PRIVACY POLICY

1. INTRODUCTION AND IDENTIFICATION OF THE DATA CONTROLLER

1.1. PURPOSE OF THE POLICY

This Privacy Policy applies exclusively to the website Melanda.law, operated by Pedro Melanda, lawyer, and aims to provide users of this website with clear and transparent information.
This Policy describes the purposes and legal grounds for processing, the categories of personal data processed, and the rights of data subjects, as well as the means available to exercise those rights, in accordance with Regulation (EU) 2016/679 (GDPR), Law n.º 58/2019 of 8 August, and other applicable data protection legislation.
This website has an exclusively informational and institutional purpose, aimed at providing content related to the legal services offered by this law office, as well as allowing users to get in contact with it.

This Policy does not apply to third-party websites or services to which this website may contain links (such as Google Maps or other external services). Users are advised to consult the respective privacy policies.

1.2. DATA CONTROLLER

The controller responsible for the processing of personal data is:

• Name: Pedro Melanda
• Tax Identification Number: 217258263
• Contact email: geral@melanda.law
• Address: Rua Figueira da Foz, nº 5, 5º Esq., Coimbra. Apartado 246.
                  3001-903 Coimbra, Portugal
• Telephone: (+351) 239 837 705 (call to the national landline network)

Data Protection Officer (DPO):

No Data Protection Officer has been appointed, as there is no legal obligation to do so. Any matter related to data protection may be addressed directly to the controller using the contact details provided above.

2. PRINCIPLES AND LEGAL GROUNDS FOR DATA PROCESSING

2.1. PROCESSING PRINCIPLES

The processing of personal data carried out through this website is conducted in accordance with the principles laid down in Article 5 of Regulation (EU) 2016/679 (GDPR) and Law No. 58/2019 of 8 August, ensuring that personal data are:

• Processed lawfully, fairly and transparently in relation to the data subject;

• Collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes;

• Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

• Accurate and kept up to date where necessary, with all reasonable steps being taken to ensure that inaccurate data are erased or rectified without delay;

• Kept only for the period strictly necessary for the purposes for which they are processed;

• Processed in a manner that ensures appropriate security, integrity and confidentiality, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

The controller ensures, and is able to demonstrate, compliance with these principles, in accordance with the accountability principle established under the GDPR.

2.2. LEGAL GROUNDS FOR PROCESSING (LAWFUL BASIS)

The processing of personal data carried out through the Melanda.law website is always based on one of the lawful grounds provided for in Article 6 of Regulation (EU) 2016/679 (GDPR), ensuring that no processing operation is undertaken without an appropriate legal basis.

The main applicable legal bases, depending on the nature and purpose of the processing, are the following:

• Consent of the data subject: when the user voluntarily provides their data, for example, by completing a contact form or subscribing to communications;

• Performance of pre-contractual or contractual steps: when processing is necessary to respond to contact requests, provide legal services or fulfil obligations arising from a contractual relationship;

• Compliance with a legal or professional obligation: when processing is required by legal or regulatory provisions, namely those imposed by the Portuguese Bar Association (Ordem dos Advogados) or applicable tax legislation;

• Legitimate interests of the controller: when processing is necessary for the legitimate purposes of the law firm, such as website security, fraud prevention or statistical analysis of website performance, provided that such interests do not override the rights and freedoms of the data subject.

The specific legal basis applicable to each category of data and each specific purpose is detailed in the following section.

3. CATEGORIES OF DATA, PURPOSES, LAWFUL BASIS AND RETENTION

Access to and browsing on the Melanda.law website does not require the provision of personal data.

However, personal data may be collected and processed in specific circumstances, as indicated below:

3.1. Contact

Category of Personal Data:

Contact Data (name, email, telephone number and any other information voluntarily provided).

Purpose of Processing:

•         Management of contact requests, enquiries and/or user submissions.

•         Provision of legal services (where applicable) and client follow-up.

•         Compliance with legal and professional obligations, including those imposed by the Portuguese Bar Association (Ordem dos Advogados).

Lawful Basis (Art. 6 GDPR):

•         Pre-contractual steps and consent of the data subject (Art. 6, 1., (a) and (b) GDPR).

•         Performance of a contract or pre-contractual steps (Art. 6, 1., (b) GDPR).

•         Compliance with a legal obligation (Art. 6, 1., (c) GDPR).

Retention Period:

For the period strictly necessary to respond to the request and, at most, 12 months after the last interaction, unless it results in a professional relationship or a legal obligation, in accordance with legal deadlines and the retention rules imposed by the Portuguese Bar Association.

3.2. Browsing Data and Cookies.

Category of Personal Data:

Browsing Data and Cookies (IP address, device type, browser, pages visited, date and time of access).

Purpose of Processing:

•         Administration, maintenance and improvement of the website, as well as security management and fraud prevention.

•         Management of analytical and statistical cookies (where applicable).

Lawful Basis (Art. 6 GDPR):

•         Legitimate interest of the controller (Art. 6, 1., (f) GDPR).

•         Consent of the data subject and legitimate interest of the controller (Art. 6, 1.,(a) and (f) GDPR).

Retention Period:

According to the periods defined in the Cookie Policy (available in the respective section of this website) and in system records (logs).

Sensitive data (special categories of personal data, as defined in Article 9 GDPR) are neither requested nor processed, except where the user voluntarily provides such data in the context of professional contact. In such cases, the data will be processed in strict confidence and in accordance with the lawyer’s professional duty of secrecy.

All processing is carried out in accordance with the principles of lawfulness, fairness and transparency, and is limited to the specific purposes indicated above.

Retention periods may be adjusted in accordance with specific legal obligations or the existence of a professional relationship with the data subject, always respecting the applicable legal deadlines and the retention rules imposed by the Portuguese Bar Association.

4. DISCLOSURE OF DATA TO THIRD PARTIES

Personal data collected through the Melanda.law website is not shared with third parties, except in the situations described below and always in accordance with the principle of data minimisation, the lawyer’s professional duty of confidentiality, and the applicable legal and ethical rules.

4.1. PROCESSORS (ART. 28 GDPR)
Certain support services for this website are subcontracted, meaning that specific data may be processed by entities providing services to the controller, namely:
• Web hosting services;
• Technical maintenance providers;
• Email service providers or communication platforms;
• Technological tools strictly necessary for the operation of the website.

As all these entities act as processors, they are bound by a data processing agreement ensuring:

• data confidentiality;
• compliance with appropriate technical and organisational measures;
• limitation of the processing to the controller’s instructions.

4.2. OTHER RECIPIENTS

Personal data may also be transmitted to the following entities, strictly when legally required or necessary:

• Courts and judicial authorities;

• The Bar Association (ethical obligations);

• Tax or regulatory authorities;

• Other public or private entities, where required for compliance with legal obligations or for the establishment, exercise or defence of legal claims by the controller or the data subject.

In all cases, the transmission will be limited to what is strictly necessary and carried out in accordance with professional confidentiality obligations.

5. INTERNATIONAL DATA TRANSFERS

5.1. TRANSFER SITUATION

As a general rule, personal data is not transferred outside the European Union (EU) or the European Economic Area (EEA), since the servers used are located within the EU territory.

However, should any technical provider used in the future (for example, an email server or hosting service) be located outside the EU/EEA, an international transfer of data may occur.

5.2. SAFEGUARDING MECHANISMS (ARTICLES 44–49 GDPR)

If an international transfer of data outside the European Union (EU) becomes necessary, it will only take place where one of the following protection mechanisms is ensured:

• An Adequacy Decision issued by the European Commission, guaranteeing a level of protection equivalent to that of the EU;

• Standard Contractual Clauses (SCCs) approved by the European Commission;

• Binding Corporate Rules (BCRs), where applicable;

• Other appropriate safeguards provided for in the GDPR.

If none of these safeguards can be applied, the transfer will only occur on the basis of the data subject’s explicit consent or under one of the derogations provided for in Article 49 of the GDPR.

6. RIGHTS OF THE DATA SUBJECT

Data subjects have the right to exercise the following rights at any time, under the terms set out in Chapter III of the GDPR, by contacting the controller:

6.1. RIGHT OF ACCESS (ART. 15)

The data subject has the right to obtain confirmation as to whether or not their personal data are being processed and, where that is the case, to access such data and obtain additional information relating to the processing.

6.2. RIGHT TO RECTIFICATION (ART. 16)

The data subject may request the rectification or updating of inaccurate data, or that incomplete data be completed.

6.3. RIGHT TO ERASURE ("RIGHT TO BE FORGOTTEN") (ART. 17)

The data subject may request the erasure of their data when:

• the data are no longer necessary for the purpose for which they were collected;

• consent is withdrawn (where applicable);

• they object to the processing;

• the data have been unlawfully processed;

• other applicable legal grounds in this context.

This right may be restricted where processing is necessary for compliance with legal obligations or for the establishment, exercise or defence of legal claims.

6.4. RIGHT TO RESTRICTION OF PROCESSING (ART. 18)

The data subject may request restriction of processing in several situations provided for in the Regulation, such as where the accuracy of the data is contested and must be verified by the controller, or where the controller no longer needs the data for the stated purpose but they are required by the data subject for the establishment, exercise or defence of legal claims.

6.5. RIGHT TO DATA PORTABILITY (ART. 20)

The data subject has the right to receive the personal data concerning them, in a structured, commonly used and machine-readable format, and to transmit those data to another controller, where processing is based on consent or on a contract and is carried out by automated means.

6.6. RIGHT TO OBJECT (ART. 21)

The data subject may object, at any time, to the processing of their personal data when the processing is based on legitimate interests or is carried out for direct marketing purposes.

6.7. RIGHT TO WITHDRAW CONSENT

Where processing is based on consent, the data subject may withdraw that consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

6.8. METHODS FOR EXERCISING RIGHTS

To exercise any of these rights, the data subject may contact the controller using the following means:

• Email: geral@melanda.law

• Postal Address: Rua Figueira da Foz, nº 5, 5º Esq., Apartado 246, 3001-903 Coimbra, Portugal.

The request will be handled within the legally applicable timeframe.

6.9. RIGHT TO LODGE A COMPLAINT

The data subject also has the right to lodge a complaint directly with the Comissão Nacional de Proteção de Dados (CNPD), the competent supervisory authority in Portugal.

7. DATA SECURITY

The controller adopts appropriate technical and organisational measures to ensure the protection of the personal data processed, in accordance with Article 32 of the GDPR. These measures aim to ensure a level of security appropriate to the risk and include, in particular:

• Encryption and secure communications (SSL/TLS): The website uses encryption protocols that ensure the security of data transmission between the user and the server.

• Access control: Access to personal data is limited to authorised persons and subject to duties of confidentiality and professional secrecy.

• Logical security measures: Use of firewalls, intrusion detection systems and other tools that prevent unauthorised access, misuse or improper disclosure.

• Backups: Regular backups are performed to ensure data recovery in the event of security incidents or accidental loss.

• Continuous monitoring and assessment: Security measures are periodically reviewed to ensure their effectiveness, taking into account technological developments and the risks associated with processing.

Despite the measures implemented, the data subject should be aware that no electronic transmission or storage system is entirely fail-safe. Nevertheless, all reasonable efforts are made to minimise risks and ensure the highest possible level of protection for personal data.

8. COOKIE POLICY

The website uses cookies and other tracking technologies to ensure its proper functioning, improve the user experience and carry out statistical analyses.

The use of cookies is governed by the Cookie Policy, available in the corresponding section of the website.

In that Policy, the user may consult detailed information on the types of cookies used, their purposes, retention periods and the mechanisms for managing or disabling them.

9. CHANGES TO THE PRIVACY POLICY

The controller reserves the right to update or amend this Privacy Policy at any time, whenever necessary to ensure its legal compliance or to reflect changes in the way personal data is processed.
The most recent version of the Policy will be permanently available on the website and includes the corresponding update date.

Last update: 03 November 2025.