Privacy Policy
- 1. Objective
- 2. Reference documents
- 3. Definitions
- 4. Description
- 4.1. Processing of personal data
- 4.2. Data collected, purpose of collection and legal bases
- 4.3. Retention period for personal data
- 4.4. Data security
- 4.5. Storage servers
- 4.6. Data veracity
- 4.7. Rights of the holder of personal data
- 4.8. Sharing data with third parties
- 4.9. International transfer
- 4.10. Sending e-mail marketing and withdrawing consent
- 4.11. Automated decisions
- 4.12. Data on minors
- 4.13. Sensitive data
- 4.14. Notification of incidents
- 4.15. Applicable law and jurisdiction
- 4.16. Communication
1. Objective
The purpose of this Privacy Policy is to demonstrate Algar Tech’s (companies: Algar TI Consultoria S/A.; Algar Tecnologia e Consultoria S/A) commitment to the protection of privacy and personal data in the processing of such data by the organization in its processes, systems and services, in such a way as to establish the rules regarding the collection, recording, storage, use, sharing, enrichment and elimination of the data collected, in accordance with the legislation in force.
This policy applies to all holders of personal data processed by Algar Tech, which are: Job Applicants, Associates, Customers, Suppliers, Partners and Visitors.
2. Reference documents
- ISO 27001:2013;
- Information Security Policy – Algar Tech;
- Logical Access Control Policy – Algar Tech;
- General Data Protection Law (LGPD) – Law No. 13,709/2018.
3. Definitions
The definitions of the terms Personal Data, Sensitive Personal Data, Treatment, Holder, Controller, Operator, Data Controller are specified in the General Data Protection Law – Law 13.709/2018, made available on the website: http://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm.
4. Description
4.1. Processing of personal data
4.1.1. In the general context of the services performed by Algar Tech, personal data may be processed for the purposes listed below, always respecting and observing the principles set forth in the General Data Protection Law:
- To sell a product or service, collect debts, resolve doubts, indicate technical assistance or various requests from clients, clients of its clients or potential clients of its clients.
- Solve problems related to information security in the Algar Tech environment.
- Accessing information on a team’s employees in order to evaluate the data and manage the team.
- Recruiting and selecting potential associates or even discarding CVs.
- Approve vacation, travel and purchasing requests.
- Obtain various reports.
- Controlling physical access to the Algar Tech environment, as well as monitoring this access via the internal security filming system.
- Record customer service calls made by associates to their clients.
- Updating area indicators.
- Managing SLA indicators.
- Investigating internal investigations.
- Generate performance reports.
- Generate leads.
- Improving and increasing the efficiency of the services provided.
- Analyzing tenders, RFIs, RFQs and RFPs.
- Updating registration data.
- Prospecting new clients.
- Managing judicial, extrajudicial and administrative proceedings.
- Entering into contracts and legal instruments.
- Hiring suppliers and partners.
- Carrying out judicial and extrajudicial summonses.
These purposes are justified by contractual or legal issues or by the legitimate interest of Algar Tech.
4.2. Data collected, purpose of collection and legal bases
The data is collected in the various treatments carried out by Algar Tech in its systems and services, and personal data such as name, CPF, RG, e-mail, address, telephone, user, bank details, data relating to employment contract, automobile data, position/profession, network login, education, photograph, biometrics, among others, can be collected, always with the specific purpose and legitimation according to current legislation.
A detailed table of the types of data processed, their purposes and legitimation can be requested by emailing dataprivacy@algartech.com.
4.3. Retention period for personal data
4.3.1. Storage
4.3.1.1. Personal data will be kept for the period necessary to fulfill the purposes of processing. Therefore, whenever appropriate, unnecessary or excessive or anonymized personal data will be deleted or when expressly requested by the data subject or the National Authority. Information required to comply with legal and regulatory obligations or to exercise rights in administrative, judicial or arbitration proceedings will be preserved.
4.3.1.2. Physical storage of personal data
The physical storage of personal data informed in this item 4.3 and its sub-items, will also respect the deadlines informed therein for proper disposal.
4.3.2. Deletion of data
4.3.2.1. Data may be deleted before the deadlines set out above, if requested by the data subject. However, it may happen that the data needs to be kept for a longer period, under the terms of article 16 of the General Data Protection Law, in order to comply with a legal or regulatory obligation, fulfill a contract, transfer it to a third party (respecting the data processing requirements set out in the same law). At the end of the period and the legal need, they will be deleted using secure disposal methods or used in an anonymized form for statistical purposes.
4.4. Data security
4.4.1. Algar Tech undertakes to use its best efforts to protect information, especially personal data, applying and adopting the necessary administrative and technical protection measures and establishing good governance practices through the resources available at the time, demanding from its suppliers and customers the same acceptable level of Information Security, based on best market practices, based on contractual clauses.
4.5. Storage servers
4.5.1. The data collected will be stored on Algar Tech’s own servers located in Brazil, as well as in an environment of use of resources or servers in the cloud (cloud computing), which allows, in the latter case, transfer or processing of data outside Brazil, complying with provisions on international data transfer, according to article 33 of the General Data Protection Law or other applicable rules.
4.6. Data veracity
4.6.1. Algar Tech is not responsible for the accuracy, veracity or lack of veracity of the information provided by the holder of the personal data, or for its outdatedness, since the person who provided it is responsible for providing it accurately and/or updating it.
4.6.2. Algar Tech is not obliged to process or treat any of your data if there is reason to believe that such treatment may impute to it infractions of any applicable legislation, as well as for illegal, illicit or contrary to morality purposes.
4.7. Rights of the holder of personal data
4.7.1. It is the responsibility of those collecting the data to ensure that the Data Subject can exercise their rights over the data collected.
4.7.2. Data subjects have the right to request confirmation that their data is being processed, to request access to their data, the correction of any that is incorrect, incomplete or out of date, to request the anonymization, blocking or deletion of unnecessary or excessive data, to request portability and to demand the deletion of their personal data. You also have the right to request details of who your data has been shared with, to receive information on the consequences of refusing to provide your consent and to withdraw previously granted consent at any time.
4.7.3. 4.7.3 Any request must be made at the express request of the data subject or their legally constituted representative, in which case, in the event of any request or complaint or any possible doubts regarding their respective personal data, the data subject or their representative should contact Algar Tech’s DPO directly, dataprivacy@algartech.com..
4.7.4. In the event of updates to this document that require a new collection of consent, Algar Tech will notify the holder of the personal data by the means of contact provided.
4.7.5. In addition, in any situation, the holder of the personal data has the right to file a complaint with the competent data protection authority.
4.8. Sharing data with third parties
4.8.1. Corporate instruments, powers of attorney and copies of the personal documents of ALGAR TECH’s legal representatives may be shared by e-mail with associates, clients and suppliers as a means of proving the veracity of identification and qualification information.
4.8.2. Physical and scanned copies of documents that will be used to instruct processes, referring to judicial, extrajudicial and administrative summonses and subpoenas may be requested by Algar CSC for the instruction of processes, which may be shared with law firms and outsourced experts.
4.8.3. Personal documents and documents of legal representatives necessary for the preparation of legal instruments, in cases of updating corporate instruments, may be shared with third parties, including those granted to external attorneys, such as lawyers and accountants.
4.8.4. The Legal department uses reports generated by ALGAR CSC to manage the accruals required by ALGAR TECH’s accounting management, so that the personal data contained in the reports in question is shared with ALGAR CSC’s accounting department, which manages ALGAR TECH’s accounting.
4.8.5. Because it works with a client base, the GRC area operates with databases that its clients share. These involve a large number of data subjects and personal data, many of which are processed automatically or enriched by ALGAR TECH’s suppliers.
4.8.6. Documents and personal data of associates with ALGAR TECH clients may be shared when necessary for the execution of the contract or preliminary procedures related to the contract, in the event that the data is shared through portals made available by clients and/or suppliers, the assessment of the Information Security area will be required by means of a ticket registered in the current ticket management tool.
4.8.7. Personal data may be shared with Public Authorities, government entities with legal competence requiring ALGAR TECH to share specific Personal Data, such as an investigation, we will share, unless we understand there is an abuse of power.
4.8.8. Personal data may be shared with partner companies and suppliers for the development of activities and provision of services that are duly contractually supported.
4.9. International transfer
4.9.1. Personal data may be transferred to other countries (international transfer), in projects involving cloud services, to the extent that the servers of the provider that carries out this service, AWS, are located in the United States of America and Europe, which requires the adequacy of the contract with said provider to ensure that Chapter V of the LGPD is complied with.
4.10. Sending e-mail marketing and withdrawing consent
4.10.1. The purpose of the RD Station tool is to automate the actions of the Marketing area after lead generation, managing the sending of marketing emails to the people listed in the mailing list.
4.10.2. Its configuration is shared between ALGAR TECH and the solution provider when the marketing area itself arranges for emails to be sent, as requested by the area. All marketing emails allow the data subject to stop receiving them (“opt out”), although they are only excluded from the active list and do not actually have their data removed from the RD Station database or other mailing lists, unless requested.
4.10.3. The Data Subject, at any time, has the right to withdraw consent to the sending of e-mail marketing previously granted.
4.11. Automated decisions
4.11.1. With regard to Algar Tech’s security solutions, detections may be automated by means of monitoring software deployed internally.
4.11.2. Personal data required to create users in Active Directory is accessed automatically, through the integration of internal solutions.
4.11.3. The purpose of the RD Station tool is to automate the actions of the Marketing area, as per item 4.10.1.
4.12. Data on minors
4.12.1. The member’s employment contract must contain specific provisions for underage dependents, since the consent of parents or legal guardians is required for the processing of personal data of minors.
4.12.2. The same applies when minors visit Algar Tech’s facilities, at which time their legal guardian must sign a data collection consent form authorizing the processing of the minor’s data.
4.13. Sensitive data
4.13.1. Algar Tech may occasionally collect sensitive data relating to racial or ethnic origin, religious conviction, political opinion, trade union membership, data relating to health or life, genetic and biometric data. The processing of this data expressly follows the provisions of current legislation, always taking into account the purpose of the processing, as well as respecting the necessary legal bases. Personal data and other information is anonymized through encryption and restricted access control.
4.13.2. Leads are intended to obtain personal data from employees of a company who have decision-making power or influence over the contracting of a service provided by ALGAR TECH in order to initiate contact.
4.14. Notification of incidents
4.14.1. If Algar TECH verifies or becomes aware of any violation or incident that results in the destruction, loss, alteration, disclosure or unauthorized access during the respective processing of the data that results in potential data to the data subject, this company undertakes to investigate the incident, notify the data subject within a legally specified period and take reasonable measures to mitigate or minimize any damage resulting from this incident and/or violation.
4.14.2. Notifications of incidents will be delivered to the data subject by any means Algar TECH selects, including electronic means, so it is the sole responsibility of the data subject to ensure that Algar TECH has accurate contact information.
4.14.3. The owner of the data, whether an associate, supplier, customer, among others, who becomes aware of any possible improper use/access, incident or violation of their data related to the services and which are related to Algar TECH, must notify Algar TECH immediately.
4.15. Applicable law and jurisdiction
4.15.1. This Privacy Policy shall be governed by and interpreted in accordance with Brazilian law, in the Portuguese language.
4.16. Communication
4.16.1. The Holder of the personal data recognizes that all communication made by e-mail to the addresses informed in their registration, SMS (short message service””), instant communication applications or any other digital and virtual form are also valid as documentary evidence, being effective and sufficient for the disclosure of any matter referring to the services provided by Algar Tech, as well as the conditions of its provision or any other matter addressed therein, except for the provisions expressly provided for in this Policy.
Any questions, requests or requests may be sent to the Data Protection Officer/DPO, Mr. Carlos Eduardo Lopes, via e-mail to dataprivacy@algartech.com.
Algar Tech reserves the right to change the content of this Policy at any time, according to the purpose or need, such as for the adequacy and legal compliance of a provision of law or rule that has equivalent legal force, and it is up to the holder of personal data to verify this with Algar Tech through the website www.algartech.com.br.