1. Preamble

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter “GDPR”), combined with Law no. 58/2019, of 8 August, which guarantees the implementation, in the Portuguese legal order, of the aforementioned Regulation, sets out the legal framework application to personal data processing.

The GDPR strengthened the rights and obligations of data controllers, processors, data subjects, and also the recipients of personal data.

Within the scope of its business, the law firm António Frutuoso de Melo e Associados, Sociedade de Advogados, SP RL, with registered office at Avenida da Liberdade, 38-1º - 1250-145 Lisboa, legal person no. 504022571, telephone number +(351) 213 218 600 (hereinafter “AFMA”), processes the personal data of its clients and other contacts.

For the purposes of this Policy, the following definitions apply:

  • “Client(s)”: means any natural or legal person that is a client of AFMA; the term includes the staff of clients (companies);
  • “Contact(s)”: means any natural or legal person that has relations with AFMA but is not a Client (potential clients, counterparties, partners, applicants, etc.);
  • “Data Controller”: means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data; for the purposes of this Policy, the data controller is AFMA;
  • “Processor”: means a natural or legal person which processes personal data on behalf of the controller; in this case, these are service providers which AFMA works with and which may, within the scope of their service provision, perform personal data processing operations on data controlled by AFMA;
  • “Data Subjects”: means natural persons who are identifiable or can be identified, directly or indirectly; within the scope of this Policy, the data subjects are defined as “Clients” or “Contacts”;
  • “Recipients”: means a natural or legal person to which personal data are disclosed, whether a third party or not. In this case, the recipients of personal data may be both internal to AFMA or external to it (providers of support services (accounting, IT, etc.), judicial and ancillary bodies (courts, enforcement agents, etc.), etc.).

Pursuant to the provisions of Article 12 of the GDPR, the data controller shall provide Data Subjects with information on their rights in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

2. Object

To meet the needs of its business, AFMA processes personal data relating to its Clients and Contacts.

The aim of this policy is to ensure compliance with the obligation to inform to which AFMA is subject and, also, to formalise the rights and obligations of its Clients and Contacts with regard to the processing of their personal data.

3. Scope

This personal data protection policy applies within the scope of the processing of Data Subjects’ personal data.

This policy applies solely to processing where AFMA acts as the Data Controller.

Personal data processing may be performed directly by AFMA or by means of a Processor designated for such purpose.

4. General principles and commitment

AFMA only processes the personal data of Data Subjects that have been collected within the scope of the provision of its services and for the purpose of providing those services, or that are processed in connection with said services, and always in strict compliance with the general principles of the GDPR.

Any other processing, amendment or elimination of existing personal data processing will be made known to the Data Subjects by an amendment to this Policy.

5. Types of data collected

AFMA may process the following categories of personal data:

NON-TECHNICAL DATA (as appropriate)

  • Identification: name, surname, title, function, pseudonym, date of birth, sex, citizen’s card number, passport number, taxpayer number, place of birth, nationality, marital status;
  • Contact Details: Telephone, mobile, e-mail address, postal address, etc.;
  • Education and professional experience: education, qualifications, certifications, languages, curriculum vitae, information from a previous employer;
  • Professional data: position, function, description of the function, company, office address;
  • Professional activity data: business activities, information relating to processes and files, information relating to actions;
  • Personal life (family or assets);
  • Invoicing data: bank details, fees, costs of travel and communications on behalf of the client.

TECHNICAL DATA (as appropriate)

Identification details (IP)

Connection details (namely logs)

AFMA does not process special categories of personal data, as set out in Article 9 of the GDPR, unless “processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity”, pursuant to the provisions of Article 9(2) f) of the GDPR.

6. Source of data

AFMA collects data from Data Subjects through the following means:

  • Data supplied by the Data Subjects within the scope of a case, process or file handed over to AFMA so that the latter may ensure the respective legal representation, counsel and advice;
  • Personal cards.

Data Subjects’ personal data may be collected by several means, namely in paper format, e-mail, postal mail, in person.

7. Purposes of processing

As applicable, AFMA processes Data Subjects’ personal data for the following purposes:

  • Provision of legal practice services: handling of cases, processes or files handed over to AFMA so that the latter may ensure the respective legal representation, counsel and advice (includes opening of the client file, recording of service proposals presented, communications with the Client, with other parties and/ or public entities, including courts, filing of documents in digital format and on a physical medium);
  • Management of the Client relationship;
  • Sending of information (legal alerts);
  • Provision of information (by telephone or e-mail);
  • Processing of accounts (includes expense accounting, cost control and reimbursements (e.g., travel expenses to be paid by clients), invoicing and management of current accounts, maintenance of files of accounting records and supporting documents);
  • Replies to public tenders or calls for proposals;
  • Recruitment and selection;
  • Sending of greetings and other courtesy messages by AFMA;
  • Improvement of our services;
  • Compliance with legal obligations, in particular those related to anti-money laundering and terrorist financing (ML-TF);
  • Ensuring network and information security (provision of technical assistance, fraud prevention and detection, etc.);
  • Statistical analysis.

8. Bases of lawfulness

The above-mentioned purposes of processing have the following bases of lawfulness:

a) Consent of the Data Subject for the processing of his personal data for one or more specific purposes;

b) Processing necessary for the performance of a contract to which the Data Subject is party, or steps prior to entering into a contract taken at the request of the Data Subject;

c) Processing necessary for Compliance with a legal obligation to which AFMA is subject;

d) Processing necessary for the purposes of the legitimate interests pursued by AFMA or by third parties, except where such interests are overridden by the interests of fundamental rights and freedoms of the Data Subject which require protection of personal data, in particular where the Data Subject is a child.

9. Recipients of data

AFMA guarantees that personal data is only accessed by internal recipients or authorised external recipients.

AFMA may share the Data Subjects’ personal data with the following entities:

Internal recipients:

  • Lawyers, including trainee lawyers;
  • Administrative staff.

External recipients:

  • Counterparties;
  • Courts, regulatory authorities, government institutions, enforcement agents, judicial administrators, other lawyers, experts, inspectors, etc.;
  • Public authorities, the Bar Association;
  • Public administration (Institute of Registration and Notary Affairs, Commercial Registry Offices, Land Registry Offices, Motor Vehicle Registry Offices, the Tax Authority, etc.);
  • Service providers (translation services, IT services, communications services, digital and physical filing services, etc.).

Where the transfer of personal data to the above entities involves an international transfer of personal data (i.e. outside the European Union), AFMA:

(i) will perform the transfer on the basis of an adequacy decision from the Commission, in the terms of which the country or international organisation in question ensures an adequate level of protection of personal data equivalent to that resulting from the European Union legislation; or

(ii) in the absence of an adequacy decision from the Commission, will ensure that those transfers of data are performed in strict compliance with the legal provisions and that appropriate safeguards are implemented to ensure protection of the personal data.

10. Storage period

AFMA defines the storage period for personal data in accordance with the legal and contractual constraints on such data, namely the statutory limitation periods for civil liability.

In line with the purposes of processing, the storage periods for personal data are:

  • Legal practice services: 20 (twenty) years after the contractual relationship has ended.
  • Compliance with legal obligations regarding ML-TF: 7 (seven) years counting from the date on which the identification was processed or, in the case of business relations, after the end thereof.
  • Invoicing and accounts management: 10 (ten) years.
  • Recruitment and selection: 2 (two) years, counting from the application or curriculum vitae being handed over, if no relationship is established with the applicant.

11. Right of access

Data Subjects have the right to obtain from AFMA confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to their personal data.

Data Subjects have the right to request from AFMA a copy of their personal data undergoing processing. For any further copies requested by the data subject, AFMA may charge a reasonable fee based on administrative costs. Where the Data Subjects make the request by electronic means, and unless otherwise requested, the information shall be provided in electronic form.

Data Subjects are informed that the right of access does not apply to confidential information or data or data the communication of which is not permitted by law. The right of access does not allow access to documents handed over to AFMA that are subject to professional secrecy.

12. Updating and Rectification

Data Subjects have the right to obtain from AFMA rectification of inaccurate personal data concerning them. Taking into account the purposes of processing, Data Subjects have the right to have incomplete personal data completed, including by means of a supplementary statement.

Data Subjects shall exercise this right with their usual interlocutor or, alternatively, by sending their request by e-mail to:

Data Subjects are responsible for updating their personal data with AFMA.

13. Right to erase data

The right to erasure of Data Subjects’ personal data will not apply when processing is necessary for compliance with a legal obligation or also for the establishment, exercise or defence of legal claims.

Except for the above-mentioned situation, Data Subjects have the right to obtain from AFMA the erasure of their personal data, where one of the following grounds applies:

a) The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

b) Data Subjects withdraw the consent on which the processing is based and there is no other legal ground for processing the said data;

c) Data Subjects object to their personal data being processed on the basis of AFMA’s legitimate interests and there are no overriding legitimate grounds for the processing.

14. Right to restriction of processing

Data Subjects have the right to obtain from AFMA restriction of processing, where one of the following applies:

a) They contest the accuracy of the personal data, for a period enabling AFMA to verify their accuracy;

b) The processing is unlawful and the Data Subjects oppose the erasure of the personal data and request the restriction of their use instead;

c) AFMA no longer needs the personal data for the purposes of the processing, but they are required by the Data Subjects or for the establishment, exercise or defence of legal claims;

d) The Data Subjects have objected to processing, pending the verification whether the legitimate grounds of AFMA override those of the Data Subjects.

15. Right to data portability

AFMA guarantees Data Subjects the right to portability of personal data concerning them, provided such data have been provided directly by the Client or by the Contact, as applicable, and the processing is based on the consent of the Data Subjects or on a contract to which they are party. In this case, the personal data will be communicated by AFMA in a structured, commonly used and machine-readable format.

16. Right to object

Data Subjects have the right to object, on grounds relating to their particular situation, at any time, to processing of personal data concerning them, namely that which is based on the legitimate interests pursued by AFMA.

Where Data Subjects exercise the right to object, AFMA will no longer process the personal data, unless there are compelling legitimate grounds for such processing which override the interests, rights and freedoms of the Data Subjects, or for the purposes of the establishment, exercise or defence of legal claims.

17. Right to withdraw consent

Where consent is required by law for the processing of personal data, Data Subjects have the right to withdraw their consent at any time.
Withdrawal of consent does not affect the lawfulness of processing by AFMA based on consent previously given, nor subsequent processing of the same data, based on another basis of lawfulness, such as performance of a contract or compliance with a legal obligation to which AFMA is subject.

18. Automated individual decision-making

AFMA does not use automated individual decision-making.

19. Post-mortem right

Data Subjects may, in the applicable legal terms, specify the conditions under which they wish the rights of access, rectification and erasure to be exercised after their death, and may also determine the impossibility of exercising the rights referred to in the previous paragraph.

Specific post-mortem instructions and the exercise of rights by Data Subjects shall be communicated by e-mail to: or by postal mail to the following address: António Frutuoso de Melo e Associados - Sociedade de Advogados, SP RL, Avenida da Liberdade, 38-1º - 1250-145 Lisboa, accompanied by a copy of the identification document duly signed by the Data Subjects.

20. Exercise of rights

Pursuant to the applicable legislation on the subject of personal data protection, the afore-mentioned rights that Data Subjects enjoy are rights of an individual nature that may only be exercised by the interested parties in relation to their own personal data. To comply with this obligation, AFMA will require that interested parties prove their identity.

If the Data Subjects wish to exercise any of their rights, they should contact AFMA, sending their request in writing to the following address: António Frutuoso de Melo e Associados, SP, SL, Avenida da Liberdade, n.º 38 – 1.º andar, 1250-145 Lisboa or by e-mail: The request must be presented by the person themself, accompanied by a copy of a valid identification document.

21. Optional or mandatory nature of replies

Data Subjects are informed, in each of the means of collection, of the mandatory or optional nature of the replies by the insertion of an asterisk.

Where the replies are mandatory, AFMA will inform Data Subjects of the consequences of not supplying such data.

22. Right of use

The Data Subjects grant AFMA a right to use and to process their personal data for the purposes indicated above.

However, data which are produced by AFMA from the original personal data, as a result of processing and analysis performed by AFMA, are the exclusive property of AFMA (analysis, statistics, etc.).

23. Processing

AFMA may engage any Processor of its choice within the scope of processing of Data Subjects’ personal data.

If it engages a Processor, AFMA will guarantee that the Processor complies with its obligations arising from the GDPR and other applicable legislation.

AFMA agrees to enter into a written contract with its Processors, pursuant to which the latter agree to comply with the same obligations as AFMA. Moreover, AFMA reserves the right to carry out audits and/or inspections, directly or through a third party mandated for such purpose, at the Processors, with a view to verifying compliance with the obligations to which the latter are subject.

24. Security and Confidentiality

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of the Data Subjects, AFMA has defined and implemented appropriate technical and organisational measures to ensure an appropriate level of security, to safeguard namely against accidental or unlawful destruction, loss and alteration of, and unauthorised disclosure of or access to, personal data transmitted, stored or otherwise processed.

The measures adopted by AFMA include, namely:

  • The use of security measures for physical access to the premises;
  • Security for access to computers and mobile phones (regular changing of the access code);
  • Login and password for all professional applications;
  • Management of access to the IT server (access limited according to the areas of activity - financial and accounting department);
  • Access by VPN for remote connections;
  • Complex password for access to the office WIFI network, which is regularly changed.

For this purpose, AFMA uses an external service provider, and may also request any third party of its choice, as often as it sees fit, to conduct vulnerability audits and intrusion tests.

Within the scope of outsourcing of a part or all of the personal data processing, AFMA agrees to contractually require the Processors to ensure the security of the personal data by implementing technical measures to protect such data and having adequate human resources.

AFMA also respects the confidentiality of the personal data it collects within the scope of its business. As such, it does not sell, distribute or otherwise make available by commercial means the Data Subjects’ information to any third party. AFMA assumes the commitment to keep the Data Subjects’ information confidential in line with this Policy and the applicable legislation.

25. Personal data breach

In the event of a personal data breach, AFMA agrees to notify the National Data Protection Authority (CNPD) of that fact, where feasible, up to 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of the Data Subjects.

Where the personal data breach is likely to result in a high risk to the rights and freedoms of the Data Subjects, AFMA agrees to notify the Data Subjects of the personal data breach, including a description of the nature of the personal data breach and providing the following information:

  • The name and contact details of the contact point where more information can be obtained;
  • A description of the likely consequences of the personal data breach; and
  • A description of the measures taken or proposed by AFMA to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

26. “Personal data” contact point

AFMA has designated an internal contact point for matters related to personal data processing.

The “personal data” contact point is:

Rita Nina

António Frutuoso de Melo e Associados - Sociedade de Advogados, SP RL

Avenida da Liberdade, 38-1º, 1250-145 Lisboa, Portugal

Tel (351)213218600


27. Recording of processing activities

AFMA has no legal obligation to keep records of the processing activities for which it is responsible.

28. Right to lodge a complaint with the CNPD

Data Subjects are informed that they have the right to lodge a complaint with the CNPD if they consider that the processing of personal data concerning them is not in line with the legislation in force on personal data protection, making such complaint to the following address:

Comissão Nacional de Protecção de Dados - CNPD

Av. D. Carlos I, 134 - 1.º 1200-651 Lisboa

Tel: +351 213928400

Fax: +351 213976832


29. Amendments

AFMA may amend or add to this Policy at any time in the event of changes to the legislation, case law developments, decisions and recommendations of the CNPD or customs.

Any new version of this Policy will be brought to the knowledge of Data Subjects by any means of communication chosen by AFMA, including electronic means (sent by e-mail or made available on AFMA’s website).

30. Further information

For any further information, you may contact our “personal data” contact point at the following e-mail address:

For general information on data protection you may consult the CNPD website:

Updated on 30 September 2020