PRIVACY POLICY

SUMMARY

1. OBJECTIVE

Polo iT Information and Technology’s Privacy Policy aims to declare the company’s commitment to the privacy and protection of personal data, as well as to clarify in general terms how personal data are treated, both in physical and digital media, and provide Data Subjects with bases for the regular exercise of rights, as stated by Federal Law 13.709/2018 – General Data Protection Law (GDPR).

2. APPLICATION

This Policy applies to every individual who has a relationship with Polo iT, classified in the following groups of data subjects: Partners, Employees, Interns, Customers (internal and external), Prospects, Suppliers, Service Providers, Partners and users of the institutional website and users of the company’s services and systems.

3. TERMS AND DEFINITIONS

Personal Data: Any and all information related to an identified or identifiable natural person (name, age, date of birth, personal documentation, bank details, home address, telephone numbers, e-mail, location, etc.).

Sensitive Personal Data: Data that contains personal information about racial or ethnic origin, religious belief, political opinion, sexual orientation, membership in trade unions, religious, philosophical or political organizations, data relating to health, genetics or biometrics.

Holder: It is the natural person to whom the personal data refers.

Data Handling: Any operation performed with personal data, which includes collecting, processing, storing, sharing, transferring, removing, merging, etc.

Consent: It is the free and unequivocal expression by the data subject, who demonstrates authorization to third parties, for the processing of their personal data.

Controller: Individual or legal entity governed by public or private law who administers and makes decisions regarding the processing of personal data.

Operator: Individual or legal entity governed by public or private law that processes personal data on behalf of the controller, such as suppliers, service providers, etc.

In charge: Person appointed by the Controller who is responsible for communication between the controller, data subjects and the National Data Protection Authority (ANPD).

4. PRINCIPLES OF THE GENERAL DATA PROTECTION LAW

Polo iT Information and Technology, as Data Controller, is committed to processing personal data properly, in line with the principles of the GDPR:

  • Goal;
  • Adequacy;
  • Need;
  • Free access;
  • Data Quality;
  • Transparency;
  • Safety;
  • Prevention;
  • Non-Discrimination;
  • Accountability;

5. COLLECTION AND USE OF PERSONAL DATA

Polo iT performs the collection and processing of personal data, to operationalize its services and to materialize contractual relationships, always considering the interests of the holders and compliance with the guidelines established in the General Data Protection Law (GDPR).

Generally speaking, the collection of personal data takes place with your consent, where most of the data is provided by you. However, in accordance with article 11 of the GDPR, it is worth noting that your data may be collected and processed without formalized consent, in the following cases:

I – The data are necessary to comply with a legal or regulatory obligation by Polo iT;

II – The data are necessary for the execution of the contract or preliminary procedures relating to a contract to which you are a party;

III – When there is shared processing of data, necessary for execution by the public administration, of public policies provided for in laws or regulations;

IV – To be used by the company in the regular exercise of rights, including in contracts and in judicial, administrative and arbitration proceedings, pursuant to Law No. 9,307, of September 23, 1996 (Arbitration Law);

In addition to the direct personal data we collect: first name, date of birth, address, phone number, email, ID and CPF, we collect some virtual data related to you when you use our systems, applications, website, such as: user login, access date and time, accessed locations, log information, IP address and the like.

We collect this data to ensure the company’s security in data processing and to give you access to our solutions. By reading and accepting this Policy, you automatically authorize the collection of this type of virtual information and declare that you are aware of the reasons why this data is collected.

We emphasize that the reasons why we collect personal data at Polo iT are in line with the legal bases of the GDPR that allow the processing, and for each piece of information we collect, we respect the principles of purpose, adequacy and necessity.

If the company needs to collect data beyond the minimum necessary to operationalize the provision of services and establish contractual relationships, in order to improve your experience with its products and services, you will be asked for consent.

For more details about your personal data and the treatment we carry out, you can make a request using the means of contact disclosed in item 10 of this Policy.

6. SECURITY MEASURES

Polo iT has implemented an Information Security Policy, Procedures and Technical and Administrative Measures aimed at data security and privacy, in order to protect all information stored in the company, both in physical and digital media, especially personal data, against loss, theft, unauthorized access, misuse, illegal sharing, exposure, alteration or destruction of data, preserving your rights as a holder and the guidelines of the GDPR.

In Polo iT’s virtual environments, your data is kept monitored and protected by security devices that monitor all network and system traffic. The environments were structured based on the best information security techniques available in the market and regulations aimed at data security.

Access to virtual environments is segregated and allowed only to authorized personnel. Remote connections happen through a Virtual Private Network (VPN) or similar technology. We apply permission control in all the company’s network environments, restricting access to the minimum necessary.

The company’s physical facilities are also strictly controlled through the physical security technologies adopted, in order to keep the Data Processing Center (DPC) and other information storage environments protected and inviolable.

All employees are constantly oriented and trained to carry out the processing of personal data in accordance with the internal Policies and Procedures established by Polo iT, in line with the obligations of the General Data Protection Law and other related legislation.

7. CUSTOMER ENVIRONMENT

We clarify that Polo iT, when processing data in customer database environments, during the provision of services, assumes the role of operator, and therefore, performs processing according to lawful requests and instructions, provided by the controller (customers), in accordance with the law. However, it is up to customers to verify the compliance and adequacy of their instructions with respect to applicable standards and legislation, including the GDPR.

As responsible treatment agents, we adopt security, technical and administrative measures to protect customer databases from unauthorized access and accidental or unlawful events.

Connections established with the customers’ environment for the provision of services are made through connection gateway servers, and connections via VPN can only be made from these servers, where all sessions of connected users are recorded for later audits, and also for keeping records of treatment operations. In this context, it is noteworthy that no Polo iT personal workstation has the ability to access any client’s virtual environment without first connecting to the servers.

Finally, in accordance with the GDPR, we will be jointly and severally liable for any (proven) damages in the customer’s environment, caused by our treatment, when we demonstrably fail to comply with the obligations of data protection legislation or when we have not followed the lawful instructions of the customers/controllers.

8. SHARING DATA WITH SUPPLIERS AND PARTNERS

Polo iT, in the position of Data Controller, may share your personal data with other organizations, in the following cases, aligned with the GDPR:

  • When other parties are involved in the provision of services, so that delivery takes place in accordance with the agreement made in the contract. In these cases, only the minimum data necessary to carry out the activities will be shared;
  • When, in your relationship with the company, sharing is necessary to meet legal and regulatory obligations;
  • Or, when sharing is necessary to promote public policies by the Public Administration.

When sharing, Polo iT observes the Privacy Policies and other rules adopted by third parties, with which it aligns contractual clauses and security standards, guiding third parties in the proper treatment of shared data and in the adoption of security measures that preserve your data.

According to the GDPR, other organizations with which data is shared adopt the role of operators when they receive the data. Once in this position, suppliers and partners must be aware that they will be held liable in case of incidents or wrongdoing related to the data shared, and shall be liable for damages when they fail to comply with the obligations of data protection legislation or the guidelines/instructions determined by Polo iT.

To prevent data loss, the company can store its data in cloud environments located outside Brazil. However, we carefully select reliable providers in the market, and that comply with the laws of your country applicable to privacy and data protection, in line with Brazilian laws.

By reading and accepting this Privacy Policy, you confirm awareness and authorization of data sharing performed by Polo iT. If you would like more specific information about the sharing of your data, you can contact us through the channels disclosed in item 10 of this Policy.

9. KNOW YOUR RIGHTS

According to the General Data Protection Law, in chapter III, Art. 17 and 18, you, as the owner of personal data, have the following rights, if you have any relationship with Polo iT:

I – Request and obtain confirmation of the existence of the processing of your personal data;

II – Request copies of the data about you that are being processed;

III – Request the correction of your data if they are incomplete, inaccurate or out of date;

IV – Anonymization, blocking or deletion of unnecessary, excessive or processed data in breach of the provisions of this Law;

V – Request data transfers to another organization;

VI – Request the deletion of your personal information.

VII – Request clarification on other organizations with which the company shares data;

VIII – Be informed about the possibility of not providing consent and the consequences of denial;

IX – Revoke the consent already provided, pursuant to § 5 of art. 8 of the GDPR.

Note: The right to delete data may not be granted to you in the following exceptions:

A – If we have a contractual obligation;

B – If we have a legal obligation;

C – If we have a legitimate interest, which does not harm your rights and fundamental freedoms;

D – Or, if we need the data to perform an obligation with the public administration, for the execution of public policies.

In any case, if you request the deletion of your data and the request is refused, you will be informed in detail about the reasons for the refusal, as well as the possible consequences should you continue to oppose the treatment.

10. CHANNEL FOR REQUESTS AND CONTACT MEANS

To exercise your rights, as explained, you can contact us through our contact form. If you have any questions or any need for communication related to the topic, get in touch via e-mail: dpo@polo-it.bto.pt

11. UPDATE

Polo iT reserves the right to update this Privacy Policy whenever necessary, both to reflect new directions from the National Data Protection Authority (NDPA) and for review and new implementations at the company’s discretion.

We will keep you informed of changes and new versions.

12. RESPONSIBILITIES

12.1. POLO IT AS DATA CONTROLLER

Handle personal data in accordance with GDPR guidelines and other applicable laws and regulations;

Implement and maintain technical measures and procedures for data protection, safeguarding the rights of holders;

Take corrective measures as needed;

Meet the requests of data subjects that relate to the company, its products and services, and provide further clarification.

12.2. POLO IT AS A DATA OPERATOR (CUSTOMER ENVIRONMENTS)

Perform data processing in accordance with the instructions provided by the controllers (customers) and applicable legislation.

12.3. DATA PROTECTION OFFICER (DPO)

Act as a communication bridge between Polo iT, Data Subjects and the National Data Protection Authority;

Carry out the activities provided for in the GDPR in accordance with article 41.

12.4. DATA OPERATORS

Treat personal data according to Polo iT guidelines;

Implement security protocols guided by Polo iT;

Respond in case of incidents with data shared by Polo iT.

13. REVIEW AND APPROVAL CONTROL

Revision: 01
Revision Date: 19/07/2021
Change History: Initial Issue
Prepared by: Vérica Almeida
Reviewer: Joel Menezes

14. REFERENCES

Law 13.709/2018 – General Data Protection Law (GDPR)