ACT DIGITAL, aware of the importance and need to adapt its personal data processing operations to a new and broad regulation on the subject — in this case the General Data Protection Law (Law 13,709/2018 - “LGPD”), passed in August 2018 —, began, in 2019, its process of compliance with the new Law.
This document is part of the ACT DIGITAL compliance program with the LGPD.
In conducting the activities provided for in its statutes, ACT DIGITAL carries out personal data processing operations seeking the best interest of the holders of personal data, always respecting their rights, and can be characterized as Controller of Personal Data, Operator of Personal Data, Controller and Personal Data Operator, in accordance with the LGPD definitions, reinforcing, whatever the position it occupies, its commitment to compliance with applicable privacy and personal data protection rules.
PERSONAL DATA PROCESSING AGENT: The controller and operator of personal data.
ANONYMIZATION: Use of technical means, reasonable and available at the time of processing personal data, through which data loses the possibility of association, directly or indirectly, with an individual. Anonymized data is not considered personal data for the purposes of the LGPD.
NATIONAL DATA PROTECTION AUTHORITY (“ANPD”): Public administration body responsible for ensuring, implementing, and supervising compliance with the LGPD throughout Brazil. The ANPD was established by the LGPD as a body of the federal public administration with technical autonomy, part of the Presidency of the Republic, and its nature was defined as transitory and subject to transformation by the Executive Branch into an entity of the indirect federal public administration, subject to a special autarchic regime, linked to the Presidency of the Republic.
PERSONAL DATA CONTROLLER: Natural person or legal entity, public or private, who is responsible for decisions regarding the processing of personal data.
PERSONAL DATA: Information related to an identified or identifiable natural person. Data used to form the behavioral profile of a certain natural person are also considered personal data.
SENSITIVE PERSONAL DATA: Personal data about racial or ethnic origin, religious conviction, political opinion, affiliation to union or organization of a religious, philosophical, or political nature, data referring to health or sexual life, genetic or biometric data when linked to a natural person.**
DATA PROTECTION OFFICER (“DPO”): Natural person or legal entity appointed by the Data Processing Agent to act as a communication channel between the Controller, data subjects, and the National Data Protection Authority.
GENERAL DATA PROTECTION LAW (“LGPD”): Normative text (Law 13,709, dated August 14, 2018) that provides for the processing of personal data in digital or physical means carried out by a natural person or legal entity, legally public or private, with the objective of defending the holders of personal data and at the same time allowing the use of data for different purposes, balancing interests and harmonizing the protection of the human person with technological and economic development.
PERSONAL DATA OPERATOR: Natural or legal person, public or private, who processes personal data on behalf of the Controller.
HOLDER OF PERSONAL DATA (“HOLDER”): Natural person to whom the personal data subject to processing refer.
PROCESSING OF PERSONAL DATA (“PROCESSING”): Any operation carried out with personal data, such as those related to the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation, information control, modification, communication, transfer, diffusion, or extraction.
This Policy establishes ACT DIGITAL’s guidelines for the protection and use of personal data that may be processed in its activities, with reference to the LGPD, among other national and international standards related to privacy and protection of personal data.
This Policy applies:
- a) to employees of ACT DIGITAL;
- b) to all third parties, whether natural persons or legal entities that act for or on behalf of ACT DIGITAL in operations involving the processing of personal data that are carried out within the scope of activities conducted by ACT DIGITAL;
- c) to personal data processing agents external to ACT DIGITAL who in any way relate to it; and
- d) holders of personal data whose data are processed by ACT DIGITAL. Adherence to ACT DIGITAL’s compliance program with the personal data protection laws and the resulting normative diplomas, including this Policy, is mandatory for all recipients indicated above insofar as they relate to ACT DIGITAL. All operations involving processing of personal data that are carried out within the scope of activities conducted by ACT DIGITAL are subject to such regulations.
This Policy establishes guidelines and rules to ensure that its recipients understand and comply with the legislation that addresses the protection of personal data in all interactions with current and future holders of personal data, third parties, and personal data processing agents external to ACT DIGITAL.
In addition to the concepts defined by the rules that deal with privacy and protection of personal data, the information covered by this Policy includes all data held, used, or transmitted by or on behalf of ACT DIGITAL, in any type of media. This includes personal data recorded on paper and held on computer systems or portable devices, as well as personal data transmitted orally.
5. MAIN OBJECTIVES
The main objectives of this Privacy and Personal Data Protection Policy are to address the responsibilities of ACT DIGITAL, and the necessary guidelines to ensure and reinforce the Company’s commitment to compliance with applicable personal data protection legislation and to describe the rules to be followed in carrying out the activities and operations of processing personal data carried out by ACT DIGITAL and by the recipients of this Policy, within the scope of the activities of ACT DIGITAL, which guarantee its compliance with the applicable personal data protection legislation and, in particular, with the LGPD.
This Policy is written to be analyzed in conjunction with the obligations set forth in the documents described below, which deal with information in general and complement it when applicable:
- i. Employment contracts of ACT DIGITAL’s employees and other comparable documents, which provide for confidentiality obligations in relation to information held by the Company;
- ii. Policies and standards of information security procedures, as well as terms and conditions of use, dealing with confidentiality, integrity, and availability of ACT DIGITAL information;
- iii. All internal rules regarding the protection of personal data that may be drawn up and updated from time to time.
6. PRINCIPLES OF PRIVACY AND PROTECTION OF PERSONAL DATA
ACT DIGITAL will comply with the following personal data protection principles when processing personal data:
- a) PURPOSE: ACT DIGITAL will process personal data only for legitimate, specific, and explicit purposes, which will be informed to the holder of personal data, with no possibility of further processing in a way that is incompatible with those purposes.
- b) ADEQUACY: ACT DIGITAL will process personal data in a manner compatible with the purposes informed to the data subject and in accordance with the context of the treatment.
- c) NECESSITY: the processing of personal data carried out by ACT DIGITAL will be limited to the minimum necessary for the fulfillment of its purposes, with the scope of relevant data, proportional and not excessive in relation to the purposes of the treatment.
- d) FREE ACCESS: ACT DIGITAL will guarantee the holders of personal data free and easy consultation on the form and duration of treatment, as well as on the completeness of their data.
- e) QUALITY OF DATA: ACT DIGITAL will guarantee to the holders of personal data the accuracy, clarity, relevance, and updating of the data, according to the need and for the fulfillment of the purpose of its treatment;
- f) TRANSPARENCY: ACT DIGITAL will guarantee to the holders of personal data clear, precise, and easily accessible information about the processing and the respective personal data processing agents, observing commercial and industrial secrets.
- g) SECURITY: ACT DIGITAL will use technical and administrative measures able to protect personal data from unauthorized access and accidental or illegal situations of destruction, loss, alteration, communication, or dissemination.
- h) PREVENTION: ACT DIGITAL will adopt measures to prevent the occurrence of damages due to the processing of personal data.
- i) NON-DIGITAL: ACT DIGITAL will guarantee the impossibility of processing personal data for illicit or abusive discriminatory purposes.
- j) RESPONSIBILITY AND ACCOUNTABILITY: ACT DIGITAL undertakes to demonstrate the adoption of effective measures capable of proving compliance with personal data protection rules and the effectiveness of these measures.
7. LEGAL BASIS FOR PROCESSING PERSONAL DATA
All personal data processing operations within the scope of activities conducted by ACT DIGITAL will have a legal basis that legitimizes their performance, with stipulation of the purpose and designation of those responsible for the treatment.
ACT DIGITAL assumes as an institutional commitment the periodic evaluation of the purposes of its treatment operations, considering the context in which these operations are inserted, the risks and benefits that may be generated to the holder of personal data, and the legitimate interest of the Company.
The carrying out of personal data processing operations by ACT DIGITAL may be carried out:
- a) upon the provision of consent by the holder of personal data;
- b) for compliance with a legal or regulatory obligation;
- c) when necessary for the performance of a contract or preliminary procedures related to a contract to which the holder of personal data is a party;
- d) for the regular exercise of rights in judicial, administrative, or arbitration proceedings;
- e) for the protection of life or physical safety of the holder of personal data or third parties;
- f) when necessary to meet the legitimate interests of ACT DIGITAL or third parties; and
- g) for credit protection.
ACT DIGITAL will register its treatment operations based on treatment categories, each one described based on its purpose(s), serving as an aid and support for its periodic assessment of compliance with the regulatory framework of the personal data protection.
The records of personal data processing operations may be consulted by the holder of the personal data, as well as by competent public authorities for accessing and retaining data on their behalf, safeguarding the rights of the holder of personal data.
8. LEGAL BASIS FOR PROCESSING SENSITIVE PERSONAL DATA
ACT DIGITAL recognizes that the processing of sensitive personal data poses higher risks to the holder of personal data and, for this reason, the Company is committed to safeguarding and taking special care with regard to the processing of sensitive personal data.
This commitment incorporates the sensitive personal data listed in Article 5, Item II, of the LGPD, as well as the financial data that, for the purposes of this Policy and the LGPD Compliance Program of ACT DIGITAL, will have the same status as sensitive personal data. The personal data of children and adolescents will be treated with the same level of care required and offered to sensitive personal data, but will also be subject to the specific provisions established in Chapter II, Section III, of the LGPD, and other specific applicable rules. The processing of sensitive personal data by ACT DIGITAL can only be carried out:
- a) when the holder of personal data or his legal guardian consents, in a specific and prominent way, for specific purposes; and
- b) without consent from the holder of personal data in cases where the processing is essential for:
- i. compliance with a legal or regulatory obligation by ACT DIGITAL;
- ii. carrying out studies when ACT DIGITAL is the research body, ensuring, whenever possible, the anonymization of sensitive personal data;
- iii. the regular exercise of rights, including in contracts and in judicial, administrative, and arbitration proceedings;
- iv. protection of the life or physical safety of the holder of personal data or of third parties; and
- v. ensuring the prevention of fraud and the security of the holder of personal data in processes of identification and authentication of registration in electronic systems.
9. PERSONAL DATA HOLDER RIGHTS
ACT DIGITAL, in the context of its personal data processing activities, reinforces its commitment to respect the rights of holders of personal data, namely:
- a) RIGHT TO CONFIRM THE EXISTENCE OF PROCESSING: The holder of personal data may ask, together with ACT DIGITAL, whether there are processing operations related to their personal data.
- b) RIGHT OF ACCESS: The holder of personal data may request and receive a copy of all personal data collected and stored.
- c) RIGHT TO CORRECTION: The holder of personal data may request the correction of personal data that are incomplete, inaccurate, or out of date.
- d) RIGHT OF ELIMINATION: The holder of personal data may request the deletion of their personal data from databases managed by ACT DIGITAL, unless there is a legitimate reason for their maintenance, such as a possible legal obligation to retain data or study by research body. In the event of deletion, the Company reserves the right to choose the disposal procedure used, committing to use means that guarantee security and avoid data recovery.
- e) RIGHT TO REQUEST THE SUSPENSION OF ILLEGAL PROCESSING OF PERSONAL DATA: At any time, the holder of personal data may request from ACT DIGITAL the anonymization, blocking, or elimination of personal data that have been recognized by the competent authority as unnecessary, excessive, or treated in violation of the provisions of the LGPD.
- f) RIGHT TO OPPOSITION TO TREATMENT OF PERSONAL DATA: In cases of processing of personal data not based on obtaining consent, the holder of personal data may submit an opposition to ACT DIGITAL, which will be analyzed based on the criteria present in the LGPD.
- g) RIGHT TO DATA PORTABILITY: The holder of personal data may request ACT DIGITAL that their personal data be made available to another service or product provider, respecting the commercial and industrial secret of the Company, as well as the technical limits of its infrastructure.
- h) RIGHT TO REVOKE CONSENT: The holder of personal data has the right to revoke his consent. However, it should be noted that this will not affect the legality of any treatment carried out prior to the withdrawal. In the event of withdrawal of consent, it may not be possible to provide certain services. If this is the case, the holder of personal data will be informed.
ACT DIGITAL reiterates its commitment to the rights of holders of personal data to transparency and adequate information, highlighting the provision of:
- i. information from public and private entities with which ACT DIGITAL shared data; and
- ii. information on the possibility of not providing consent and on the consequences of the refusal.
10. DUTIES FOR PROPER USE OF PERSONAL DATA
The duties of care, attention, and proper use of personal data extend to all recipients of this Policy in the development of their work and activities at ACT DIGITAL. They shall commit to assist the Company in fulfilling its obligations in the implementation of its privacy strategy and personal data protection.
10.1. SPECIFIC DUTIES OF THE HOLDERS OF PERSONAL DATA:
It is up to the holders of personal data to communicate to ACT DIGITAL about any changes in their personal data in their relationship with the Company, preferably notifying it in the following order:
- a) by email addressed to the person in charge of Human Resources at ACT DIGITAL;
- b) by e-mail addressed directly to the EPD of ACT DIGITAL; and
- c) by physical means addressed directly to the EPD of ACT DIGITAL.
10.2 SPECIFIC DUTIES OF ACT DIGITAL’S EMPLOYEES:
The sharing of personal data of holders of personal data between the units of ACT DIGITAL is allowed, provided that its purpose and legal basis are respected and the principle of necessity is observed, with the processing of personal data always being attached to the development of activities authorized by ACT DIGITAL.
10.3. DUTIES OF ACT DIGITAL’S EMPLOYEES, PERSONAL DATA PROCESSING AGENTS, AND THIRD PARTIES:
- a) Do not make available or guarantee access to personal data maintained by ACT DIGITAL to any unauthorized or competent person in accordance with the Company’s rules.
- b) Obtain the necessary authorization for the processing of data and have the necessary documents that demonstrate the designation of its competence to carry out the lawful data processing operation.
- c) Comply with the standards, recommendations, information security guidelines, and prevention of information security incidents published by the Company (e.g., Information Security Policy, Information Security Incident Response Plan, password management guidelines, among others).
10.4. DUTIES OF ALL RECIPIENTS OF THIS POLICY:
All recipients of this Policy have a duty to contact ACT DIGITAL’s Data Protection Officer when the following actions are suspected or actually occur:
- a) Personal data processing operation carried out without a legal basis that justifies it.
- b) Processing of personal data without authorization by ACT DIGITAL in the scope of the activities it develops.
- c) Personal data processing operation that is carried out in breach of ACT DIGITAL’s Information Security Policy.
- d) Unauthorized deletion or destruction by ACT DIGITAL of personal data from digital platforms or physical collections in all Company’s facilities or used by it.
- e) Any other violation of this Policy or any of the data protection principles set out in item 7 above.
11. DUTIES FOR PROPER USE OF PERSONAL DATA
The LGPD establishes that liability in the case of property, moral, individual, or collective damages derived from violations of the personal data protection legislation is joint and several, and all agents in the chain involving the processing of personal data may be held responsible for any damage caused.
In this sense, the possibility of ACT DIGITAL being held responsible for the actions of third parties implies the need to use the best efforts to verify, evaluate, and guarantee that such third parties comply with the applicable data protection legislation. In this way, all contracts with third parties must contain clauses referring to the protection of personal data, establishing duties and obligations involving the subject, and attesting the commitment of third parties with the applicable personal data protection legislation. It should also be noted that these contracts will be reviewed and submitted for approval by the EPD of ACT DIGITAL and its technical team, in accordance with the current regulatory framework.
All third parties must sign the term of acceptance of this Policy, the Information Security Policy, and the Security Incident Response Plan, subjecting the contracted activities within the scope of the relationship with ACT DIGITAL to these regulations as well.
12. PERSONAL DATA PROTECTION LAW COMPLIANCE PROGRAM
The LGPD Compliance Program aims to guarantee ACT DIGITAL’s commitment to ensure the proper treatment of personal data for legitimate purposes that may be the object of its activities, reinforcing its commitment to good privacy and data protection practices with the following actions:
- a) Production and dissemination of information, regardless of format, describing the individual responsibilities of the recipients of this Policy in the scope of privacy and protection of personal data.
- b) Providing training, guidance, and advice to ACT DIGITAL’s employees and third parties, including, but not limited to, online courses, workshops, internal meetings, regular conversations, lectures, among other initiatives; sharing content available in digital and face-to-face format.
- c) Incorporation of concerns and care in the processing of personal data in all stages of its activities, including, but not limited to, administrative routines, research activities, provision of services, academic activities, among others.
- d) Identification and deepening of the assessment of risks that may compromise the achievement of ACT DIGITAL’s objectives in the area of privacy and protection of personal data; defining, creating, and implementing action plans and policies to mitigate identified risks; in addition to maintaining a continuous evaluation of the scenarios in order to assess whether the implemented measures do not require new guidelines and attitudes.
As of the entry into force of the LGPD, the Data Protection Officer of ACT DIGITAL — also referred to as Data Protection Officer (DPO) —, assisted by its technical team, will have the following responsibilities:
- a) To conduct the LGPD Compliance Program at ACT DIGITAL, ensuring its supervision.
- b) To monitor compliance with applicable personal data protection legislation, in accordance with ACT DIGITAL’s policies.
- c) To guide the recipients of this Policy regarding the privacy and personal data protection regime of ACT DIGITAL.
- d) To ensure that the rules and guidelines relating to data protection are informed/incorporated into the routines and practices of ACT DIGITAL.
- e) To organize training on personal data protection at ACT DIGITAL.
- f) To provide clarifications, provide information, and submit reports on the processing of personal data and their impacts to the competent public authorities (e.g., Public Ministry, National Authority for the Protection of Personal Data, etc.);
- g) To respond to requests and complaints from holders of personal data whose data have been processed by an ACT DIGITAL unit.
- h) To assist in audits or any other evaluation and monitoring measure involving data protection.
- i) To prepare impact reports on privacy and data protection, technical opinions, and review of documents with regard to data protection.
13. INFORMATION SECURITY
Standards of information security and prevention against personal data incidents are contained in ACT DIGITAL’s Information Security Policy and in internal regulations and documents related to the subject.
ACT DIGITAL reinforces the commitment embodied in its Information Security Policy to employ appropriate technical and organizational measures in dealing with personal data, and to make efforts to protect the personal data of holders of personal data against unauthorized access, loss, destruction, unauthorized sharing, among other hypotheses.
14. INTERNATIONAL TRANSFER OF PERSONAL DATA
In cases where ACT DIGITAL is authorized to process personal data regardless of the consent of the data subject, ACT DIGITAL may transfer personal data to other countries, provided that, alternatively:
- a) the country is classified as having an adequate level of data protection assigned by the ANPD or the transfer is authorized by the ANPD;
- b) as long as there is no list of countries with an adequate level disclosed by the ANPD, the country is classified by the European Commission, through an Adequacy decision, as a country with an adequate level for the LGPD criteria;
- c) the international personal data processing agent offers ACT DIGITAL at least one of the safeguards below: i. Codes of conduct regularly issued or “binding corporate rules” approved by the European Commission. ii. Standard contractual clauses issued by the ANPD or the European Commission. iii. Seals and certificates of conformity or adequacy to the protection of personal data granted by entities accredited by the ANPD or the European Commission. d) explicit and highlighted consent is obtained from the holders of personal data to carry out international transfer operations of personal data, with prior information on the international character of the operation and highlighting that the country does not have an adequate level of data protection recognized or that there are no processing agent compliance safeguards, as applicable.
In cases where ACT DIGITAL is authorized to process personal data based on consent, ACT DIGITAL may transfer personal data to other countries, provided that it obtains explicit and highlighted consent from the holders of personal data to carry out international transfer operations of personal data, with prior information on the international character of the operation. If the country does not have an adequate level of recognized data protection or there are no safeguards for the compliance of the processing agent, such information should be provided to the holder of personal data in advance, so that they consent to the risks of the operation.
The recipients of this Policy undertake to participate in training, workshops, meetings, and qualifications proposed by ACT DIGITAL’s Data Protection Officer to expand the culture of personal data protection in the Company. **ACT DIGITAL’**s employees whose tasks require the regular processing of personal data, or those responsible for implementing this Policy, undertake to participate in additional training to help them understand their duties and how to fulfill them.
It should be reiterated that ACT DIGITAL acknowledge its commitment to ensure the proper processing of personal data for legitimate purposes that may be the object of its activities and reinforces its commitment to good practices of privacy and data protection, committing itself to keep its LGPD Compliance Program updated with the rules and recommendations issued by the ANPD or other relevant authorities.
ACT DIGITAL assumes the commitment to revisit this Policy from time to time and, at its discretion, make changes in order to update its provisions and reinforce the Company’s permanent commitment to privacy and protection of personal data, with all changes made in due course being communicated through the Company’s official channels.
**PREPARED BY **
Name: Mariley Alves Silva Position: Administrative Finance Director Version: 1.0/2021
**APPROVED BY **
Name: Paulo Victor Couto Quites Position: Director of Operations Internal Notice #004/2021 - 04/27/2021
**Document ** Privacy and Personal Data Protection Policy
Dimension Normative Structure of Procedures
Type of Normative Instrument Policy
** Subject Category** Control and Compliance
Subject Compliance System