Date Created/Amended: 11/22/2022 | Version 07
OBJECTIVE
This Privacy Policy aims to highlight the commitment of Algar Tech (companies: Algar TI Consultoria S/A.; Algar Tecnologia e Consultoria S/A) to the protection of privacy and personal data when these are processed by the organization in its processes, systems and services, and to establish the rules for the collection, registration, storage, use, sharing, enrichment and deletion of collected data in accordance with current legislation. This policy applies to all holders of personal data treated by Algar Tech, which are: Job Applicants, Employees, Customers, Suppliers, Partners and Visitors.
REFERENCE DOCUMENTS
- ISO 27001:2013;
- Information Security Policy – Algar Tech;
- Logical Access Control Policy – Algar Tech;
- General Data Protection Law – (LGPD) – Law No. 13.709/2018.
DEFINITIONS
The definitions of the terms Personal Data, Sensitive Personal Data, Treatment, Holder, Controller, Operator, Data Controller are specified in the General Data Protection Act – Law 13.709/2018, made available at: http://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm
DESCRIPTION
1.1. PROCESSING OF PERSONAL DATA
1.1.1 In the general context of the services performed by Algar Tech, personal data may be processed for the purposes listed below, always respecting and observing the principles set forth in the General Law of Data Protection:
- Sell a product or service, collect debts, answer questions, indicate technical assistance or handle various requests from clients, clients of your clients or potential clients of your clients;
- Solve problems related to information security in the environment of Algar Tech;
- Access information of employees of a team, in order to evaluate the data and manage it;
- Recruit and screen prospective employees or even to discard resumes;
- Approve vacation, travel and purchasing requests;
- Obtain miscellaneous reports;
- Control the physical access to the environment of Algar Tech, as well as monitor these accesses via internal system of security footage;
- Record recordings of services provided by members to their customers;
- Create users within the Algar Tech network environment;
- Update area indicators;
- Manage SLAs indicators;
- Clear internal investigations;
- Generate performance reports;
- Generate Leads;
- Improve and increase the efficiency of the Services provided;
- Review bids, RFI, RFQ and RFPs;
- Update master data;
- Prospect new customers;
- Manage Judicial, Extrajudicial and Administrative Proceedings;
- Enter into contracts and legal instruments;
- Hire suppliers and Partners;
- Perform judicial and extrajudicial citations and subpoenas.
Such purposes are justified by contractual, legal or legitimate interest of Algar Tech.
1.2. DATA COLLECTED, PURPOSE OF COLLECTION AND LEGAL BASIS
The data is collected in the various treatments performed by Algar Tech in its systems and services, and may include personal data such as name, CPF, ID number, e-mail, address, telephone, user, banking data, data related to employment contract, automobile data, position/profession, network login, education, photograph, biometrics, among others, always with a specific purpose and legitimization according to the current legislation.
The detailed table on the types of data processed, their purposes and legitimations can be requested via e-mail: dataprivacy@algartech.com
1.3. PERIOD OF RETENTION OF PERSONAL DATA
1.3.1. STORAGE
4.3.1.1 Personal data will be kept for the period necessary to fulfil the purposes of the processing. Thus, whenever appropriate, or when expressly requested by the data subject or the National Authority, unnecessary or excessive personal data will be deleted or anonymized. Information required for compliance with legal and regulatory obligations or for the exercise of rights in administrative, judicial or arbitration proceedings will be preserved.
1.3.1.2 Physical storage of personal data
The physical storage of personal data reported in this item 4.3 and its sub-items also respects the deadlines informed therein for proper disposal.
1.3.2 Exclusion of Data
4.3.2.1 Data may be deleted before the time limits established above, if requested by the data subject. However, it may occur that the data needs to be kept for a longer period, in accordance with article 16 of the General Data Protection Law, in order to comply with a legal or regulatory obligation, to fulfil a contract, or to transfer the data to a third party (in compliance with the data processing requirements set out in the same law). Upon expiry of the period and the legal requirement, they will be deleted using secure disposal methods or used in an anonymized form for statistical purposes.
1.4. DATA SECURITY
4.4.1 – Algar Tech commits to expend its best efforts for information protection, especially personal data, applying and adopting the necessary administrative and technical protection measures and establishing good governance practices through the resources available at the time, requiring from its suppliers and clients the same acceptable level of Information Security, based on best market practices, from contractual clauses.
1.5. STORAGE SERVERS
4.5.1 – The collected data will be stored in Algar Tech’s own servers located in Brazil, as well as in an environment of resource use or cloud servers (cloud computing), which allows, in the latter case, the transfer or processing of data outside Brazil, complying with provisions on international data transfer, according to article 33 of the General Law of Data Protection or other applicable rules.
1.6. ACCURACY OF DATA
4.6.1 Algar Tech is not responsible for the accuracy, veracity or lack of accuracy of the information provided by the owner of the personal data, or for outdated information or documents forwarded, since the person who provided them is the one responsible for their accuracy and/or for updating them. Algar Tech is not obliged to process or treat any of your data if there are reasons to believe that such treatment may impute to it violations of any applicable legislation, or if it serves purposes that are illegal, illicit or contrary to morality.
1.7. RIGHTS OF THE DATA SUBJECT
1.7.1 It is the responsibility of those collecting the data to ensure that the Data Subject can exercise their rights over the data collected.
1.7.2 The data subject has the right to request confirmation that his or her data is being processed, to request access to his or her data, the correction of any which is inaccurate, incomplete or out of date, to request the anonymization, blocking or deletion of unnecessary or excessive data, to request portability and to request the deletion of his or her personal data. The data subject also has the right to request details of who his or her data has been shared with, to receive information about the consequences of refusing to provide consent and to withdraw previously given consent at any time.
1.7.3. The data subject may express opposition and/or revoke consent as to the use of his or her Personal Data.
1.7.4 Every request should be made upon express request of the holder or his/her legally constituted representative. In such cases, should there be any request, complaint or doubt about his/her respective personal data, the holder or his/her representative should contact Algar Tech’s DPO directly: https://algartech.com/pt/politica-de-privacidade/.
1.7.5. If updates to this document require new consent collection, Algar Tech will notify the holder of the personal data through the contact means provided.
1.7.6 Moreover, in any situation, the holder of the personal data has the right to lodge a complaint with the competent data protection authority.
1.8. SHARING DATA WITH THIRD PARTIES
1.8.1. The corporate instruments, powers of attorney and copies of personal documents of the legal representatives of ALGAR TECH may be shared by email with employees, customers and suppliers, as a way to prove the veracity of the identification and qualification information.
1.8.2 Physical and scanned copies of documents regarding summonses and judicial, extrajudicial and administrative notifications may be requested by Algar CSC for the instruction of processes, and may be shared with law firms and outsourced experts.
1.8.3. Personal documents and documents of the legal representatives necessary for the preparation of legal instruments may be shared, in cases of updating of corporate instruments, before third parties, including those granted to external proxies, such as lawyers and accountants.
1.8.4 The Legal area uses reports generated by ALGAR CSC to manage the accruals required by ALGAR TECH’s accounting management, so the personal data contained in these reports are shared with ALGAR CSC’s accounting, which performs the accounting management of ALGAR TECH.
1.8.5 Because it works with a base of its customers, the GRC area operates with databases that its customers share. They involve a large amount of data holders and personal data, much of which is processed in an automated manner or enriched by ALGAR TECH suppliers.
1.8.6 Documents and personal data of employees may be shared with customers of ALGAR TECH when necessary for the implementation of the contract or preliminary procedures related to the contract. If the data are shared through portals provided by customers and/or suppliers, this will require evaluation by the Information Security area through a call recorded in the call management tool in force.
1.8.7. Personal data may be shared with Public Authorities and government entities with legal powers requiring ALGAR TECH to share specific Personal Data, such as in an investigation; we will share it, except if we understand there is abuse of power.
1.8.8 Personal data may be shared with partner companies and suppliers for the development of activities and provision of services that are duly contractually supported.
1.9. INTERNATIONAL TRANSFER
1.9.1 – Personal data may be transferred to other countries (international transfer), in projects involving cloud services, to the extent that the servers of the supplier that performs this service, AWS, are located in the United States of America and Europe, which requires the adaptation of the contract with said supplier to ensure compliance with Chapter V of LGPD.
4.10. SENDING EMAIL MARKETING AND REMOVING CONSENT
1.10.1 – The RD Station tool is intended to automate the actions of the Marketing area, after generating leads, managing the sending of marketing emails to people listed in the mailing.
1.10.2 – Your configuration is shared between ALGAR TECH and the Outmarketing supplier when the marketing area itself provides the triggering of e-mails, as requested by the area. All marketing e-mails allow the owner of the data to stop receiving them (“opt-out”), although he is only excluded from the list of assets and does not have his data, in fact, discarded from the database of RD Station or other mailing lists, except when requested.
1.10.3 – The Card Holder, at any time, has the right to withdraw the consent as to the sending of e-mail marketing previously granted.
1.11. AUTOMATED DECISIONS
1.11.1 – Regarding Security solutions at Algar Tech, detections can be automated, through monitoring software, such as Qradar or Sentinella tool.
1.11.2 – Personal data required for user creation in Active Directory is entered into an Excel Spreadsheet, so that the industry associate automates user and password creation.
1.11.3 – The RD Station tool is intended to automate the actions of the Marketing area, according to item 4.10.1
1.11.4 – The GRC operational area may request, by email or by opening a call through the CA Service Desk tool, the implementation of a tool for automated activities (“bot”), describing the business rules and purpose, which are, selling products and services, answering calls, debt collection. The developed and approved tool is tested before going into production, using a mass of internal tests, with real personal data (production base), which is sent by e-mail in Excel Spreadsheet format by the area that requested the bot, without being anonymized or pseudonymized (masked), so that the personal data involved in the tests can be the most varied, according to the purpose of the bot. Reports are generated describing the functionalities tested and any successes or errors found, including the CPFs of data owners used in that test.
1.12. DATA CONCERNING MINORS
1.12.1 – The member’s employment contract should contain specific provisions for underage dependents, since parental or legal guardian consent is required for processing the personal data of minors.
1.12.2 – The same occurs with the visitation of minors to Algar Tech’s facilities, when their legal guardian must sign a consent form for data collection authorizing the treatment of the minor’s data.
1.13. SENSITIVE DATA
1.13.1 – Eventually, Algar TECH may collect sensitive data regarding racial or ethnic origin, religious belief, political opinion, union membership, and data concerning health or life, genetic and biometric data. The treatment of these data follows expressly the provisions in the current legislation, always meeting the purpose of treatment, as well as respecting the necessary legal bases. Personal data and other information are anonymized through encryption and restricted access control.
1.13.2 – Leads is intended to obtain personal data of employees of a company that have decision-making power or influence on the hiring of a service provided by ALGAR TECH to initiate a contact. In some cases sensitive personal data such as religious beliefs, biometric or health data and personal data of children may be collected by social networks, and if they have been made available by the data subject, because they are considered sensitive or depend on specific consent, it is recommended to avoid such practice and remedy the past collections, by obtaining specific and appropriate consent or disposal of such personal data.
1.14. NOTIFICATION OF INCIDENTS
1.14.1 – In case Algar TECH verifies or becomes aware of any violation or incident that results in the destruction, loss, alteration, disclosure or unauthorized access during the respective treatment of data that results in potential data to the holder, this company undertakes to investigate the incident, notify the owner of the data within a legally specified period and take reasonable measures to mitigate or minimize any damage resulting from this incident and / or violation.
1.14.2 – The notifications of incidents will be delivered to the holder by any means that Algar TECH selects, including electronic means, so it is the sole responsibility of the holder to ensure that Algar TECH has the exact contact information.
1.14.3 – The owner of the data, whether an employee, supplier, customer, among others, who becomes aware of any possible use / misuse, incident or violation of their data related to the services and that have a relationship with Algar TECH should notify that company immediately.
1.15. APPLICABLE LAW AND JURISDICTION
1.15.1 – This Privacy Policy will be governed and interpreted according to the Brazilian legislation, in the Portuguese language.
1.16. COMMUNICATION
1.16.1 – The Holder of the personal data acknowledges that all communications made by e-mail to the addresses informed in his/her registration, SMS (“short message service”), instant communication applications or any other digital and virtual form are also valid as documentary evidence, being effective and sufficient for the disclosure of any matter referring to the services provided by Algar Tech, as well as the conditions of its provision or any other matter addressed therein, except for the provisions expressly provided in this Policy.
Any questions, requirements or requests may be directed to the Data Protection Officer/DPO, Mr. Carlos Eduardo Lopes, through the e-mail: dataprivacy@algartech.com.
Algar Tech reserves the right to change the contents of this Policy at any time, according to the purpose or need, such as for adequacy and legal compliance with a law or standard provision that has equivalent legal force. The owner of the personal data is responsible for verifying it with Algar Tech through the site www.algartech.com.br.