Privacy Policy

SISQUAL® Workforce Management Lda. (“SISQUAL”) provides a platform through Software as a Service (SaaS), On-Premises Application and Mobile Application models. At SISQUAL®, the privacy and security of our customers, users and visitors are very important. SISQUAL® is fully committed to protecting the data you share with us. This privacy policy explains how SISQUAL® processes information that can be used directly or indirectly to identify an individual (“Personal Data”) collected through use of its website and platform in accordance with the applicable regulation and standards identified in this Privacy Policy (such as the GDPR, for example).

For the purposes of this policy, SISQUAL® defines the term “Customer” as an entity with which SISQUAL® has an established relationship, the term “User” as any individual who responds to marketing campaigns by SISQUAL® or who is included as a contact in a customer’s account, and the term “Visitor” as an individual that visits our front-end website (for example www.sisqualwfm.com).

Any information stored on SISQUAL®’s platforms is treated as restricted. All information is stored securely and is accessed by authorized personnel only. SISQUAL® implements and maintains appropriate technical, security and organizational measures to protect Personal Data against unauthorized or unlawful processing and use, and against accidental loss, destruction, damage, theft or disclosure.

Information we collect on our corporate website

In general, you may visit SISQUAL®’s website, www.sisqualwfm.com, without providing us with any directly identifiable personal data. However, we may collect indirectly identifiable (pseudonymous) information from you, which includes your IP address used to track unique visits to our site for analytic purposes. In order to grant you access to protected and secure resources we may collect your full name, postal address and email address, to fulfil your requests for information including white papers, or to let you participate in feedback surveys. In other instances, we may ask you to provide us with information such as your product interests so that we can send you only the information that is useful to you, including articles, newsletters, product and service alerts, new product and service announcements and event invitations. When we collect your personal data, we will inform you as to why we are asking for information and how the information will be used. However, please note that providing directly identifiable personal data is optional. When you receive your confirmation email or when you receive any email from SISQUAL®, you will be given instructions on how to remove yourself from the list.

SISQUAL®’s accountability for personal data that it receives under the GDPR and subsequently transfers internally or to a third party outside the European Economic Area is described in further detail below. In particular, SISQUAL® remains responsible and liable under the GDPR if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the GDPR, unless SISQUAL® proves that it is not responsible for the event giving rise to the damage.

Information we collect in our mobile applications

We collect, receive and store your Personal Data to enable you to have access to the service and to help you enjoy the different functions of the software. If you do not accept the Privacy Policy, we ask you not to use the service or download the application.

We collect the following Personal Data when you use our mobile applications:

The information we collect from you is all related to the services provided. This includes the time and duration of any specific service and the location from which the services were accessed.

You can customize your account with additional information such as a photo, phone numbers or other personal information that will be stored on the employer’s database server and can be integrated into the employer’s internal systems.

We collect your username, employee number and password to validate your identity on your employer’s authentication server.

The user is obligated:

  1. Not to substitute and/or impersonate any person; SISQUAL® reserves the right to block your account on the assumption that someone is substituting for another person, and SISQUAL® is exempt from any kind of responsibility;
  2. To keep the password secure and confidential;
  3. Not to share, reveal or transfer your password to another person.

It is important to collect information related to the device you are using, device identifiers, IMEI, hardware type, and other software details such as the operating system version.

This is a free, fully downloadable application, so there are no hidden fees for it.

Saving the location is part of the service when you register a new clocking record. This data is only stored with your permission and is only stored on your employer’s database server.

You need to enable the location so that the application can capture it (GPS coordinate and/or Wi-Fi SSID) and send it to your employer’s server to allow you to clock-in or clock-out.

It is important that you agree to the above points and you are solely responsible for authenticating the data that has been provided by you.

We do not sell or rent your Personal Data to third parties for marketing purposes.

The app is available from app distributors. The processing of Personal Data, the use of cookies or other devices are governed by the privacy policies and conditions of use of the distributors themselves: Apple Store, Google Play, Huawei AppGallery.

Reasons to use data

SISQUAL® as a Data Processor

When providing our software and when providing SISQUAL® services to our corporate customers, SISQUAL® acts as a Data Processor, as defined by the GDPR. We need to collect and use Personal Data to enter into a contract with a customer or to fulfill our contractual obligations. We may also use such data in our legitimate business interests in order to enable us to administer our platforms, provide access to interfaces and features and to enforce our current usage policies and terms of service.

To the extent that our customers need to collect and share and permit us to process their employees’ Personal Data in order to provide our services, we will rely on our customers to provide the necessary privacy notices and obtain the necessary consents.

Log Data

We want to inform you that whenever you use our Service, in case of an app error, we collect data and information (through third-party products) from your phone, called Log Data. This Log Data may include information such as the device’s Internet Protocol (IP) address, device name, operating system version, the application configuration when using our Service, the time and date you use the Service, and other statistics.

Security and Retention

SISQUAL® takes commercially reasonable steps to ensure the ongoing confidentiality, integrity, availability and resiliency of our systems and services that process Personal Data.

Namely, we have implemented comprehensive anti-virus, anti-spam, and spyware protection for the servers, along with a complete intrusion detection system, robust firewalls and an alerting system.

Access and your Right to Privacy

If you are our client or potential client, you have increased rights under the GDPR, and you may access, correct or request the deletion of your Personal Data.

SISQUAL® respects the Rights of Data Subjects referred to in Articles 13 to 22 of the GDPR related to:

Right to be informed (about processing activities and applicable rights)

Right to access data (or obtain data subject to processing)

Right to rectify information (when outdated or incorrect)

Right to erasure (and to be publicly forgotten)

Right to object to processing (especially consent-based activities)

Right to restrict processing (when processing is considered unlawful)

Right to data portability (between proprietary systems in a common format)

Rights related to automated decision making (including decisions based on profiling activities)

SISQUAL® has implemented operational processes to fulfill all requests related to Data Subject Rights within 30 days of receipt; however, we may need to verify certain fields of Personal Data to ensure that we act on the correct data.

If your business contact details change, or if you wish to modify or remove your details or exercise any other rights, please contact quality@sisqual.com.

In addition, SISQUAL® obligates itself to disclose personal information in response to lawful requests by public authorities, including to meet national security requirements or law enforcement.

We value your trust in giving us personal information, so we strive to use all commercially acceptable means to protect it. But please remember that no method of transmission over the Internet or method of electronic storage is 100% secure and reliable, and we cannot guarantee your security at all.

International Data Transfers

All processing of Personal Data is carried out in accordance with privacy rights and regulations, following the GDPR and local legislation.

You have the right to know whether we maintain information about you, and if we do, you have the right to access that information and to demand that it be deleted, limited or corrected if it is inaccurate. This right can be exercised by contacting us at dpo@sisqual.com. We recommend that you contact us if you have any privacy-related complaints.

In compliance with the GDPR, SISQUAL® is committed to resolving complaints about our collection or use of your personal information.

Notification of Changes

SISQUAL® reserves the right to update or change this Privacy Policy from time to time.

Changes will be posted on this page. If we make a significant change in our privacy practices, we will provide notice on the website or by other means as appropriate.

Contact

If you have any questions, please contact quality@sisqual.com.

EPD/DPO Information

To contact SISQUAL®’s Data Protection Officer, use the email dpo@sisqual.com.

Cookie Information

SISQUAL uses cookies to help us understand more about our website visitor activity. For example, we can track data about visits to the website, including numbers of visitors and visits, geo-location data, length of time spent on the site, pages clicked on or where visitors have come from.

If you do not want us to track this information, you can turn off cookies within your browser by following the instructions here: https://cookies.insites.com/disable-cookies/.

Cookies are files with a small amount of data that are commonly used as anonymous unique identifiers. These are sent to your browser from the websites that you visit and are stored on your device’s internal memory.

We, our service providers, and/or non-affiliated third parties, may use “cookies” or similar technologies such as “pixel tags” on our digital properties. We and our partners use cookies or similar technologies in order to analyse trends, administer the websites, and track users’ movements around our digital properties. You can control the use of cookies at the individual browser level, but if you choose to disable cookies, it may limit your use of certain features or functions on our website or service.

We use these technologies with our website visitors in a de-identified fashion. We may also use third-party analytics and marketing integration services such as those by Google, to help us track and optimize our website performance and customer-facing marketing. These third parties may also use both cookies and pixels to help us better manage content on our site by informing us what content is effective. These third parties are prohibited from using collected data for any purpose other than as a service provider to us.

Cloud Privacy Policy

SISQUAL is truly committed to complying with applicable data protection legislation and regulation (including the GDPR), and the contractual terms agreed with its cloud service customers.
Our cloud service is provided on a Software as a Service (SaaS) model, where the customer only accesses and uses our WFM software in the cloud. This Policy only applies to service provision with the SaaS model. Exceptions to this service model and any specific resulting liabilities will be detailed in the contract.
We have appointed a Data Protection Officer (DPO) who acts as a point of contact for our customers with regard to the protection of personal data, and who can be contacted via this email address: dpo@sisqual.com.

Cooperation with regard to the rights of data subjects
Our WFM software (as of version 7) includes functionalities that enable our clients to comply with their obligation to facilitate the exercise of data subjects’ rights to access, correct and/or delete personal data concerning them. Please refer to the document “RGPD SISQUAL WFM” for further details and also for information on any situations in which the client relies on us to facilitate the exercise of data subject rights.

Purpose of processing
We do not process any personal data stored by you or your end users in the WFM database for any purpose not included in the cloud service agreement, unless you instruct us to do so. We also do not use such personal data for marketing and advertising purposes.

Notification of disclosure
We will notify the service customer, in accordance with any procedure and winding period agreed in contract, of any legally binding request for disclosure of personal data by a law enforcement authority, unless such notification is otherwise prohibited (for example, to preserve the confidentiality of a law enforcement investigation).
We will consult with the service customer, where legally permissible, before any disclosure of personal data and will accept any contractually agreed requests for the disclosure of personal data that are authorised by the service customer.
We will make a record of all exposures of personal data to third parties, such as those arising from legal investigations or external audits, including what data was disclosed, to whom, at what time, and the source of the authority for the purpose of the disclosure.

Notification of data breaches
We will promptly notify you in the event of unauthorised access to personal data or unauthorised access to processing equipment or facilities resulting in the loss, disclosure or alteration of personal data, and will provide the information necessary for you to comply with your obligation to notify the relevant authorities. This notification obligation does not extend to a data breach caused by you or a data subject or within the system components for which they are responsible.
In the event that a breach involving personal data has occurred, we will keep a detailed record of the incident, including a description of the data compromised, if known, and any notifications made in accordance with applicable laws and regulations.

Return, transfer and deletion
In the event of termination of the contract, after receiving and complying with a request to return personal data to you, transfer it to another cloud provider or to another personal data controller (for example as a result of a merger), we will ensure secure deletion of all data (by us and any of our authorised sub-contractors) from wherever it is stored, including for backup and business continuity purposes, as soon as it is no longer required by the specific customer.

Information on sub-contractors
The use of subcontractors participating in personal data processing is indicated in the contract with the client. We will inform you in good time of any intended changes in this regard so that you have the ability to object to such changes or to terminate the contract. We will inform you of the names of our relevant sub-contractors, the countries in which they may process data and the means by which those sub-contractors are obliged to meet or exceed our own obligations.
We will also inform our customers of the countries where personal data may be stored arising from the use of sub-processors. Any intended changes in this respect will be communicated to the customer in good time so that the customer has the ability to object to such changes or to terminate the contract.

Technical and organisational measures
SISQUAL has implemented and continuously improves technical and organisational measures in line with the guidelines and requirements of international standards ISO/IEC 27001, 27002, 27701 and 27018 to ensure that contracted security requirements are met and that personal data is not processed for any purpose regardless of customer instructions, as well as to ensure compliance with relevant security and personal data protection obligations imposed by applicable law and regulations such as the GDPR. We are finalising the certification process according to ISO/IEC 27701, and since 2020 we have been certified according to the international standards ISO/IEC 27001, 27018, 20000-1 and ISO 9001.

Awareness, education and training
All our staff are informed of the possible negative consequences on data subjects, on our customers, on SISQUAL and its employees, of violating privacy or security rules and procedures, especially those on the processing of personal data and related assets.

User access management
SISQUAL WFM in the cloud is provided on a Software as a Service (SaaS) model, so the customer is responsible for all aspects of access management for users under their control, providing administrative rights to manage or terminate access.
We recommend that all our customers implement procedures for user registration and deletion to avoid situations where user access control is compromised, such as the corruption or compromise of passwords or other user registration data (e.g. as a result of inadvertent disclosure), in line with the guidelines and requirements of the international standards ISO/IEC 27001 and 27002.

Use of encryption
To enhance the protection of personal data we use HTTPS encryption.

Backups
We guarantee backup and restoration of all data residing in the cloud provider.

Audits
We conduct independent internal audits and are audited by an accredited certification body every year. These audits verify that information security and privacy are implemented and operated in accordance with our policies and procedures.

PUBLIC INFORMATION – Cloud Privacy Policy – updated on 02/07/2021