CODE OF CONDUCT

1. Data safety

1.1. MODATEX owns a data safety management system hereinafter referred to as SGSI.

1.2. SGSI establishes, implements, maintains and continuously improves the necessary requirements for the system.

1.3. SGSI preserves the confidentiality, integrity and availability of data through the application of a risk management process and provides confidence to stakeholders that risks are adequately managed.

1.4. It is importante that SGSI is part of and integrated with the organisation's processes and the overall management structure and that data safety is considered in the design of processes, information systems and controls.

1.5. MODATEX’s SGSI is composed of a set of policies that ensure trust and security in information.

1.6. The previous points ensure that the Third Party recognises the need for security and protection of personal data in all exchanges and operations carried out in the development of the business relationship with MODATEX.

1.7. The Third Party commits to respect and enforce the security required by MODATEX, as set out in this document. 

 

2. Access control

2.1. In the course of business needs, MODATEX may authorise access by a Third Party to resources of its clients, trainees, trainers and employees, hereafter referred to as Resource.

2.2. The Third Party can only access the Resource after having been authorised by MODATEX and for as long as necessary to solve the problem in question. Privilege allocation is temporary and never permanent.

2.3. The Third Party cannot store data related to the authentication process (“login”), use Keyloggers or request a password to access the Resource, which must always be introduced by a MODATEX employee.

2.4. The Third Party must keep a log of all users who have access to any Resource, and such a list can be requested by MODATEX.

2.5. MODATEX may revoke the right of access to the Resource without informing the Third Party.

2.6. All access rights that are not explicitly authorised are forbidden.

2.7. Only individuals who need to have access to the information can have access rights.

2.8. MODATEX monitors the service provision of the Third Party and the Third Party must deliver a report of the executed service after completion.

 

3. Transfers

3.1. The transfer of any Resource to the Third Party due to the impossibility of technical support on site shall be safeguarded through security mechanisms such as encryption.

3.2. Cleartext transmission of any Resource is not allowed and is a clear violation of this agreement.

3.3. The Third Party ensures security mechanisms such as access control and restriction while the Resource is in its possession.

3.4. Upon resolution of the problem, the Third Party is obliged to permanently remove the Resource from its systems. 

 

4. Controls

4.1. To ensure the continuity of its business and, indirectly, that of MODATEX, the Third Party must have implemented a business continuity plan indicating the critical services that must be recovered and the respective deadlines.

4.2. To ensure the protection of organisational assets, the Third Party must maintain a set of controls including physical controls, controls to protect against malicious code, physical protection controls, controls to protect the integrity, availability and confidentiality of information, controls to ensure the return or destruction of information assets after use, controls to prevent the copying and distribution of information, and as accurately specified change management process.

 

5. Incidents

5.1. Whenever there is a breach of security that causes, accidentally or unlawfully, the destruction, loss, alteration, unauthorized disclosure of or access to Personal Data transmitted, stored or subject to any other type of processing and/or the confidentiality integrity and availability of information of a Resource, the Third Party must notify MODATEX in writing within 72 hours, describing the nature of the occurrence, the categories of data and data subjects affected, as well as the technical and organizational measures applied before the occurrence and those that will be applied in order to mitigate the breach occurred. 

 

6. Auditing right

6.1. The Third Party expressly acknowledges and accepts that MODATEX acquires the right to:

6.1.1. Access all information stored or processed by the Third Party on its behalf, including the right to audit or monitor the use of business information and the execution of the agreement at the Third Party's premises.

6.1.2. Access financial reports, internal and external audit reports and other reports related to the Third Party's business operations, which may be relevant to MODATEX with regards to data protection.

6.1.3. Monitor and revoke any activity related to MODATEX’s assets.

6.2. MODATEX may appoint a third party to carry out the audit on its behalf, giving at least 8 (eight) days' notice to the Third Party. 

 

7. Training

7.1. The Third Party ensures that its employees are competent and that they have the relevant education, training or experience when service is provided to MODATEX. 

 

8. Trade secret

8.1. Information that cumulatively fulfils the following requirements is considered a trade secret:

8.1.1. secret in the sense that it is not generally known among or easily accessible to people within the circles that normally deal with the type of information in question, either in its entirety or in the precise configuration and connection of its constituent elements.

8.1.2. Have commercial value because it is secret.

8.1.3. having been subject to reasonable diligence under the circumstances to be kept secret by the person lawfully exercising control over it.

8.2. Protected, confidential or trade secret information refers to any information which, independently of the medium used, is contained in:

8.2.1. Unpublished works of any kind, namely graphic, written or audio.

8.2.2. Original compilations and selections of information.

8.2.3. Non-financial documentation.

8.2.4. Know-how, technological data, methods, formulae, demonstrations, samples or studies.

8.2.5. Computer programes or programming blocks in source or object code form.

8.2.6. Commercial documents, namely list of clients.

8.2.7. Reports, Drafts and memos.

8.2.8. Any intelectual assets, as a set of any and all research results, whether or not protected by any industrial property right.

8.2.9. «Personal data», information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

8.2.10. Customer data, namely databases, passwords, e-mail addresses, local and remote accesses to programmes and equipment, authentication processes and files.

8.3. MODATEX classifies all its information in four categories: SECRET, CONFIDENTIAL, INTERNAL USE, and PUBLIC.

8.4. Information classified as Secret or Confidential can only be accessed with the approval of the Business Unit Manager or the Director generating the information.

8.5. The respective Third Party must protect MODATEX’s information, using the same degree of care that is used to prevent the unauthorised dissemination and publication of its own information. 

 

9. Subcontracting

9.1. To subcontract with other entities, the Third Party must communicate in writing to MODATEX, clearly and unequivocally identifying the subcontracted entity and its contact data. The subcontracting may be carried out if MODATEX does not express objection within 8 (eight) working days.

9.2. The subcontractor shall be subject to the same security and data protection controls as the Third Party, which shall be responsible for ensuring that they are applied by the subcontractor. 

 

10. Confidentiality

10.1. Protected or confidential information, hereinafter referred to as "Information", means all information, irrespective of the medium used, contained in the items mentioned in 8.2.1 to 8.2.10, as well as any other information disclosed orally, in writing or by any other means whatsoever, in the said context, between the parties.

10.2. Confidential information disclosed orally shall be summarily transposed into written form by the Issuing Party, with reference to the date of its disclosure, and submitted to the Receiving Party within a maximum period of 15 (fifteen) days after the respective disclosure, with the identification referred to in number 1.1.

 

11. Purpose of disclosure and duty of confidentiality

11.1. The Information is disclosed for the sole purpose of providing both parties with a long-lasting business relationship and enabling the provision of technical support services.

11.2. MODATEX and the Supplier or the Third Party promise not to use, disclose or assign in any way the information disclosed by the other party to any other distinct purpose, in Portugal or abroad, unless authorised in writing by the respective Issuing Party.

11.3. The respective Receiving Party shall protect the information disclosed by the Issuing Party using the same degree of care as it usually uses to prevent the unauthorised dissemination and publication of its own information, and in accordance with the existing best practices in Information Security.

11.4. The respective Receiving Party shall adopt all necessary measures to prevent the undue use of the information by any person that has access to it, and shall ensure the appropriate means to prevent the loss of the information, always informing the Issuing Party of the occurrence of incidents of this nature, even though this communication does not exclude its responsibility.

11.5. The respective Receiving Party is obliged to return any copy, excerpt or part of the elements of the Information within 8 (eight) days, by request of the Issuing Party. It is also obliged to return all information released by the Issuing Party at the end of this agreement, at the request of the latter and, simultaneously, to permanently delete the corresponding digital files that it may hold in its information assets.

 

12. Information ownership and integrity

12.1. The Information is the exclusive property of the respective Issuing Party or third parties, natural or legal persons with whom it maintains commercial relations or of any other kind.

12.2. The disclosure of the Information to the respective Receiving Party does not grant it any intellectual property right, legitimacy to request protection over any rights or license over any registration or application for registration of industrial property rights related to that information, under penalty of the application of the provisions of paragraph a) of Article 34, no. 1 of the Portuguese Industrial Property Code.

12.3. Within the scope of this agreement, the respective Issuing Party does not guarantee, directly or indirectly, the protection of the Information with regards to, namely, copyright or industrial property rights.

12.4. The Receiving Party accepts and acknowledges that the present agreement does not limit the Issuing Party's right to modify the respective information without prior notice.

12.5. Such modifications do not imply any liability for the Issuing Party, nor does it force to develop, advertise, deliver, maintain or finance any products or business plans based on that Information.

 

13. Internal Disclosure of Information 

13.1. The respective Receiving Party shall limit the disclosure of Information to the respective employees or collaborators within the scope of what is strictly necessary for the purpose set forth in this agreement, providing them with the appropriate instructions for such purpose and agreeing with them a written confidentiality agreement, being fully responsible before the Issuing Party as to the compliance, by the latter, of the commitments set forth herein, which may, at any time, request from the other party proof of the execution of such agreements.

 

14. Length

14.1. These clauses shall come into force upon the first exchange of information and/or provision of services between both parties, and the receiving party shall be bound by this confidentiality agreement under the exact terms stipulated herein.

14.2. After the end of the collaboration, the parties are obliged to keep confidential and classified information and trade secrets protected after the expiry of the business relationship.

14.3. The aforementioned confidentiality will only cease to be admissible from the moment which the protected information is already in the public domain, without any of the parties having been responsible for this.

14.4. After the end of the collaboration, the Third Party returns all confidential information, personal data processed and equipment used during the provision of the service and disposes of any copies in its possession to MODATEX or to any other entity defined by them.

14.5. The Parties may, by agreement and at any time, revoke or amend, in whole or in part, the provisions of this Agreement, provided that the confidentiality of the Information is not affected.

14.6. Its effects may also terminate upon the execution of any contractual commitment between the Contracting Parties that stipulates the confidentiality of the same information, thus replacing the terms of this agreement, without prejudice to the provisions of the following clause.

14.7. Under no circumstance, however, are the parties bound by this agreement to conclude any legal transactions in the future.

 

15. Liability

15.1. The Receiving Part is liable before the Issuing Party for any damages or losses, including consequential damages and loss of profits resulting from the breach or partial compliance with its confidentiality obligations, without prejudice to any criminal liability it may incur in the event of breach of such obligation, under the terms of the applicable Portuguese Law and the payment to the Issuing Party of the fees that may be due as Penalty Clauses that may have been contracted between the parties

 

16. Exceptions to the confidentiality duty

16.1. The following shall not be covered by the duty of confidentiality:

16.1.1. Information whose disclosure has been expressly authorised by the Issuing Party. Such authorization shall be requested to the Issuing Party and granted in writing within eight (8) business days, after which, in the absence of a reply, the authorization shall be deemed to have been rejected;

16.1.2. Information that has been published, made public or otherwise cannot be ignored as being in the public domain up to the moment of disclosure;

16.1.3. Information made public after disclosure or belonging to the public domain for a reason not attributable to the Receiving Party, by deceit or negligence;

16.1.4. Information that the Receiving Party can prove, by written evidence, to be in its possession prior to its receipt by the Issuing Party;

16.1.5. Information received by the Receiving Party from third parties with no confidentiality duty, as long as these parties are entitled to provide such information and that it has not been obtained by them directly or indirectly from the Issuing Party under condition of confidentiality;

16.1.6. Information that the Receiving Party is required to disclose by law or court order, provided that the Receiving Party promptly notifies the Issuing Party and reasonably cooperates with efforts undertaken by the Issuing Party to contest or limit the scope of such disclosure;

16.1.7. Information that is independently created by the Receiving Party.

16.2. The burden of proof for all exceptions to the confidentiality obligation lies with the respective Receiving Party.

16.3. Confidential information should not be considered as part of the public domain merely because it is known to some people who may have an interest, and the combination of part of that information should not be considered as public domain simply due to the fact that each part of that combination is considered to be available separately.

 

17. Contractual Terms

17.1. The Subcontractor promises to strictly and punctually comply with Article 28 of the General Data Protection Regulation, (GDPR), approved by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

17.2. The Subcontractor promises to strictly and punctually comply with the necessary contractual documents arising from compliance with the previous clause, namely, but not exclusively, the document "Contractual Clauses - Treatment of Personal Data – Subcontractor-Supplier" if the nature of the services provided requires to be signed.

 

18. Other specific obligations

18.1. The Supplier or Partner, Third Party or Subcontractor promises to:

18.1.1. Comply with all laws and applicable regulations

18.1.2. Accept that all information provided and accessed is confidential, during and after termination of the contractual relationship with MODATEX, and may not be used for any purpose other than that for which it was provided.

18.1.3. Abstain from any behaviour that may be regarded as corruption or bribery, including payments or any other form of conferring benefits to any official of a public or private entity so as to influence decision-making in their favour.

18.1.4. Promote equal opportunities for, and the treatment of their employees regardless of their ethnicity, race, social status, background, disability, sexual orientation, political or religious beliefs, gender;

18.1.5. Respect personal dignity, privacy and each person’s rights;

18.1.6. Not employ anyone against their own will;

18.1.7. Not tolerate any unacceptable treatment of workers, such as sexual harassment or discrimination;

18.1.8. Prohibit behaviour, including gestures, language or physical contact, which is considered sexual, coercive, threatening, abusive or exploitative;

18.1.9. Ensure the payment of the applicable national minimum wage;

18.1.10. Comply with the maximum number of working hours foreseen in the applicable laws;

18.1.11. Recognise, to the extent legally required, the right of workers to free association and neither favour nor discriminate against members of workers' organisations or trade unions.

18.1.12. Not employ workers below the legal minimum age.

18.1.13. Comply with health and safety standards at work as required by law;

18.1.14. Minimise risks and take possible precautions against accidents and occupational hazards;

18.1.15. Implement or use a health and safety management system.

18.1.16. Act in accordance with the legal standards with regards to environmental protection.

18.1.17. Minimise environmental pollution and make continuous improvements in environmental protection, whenever required by applicable law.

18.1.18. Implement or use a reasonable environmental management system.

18.1.19. Promote the principles set out in this Code of Conduct among its suppliers.

18.1.20. Comply with the principles of non-discrimination regarding the selection and treatment of suppliers.

18.1.21. Ensure that the Personal Data with which it may come into contact in the context of the provision of services is lawfully, fairly and transparently processed in relation to the Data Subject and that it is collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes, and always in strict compliance with the GDPR – General Data Protection Regulation.

 

19. Liability

19.1. The Supplier or Partner, Third Party or Subcontractor is liable to MODATEX for any damage or loss, including consequential damage and loss of profit resulting from the non-fulfilment or partial fulfilment of its obligations of confidentiality, protection of personal data, performance of the services, non-performed, untimely or incorrect transactions and other contracted activities, without prejudice to the possible criminal liability it incurs in the event of breach of this obligation under the terms of the applicable Portuguese Legislation.