The “Ocean Terrace” development is a real estate project owned by PLACE2LIVE – EMPREENDIMENTOS IMOBILIÁRIOS – SIC IMOBILIÁRIA ESPECIAL FECHADA, S.A. (“PLACE2LIVE”), a real estate investment undertaking incorporated in corporate form, formally authorised and supervised by the Portuguese Securities Market Commission (CMVM), with commencement of activity on 19 January 2022.
The management and representation of PLACE2LIVE are carried out by its management company, Blue Marlin Asset Management – SCR, S.A., with registered office at Praça do Liége 189, 4150-455 Porto, which acts as the legal representative for all legal purposes. Accordingly, this Personal Data Protection Policy and Procedures apply to the Ocean Terrace development.
The Board of Directors, senior management and all employees of Blue Marlin Asset Management – Sociedade de Capital de Risco, S.A., hereinafter referred to as “Blue Marlin” or the “Company”, are committed to complying with the applicable personal data protection legislation in force in Portugal.
In pursuit of these objectives, Blue Marlin has developed, documented, implemented, maintains and continuously improves its Personal Data Protection Policy and Procedures (hereinafter referred to as “PPDP”), of which this Personal Data Protection Policy forms an integral part. The documents comprising Blue Marlin’s PPDP may be consulted at the location referred to in Section 20 of this Policy.
In the course of its activities, Blue Marlin collects and processes personal data.
The scope of the PPDP takes into account Blue Marlin’s organisational structure and the data processing activities carried out and applies to the entire Blue Marlin organisation.
This Personal Data Protection Policy and Procedures, together with the remaining documents that comprise the PPDP, reflects Blue Marlin’s commitment and responsibility to maintain a level of protection for the data collected that complies with applicable legal standards, promoting the involvement of all its employees and collaborators/external workers (temporary workers and service provider personnel) with regard to their motivation and commitment to maintaining the confidentiality of the personal data processed.
a) The purpose of this Personal Data Protection Policy is to maintain a high level of protection (security) of the data collected, in accordance with applicable legal standards, and to promote the involvement and motivation of Management/Directors, employees, service providers, suppliers and clients regarding the need to maintain the confidentiality of the personal data collected.
b) Likewise, this Policy aims to define the rules and procedures for the processing of personal data by employees and third parties who have access to personal data as a result of the performance of their duties.
c) The existence of this Personal Data Protection Policy and Procedures presupposes its regular consultation by employees who carry out activities involving the processing of personal data.
d) It is also intended that employees who process personal data regularly consult the Person Responsible for Personal Data Processing, hereinafter referred to as the “DPO”, in order to ensure compliance with the provisions of this Personal Data Protection Policy.
For the purposes of the PPDP, the following definitions apply:
i. Personal Data: any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, electronic identifiers, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
ii. Processing of Personal Data: any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
iii. Personal Data Protection: a fundamental right protected not only by national legislation but also by European legislation.
iv. Sensitive Personal Data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a person, data concerning health, or data concerning a person’s sex life or sexual orientation.
v. Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for by Union or Member State law.
vi. Data Subject: any identified or identifiable natural person whose personal data are held by Blue Marlin.
vii. Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
viii. Consent: any freely given, specific, informed and explicit indication of the data subject’s wishes by which the data subject, by a statement or a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
ix. Legitimate Purpose: the purposes for which Personal Data may be processed by Blue Marlin.
This Policy applies to all Blue Marlin employees, who must consult it, be familiar with it, comply with and enforce its provisions, and make known to other stakeholders Blue Marlin’s commitment to the protection of personal data.
Any amendments shall be notified to employees through internal communication (via email) and made available online on the website for disclosure to all interested parties.
Blue Marlin shall at all times process personal data in accordance with the legislation in force and in compliance with the highest ethical, deontological and conduct standards, with the permanent objective of regulatory compliance and adequacy.
In other words, Blue Marlin shall comply with this Policy, other internal policies and regulations, as well as applicable legislation, in each instance of data collection and processing.
Blue Marlin shall process Personal Data only where at least one of the following conditions applies:
a) Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
b) The data subject has given free, specific, informed and explicit consent to the processing of their personal data for one or more specific purposes;
c) Processing is necessary to protect the vital interests of the data subject or of another natural person;
d) Processing is necessary for compliance with a legal obligation to which the controller is subject;
e) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child;
f) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Where processing is carried out on the basis of the legitimate interests of the controller or a third party (paragraph e) above), and given the theoretical and interpretative complexity of this concept, prior consultation with Blue Marlin’s Data Protection Officer is recommended, who shall issue an opinion on the request.
Blue Marlin documents the legal bases for the lawfulness of data processing activities in its specific internal register, which is available for internal consultation upon written request to the Data Protection Officer.
Where Blue Marlin processes special categories of personal data (sensitive data), it shall do so rigorously and in accordance with this Policy and applicable legal standards. As a general rule, Blue Marlin does not collect and/or obtain sensitive data.
The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, as well as genetic and biometric data for the purpose of uniquely identifying a person, data concerning health or data concerning a person’s sex life or sexual orientation is prohibited, except for the legally provided exceptions set out in Article 9 of the General Data Protection Regulation (GDPR).
For further information or clarification regarding the processing of special categories of data, the Person Responsible for Data Processing should be consulted.
When processing personal data, Blue Marlin shall ensure that the processing is based on one of the legal grounds referred to in Section 3 above. All employees, suppliers and partners of Blue Marlin who use personal data are individually responsible for complying with applicable legal and regulatory provisions.
Employees are required to ensure the confidentiality of personal data as an integral part of their duties, as provided for in their employment contracts. Employees must also comply with all information and training received and follow all guidelines defined in this Policy.
Failure to comply with the obligations set out in this Policy may result in disciplinary consequences and must be reported to Blue Marlin’s Data Protection Officer.
Personal data processing activities at Blue Marlin are carried out in accordance with the data protection principles set out in the GDPR:
a) Personal Data must be processed lawfully, fairly and transparently. The GDPR introduces the transparency requirement whereby the controller informs data subjects about the data collected from them. Information must be communicated in an intelligible manner, using clear and plain language. Blue Marlin provides information to data subjects through Privacy Notices. The specific information to be provided, the rules for disclosure and the requirements relating to the Privacy Notices used by Blue Marlin are defined in a procedure on the provision of information to data subjects, which forms part of the PPDP;
b) Personal data may only be collected for specified, explicit and lawful purposes and shall not be further processed in a manner incompatible with those purposes;
c) Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed, in accordance with the data minimisation procedure;
d) Personal data must be accurate and kept up to date. Data subjects must notify Blue Marlin of any changes to enable personal records to be updated accordingly. Instructions for updating records are contained in the various Privacy Notices;
e) Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of the processing;
f) Personal data must be processed in a manner that ensures appropriate security and confidentiality;
g) The GDPR introduces the principle of accountability, whereby the Controller is not only responsible for ensuring compliance but must also be able to demonstrate that each processing operation complies with the GDPR. At Blue Marlin, demonstration of compliance is supported by this Policy and the related documents (Section 20).
Data protection must be considered in every new processing activity from its inception and by default. Accordingly, in designing any new processing activity, Blue Marlin commits to applying data protection principles by design and by default (including, where applicable, measures such as data minimisation, adequacy, encryption, pseudonymisation, etc.), in accordance with the procedure on data protection in new projects (“Privacy by Design”).
Blue Marlin understands “consent” as an agreement and/or authorisation whereby the data subject has been fully informed of the intended processing of their data and has agreed thereto, in a sound state of mind and without external pressure.
However, with regard to employee consent, the processing of their personal data does not require consent where:
i) the processing results in a legal or economic benefit for the employee; or
ii) such processing is covered by the performance of a contract.
Consent may be withdrawn at any time, in which case Blue Marlin shall immediately cease processing the data. Withdrawal of consent does not affect the lawfulness of processing carried out prior to such withdrawal. Before giving consent, the data subject is informed of this right, namely through a Privacy Notice.
Any request by a data subject not to have their personal data used for direct marketing purposes shall be respected, and the Data Protection Officer shall be notified of any such request.
Where direct marketing materials are to be sent electronically, it must be ensured that the data subject has previously given consent or that there is a relevant and appropriate relationship between the data subject and Blue Marlin, for example where the data subject is a client or an employee, supporting the existence of a legitimate interest. In any event, the existence of a legitimate interest requires a careful assessment, particularly as to whether the data subject may reasonably expect, at the time and in the context in which the personal data are collected, that such data may be processed for that purpose. Accordingly, direct marketing communications should preferably be overseen by the person responsible within the organisation for personal data protection.
All direct marketing communications must provide the data subject with a simple means of requesting that their data no longer be used for direct marketing purposes (unsubscribe link).
Under the GDPR, new processing activities using new technologies that are likely to result in a high risk to the rights and freedoms of data subjects, given their nature, scope, context and purposes, must be subject to a Data Protection Impact Assessment (DPIA) in accordance with Article 35 of the GDPR. A DPIA is always mandatory where there is systematic evaluation of personal data based on automated processing, AI, large-scale processing of special categories of data, or systematic monitoring of publicly accessible areas on a large scale.
Blue Marlin is aware of the risks associated with its personal data processing activities. For any new high-risk processing activity, Blue Marlin commits to assessing, in advance, the impact on the security and confidentiality of personal data and determining the need to carry out a DPIA and the measures to be adopted where the DPIA outcome is unsatisfactory.
Whether employees or third parties, all individuals whose personal data are processed by Blue Marlin have the right to:
i) Request access to information held about them and to whom it has been disclosed, and request rectification of inaccurate data;
ii) Object to the processing of data based on Blue Marlin’s legitimate interests where such processing may cause harm or risk;
iii) Object to the processing of data for direct marketing purposes;
iv) Request rectification, restriction, erasure, including the right to be forgotten, of inaccurate data;
v) Be informed about automated decision-making mechanisms that significantly affect them and not be subject to such decisions;
vi) Claim compensation for damages suffered as a result of a GDPR violation;
vii) Receive their personal data in a structured, commonly used format and transmit such data to another entity;
viii) Lodge a complaint with Blue Marlin regarding the processing of their personal data or directly with the supervisory authority – the Portuguese Data Protection Authority (CNPD).
Data subjects may exercise their rights as described in the Privacy Notices, and such requests shall be handled by Blue Marlin in accordance with the applicable procedure.
Contact details for the Data Controller:
Blue Marlin has appointed a Data Protection Officer (DPO) as defined in Article 37 of the GDPR. The appointment of a DPO is mandatory for public authorities or bodies and for organisations whose core activities consist of large-scale processing of special categories of data or regular and systematic monitoring of data subjects. Accordingly, Blue Marlin is required to appoint a DPO. The duties and responsibilities of the DPO are described in a separate document forming part of Blue Marlin’s PPDP (Annex I).
Blue Marlin ensures that the DPO does not receive instructions regarding the performance of their tasks and shall not be dismissed or penalised for performing their duties, reporting directly to senior management.
The DPO is bound by confidentiality obligations and may perform other duties, provided that no conflict of interest arises.
Blue Marlin collects personal data only for specific, legitimate and explicitly defined purposes.
Personal data collected must always be adequate, relevant and limited to what is necessary for the purposes for which they are processed.
Blue Marlin has implemented appropriate technical and organisational security measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, and other unlawful forms of processing.
Manual records containing personal data must not be stored where they may be accessed by unauthorised personnel and must not be removed from Blue Marlin’s premises without explicit written authorisation from Management.
Personal data shall be accessible only to those who need to use them and shall generally be stored:
Where processed electronically, personal data must be protected in accordance with Blue Marlin’s Security Policies, including network segregation, malware protection, controlled access credentials and permission levels.
Access to personal data must be limited to what is strictly necessary to fulfil the applicable purpose.
Third-party access to personal data is only permitted where a contract and/or confidentiality agreement is in place providing appropriate data protection safeguards. In case of doubt, the DPO must be consulted.
Where a legitimate purpose exists, Blue Marlin may disclose personal data only to specific categories of recipients, including public authorities, processors, service providers and partners.
When transferring personal data, Blue Marlin requires proof of GDPR compliance by recipients and the inclusion of appropriate data protection clauses in contracts, where applicable.
Where personal data need to be transferred, stored or processed in a country other than Portugal or the European Economic Area (EEA), such transfers are carried out in compliance with GDPR requirements.
In particular, the use of website analytics and management tools such as Google Tag Manager (GTM) and Google Analytics may involve the transfer of personal data to countries outside the EEA, including the United States of America.
Such transfers are safeguarded through appropriate technical and organisational measures, including binding corporate rules, standard contractual clauses or explicit consent.
Blue Marlin retains personal data only for the period necessary to fulfil the legitimate purposes for which they were collected or as required by law.
Personal data are retained and subsequently destroyed in accordance with the applicable retention procedures and schedules.
All employees, suppliers, partners and data subjects are required to report actual or potential personal data breaches to the DPO, enabling Blue Marlin to investigate, take corrective measures, maintain breach records and notify the supervisory authority within the legally applicable timeframe.
Each functional area manager is responsible for ensuring compliance with this Policy. Employees must be familiar with and comply with its provisions.
The person responsible for data protection within the organisation is responsible for establishing, reviewing, communicating and monitoring compliance with this Policy and for investigating reported breaches.
Blue Marlin promotes training sessions on this Policy and on data protection matters, with the frequency determined by the DPO.
Non-compliance with this Policy may result in disciplinary action where its provisions are flagrantly or repeatedly violated, in accordance with applicable labour legislation.
The main documents comprising Blue Marlin’s PPDP are available for consultation on Blue Marlin’s internal network or upon request to the Data Controller.
The Data Protection Officer is responsible for ensuring that this procedure is reviewed in accordance with GDPR requirements.
The latest version of this document is published and available for consultation on Blue Marlin’s shared network or upon request to the Data Controller.
This procedure was approved by the Board of Directors of Blue Marlin on 1 October 2025.
Version No.: 1.0
Description of change: Approval of the Personal Data Protection Policy and Procedures Manual and respective annexes
Approval date: 01/10/2025