Specific Conditions of the Server Service



Server Service – Dedicated, Virtual or Cloud Server Service

CG – Mixlife General Conditions of Service

PUA – Acceptable Use Policy

PP – Privacy Policy

1 – These conditions must be attached and combined with the general conditions of service provision, hereinafter CG, available at https://www.mixlife.pt/termos-e-condicoes, PUA and PP.

2 – If the combination of these specific conditions, hereinafter CE/SD, and the CG results in a contradiction, the former must prevail over the latter, thus safeguarding the specificity of the service.

3 – Subjects and object:

3.1 – These CE/SD are intended to legally govern the terms and conditions under which the provision of the respective service will take place.

3.2 – Within the scope of these specific conditions, contracted Service(s) are understood to be the server service subscribed by the CONTRACTOR on the Mixlife online page and which will be added to their file in the customer area.

3.3 – With confirmation of the subscription form, the CONTRACTOR expressly accepts, without reservations, any and all of these clauses, the CG, PUA and PP.

3.4 – Payment relating to the renewal of the server service is considered as acceptance, without reservations, of the present clauses, the CG, PUA and PP, establishing the renewal of the same under the present special conditions and maintaining the same duration.

3.5 – Hereby and in these terms, Mixlife undertakes to provide the contracted server service in a diligent and responsible manner.

4 – Service provision:

4.1 – The customer will have to, in due course, create a customer file or make an existing one available where the SERVICE(s) will be added by the current contractor(s).

4.2 – Regarding the customer area, the access and management processes will be those established in the CG, except in the case of any specificity that must be expressly indicated to the CONTRACTING PARTY.

4.3 – Service and support to the CONTRACTING PARTY is governed by the terms of the CG. Support is provided 24/7 via helpdesk and email, as well as telephone and online support from our website on weekdays from 9am to 10pm and weekends from 10am to 7pm.

4.4 – More extensive support may be contracted and must be included in a maintenance plan to be subscribed to in addition to this service.

4.5 – Backups, monitoring and maintenance of the server(s) are not included in the server service per se, and these may be contracted separately as an extra to the server service.

4.6 – Mixlife does not guarantee the security of the internet nor assumes any responsibility for information, computer programs, services or any other materials that the CONTRACTOR may obtain via the internet, except for those contracted with Mixlife.

4.7 – It is the CONTRACTOR's sole responsibility to certify that the computer programs, operating and security systems, as well as the respective equipment and installations are as established by these CE/SD.

4.8 – All those provided by Mixlife to the CONTRACTOR and which as such form part of their record in the customer area are excluded from the certification responsibility referred to in 4.7. 

4.9 – Access, connections and use of the service(s) CONTRACTED here must be carried out appropriately, in accordance with the instructions and protection and security procedures applicable to the use of the respective equipment or computer program. 

4.10 – The CONTRACTOR is fully responsible for complying with the provisions set out in 4.9, as well as complying with applicable legislation regarding the use of the service and the advertising of content.

 4.11 – The CONTRACTOR is also responsible for ensuring that what is described in 4.9 and 4.10 is equally complied with by its guests, workers, collaborators, administrators, representatives and others who access the service under its auspices or permission. 

5 – THE CONTRACTOR Understands and Accepts: 

5.1 – Communications made between Mixlife and the CONTRACTOR will be carried out by email to the email address(es) provided for customer area contact details, safeguarding all communications that, by law, provide for another form.

 5.2 – To find out what it is, make changes or add more email addresses to the general email, the 1st Contractor may: 

  1. Enter your customer area, carrying out the desired actions; 
  2. Request it by email to [email protected] from the authorized email address.
  3. If there are difficulties in identifying which is your authorized email, you can ask Mixlife, through its customer service, to provide a partial and indecipherable indication for the eyes of third parties, so that the owner can identify which email address is allocated as general email. 

5.3 – Mixlife can only control the systems that are part of its network, therefore it cannot guarantee, at all times, a flawless service provision, nor guarantee the total and permanent technical quality of connection to all networks that support other equipment, programs or systems that are not under the direct control of Mixlife. 

5.4 – Mixlife reserves the right to suspend any or all of the services contracted hereunder if the CONTRACTOR fails to comply with any of its obligations or responsibilities in these stipulated clauses as well as in the CG.

5.5 – Mixlife will be forced to suspend any or all of the services contracted herein if requested to do so by court or by an authority empowered to do so. 

5.6 – In the cases provided for in 5.4 and 5.5, Mixlife, before suspending the service, if it is not urgent for preventive reasons, will notify the CONTRACTOR via email in accordance with 5.1 and 5.2, that the service will be suspended within 24 hours if the situation is not regularized by the CONTRACTOR. 

5.7 – Under the terms of 5.4, when there is a need, as a preventive measure, to immediately suspend the service in question, the CONTRACTOR will be notified, in the same way, but after suspension of the service and will remain so until the situation is regularized.

5.8 – Mixlife may, if necessary and for as little time as possible, have to interrupt the provision of the service to carry out maintenance, repair, expansion and development of services and equipment.

5.9 – In the cases provided for in 5.6, Mixlife is obliged to notify the CONTRACTOR via email in accordance with 5.1 and 5.2.

5.10 – The CONTRACTOR is solely responsible for the IP addresses assigned to him by Mixlife, for the duration of this contract. The CONTRACTOR is, therefore, aware that whenever Mixlife is questioned about the user of the IP allocated to it, Mixlife will identify it without it being considered a violation of the duty of secrecy or privacy.

5.11 – In compliance with the provisions of 5.8 and 5.9, Mixlife will notify, via email, the CONTRACTING PARTY whenever cases of abuse are detected or reported, granting a reasonable period of time to resolve the problem.

5.12 – Server services, due to security and prevention of cases of abuse, fraud and sending SPAM, have ports 25 and 465 blocked, so if it is essential for the CONTRACTOR that these be unblocked, they must request it to [email protected], presenting legitimate justification for its use. Considering the reputation of your IPs and the management of your network, Mixlife will, in these cases, be the sole arbiter in analyzing the acceptance of the unblocking request.

5.13 – In the cases provided for in 5.10, the CONTRACTOR undertakes to remedy the abuse or other problem reported within the period offered.

5.14 – If the CONTRACTING PARTY does not comply with the stipulations in 5.11, there will be a forced intervention by Mixlife, which the CONTRACTING PARTY declares to authorize, in order to only investigate and try to resolve the situation.

5.15 – When there is forced intervention on the part of Mixlife in order to resolve a problematic situation resulting from the CONTRACTOR's failure to comply with what is stipulated here regarding antivirus security rules and as described in 5.8, 5.9 and 5.10, this intervention will be charged in this way:

Abuses related to “Phishing” – €50.00

Abuse related to SPAM – €50.00

Other types of abuse – €50.00/hour

Virus troubleshooting – €50.00/hour

The amounts charged for Mixlife's forced intervention will be invoiced with VAT at the legal rate in force, immediately, and the invoice must be paid in advance. 

5.16 – In the event of repeated non-compliance by the CONTRACTOR with what is imposed by 5.11, Mixlife reserves the right to suspend the services contracted herein, communicating to you via email. 

5.17 – The CONTRACTOR is responsible for controlling consumption and usage variables, except when contracted as unlimited. When excesses are made to the contractor, Mixlife will debit the amounts, duly detailed on the next invoice.  

5.18 – The CONTRACTOR is solely responsible for the management and security of the content and information that the CONTRACTOR hosts on the server, except when contracted for a duly specified service.

5.19 – The CONTRACTOR cannot make profound changes to the installed system, particularly those that conflict with the functioning, as contracted, of the server. 

5.20 – In cases where the CONTRACTOR does not respect 5.14, even if a maintenance service is contracted, Mixlife is not responsible for data and content stored on the server, as well as service failures or unavailability.

6 – Mixlife backups, support and monitoring:

6.1 – Mixlife support is available 24/7 via helpdesk and email.

6.2 – Telephone and online support via the website on weekdays from 9:00 am to 7:00 pm and weekends from 10:00 am to 7:00 pm. Support may go beyond what is indicated if subscribed in conjunction with the server service.

6.3 – Mixlife is not limited to monitoring the CONTRACTING PARTY's services, unless the maintenance service is subscribed alone or in conjunction with this service.

6.4 – Mixlife is not obliged to make backups of any data and content held by the CONTRACTOR, unless expressly contracted and under such terms.

6.5 – When Backups are contracted, the CONTRACTOR understands and accepts:

  1. Backups are, by their nature, corruptible files, and therefore despite Mixlife complying with the contracted routine and policy, its backups may, exceptionally, be corrupted, and as such unsuitable for restoration at the desired date/time. To this end, it is advisable for the CONTRACTOR to have more than one restoration point in its policy to guarantee redundancy and reduce the probability of failure.
  2. The CONTRACTOR, understanding what is indicated above, understands that, out of caution and to mitigate the risk of loss of content, it must continuously and uninterruptedly carry out backups of its data and content, and must do so under its professional and financial.

and third party computer programs

7.1 – The programs provided by Mixlife to the contracting party, as part of the provision of the server service, regardless of whether they belong to Mixlife or third parties, remain in the possession of the respective holder during the term of the contract.

7.2 – In order for the CONTRACTOR to be able to enjoy the programs referred to in the previous paragraph, they will be licensed to use them, in a non-transferable manner and with a duration limited to the period of provision of the server service, if another is not provided for at the time of subscription.

7.3 – The CONTRACTOR is strictly prohibited from using these programs for purposes for which their use has not been licensed.

7.4 – Partial or full copying of these programs, as well as any other form of violation of property rights, is completely prohibited.

8 – Duration, change and end of the provision of server services: 

8.1 – The provision of the server service will last for the duration established by the customer at the time of subscription.

8.2 – The obligation to provide the server service is renewed under the same terms, as established in point 3.5 of these CE/SD if the contractor pays the price indicated in the notification email.

8.3 – Once the provision of the server service has begun, there is no need to terminate the contract, except in the case of repeated non-compliance with the present conditions, the CG and the PUA, as well as the cases provided for by law.

8.4 – Under the terms of DL 82/2008, art. or configured to serve the concrete objectives of clients.

9 – Communications, Law and Forum: 

9.1 – Communications: 

9.1.1 – For the purposes of service within the scope of legal action, namely aimed at fulfilling pecuniary obligations arising from the subscription to this service, the parties agree on the address indicated in the act of subscription as the address for the customer area file. 

9.1.2 – The CONTRACTING PARTY is obliged, as already stipulated in 4.2, to communicate any change to the indicated address, and, for the purposes of notification, if it does not do so within a maximum period of thirty days, it will run the risk of being considered mentioned in the address contained in the customer area file. 

9.1.3 – Mixlife reserves the right, at any time, to present changes to these conditions, CG and PUA as long as it notifies the CONTRACTING PARTY five days in advance, via email.

9.1.4 – The changes referred to in 9.1.2 will only come into effect for subscribed or renewed services after their publication on the Mixlife page.

9.1.5 – If the CONTRACTOR understands that there is enough reason to give up the server service, he may do so, but only when the changes do not result from regulatory impositions and it is proven that they conflict with the usual way in which the server service is being provided by Mixlife to the CONTRACTING PARTY.

9.1.6 – If termination under 9.1.3 is carried out, the CONTRACTOR will be reimbursed for the unused service time, and for reimbursement purposes the value of the day will be calculated without taxes or fees and excluded from this calculation the value provided for licenses, IP, domains or related services.

9.2 – Law and forum: 

  a) Mixlife is not subject to an obligation to monitor the information that the CONTRACTOR transmits or stores through it, nor can it be held responsible for this, under the terms of DL no. 7/2004 of January 7th.
  b) The declaration of nullity, invalidity or ineffectiveness of one of the clauses of these CG by a legally recognized Court does not affect the validity and effectiveness of the remaining clauses and the maintenance of the contract.
  c) In the case provided for in 9.2 b), the maintenance of the contract regarding the part infected with defects is subject to the applicable supplementary rules, with recourse, if necessary, to the rules for the integration of legal transactions, as provided for in article 16/2 of the DL no. 446/85, of October 25th.
  d) When the provisions of 9.2 b) are not used or, when their use results in an imbalance of services that seriously undermines good faith, in accordance with article 14 of DL nº 446/85, of 25 October, the regime for reducing legal transactions.
  e) To resolve any dispute, which is so provided for, the provisional dispute resolution provided for in article 16 DL 7/2004 of 7 January must be taken into account.
  f) For the resolution of disputes between the parties that cannot be resolved according to 9.2 e) only the court of the district of Abrantes should be considered competent.

9.3 – The provision of the service is governed by the present CE/SD, CG, PUA, PP and other Portuguese legislation.


Mixlife's framework and obligations as Processor or Subcontractor

A – Information and history

It becomes the responsibility of the Controller(s)/Responsible(ies) for data processing to implement effective measures capable of demonstrating the compliance of data processing activities, even if, as we have already seen, the processing is carried out by a Processor/Data processor on behalf of the Controller(s)/Responsible for processing, in which case this will be shared responsibility.

Then, the Controller(s)/Responsible(s) for data processing become(s) responsible for ensuring that the rights guaranteed by the GDPR are effectively fulfilled, namely the most relevant:

1 – Information about the data collected, its purpose and consent

The request for consent for the collection and processing of data must be carried out in a way that is intelligible to the common man, containing within it or in an annex its objective, purpose or basis. Therefore, consent must be clear and distinguishable from other matters, easily accessible, using clear and simple language, allowing the data subject not only to understand what they are consenting to and when they are doing it, but also in the same way, or with similar access and ease, to withdraw their consent.

At all times, the Controller(s)/Responsible for data processing must have a history in order to be able to prove that consent was acquired legitimately and in accordance with the GDPR.

As Controller(s)/Responsible(ies) for the processing, Mixlife guarantees, to this day, and in fact since always, that consent to the collection of data from the subscribing client, when filling out their client form, is obtained actively and consciously. However, and bearing in mind the principle of clarity that the new regulation advocates, by practical action, Mixlife now separates, from the outset, consent to the receipt of generalized information from the acceptance of general contractual clauses, as set out in part II of this PP.

As a Processor/Subcontractor, the data entrusted to you is made available by the Data Controller (Mixlife client) with the aim or objective of Mixlife providing you with the service contracted at the time of subscription. When subscribing to the service, with possible data migration and/or its incremental creation or deletion, the Data Controller (Mixlife client) understands and accepts that the final objective of their action is to receive the provision of the subscribed service, as described on the Mixlife website on the date/time you subscribed. To do this, a confirmation email will be sent to you on the date/time of your subscription, as well as at the time of payment and service activation.

2 – Right to access

One of the rights that was expanded with the GDPR was the right of subjects to access their personal data, edit and rectify it. This right extends its scope, now including the right to know at all times whether or not your data is being processed, where and for what purpose. Furthermore, the Controller(s)/Responsible for processing must provide a copy of personal data, free of charge, and in an exportable format.

As Controller(s)/Responsible(s) for data processing, Mixlife enables permanent access to data, at all times, by its holder and through its reserved area, he or she can also change it, always safeguarding the correction of these data. Due to tax obligations, typically, when Mixlife customer data is found to be incongruous, there is proactive contact from us requesting correction. You can find out more about compliance with this obligation in PART II of this PP.

As a Processor/Subcontractor, Mixlife does not access the data entrusted to it by the Data Controller (Mixlife client), unless and only for as long as it is strictly necessary to provide the contracted service. This time, access to this data will be available at all times and within the customer's sphere, through the means and data sent at the time of subscription/activation.

It may be the case that access contingencies occur motivated by technical factors that lead to unavailability of service, with Mixlife's conduct being as provided for in the terms of its general/special conditions for the provision of Mixlife's service to which this policy of privacy is complementary, constituting a mandatory annex. In terms of technical unavailability of access to the service, access may be blocked for: i) Security of the data itself against illegitimate access, for example when there are excessive failed login attempts; ii) Data preservation security, when Mixlife is aware that the contents are at risk of being corrupted by remaining available online; iii) To comply with a court order or another with the same compulsory force; iv) In accordance with the law when Mixlife is aware of activity or information whose illegality is manifest.

3 – Right to portability

Intrinsically linked to the right to access, the right to portability takes on a different form. The data holder, in addition to access, now has the right to demand a copy in a commonly used format, exportable and importable automatically/digitally, thus acquiring a differentiated autonomy as he or she can transmit this data to other(s) Controller(s)/Responsible for the treatment, that is, it breaks the induction of friction to the change caused by the Controller(s)/Responsible for the treatment.

Mixlife, as Controller/Responsible for processing, allows the data subject, through its customer area, to export all of their personal data in a universal format that can thus be imported by any software. You can find out more and how in PART II of this PP.

As a Processor/Subcontractor, not knowing, by nature, the personal data it processes, it is limited to providing permanent access to its clients – Controller(s)/Responsible(ies) for data processing – so that they can make copies of the content at any time, as well as migrating the content hosted on its servers to any other service provider or to a storage device to be made available by it. Also in services related to data hosting and which may also contain personal data, such as domain names, the customer can transfer them at any time; however, if they only want to remove the domain name, this will have to be requested to the registry. Given the huge number of existing TLDs with different rules, and since Mixlife is also a Subcontractor here, the Data Controller (Mixlife client), if he wishes, should request this and other information about the intended TLD upon subscription.

Mixlife will only have access to this data when this is the only technically viable means, and only for as long as it is strictly necessary to provide the contracted service. In these cases, Mixlife will communicate with the Data Controller (Mixlife client) the technical terms in which this was and/or will be done and will urge the latter to maintain the necessary care to ensure the security of the information. When Mixlife indicates these good practices, it is expected that the person responsible for the treatment (Mixlife client) will follow them; this will prevent security breaches, as well as exempt Mixlife from any responsibility for action or omission arising from the normal development of its tasks, as it obliges the Data Controller (Mixlife client) to audit and verify all work carried out, as well as the security, compliance and integrity of the information. Thus, the person responsible for the treatment (Mixlife client) will be obliged to report in a timely manner (i.e., immediately after Mixlife's intervention) any anomalies or deviations that they may have diagnosed as a result of this mandatory audit, so that they can be promptly corrected and treated, or, if applicable, duly forwarded for processing in accordance with the information and personal data leakage policy.

Good Practices: Normally, you will be sent an email with necessary interventions, the good practices to be used for the specific situation. It is hereby assured and guaranteed by Mixlife as Subcontractor, and accepted by the Data Controller (Mixlife client), that access to certain data does not equate to consultation or manipulation by the Mixlife team.

The Data Controller (Mixlife client) understands and accepts that, within the scope of its professional obligations, Mixlife may have to access the data that the Data Controller (Mixlife client) has hosted on Mixlife's infrastructure, in order to carry out an action that is required of you, and for this to be possible it may be necessary to access login data for a service, and consequently access to data hosted on the service.

As both parties understand that this type of information is sensitive and should only be known to the respective holder, Mixlife undertakes to request access only when strictly necessary. In these cases, even if our platforms are secure, the Data Controller (Mixlife client) must take additional precautions before providing us with access data:

  i) Change the current password to a random one before sending it to our support;
  ii) After the incident has been resolved, the password must be changed again;
  iii) If root access is requested (dedicated services), the public access keys will be made available and must be authorized;
  v) If you use a firewall, please inform us so that we can send a list of IP addresses to be authorized;
  vi) Immediately after Mixlife's intervention, you must audit and verify the work carried out, as well as the security, compliance and integrity of the information, immediately reporting any anomaly or data inconsistency;
  vii) We urge the Data Controller (Mixlife client) to keep the hosted software and/or code used duly updated so as not to present vulnerabilities or security flaws that expose the information to risk, as well as regularly carrying out security audits of its contents;
  viii) We urge the Data Controller (Mixlife client) to have a strict password hygiene and security policy, as well as a backup copy of hosted content;
  iv) In any case when offering personal data appears insurmountable to obtain support from Mixlife, you should be aware that, in these contact routes, there is always greater exposure to risk.

The processing of this data will be governed by part II of the PRIVACY POLICY and, in this case, to exercise the right to forget communications or to report any situation concerning a risk or breach of data security, please do so by email addressed to [email protected], indicating the name/code/date/time/medium/ of the communications you want to be forgotten.

4 – Right to be forgotten

The right to be forgotten or “Right to erasure” is one of the key changes introduced by the GDPR. Whereas previously the burden of proof was on the data subject as to whether their data, when being processed or disseminated, was a direct cause of harm or suffering for them, now the burden is reversed, with the right now being invocable at all times.

Therefore, the holder can always claim it, and it is the responsibility of the Controller(s)/Responsible for the processing to prove a legally substantiated reason for not doing so.

The principle underlying this change in law is to facilitate and speed up the deletion, end of processing or dissemination of personal data of those who do not wish to do so and when there is no justified reason to do so.

These justified reasons that allow the Controller(s)/Responsible for processing to deny the exercise of this right to the data subject must therefore always be evaluated in light of an exercise of reasonableness that obliges us to weigh the importance of the legitimate interests of the Controller(s)/Responsible for processing, in light of the interests or fundamental rights and freedoms of the data subject.

The data subject will have the undeniable right to have their data deleted and processing stopped when:

• The original purpose, or the purpose for which the personal data was intended, does not exist and the data itself is no longer necessary for any purpose known or transmitted to it;

• When the individual did not consent regardless of the purpose;

• When there is no legal support for this;

• If the data processed is from services provided to a child;

• In any case where data is processed in violation of GDPR.

The Controller(s)/Responsible for the processing may refuse to delete or alter the data, providing, in turn, the restriction of access and/or processing when:

• The accuracy of personal data is contested by the data subject, however, its accuracy cannot be determined or proven;

• Personal data that is intended to be deleted or changed must be kept for evidentiary purposes.

In any case, the Controller(s)/Responsible for processing is (are) responsible for communicating, in writing, to the data subject, their refusal to rectify or delete personal data or the restriction of your treatment, as well as the reasons for refusal. It is also a fact that the law itself may provide for the exclusion of this obligation on the part of the controller(s)/person(s) responsible for the processing, whenever this is a necessary and proportionate measure for a democratic rule of law and, therefore, always duly taking into account the fundamental rights and legitimate interests of the data subject. Non-exhaustive examples of these exclusions are all cases in which the deletion or alteration of data may:

• Avoid harming the prevention, detection, investigation or enforcement of criminal offenses or the enforcement of criminal sanctions;

• Compromise public safety;

• Compromise national security;

• Compromise the rights and freedoms of others;

• Prevent or obstruct official/legal investigations or procedures.

However, the Controller(s)/Responsible for processing is obliged to inform the data subject of the possibility of submitting a complaint to a supervisory authority or lodging legal action before their refusal of this right.

For the Controller(s)/Responsible(ies) for processing and processor/Subcontractor entities, compliance with the use of this right has several implications, starting with increasing their need for the ability to maintain records of processing activities, as well as evidence of the relevance and the need for all data they control or process, which includes the purposes of processing, categories involved and expected deadlines. This information must be communicated to the data subject and records must be maintained in such a way that they can be made available to the supervisory authority upon request for evidence for any matter relating to a personal data matter.

Mixlife, as Controller(s)/Responsible(ies) for the treatment, provides the customer with the right to be forgotten either through its reserved area or by request via email, as provided for in PART II of the PP.

Regarding the forgetfulness of the data collected as Controller(s)/Responsible(ies) for the processing, Mixlife, in an exercise of reasonableness, assessed the meager data it collects in light of its contractual obligations and the defense of its legitimate interests, as well as compliance of the law, namely tax law, may refuse to delete or alter the data, providing, in turn, the restriction of its access and/or processing in order to preserve it as evidence. This data is, however, stored, not processed, and only with restricted and justified access – archive file.

As Processor/Subcontractor regarding the data hosted on its servers by the Data Controller (Mixlife client), despite being agnostic to the type of data (i.e., whether or not they are personal) Mixlife considers it to be intrinsically linked to the mandatory backup retention time, if applicable, so this will be the legal limit for the right to be forgotten in this type of services. In other information hosting services, where there are no backups, the right to be forgotten will be exercised whenever expressly requested or, automatically, after the service end date, considering the days of retention with a view to the recovery defined for the respective service, never exceeding 30 days.

The Data Controller (Mixlife client) understands and accepts that it is not their direct responsibility to guarantee the exercise of the right to be forgotten by the data subject when this is different from the Data Controller himself (Mixlife client), as this would involve accessing and manipulating data to which you do not have legitimate access. This obligation will be the sole responsibility of the person responsible for the treatment (Mixlife client) who must ensure that it is carried out in accordance with the law.

Despite there being an express request for forgetfulness by the data subject, or even if this obligation results from the calculation of time, Mixlife may be obliged to preserve data, when there is an express order from a judicial authority with powers to do so or in a preventive manner to ensure the preservation of evidence that could jeopardize public or national security, the rights and freedoms of others, or for your own protection and defense.

5 – Pseudonymization and anonymization

The GDPR recommends pseudonymization to reduce the risks of exposure of the data subjects concerned, which, in itself, also provides additional security for those responsible for processing and the Processor(s)/Subcontractor(s). Although the GDPR encourages the use of pseudonymization, pseudonymized data is still considered personal data and therefore remains covered by the GDPR.

The GDPR defines pseudonymization as the processing of personal data carried out in such a way that it cannot be attributed to a specific subject or data without the use of additional information. To efficiently pseudonymize a data set, additional information must be kept separately and subject to technical and organizational measures that ensure it is not attributed to an identified or identifiable person.

Pseudonymization techniques differ from anonymization techniques. With anonymization, data is stripped of any information that could serve as an identifier of a data subject. Pseudonymization, as we have seen, does not remove all identifying information from data, but only reduces the linkage of a data set to an individual's original identity. It does so using, for example, encryption, which makes the original data unintelligible so that the process cannot be reversed without access to the correct decryption key, or tokenization, which is another approach to protecting data by replacing it with other data, called tokens.

The legal distinction between anonymized and pseudonymized data is their categorization as personal data. Pseudonymized data still allows for some form of re-identification (even indirect and remote), while anonymous data cannot be re-identified.

Both pseudonymization and anonymization are recommended by the GDPR, which aspires to and encourages their widespread and recurring use.

Therefore, the Controller(s)/Responsible for processing and the Processor(s)/Subcontractor(s) of personal data are invited to implement one or another of these techniques to minimize the risk and, since the two techniques differ, given the GDPR, the choice should depend on the degree of risk and how the data will be processed.

As Controller/Responsible for processing, Mixlife uses pseudonymization, and the use of customer ID, service ID, payment ID or ticket ID are ways for the Mixlife customer to identify themselves, a service, a particular payment transaction or an interaction with support. Internally, and when processing information, typically, the normal operator only needs to know the client's authorized email, for identification, since all other matters, from then on, are handled using the aforementioned ID. See PART II of this PP.

As Processors/Subcontractors, we are completely agnostic to the data hosted in our infrastructure, being limited to processing the data entrusted to us by the Controller(s)/Responsible for processing, under the terms necessary to carry out their obligations to provide the contracted service. Therefore, you will be responsible for maintaining information security as proposed, preventing data from being accessed improperly, whether through physical, logical or social engineering means. To guarantee this obligation, Mixlife will take all appropriate technical security measures to protect data, which includes the possible pseudonymization of data that may be accessed in the normal course of providing services, such as the names given to physical servers or data required by means of contact where identity confirmation is not feasible, and, on the other hand, the complete anonymization of the data hosted by the Controller(s)/Responsible Person(s), as they are not known to Mixlife.

6 – Right to object to automated decision-making and profiling

Automated decision making and profiling are two distinct, but often intertwined, concepts.

Profiling is a form of automated processing of personal data used to analyze or predict issues relating to an individual, for example, analyzing their financial situation, health, interests or location.

Automated decision making is the ability to make decisions without involving human deliberation.

The two concepts are interconnected in that profiling can, in the vast majority of cases, be the precursor to automated decision-making. In practice, this can happen in two ways, but first there must always be data collection to draw up a general profile, then individuals are segmented into different groups based on the analysis of the data collected.

Starting from here, based on this profile, the following can be taken:

• Human decisions – where a human makes a decision based on the individual’s profile;

• Exclusively automated decision making – where an algorithm makes a decision, without human intervention.

The GDPR prohibits certain types of automated decision-making, that is, actions based exclusively on automatic decision-making that produce legal effects or that, similarly, significantly affect an individual are prohibited. Acts that significantly affect the individual are considered to be all acts that conflict with the rights of the individual, affect their legal status or their rights as a party to a contract. In practice, and by way of example: whether or not a person may be entitled to housing benefits, entry across a national border, automatic refusal of an online credit application, electronic recruitment without any human intervention, profile-segmented advertising that leads to different people being charged different prices, etc.

Exemptions from this prohibition are cases where they are necessary for the performance of a certain task, there is explicit consent from the data subject or they are provided for in a contract and even when they are authorized by law.

In this case, maintaining profiling, decision-making will require certainty regarding the form of decision-making and, naturally, the impact and consequences for the individual.

In addition to this prohibition, the obligation of safeguards and transparency is also stipulated. That is, individuals must be notified when a decision has been made using automated decisions exclusively, and they are always granted the right to request a review of that decision. The review must necessarily be carried out by a human with appropriate authority and capabilities to change the decision and must consider all relevant data and all additional information provided by the individual, in addition to the data collected by profiling.

Furthermore, data subjects always have the right to object to the use of profiling, or any automated form of processing of personal information, with the aim of evaluating and classifying them. At Mixlife there is no automated processing, including the definition of profiles that produce decisions with legal effects.

B – Accountability

1 – Obligation to use privacy by design, privacy by default and Data Minimization

Privacy by design as a concept becomes part of a legal requirement of the GDPR. Privacy by design requires the inclusion of data protection from the beginning of systems design; it must therefore be designed into the development of business processes for any product or service, defining high standard privacy settings and using technical and security measures and procedures capable of ensuring that processing, throughout the entire life cycle of the data, is in compliance with the regulation.

It is also required that those responsible for processing maintain and process only the data absolutely necessary to fulfill their duties and to fulfill the purposes for which they were collected and processed (data minimization), as well as that access to personal data is limited to those who need to carry out the processing.

The GDPR also ensures that all mechanisms and techniques are put into practice that can guarantee that, by default, only the necessary amount of personal data will be collected, used and preserved taking into account its purpose. This obligation must be considered throughout the life of the data and its processing, as well as during its legal conservation period, considering in both cases the different requirements necessary for its accessibility. This obligation aims to ensure that personal data is not made available en masse or to an indefinite number of people or without human intervention.

All these measures bring increased responsibility to the Controller(s)/Responsible(s) for the processing/processor/Subcontractor who is thus bound, from the conception and throughout the time in which they process or control personal data, to guarantee the privacy of data subjects, which will necessarily lead to minimizing exposure to risk.

As Controller(s)/Responsible(ies) for the treatment, Mixlife complies with the requirements inherent to what is understood as privacy by design and by default, using adapted security means, with security certificates and pseudonymization since the service subscription, data encryption, firewall, antivirus & antimalware, controlled, restricted and staggered VPN-authenticated access, reduced file, not saving password and with a strict policy of cleaning internal systems cyclically.

As Processor/Subcontractor, Mixlife guarantees:

· Physical access to its infrastructure, controlled by Closed Circuit Television, is controlled 24 hours a day by the personnel responsible for security. There are cameras in common areas both indoors and outdoors and access to technical rooms is completely prohibited; global control system for detecting the presence of intruders in the building. Security is based on the presence of 24×7 personnel who have all the necessary systems to control all areas of the building from the control post. Security is also responsible for human registration of accesses to which RFID control is added;

· Our network is made up of transit from several Tier 1 operators, presence in several traffic exchange points (GigaPix, ESpanix, DE-CIX), as well as multiple private peering agreements;

· The various Datacenters are interconnected, allowing public and private traffic to be exchanged securely and with reduced latencies. As an option, we provide a VPN service, whether “client to site” or “site to site”, allowing secure access via a private network to services and infrastructure hosted in the various Datacenters;

· The entire infrastructure is monitored 24x7x365 from our NOC, providing graphs with metrics and service access latency for the various customers (services that include you). In the event of events, the operations team is notified and the necessary actions are taken to normalize the service. We have an efficient SIEM (security information and event management) as well as a vulnerability management policy, with 24x7x365 monitoring.

2 – Data Protection Officer (“DPO – Data Protection Officer”) is responsible for the processing and protection of personal data.

The appointment of a DPO will be mandatory for public authorities, with the exception of courts or independent judicial authorities, when acting in the exercise of their judicial functions. In addition to public authorities, a DPO will be mandatory for all Controller(s)/Responsible for processing and Processor/Subcontractor, whose main activities consist of data processing operations in a regular and systematic manner and on a large scale or when such data belong to special categories – sensitive data. According to art. 9 of the GDPR, sensitive data is all data that reveals racial or ethnic origin, political opinions, religious or philosophical convictions, or trade union membership, as well as the processing of genetic data, biometric data to identify a person unequivocally, data relating to health or data relating to a person's sex life or sexual orientation.

The DPO must be appointed based on their professional qualifications with a special focus on technical knowledge of data protection legislation and practices.

The DPO is responsible for compliance and process management with a view to data security. It is also responsible for dealing with crisis situations, such as information leaks or other critical problems for business continuity regarding the maintenance and processing of personal and confidential data.

Even in entities where the DPO is not mandatory, the entity must designate a data controller, that is, an entity, whether an employee or not, who, individually or jointly with others, determines the purposes and means of processing personal data.

Mixlife has a DPO who can be contacted directly at [email protected] .

3 – Responsibility for the basis of data collection and processing

Data cannot be collected or processed without a legal basis justifying it.

In terms of complexity, the essential basis will always be the express consent of the holder, which cannot be generic, but must rather list and specify each of the purposes for which it is intended.

Apart from consent, processing, as it is essential for the provision of a service or sale of a product, may appear to be necessary and this need will be intrinsic to the need to process the data for the preparation and execution of a contract, agreement, proposal or other official or legally binding document.

Processing is always necessary and justified to comply with a legal obligation to which the Controller(s)/Responsible for processing is subject or to safeguard the vital interests of the data subject or even of others who depend on them.

All processing that fulfills obligations necessary to carry out a task of public interest and to defend the legitimate interests of the Controller(s)/Responsible for the processing/processor/Subcontractor has full legal basis and justification. The consideration of these legitimate interests must, however, always be done taking into account the fundamental rights, freedoms and guarantees of the data subject, since, in cases where the latter prevail, the protection of personal data is above all required, in particular if the data subject is a child.

In addition to these, it is intrinsic to its functions that data processing is carried out legitimately, in the act of exercising the official authority of the Controller(s)/Responsible(ies) for processing (DPO or person responsible for processing and protection of personal data), so in this case, access and processing will be protected from the outset.

As Controller/Responsible for processing, Mixlife, in addition to minimizing data collection to what is strictly necessary, has its legal basis in subscribing to services through general contractual clauses, and sometimes, in the intrinsic need for their provision. Apart from the data necessary for subscribing to the service and to establish contact with the customer, Mixlife does not collect or process any other data and all that may be provided by the holder on a voluntary and discretionary basis are ignored and excluded from processing, as provided for in Part II of this Privacy Policy.

As Processor/Subcontractor, Mixlife guarantees to all its customers that it carries out appropriate technical and organizational measures to comply with the law and to ensure information security and the defense of the data subject's rights.

As Processor/Subcontractor, all data stored on our servers was received based on contracting said service and thus prevails as long as the service/contract prevails. Outside of this time, there is a residual obligation, also arising from the contract itself, to maintain backups of previously hosted content for the defined times.

The Data Controller (Mixlife client) understands and expressly authorizes in general that Mixlife, as its subcontractor, respecting the conditions imposed by law, may subcontract services, which by their nature require it, such as licensing; domain names; SSL certificates; backup and email filtering systems (hosted in Mixlife’s infrastructure); attack mitigation systems, etc. Safeguarding that in all these services access to personal data will only be provided to the extent strictly necessary for:

1 – Registration or change of data regarding domain names;

2 – Subscription and installation of S/MIME certificates (PersonalSign);

The Data Controller (Mixlife client), by accepting this privacy policy when subscribing to one of the services that requires it, will also be authorizing this subcontracting, and any information about Mixlife's subcontractors will be offered to the Data Controller (Mixlife client) whenever requested and any changes to these subcontractors will be communicated to them, enabling their opposition. To comply with this obligation, whenever it intends or needs to change the subcontractors that may have access to personal data of the Data Controller (Mixlife client), Mixlife will communicate this to the Data Controller (Mixlife client) via informative email, the Data Controller (Mixlife client) having five days to oppose this change with regard to their personal data.

The Data Controller (Mixlife client) understands and accepts that in order to provide these specific services that Mixlife is obliged to subcontract, it may have to send, in a confidential manner, the personal data it collects, to external service providers. The Data Controller (Mixlife client) also understands and accepts that in order to provide the subscribed service, Mixlife will have to send the data necessary for this purpose to external service providers, Mixlife subcontractors, based in the EU or outside the EU, specifically USA or registrar/y of the country of origin of the subscribed ccTLD. Considering that, without the transfer of this data, the service cannot be provided, acceptance of this privacy policy and subscribing to the service are proof that the Data Controller (Mixlife client) accepts these terms.

By accepting the general contractual clauses in which this Privacy Policy is inserted, when subscribing to the service, a contractual link is established between Mixlife as Processor/Subcontractor and the Data Controller (Mixlife client), under the terms of art. 28/6 and 9 of the GDPR. Thus, on that date, as the object of the contract, the nature and purpose of data processing, the contracted service, the duration of processing and the chosen frequency are established, and it is also defined that Mixlife is unaware, because it is neither necessary nor made known to it, of the type of personal data, as well as the categories of data holders.

As this PP sets out the obligations and rights of the Data Controller (Mixlife client), Mixlife undertakes to:

• Only process the data to provide the subscribed service, in accordance with its General/Specific Conditions and this PP, and delete it after the provision of the service has been completed, with the customer being able to access it before the end date in order to copy or migrate it, as the data is always at the customer's disposal (with the exception of the situations described above that are exceptions);

• Assist, within the limits of their powers, the Data Controller (Mixlife client), demonstrating compliance with their obligations under the GDPR and providing the necessary information and evidence so that the latter can respond to inspections and audits. It is also your obligation to communicate to the person responsible for the treatment (Mixlife client), whenever the fulfillment of this duty may eventually constitute, in itself, a violation of legal obligations.

• It will always provide access to the Data Controller (Mixlife client) to the data stored in Mixlife's infrastructure, in order to be able to fulfill the obligations to which it is bound by the GDPR (except for exceptions duly provided for and listed above), and, when this is requested, Mixlife will act within the limits of its powers, in order to assist the Data Controller (Mixlife client) in fulfilling its obligations to respond to the rights of data subjects;

• That all Mixlife employees and collaborators are subject to the obligation of secrecy and confidentiality, as well as having received and receiving training and information on confidentiality and information security and good practices. They are also obliged to an information security policy that obliges them to:

– Make backup copies, against the risk of accidental loss

– Protect systems against malicious software (viruses, malware, phishing, ransomware, adware, etc.);

– Restrict and control physical access to work equipment;

– Save passwords in encrypted software;

– Ensure the composition of strong security passwords;

– Use secure VPN connections and do not use open networks when remotely accessing Mixlife’s infrastructure;

– Do not share and keep passwords and access codes to installations and systems protected;

– Do not share or grant access to third parties to your email for professional purposes;

– Do not record passwords automatically in systems and browsers;

– Do not use the same passwords for Mixlife systems and for personal use;

– Do not write passwords or any personal data on paper, or other easily accessible support, or if you do, ensure that it is duly destroyed immediately after its purpose.

– Protect all work files that contain personal data, using a password for opening and editing;

– Do not install unauthorized software on any computer or other device you use as part of your professional activity;

– Use email prudently and thoughtfully.

– Do not open email messages of unknown origin or with attachments that include executable files, unless they have a trustworthy origin and do not indicate phishing or malware;

– Always check recipients’ addresses;

– Do not follow suspicious links in emails;

– Send critical or sensitive information, whenever possible, in encrypted format, or in a format spread across more than one means of contact;

– If a virus is detected on the computer or abnormal behavior, turn off the internet and disconnect the network cable if there is one, do not turn off the computer, contact someone in the IT area;

– Do not use public email, file transfer and/or cloud services to exchange organization data, unless authorized;

– Do not use tools or social networks (WhatsApp, or others) to communicate matters containing personal data relating to professional matters, nor send organization information via non-institutional emails;

– Do not register your professional email address on social networks;

– Do not create copies or files containing personal data, unless previously and expressly authorized;

– Do not collect images or sounds of people within the company's facilities, except in situations provided for in internal regulations, by decision of the person responsible or previously authorized by the owners;

– Do not publish images or sounds of third parties on websites or social networks, without this being duly and previously authorized by the respective owners;

– Communicate to superiors if you detect that you have access to personal data outside of your role;

– Report any actual or potential breach of personal data to the DPO.

– Lock the computer whenever you are away;

– Do not take screenshots or photographs of personal data;

– Do not store sensitive data locally on the computer;

– Keep all folders with personal data in a safe place with restricted access (cabinets with locked doors);

– Keep the workstation tidy and comply with the “clean desk” principle;

– Do not provide any information with personal data over the telephone, unless it is possible to certify the identity of the person requesting the information;

– Collect prints from the network printer as quickly as possible;

– Do not collect, process and/or store personal data without being authorized to do so;

– Do not collect, process and/or store personal data without appropriate security measures;

– Do not disclose personal data to third parties, except other Mixlife colleagues and only when strictly necessary to carry out the activities assigned to you;

– Collect only personal data that is strictly necessary to carry out the activity and following the established procedures, using pseudonymization whenever possible;

4 – Account for GDPR compliance – Accountability

In the sense of the GDPR, accountability is proof of an entity's compliance with the regulation itself. In this same logic, responsibility is accompanied by measures to show the reality of data protection. It is important to note these two aspects of responsibility: the responsible implementation of the GDPR and the “report”.

The GDPR redefined that “personal” data is data used to identify a person: “a person who can be identified directly or indirectly (…), including by reference to an identifier, e.g. name, identification number, location data or online identifier, or to one or more specific elements of your physical, physiological, genetic, psychological, economic, cultural or social identity.”

In this context, the GDPR requires the Controller(s)/Responsible for processing to adapt their operation in order to guarantee (and be able to show – “render accounts” if we translate the term literally) that their processing of personal data complies with the law.

In practical terms, this obligation of accountability brings with it the role of the DPO and the person responsible for the processing and protection of personal data, but above all it forces these entities to maintain a documentary record of the processing carried out under the responsibility of the Controller(s)/Responsible for the treatment or Processor/Subcontractor and to analyze the concrete consequences of this data processing, presenting, in conclusion, the particular risks with regard to the rights and freedoms of the holders of this data.

In short, the regulation intends that the Controller(s)/Data Controller(s) must be able to prove that they comply with all data protection obligations and that all appropriate measures have been taken to effectively protect collected data.

As Controller/Responsible for data processing and as Processor/Subcontractor, Mixlife guarantees compliance with the GDPR and Law No. 67/98 of 26 October. To this end, the necessary measures within its scope were taken and, in addition to those already indicated and those that will be further indicated in Part II of this Privacy Policy, the following policies and processes were created or adapted:

– Privacy Policy;

– Information Security and privacy incident management process that includes the terms of analysis, reaction and communication;

– BP (Backup Policy), backup policy for internal devices used to provide customer support and service; backup policy defined by service and in accordance with the contract.

– Adequacy of the AUP (Acceptable Use Policy);

– Information leak event policy that aims to define action methodologies when faced with the possibility of an information leak event in order to quickly contain, mitigate and resolve it.

– Adequacy of operational management and service management processes through which procedures and work instructions are defined to orchestrate the technical management of the infrastructure and customer support, this time in order to guarantee the strengthening of security measures and their compliance with usual work;

– Adequacy of internal regulations to reinforce the adoption of information security measures and good practices among employees;

5 – Information leaks and security breaches (data breaches)

The GDPR defines a personal data breach as “a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

Personal data breaches can be divided into three types and a single data breach can involve one, two or even all three categories, namely:

· Breach of confidentiality, when there is unauthorized or accidental disclosure or access to personal data;

· Violation of availability, when there was a loss of access or destruction of personal data;

· Breach of integrity, when there is unauthorized or accidental change to personal data.

With the GDPR, the Controller(s)/Responsible for processing, more than being responsible for preventing security breaches from happening, also have the legal obligation to verify the severity of the breach and notify the supervisory authority without undue delay, unless the data breach does not in any way constitute a personal data breach and is therefore not likely to result in a risk to the rights and freedoms of individuals by having a significant detrimental effect on the affected individuals, i.e. one that may result in discrimination, reputational damage, financial loss, loss of confidentiality or other significant economic or social disadvantages. Apart from this exception, the Controller(s)/Responsible for processing has a maximum period of 72 hours after becoming aware of the data breach to make the report and communicate it to the supervisory authority.

When this harmful effect is proven, the Controller(s)/Responsible for the treatment must also notify the affected subjects. The notification must be made in clear and simple language with a concrete explanation of the occurrence. The obligation to notify data subjects is waived if the Controller(s)/Responsible for data processing has implemented appropriate technical and organizational protection measures that render personal data unintelligible to any person that is not authorized to access them, such as pseudonymization or anonymization or if it takes subsequent measures that eliminate the risk of affecting the rights and freedoms of data subjects.

Mixlife, as Controller/Responsible for processing and as Processor/Subcontractor, has always adopted a policy of transparency towards its customers, therefore the obligation to communicate will be carried out under the previously defined terms, this time complying with the stipulated procedure. Considering and analyzing, in abstract, the various types of information and their criticality, their possible exposure to unauthorized third parties and the consequent potential impact in the case of an event of this type, an Information Leakage Event Policy was drawn up. This policy establishes specific procedures, with clear work instructions so that, faced with a specific fact, any subject is able to analyze and react efficiently and quickly, responding to the need to contain and solve the problem in the shortest possible time. Taking into account the specific obligations concerning specific personal data, in order to better adapt the reaction to a privacy incident, a specific procedure was created for managing Information Security and Privacy incidents.

This procedure is what guarantees a balanced and properly guided analysis of the event, which, in strict compliance with the GDPR, allows the need for subsequent actions to be assessed, such as whether or not it is mandatory to communicate this event to the client and the CNPD. All these actions are duly recorded as well as their respective justifications in order to serve as evidence and support for any subsequent investigation action.

C – Supervision

1 – Control authority – National control authority defined by Law No. 58/2019

The National Data Protection Commission (CNPD) is the national control authority for the purposes of the GDPR.

The CNPD is defined in law as an independent administrative entity, with legal personality under public law and authority powers, endowed with administrative and financial autonomy to control and monitor compliance with the GDPR and other laws, as well as other legal and regulatory provisions in matters of protection of personal data with a view to defending the rights, freedoms and guarantees of natural persons in the context of the processing of personal data.

To this end, all entities subject to the GDPR and this law have a duty to collaborate in order to assist in any process in which it is required, except for the exceptions provided for in the law itself.

Thus, the CNPD defines that, under the terms of paragraph 1 of article 35 of the GDPR, the processing of personal data that may pose a high risk to the rights and freedoms of natural persons must be preceded by a DPIA (Data Protection Impact Assessment). Considering, by way of example, three types of situations that meet the requirements of this obligation of the data controller, art. 35.º/3 of the GDPR, the CNPD is the entity responsible for listing, in accordance with the assumptions of no. of article 35 are part of a complementary list that is now presented with the obligation to be preceded by a DPIA – Regulation no. 1/2018 regarding the list of personal data processing subject to Data Protection Impact Assessment. This is not a non-exhaustive list, but a dynamic one, just as the information society is. It is the duty of all those responsible for processing personal data to be aware of this list, without prejudice to suggesting that others, despite not appearing on this list, carry out a DPIA.

Considering that (art. 35) the GDPR intends to require the data controller to create a Data Protection Impact Assessment (DPIA) in cases where there is a high risk to the rights and freedoms of natural persons, depending on the nature, scope, context and purpose of the data and the type of treatment given to it, it also establishes specific factors that help determine what could be considered high risk. Therefore, to determine whether a DPIA is necessary, a data controller must consider these factors, together with those set out in the list of processing of personal data subject to a Data Protection Impact Assessment.

– The type of data collected by Mixlife as Controller/Responsible for the processing of personal data is not covered by the DPIA obligation;

– As a Processor/Subcontractor, there is no service provided by Mixlife which, by its nature, necessarily requires the creation of a DPIA by Mixlife or by the Controller/Data Controller who uses it. The analysis of the need for a DPIA will depend on the details and context of how the Controller/Data Controller uses the subscribed services.

Thus:

• Mixlife does not provide resources to carry out certain automated data processing, but as it does not know the data it hosts or what is done with it, it refers the investigation of the need to respond to this requirement to the Controller/Responsible for the processing of personal data;

• No specific service marketed by Mixlife is prepared or intended to process special categories of personal data, therefore Mixlife services, in their nature, do not enhance or increase the risk inherent in the processing of a Controller/Responsible for the processing of personal data. Naturally, nothing prevents the Controller/Responsible for processing personal data from using Mixlife's services to process special categories of data (contained in art. 53/3 or in the list of personal data processing subject to Data Protection Impact Assessment);

• While Mixlife's services may allow the Mixlife customer to track or process any type of data, including special categories of personal data, or to systematically monitor areas accessible to the public on a large scale, as a Processor/Subcontractor, Mixlife does not have control over the use given to the services it provides, concluding that it is up to the data controller, for a majority of logical reasons and due to the impossibility of being otherwise, to determine the appropriate use of the data.

In line with these considerations, the Controller/Data Controller must carry out an analysis of the type of data and treatment given to them to assess whether or not a DPIA is necessary.

If it appears necessary, the Controller/Data Controller must take into account that to carry out a DPIA, it must, in short, include factors such as:

I – the types of data processed;

II – how long the data will be kept;

III – Indicate the location where the data is stored;

IV – If and where they can be transferred;

V – Who may, in addition to the Controller/Responsible for data processing, have access to this data;

VI – A balancing judgment that assesses the need proportionally regarding the processing operations and their purposes;

VII – Assessment of risks to the rights and freedoms of individuals;

VIII – Description and evidence that the measures envisaged to deal with risks, including guarantees, security measures and mechanisms to guarantee the protection of personal data were carried out. In this case, the Mixlife client, Controller/Responsible for processing, will be able to find the necessary information from Mixlife as Processor/Subcontractor, in this privacy policy, and may also request additional information by email [email protected]

If you consider that the processing of your personal data violates applicable data protection legislation, you may file a complaint with the National Data Protection Commission – CNPD – www.cnpd.pt

Part II

Framework and obligations of Mixlife as Controller(s)/Responsible(s) for data processing

Mixlife is committed to protecting your privacy as a CONTRACTOR, as well as that of all users of its digital platforms and, as such, only collects personal information from those who voluntarily provide it, and also only uses it for the purposes for which it was provided.

All data collected will be listed in this policy in a transparent manner and with full respect for the rights of its holder.

Concept of Personal Data:

In accordance with article 4 of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND THE COUNCIL, of April 27, 2016, translated into Portuguese regulations through Law no. 58/2019 of August 8, personal data is:

“Information relating to an identified or identifiable natural person (“data subject”); An identifiable natural person is considered to be a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, electronic identifiers (E-mail) or one or more specific elements of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

1 – Collection, registration and use of Personal Data:

The data will be collected and recorded in accordance with and for the purposes described below and with the legalities set out below:

a) Cookies and tracking: The cookies used by Mixlife can be consulted in the cookie policy and in no case are personal data collected. From time to time, we may use Pixel Tags to help us measure the effectiveness of our advertising and allow us to provide more targeted marketing communications, in which case any personal data collected will remain confidential, even if the research is conducted by a third-party service provider on our behalf.

b) Data for service provision: Personal data collected by Mixlife is processed automatically and is intended for managing the CONTRACTOR's file, its services and its requests for commercial contact, support and assistance. The collection and processing of personal data is also intended to be used for contact by Mixlife for the purposes of:

• Ensure the normal functioning of the contracted service, namely, providing data for its management, payment and billing;

• Communicate planned interventions, report problems and/or other situations of relevance and/or impact on your services or support pathways;

• Promote the contractually required communication, using the means stipulated for this purpose (General Conditions of Service Provision);

• Sending quality questionnaires which the user may freely decline to complete.

• Create niches for registering domains that are delivered to the registrar/registry without being stored by Mixlife, maintaining only the legal basis for requesting registration – request.

c) Continue with the creation of CONTRACTING PARTY account subcontacts: At least one alternative contact email to the general one will be collected, and other data that the account holder chooses to provide about their authorized contact may be added. These subcontacts presuppose that the account holder has been given authorization for this purpose; in any case, if they do not agree or if there is identity theft on the part of the account holder, the subcontact must communicate their displeasure to Mixlife at [email protected] so that their contact may be deleted.

d) Support to the CONTRACTING PARTY: Any personal data that is sent to us at our discretion by email, telephone or livechat will be treated with viable and appropriate security for the medium in which it is transmitted to us; however, to guarantee the privacy of personal data, we urge you to avoid sending personal data through these channels. If the offer of personal data appears to be insurmountable, you should be aware that, in these forms of contact, there is always greater exposure to risk. The treatment and processing of this data will be governed by this PRIVACY POLICY and, in this case, to exercise the right to forget communications or to report any situation concerning a risk or breach of data security, please do so by email addressed to [email protected], indicating the name/code/date/time/medium of the communications you want to be forgotten.

We also remind you that any email address that allows you to identify an individual is considered personal data, so if you want your contact to be forgotten, please make sure you inform us in the terms above, avoiding offering more data through personalized signatures or other ways.

e) Instant communication tools: Mixlife provides its CONTRACTOR with support through instant communication tools and, when using them, we urge you to avoid sending personal data, including emails that could be considered as such. If the provision of personal data appears essential to follow up on the support request, you should be aware that, in these forms of contact, there is always greater exposure to risk. The data collected in this way will only be used for the purpose for which it is intended, without prejudice to the CONTRACTOR indicating otherwise, or being data that coincides with others already collected on another basis and lawfulness. The treatment and processing of this data will be governed by this PRIVACY POLICY and, in this case, to exercise the right to be forgotten, please do so by email addressed to [email protected], indicating the name/code/date/time/means of the communications that you want to be forgotten.

f) Response to commercial contacts: upon authorization and request from the data subject, a commercial proposal may be prepared, using the data offered and collected for this purpose. In these cases, the commercial proposal will be stored in a dedicated location, protected by a firewall, antivirus & antimalware, enabling secure access via SSL certificate, VPN authentication and other appropriate technical measures, as well as restricted and escalated access privileges. This data will be kept for six months, with a view to possible adjudication, unless the holder exercises the right to be forgotten.

• All rejected commercial proposals are forgotten, as well as all those whose CONTRACTOR does not respond after three update requests within a maximum period of six months without a response, unless the CONTRACTOR expressly indicates that they want us to wait for their decision for longer.

• All data regarding commercial proposals or with a view to awarded commercial transactions will be maintained under the terms established for the type or types of services to which they refer.

• All registered commercial proposals, in addition to mere email contact, will be reviewed within a maximum period of seven years, so if the provision of any of the services in question is no longer ongoing, they will be forgotten.

g) Investigation of Legitimacy and Fraud: For the purposes of verifying legitimate ownership, changing authorized email, confirming tax data or detecting fraud, the CONTRACTOR may be asked to provide additional information about their identity, such as proof of address, number of identification or others. In these cases, Mixlife undertakes to collect the minimum necessary to:

• Ensure that you are the legitimate owner of the services you are claiming under the service provision contract to which you are bound when subscribing to services;

• Guarantee fiscal veracity as required by tax law;

• Remove the possibility of fraudulent subscription or that appears to be intended to commit illegal acts in order to protect the rights of Mixlife and third parties.

This data will be collected through normal support channels. At the end of the process, given Mixlife's legitimate interests and the obligation to maintain evidence, the collected data will be preserved and duly pseudonymized. Pseudonymization means that an alphanumeric code will be associated with the CONTRACTING PARTY, indecipherable except through access to an archive file with restricted authorization and only if justified.

h) Contact forms: All contact forms on Mixlife's online pages will collect the necessary contact data so that we can respond to you, as well as all data that is discretionarily included in the body of the email/form. This form will be integrated into a ticketing platform protected with firewall, antivirus & antimalware, enabling secure access via SSL certificate and other appropriate technical measures, as well as restricted and escalated access privileges. This entry will be pseudonymized and cannot, due to abstraction, be easily found.

To ensure the privacy of personal data, we urge you to avoid sending personal data in these ways. If the offer of personal data appears to be insurmountable, you should be aware that, in these forms of contact, there is always greater exposure to risk. To request that communications be forgotten in this situation, or to report any situation concerning a risk or breach of data security, please send an email to [email protected] and indicate the date/time/email address of the communications you want to be forgotten.

We also remind you that any email address that allows you to identify an individual is considered personal data, so if you want your contact to be forgotten, please make sure you inform us in the terms above, avoiding offering more data through personalized signatures or other ways.

i) Recruitment: If you send a spontaneous application or respond to a job offer, be aware that all CVs and personal data collected in this way will be integrated and stored in a dedicated location protected with firewall, antivirus & antimalware, SSL certificate and other appropriate technical measures, as well as restricted and escalated access privileges. All applications that are not of interest are eliminated after evaluation. All candidates who could potentially be called remain available for 12 months after which, if they are not called, their candidacy will be eliminated. The 12 months are justified to evaluate the candidate's career path as well as the possible future hiring opportunity in the legitimate interests of the company and the candidate. All approved applications will result in registered contact with the candidate, with a view to future recruitment efforts. These will result in justified hiring or rejection, in which case, through human action, they will be forgotten in an archive, with restricted access and only justified, being eliminated after 5 years. Storage in a segregated and restricted environment for 5 years is justified for the purposes of procedural assessment of recruitment in the interests of the company.

j) Social Networks; hobbies; offers and training: All interactions that are made through the following channels:

• Mixlife's social networks as well as sharing on social networks of content disseminated through Mixlife's Website, blogs and other digital platforms are governed by the PRIVACY POLICY of the company that provides the resource used for sharing or interaction, and the user can obtain more information by consulting Annex I to this PRIVACY POLICY.

• Participation in competitions: Mixlife may promote the collection of data by completing online or paper contact forms, in order to enable the submission of user participation in online or offline competitions organized by it.

• Subscription to alerts/notifications: Collection of data to enable the sending of alerts and notifications of services accepted free of charge or on a trial basis by users.

• Participation in events or training: Collection of data with the aim of enabling the registration and management of participants in company events or in which the company participates. All data collected under the responsibility of Mixlife and solely through its own means, without the use of social networks, will be treated in accordance with this PRIVACY POLICY with regard to the rights enjoyed by its holder.

The processing of personal data made available to us via social networks, entities external to Mixlife, must be treated in accordance with the privacy policies of the respective companies, considering Annex I to this policy.

k) Interactions in Forums and Blogs: Any information that you may disclose in forums or other public areas of the Mixlife website or the Internet, even if linked to Mixlife, becomes public information. Therefore, caution when deciding to disclose personal information in these public areas will be up to the individual who does so. In these cases, to remove the personal information disclosed, you must send an email to [email protected] indicating article / date / time / medium / email so that you can be identified. However, it may be the case that Mixlife is unable to remove your personal information because it does not have access to the server or service (external to Mixlife). In these cases we will promptly inform you that we are unable to do so and why.

l) Commercial communication: The sending of general and advertising information in relation to Mixlife and the services provided by it is subject to a request for segregated and differentiated consent, meaning that the collection of personal data for commercial and contractual purposes does not legitimize or enable sending this type of communication. If the user wishes to receive this information, they must, by action, subscribe or consent to its sending.

m) IP addresses: The IP address, when its use or identification alone does not allow the identification of its holder or the location from which a certain action is carried out, cannot be considered private data. The way in which the IP service is provided and collected, as information, by Mixlife does not make it possible to identify an individual; however, given the possibility of risk, this is pseudonymized, so within the scope of this PRIVACY POLICY we will avoid considering it as private data.

2 – Database Compliance:

The data provided is integrated into a database duly regularized with the National Data Protection Commission (CNPD), and its processing is automated, organized and maintained directly by Mixlife in accordance with data protection laws.

3 – Contracts and Communication with Minors:

Access to purchases for minors under 18 years of age is prohibited. Minors who wish to contact Mixlife, to access the platforms or make their personal data available, must obtain authorization from their parents or guardians.

4 – Rectification, portability and deletion of the data provided:

• Data rectification: Under applicable legislation, the user has the right to access and rectify their data, so Mixlife offers the CONTRACTOR permanent access to their data, enabling their rectification at all times. The CONTRACTING PARTY's accessibility to their data is guaranteed through a reserved area, duly protected, first by mandatory authentication and then by SSL, as well as other appropriate technical measures, in order to ensure that the CONTRACTOR's personal data are safe from unauthorized access by unauthorized third parties. This reserved area is subject to a strict backup policy that you can consult, thus eliminating the risk of partial or complete loss or corruption. In this reserved area, the CONTRACTOR will be able to update their personal data with the exception of the general email and the Tax Number, the first because it is the unique authenticator that legitimately titles its user as owner of the services and the second to guarantee tax veracity. To change these fields, you must send an email to [email protected], ensuring, at the outset, whether or not you want this request to be forwarded, after being processed, to oblivion.

• Data maintenance time, Forgetting and Deletion: Mixlife is committed to keeping your data properly protected with firewall, antivirus & antimalware, providing secure access via SSL VPN authentication and other appropriate technical measures, as well as restricted and escalated access privileges. You can exercise the right to be forgotten automatically and directly in your area at any time, and you cannot have any active service to do so. If there are active services, the forgetting will only be carried out when Mixlife's contractual obligations towards you are extinguished, therefore, Mixlife will continue to provide the service until its end. Mixlife has no direct relationship with individuals whose personal data is provided, processed or obtained by Mixlife Resellers. Subjects seeking access, or seeking to correct, alter or delete inaccurate data must direct their query to the person responsible for data processing – Reseller.

• Forgetting and Backups: After the service has been provided, your request for forgetting will be granted, however, backup contents will persist for the time defined in the backup policy. This data is, for security and privacy, stored, unprocessed, with restricted and justified access and will only be used if there is an insurmountable need to restore a backup that includes your data.

• Forgetfulness and deletion: In the exercise of reasonableness, evaluating the limited data we collect in relation to contractual obligations and the defense of its legitimate interests, as well as compliance with the law, namely tax law, Mixlife avoids the deletion or alteration of data, providing, in turn, the restriction of its access and/or processing in order to preserve it as evidence of its legitimate interest. This data is, however, stored, not processed, and only with restricted and justified access. Therefore, whenever there is a legitimate interest in protecting your rights or those of third parties, Mixlife will carry out the forgetting action before deletion. Forgetfulness means moving all data to an archive with reserved access, not authorized except by reasoned justification and to be recorded. To comply with the law, particularly tax law, forgetfulness may last up to a maximum of 12 years, after which your data will be deleted. Your data will be kept out of oblivion for a maximum period of eight years after total inactivity, however, it may be moved at any time as long as you exercise your right to be forgotten. For all personal data arising from communications, the data subject must exercise their right to be forgotten by email to [email protected] indicating code or ID/date/time/medium/email so that they can be identified and forgotten.

5 – Security and use of your information

• Security in storage and access: The personal data that Mixlife collects is properly protected with firewall, antivirus & antimalware, enabling secure access via SSL VPN authentication and other appropriate technical measures, as well as restricted and phased access privileges, among other appropriate technical measures. Additionally, we use pseudonymization in contact with the CONTRACTING PARTY in order to avoid exposure to risk; thus, to contact support, you must indicate your CONTRACTING PARTY ID instead of the name, service ID instead of the hostname or domain, payment ID code instead of description or payment information, or ticket ID instead of shipping email address. To guarantee your authentication, you should always use the general email or authorized contact. Therefore, to avoid the risk of using an email address that could constitute personal data, we encourage you to provide a general email that does not contain any personal data such as name or date of birth, or alternatively use PIN support to authenticate yourself. In cases where the CONTRACTOR is unable to identify or remember the general email associated with their customer file, to speed up support, but without compromising information security, Mixlife may give you a clue about this email. To this end, the operator may, in writing, camouflage the email address by replacing some characters with symbols such as * or #. On the phone, the operator may indicate the domain associated with the email or give a clue by omitting parts of the entire address. Still prioritizing security, but avoiding entropy in direct contact, with regard to identity verification, so that we can provide immediate responses, even if with no impact, you may be asked, in addition to your customer ID, for a customer identification by two or three factors. In this case, you may be asked to indicate the general email address of the account, the associated taxpayer number, some of the services in your account, address details, service IDs, or others that may show that the person who is contacting us is in fact the CONTRACTOR.

• Security in support – good practices: In certain situations, within the scope of support, in order for us to be able to analyze and resolve a problem, the username and password of your service may be necessary. We understand that this type of information is sensitive and should only be known to the respective holder. With this in mind, we only request access when it is strictly necessary.

Even though our platforms are secure, the CONTRACTOR must take some additional precautions before providing us with data:

1. Change the password to a random one before sending it to our support;

2. After the incident has been resolved, the password must be changed again;

3. The password must be sent in response to the email that has secure access;

4. If root access is requested (dedicated services), the public access keys will be made available and must be authorized;

5. If you use a firewall, please inform us so that we can send you a list of IP addresses to be authorized.

If you are unable to provide access data, you should open a ticket at our helpdesk so that we can find safe alternatives. If the offer of personal data appears to be insurmountable in order to obtain support, you should be aware that, in these contact methods, there is always greater exposure to risk. The treatment and processing of this data will be governed by this PRIVACY POLICY and, in this case, to exercise the right to forget communications or to report any situation concerning a risk or breach of data security, please do so by email addressed to [email protected], indicating the name/code/date/time/medium of the communications you want to be forgotten.

• Subcontacts of the CONTRACTOR's account: To add subcontacts to your CONTRACTOR's account, please be aware that you must confirm that you have obtained authorization from this contact for this purpose, knowing that, for validation, this may be requested by email so that you can confirm it and, therefore, your account holder details will also be disclosed to you.

6 – Sending or transferring information:

• Commitment: Mixlife undertakes not to sell or rent to third parties any personal data sent by users of our digital platforms, without prejudice to doing so with the user's authorization or when legally obliged.

• Legal Obligations: Mixlife may access, preserve and share the CONTRACTOR's information with companies, organizations, government entities or individuals external to Mixlife, as it is in good faith that the law requires it. These are non-exhaustive cases: judicial authorities, arbitration centers, entities to which the law attributes powers at the level of criminal investigation, or whose mission is to monitor and prevent compliance with legislation within the scope, namely, of protecting consumer rights, intellectual property, communications, security, public health and general business practices, etc. Mixlife may also access, preserve and share CONTRACTOR information when necessary to: establish or exercise Mixlife's legal rights or defend itself against any legal claim, including claims and threats involving Mixlife as the managing entity of a domain based on anonymity of its holder; investigate, prevent, or take action regarding suspected fraud or other illegal activities; prevent death or serious physical harm to any person; or investigate violations of Mixlife's general/special conditions of service.

• To provide specific services that depend on third parties: Mixlife may have to confidentially send the personal data it collects to external service providers, namely to enable the provision of security certificates and domain registration and transfer services. These partners are based in the EU and, therefore, in compliance with current privacy laws, or when they are from outside the EU they also declare their compliance. In these cases, Mixlife is forced to request and send your domain name registration data to a domain registration provider, Registry or Registrar, to fulfill its requirements and proceed with the domain registration, renewal or transfer. In some cases, domain names, mainly for natural persons, can already be registered confidentially, and it is still possible to change from public to confidential or vice versa at any time. However, Mixlife will always have to collect and send registration data to these entities. If you would like to be informed about the PRIVACY POLICY of a Registry/Registrar entity of a specific TLD, please contact us indicating which one.

• WHOIS: In certain jurisdictions or under Domain Name Assignment Corporation rules or certain registries, Domain Name Registration Information must be available and accessible to the public through a “WHOIS” search. The WHOIS database is publicly accessible and lists the domain name registration information for a specific domain name, the name server(s) to which the domain name points, and the domain name's creation and expiration dates. The domain name registration information you provide is hosted by Mixlife and/or a third-party service provider and made publicly available through WHOIS lookups. In some domain names, registration may be confidential and it can be changed at any time. If your WHOIS data must be made publicly available and is used for contact by third parties, please be aware that these communications do not come from Mixlife and Mixlife does not control the use of WHOIS information by third parties.

• Business management, taxation and statistics: In addition to sharing information with service providers in a confidential manner, as described above, Mixlife may share with third parties, in a manner contractually stipulated as confidential, various identification information, aggregated into categories, with personal data isolated and non-directable, obtained through research with customers and partners, considering: statistical purposes, analysis of marketing campaigns, response to requirements for the provision of subcontracted services, financial and tax audits, quality, security, etc.

7 – Profile and automated decisions: At Mixlife there is no automated processing, including the definition of profiles that produce decisions.

8 – Privacy by design and by default: Mixlife ensures that, as far as is required and feasible, appropriate technical measures have been adopted and organized to protect personal data against accidental or illicit destruction, alteration and/or dissemination.

Any violation of the privacy of personal data will be assessed and reported within 72 hours to the competent entity CNPD, as well as to the data subject(s) according to the established security and privacy incident management process. If you find any risk or inconsistency in the management of Mixlife's personal data, you should alert us at [email protected], and you can always lodge a complaint with the CNPD – National Data Protection Commission.

9 – Payments

Mixlife takes all necessary precautions to ensure the protection of the information collected from the CONTRACTOR and guarantees that all payment data entered is automatically encrypted using SSL – Secure Sockets Layer technology, with a view to guaranteeing complete security in payments made. To be able to verify that the information is being transmitted securely, note that the image of a closed lock/padlock will appear next to the URL, which indicates that the connection is secure. Mixlife does not store payment data. The data provided by the CONTRACTING PARTY to make payments, particularly those relating to credit cards, are never stored by Mixlife, being used only at the time of processing the transaction, which is carried out from a secure banking entity page and with appropriate technologies to ensure that there is no risk. Therefore, not only can we guarantee that the CONTRACTING PARTY's data is not exposed to any intrusion attempts but, in particular, by not storing payment data we can guarantee that, in extremis, if there were illegitimate access this would never jeopardize access to payment data.

10 – Responsible Entity

The entity responsible for processing the Database is Mixlife Lda, with headquarters at Mixlife Lda, Rua Manuel de Almeida Lopes, Lote 129, Loja A 3510-900 Viseu, legal entity nº 507 851 870, with share capital of €5,000, and anyone interested can reach it through the following contacts:

• Telephone: 232 283 933 (Call to the national landline network), with opening hours: Monday to Friday from 9am to 1pm and from 2pm to 7pm

• Address: Mixlife Lda, Rua Manuel de Almeida Lopes, Lote 129, Loja A 3510-900 Viseu

• Email: [email protected]

11 – Limits of Applicability

This PRIVACY POLICY does not apply to personal data or information that may be submitted or collected by third-party websites hosted on Mixlife's infrastructure, or to domain names registered by third parties with Mixlife, or registered by Mixlife. As such content or domain names are not the legitimate property of Mixlife, Mixlife has no control over them. With regard to this data, Mixlife will only be SUBCONTRACTOR and will respond only as such; remember, therefore, that the privacy policies of such third-party sites must be evaluated by the USER/CONTRACTOR before sending their personal data. It is also important to note that our responsibility, as SUBCONTRACTORS, ends with the security of the infrastructure. Any security and privacy incident that originates from CONTRACTOR code vulnerabilities, plugins, compromised email accounts, infected emails or other files, or any content of the CONTRACTING PARTY, will therefore be the responsibility of the content manager, who must monitor them to take preventive action against a possible vulnerability or act in reaction to the incident under the terms recommended by applicable legislation on privacy and processing of personal data.

12 – The Law

This PRIVACY POLICY respects the provisions of applicable legislation on privacy and processing of personal data. In this sense, it may be reviewed at any time depending on changes to the legal regulations that support it, as well as recommendations from national and international entities competent in the matter.

When there are changes to this privacy policy that alter its version, the CONTRACTOR will be notified via general email. The information we collect and send helps us to provide the best purchasing and service experience, so we encourage our users to participate by offering us their consent.
