Scope of collection
Night Shift® collects and treats the personal data of the users only with the scope and focus on the information needed to celebrate the contracted service as listed below:
- Oder’s process and delivery.
- Direct marketing actions such as emailing campaigns and sms.
What data does Night Shift® collect?
We collect various data through automatic and electronic forms that guarantee greater security and a better experience for the users of our website.
To Night Shift® provide its services, the user should provide:
- Full name
- Full Address
- Taxpayer Number (NIF)
- Email address
- Mobile number
- Birthday date
- Payment method
- Preferences and settings set through the customer area.
How we use the data?
- We use the location the user provide so that we can deliver the products ordered.
- We use the mobile number to inform the user/client via sms and/or call about the status of the order and for direct marketing promotional campaigns, advertisement of new products and services, and special discounts.
- We use the e-mail address to communicate the various updates of the order, promotional actions such as our newsletter as well as other interactions with Night Shift®.
- We use the name and tax number to issue the invoice / receipt if requested.
- We use the payment method to reorder future orders and expedite the process.
Transmission, Disclosure and Treatment
The user authorizes Night Shift® to automatically process the personal data provided in the order for the purposes related to the creation of the contract with the user, for management, registration and execution of orders, access control, which includes the use of "cookies" technology.
This information may also be accessed by Night Shift® service providers and suppliers, namely by accounting, taxation and audit firms. In order to comply with legal requirements, Night Shift® cannot delete names and tax numbers (NIFs) found in invoices that have already been used in a legally accepted billing document.
The user’s data may also be transmitted to subcontractors for them to handle technical updates in the software on behalf of Night Shift®. In this case, Night Shift® shall take the necessary contractual measures.
In order to the various couriers can deliver the orders placed by the users of the website, Night Shift® discloses the following information to them:
- Delivery Address
- Mobile phone of the user
- Products ordered
- Any special order requests
Once the order is delivered to the user, the data is automatically deleted from the internal app used by the courier.
Any direct marketing action (Emailing campaigns, Newsletter or Sms Marketing) will always be performed directly by Night Shift® and only for users who wish so. We remind that the user/client can update, change or delete its preferences at any time accessing the customer area.
Night Shift® is committed to ensure the privacy, security, and confidentiality of your data and to never provide such data to third parties or to companies for advertising or marketing purposes.
In compliance with any law or governmental request, Night Shift® may disclose the collected data whenever legally required. Apart from the legal obligation stated before, Night Shift® will never disclose the data collected to third parties.
How long do we keep your data
There are cases in which the law requires the processing and maintenance of data for a minimum period, namely: The data necessary to inform the Tax Authority (Autoridade Tributária) for accounting or tax purposes must be kept for 10 years. Apart from this, and when there is no specific legal obligation, the data will be processed only for the period necessary to fulfill its purposes that led to their collection and preservation, always in accordance with the CNPD's (Comissão Nacional de Protecção de Dados – the Portuguese Data Protection Authority) law, guidelines and decisions, as stated below:
Night Shift® will treat and maintain your personal data as long as Night Shift® has a contractual relationship with you. Night Shift® may maintain other personal data for longer periods than the duration of the contractual relationship, whether based on the user's consent, or to ensure rights or duties related to the contract, or because it has legitimate interests that support it, in accordance with the guidelines and decisions of the CNPD.
Examples are the contact for marketing and sales purposes, the preservation of data within the scope of invoice claim procedures, legal procedures, for the term in which they are pending. The data collected is maintained according to the duration of the service agreement. The user / client may cancel their account at any time and the data will be deleted from the Night Shift® databases.
Rights, Access, Rectification, Cancellation
In compliance with the provisions of the personal data protection law, the user may, at any time, exercise the right of access, rectification of the information, cancellation and communication of his data through our Customer Support Form, clearly indicating his name , nicknames and address.
The user have the right to make a complaint to a data protection control authority regarding the collection and processing of data by Night Shift®. In Portugal the user can exercise their rights with Comissão Nacional de Protecção de Dados – the Portuguese Data Protection Authority.
In summary, the user's rights are:
Right to access (Art. 15 GDPR):
1 - The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
• the purposes of the processing;
• the categories of personal data concerned;
• the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
• where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
• the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
• the right to lodge a complaint with a supervisory authority;
• where the personal data are not collected from the data subject, any available information as to their source;
• the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2 - Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
3 - The controller shall provide a copy of the personal data undergoing processing. 2For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. 3Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
4 - The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.
Right to rectification (Art. 16 GDPR):
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure commonly known as “Right to be forgotten” (Art. 17 GDPR):
1 - The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
• the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
• the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
• the personal data have been unlawfully processed;
• the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
• the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
2 - Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
3 - Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
• for exercising the right of freedom of expression and information;
• for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
• for the establishment, exercise or defence of legal claims.
Right to data portability (Art. 20 GDPR):
1 - The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
• the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
• the processing is carried out by automated means.
2 - In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
3 - The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. 2That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
4 - The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
Right to object (Art. 21 GDPR):
1 - The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. 2The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
2 - Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
3 - Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
4 - At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
5 - In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
6 - Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Right to restriction of processing (Art. 18 GDPR)
1 - The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
• the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
• the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
• the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
• the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
2 - Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
3 - A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.
Newsletters and Direct Marketing
If the user subscribe to our Newsletter, it will receive by e-mail informations about our promotions, launches, new products, campaigns and other content strictly related to Night Shift® activity. If the user does not wish to receive more Newsletters, it can at any time remove the address from our mailing list by clicking the link shown in the footer of each newsletter. If the user is a registered customer it can modify the personal data at any time by accessing it reserved area.
All data collected is managed following best security practices in order to safeguard all information from improper access and / or loss. Night Shift® or its subcontractors have implemented the appropriate logical, physical, organizational and security measures necessary and sufficient to protect your personal data from destruction, loss, alteration, dissemination, unauthorized access or any other form of accidental or unlawful treatment. Night Shift® has implemented:
• logical requirements and security measures, such as the use of firewalls and intrusion detection systems in their systems, the existence of a strict policy on access to systems and information and the recording of actions taken by Night Shift® employees on personal data of its customers or users;
• means of data protection from design ("privacy by design") using technical means such as mask, encryption, pseudonymization and anonymization of personal data (privacy by default );
• scrutiny, audit and control mechanisms to ensure compliance with security and privacy policies;
• an information and training program for Night Shift® employees;
• access rules for employees to certain tools of the site, such as the introduction of a password to strengthen the control and security mechanisms.
Unfortunately there are no measures that can guarantee 100% safety, therefore Night Shift® can not guarantee the security of the information and the user should be aware of the inherent risks.
Minors of Age
Night Shift® service is not intended to be used by persons under 18 years of age. The order of alcoholic beverages is prohibited to minors of 18 years. Night Shift® employees can request identification to the user whenever it is necessary to confirm the age of the user / client.
Last update: 24/06/2019
A/c Data Protection Officer
Avenida do Brasil, nº 43, 11º dtº
1700 - 062 Lisboa