
Privacy policy


Last Revised and Effective Date: July 1, 2024

Introduction

The Privacy Policy was developed to support Maria Maia Unipessoal LDA, a legal entity with VAT number 516 247 298, headquartered at Rua Manuel Assunção Falcão, Armazém 9, 4475-088 Maia (hereinafter Maria Maia Beauty), in adapting its activity to the General Data Protection Regulation, approved by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“RGPD”).

This policy is complemented by others on security, which are relevant to the company's business, describing, together, Maria Maia Beauty's approach to information security and privacy.

The terms ‘Privacy’, ‘Data Privacy’ and ‘Data Protection’ can be used interchangeably as they are associated with a complex set of legal requirements that apply to Personal Data, which goes beyond data security and confidentiality. For example, it includes requirements on transparency of data use and retention.

Compliance with this policy is mandatory and therefore all Professionals and Partners have the individual responsibility to ensure their compliance with it and, if necessary, should seek clarification from their team leaders.

It is Maria Maia Beauty's responsibility to define the appropriate mechanisms to achieve compliance with this policy.

Compliance with this policy may be monitored through inspections, audits and/or requests for written confirmations of compliance, with all areas being responsible for regularly assessing their compliance with it within their area of responsibility.

Accordingly, any employee found to have violated this policy is subject to disciplinary action.

This policy is based on the principles set out in the GDPR. However, there are national differences in the applicability of Maria Maia's data protection and privacy when processing personal data outside the EU, when receiving personal data from outside the EU or when processing personal data of non-EU citizens.

If in doubt, contact Maria Maia Beauty using the contact details provided.

Data Protection Principles

As part of our business, we process Personal Data: whether we receive Personal Data in the course of our business opportunities, our customer engagements, marketing activities or a range of other related and supporting activities. The data may be received directly from a Data Subject (e.g. in person, by post, email, telephone or other sources), including from our customers, partners, subcontractors, joint controllers, support service providers and credit reference agencies.

All professionals and partners must only request Personal Data from a Data Subject that is relevant and necessary to fulfill a specific business purpose and task.

Maria Maia Beauty is committed to complying with the Personal Data protection principles set out in the GDPR, namely:

Lawfulness, fairness and transparency: this means that we must have a legitimate reason for processing Personal Data, for example, the Data Subject’s consent, compliance with a legal obligation to which we are subject. It also means that we must clearly inform the Data Subject about the processing;

Purpose Limitation: we must only request Personal Data for specific, explicit and legitimate purposes and not process it beyond the purpose for which it was requested;

Data Minimization: the Personal Data processed must be adequate, relevant and limited to what is necessary;

Accuracy: we have an obligation to ensure that Personal Data is accurate and to update it whenever necessary;

Retention Limitation: we must not retain Personal Data for a period longer than is necessary for the purposes for which it is processed, although we may retain some for historical and statistical purposes;

Integrity and Confidentiality: we must have in place adequate security controls to protect data against unauthorized and unlawful processing, loss, destruction or damage, including technical and organizational measures, such as defined processes, training and awareness;

Lawful transfer outside the European Economic Area: we only transfer Personal Data outside the EEA where there are appropriate safeguards in place, such as a contractual basis;

Data Subject Rights: Data Subjects have a number of rights that we must respect (for example, the right to access a copy of the data we hold and the right to withdraw consent given for direct marketing purposes).

Lawfulness and fairness in processing

Whenever Personal Data is collected, it is necessary to have a legal basis for the inherent processing. According to the GDPR, we must identify at least one of the following reasons for processing Personal Data:

Consent: The Data Subject has given consent for the same to be processed for one or more specific purposes;

Contractual: The processing is necessary for the execution of a contract to which the Data Subject is a party or for pre-contractual steps;

Legal: The processing is necessary to comply with a legal obligation to which the Data Controller is subject;

Vital interests: The processing is necessary to protect the vital interests of the Data Subject;

Public interest: The processing is necessary for the performance of a task carried out in the public interest;

Legitimate interests: The processing is necessary for the legitimate interests of the Data Controller, except where such interests or fundamental rights and freedoms of the Data Subject prevail.

When we act as a Data Controller, we must ensure that we have a legitimate basis for collecting and processing Personal Data.

In some situations, we may act as a Processor on behalf of our client, in which case it is the client’s responsibility to ensure that they have a legitimate reason for processing Personal Data, which they must share with us. However, we must take steps to ensure that our contract is clear about our responsibilities in this regard and that, if we collect Personal Data directly from Data Subjects on the client’s behalf, we have a legitimate basis for doing so.

Where a Special Category of Data is processed there is an additional set of conditions that must be met. Please contact Maria Maia Beauty for further guidance.

The GDPR requires that we provide Data Subjects with information about the processing in order to ensure fair and transparent processing. Whenever we collect Personal Data, we must ensure that we adequately explain why we need the information and how we are going to process it. Where information is collected through our website this information is provided via a ‘Privacy Notice’.

Any other information that you provide when collecting personal data must also be provided online. Please see our Privacy Policy and Cookies Policy for further information.

Processing for specific purposes only

Whenever we collect and process Personal Data we must ensure that we only use it for the specific purposes that have been communicated to the Data Subject.

Maria Maia Beauty must never process Personal Data for additional purposes that have not been communicated to the Data Subject. We must therefore be clear about the purpose of each processing activity, understand the purposes for which our customers may have collected the Personal Data, and contact the Privacy Officer where this is not clear.

Adequate, relevant and limited processing

When we collect and process Personal Data we must follow the principle of data minimisation. This means that we must collect only the minimum amount of Personal Data necessary to perform a specific task.

Additionally, we must ensure that we have an adequate amount of Personal Data to perform a specific task properly, for example collecting only the data that is necessary to identify a person.

This also applies to any sharing and other processing activities. It is important to minimise the data that is held and processed; we must ensure that if we share data internally or externally or use it in activities such as testing, we only use/share the minimum amount in each case.

Accuracy of personal data

We are obliged to ensure that Personal Data is kept accurate and up to date. We must ensure that appropriate processes are in place to keep data accurate where necessary (for example, of current and potential professionals or clients held by the relevant areas).

When acting as a Data Controller in relation to a client, we will not be required to implement mechanisms to keep such data up to date; this will be the responsibility of the Data Controller, i.e. our client.

Retention of Personal Data

Personal Data should not be retained for longer than necessary. This means that we must define and apply maximum retention periods for the Personal Data we process and implement processes to erase it upon expiry. Therefore, the following retention periods may apply:

(i) for as long as is necessary for the relevant activity or services;

(ii) any retention period required by law;

(iii) the end of the period in which disputes or investigations may arise in relation to the services; or

(iv) for the minimum period provided for in the contract.

Data Subject Rights

The GDPR requires us to inform individuals about the Personal Data we collect, the purposes and means for which it is processed. This information is provided in the form of a ‘Privacy Notice’.

a) Right of Access

The Data Subject has the right to request to see the Personal Data we hold about them, the purposes of the processing and the categories of data concerned.

We must notify the Data Subject of the recipients with whom we are going to share their data, especially if the recipient is in another country or is part of an international organisation.

Where possible, we will define the period for which the data will be retained to meet business purposes.

We must inform the Data Subject of the existence of the right to object to the processing and of their right to rectification and erasure.

We must inform the Data Subject of the existence of their right to complain to a supervisory authority.

Where data is collected from someone other than the Data Subject, we must inform the Data Subject of the source of that data.

We must ensure that we have processes in place to identify and respond to Data Subject access queries without undue delay and within one month at the latest.

b) Right to rectification

Data Subjects have the right to have inaccurate data rectified, and Maria Maia Beauty will make every effort to do so promptly.

c) Right to erasure

Data Subjects have the right to obtain from the Controller the erasure of their data (‘right to be forgotten’). Maria Maia Beauty will do its best to erase any data held promptly, except where there is a legal requirement to retain it. If you receive a request from a Data Subject, please contact the Privacy Officer first before erasing any data.

d) Children’s rights

All individuals, including children, are protected by the GDPR. For children under the age of 13, we must not process their Personal Data based on their consent, unless authorised by the holders of parental responsibility.

e) Marketing

We may sometimes send our customers and partners marketing material to inform them of services, upcoming events or other activities that may be of interest to them, in which case we must provide them with the right to withdraw their consent at any time if they do not wish to be contacted in this way.

We must also ensure that we have processes in place to ensure that all participation preferences are recorded and respected.

Security of Retained Data

Maria Maia Beauty will maintain the security of data by protecting the Confidentiality, Integrity and Availability of Personal Data, where:

Confidentiality means that only authorised persons can access the data;

Integrity means that Personal Data must be accurate and adequate for the purposes for which it is processed;

Availability means that authorised users must be able to access the data if they need it for the authorised purposes.

Disclosure of Data

All professionals and partners must avoid any inappropriate disclosure of Personal Data and comply with our general duties in relation to Confidentiality.

You are permitted to:

a) Disclose Personal Data to third parties only on instruction or where we have a legitimate basis to do so and there are no restrictions in place.

b) Disclose Personal Data to third parties in the event that we sell or buy any business or assets, or where we are a joint controller as part of a joint venture.

c) Share Personal Data with a third party who is processing data on our behalf, which may include transferring data to a third country.

Generally, Personal Data may be disclosed:

a) To Professionals or agents so that they can perform their functions as such.

b) Where non-disclosure would prejudice the prevention or detection of crime, the prosecution of offenders, or the assessment or collection of any tax or duty. Maria Maia Beauty must have adequate grounds to disclose data under this category in order to avoid criminal prosecution. All disclosures must be justified and documented.

For legal purposes data may be disclosed if:

a) Required by law, statute or court order.

b) For the purpose of obtaining legal advice.

c) In the context of or for the purposes of legal proceedings or when necessary to defend a legal claim.

d) To safeguard national security.

International transfer of Personal Data

Maria Maia Beauty may transfer any Personal Data to a third country or international organization. Personal Data held by us may also be processed by employees operating in a third country or for one of our suppliers.

We must ensure that at least one of the following conditions applies:

a) The country to which the Personal Data is transferred ensures an adequate level of protection for the rights and freedoms of Data Subjects, as decided by the EU Commission.

b) Appropriate safeguards are provided (e.g. standard data protection clauses).

c) The Data Subject has given explicit consent to the transfer after having been informed of the possible risks.

d) The transfer is necessary for one of the reasons set out in the GDPR, including the performance of a contract between Maria Maia Beauty and the Data Subject, or to protect the vital interests of the Data Subject.

e) The transfer is legally required for important reasons of public interest or for the establishment or defence of legal claims.

Log information, cookies and web beacons

The Maria Maia Beauty website uses cookies to distinguish its users. Maria Maia Beauty collects standard internet log information, including your IP address, browser type and language, access times and referring website addresses.

To ensure that our website is well managed and to make navigation easier, Maria Maia Beauty or its service providers may also use cookies (small text files stored in a user’s browser) or web beacons (electronic images that allow our website to count visitors who access a website and certain cookies) to collect aggregated data.

Employee Information

Collection and Storage

As an employer, Maria Maia Beauty collects, processes and stores personal data of employees, contractors, consultants and candidates. The Human Resources Department and other departments that process Personal Data of employees must verify and document the legal basis for their processing. Personal Data of employees should only be processed where there is a valid and legitimate purpose for doing so.

Personal data relating to our employees is collected through a variety of channels and formats, such as: application forms; electronic web forms (e.g. during the recruitment process); data logs; CCTV images; team photographs, including identification cards; data from other sources (e.g. previous employers); credit checks and security checks; etc.

The creation and storage of personal data relating to our employees occurs through various channels and formats, such as: pay slips; assessment records; employment contracts; emails; sickness records; etc.

Training and Awareness

We are committed to providing appropriate training on personal data protection to all staff. Where necessary, we will provide tailored training and awareness to individuals based on their role.

Process design and change

For all proposed new business systems and procedures involving Personal Data, consideration should be given to whether a privacy and information security impact assessment is required to identify risks and controls.