as: application forms; electronic web forms, (e.g. during the recruitment process); data records; CCTV images; team photographs including identification cards; data from other sources (e.g. past employers); credit checks and security checks; etc.
  • The creation and storage of personal data related to our professionals takes place through various channels and formats, such as: payment receipts; assessment records; employment contracts; emails; disease records; etc.

Training and Awareness

  • We are committed to providing adequate training on personal data protection to all professionals. If necessary we will provide personalized training and awareness for people taking into account their roles.

Process design and modification

  • For all proposed new systems and business procedures involving Personal Data, consideration should be given to whether an assessment of the impact on information privacy and security is required to identify risks and controls.
  • For this purpose, all Professionals and Partners must contact the ICT before adopting new procedures

Annex A - Definitions







Confidentiality is a characteristic that applies to information. Protecting and preserving the confidentiality of information means ensuring that it is not made available or disclosed to unauthorized entities. In this context, entities include people and processes.

Control authorities

It means an independent public authority established in Portugal – National Data Protection Commission.

Data Disclosure

Means sharing or providing access to Personal Data, whether to the Data Subject, the Joint Data Controller, Subcontractor or any other Third Party.

Data Holder

Means the person who is the subject of the Information to be processed, that is, the individual(s) to whom the Information refers, for example customers of retail services or employees of the customer.


It means workers and natural persons hired by a company of the Winning Group, permanent or temporary, excluding Partners.


It covers all knowledge and data communicated or received about a particular fact or circumstance. The Information of a Winning Group company includes all information, whether identified or not confidential, in any form, written or oral, that the Team or Partners may have access to about the companies, their Professionals or Partners.

Information Integrity

The accuracy and completeness of the Information and the methods used to process and manage it.

Information Security Incident

Means any adverse event, occurrence or suspicious event that may affect the confidentiality, availability or integrity of any of the Winning Assets.

Limitation of Treatment

The marking of personal data stored in order to limit its treatment in the future.


Used to describe Equity Partners and other types of Partners.

Personal Data

Any information relating to an identified or identifiable natural person (i.e. ‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or another specific physical, physiological, genetic, mental, identity factor. cultural or social status of that person.

Personal Data Violation

A breach of security that leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to Personal Data transmitted, retained or otherwise processed.


It is how we collect, retain and handle Personal Data in accordance with the expectations of our customers and employees and a complex set of legal and regulatory requirements. Also known as Privacy and/or Data Protection, although in the US the term Data Protection generally focuses on data security rather than broader legal requirements.


Means the processing of personal data that cannot be attributed to a specific Data Subject without the use of additional information, provided that such information is kept separately and is subject to technical and organizational measures to ensure that it does not become identifiable.

Responsible for Treatment

The natural or legal person, public authority, agency or any other body that, individually or together with others, determines the purpose and means of the Processing of Personal Data; If the purposes and means of processing are determined by Union law or the law of a Member State, the controller or the specific criteria for his appointment may be designated by Union law or by the law of the Member States.

Special Categories of Personal Data

Corresponds to Personal Data that reveal:

• racial or ethnic origin;

• political opinions;

• religious and philosophical convictions;

• union membership;

• physical or mental health;

• genetic and biometric data;

• data relating to sex life and sexual orientation; and

• criminal convictions and infractions or alleged offences, including any criminal proceedings or court sentences relating to a person.


Means a natural or legal person, public authority, agency or other body, to whom personal data is disclosed, whether third party or not.


A set of interactive or interdependent components, including people, processes and technology that work together to produce an intended result.

Third Parties

External suppliers, organizations or individuals contracted by Winning to use, manage or handle assets of a Winning Group company or provide services for or on behalf of Winning. Third parties and suppliers under this policy include, but are not limited to:

• outsourced suppliers;

• service providers (e.g. for data hosting management, for network infrastructure and for management);

• hardware and software suppliers and support and maintenance team;

• IT or business process companies and consultants;

• External service providers.


Any operation or set of operations that are performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, registration, organization, structuring, adaptation or alteration of storage, retrieval, consultation, dissemination of use by transmission, dissemination or otherwise made available, alignment or combination, restriction, erasure or destruction.