ACT DIGITAL, aware of the importance and necessity of adapting its personal data processing operations to the new and extensive regulation on the subject, specifically the General Data Protection Law (Law 13,709/2018 – “LGPD”), approved in August 2018, initiated its compliance process with the new law in 2019.
This Privacy and Personal Data Protection Policy, hereinafter referred to as “POLICY,” aims to guide the management of personal data of individuals processed by the Company, focusing on the protection of personal data and the various activities and operations of personal data processing existing at ACT DIGITAL.
This document is part of ACT DIGITAL’s compliance program with the LGPD.
In conducting the activities outlined in its bylaws, ACT DIGITAL carries out personal data processing operations in the best interest of the data subjects, respecting their rights. Depending on the definitions provided by the LGPD, ACT DIGITAL may act as a Personal Data Controller, Personal Data Processor, or both, reinforcing its commitment to complying with applicable privacy and personal data protection rules in all positions it occupies.
- DEFINITIONS:
PERSONAL DATA PROCESSING AGENTS: The controller and the processor of personal data.
ANONYMIZATION: The use of technical means, reasonable and available at the time of personal data processing, by which data loses the possibility of association, directly or indirectly, with an individual. Anonymized data is not considered personal data for the purposes of the LGPD.
NATIONAL DATA PROTECTION AUTHORITY (“ANPD”): A public administration body responsible for overseeing, implementing, and monitoring compliance with the LGPD throughout the national territory. The ANPD was established by the LGPD as a federal public administration body with technical autonomy, integrated into the Presidency of the Republic, defined as temporary and subject to transformation by the Executive Power into an indirect federal public administration entity, under a special autarchic regime and linked to the Presidency of the Republic.
PERSONAL DATA CONTROLLER: A natural or legal person, of public or private law, responsible for making decisions regarding the processing of personal data.
PERSONAL DATA: Information related to an identified or identifiable natural person. Personal data also includes data used to form the behavioral profile of a specific natural person.
SENSITIVE PERSONAL DATA: Personal data concerning racial or ethnic origin, religious belief, political opinion, trade union membership, or membership in a religious, philosophical, or political organization, data related to health or sexual life, genetic data, or biometric data when linked to a natural person.
DATA PROTECTION OFFICER (“DPO”): A natural or legal person designated by the Processing Agent to act as a communication channel between the Controller, the data subjects, and the National Data Protection Authority.
GENERAL DATA PROTECTION LAW (“LGPD”): A normative legal framework (Law 13,709, of August 14, 2018) that regulates the processing of personal data in digital or physical media by natural or legal persons, of public or private law, aiming to protect data subjects while allowing the use of data for various purposes, balancing interests and harmonizing the protection of human beings with technological and economic development.
PERSONAL DATA PROCESSOR: A natural or legal person, of public or private law, that processes personal data on behalf of the Controller.
DATA SUBJECT: A natural person to whom the personal data being processed pertains.
PERSONAL DATA PROCESSING (“PROCESSING”): Any operation performed with personal data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation, control of information, modification, communication, transfer, dissemination, or extraction.
- PURPOSE:
This Policy establishes ACT DIGITAL’s guidelines for safeguarding and using personal data processed in its activities, with reference to the LGPD, among other national and international regulations related to privacy and personal data protection.
The company ACT DIGITAL, being a Brazilian entity, strictly follows the guidelines established by the General Data Protection Law (LGPD), Law No. 13.709/2018, in force in its country of origin.
- RECIPIENTS:
This Policy applies to:
ACT DIGITAL employees;
All third parties, whether natural or legal persons, who act for or on behalf of ACT DIGITAL in operations involving the processing of personal data carried out within the scope of activities conducted by ACT DIGITAL;
External personal data processing agents who are in any way related to ACT DIGITAL; and
Data subjects whose personal data are processed by ACT DIGITAL.
Adherence to ACT DIGITAL’s compliance program with personal data protection laws and the resulting regulatory frameworks, including this Policy, is mandatory for all the recipients listed above as they relate to ACT DIGITAL. All operations involving the processing of personal data conducted within the scope of ACT DIGITAL’s activities are subject to these regulations.
- APPLICABILITY:
This Policy establishes guidelines and rules to ensure that its recipients understand and comply with laws regarding personal data protection in all interactions with current and future data subjects, third parties, and external personal data processing agents related to ACT DIGITAL.
Beyond the concepts defined by regulations concerning privacy and personal data protection, the information covered by this Policy includes all data held, used, or transmitted by or on behalf of ACT DIGITAL, in any type of media. This includes personal data recorded on paper, maintained in computer systems or portable devices, as well as personal data transmitted orally.
- MAIN OBJECTIVES:
The main objectives of this Privacy and Personal Data Protection Policy are to outline the responsibilities of ACT DIGITAL and the necessary guidelines to ensure and reinforce the Company’s commitment to complying with applicable personal data protection laws. It also describes the rules to be followed in conducting personal data processing activities and operations carried out by ACT DIGITAL and the recipients of this Policy within the scope of ACT DIGITAL’s activities, ensuring compliance with applicable personal data protection laws, especially the LGPD.
This Policy is intended to be reviewed in conjunction with the obligations outlined in the following documents, which address information in general and complement it where applicable:
Employment contracts of ACT DIGITAL employees and other comparable documents that set forth confidentiality obligations regarding the Company’s information;
Information security policies and procedures, as well as terms and conditions of use that address confidentiality, integrity, and availability of ACT DIGITAL’s information;
All internal regulations regarding personal data protection that may be developed and updated from time to time.
- PRINCIPLES OF PRIVACY AND PERSONAL DATA PROTECTION:
ACT DIGITAL will adhere to the following principles of personal data protection when processing personal data:
PURPOSE: ACT DIGITAL will process personal data only for legitimate, specific, explicit, and informed purposes, without the possibility of further processing in a manner incompatible with those purposes.
ADEQUACY: ACT DIGITAL will process personal data in a manner compatible with the purposes informed to the data subject and in accordance with the context of the processing.
NECESSITY: ACT DIGITAL will limit personal data processing to the minimum necessary to achieve its purposes, covering relevant, proportional, and non-excessive data in relation to the purposes of the processing.
FREE ACCESS: ACT DIGITAL will ensure that data subjects have facilitated and free access to information on the form and duration of the processing, as well as the entirety of their data.
DATA QUALITY: ACT DIGITAL will ensure that data subjects have accurate, clear, relevant, and up-to-date data, according to the necessity and for the fulfillment of the purposes of their processing.
TRANSPARENCY: ACT DIGITAL will provide data subjects with clear, precise, and easily accessible information about the processing and the respective personal data processing agents, while respecting trade and industrial secrets.
SECURITY: ACT DIGITAL will use technical and administrative measures to protect personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication, or dissemination.
PREVENTION: ACT DIGITAL will adopt measures to prevent damage due to personal data processing.
NON-DISCRIMINATION: ACT DIGITAL will ensure that personal data processing is not conducted for illicit or abusive discriminatory purposes.
ACCOUNTABILITY: ACT DIGITAL is committed to demonstrating the adoption of effective measures capable of proving compliance with personal data protection regulations and the effectiveness of these measures.
- LEGAL BASES FOR PERSONAL DATA PROCESSING:
All personal data processing operations within the activities conducted by ACT DIGITAL will have a legal basis that legitimizes their execution, specifying the purpose and designating those responsible for the processing.
ACT DIGITAL commits to periodically evaluating the purposes of its processing operations, considering the context in which these operations occur, the risks and benefits to the data subject, and the legitimate interests of the Company.
Personal data processing operations by ACT DIGITAL may be performed:
With the consent of the data subject;
For compliance with a legal or regulatory obligation;
When necessary for the execution of a contract or preliminary procedures related to a contract to which the data subject is a party;
For the regular exercise of rights in judicial, administrative, or arbitration processes;
For the protection of the life or physical safety of the data subject or third parties;
When necessary to meet the legitimate interests of ACT DIGITAL or third parties;
For the protection of credit.
ACT DIGITAL will maintain records of its processing operations based on categories of processing, each described by its purpose(s), to aid and support periodic evaluations of compliance with the regulatory framework of personal data protection.
The records of personal data processing operations may be consulted by the data subject as well as by relevant public authorities for access and retention of data on their behalf, safeguarding the rights of the data subject.
- LEGAL BASES FOR THE PROCESSING OF SENSITIVE PERSONAL DATA:
ACT DIGITAL acknowledges that the processing of sensitive personal data poses higher risks to the data subject. Therefore, the Company commits to special safeguards and care in the processing of sensitive personal data.
This commitment includes sensitive personal data as enumerated in Article 5, Item II of the LGPD, as well as financial data, which for the purposes of this Policy and the LGPD Compliance Program of ACT DIGITAL, will have the same status as sensitive personal data.
The personal data of children and adolescents will be processed with the same level of care required and provided to sensitive personal data and will also be subject to the specific provisions set forth in Chapter II, Section III, of the LGPD, and other applicable specific regulations.
The processing of sensitive personal data by ACT DIGITAL will only be performed:
When the data subject or their legal representative consents, specifically and separately, for specific purposes;
Without the data subject’s consent, in cases where the processing is indispensable for:
Compliance with a legal or regulatory obligation by ACT DIGITAL;
Conducting studies when ACT DIGITAL is in the position of a Research Organization, ensuring, whenever possible, the anonymization of sensitive personal data;
The regular exercise of rights, including in contracts and judicial, administrative, and arbitration processes;
Protection of the life or physical safety of the data subject or third parties;
Ensuring fraud prevention and security of the data subject in the processes of identification and authentication of registration in electronic systems.
- RIGHTS OF DATA SUBJECTS:
Within the context of its personal data processing activities, ACT DIGITAL reaffirms its commitment to respect the rights of data subjects, which include:
RIGHT TO CONFIRMATION OF THE EXISTENCE OF PROCESSING: The data subject can inquire with ACT DIGITAL if there are processing operations related to their personal data.
RIGHT OF ACCESS: The data subject can request and receive a copy of all collected and stored personal data.
RIGHT TO CORRECTION: The data subject can request the correction of incomplete, inaccurate, or outdated personal data.
RIGHT TO ERASURE: The data subject can request the deletion of their personal data from databases managed by ACT DIGITAL, unless there is a legitimate reason for their retention, such as a legal obligation to retain data or research study by a research organization. In the event of deletion, the Company reserves the right to choose the deletion procedure employed, committing to use a method that ensures security and prevents data recovery.
RIGHT TO REQUEST SUSPENSION OF UNLAWFUL PERSONAL DATA PROCESSING: At any time, the data subject may request from ACT DIGITAL the anonymization, blocking, or deletion of their personal data that has been recognized by a relevant authority as unnecessary, excessive, or processed in non-compliance with the LGPD.
RIGHT TO OBJECT TO PERSONAL DATA PROCESSING: In cases of personal data processing not based on consent, the data subject may present an objection to ACT DIGITAL, which will be analyzed based on the criteria set forth in the LGPD.
RIGHT TO DATA PORTABILITY: The data subject may request that their personal data be made available to another service or product provider by ACT DIGITAL, respecting the Company’s trade secrets and technical limits of its infrastructure.
RIGHT TO WITHDRAW CONSENT: The data subject has the right to withdraw their previously given consent. However, it is noted that this will not affect the legality of any processing carried out before the withdrawal. In the event of consent withdrawal, it may not be possible to provide certain services. If this is the case, the data subject will be informed.
ACT DIGITAL reaffirms its commitment to the rights of data subjects to transparency and adequate information, highlighting the provision of:
Information on public and private entities with which ACT DIGITAL has shared data;
Information about the possibility of not providing consent and the consequences of refusal.
- DUTIES FOR THE PROPER USE OF PERSONAL DATA:
The duties of care, attention, and proper use of personal data extend to all recipients of this Policy in the course of their work and activities at ACT DIGITAL, committing to assist the Company in fulfilling its obligations in implementing its privacy and personal data protection strategy.
10.1. SPECIFIC DUTIES OF DATA SUBJECTS:
Data subjects are responsible for notifying ACT DIGITAL of any modifications to their personal data in their relationship with the Company, preferably notifying in the following order:
By email addressed to the responsible person in Human Resources at ACT DIGITAL;
By email addressed directly to the DPO of ACT DIGITAL; and
By physical means addressed directly to the DPO of ACT DIGITAL.
10.2. SPECIFIC DUTIES OF ACT DIGITAL EMPLOYEES:
The sharing of personal data of data subjects among the Units of ACT DIGITAL is permitted, provided that its purpose and legal basis are respected, observing the principle of necessity, with personal data processing always associated with authorized activities by ACT DIGITAL.
10.3. DUTIES OF ACT DIGITAL EMPLOYEES, PERSONAL DATA PROCESSING AGENTS, AND THIRD PARTIES:
Do not provide or guarantee access to personal data maintained by ACT DIGITAL to any unauthorized or incompetent individuals according to company standards.
Obtain the necessary authorization for data processing and have the necessary documents demonstrating their competence for lawful data processing operations.
Comply with the rules, recommendations, information security guidelines, and prevention of information security incidents published by the Company (e.g., Information Security Policy, Information Security Incident Response Plan, password management guidelines, among others).
10.4. DUTIES OF ALL RECIPIENTS OF THIS POLICY:
All recipients of this Policy have a duty to contact the DPO of ACT DIGITAL in case of suspicion or actual occurrence of the following actions:
Personal data processing operations performed without a legal basis justifying them;
Processing of personal data without authorization from ACT DIGITAL within the scope of its activities;
Personal data processing operations conducted in non-compliance with the Information Security Policy of ACT DIGITAL;
Unauthorized elimination or destruction by ACT DIGITAL of personal data from digital platforms or physical archives in all facilities of the Company or used by it;
Any other violation of this Policy or any of the data protection principles outlined in item 7 above.
- DUTIES FOR THE APPROPRIATE USE OF PERSONAL DATA:
LGPD establishes that liability in cases of property, moral, individual, or collective damages resulting from violations of personal data protection legislation is joint and several, meaning that all agents involved in personal data processing can be held responsible for any damages caused.
In this regard, the possibility of ACT DIGITAL being held responsible for the actions of third parties implies the need to employ the best efforts to verify, evaluate, and ensure that such third parties comply with applicable data protection laws.
Therefore, all contracts with third parties must contain clauses related to personal data protection, establishing duties and obligations involving the topic, and certifying the third parties’ commitment to applicable personal data protection legislation.
Furthermore, these contracts will be reviewed and submitted for approval by ACT DIGITAL’s DPO and their technical team, in accordance with the current regulatory framework.
All third parties must sign the acceptance term of this Policy, the Information Security Policy, and the Incident Response Plan, submitting the contracted activities within the scope of the relationship with ACT DIGITAL to these regulations as well.
ACT DIGITAL is not responsible for any illegal or unauthorized use of the information, whether by you or someone authorized on your behalf, due to misuse or violation of your access credentials, negligence, or misconduct, as well as for the misuse or undue loss of personal data that it does not have access to or control over.
- COMPLIANCE PROGRAM WITH PERSONAL DATA PROTECTION LAWS:
The LGPD Compliance Program aims to ensure ACT DIGITAL’s commitment to safeguarding the appropriate processing of personal data for legitimate purposes related to its activities and reinforces its commitment to good privacy and data protection practices through the following actions:
Production and dissemination of information, regardless of format, describing the individual responsibilities of the recipients of this Policy regarding privacy and personal data protection.
Providing training, guidance, and advice to ACT DIGITAL employees and third parties, including but not limited to online courses, workshops, internal meetings, regular discussions, lectures, and other initiatives; sharing content provided in digital and in-person formats.
Incorporating concerns and care in the processing of personal data at all stages of its activities, including but not limited to administrative routines, research activities, service provision, academic activities, among others.
Identification and thorough assessment of risks that may compromise ACT DIGITAL’s objectives in the area of privacy and personal data protection; defining, creating, and implementing action plans and policies to mitigate identified risks; and maintaining ongoing assessment of scenarios to evaluate whether implemented measures require new guidelines and approaches.
Upon the LGPD’s entry into force, ACT DIGITAL’s DPO, assisted by their technical team, will have the following responsibilities:
Conducting the LGPD Compliance Program at ACT DIGITAL, ensuring its oversight;
Monitoring compliance with applicable personal data protection laws, in accordance with ACT DIGITAL’s policies;
Guiding recipients of this Policy on ACT DIGITAL’s privacy and personal data protection regime;
Ensuring that rules and guidance regarding data protection are informed/incorporated into ACT DIGITAL’s routines and practices;
Organizing training sessions on personal data protection at ACT DIGITAL;
Providing clarifications, offering information, and presenting reports on personal data processing operations and their impacts to relevant public authorities (e.g., Public Prosecutor’s Office, National Data Protection Authority, etc.);
Responding to requests and complaints from data subjects whose data has been processed by an ACT DIGITAL unit;
Assisting in audits or any other evaluation and monitoring measures involving data protection;
Developing privacy and data protection impact reports, technical opinions, and document reviews concerning data protection.
- INFORMATION SECURITY:
The information security standards and prevention against personal data incidents are contained in ACT DIGITAL’s Information Security Policy and internal regulations and documents related to the topic.
ACT DIGITAL reaffirms its commitment, as outlined in its Information Security Policy, to employ appropriate technical and organizational measures in handling personal data and to make efforts to protect the personal data of data subjects against unauthorized access, loss, destruction, unauthorized sharing, among other scenarios.
Our website and affiliated pages use a cloud server with appropriate security measures aimed at protecting against loss, improper handling, or unauthorized alteration of personal information that we may have collected through the sites.
The instances have a secure connection with SSL certificates that ensure data transmission security through encryption. Access to this information is only allowed to individuals in our company who have a legitimate purpose to use it to provide better products and services to you, ensuring their privacy and confidentiality. However, please be aware that data transmissions over the internet may not be completely secure against unauthorized interceptions.
13.1. WEBSITE:
ACT DIGITAL’s website and its affiliated pages do not collect personal information unless you provide it. You can visit and search for information and services on our pages without having to provide any personal information. However, ACT DIGITAL and affiliated pages may collect some personal information through the following means:
Registration Form: Visitors who wish to obtain more information about services, solutions, or information through means other than the website (such as email or phone) will have to register through the contact page or other related pages. The forms may require some personal information, including but not limited to your name, email address, mailing address, phone number, company name, job/department, and/or interests in services, among other requested information.
Communication: If the visitor or company wants to communicate through the website, email, or phone, ACT DIGITAL will collect all relevant personal information to enhance communication quality.
External Website Links: Our website and its affiliated pages may contain links to other websites; please be aware that we are not responsible for their privacy practices. External links may lead to sites that use “cookies,” and we recommend that you read the privacy policies available on these external sites before providing any personal information.
For website navigation purposes, the following information may be collected:
name; gender; CPF [individual taxpayers’ ID]; email address; mailing address; phone number; date of birth; information about the browser and device operating system; IP address; pages visited; and links and buttons clicked.
13.2 COOKIES:
ACT DIGITAL’s website and affiliated pages use cookies to record user navigation information. A cookie is information that can be sent to your computer through our web server and stored in your browser. This information is very useful for ACT DIGITAL’s website and affiliated pages to offer a better online experience according to the user’s browsing conditions. The user can manage cookies and enable or disable them directly through the browser.
13.3 USER EXPERIENCE:
We may use Google’s user experience analysis tools to improve the navigability, interface, and quality of information on our platforms and applications. These tools provide usage data of the website and apps in a confidential and aggregated manner, without access to users’ confidential information.
- INTERNATIONAL TRANSFER OF PERSONAL DATA:
In cases where ACT DIGITAL is authorized to process personal data without the data subject’s consent, ACT DIGITAL may transfer personal data to other countries provided that, alternatively:
The country is classified as having an adequate level of data protection assigned by the ANPD, or the transfer is authorized by the ANPD;
Until a list of countries with an adequate level is published by the ANPD, the country is classified by the European Commission, through an Adequacy Decision, as a country with an adequate level according to GDPR criteria;
The country has legislation similar to Brazilian law;
The international data processing agent offers ACT DIGITAL at least one of the following safeguards:
Codes of Conduct regularly issued or approved “binding corporate rules” by the European Commission;
Standard Contractual Clauses issued by the ANPD or the European Commission;
Seals and Certificates of compliance or adequacy to personal data protection granted by entities recognized by the ANPD or the European Commission.
Explicit and highlighted consent is obtained from data subjects for international transfer operations of personal data, with prior information about the international nature of the operation and highlighting that the country does not have a recognized adequate level of data protection or that there are no safeguards from the processing agent’s compliance, as the case may be.
In cases where ACT DIGITAL is authorized to process personal data based on consent, ACT DIGITAL may transfer personal data to other countries provided it obtains explicit and highlighted consent from data subjects for international transfer operations of personal data, with prior information about the international nature of the operation.
- TRAINING:
The recipients of this Policy commit to participating in the training, workshops, meetings, and capacity-building proposed by ACT DIGITAL’s DPO to expand the culture of personal data protection in the Company.
ACT DIGITAL’s employees whose roles require regular personal data processing or those responsible for implementing this Policy commit to participating in additional training to help them understand their duties and how to fulfill them.
- MONITORING:
It is reiterated that ACT DIGITAL recognizes its commitment to ensuring proper handling of personal data for legitimate purposes that may be the subject of its activities and reinforces its commitment to good privacy and data protection practices, committing to keep its LGPD Compliance Program updated with standards and recommendations issued by the ANPD or other relevant authorities.
ACT DIGITAL commits to revisiting this Policy periodically and, at its discretion, making modifications that update its provisions to reinforce the Company’s ongoing commitment to privacy and personal data protection, with all changes communicated promptly through the Company’s official channels.
Document: Privacy and Personal Data Protection Policy
Dimension: Normative Structure of Procedures
Type of Normative Instrument: Policy
Subject Category: Control and Compliance
Subject: Compliance System
Identification: PP.001.2024
Contact
**REVIEWED BY**
Name: Israel Aires da Silva
Position: IT Coordinator | DPO
Version: 1.0/2024
**APPROVED BY**
Name: Paulo Victor Couto Quites
Position: Director of Operations
Internal Notice #001/2024 - 05/23/2024