Privacy Policy Cardiolaine

1. Initial Considerations

This Company’s Compliance Policy has among its objectives ensuring that activities are conducted in accordance with applicable standards. In this sense, under art. 38, caput, of Law 13,709 of August 14, 2018, the General Law for the Protection of Personal Data (LGPD), the National Data Protection Authority (ANPD) may at any time require the Company to prepare an impact report on the protection of personal data, including sensitive data.

Thus, the need to prepare this document arose.

The Company daily processes [1] personal data relating to an identified or identifiable natural person (art. 5, I, LGPD). There is also sensitive personal data concerning racial or ethnic origin, religious conviction, political opinion, membership of a union or of an organization of a religious, philosophical or political nature, data relating to health or sexual life, and genetic or biometric data, when linked to a natural person (art. 5, II, LGPD).

Considering the foundations [2] of personal data protection (art. 2 and items, LGPD), good faith and the other principles [3] to be observed in personal data processing activities (art. 6 and items, LGPD), the Company has different internal control systems, which vary according to the nature of the personal data, to mitigate the risk of failures in the protection of personal data. However, despite the high degree of maturity of its risk management, it is not possible to guarantee the total elimination of risks that, if materialized, would impact the privacy of the personal data held internally.

This section describes the processes for processing personal data, digital or physical, which may pose risks to civil liberties and fundamental rights, specifying the nature [4], scope [5], context [6] and purpose [7] of the treatment.


DEFINITIONS

1 “processing”: Any operation carried out with personal data, such as those referring to the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction (art. 5, X, LGPD).

2 “foundations”: Art. 2nd The discipline of personal data protection is based on: I – respect for privacy; II – informative self-determination; III – freedom of expression, information, communication and opinion; IV – the inviolability of privacy, honor and image; V – economic and technological development and innovation; VI – free initiative, free competition and consumer protection; and VII – human rights, the free development of personality, dignity and the exercise of citizenship by natural persons.

3 “principles”: Art. 6 Personal data processing activities must observe good faith and the following principles: I – purpose: carrying out the processing for legitimate, specific and explicit purposes informed to the data subject, without the possibility of subsequent processing in a manner incompatible with those purposes; II – adequacy: compatibility of the processing with the purposes informed to the data subject, according to the context of the processing; III – necessity: limitation of the processing to the minimum necessary to achieve its purposes, covering the relevant data, proportional and not excessive in relation to the purposes of the data processing; IV – free access: guarantee to data subjects of facilitated and free consultation on the form and duration of the processing, as well as on the completeness of their personal data; V – data quality: guarantee to data subjects of the accuracy, clarity, relevance and currency of the data, according to the need and for the fulfillment of the purpose of its processing; VI – transparency: guarantee to data subjects of clear, precise and easily accessible information about the performance of the processing and the respective processing agents, subject to commercial and industrial secrecy; VII – security: use of technical and administrative measures able to protect personal data from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, communication or dissemination; VIII – prevention: adoption of measures to prevent the occurrence of damage due to the processing of personal data; IX – non-discrimination: impossibility of processing for unlawful or abusive discriminatory purposes; X – accountability and responsibility: demonstration, by the agent, of the adoption of effective measures capable of proving observance of and compliance with personal data protection rules, including the effectiveness of those measures.

4 “nature”: Represents how the Company intends to treat or processes personal data.

5 “scope”: Refers to the scope of the treatment of

2. Treatment description

The internal Information Security Policy aims to prevent the risks to which information assets are subject from compromising activities and the fulfillment of the business mission.

Information assets comprise the means of storing, transmitting and processing information; the necessary equipment for this; the systems used for this and the places where these means are located.

With regard specifically to personal information, the internal control systems implemented vary according to the type of support (physical or digital), as well as the nature of the information.


2.1. Digital data


2.1.1. Nature of treatment

Technical and administrative measures are adopted to protect personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication or dissemination. Access to databases is controlled through network groups and restricted to certain user profiles.

As an administrative measure, access to systems is granted only on formal request or by email and requires the signing of a responsibility agreement covering the safekeeping of physical or digital documents.

2.1.2. Data processing

There are several ways of processing personal data in the Company, considering the definition of the LGPD:

Collected/Sent:

Data is collected mainly through information systems and by capturing information from other companies, either by regulatory force or by contractual obligations. The data is received, in general, via telephone contact or email.

Retained/Stored:

Data is maintained in the following ways:

– In the corporate database, on dedicated infrastructure, in a restricted area monitored by security cameras;

– Files (e.g. Excel spreadsheets, Word documents).

Used:

Data is used in processes in a variety of ways. One can cite the use of ERP to handle entry of purchase orders from suppliers or sales billing to customers.

Eliminated:

Data can be eliminated through actions in information systems, SQL commands (in the case of the database) and deletion of files. In the case of the database, the administrator performs the deletion on direct request from those responsible for the internal sectors. File deletion is delegated to the collaborators in their respective areas, once the purpose for which the data was used has ended, which also frees up storage space.


2.1.3. Data Source

The forms of data collection in the company are:

  • Customers and suppliers: by telephone or electronically via email.
  • Internal collaborators: by telephone or in person, electronically or on paper.


2.1.4. Data sharing

Data is shared only internally, for strictly essential operational functions related to the standard commercial routine, which covers, in short, purchasing processes, distribution logistics, billing and financial processing; the employees handling the data in their respective operational sectors are aware of the importance of the data involved.


2.1.5. Security measures

The security measures adopted are valid for any type of information, namely:

File transfer:

For the transfer of electronic files internally, the following must be used:

– Shared folders located on the file server;

– Telephone means.

For the transfer of electronic files to/from external recipients, the following can be used:

– Email attachments, if there is no need to guarantee delivery. If the information is sensitive, the attachment must be encrypted, with the file’s password being transmitted by another means, such as a telephone.

Removable media (pendrive, CD, DVD or external HD) can be used to transfer corporate files upon justification and with the consent of the immediate superior, especially when it is impossible to use the technological means described above. In this case, the application of encryption to protect the information is mandatory whenever technologically feasible. The following are not considered suitable means for transferring electronic files: shared folders on workstations (desktops and notebooks), private e-mail and third-party services on the Internet (e.g. Dropbox, Google Drive and OneDrive).

File servers: File servers have storage areas reserved for each sector. The leadership of each sector is responsible for requesting, from the server administrator, permission to grant access to folders and files, observing the principles of need to know and least privilege.
Document printing: Corporate electronic files must not be printed outside the Company’s premises.
Disposal of information: The disposal of corporate information recorded on any media must be done in such a way as to prevent its recovery.
Monitoring: For audit trail purposes, the access, creation and last modification of records are logged.

It is the responsibility of each sector to ensure the correct and efficient use of the storage area reserved for it, periodically verifying that:

– Only files necessary for the unit’s work processes are stored;

– There are no files that infringe copyright or that present other legal risks, such as music, films and books that have not been acquired by the company.


2.1.6. Data flow

The data flow is essentially linear: the pertinent data collected is limited to registration functions needed to comply with the standard commercial routine for the finished product, extending to the purchase, sale, financial and accounting processes.

  • Purchase: Collection of data exclusively necessary for the registration of payment/taxation obligations until the termination of these obligations.
  • Sale: Collection of data exclusively necessary for collection until the end of these obligations.
  • Financial: exclusive use for reference to existing purchase or sale documents/data on an internal basis and execution of relevant routines.
  • Accounting: exclusive use for reference to existing purchase or sales documents/data on an internal basis, for handling relevant obligations.


2.2 Physical data

The Company has complex processes related to the execution of surgical procedures that involve a considerable physical volume (paper). These documents are necessary for its operation and the fulfillment of its mission. However, these documents, which contain sensitive personal data, are transitory: they are destroyed after digitization and stored on an internal server only for the mandatory legal period. All operations relating to physical documents that carry this personal data are carried out exclusively within the Company’s premises.


2.3 Scope of treatment

2.3.1. Data types

The scope represents the extent of data processing. The following sections detail that extent for digital data. Data contained in physical documents, as seen above, receives the same treatment as digital data, since, as previously mentioned, it is digitized as soon as it is processed.

In short, for Individuals or Legal Entities, for customers, suppliers and employees, they include the following mandatory registration information and exclusively for mandatory contractual treatments: CPF/CNPJ number, IE number; identity number, CTPS number and series, full name/company name; date of birth; complete address; telephone; code and description of the nature of the main occupation; code and description of main occupation; enrollment date; salary and bank information.

This data is stored in a central database and operated via ERP, in our own facilities.


2.3.2. Data volume

In its area of operation, the database holds approximately 10,100 records, with 2 to 8 new records received daily.


2.3.3. Frequency of data processing

Sensitive to market behavior (trade).


2.3.4. Data retention

The data is retained for the entire length of the contractual term, until the end of financial and accounting obligations or until the expiration of mandatory legal terms relevant to the area of operation of this Company.


2.3.5. Holders affected by data processing

Any natural or legal person, customer, supplier or collaborator/employee may be affected by data processing at this Company.


2.4 Treatment context

This Company processes personal data for legitimate and specific purposes, in a manner compatible with its corporate purpose and in the interest of all parties, with the aim of exercising the legal competences or fulfilling the legal attributions of its area of operation.

2.4.1. Processing of data involving children and adolescents

Only information identifying the patient, namely the full name, is processed by this Company.


2.5. Purpose of treatment

The purpose of data processing by the Company is related to strict compliance with legal or regulatory obligations.


3. Necessity and proportionality

Data processing is limited to the minimum necessary to achieve the purposes informed to the data subject. Where required, it covers the data that is pertinent, proportional and not excessive in relation to the purposes of the processing. Processing is carried out only when indispensable and for the purpose of fulfilling legal and contractual obligations. To ensure that the operator processes personal data in accordance with the LGPD and respects the criteria established by the company, every collaborator is informed of this obligation and of the regulatory parameters.

4. Risks to the Protection of Personal Data

Given the basic registration characteristics demanded by the Company’s area of operation, no sensitive personal data is processed beyond the legal obligations pertinent to the commercial context.

Among the types of operational risk and depth of data, none is considered to generate an impact on the personal data subject. Even so, they must be categorized for better identification.

4.1. Risk categories

For reference purposes, possible failures are categorized as follows:

  1. Unauthorized access: access to personal data without the prior express, unequivocal and informed consent of the data subject, except where legally permitted.
  2. Unauthorized modification: modification of personal data without the consent of the data subject. Violates the principle of security.
  3. Loss: destruction or misplacement of personal data. Violates the principles of security and prevention.
  4. Appropriation: appropriation or misuse of personal data. Possibility of fraud and intentional data leakage. Violates the principles of security and prevention.
  5. Unauthorized removal: removal of personal data without the data subject’s authorization.
  6. Excessive collection: extraction of more data than is necessary to perform the work, than is provided for by law, or than was authorized by the user. Violates the principle of necessity.
  7. Insufficient information about the purpose of processing: the purpose declared for the use of personal information is unsatisfactory, not specific, or open to differing interpretations.
  8. Processing without the consent of the personal data subject: processing of personal data without the proper prior express, unequivocal and informed permission of the data subject, except where legally permitted.
  9. Sharing or distributing personal data with third parties without the consent of the data subject: sharing of personal data with other private entities without the proper permission of the data subject.
  10. Prolonged retention of personal data without need: keeping the data subject’s personal data beyond what is necessary or what was consented to/authorized. Violates the principle of necessity.
  11. Improper linking or association, direct or indirect, of personal data to a data subject: error in linking the data of the true subject to another person. Violates the principle of data quality.
  12. Processing failure or error: imperfect or mistaken processing of data. E.g.: execution of a database script that updates personal data with wrong information, lack of input data validation, etc. Violates the principle of data quality.

4.2. Risk identification

The following are initial, non-exhaustive examples of risks identified and measured in accordance with the methodology for managing operational risks to personal data protection:

  • intentional leakage of personal data;
  • intentional alteration of personal data;
  • improper permission for access to personal data;
  • theft of confidential information;
  • unauthorized disclosure of personal data contained in documents and files;
  • unauthorized breach of banking secrecy;
  • intrusion to collect personal data.

5. Final considerations

This report has outlined, in general terms, how personal data is collected, processed, used and shared, as well as the measures adopted to address the risks that may affect the civil liberties and fundamental rights of the data subjects. In addition, information was presented that indicates this Company’s current stage of compliance with the LGPD. This Report will be reviewed and updated annually, or whenever any change affecting the processing of personal data is implemented. There is a commitment to continuously assess the risks of personal data processing that arise from the dynamism of changes in the technological, regulatory and political landscapes.

We do not carry out commercial operations online or issue bank charges through the website.