Privacy and Data Protection Policy

INTRODUCTION

The purpose of this Privacy and Personal Data Protection Policy (“Policy”) is to provide guidance on how to manage the various personal data processing activities and operations carried out at ISOQualitas Engenharia de Sistemas Ltda. This document is part of ISOQualitas’ compliance program with the General Law on the Protection of Personal Data (according to applicable national law) and other sectoral laws on the matter. ISOQualitas, aware of the importance and need to adapt its personal data processing operations to a new and extensive regulation on the subject, namely the Personal Data Protection Law approved by the country’s authorities, devotes special attention to this legislation and commits to faithful compliance with it. In compliance with its internal regulatory acts, ISOQualitas carries out its various data processing operations in the best interest of the owners of personal data, respecting their rights in accordance with the definitions of the Personal Data Protection Law, and reinforcing, in all relations with the persons and entities connected with its operations, its commitment to compliance with applicable privacy and personal data protection regulations.

1. DEFINITIONS

DATA PROCESSORS:

The person responsible for and the operator of the personal data.

ANONYMIZATION:

Use of reasonable technical means available at the time of processing, through which the data loses the possibility of direct or indirect association with an individual. In accordance with the law, anonymized data is therefore not considered personal data.

NATIONAL DATA PROTECTION AUTHORITY (“ANPD”):

Public administration body responsible for ensuring, implementing and supervising compliance with the GLPD throughout the national territory. The ANPD was created by the GLPD as a body of the federal public administration with technical autonomy, dependent on the Presidency of the Republic, defined as transitory and subject to transformation by the Executive Branch into an entity of the indirect federal public administration, subject to a special autarchic regime and linked to the Presidency of the Republic.

PERSONAL DATA CONTROLLER:

A natural or legal person (including ISOQualitas), under public or private law, who is responsible for decisions regarding the processing of personal data.

PERSONAL DATA:

Information relating to an identified or identifiable natural person. Personal data is also considered to be data used to form the behavioral profile of a given natural person.

SENSITIVE PERSONAL DATA:

Personal data of racial or ethnic origin, religious conviction, political opinion, membership of a trade union or organization of a religious, philosophical or political nature, data related to health or sex life, genetic or biometric data when linked to a natural person.

DATA PROTECTION OFFICER (“DPO”):

Natural or legal person appointed by the Data Controller to act as a communication channel between the Data Controller, the data subjects and the National Data Protection Authority. The DPO will be responsible for implementing the Compliance Program for personal data protection laws and for carrying out activities related to the protection of personal data within the scope of ISOQualitas’ operations.

SUPPLIERS:

For ISOQualitas, suppliers are the other contracted and subcontracted third parties, whether they are natural or legal persons, even if they are not classified as business partners.

PERSONAL DATA OPERATOR:

Natural or legal person, under public or private law, who processes personal data on behalf of the data controller.

CUSTOMERS:

Customers are all organizations that have purchased training or consulting services, or that hold current contracts for the use of software.

THIRD PARTY:

Any natural or legal person who has an active contract with ISOQualitas to develop or assist in the development of its activities, both as suppliers of goods or services, and as business partners.

OWNER OF THE PERSONAL DATA (“OWNER”):

Natural person to whom the personal data subject to processing refers.

PROCESSING OF PERSONAL DATA (“PROCESSING”):

Any operation carried out with personal data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation, information control, modification, communication, transfer, diffusion or extraction.

2. SCOPE

This Policy establishes ISOQualitas’ general guidelines for the safeguarding and use of personal data that may be processed in its activities, with reference to the General Data Protection Law, among other national and international standards related to privacy and personal data protection, with special attention to the General Data Protection Regulation.

3. RECIPIENTS

This Policy applies (i) to ISOQualitas employees; (ii) to all third parties, whether natural or legal persons, acting for or on behalf of ISOQualitas in operations involving the processing of personal data that are carried out within the scope of ISOQualitas’ operations; (iii) to personal data processing agents external to ISOQualitas that in any way relate to the organization; and (iv) to the owners of the personal data processed by ISOQualitas.

4. APPLICABILITY

This Policy sets out guidelines and rules to ensure that its recipients understand and comply with laws dealing with the protection of personal data in all interactions with current and future owners of personal data, third parties, and personal data processing agents external to ISOQualitas within the scope of their operations.

In addition to the concepts defined by the regulations dealing with privacy and protection of personal data, the information referred to in this Policy includes all data held, used or transmitted by or on behalf of ISOQualitas, in any type of medium. This includes personal data recorded on paper, stored on computer systems or portable devices, as well as personal data transmitted orally.

5. OBJECTIVES

The objectives of ISOQualitas’ Privacy and Personal Data Protection Policy are:

  1. Establish the guidelines and responsibilities of ISOQualitas that ensure and reinforce the organization’s commitment to compliance with applicable legislation on the protection of personal data;
  2. Describe the rules to be followed in the performance of the personal data processing activities and operations carried out by ISOQualitas and the recipients of this Policy, within the scope of ISOQualitas’ operations, which ensure their compliance with applicable personal data protection laws and, in particular, with the GLPD.

This Policy shall be read in conjunction with the obligations set forth in the documents listed below, which deal with information in general, and shall supplement it where appropriate:

  1. Employment contracts of ISOQualitas employees and other comparable documents, which establish confidentiality obligations in relation to the information held by the organization;
  2. Information security policies and standards, as well as terms and conditions of use, which deal with the confidentiality, integrity and availability of the information maintained by ISOQualitas;
  3. All internal rules on the protection of personal data that may be drawn up and updated periodically.

6. PRIVACY AND PERSONAL DATA PROTECTION PRINCIPLES

ISOQualitas will comply with the following personal data protection principles when processing personal data:

PURPOSE:

ISOQualitas will process personal data only for legitimate, specific and explicit purposes communicated to the owner of the personal data, without the possibility of subsequent processing in a manner incompatible with these purposes;

ADEQUACY:

ISOQualitas will process personal data in a manner compatible with the purposes communicated to the interested party, and in accordance with the context of the processing;

NECESSITY:

The processing of personal data carried out by ISOQualitas will be limited to the minimum necessary to achieve its purposes, covering only the relevant data, in a manner proportionate to and not excessive in relation to the purposes of the processing;

FREE ACCESS:

ISOQualitas will guarantee the owners of personal data an easy and free consultation on the form and duration of the processing, as well as on the integrity of their data;

DATA QUALITY:

ISOQualitas will guarantee the accuracy, clarity, relevance and updating of the data to the owners of the personal data, in accordance with the need and for the fulfillment of the purpose of its processing;

TRANSPARENCY:

ISOQualitas will guarantee the owners of personal data clear, accurate and easily accessible information on the processing and the respective agents for the processing of personal data, observing commercial, intellectual, knowledge and industry secrets;

SECURITY:

ISOQualitas will use technical and administrative measures capable of protecting personal data from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication or dissemination;

PREVENTION:

ISOQualitas will adopt measures to prevent the occurrence of damage due to the processing of personal data;

NON-DISCRIMINATION:

ISOQualitas will guarantee the impossibility of processing personal data for discriminatory, illegal or abusive purposes;

RESPONSIBILITY AND ACCOUNTABILITY:

ISOQualitas is committed to demonstrating the adoption of effective measures capable of proving compliance with personal data protection regulations, as well as the effectiveness of these measures.

7. LEGAL BASES FOR THE PROCESSING OF PERSONAL DATA

All personal data processing operations within the scope of the activities carried out by ISOQualitas will have a legal basis that legitimises their performance, with stipulation of the purpose and designation of the data controllers.

ISOQualitas assumes as an institutional commitment the periodic evaluation of the purposes of its operations, considering the context in which these operations are inserted, the risks and benefits that may be generated for the owner of the personal data, and the legitimate interest of the organization.

The processing of personal data by ISOQualitas may be carried out:

  1. With the prior formal consent of the owner of the personal data;
  2. To comply with a legal or regulatory obligation;
  3. To carry out studies by a research organization;
  4. When it is necessary for the performance of a contract, or of preliminary procedures related to a contract, to which the owner of the personal data is a party;
  5. For the regular exercise of rights in judicial, administrative or arbitration proceedings;
  6. When necessary to meet the legitimate interests of ISOQualitas or a third party;
  7. For credit protection in the context of ISOQualitas’ financial operations.

ISOQualitas will keep records of its processing operations organized by category of processing, each described according to its purpose(s), which serve as support for its periodic evaluation of compliance with the regulatory framework for the protection of personal data.

The records of personal data processing operations may be consulted by the owner of the personal data, as well as by the competent public authorities, for access to and storage of data on the owner’s behalf, safeguarding the rights of the owner of the personal data.

8. LEGAL BASES FOR THE PROCESSING OF SENSITIVE PERSONAL DATA

ISOQualitas recognizes that the processing of sensitive personal data represents greater risks for the owner of the personal data and for this reason the organization is committed to safeguarding and taking special care in the processing of sensitive personal data.

This commitment incorporates the sensitive personal data listed in Article 5, paragraph II of the GDPR, as well as the financial data that, for the purposes of this Policy and the ISOQualitas GLPD Compliance Program, will have the same status as sensitive personal data.

The personal data of children and adolescents, even though such data may not arise in the operations of the organization, will be treated with the same level of care required for and offered to sensitive personal data, and will also be subject to the specific provisions established in the personal data protection law and other applicable specific regulations.

The processing of sensitive personal data by ISOQualitas may only be carried out:

  1. When the owner of the personal data or his legal guardian consents, in a specific and prominent manner, for specific purposes;
  2. Without the consent of the owner of the personal data, in cases where the processing is essential to:
    a) Comply with a legal or regulatory obligation on the part of ISOQualitas;
    b) The carrying out of studies when ISOQualitas is in the position of Research Body, ensuring, whenever possible, the anonymization of sensitive personal data;
    c) The regular exercise of rights, including in contracts and in judicial, administrative and arbitration proceedings;
    d) Protection of the life or physical safety of the holder of personal data or third parties;
    e) Health protection, exclusively, in a procedure carried out by health professionals, health services or health authority; or
    f) Guarantee of fraud prevention and security of the holder of personal data, in the processes of identification and authentication of registration in electronic systems.

9. RIGHTS OF PERSONAL DATA SUBJECTS

ISOQualitas, in the context of its personal data processing activities, reinforces its commitment to respect the rights of personal data subjects, which are:

RIGHT TO CONFIRMATION OF THE EXISTENCE OF PROCESSING:

The holder of personal data can ask ISOQualitas whether processing operations are carried out relating to their personal data;

RIGHT OF ACCESS:

The holder of personal data may request and receive a copy of all personal data collected and stored;

RIGHT TO CORRECTION:

The holder of personal data may request the correction of personal data that is incomplete, inaccurate or out of date;

RIGHT OF ELIMINATION:

The owner of the personal data may request the deletion of their personal data from the databases managed by ISOQualitas, unless there is a legitimate reason for their retention, such as a legal obligation to keep the data or a study by a research organization. In the event of deletion, the Institution reserves the right to choose the deletion procedure used, undertaking to use means that guarantee security and prevent the recovery of the data;

RIGHT TO REQUEST THE SUSPENSION OF THE UNLAWFUL PROCESSING OF PERSONAL DATA:

At any time, the owner of the personal data may request from ISOQualitas the anonymization, blocking or deletion of his/her personal data that have been recognized by the competent authority as unnecessary, excessive or processed in breach of the provisions of the Personal Data Protection Law;

RIGHT TO OBJECT TO THE PROCESSING OF PERSONAL DATA:

In the event of processing of personal data not based on obtaining consent, the owner of the personal data may file an objection with ISOQualitas, which will be analyzed based on the criteria present in the GLPD;

RIGHT TO DATA PORTABILITY:

The owner of the personal data may request ISOQualitas that his/her personal data be made available to another service or product provider, respecting the commercial and industrial secrecy of the organization, as well as the technical limits of its infrastructure;

RIGHT TO REVOKE CONSENT:

The owner of the personal data has the right to revoke their consent. However, it should be noted that this will not affect the lawfulness of any processing done prior to the withdrawal. In the event of a revocation of consent, it may not be possible to provide certain services. If so, the owner of the personal data will be informed.

ISOQualitas reiterates its commitment to the rights of personal data subjects to transparency and adequate information, highlighting the provision of:

  1. Information about the public and private entities with which ISOQualitas has shared data;
  2. Information on the possibility of not giving consent and on the consequences of refusal.

10. DUTIES FOR THE PROPER USE OF PERSONAL DATA

The duties of care, attention and appropriate use of personal data are extended to all recipients of this Policy in the development of their work and activities in ISOQualitas, committing to assist the Institution in the fulfillment of its obligations in the implementation of its privacy and personal data protection strategy.

10.1 SPECIFIC DUTIES OF PERSONAL DATA SUBJECTS

It is the responsibility of the owners of the personal data to notify ISOQualitas of any modification to their personal data in their relationship with the Institution (for example, change of address), preferably notifying it in the following order:

  1. Through the platform made available by the ISOQualitas Unit with which the holder is related;
  2. By e-mail addressed to the head of the ISOQualitas Unit with which the holder is related;
  3. By email addressed directly to ISOQualitas DPO, when appointed; and
  4. By physical means (e.g. letter) addressed directly to ISOQualitas DPO, when appointed.

10.2 SPECIFIC DUTIES OF ISOQUALITAS OFFICIALS

The exchange of personal data of the owners of personal data between the ISOQualitas Units is permitted, provided that its purpose and legal basis are respected, observing the principle of necessity, and the processing of personal data is always restricted to the development of activities authorized by the Institution.

10.3 DUTIES OF THE ORGANIZATION'S EMPLOYEES, PERSONAL DATA PROCESSING AGENTS AND THIRD PARTIES

  1. Not to make available or grant access to personal data held by ISOQualitas to persons who are not authorized or not competent under the Institution’s standards.
  2. Obtain the necessary authorization for the processing of the data and hold the documents that prove the designation of their competence to carry out the lawful processing of the data, in accordance with the ISOQualitas regulatory protocol.
  3. Comply with the standards, recommendations and information security guidelines, and with the information security incident prevention measures published by the Institution (e.g. Information Security Policy, Information Security Incident Response Plan, password management guidelines, among others).

10.4 DUTIES OF ALL RECIPIENTS OF THIS POLICY

All recipients of this Policy have the duty to contact the DPO of ISOQualitas, when the following actions are suspected or occur:

  1. Operation of processing personal data carried out without legal basis that justifies it;
  2. Processing of personal data without authorization by ISOQualitas within the scope of its operations;
  3. Personal data processing activities that are carried out in breach of ISOQualitas’ Information Security Policy;
  4. Unauthorized deletion or destruction by ISOQualitas of personal data from digital platforms or physical collections in any of the facilities of the organization or used by it;
  5. Any other violation of this Policy or any of the data protection principles set out in point 7 above.

11. RELATIONSHIP WITH THIRD PARTIES

The Personal Data Protection Law establishes that liability in the event of property, moral, individual or collective damages arising from violations of personal data protection legislation is joint, i.e., all agents in the chain involving the processing of personal data can be held liable for the damages caused. In this regard, the possibility that ISOQualitas may be held liable for the actions of third parties implies the need to employ best efforts to verify, evaluate and ensure that such third parties comply with applicable data protection laws.

Thus, all contracts with third parties must contain clauses referring to the protection of personal data, which establish duties and obligations involving the subject, and which accredit the commitment of third parties to the applicable legislation on the protection of personal data. It should also be noted that these contracts will be reviewed and submitted for approval by the DPO and its ISOQualitas technical team, in accordance with the current regulatory protocol.

All third parties must subscribe to the term of acceptance of this Policy, the Information Security Policy and the Security Incident Response Plan, subjecting the activities contracted within the scope of the relationship with ISOQualitas also to these regulations.

12. PERSONAL DATA PROTECTION COMPLIANCE PROGRAM

The GLPD Compliance Program aims to ensure ISOQualitas’ commitment to ensure the correct processing of personal data for legitimate purposes that may be the subject of its activities and reinforces its commitment to good privacy and data protection practices with the following actions:

  1. Production and dissemination of information, regardless of format, describing the individual responsibilities of the recipients of this Policy in the area of privacy and protection of personal data;
  2. Provision of training, guidance and advice to ISOQualitas employees and third parties, including, but not limited to, online courses, workshops, internal meetings, periodic conversations and talks, among other initiatives, with content made available in digital and face-to-face formats;
  3. Incorporation of concerns and care in the processing of personal data in all stages of its activities, including, but not limited to, administrative routines, research activities, provision of services, academic activities, among others.
  4. Identification and in-depth assessment of the risks that may compromise the achievement of ISOQualitas’ objectives in the field of privacy and personal data protection; definition, creation and implementation of action plans and policies to mitigate the identified risks; and continuous evaluation of the scenarios in order to assess whether the measures implemented require new guidelines and attitudes.

From the entry into force of the GLPD, the Data Protection Officer (DPO) of ISOQualitas, assisted by his technical team, will have the following responsibilities:

  1. Carry out the GLPD Compliance Program in ISOQualitas, ensuring its oversight;
  2. To monitor compliance with applicable personal data protection laws, in accordance with ISOQualitas policies;
  3. To guide the recipients of this Policy regarding the privacy and personal data protection regime of ISOQualitas;
  4. Ensure that data protection standards and guidelines are informed and incorporated into ISOQualitas routines and practices;
  5. Organize training on personal data protection in ISOQualitas;
  6. Provide clarifications, offer information and submit reports on personal data processing operations and their impacts to the competent authorities (e.g. Public Prosecutor’s Office, National Authority for the Protection of Personal Data, etc.);
  7. To respond to requests and complaints from the owners of personal data whose data has been processed by an ISOQualitas unit;
  8. Collaborate in audits or any other evaluation and monitoring measure related to data protection;
  9. Prepare privacy and data protection impact assessments, technical opinions and review of data protection documents.

13. INFORMATION SECURITY

The standards for information security and prevention against personal data incidents are contained in the ISOQualitas Information Security Policy and in the internal regulations and documents related to the matter.

ISOQualitas reinforces the commitment embodied in its Information Security Policy to employ appropriate technical and organizational measures in the handling of personal data, and to make efforts to protect the personal data of the owners of personal data against unauthorized access, loss, destruction, unauthorized sharing, among other hypotheses.

14. TRAINING

The recipients of this Policy undertake to participate in the training sessions, workshops, meetings and other training activities proposed by the DPO to expand the culture of personal data protection in the organization.

ISOQualitas employees whose functions require the regular processing of personal data, or those responsible for the implementation of this Policy, undertake to participate in complementary training to help them understand their obligations and how to comply with them.

15. MONITORING

It is reiterated that ISOQualitas recognizes its commitment to ensure the proper processing of personal data for legitimate purposes that may be the object of its activities and reinforces its commitment to good privacy and data protection practices, committing to keep its GLPD Compliance Program updated with the rules and recommendations issued by the competent authorities.

ISOQualitas undertakes to review this Policy periodically and, at its discretion, to promote modifications that update its provisions in order to reinforce the Institution’s permanent commitment to privacy and the protection of personal data, and all changes made from time to time will be communicated through the Institution’s official channels.