PRIVACY

Privacy Policy

Last updated: 21 May 2026

This Privacy Policy describes how GRPC — Gutman, Rattes, Pimenta & Cleistenes ("GRPC", "we") collects, uses and protects the personal data of visitors to this website, in compliance with Regulation (EU) 2016/679 — General Data Protection Regulation (GDPR) and the Portuguese implementing law (Law 58/2019).

1. Data Controller

GRPC — Gutman, Rattes, Pimenta & Cleistenes
Av. da Liberdade, Braga, Portugal
Email: grpc@grpclaw.com
Phone: +351 915 611 893

2. Data we collect

2.1 Browsing data (cookies)

We collect technical browsing data through cookies — anonymized IP address, device type, browser language, pages visited, and time on each page. These data are used for aggregate statistics. Full details in our Cookies Policy.

2.2 Contact data (potential)

When you contact GRPC by email, phone or video conference, we collect your name, contact details and the content of the communication. The site currently does not provide a contact form; data collection happens only through these channels.

2.3 Admin session data

The /admin area is restricted to authorized GRPC staff. Authentication uses essential cookies (session and CSRF protection) with a maximum lifetime of 1 hour.

3. Purposes of processing

• Provision of legal services to clients;
• Institutional communication and dissemination of publications (newsletters);
• Aggregate traffic analysis to improve the website;
• Compliance with legal and regulatory obligations (Portuguese Bar Statute, deontological duties, document retention);
• Legal defense in court proceedings.

4. Legal basis (Article 6 GDPR)

• Consent (Art. 6(1)(a)) — for analytics cookies (Google Analytics);
• Contract performance (Art. 6(1)(b)) — client relationships;
• Legal obligation (Art. 6(1)(c)) — bar association and deontological duties;
• Legitimate interest (Art. 6(1)(f)) — site security, anti-fraud, and essential cookies.

5. Sharing with third parties

Your data may be shared with:

• Google Ireland Limited — Google Analytics 4, for statistical analysis. Transfer to the US under Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework.
• Hostinger International Ltd. — hosting provider (server located in the European Union).
• Judicial or administrative authorities, when legally required.

GRPC does not sell, rent, or transfer personal data for third-party direct marketing purposes.

6. Retention period

• Analytics cookies: up to 14 months (default GA4 setting);
• Server logs (nginx): 30 days;
• Client data: for the legally required period (Art. 14 of the Portuguese Bar Statute — 5 years after the end of the mandate);
• Email communications: per internal policy, deleted when they no longer serve a legitimate purpose.

7. Your rights

As a data subject, you may at any time exercise:

• Right of access (Art. 15);
• Right to rectification (Art. 16);
• Right to erasure ("right to be forgotten", Art. 17);
• Right to restriction of processing (Art. 18);
• Right to data portability (Art. 20);
• Right to object to processing (Art. 21);
• Right to withdraw consent at any time, without affecting the lawfulness of previous processing.

To exercise any of these rights, contact us: grpc@grpclaw.com. We will respond within a maximum of 30 days.

8. Data Protection Officer

Given the current size of the firm (fewer than 250 staff) and the nature of data processed, appointing a Data Protection Officer (DPO) is not mandatory under Article 37 GDPR. Data protection matters should be directed to firm management via grpc@grpclaw.com.

9. Complaint to supervisory authority

If you believe the processing of your data infringes GDPR, you may lodge a complaint with the CNPD — Portuguese Data Protection Authority:

Av. D. Carlos I, 134 — 1st floor · 1200-651 Lisbon
Email: geral@cnpd.pt
Website: www.cnpd.pt

10. Changes

GRPC may update this policy to reflect legal or operational changes. The version in force is always the one published at this URL, with the last-updated date shown at the top of the document.