Privacy and Data Protection Policy
- INTRODUCTION AND CONTEXT
Through this document, Hitalk intends to adapt its personal data processing operations to the legal regulations on the subject, and in particular to the LGPD approved in August 2018.
We emphasize that the LGPD is a comprehensive law and is aimed at different economic agents in Brazil, whether in the public, private and third sectors; and it brings legal prescriptions so that personal data can be used in the activities of these agents.
In May 2018, the General Data Protection Regulation (Regulation EU 2016/679 – “GDPR”) came into force. Considering that this regulation has points of contact with the activities carried out by Hitalk in the European Union, we understand that we should also embrace this regulation, adjusting to the LGPD conformities.
In the performance of some of the activities provided for in its bylaws, Hitalk carries out operations for processing personal data in line with the best interests and rights of the holders of personal data, and can be characterized as a Personal Data Controller, Personal Data Operator, Personal Data Controller and Operator, or Personal Data Co-Controller, in accordance with the definitions of the LGPD, reinforcing, in all positions it occupies, its commitment to compliance with the applicable rules of privacy and protection of personal data.
The adjustments related to the LGPD compliance process include work to interpret the Law in order to define the legal obligations, survey the facts relevant and pertinent to its application, and measure the flows and processes that contribute or not to the adjustments to the legal standard.
- TERMS AND DEFINITIONS
PERSONAL DATA: Information related to the identified or identifiable natural person. Personal data are also considered those used to form the behavioral profile of a specific natural person.
SENSITIVE PERSONAL DATA: Personal data on racial or ethnic origin, religious beliefs, political opinion, union membership or organization of a religious, philosophical or political nature, data relating to health or sexual life, genetic or biometric data when linked to a natural person.
NATIONAL DATA PROTECTION AUTHORITY (“ANPD”): Public administration body responsible for overseeing, implementing and monitoring compliance with the LGPD throughout the national territory. The ANPD was established by the LGPD as a body of the Federal Government with technical autonomy, part of the Presidency of the Republic, with its nature defined as temporary and subject to transformation by the executive branch into an entity of the indirect federal public administration, subject to a special autarchic regime and linked to the Presidency of the Republic.
GENERAL DATA PROTECTION LAW (“LGPD”): Normative diploma (Law No. 13,709, of August 14, 2018) that provides for the processing of personal data in digital or physical media carried out by a natural person or a legal person, under public or private law, aiming to defend the holders of personal data and at the same time allow the use of the data for different purposes, balancing interests and harmonizing the protection of the human person with technological and economic development.
PERSONAL DATA PROCESSING AGENTS: The controller and the personal data operator.
PERSONAL DATA CONTROLLER: Individual or legal entity, under public or private law, who is responsible for decisions regarding the processing of personal data.
PERSONAL DATA OPERATOR: Individual or legal entity, under public or private law, which processes personal data on behalf of the Controller.
TREATMENT OF PERSONAL DATA (“TREATMENT”): Any operation performed with personal data, such as those relating to the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, disposal, evaluation, information control, modification, communication, transfer, dissemination or extraction.
ANONYMIZATION: Use of technical means, reasonable and available when processing personal data, through which data loses the possibility of association, directly or indirectly, with an individual. Anonymized data is not considered personal data for the purposes of the LGPD.
PERSONAL DATA HOLDER (“HOLDER”): Natural person to whom the personal data being processed refer.
PERSON IN CHARGE OR DATA PROTECTION OFFICER (“DPO”): Individual or legal entity appointed by the Treatment Agent to act as a communication channel between the Controller, data subjects and the National Data Protection Authority.
SUPPLIERS: In the context of Hitalk, suppliers are considered to be other contracted and subcontracted third parties, natural or legal persons, not classified as commercial partners.
THIRD PARTY: Any natural or legal person hired by Hitalk to develop or assist in the development of its activities, both as suppliers of goods or services and as business partners.
COMMERCIAL PARTNERS: In the context of Hitalk, commercial partners are contracted third parties, whether individuals or legal entities, who act on its behalf: Consultants, Partners and Commercial Agents (those who indicate activities in which Hitalk may act as a contractor).
- APPLICABILITY AND RECIPIENTS
Adherence to this Policy is mandatory for all the recipients indicated above as they relate to Hitalk. All operations involving the processing of personal data that are carried out in the exercise of activities conducted by Hitalk are subject to the legal rules and those set forth herein.
This Policy establishes concepts, guidelines and rules defined so that its recipients understand and comply with the legal rules that address the protection of personal data, in a dynamic and comprehensive way, whether they refer to current or future holders of personal data, third parties or personal data processing agents external to Hitalk as part of its activities.
The information covered by this Policy includes all data held, used or transmitted by or on behalf of Hitalk, in any type of media. This includes personal data recorded on paper, kept on computer systems or portable devices, as well as personal data transmitted orally.
The objectives of Hitalk’s Privacy and Data Protection Policy are:
• Define Hitalk guidelines and responsibilities that ensure and reinforce the commitment to comply with the applicable personal data protection laws;
• Determine the rules to be followed in conducting the activities and operations of personal data processing carried out by Hitalk and the recipients of this Policy, within the scope of Hitalk’s activities, which ensure its compliance with the applicable personal data protection laws and, in particular, with the LGPD.
This Policy must be analyzed in conjunction with the obligations provided for in the documents referred to below, which contain information in general, complementing it when appropriate:
- Privacy policies and information security rules, as well as terms and conditions of use, dealing with confidentiality, integrity and availability of Hitalk information;
- Employment contracts of Hitalk employees and other similar documents, which contain confidentiality obligations regarding the information maintained by the Institution;
- Any internal rules that deal with the protection of personal data, current or that will be periodically prepared and updated.
- PRINCIPLES OF PRIVACY AND PERSONAL DATA PROTECTION
Under the terms of the LGPD, Hitalk will comply with the following principles of protection of personal data when processing personal data:
• PURPOSE: Hitalk will process personal data only for legitimate, specific and explicit purposes informed to the holder of personal data, with no possibility of further processing in a manner incompatible with those purposes;
• FITNESS: Hitalk will process personal data in a manner compatible with the purposes informed to the data subject, and in accordance with the context of the processing;
• NEED: the processing of personal data carried out by Hitalk will be limited to the minimum necessary for the accomplishment of its purposes, covering data that is relevant, proportional and not excessive in relation to the purposes of the treatment;
• FREE ACCESS: Hitalk will guarantee holders of personal data easy and free consultation on the form and duration of treatment, as well as on the completeness of their data;
• DATA QUALITY: Hitalk will guarantee, to the holders of personal data, the accuracy, clarity, relevance and updating of the data, according to the need and for the fulfillment of the purpose of its treatment;
• TRANSPARENCY: Hitalk will guarantee to the holders of personal data clear, accurate and easily accessible information on the performance of the treatment and the respective personal data processing agents, observing commercial and industrial secrets;
• SECURITY: Hitalk will use technical and administrative measures to protect personal data from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, communication or dissemination;
• PREVENTION: Hitalk will adopt measures to prevent the occurrence of damages due to the processing of personal data;
• NON-DISCRIMINATION: Hitalk will guarantee the impossibility of carrying out the processing of personal data for illegal or abusive discriminatory purposes;
• RESPONSIBILITY AND ACCOUNTABILITY: Hitalk is committed to demonstrating the adoption of effective measures capable of proving the observance and compliance with the rules on the protection of personal data, and the effectiveness of these measures.
- INSTITUTIONAL COMMITMENT FOR THE PROCESSING OF PERSONAL DATA
Hitalk has an institutional commitment to periodically evaluate the purposes of its processing operations, considering the context in which these operations are inserted, the risks and benefits that can be generated to the holder of personal data, and the legitimate interest of the Institution.
Accordingly, all operations of processing personal data within the scope of activities conducted by Hitalk must be founded on a legal basis and have a defined purpose.
The operations of processing personal data by Hitalk can only be carried out:
- By providing consent by the holder of personal data;
- For the fulfillment of legal or regulatory obligation;
- For conducting studies by research body;
- When necessary for the execution of a contract or preliminary procedures related to a contract to which the holder of personal data is a party;
- For the regular exercise of rights in judicial, administrative or arbitral proceedings;
- For the protection of the life or physical safety of the holder of personal data or of a third party;
- For the protection of health, exclusively, in a procedure performed by health professionals, health services or health authority;
- When necessary to serve the legitimate interests of Hitalk or third parties;
- For credit protection.
The records of personal data processing operations may be consulted by the holder of the personal data, as well as by public authorities competent to access and retain the data on their behalf, with the rights of the holder of the personal data being safeguarded.
- INSTITUTIONAL COMMITMENT TO THE PROCESSING OF SENSITIVE PERSONAL DATA
Hitalk is committed to safeguarding and taking special care in the handling of sensitive personal data and recognizes that this data presents higher risks to the holder of personal data.
In this sense, the sensitive personal data listed in art. 5, item II of the LGPD, as well as financial data, for the purposes of this Policy, will have the same status as sensitive personal data.
• The personal data of children and adolescents will be treated with the same level of care offered to sensitive personal data and will also be subject to the specific provisions established in Chapter II, Section III, of the LGPD, in addition to other specific applicable rules.
The operations of processing sensitive personal data by Hitalk can only be carried out:
- When the holder of personal data or his legal guardian consents, specifically and prominently, for specific purposes;
- Without providing consent from the holder of personal data, in cases where processing is indispensable for:
  - Compliance with a legal or regulatory obligation imposed on Hitalk;
  - Conducting studies when Hitalk is in the position of Research Body, ensuring, whenever possible, the anonymization of sensitive personal data;
  - The regular exercise of rights, including in contracts and in judicial, administrative and arbitration proceedings;
  - Protection of the life or physical safety of the holder of personal data or third parties;
  - Guardianship of health, exclusively, in a procedure performed by health professionals, health services or health authority; or
  - Ensuring the prevention of fraud and the security of the holder of personal data, in the identification and authentication processes of registration in electronic systems.
- RIGHTS OF PERSONAL DATA HOLDERS
In the context of its personal data processing activities, Hitalk reinforces its commitment to respect the rights of personal data holders, namely:
• RIGHT TO CONFIRM THE EXISTENCE OF THE TREATMENT: the holder of personal data can seek from Hitalk the confirmation of the existence of processing operations related to his personal data;
• RIGHT OF ACCESS: the holder of personal data can request and receive a copy of all personal data collected and stored;
• RIGHT OF CORRECTION: the holder of personal data may request the correction of personal data that is incomplete, inaccurate or out of date;
• RIGHT OF ELIMINATION: the holder of personal data may request the deletion of his personal data from databases managed by Hitalk, unless there is a legitimate reason for their maintenance, such as a legal obligation to retain data. In the event of elimination, the Institution reserves the right to choose the elimination procedure employed, committing itself to using means that guarantee security and avoid data recovery;
• RIGHT TO REQUEST SUSPENSION OF ILLEGAL PROCESSING OF PERSONAL DATA: the holder of personal data may request at any time from Hitalk the anonymization, blocking or deletion of his personal data that has been recognized by the competent authority as unnecessary, excessive or treated in nonconformity with the provisions of the LGPD.
• RIGHT OF OPPOSITION TO A PROCESSING OF PERSONAL DATA: in the event of processing personal data not based on obtaining consent, the holder of personal data may present an opposition to Hitalk, which will be analyzed based on the criteria present in the LGPD.
• RIGHT TO DATA PORTABILITY: the holder of personal data may request from Hitalk that his personal data be made available to another service or product supplier, respecting the Institution’s commercial and industrial secrets, as well as the technical limits of its infrastructure.
• RIGHT TO REVOKE CONSENT: the holder of personal data has the right to revoke his consent. However, it is emphasized that this will not affect the legality of any treatment carried out before withdrawal. In the event of revocation of consent, it may not be possible to provide certain services. This being the case, the holder of personal data must be informed.
Hitalk reiterates its commitment to the rights of personal data holders to transparency and adequate information, highlighting the provision of:
- Information from public and private entities with which Hitalk made shared use of data;
- Information about the possibility of not giving consent and about the consequences of the refusal.
11. DUTIES FOR THE PROPER USE OF PERSONAL DATA
In the development of Hitalk’s work and activities, the duties of care, attention and proper use of personal data are extended to all the recipients of this Policy, who commit themselves to assist the Institution in fulfilling its obligations in the implementation of its privacy and personal data protection strategy.
• SPECIFIC DUTIES OF PERSONAL DATA HOLDERS:
It is incumbent on the holders of personal data to communicate to Hitalk any changes in their personal data in their relationship with the Institution (e.g. change of address), notifying them preferably in the following order:
(i) Through the platform provided by Hitalk with which the holder relates;
(ii) By e-mail addressed to the person in charge of Hitalk with whom the holder relates.
• SPECIFIC DUTIES FOR Hitalk EMPLOYEES:
Provided that its purpose and legal basis are respected, the sharing of personal data of personal data holders within the Hitalk group is allowed, observing the principle of necessity, the treatment of personal data being always restricted to the objectives and similar activities authorized by the Institution.
• DUTIES OF Hitalk EMPLOYEES, PERSONAL DATA PROCESSING AGENTS AND THIRD PARTIES:
- Access to personal data maintained by Hitalk will not be made available or guaranteed to any person not authorized or competent according to the Institution’s rules.
- The necessary authorization for data processing must be obtained, as well as the necessary documents that demonstrate the designation of its competence to carry out the lawful data processing operation.
- Everyone must comply with the rules, recommendations, information security guidelines and prevention of information security incidents determined by the Institution.
• DUTIES OF ALL RECIPIENTS IN THIS POLICY:
Upon suspicion or the actual occurrence of the following actions, all recipients of this Policy have a duty to contact the Hitalk Officer:
- Absence of a legal basis that justifies the operation of processing personal data;
- Processing of personal data without authorization by Hitalk in the scope of the activities it develops;
- Operation of personal data processing that is carried out in non-compliance with Hitalk’s Information Security Policy;
- Elimination or destruction, unauthorized by Hitalk, of personal data from digital platforms or physical collections in all facilities of the Institution or used by it;
- Any other violation of this Policy or any of the data protection principles set out in item 7 above.
- RELATIONSHIP WITH THIRD PARTIES
The liability established by LGPD, in the case of property, moral, individual or collective damages resulting from violations of the personal data protection legislation is joint and several. This means that all agents in the chain involving the processing of personal data can be held responsible for any damages caused.
For this reason, the possibility of Hitalk being held responsible for the actions of third parties implies the need to use the best efforts to verify, evaluate and ensure that such third parties comply with applicable data protection laws.
• Thus, all contracts with third parties must contain clauses referring to the protection of personal data, establishing duties and obligations involving the subject, and attesting the third parties’ commitment to the applicable personal data protection laws. It is also noteworthy that these contracts will be reviewed and submitted for approval by Hitalk and its technical team, in accordance with the current regulatory framework.
• All third parties must sign the term of acceptance of this Policy, submitting the activities contracted within the scope of the relationship with Hitalk also to this rule.
13. CONFORMATION TO PERSONAL DATA PROTECTION LAWS
Hitalk seeks to conform to the LGPD rules and guidelines in order to guarantee its commitment to ensure the adequate treatment of personal data for legitimate purposes that may be the object of its activities and reinforces its commitment to good privacy and data protection practices with the following actions:
• Production and dissemination of information, regardless of format, that describes the individual responsibilities of the recipients of this Policy in terms of privacy and protection of personal data;
• Providing training, guidance and advice to Hitalk employees and third parties, including, but not limited to, online courses, workshops, internal meetings, regular conversations, lectures, among other initiatives; sharing content made available in digital and/or in-person format.
• Incorporation of concerns and care in the treatment of personal data in all stages of its activities, including, but not limited to administrative routines, service provision, among others.
• Identification and in-depth assessment of risks that could compromise the achievement of Hitalk’s objectives in the area of privacy and protection of personal data; define, create and implement action plans and policies to mitigate the identified risks; in addition to maintaining a continuous assessment of the scenarios in order to assess whether the measures implemented do not require new guidelines and attitudes.
From the entry into force of the LGPD, the person in charge at Hitalk – also referred to as Data Protection Officer (Hitalk DPO) – aided by its technical team, has the following responsibilities:
• Monitor compliance with applicable personal data protection laws, in accordance with Hitalk’s policies;
• Guide the recipients of this Policy regarding Hitalk’s privacy and protection of personal data;
• Ensuring that data protection rules and guidelines are informed and incorporated into Hitalk’s routines and practices;
• Organize training on personal data protection at Hitalk;
• Provide clarifications, offer information and report on the operations of processing personal data and their impacts to the competent public authorities (e.g. Public Ministry, National Authority for the Protection of Personal Data, etc.);
• Respond to requests and complaints from holders of personal data whose data have been processed by a Hitalk unit.
• Assist in audits or any other assessment and monitoring measures involving data protection;
• Prepare reports on the impact of privacy and data protection, technical opinions and document review with regard to data protection.
14. INFORMATION SECURITY
The rules for information security and prevention of personal data incidents will be contained in Hitalk’s internal regulations and related documents.
Hitalk reinforces its commitment to employ appropriate technical and organizational measures in dealing with personal data, and to endeavor to protect the personal data of personal data holders against unauthorized access, loss, destruction, unauthorized sharing, among other hypotheses.
15. INTERNATIONAL TRANSFER OF PERSONAL DATA
In cases where Hitalk is authorized to process personal data regardless of the consent of the data subject, Hitalk may transfer personal data to other countries, provided that either:
- The country is classified as having an adequate level of data protection assigned by the ANPD or the transfer is authorized by the ANPD;
- As long as there is no list of countries of an adequate level released by the ANPD, the country is classified by the European Commission, by means of an Adequacy decision, as a country of adequate level according to the GDPR criteria;
- The international personal data processing agent offers Hitalk at least one of the safeguards below:
  - Codes of Conduct regularly issued or binding corporate rules approved by the European Commission;
  - Standard Contractual Clauses issued by the ANPD or the European Commission;
  - Seals and certificates of conformity or adequacy to the protection of personal data granted by entities recognized by the ANPD or by the European Commission.
- Hitalk obtains explicit and prominent consent from the holders of personal data to carry out international personal data transfer operations, with prior information on the international character of the operation and emphasizing that the country does not have an adequate level of recognized data protection or that there are no safeguards for treatment agent compliance, as appropriate.
Hitalk may transfer personal data to other countries in the cases in which it is authorized to process personal data based on consent, provided that it obtains explicit and prominent consent from the holders of personal data to carry out international personal data transfer operations, with prior information on the international character of the operation.
• If the country does not have an adequate level of recognized data protection or there are no safeguards for the compliance of the processing agent, such information should be provided to the holder of personal data in advance, in order to consent to the risks of the operation.
Through its digital platforms, Hitalk undertakes to inform the holders of personal data about the occurrence of international personal data transfer operations, designating the set of forwarded data, the purpose of the shipment and its destination.
16. DATA PROTECTION CULTURE AND TRAINING
For the expansion of the culture of protection of personal data in the Institution, the recipients of this Policy undertake to participate in the training, workshops, meetings and training proposed by Hitalk.
In order to help them understand their duties and how to fulfill them, Hitalk employees whose duties require regular treatment of personal data, or those responsible for implementing this Policy undertake to participate in additional training.
17. PERMANENT FOLLOW-UP COMMITMENT
Hitalk is committed to ensuring the adequate treatment of personal data for legitimate purposes that may be the object of its activities and reinforces its commitment to good privacy and data protection practices, committing itself to keep updated the rules and recommendations issued by the ANPD or other competent authorities. In order to reinforce the Institution’s permanent commitment to privacy and the protection of personal data, Hitalk undertakes to revisit this Policy periodically and, at its discretion, to promote changes that update its provisions, with all changes made in due course being communicated through the Institution’s official channels.