DATA PROTECTION AND PRIVACY POLICY
Purpose
This policy describes how personal data should be treated and controlled to meet the company's data protection standards and comply with the law.
Objective
DOXA ADVISERS, hereinafter referred to as the company, needs to process certain information about natural persons. This includes consultants, suppliers, business contacts, employees and any other natural persons with whom the organization has a relationship or holds personal information.
This data protection policy ensures that the company:
Complies with data protection laws and follows good practices and codes of conduct
Protects the rights of all living persons whose data it controls and processes
Is open about how the organization controls and processes the data of a living natural person
Protects itself from the risks of data breaches and information leaks
Protects its proprietary information.
The main goal is to guarantee the privacy of people's personal data and allow greater control over it. In addition, the Law creates clear rules on the processes of collecting, storing and sharing this information, helping to promote technological development in society and the defense of the rights of data subjects and consumers in general.
The Data Protection Act
The General Data Protection Law – LGPD No. 13,709 of August 14, 2018 – was created and implemented to meet an urgent need for data protection, with a view to more objectively penalizing the improper use of personal data by companies.
The regulation gives more prominence to the data owner and makes clear and objective the need for explicit consent from the owner of the information, giving them control over the use, processing, modification, portability and elimination of this data in a practical and unbureaucratic way.
This will prevent companies from using tactics such as making data usage terms available in an obscure manner, without making it clear to the user what will be done and the objectives of collecting the information.
The LGPD describes how organizations, including companies, must collect, process and store personal information.
LGPD Principles
The LGPD, in its Article 6, requires that personal data be processed lawfully and transparently. In addition to informing citizens and guaranteeing compliance with the Law and the correct processing of their personal data, it establishes 10 principles:
1. PURPOSE
The LGPD requires that there be a specific purpose for the processing of personal data. The company cannot simply collect personal data for indefinite purposes. In addition, the company must inform the data subject, clearly and objectively, why it is collecting their data and how it is using it, and it cannot change the stated reason after informing them.
2. ADEQUACY
The company must only collect data that is compatible with the context and purpose informed to the data subject. For example, if the data is collected to enroll someone in a course, the company must guarantee the data subject that the data will only be used for the purpose of formal enrollment in the course and compliance with the specific legislation that applies.
3. NECESSITY
Personal data must be of an appropriate volume, suitable for the purpose, and cannot exceed the amount necessary to carry out the processing. In other words, in addition to ensuring that the data is adequate, the controller (that is, the company) must obtain only the minimum amount of personal data necessary to carry out the purposes informed to the data subject.
4. FREE ACCESS
The company must offer free and open access so that the data subject can consult their data, how they are being processed, and the time during which they will be processed.
5. DATA QUALITY
The data subject can check whether their data is accurate, clear, relevant and updated according to the need and compliance with the purpose of the processing. The company must ensure that the personal data is accurate and up to date, taking into account the purposes for which they are processed, and correct them if necessary.
6. TRANSPARENCY
The company must provide the data subject with clear, accurate and easily accessible information about how the processing is carried out and who the agents responsible for the processing are. Commercial and industrial secrets are not required to be presented in this case.
7. SECURITY
The company must provide adequate technical and administrative guarantees to ensure the security of personal data, including protection against unauthorized or unlawful processing, loss, destruction or accidental damage, by adopting appropriate technologies.
8. PREVENTION
In addition to security, it is essential that the company presents the measures adopted to prevent the occurrence of damage due to the processing of personal data.
9. NON-DISCRIMINATION
The collection of personal data cannot be used for discriminatory, unlawful or abusive purposes.
10. RESPONSIBILITY AND ACCOUNTABILITY
The agent must demonstrate, when requested, the adoption of effective measures capable of proving compliance with and observance of personal data protection rules, including the effectiveness of these measures.
Individual Rights
The LGPD is dedicated, in Chapter III, to the rights of personal data holders. However, before delving into its specific examination, it is important to highlight that, in the previous chapters, the LGPD has already addressed several of these rights.
For the sake of systematization, the list of rights of holders that had already been provided for in the first articles of the law is initially presented:
It is important to highlight that several of the rights of personal data holders arise directly from the principles that the LGPD contemplates in its art. 6, such as the following:
Finally, it is important to highlight that, starting with art. 7, the LGPD already begins to address several issues involving the rights of data subjects:
In this document we are addressing the following rights for individuals:
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights in relation to profiling and automated decision-making.
Scope
This policy applies to:
The company headquarters
All branches of the company
The entire team and all employees of the company
All contractors, suppliers and other people working on behalf of the company
It applies to all data that the company holds in relation to individuals who can be identified, even if that information is technically outside the scope of the LGPD. This may include, but is not limited to:
Any other information that can be used to infer an individual's identity
Genetic and biometric information
Information about physical or mental health
Information about political, religious or philosophical beliefs
Company proprietary information
Any proprietary information belonging to third parties that the Company is contractually obligated to protect.
Data Protection Risks
This policy helps protect the company from some data security risks, including:
Breaches of confidentiality. For example, information being distributed to people who should not receive it.
Failure to offer choice. For example, all individuals should have the freedom to choose how the company uses the data related to them.
Damage to reputation. For example, the company could suffer if hackers gain access to confidential data.
Damage to business operations caused by disclosure of proprietary information.
Legal actions arising from incidents of breach of personal data confidentiality, as exemplified above.
Responsibilities
Everyone working for or with the company has some responsibility for ensuring that data is controlled and treated accordingly.
Any group that handles sensitive data must ensure that it is treated in accordance with this policy, good data protection practices or any applicable regulations or standards.
Roles
The law details the roles of four different agents: the data subject, the controller, the operator and the person in charge.
- The controller: is the company or natural person that collects personal data and makes all decisions regarding the form and purpose of the data processing. The controller is responsible for how the data is collected, what it is being used for and how long it will be stored.
- The operator: is the company or natural person that processes personal data under the orders of the controller.
- The person in charge (DPO - Data Protection Officer): is the natural person appointed by the controller who acts as a communication channel between the parties (controller, data subjects and the national authority), in addition to guiding the controller's employees on data processing practices. The DPO is responsible for overseeing the strategy and implementation of data protection to ensure compliance with the requirements not only of the LGPD, but also of other international standards to which the company may be subject when it assumes the role of controller or operator; for receiving, processing and resolving complaints and communications from data subjects and the national authority; and for guiding employees and third parties on best practices in the processing of personal data. In other words, his/her role is to educate on compliance requirements, train all those involved, conduct regular security audits, maintain comprehensive records of all activities and act as an interface between the organization, data subjects and the National Data Protection Agency (ANPD). The standard does not include a list of credentials for the DPO, but it is strongly recommended that it be a professional, or a company, that has specialized knowledge of data protection laws and practices, that is aligned with the organization's operations, infrastructure and information technology systems and, most importantly, that is aware of the risks involved in this particular case, considering the specificities of the business and the company. Ideally, the DPO should have management skills and the ability to interact with internal staff, third parties, data subjects and government agencies. The DPO’s identity information and contact details must be publicly available and disclosed in a clear and objective manner.
Senior management is responsible for ensuring that the company complies with its legal obligations.
The information security function is responsible for:
- Keeping the board up to date on data protection responsibilities, risks and issues.
- Reviewing all data protection procedures and related policies in accordance with an agreed timetable.
- Organising data protection training and advice for those covered by this policy.
- Answering data protection questions from staff and any other person covered by this policy.
- Dealing with requests from individuals to see the data the company holds about them, known as data subject access requests.
- Reviewing and approving any contracts or agreements with third parties that may handle the company’s confidential data.
The IT department is responsible for:
- Ensuring that all systems, services and equipment used to store data meet acceptable security standards.
- Performing regular debugging and checks to ensure that security hardware and software are working properly.
- Evaluating the security of any third-party services that the company is considering using to store or process data. For example, cloud computing services.
The marketing department is responsible for:
- Approving all data protection statements attached to communications, such as emails and letters.
- Addressing any data protection questions raised by journalists or media outlets such as newspapers.
- Working with other team members, where necessary, to ensure that marketing initiatives comply with data protection principles.
General Team Responsibilities:
- The only people who can access the data covered by this policy should be those who absolutely need it to perform their job.
- Data should not be shared informally. When access to confidential information is necessary, employees can request it from their line managers.
- The company will train all employees to help them understand their responsibilities when handling data, in accordance with the Training Policy.
- Employees must ensure the security of all data, following the guidelines of the information security policies and company procedures.
- Passwords must be managed as stipulated in the Password Policy.
- Personal data must never be disclosed to unauthorized persons, whether inside or outside the company.
- If an employee suspects a security breach or incident, they must report it to the information security department.
- Data should be reviewed regularly and updated if out of date. If it is no longer required, it should be deleted and disposed of as set out in the Disposal Procedure.
- Employees should seek advice from their line manager, information security department, or Data Protection Officer if they are unsure about any aspect of data protection.
- Be aware of and use all applicable policies.
Training
All staff will be trained on this policy, its supporting policies and company procedures. When a new person joins the team, they will be trained as part of the induction process. Additional training will be provided periodically or whenever there is a significant change in the Law or policies and procedures.
Records of these trainings will be maintained as part of the Training Policy and stored in the training records.
The Principles of Data Protection
Fair, legal and transparent conditions for processing:
The company will ensure that any processing of personal data has a documented legal basis. All parties responsible for processing personal data will be made aware of the conditions for processing. The conditions for processing will be made available to data subjects in the form of a privacy notice or a notice of legitimate processing.
Privacy Notices
To ensure legitimate, lawful and transparent processing, privacy notices and legitimate processing notices must be issued to data subjects so that they are aware of how the company intends to use and protect their data.
These notices must:
Declare the purposes of data processing.
State what information will be kept
Indicate the legal basis for data processing and state the period of time for which the data will be retained
Declare the measures taken to protect all data
Indicate the third parties that can access this data
Provide the contact details of the Data Protection Officer (DPO)
Provide contact details of the third party Data Protection Officer (DPO)
Inform data subjects about their rights
Accuracy
When collecting or processing data, the company must follow the Data Quality Assurance Procedure to ensure that any personal data processed is correct and up to date.
Data subjects have a responsibility to take reasonable steps to ensure that the personal data the company holds about them is accurate and kept up to date as necessary.
For example, if their personal circumstances change, they must inform the company so that their records can be updated.
Adequacy and Relevance
The company must ensure that all personal data collected is used only for the purpose for which it was obtained. Personal data obtained for one purpose must not be used for any unrelated purpose unless the individual concerned has given consent or there is a legal obligation to do so.
Data Retention
The Company will not retain personal data for longer than necessary. What is necessary will depend on the circumstances of each case, taking into account the reasons for which the personal data was obtained, but should be determined in a manner consistent with the Company’s data retention guidelines. The Company’s Information Asset Register log contains information on the retention period for each asset. This retention does not affect the data subject’s right to erasure. Assets must be disposed of in accordance with the Disposal Procedure.
Data Security
The company must keep confidential data safe from loss, misuse or unauthorized disclosure. Where other organizations process personal data as a service on the company's behalf, there must be contractual provisions to provide the same level of data protection as the company. To provide a consistent level of information protection across the company, the Information Security Policy must be implemented and enforced through the use of supporting policies and procedures, training and appropriate technologies.
Privacy by Design and Default
The company is required to adopt data protection measures from the creation of any new technology or product, right from its conception. The DPO will be responsible for conducting privacy impact assessments and ensuring that all IT projects already include a privacy plan. When relevant, and when there is no negative impact on the data subject, privacy settings will be set by default to the most private.
Data Protection Impact Assessment
(DPIA – Data Protection Impact Assessment)
Where the processing of personal information may result in a risk to the rights and freedoms of data subjects, a data protection impact assessment must be carried out and the findings must be implemented and incorporated into the design. Records of all DPIAs must be stored and the assessment must be carried out in accordance with the Data Protection Impact Assessment Procedure.
Data Storage
All company-controlled data must be stored securely. Where data is stored on paper, it must be stored in a secure location away from unauthorized access. Paper data must be shredded when no longer required, in accordance with the Disposal Procedure standards. Data stored on a computer must be protected as outlined in the Information Security Policy. Data stored on CDs or memory cards must comply with the Removable Media Policy guidelines. Data must be backed up regularly in accordance with the company's Continuity and Disaster Recovery Plans. All servers containing sensitive data must be approved and protected by strong security software and firewalls.
International Data Transfer
International data transfer is only permitted in the cases provided for in the LGPD, which include transfer to countries with an adequate level of protection (to be defined by the ANPD) or through the use of standard contractual clauses, global corporate standards, seals and certificates, and codes of conduct approved by the ANPD, among other cases.
Data Subject Rights
Article 17 of the LGPD provides that “Every natural person is assured ownership of their personal data and is guaranteed the fundamental rights of freedom, intimacy and privacy, under the terms of this Law.”
Next, art. 18 states that “The holder of personal data has the right to obtain from the controller, in relation to the data of the holder processed by him, at any time and upon request:
I – confirmation of the existence of processing;
II – access to data;
III – correction of incomplete, inaccurate or outdated data;
IV – anonymization, blocking or deletion of unnecessary, excessive data or data processed in non-compliance with the provisions of this Law;
V – portability of data to another service or product provider, upon express request and in compliance with commercial and industrial secrets, in accordance with the regulations of the controlling body;
VI – deletion of personal data processed with the consent of the holder, except in the cases provided for in art. 16 of this Law;
VII – information on public and private entities with which the controller shared data;
VIII – information on the possibility of not providing consent and on the consequences of refusal;
IX – revocation of consent, pursuant to § 5 of art. 8 of this Law.”
The company must respect the rights of the data subject established in the LGPD. Any request from an individual must be handled by the DPO and a response issued within 15 days. In justified cases, this period may be extended.
Consent
The LGPD imposes specific requirements for consent, which must consist of a prior, free, informed and unequivocal manifestation, for a specific purpose, and may be revoked at any time.
Where a company uses consent as the legal basis for processing data, there must be a record of the data subject’s active consent. Consent must be obtained in the manner described in the Consent Management Procedure. The data subject has the right to withdraw that consent at any time. This right does not affect any of the other rights.
Where sensitive personal data is processed, the explicit consent of the data subject to this processing will be required, unless exceptional circumstances apply or there is a legal obligation to do so (e.g. to comply with legal obligations to ensure health and safety at work). Any such consent will need to clearly identify what the relevant data is, why it is being processed and to whom it will be disclosed.
If the data subject is under 16 years of age, the company must obtain authorization from the individual's legal guardian.
The right to be informed
Under the LGPD, data subjects have the right to be informed about how their data is processed. To comply with this right, the company provides the necessary information in its legitimate processing notice.
The right of access
With regard to the LGPD, the right of access to data is complemented by Art. 19, according to which “Confirmation of existence or access to personal data will be provided, upon request by the holder:
I – in simplified format, immediately; or
II – by means of a clear and complete declaration, indicating the origin of the data, the non-existence of registration, the criteria used and the purpose of the processing, taking into account commercial and industrial secrets, provided within a period of up to 15 (fifteen) days, counting from the date of the holder’s request.”
§ 1 of Art. 19 further reinforces that “Personal data will be stored in a format that favors the exercise of the right of access”, with § 2 determining that “Information and data may be provided, at the discretion of the holder:
I – by electronic means, secure and suitable for this purpose; or
II – in printed form.”
Through the provisions cited above, the LGPD's intention to facilitate access to data in all forms is clear.
These requests must be passed on to the DPO for processing.
When dealing with such requests, a response must be sent to the data subject within 15 days. Requests must be logged and monitored and the Data Subject Access Request Procedure process must be followed.
The right to data portability
The LGPD provides, in its art. 18, V, the right to “portability of data to another service or product provider, upon express request and observing commercial and industrial secrets, in accordance with the regulations of the controlling body”.
This is, therefore, a right that has as one of its main objectives the empowerment and reinforcement of the data subject's informational self-determination. In effect, portability seeks to enable the data subject to effectively control his/her data for a variety of purposes, enabling it to be managed and reused, including with the aim of facilitating the data subject's migration to competing services. This prevents consumers from being tied to a particular provider (lock-in effect) due to difficulties or even high switching costs that would result from the “loss” of data.
Hence the idea that the right to portability, to achieve such purposes, must be easy, free and guaranteed in a way that allows the usability of data efficiently and securely.
Therefore, the data subject should have the right to receive a copy of their data in a structured format upon request. Such requests should be fulfilled within one month, provided that there is no undue burden and the privacy of others is not compromised. A data subject may also request that their data be transferred directly to another system. This should be done free of charge.
Under the LGPD, the data subject may request that their personal data be transferred from one data controller to another.
These requests must be passed on to the DPO for processing.
With regard to these requests, a response must be sent to the data subject within one month. Requests must be recorded and monitored and the process described in the Data Portability Procedure must be followed.
The right to rectification
Given the growing importance of data in people's lives, it is essential to establish a type of legal process in relation to data, enabling data subjects to correct errors, inaccuracies or outdated information that may cause them harm. Under the terms of the LGPD, data subjects may request that stored personal information be corrected.
Under the terms of § 6 of Art. 18 of the LGPD, the CONTROLLER (DPO) must immediately inform the processing agents with whom he/she has shared data of the correction, thereby ensuring the full effectiveness of the aforementioned right.
With regard to these requests, a response must be sent to the data subject within 15 days. Requests must be recorded and monitored and the process described in the Data Subject’s Rectification Request Procedure must be followed.
The right to erasure
Under the LGPD, the data subject may request that stored personal information be erased or deleted, and any third party that processes or uses that data must also comply with the request. An erasure request may only be refused in exceptional cases.
These requests must be passed on to the Data Protection Officer (DPO) for processing. With regard to these requests, a response must be sent to the data subject within one month. Requests must be recorded and monitored and the process described in the Data Subject Erasure Request Procedure must be followed.
The right to restrict processing
Under the LGPD, data subjects may request a restriction on the processing of their personal data in cases where the subject of such data does not wish their data to be erased, but does not want the data to be processed.
These requests must be passed on to the DPO for processing. A response to these requests must be sent to the data subject within 15 days. Requests must be recorded and monitored and the process outlined in the Restriction of Processing Procedure must be followed.
The right to object
Under the LGPD, data subjects may object to processing if they suspect that their data is being processed unlawfully. Following an objection, the data controller is required to investigate the claim and communicate the results to the data subject.
These requests must be passed on to the Data Protection Officer (DPO) for processing. When handling these requests, a response must be sent to the data subject within one month. Requests must be recorded and monitored and the process outlined in the Data Subject Objection Request Procedure must be followed.
Rights in relation to profiling and automated decision-making
Under the LGPD, data subjects have the right to be informed if they are subject to automated decisions and of the possible consequences that such automated decisions may have on them. To comply with this right, the necessary information must be provided in the company's lawful processing notice, and the collection and documentation of consent must be carried out as described in the Collection Consent Procedure.
Compliance Monitoring
Everyone must observe this policy. The DPO has full responsibility for this policy. There must be ongoing monitoring to ensure that this policy is being adhered to.
Data Auditing and Recording
Data audits will be carried out regularly to manage and mitigate risk and provide a data registry. This will contain information about what data is stored, where it is stored, how it is used, who is responsible for it and any other retention rules or schedules that may be relevant.
Reporting violations
All team members have an obligation to report existing or potential data protection non-compliances. This enables us to:
Investigate the failure and take corrective action if necessary
Keep a record of compliance failures
Notify the Supervisory Authority [SA] of any compliance failures that are material in their own right or as part of a pattern of failures.
Consequences of non-compliance
When an employee has violated company policies or procedures, the following actions may be taken:
Written Warning - An official warning that any further violations will lead to further action.
Removal of privileges - The employee may be prohibited from performing certain actions, accessing certain systems or using certain devices.
Corrective action - Instruct the employee to act so that no further infraction occurs, for example, through training.
Termination of employment relationship - The employee may have his/her relationship with the company terminated.
Civil action – The employee may suffer legal sanctions and have to pay compensation in accordance with the law.
Criminal action - The company will pass details of the offence to the authorities with a view to pressing charges.
Third Party Contractors
In cases where a contracted third party has breached contractual obligations relating to data protection, the following actions may be taken:
Written Warning - An official warning that any further violations will lead to further action.
Removal of privileges - The contracted third party will be prohibited from performing certain actions, accessing certain systems or using certain devices.
Corrective action - Instruct the contracted third party to act so that no further infringement occurs, for example, through training.
Security Audit - An audit of the third party's contracted systems to ensure they still meet their obligations.
Termination of contract - The third party contractor must no longer be hired to work for the company.
Civil action - A legal claim for damages can be made against the contracted third party.
Criminal action - The company will pass the details of the violation to the authorities with the intention of filing a complaint.