Privacy Policy

This Privacy Policy applies to the processing of personal data collected as part of your interactions with Cruz, Salinas, Mayer & Associados - Sociedade de Advogados, SP, RL ("CCA"), whether through the website www.cca.law ("Website"), or by any other means, online or offline.

The provision of your personal data to CCA implies knowledge and acceptance of the conditions contained in this Privacy Policy.

For you to clearly understand how we process your personal data, in this Privacy Policy you will find information on the following:

  1. Who is the controller of your data?
  2. How do we collect your personal data?
  3. What data do we collect and what do we use it for?
  4. Communication of personal data to third parties
  5. Security of processing
  6. Data Subject’s Rights
  7. Contact us
  8. Changes to the Privacy Policy

 

1. Who is controller of your data?

The data controller is Cruz, Salinas, Mayer & Associados - Sociedade de Advogados, SP, RL ("CCA"), with registered offices at Edifício Diogo Cão, Doca de Alcântara Norte, 1350-352 Lisboa, Portugal, and with the NIPC 504046799.

Telephone: (+351) 213 223 590
E-mail (data protection contact point): dpo@cca.law

 

2. How do we collect your personal data?

We may collect your personal data in different contexts, including the following:

  • When we provide services to you or your organisation;
  • When third parties provide us with your data in the context of providing services to those third parties;
  • When you provide or offer to provide services to us;
  • When you use our Website or other platforms managed by us;
  • When you fill in our forms, either to subscribe to newsletters, or to register for seminars, training or other events;
  • When you take part in seminars, training or other events, or just when you visit our premises;
  • When you communicate with us in person, by telephone, e-mail, post or other means of electronic communication;
  • When you apply for a position with us, either directly, through our Website, through recruitment platforms, through recruiters or by spontaneous application;
  • From public sources or organisations, partners or other entities with whom we collaborate within the scope of our activity.

 

3. What data do we collect and what do we use it for?

The following table identifies the purpose of each processing activity carried out by CCA, the types of personal data usually processed and the respective grounds for lawfulness.

Purpose of processing

Personal Data

Legal basis

Provision of legal services

Identification contact data. Any other data which, in each case, may be needed in the context of the provision of services, and which may include special categories of data.

Pre-contractual due diligence/ service contract performance

Compliance with legal obligations

CCA's legitimate interests (relationship management and defence of rights)

Invoicing

Identification and contact data; payment data; data relating to the services provided.

Compliance with legal obligations

Purchase of services

Identification and contact data; data relating to the service you provide; data relating to your academic and/or professional background.

Pre-contractual due diligence / contract performance

Sending newsletters and informative communications

Identification and contact data; content preferences.

Explicit consent of the data subject;


CCA's legitimate interest in maintaining contact (communications about similar services sent to clients or former clients).

Answering requests for information and/or contact

Identification and contact data; other data that you have communicated to us in your request.

CCA's legitimate interest in responding to requests

Pre-contractual due diligence if the request is for a service proposal

Organisation and management of events

Identification and contact data; data relating to your academic and/or professional background; preferences regarding the event(s); attendance history; image and/or voice data of participants.

CCA's legitimate interest in organising and managing events

Data subject's consent to the recording and use of image and/or voice data

Management of institutional contacts

Identification and contact data, data relating to academic and/or professional career, history of interaction.

CCA's legitimate interest in maintaining professional relationships

Analysing and responding to applications - recruitment

Identification and contact data, data relating to academic and/or professional career, motivation letters, references, other data that you provide us with in your CV.

Pre-contractual enquiries at the request of the data subject

Consent from the data subject for CV storage beyond the current process

Provision of the website and analysis of your use and interaction with it (see our Cookies Policy)

IP address (anonymised), cookie identifiers, browser type, operating system, pages visited, browsing time,

Strictly necessary cookies: CCA's legitimate interest in guaranteeing the functionality of the Website

Non-essential cookies: user consent

Analysing your interaction with the communications we send you

Data relating to your interaction with the communications (e.g. whether they are opened, whether you click on any links, etc.)

CCA's legitimate interest in analysing the scope of communications

Protection of people and property / security of premises

Identification data, days/times of entry/exit, reason for visit

CCA's legitimate interest in ensuring the security of its premises

 

When the legal basis is our legitimate interest, we weigh up the respective interests and apply safeguards, ensuring the data subject's right to object.

CCA does not make exclusively automated decisions.

We keep data for the period necessary for the purposes described or for the legally required periods. As a rule: (i) client files and supporting documentation: for the duration of the relationship and for the subsequent legal period for the fulfilment of obligations and defence of rights; (ii) AML/CFT: for the periods provided for in the applicable legislation; (iii) applications: during the recruitment process and, with consent, for an additional period for future opportunities; (iv) marketing/newsletters: until you withdraw consent or exercise the right of opposition. Once the retention periods have expired, the data will be securely deleted or anonymised.

 

4. Communication of personal data to third parties

CCA may communicate your personal data to third parties, namely:

·       To third parties that we contract in the context of providing legal services (including lawyers, consultants, mediators, experts or other specialists, as well as other law firms for foreign opinions, translators, couriers and other entities necessary to provide you with the contracted services);

·       To service providers who process personal data on our behalf and according to our instructions, only for the purposes indicated in this Privacy Policy, always under subcontracting agreements (including information technology, communications, storage and technical support providers);

·       To HUBCCALX - BUSINESS SOLUTIONS, LDA. ("CCA Business HUB") - the entity that manages the coworking space and organises events in our building, for the purposes of holding meetings, training, conferences and other professional events.

·       To courts, police authorities, regulators, government entities, lawyers or other parties, when this is necessary within the scope of our provision of services, or for the fulfilment of our legal obligations, or for the exercise or defence of rights to which we are entitled;

·       In the context of corporate restructuring, merger, demerger or acquisition operations involving CCA.

Whenever the communication of personal data involves its transfer to countries outside the European Economic Area, CCA will ensure that it occurs only on the basis of adequacy decisions by the European Commission or through the adoption of appropriate guarantees, under the applicable law.

In any case, CCA will take all appropriate measures to ensure the protection of your personal data.

 

5. Security of processing

CCA implements a set of appropriate technical and organisational measures, in accordance with applicable law, to protect personal data under its responsibility, preventing accidental or unlawful access, use, disclosure, loss, destruction or alteration of such data.

These measures include, among others, access controls, internal security policies, encryption and pseudonymisation of data where appropriate, monitoring of systems, periodic audits and training of employees with access to personal data.

CCA emphasises that, despite all efforts to protect your personal data, no method of transmission or storage is totally secure or risk-free. For this reason, absolute security cannot be guaranteed.

CCA has security incident response plans that include assessing and mitigating impacts, as well as timely notification to the competent authorities and, where applicable, to the affected data subjects, under the terms required by law.

We are committed to periodically evaluating and reviewing our security measures to guarantee their effectiveness considering technological developments and the risks identified.

 

6. Data Subject’s rights

Under the terms of the applicable law, as the data subject, you may exercise your rights to access, rectify, erase, restrict processing, portability and object to the processing of your personal data.

The exercise of these rights may, however, be limited under the terms of the law, namely when the processing of the data is necessary for the fulfilment of legal obligations to which CCA is subject, for the exercise or defence of a right in legal proceedings, or when data covered by the duty of professional secrecy is involved.

You may also, at any time, withdraw the consent previously given for certain purposes, without jeopardising the lawfulness of the processing carried out based on that consent up to the date of its withdrawal.

To exercise any of these rights, you may contact CCA at the e-mail address dpo@cca.law or by post to the address of our head office indicated in this Privacy Policy.

Without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with the National Data Protection Commission (CNPD) if you consider that the processing of your personal data violates the applicable law.

CNPD contacts:

Avenida D. Carlos I, n.º 134, 1º, 1200-651 Lisboa, Portugal
(+351) 213 928 400
geral@cnpd.pt
www.cnpd.pt

 

7. Contact us

If you wish to contact CCA regarding matters relating to the processing of your personal data, including the exercise of your rights, you may do so through the following means:

Data controller: Cruz, Salinas, Mayer & Associados - Sociedade de Advogados, SP, RL.

Postal address: Edifício Diogo Cão, Doca de Alcântara Norte, 1350-352 Lisboa, Portugal.

Telephone: (+351) 213 223 590
E-mail:
dpo@cca.law

 

8. Changes to the Privacy Policy

CCA may update this Privacy Policy at any time to reflect legal, regulatory or operational changes.

Any relevant changes will be published on our Website and, where legally required, communicated individually to data subjects via the contact details provided to us.

We recommend that you regularly consult this Privacy Policy to stay informed about how we process your personal data.

 

Published on: September 2025