The purpose of this Privacy and Personal Data Protection Policy (“Policy”) is to provide guidance on how to manage the various personal data processing activities and operations existing in ISOQualitas Engenharia de Sistemas Ltda. This document is part of ISOQualitas’ compliance program with the General Law on the Protection of Personal Data (according to applicable national law) and other sectoral laws on the matter.
ISOQualitas recognizes the importance and need to adapt its personal data processing operations to a new and extensive regulation on the subject, in this case the Personal Data Protection Law approved by the country’s authorities, and establishes special attention to and faithful compliance with the legislation.
In compliance with its internal regulatory acts, ISOQualitas carries out various data processing operations seeking the best interest of the owners of personal data and respecting their rights in accordance with the definitions of the Personal Data Protection Law, reinforcing, in all relations with persons and entities that are related to the operations of ISOQualitas, its commitment to compliance with applicable privacy and personal data protection regulations.
The person responsible for and the operator of the personal data.
Use of reasonable technical means available at the time of processing personal data, through which the data loses the possibility of direct or indirect association with an individual. In accordance with the law, data anonymized in this way is not considered personal data.
Public administration body responsible for ensuring, implementing and supervising compliance with the GLPD throughout the national territory. The ANPD was created by the GLPD as an organ of the federal public administration with technical autonomy, dependent on the Presidency of the Republic, defined as transitory and subject to transformation by the Executive Branch into an entity of the indirect federal public administration, subject to a special autarchic regime and linked to the Presidency of the Republic.
A natural or legal person (including ISOQualitas), under public or private law, who is responsible for decisions regarding the processing of personal data.
Information relating to an identified or identifiable natural person. Personal data is also considered to be data used to form the behavioral profile of a given natural person.
Personal data of racial or ethnic origin, religious conviction, political opinion, membership of a trade union or organization of a religious, philosophical or political nature, data related to health or sex life, genetic or biometric data when linked to a natural person.
Natural or legal person appointed by the Data Protection Officer to act as a communication channel between the Data Controller, the data subjects and the National Data Protection Authority. It will be responsible for implementing the Compliance Program for personal data protection laws and carrying out activities related to the protection of personal data within the scope of ISOQualitas’ operations.
For ISOQualitas, suppliers are the other contracted and subcontracted third parties, whether they are natural or legal persons, even if they are not classified as business partners.
Natural or legal person, under public or private law, who processes personal data on behalf of the data controller.
Customers are all organizations that have established the acquisition of training, consulting or current contracts for the use of software.
Any natural or legal person who has an active contract with ISOQualitas to develop or assist in the development of its activities, both as suppliers of goods or services, and as business partners.
Natural person to whom the personal data subject to processing refers.
Any operation carried out with personal data, such as those relating to collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation, information control, modification, communication, transfer, diffusion or extraction.
This Policy establishes ISOQualitas’ general guidelines for the safeguarding and use of personal data that may be processed in its activities, with reference to the General Data Protection Law, among other national and international standards related to privacy and personal data protection, with special attention to the General Data Protection Regulation.
This Policy applies (i) to ISOQualitas employees; (ii) to all third parties, whether natural or legal persons, acting on behalf of ISOQualitas in operations involving the processing of personal data that are carried out within the scope of ISOQualitas’ operations; (iii) to personal data processing agents external to ISOQualitas that in any way relate to the organization; and (iv) to the owners of the personal data, whose data are processed by ISOQualitas.
This Policy sets out guidelines and rules to ensure that its recipients understand and comply with laws dealing with the protection of personal data in all interactions with current and future owners of personal data, third parties, and personal data processing agents external to ISOQualitas within the scope of their operations.
In addition to the concepts defined by the regulations dealing with privacy and protection of personal data, the information referred to in this Policy includes all data held, used or transmitted by or on behalf of ISOQualitas, in any type of medium. This includes personal data recorded on paper, stored on computer systems or portable devices, as well as personal data transmitted orally.
The objectives of ISOQualitas’ Privacy and Personal Data Protection Policy are:
This Policy shall be read in conjunction with the obligations set forth in the documents listed below, which deal with information in general, and shall supplement it where appropriate:
ISOQualitas will comply with the following personal data protection principles when processing personal data:
ISOQualitas will process personal data only for legitimate, specific, explicit purposes and informed to the owner of the personal data, without the possibility of subsequent processing in a manner incompatible with these purposes;
ISOQualitas will process personal data in a manner compatible with the purposes informed to the interested party, and in accordance with the context of the processing;
the processing of personal data carried out by ISOQualitas will be limited to the minimum necessary for the achievement of its purposes, with the scope of the relevant data, proportionate and not excessive in relation to the purposes of the processing;
ISOQualitas will guarantee the owners of personal data an easy and free consultation on the form and duration of the processing, as well as on the integrity of their data;
ISOQualitas will guarantee the accuracy, clarity, relevance and updating of the data to the owners of the personal data, in accordance with the need and for the fulfillment of the purpose of its processing;
ISOQualitas will guarantee the owners of personal data clear, accurate and easily accessible information on the processing and the respective agents for the processing of personal data, observing commercial, intellectual, knowledge and industry secrets;
ISOQualitas will use technical and administrative measures capable of protecting personal data from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication or dissemination;
ISOQualitas will adopt measures to prevent the occurrence of damage due to the processing of personal data;
ISOQualitas will guarantee the impossibility of processing personal data for discriminatory, illegal or abusive purposes;
ISOQualitas is committed to demonstrating the adoption of effective measures capable of proving compliance with personal data protection regulations, and the effectiveness of these measures.
All personal data processing operations within the scope of the activities carried out by ISOQualitas will have a legal basis that legitimises their performance, with stipulation of the purpose and designation of the data controllers.
ISOQualitas assumes as an institutional commitment the periodic evaluation of the purposes of its operations, considering the context in which these operations are inserted, the risks and benefits that may be generated for the owner of the personal data, and the legitimate interest of the organization.
The processing of personal data by ISOQualitas may be carried out:
ISOQualitas will keep records of its processing operations based on categories of processing, each of them described according to its purpose(s), serving as help and support for its periodic evaluation of compliance with the regulatory framework for the protection of personal data.
The records of personal data processing operations may be consulted by the owner of the personal data, as well as by the competent public authorities for access to and storage of data on his behalf, safeguarding the rights of the owner of the personal data.
ISOQualitas recognizes that the processing of sensitive personal data represents greater risks for the owner of the personal data and for this reason the organization is committed to safeguarding and taking special care in the processing of sensitive personal data.
This commitment incorporates the sensitive personal data listed in Article 5, paragraph II of the GDPR, as well as the financial data that, for the purposes of this Policy and the ISOQualitas GLPD Compliance Program, will have the same status as sensitive personal data.
The personal data of children and adolescents, even if they are not applicable in the operations of the organization, will be treated with the same level of care required and offered to sensitive personal data, but will also be subject to the specific provisions established in the personal data protection law and other specific applicable regulations.
The processing of sensitive personal data by ISOQualitas may only be carried out:
ISOQualitas, in the context of its personal data processing activities, reinforces its commitment to respect the rights of personal data subjects, which are:
The holder of personal data can ask ISOQualitas whether processing operations are carried out relating to their personal data;
the holder of personal data may request and receive a copy of all personal data collected and stored;
the holder of personal data may request the correction of personal data that is incomplete, inaccurate or out of date;
the owner of the personal data may request the deletion of their personal data from the databases managed by ISOQualitas, unless there is a legitimate reason for their maintenance, such as a possible legal obligation to keep data or study by a research organization. In the event of deletion, the Institution reserves the right to choose the deletion procedure used, undertaking to use means that guarantee security and prevent the recovery of the data;
At any time, the owner of the personal data may request from ISOQualitas the anonymization, blocking or deletion of his/her personal data that have been recognized by the competent authority as unnecessary, excessive or processed in breach of the provisions of the Personal Data Protection Law;
In the event of processing of personal data not based on obtaining consent, the owner of the personal data may file an objection with ISOQualitas, which will be analyzed based on the criteria present in the GLPD;
The owner of the personal data may request from ISOQualitas that his/her personal data be made available to another service or product provider, respecting the commercial and industrial secrecy of the organization, as well as the technical limits of its infrastructure;
The owner of the personal data has the right to revoke their consent. However, it should be noted that this will not affect the lawfulness of any processing done prior to the withdrawal. In the event of a revocation of consent, it may not be possible to provide certain services. If so, the owner of the personal data will be informed.
ISOQualitas reiterates its commitment to the rights of personal data subjects to transparency and adequate information, highlighting the provision of:
The duties of care, attention and appropriate use of personal data are extended to all recipients of this Policy in the development of their work and activities in ISOQualitas, committing to assist the Institution in the fulfillment of its obligations in the implementation of its privacy and personal data protection strategy.
It is the responsibility of the owners of the personal data to notify ISOQualitas of any modification to their personal data in their relationship with the Institution (for example, change of address), preferably notifying it in the following order:
The exchange of personal data of the owners of personal data between the ISOQualitas Units is permitted, provided that its purpose and legal basis are respected, observing the principle of necessity, and the processing of personal data is always restricted to the development of activities authorized by the Institution.
All recipients of this Policy have the duty to contact the DPO of ISOQualitas, when the following actions are suspected or occur:
The Personal Data Protection Law establishes that liability in the event of property, moral, individual or collective damages arising from violations of personal data protection legislation is joint, i.e., all agents in the chain involving the processing of personal data can be held liable for the damages caused. In this regard, the possibility that ISOQualitas may be held liable for the actions of third parties implies the need to employ best efforts to verify, evaluate and ensure that such third parties comply with applicable data protection laws.
Thus, all contracts with third parties must contain clauses referring to the protection of personal data, which establish duties and obligations involving the subject, and which accredit the commitment of third parties to the applicable legislation on the protection of personal data. It should also be noted that these contracts will be reviewed and submitted for approval by the DPO and its ISOQualitas technical team, in accordance with the current regulatory protocol.
All third parties must subscribe to the term of acceptance of this Policy, the Information Security Policy and the Security Incident Response Plan, subjecting the activities contracted within the scope of the relationship with ISOQualitas also to these regulations.
The GLPD Compliance Program aims to uphold ISOQualitas’ commitment to ensuring the correct processing of personal data for legitimate purposes that may be the subject of its activities and reinforces its commitment to good privacy and data protection practices with the following actions:
From the entry into force of the GLPD, the DPO of ISOQualitas, also known as the Data Protection Officer, assisted by his technical team, will have the following responsibilities:
The standards for information security and prevention against personal data incidents are contained in the ISOQualitas Information Security Policy and in the internal regulations and documents related to the matter.
ISOQualitas reinforces the commitment embodied in its Information Security Policy to employ appropriate technical and organizational measures in the handling of personal data, and to make efforts to protect the personal data of the owners of personal data against unauthorized access, loss, destruction, unauthorized sharing, among other hypotheses.
The recipients of this Policy undertake to participate in the trainings, workshops and meetings proposed by the DPO to expand the culture of personal data protection in the organization.
ISOQualitas employees whose functions require the regular processing of personal data, or those responsible for the implementation of this Policy, undertake to participate in complementary training to help them understand their obligations and how to comply with them.
It is reiterated that ISOQualitas recognizes its commitment to ensure the proper processing of personal data for legitimate purposes that may be the object of its activities and reinforces its commitment to good privacy and data protection practices, committing to keep its GLPD Compliance Program updated with the rules and recommendations issued by the competent authorities.
ISOQualitas undertakes to review this Policy periodically and, at its discretion, to promote modifications that update its provisions in order to reinforce the Institution’s permanent commitment to privacy and the protection of personal data, and all changes made from time to time will be communicated through the Institution’s official channels.