General Data Protection Regulation

Framework with Regulation (EU) 2016/679 and Law No. 58/2019


Taking into account Law No. 58/2019, which ensures the implementation, in the national legal order, of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and the free movement of such data (GDPR), which replaced Directive 95/46/EC, introduced into the Portuguese legal system by Law No. 67/98 of 26 October.

This document is presented in an interpretative manner, clarifying the obligations arising from this Law and the way in which GoFox – Tecnologias de Informação Unipessoal, Lda. (hereinafter referred to as “GoFox”) follows them, both as Controller/Responsible for data processing (Data Controller) and as Processor/Subcontractor (Data Processor).

Due to its scope and the subjects for whom it is intended, it is therefore important to start by distinguishing, in accordance with article 4 of the GDPR:

Controller(s)/Responsible for data processing and Processor/Subcontractor(s)

Data Controller (Controller(s) or Responsible for processing) – A natural or legal person, public or private entity, agency, institution or any other body that decides how and why data is processed; that is, the natural or legal person who, alone or jointly with others, determines the purposes and means of processing personal data.

According to article 5 of the GDPR, the Controller(s)/Responsible for processing is responsible for demonstrating compliance with the principles relating to the processing of personal data.

Data Processor (Processor or Subcontractor) – A natural or legal person, public or private entity, agency, institution or any other body that processes personal data on behalf of the Controller/Responsible for processing. In other words, the one that processes personal data on behalf of the Controller(s)/Responsible for the processing.

By article 28 of the GDPR, processing can be carried out on behalf of the Controller(s)/Responsible for the processing, but the latter is responsible for subcontracting only those Processors/Subcontractors that provide sufficient guarantees of compliance with the GDPR, i.e. Processor(s)/Subcontractor(s) who have evidence of the implementation of appropriate technical and organizational measures, such that the processing satisfies the requirements of the regulation.

Thus, all entities within the EU or even outside the EU, whether Controller(s)/Responsible for processing or Processor(s)/Subcontractor(s), must implement the necessary controls to ensure compliance with the GDPR (Law No. 58/2019 in Portugal), as long as the data to be processed concerns an EU citizen. This responsibility is shared between the Controller(s)/Responsible for processing and the Processor(s)/Subcontractor(s), and fines may be applied to both.

Therefore, under the terms of GDPR/Law No. 58/2019, GoFox is:

• Controller/Responsible for processing all data collected from its customers and for providing the subscribed services and respective support.

• Processor/Subcontractor as an agent for hosting your data, providing development services and possible adjacent products, registering domains or selling SSL certificates.


Context and obligations of GoFox as Processor/Subcontractor (Data Processor)

A – Information and history

It is the responsibility of the Controller(s)/Responsible for data processing to implement effective measures capable of demonstrating the compliance of data processing activities, even if, as already seen, the processing is carried out by a Processor/Subcontractor on behalf of the Controller(s)/Responsible for the processing, in which case the responsibility is shared.

The Controller(s)/Responsible for data processing therefore become(s) responsible for ensuring that the rights guaranteed by the GDPR are effectively fulfilled, namely the most relevant:


1 - Information about the data collected, its purpose and consent

As Processor/Subcontractor, the data entrusted to GoFox is made available by the Data Controller (GoFox client) with the aim of GoFox providing the service contracted at subscription. When subscribing to the service, with possible data migration and/or its incremental creation or deletion, the Data Controller (GoFox client) understands and accepts that the final objective of their action is to receive the subscribed service, as described on the GoFox website on the date/time of subscription. To this end, a confirmation email is sent to the client on the date/time of subscription, as well as at the time of payment and service activation. All these emails are stored in the GoFox customer area, accessible for consultation by the Controller/Responsible for processing (GoFox customer).


2 - Right to access

As Processor/Subcontractor, GoFox does not access the data entrusted to it by the Data Controller (GoFox client), except when, and only for as long as, it is strictly necessary to provide the contracted service. Access to this data is available to the customer at all times, within the customer's sphere, through the means and information agreed/sent at the time of subscription/activation.

Access contingencies may occur, motivated by technical factors that lead to unavailability of the service, in which case GoFox acts as provided for in its general/special conditions of service provision, to which this privacy policy is complementary and constitutes a mandatory annex. Apart from technical unavailability of access to the service, access may be blocked for: i) security of the data itself against illegitimate access, for example when there are excessive failed login attempts; ii) data preservation, when GoFox is aware that the content is at risk of being corrupted by remaining available online; iii) compliance with a court order or another order with the same compulsory force; iv) under the terms of the law, when GoFox is aware of activity or information whose illegality is manifest.


3 - Right to portability

As Processor/Subcontractor, not knowing by nature the personal data it processes, GoFox limits itself to providing permanent access to its customers – Controller(s)/Responsible for data processing – so that they can make copies of the content at any time, as well as migrate the content hosted on its servers to any other service provider or to a storage device made available by the customer. Likewise, in services related to data hosting that may also contain personal data, such as domain names, the customer can transfer them at any time; however, if they only want to remove the domain name, this must be requested from the registry. Given the huge number of existing TLDs with different rules, and since GoFox is also a Subcontractor here, the Data Controller (GoFox client), if they wish, should request this and other information about the intended TLD upon subscribing.


4 - Right to be forgotten

As Processor/Subcontractor regarding the data hosted on its servers by the Data Controller (GoFox client), and despite being agnostic to the type of data (i.e., whether or not it is personal), GoFox considers the right to be forgotten to be intrinsically linked to the mandatory retention period of backups, if applicable, so this will be the legal limit for the right to be forgotten in this type of service. In other information hosting services, where there are no backups, the right to be forgotten will be exercised whenever expressly requested or, automatically, after the service end date, taking into account the recovery retention days defined for the respective service, never exceeding 30 days.


5 - Pseudonymization and anonymization

As Processor/Subcontractor we are completely agnostic to the data hosted in our infrastructure, being limited to processing the data entrusted to us by the Controller(s)/Responsible for processing under the terms necessary to fulfil our obligation to provide the contracted service. GoFox will therefore be responsible for maintaining information security as proposed, preventing data from being accessed improperly, whether by physical, logical or social engineering means. To guarantee this obligation, GoFox will take all appropriate technical security measures to protect data, which includes the possible pseudonymization of data that may be accessed in the normal course of providing services (such as the names given to physical servers, or data required through contact channels where identity confirmation is not viable) and, on the other hand, the complete anonymization of the data hosted by the Controller(s)/Responsible for processing, since it is not known to GoFox.


6 - Right to object to automated decision-making and profiling

GoFox does not provide services in the area of profiling; therefore, there is no automated processing, including profiling, that produces decisions with legal effects.


B – Accountability

1 - Obligation to use privacy by design, privacy by default and Data Minimization

As Processor/Subcontractor, GoFox guarantees:

• Physical access to its infrastructure is controlled 24 hours a day by the personnel responsible for security, with Closed Circuit Television. There are cameras in common areas both indoors and outdoors, access to technical rooms is completely restricted, and a global control system detects the presence of intruders in the building. Security is based on the presence of 24x7 personnel who have all the necessary systems to control all areas of the building from the control post. Security is also responsible for the human registration of accesses, to which RFID control is added;

• Our network is made up of transit from several Tier 1 operators, presence in several traffic exchange points (GigaPix, ESpanix, DE-CIX), as well as multiple private peering agreements;

• The various Datacenters are interconnected, allowing public and private traffic to be exchanged securely and with reduced latencies. As an option, we provide a VPN service, whether “client to site” or “site to site”, allowing secure access via a private network to services and infrastructure hosted in the various Datacenters;

• The entire infrastructure is monitored 24x7x365 from our supplier's NOC, providing graphs with metrics and latency of access to services for the various customers (for services that include it). In the event of an incident, the operations team is notified and the necessary actions are taken to normalize the service. We have an efficient SIEM (security information and event management) as well as a vulnerability management policy, with 24x7x365 monitoring.


2 - Data Protection Officer (DPO), responsible for the processing and protection of personal data

The appointment of a DPO is mandatory for public authorities, with the exception of courts or independent judicial authorities when acting in the exercise of their judicial functions. In addition to public authorities, a DPO is mandatory for all Controller(s)/Responsible for processing and Processor(s)/Subcontractor(s) whose main activities consist of data processing operations carried out regularly, systematically and on a large scale, or when such data belong to special categories (sensitive data). According to art. of the GDPR, these include, unequivocally, data relating to health or data relating to a person's sex life or sexual orientation.

The DPO must be appointed based on their professional qualifications with a special focus on technical knowledge of data protection legislation and practices.

The DPO is responsible for compliance and for process management with a view to data security. The DPO is also responsible for dealing with crisis situations, such as information leaks or other problems critical to business continuity regarding the maintenance and processing of personal and confidential data.

Even in entities where a DPO is not mandatory, the entity must designate a data controller, that is, a person, whether an employee or not, who, individually or jointly with others, determines the purposes and means of processing personal data.

GoFox has a DPO who can be contacted directly by email at


3 - Responsibility for the collection and processing of data

As Processor/Subcontractor, GoFox guarantees to all its customers that it implements appropriate technical and organizational measures to comply with the law and to ensure information security and the defense of data subject rights. As Processor/Subcontractor, all data stored on our servers was received on the basis of contracting the respective service and is therefore retained for as long as the service/contract remains in force. Outside this period, there is a residual obligation, also arising from the contract itself, to maintain backups of previously hosted content for the defined retention times.


4 - Account for GDPR compliance – Accountability

In the sense of the GDPR, accountability is the proof of an entity's compliance with the regulation itself. In this same logic, responsibility is accompanied by measures that show the reality of data protection. It is important to note these two aspects of responsibility: the responsible implementation of the GDPR and the “report”. In this context, the GDPR requires the Controller(s)/Responsible for processing to adapt their operation in order to guarantee (and be able to show, or “render accounts” if the term is translated literally) that their processing of personal data complies with the law.


5 - Information leaks and security breaches - data breaches

GoFox, as Processor/Subcontractor, together with the suppliers adjacent to the services provided, has always followed a policy of transparency towards its customers; therefore the obligation to communicate will be carried out under the previously defined terms, in compliance with the stipulated procedure. Considering and analyzing, in the abstract, the various types of information and their criticality, their possible exposure to unauthorized third parties and the consequent potential impact in the case of an event of this type, an Information Leakage Event Policy was drawn up. This policy establishes specific procedures, with clear work instructions, so that, faced with a specific fact, any person involved is able to analyze and react efficiently and quickly, responding to the need to contain and solve the problem in the shortest possible time. Taking into account the specific obligations concerning personal data, and in order to better adapt the reaction to a privacy incident, a specific procedure was created for managing Information Security and Privacy incidents.

This procedure guarantees a balanced and properly guided analysis of the event which, in strict compliance with the GDPR, allows the need for subsequent actions to be assessed, such as whether or not it is mandatory to communicate the event to the client and to the NDPC. All these actions, as well as their respective justifications, are duly recorded in order to serve as evidence and support for any subsequent investigation.


C – Supervision

1 - National control authority defined by Law No. 58/2019

The National Data Protection Commission (NDPC) is the national control authority for the purposes of the GDPR.

The NDPC is defined in law as an independent administrative entity, with legal personality under public law and powers of authority, endowed with administrative and financial autonomy to control and monitor compliance with the GDPR and other laws, as well as other legal provisions and regulations on the protection of personal data with a view to defending the rights, freedoms and guarantees of natural persons in the context of the processing of personal data.

To this end, all entities subject to the GDPR and to this law have a duty to collaborate with the NDPC in any process in which it is required, except for the exceptions provided for in the law itself.

Thus, the NDPC establishes that, under the terms of paragraph 1 of article 35 of the GDPR, the processing of personal data that may pose a high risk to the rights and freedoms of natural persons must be preceded by a DPIA (Data Protection Impact Assessment). Article 35(3) of the GDPR gives, by way of example, three types of situations that meet the requirements of this obligation of the data controller; in accordance with paragraph of article 35, the NDPC is the entity responsible for drawing up a complementary list of processing operations that must be preceded by a DPIA, published as Regulation No. 1/2018 regarding the list of personal data processing subject to Data Protection Impact Assessment. This is not an exhaustive list but a dynamic one, and, just as the information society evolves, it is the duty of all those responsible for processing personal data to be aware of it, without prejudice to the suggestion that everyone carry out a DPIA for other processing operations, even if they do not appear on the list.

Considering that the GDPR (art. 35) requires the data controller to carry out a Data Protection Impact Assessment (DPIA) in cases where there is a high risk to the rights and freedoms of natural persons, depending on the nature, scope, context and purpose of the data and the type of processing applied to it, the GDPR also establishes specific factors that help determine what may be considered high risk. Therefore, to determine whether a DPIA is necessary, a data controller must consider these factors together with those set out in the list of personal data processing subject to a Data Protection Impact Assessment.

As Processor/Subcontractor, there is no service provided by GoFox which, by its nature, necessarily requires a DPIA by GoFox or by the Controller/Responsible for data processing that uses it. The analysis of the need for a DPIA will depend on the details and context of how the Controller/Responsible for processing uses the subscribed services.

Thus:

• GoFox does not provide resources to carry out specific automated data processing, and since it does not know the data it hosts or what is done with it, the assessment of whether this requirement applies rests with the Controller/Responsible for the processing of personal data;

• No specific service marketed by GoFox is prepared or intended to process special categories of personal data; therefore GoFox services, by their nature, do not enhance or increase the risk inherent in the processing carried out by a Controller/Responsible for the processing of personal data. Naturally, nothing prevents the Controller/Responsible for the processing of personal data from using GoFox services to process special categories of data (those referred to in art. 53/3 or in the list of personal data processing subject to Data Protection Impact Assessment).

In line with these considerations, the Controller/Responsible for data processing must analyze the type of data and the processing applied to it in order to assess whether or not a DPIA is necessary.
