In the daily life of the Beontag holding, whether conducting business, in the search for new products, services and opportunities, or organizing its internal structure, personal data the processing is an indispensable part of this reality. Processing personal data is instrumental to our activities, and Beontag understands that it must act responsibly and transparently, taking care of such information and providing it with technical and administrative security measures.
This Policy provides guidelines and rules related to the privacy and protection of personal data of customers, employees, and third parties during the processing of personal data by the Beontag holding, and in dealings with third parties where personal data are shared or the use thereof is shared.
This document from the Beontag is intended to comply with the applicable data protection standards, promoting transparency and good faith before data subjects by protecting their personal data and civil rights and liberties, including Act No. 13.709/2018 (“GDPL”), and bringing the best practices to their fingertips.
The Policy applies to the entire Beontag holding, and particularly to the business and operating areas, as well as third parties with which the Beontag holding shares personal data, both in Brazil and abroad.
§ General Personal Data Protection Law (“GDPL”) – Act No. 13,709/2018;
§ General Data Protection Regulation (“GDPR”) – Regulation (EU) 2016/679;
§ ANPD: National Data Protection Authority
§ Beontag : Beontag holding
§ Controller or controllers: natural or legal persons under public or private law, that are responsible for decisions regarding the processing of personal data.
§ Anonymized Data: data related to the data subject, that cannot be identified, considering the use of reasonable technical means available at the time of processing.
§ Personal data: information related to an identified or identifiable natural person. That is, information that identifies a natural person, either directly (name, surname, Tax ID, fingerprint, e-mail address, telephone number) or indirectly, from associations and profiling (postal address, marital status, job, income, financial history, credit rating).
§ Sensitive personal data: personal data about racial or ethnic origin, religious conviction, political opinion, affiliation to a union or an organization of a religious, philosophical or political nature, data relating to health or sex life, genetic or biometric data, when linked to a natural person. Otherwise, personal data that reveal information related to the Data Subject’s privacy, which may lead to discrimination. Sensitive personal data entails higher risks than personal data and vulnerabilities to the rights and freedoms of the Data Subjects.
§ Data Protection Officer (DPO): at Beontag holding, the person acting as the communication channel between the controller, the data subjects and ANPD.
§ Personal data processing flow (“Flow”): any operation carried out by an area at Beontag, which involves the processing of personal data for a specific purpose.
§ Deletion: removal of data or a data set stored in databases or physical documents.
§ Security incident: an event related to the technical or administrative security of personal data, and which may pose risks or damage to the Data Subjects. Examples of incidents include data leakage, unauthorized access, destruction or change of personal data, among others.
§ Minors: refers to children (up to twelve years years of age) and adolescents (between twelve and eighteen years of age).
§ Program: refers to Beontag´s personal data protection compliance program.
§ Operator or operators: natural or legal person(s), under public or private law, that process(es) personal data on behalf of the controller.
§ RIPD, or Impact Report: the impact report on the protection of personal data, provided for in the GDPL, and mandatory for the cases listed in the Form for Registration of New Personal Data Processing.
§ Third Parties: includes natural and legal persons, as suppliers, service providers, commercial representatives, partners, brokers, among other legal relationships, that process personal data on behalf of the Beontag holding.
§ Legitimate Interest Proportionality Test: a four-phase test to be conducted in parallel with the Impact Report, whenever the treatment hypothesis is in the legitimate interest of the Beontag holding. The test is provided for in the Form for Registration of New Personal Data Processing.
§ Data Subject or Data Subjects: natural person(s) to whom the personal data that are processed by the Beontag holding refer, including, e.g., customers, employees, directors, shareholders, and partners of third parties.
§ International transfer or international data transfer: transfer of personal data to another country, at any time during processing, including for mere storage purposes. A transfer is not to be confused with the transmission, which is merely using a medium (e.g. e-mail with a server abroad), to a recipient in Brazil.
§ Processing: all operations carried out with personal data and sensitive personal data, from collection to disposal, including the mere access and viewing of the data.
§ Shared Use of Data: Communication, dissemination, international transfer, interconnection of personal data, or shared processing of bases of personal data by public bodies and entities in compliance with their legal powers, or between these and private entities, on a reciprocal basis, under specific authorization, for one or more processing modes allowed by these public entities, or between private entities.
§ Users – all people who visit and access CCRR Group websites or software applications. We may also refer to the User as “you.”
5. GENERAL PROVISIONS
5.1. General Concepts
5.1.1. Processing of Personal Data
The processing of personal data includes: “every operation performed with personal data, such as those relating to the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archival, storage, disposal, information evaluation or control, modification, communication, transfer, diffusion or extraction.”
Under the broad legal definition, any action listed above involving personal data constitutes a processing activity. Applying an effective conduct with personal data, or resulting in a different product, is not necessary. Mere viewing, based on the access to personal data, characterizes processing.
The Beontag holding, concerned with the compliance of each processing performed under our responsibility, seeks to raise awareness of our employees and third parties and continuously adopt security measures.
§ Collection, reception, use, and storage of personal data to register new customers and keep the base of existing customers;
§ Use and communication of personal data in official reports to regulatory bodies;
§ Control of employee information and transmission to public bodies, in compliance with the applicable laws;
§ Archival of third-party personal data during the law-mandated period;
§ Deletion of personal data of terminated employees, after the mandatory storage period has elapsed.
5.1.2. Information collected
The Beontag holding collects data and information from Users on our websites or software applications when provided by the User, and pursuant to the legal basis for processing under the GDPL, by filling out registration forms.
To facilitate the use of the website or software application, the Beontag holding may also collect data from the User’s navigation or device by tracking (cookies), authorizations granted to websites or software applications that provide geographic location, Internet protocol address, information on the date and time of use of the website by the User, information regarding pages accessed, the number of clicks, and the User’s attempts to use the Website.
We emphasize that any non-sharing of data by the User may impact the usability and experience of accessing the website or software applications.
Any consent from the User for the purpose of processing personal data is collected on an individual, clear, and specific basis. The User may, at any time, change his/her consent to the processing of his/her data, either by granting new permissions or restricting consent to the current permissions. Other information and guidelines related to User consent may be identified in the Consent Management Policy.
The CCRR Group provides a communication channel to Data Subjects, publicly accessible on our website. It can be accessed at https://www.contatoseguro.com.br/beontag
5.1.3. Importance of collecting your information
Information collection is intended to provide necessary services and improve the products and services offered, to facilitate the User experience, enable support and service to Users, in addition to complying with and performing legal, contractual, and regulatory obligations, provide security, and allow the regular exercise of rights by the User and the Beontag.
Cookies are Internet files that store what the Internet user is visiting on websites at any given time.
Cookies can be used to allow access to and operation of websites or software applications; authentication cookies, recognize Users, enabling their access to restricted areas of websites or software applications, and provide contents, offers and/or services of the Beontag or partners.
The Cookies available on the Beontag holding websites allow users to have a personalized, faster browsing experience and improved content customization.
5.1.5. Disabling cookies
The User can disable cookies in his/her browser and in the settings of the operating system of his device or equipment used to access websites or software applications.
However, we don’t recommend disabling operating cookies, as they can block or prevent the functionalities and even the use of websites or software applications, especially those related to the user experience customization, hindering browsing through Beontag holding websites.
5.1.6. Processing agents
There are two categories of agents involved in processing operations, namely controllers and operators. Controllers are responsible for the decisions to be made when processing personal data, while operators conduct the processing activities as ordered by the controller.
5.2. Principles and legal basis
The CCRR Group only carries out processing operations in line with the GDPL requirements, mainly in relation to our processing principles and hypotheses (legal basis).
5.2.1. Legal basis
Personal data will only be processed under the following circumstances:
When required for preliminary procedures or for the performance of an agreement – at the request of the Data Subject – to which the Data Subject is a party; or
LEGAL OR REGULATORY OBLIGATIONS
If a legal or regulatory obligation exists, which results in the need to process personal data in order to comply therewith; or
For credit protection, also concerning the provisions of the applicable law; or
REGULAR EXERCISE OF RIGHTS
For the regular exercise of rights in judicial, administrative, or arbitration proceedings, also during a limitation period;
If related to the execution of a public policy by the government, under a scenario where the Beontag holding is legally bound; or
To meet the legitimate interests of the controller or a Third Party, provided that it meets the requirements of the legitimate interest proportionality test; or
When the preceding hypotheses do not apply, and the Data Subject has provided consent for the precise purpose of the processing in question.
The processing operations must comply with the aspects indicated in the Data Mapping, especially regarding the purposes.
As a rule, the CCRR Group does not process sensitive personal data, except under the following circumstances:
LEGAL OR REGULATORY OBLIGATIONS
If a legal or regulatory obligation exists, which results in the need to process personal data in order to comply therewith; or
REGULAR EXERCISE OF RIGHTS
For the regular exercise of rights related to an agreement or for judicial, administrative, or arbitration proceedings, also during a limitation period;
If related to the execution of a public policy by the government, under a scenario where the CCRR Group is legally bound; or
FRAUD PREVENTION AND DATA SUBJECT SECURITY
To ensure fraud prevention and for the Data Subject’s security, specifically in the identification and authentication procedures for registration in electronic systems; or
When the preceding hypotheses don’t apply and the Data Subject has provided consent in a specific and prominent manner for a specific purpose linked to the processing of sensitive personal data.
All processing operations should observe the GDPL principles, especially with regard to the following guidelines:
Under no circumstances may personal data and sensitive personal data be treated in a discriminatory manner among the Data Subjects of a certain category.
(ii) Purpose, Suitability, and Need
In all operations, Beontag will process the minimum necessary amount of personal data compatible with legitimate, specific, explicit purposes, reported to the Data Subject, in addition to complying with the applicable legal basis.
(iii) Open Access, Data Quality, and Transparency
Beontag will ensure to the Data Subjects easy, free-of-charge query on the processing form and duration, as well as accurate, informative details regarding the processing itself and the agents involved, as long as it does not violate the trade or industrial secret of the institution or a Third Party.
We also ensure the quality of the personal data used, enabling the Data Subjects to update these to improve their accuracy and to bring these in line with the processing.
(iv) Security, Prevention, and Accountability
The Beontag adopts security standards commensurate to our operations, especially when they involve the processing of personal data, in order to prevent security incidents.
5.3. Rights of Data Subjects
The Beontag holding ensures compliance with the rights of the Data Subjects when processing personal data, pursuant to the provisions mentioned below:
§ Right of Access/Explanation: the subjects of personal data processed by the Beontag holding may have access and request information such as the confirmation that their data is being processed by the company, as well as information on said processing. The replies to such requests will be given in an abridged or full manner, as provided for in law, within fifteen (15) days as of the Data Subject’s request, except for industrial secrets;
§ Right to Rectification: The subject of personal data may request rectification of the registration of his/her personal data, such as inaccurate, incorrect or outdated data;
§ Right to Erasure: The Data Subject may request the erasure, blocking or anonymization of his/her personal data processed by the Beontag when the data is excessively or illegally processed. The Data Subject will also be entitled to request the erasure of his/her personal data when the legal basis for processing is based on consent, except in cases of storage provided for in law;
§ Right to Opposition: the data subject may object to the processing of his/her personal data if s/he has not consented to such processing;
§ Right to Portability: the data subject may request the portability of his/her personal data to another service or product provider, upon express request, pursuant to ANPD regulations and the regulatory agencies.
To meet the Data Subjects’ requests, the CCRR Group has tools and mechanisms in place intended to make the response or compliance with these rights expedite and effective, and to provide the proper filing of the actions taken regarding such request.
To this end, we make available a communication channel for Data Subjects, publicly accessible on our website. It can be accessed at https://www.contatoseguro.com.br/beontag.
6. SPECIFIC GUIDELINES
6.1. International Transfer
The Beontag adopts a restrictive conduct regarding the international transfer of personal data, performing it only when strictly necessary to carry out its activities or when there is a security standard in place compatible with our guidelines.
In these cases, the Beontag holding observes the local laws of the target country of transfer, for due compliance. The CCRR GROUP also ensures the prior knowledge of the Data Subjects on the possibility of international transfer of their personal data, based on contractual clauses or specific consent, on a case by case basis.
The Beontag also complies with the GDPL requirements for the possibility of international transfer:
§ Personal data is transferred to countries with an adequate degree of protection, in line with ANPD guidelines;
§ Personal data is transferred when the Beontag is able to take responsibility. In this case, in addition to observing the rights and duties provided for in the GDPL, the CCRR Group will use specific contractual clauses or standards; global corporate standards; and the Personal Data Protection Compliance Program.
6.2. Processing of Personal Data of Minors
The Beontag does not, as a rule, process the personal data of minors. However, there are times when processing such data is necessary. In these cases, the data will be processed in the best interest of the minor.
In these cases, the specific and explicit consent of the parents of the subject of the personal data is mandatory, except when the legal basis of the processing includes the regular exercise (defense) in judicial, administrative, or arbitration proceedings, only when referring to the processing of adolescents’ data.
The personal data of children and adolescents, as well as their sensitive data, should be subject to stronger protection compared to other personal data. In this way, sensitive personal data should be prominently classified.
6.3. Privacy by Design
Taking into consideration the principle of Privacy by Design, all products and services designed by the Beontag are reviewed from the outset for guaranteed privacy and protection of personal data of the Data Subjects.
The review begins with the area responsible for the innovation completing the Form for Registration of New Personal Data Processing, and is discussed by the Data Protection Committee, which ensures compliance with the principle in question.
7. FINAL PROVISIONS
This document should be read and construed in conjunction with the other Policies and Procedures used by the Beontag, as well as related laws and regulations.
Suzane Oliveira Silva
Email: [email protected]