Privacy Policy - Guarulhos Sucatas

Privacy Policy

GENERAL DATA PROTECTION POLICY (Rev.1:07/18/2023)

  1. OBJECTIVE

This Data Protection Policy describes the behavior expected of all GUARULHOS SUCATAS employees who use and process Personal Data. It also covers third-party contractors who process personal data on behalf of GUARULHOS SUCATAS.

  2. Application

This policy applies to all procedures and activities that, directly or indirectly, lead to the processing of Personal Data (of Individuals or Legal Entities) held by GUARULHOS SUCATAS:

  • Any Personal Data processed by employees, customers, service providers, local stakeholders, external consultants, business partners, and suppliers;
  • Any and all Personal Data processing activities, carried out by partially or fully automated means, involving personal data stored on physical media or in cloud services.

  3. DEFINITIONS

  • Consent: Any freely determined, specific, informed, and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or explicit affirmative action, accepts the Processing of his or her Personal Data;
  • Natural Person: also known as a physical person, a human being with rights and responsibilities in the civil realm;
  • Legal Entity: an entity (company, society, organization, etc.) formed by one or more Natural Persons with specific purposes and goals and unique, characteristic rights and responsibilities;
  • Personal Data: information related to an identified or identifiable natural person;
  • Sensitive Personal Data: Personal Data about racial or ethnic origin, religious conviction, political opinion, affiliation to a union or organization of religious, philosophical, or political character, data related to health or sexual gender option, genetic or biometric data, when linked to a natural person;
  • Anonymized Data: Data related to a data subject who cannot be identified, considering the use of reasonable technical means available at the time of processing;
  • Natural Data Subject: natural person to whom the Personal Data being processed refers;
  • Natural or Legal Person in Control: The natural person or legal entity, whether in the public or private domain, responsible for making decisions regarding the processing of Personal Data;
  • Operator: Natural person or legal entity, whether in the public or private domain, that processes Personal Data on behalf of the controller;
  • Data Controller: Person appointed by the Person in Control and Operator to act as a channel of information between the Person in Control, the data subjects, and the National Data Protection Authority (ANPD);
  • Processing: Any operation carried out with Personal Data, such as those referring to the collection, production, reception, classification, utilization, access, reproduction, transmission, distribution, processing, archiving, storing, deletion, evaluation, or control of information, modification, communication, transfer, diffusion or extraction;
  • Anonymization: Use of reasonable technical means available at the time of processing, through which a piece of data loses the possibility of direct or indirect association with an individual;
  • National Data Protection Authority (ANPD): Public administration authority responsible for ensuring, implementing, and monitoring compliance with this Law throughout the national territory.
  4. Guidelines

4.1 Data Management

Data management is designed to collect, maintain, and use data securely, efficiently, and economically.

Each area is responsible for diligently controlling and following formalized procedures.

4.1.1 Employee data management

Only data necessary for employee relationship processes, recruitment, and submission to relevant government bodies is collected.

The data can be collected through physical or digital means and is maintained in our archives throughout the working relationship and discarded 30 years after the termination of employment, as required by law.

All physical records with employee data that are processed daily are duly destroyed.

4.1.2 Treatment of Personal Data (Sensitive Data)

  • Biometric Data: Biometric data are collected at the time of admission for identification when clocking in and releasing the turnstile. They are stored for the duration of the working relationship and are discarded during the dismissal process.
  • Photos and Images: The collection of images or requests for photos is done throughout the working relationship; however, at the time of hiring or when participating in a project, a document will be presented where the image owner may or may not authorize the collection and/or dissemination of their images for an indefinite period.

4.1.3 Management of third-party data

GUARULHOS SUCATAS seeks to guarantee that Personal Data is only handled by authorized personnel and equipment, through the management and responsibility of the Person in Control and with the permission of the data subject in registration forms.

For candidates in the selection process, the files containing personal data collected from résumés submitted on the organization’s website (documents, word-processor files, and spreadsheets) are stored in the Google Workspace corporate cloud service, and their processing is formalized in document PR-037.

All Contracts must contain provisions that establish clear and precise data protection obligations, in addition to common clauses that specify the purpose, the obligations of the contractor and the contracted party, the payment and duration of the contract, and if the contracted Legal Entity has internal data processing policies that comply with the law.

Data protection clauses that must appear in the contract:

  • A clause specifying matters related to the autonomy of the contracted party, stipulating the limits of this autonomy in line with the provisions of the LGPD (General Personal Data Protection Law) and the responsibilities arising from abusive or irregular use of that autonomy;
  • A clause that establishes the permissions granted to the contracted party, how they will be granted, for how long, in what respects, and the liability arising from their misuse. It must specify that the contracted party cannot use information obtained as a result of the contract for purposes other than those established in the document they signed;
  • A confidentiality clause (as mentioned above) that seeks to protect the interests not only of the (natural or legal) contracting party but also of the contracted party, establishing clear rules of professional secrecy during the use of data, in line with the text of the LGPD;
  • Clauses that define rules for sharing data when necessary and specify the requirements that must be observed in each specific case;
  • A clause stipulating the responsibility of the contracted party to inform the contractor, as soon as possible, of any security incident or violation that could cause considerable damage to data subjects, so that the Person in Control can adopt the appropriate legal measures within the timeframe required by law.

4.2 Data Security

GUARULHOS SUCATAS has technical measures and procedures in place to guarantee the adequate security of Personal Data and follows the guidance of the National Data Protection Authority (ANPD). To this end, it adopts anti-intrusion procedures so that personal data in the possession of the Person in Control is not leaked, and it maintains a data protection system consisting of a firewall, internal policies, and access control over the personal data processed.

Employees are trained and made aware of their obligations relating to the processing of personal data and are encouraged to report any incident or vulnerability so that it can be corrected and the risk treated immediately upon detection. They are also informed of, and sign, the confidentiality agreement covering the information and personal data this policy covers.

Systems are accessed through authentication with individual logins and passwords that are not reused. Employees are instructed not to share logins or passwords, so that monitoring remains effective.

Access to personal data is granted by permission level according to each job description, so that all access to personal data follows the need-to-know criterion. Full access is restricted and monitored.

Our systems run an antivirus that works together with the firewall; in addition to the conventional antivirus, the firewall’s own antivirus monitors all traffic in conjunction with other tools. All access ports that are not in use are closed and monitored continuously.

The Fortinet Firewall is the device that, through pre-established parameters, manages external data flow and increases company security, for example through internet access policies and external and internal access filters. Access to its configuration is restricted so that employees cannot alter it without permission.

The contracted AWS cloud service has specific protections with security guarantees, rules and control for user access, and multi-factor authentication.

4.2.1. Vulnerability Management

In case of a cyberattack, the procedure adopted by the Data Controller and IT sector is:

  • Notify the ANPD about the data breach as soon as possible;
  • Inform affected data subjects about the breach if there is a risk of, or relevant damage to, their rights and liberties;
  • Take measures to mitigate the effects of the breach and protect the personal data involved;
  • Conduct an internal investigation to understand the extent of the breach and identify any vulnerabilities;
  • Record the details of the breach and the actions taken to resolve it in an internal report;
  • Notify law enforcement authorities.

4.2.2. Backup copies

Our backups are made in the cloud (Acronis) and manually on storage equipment.

Copies are made daily through incremental backup, and once a month a full copy is created, overwriting the previous one.

This data is encrypted, protected by a 256-bit password, and by firewall and antivirus protections.

4.3 Data Subject Rights

Data subjects must be informed by the Person in Control or Operator of how their Personal Data is being processed.

In general, Personal Data must be collected directly from the individual in question (Data Subject). When Personal Data is collected, whenever possible, the Data Subject must be aware of or informed about:

  • Who the Data Controllers are;
  • The purpose of Personal Data Processing;
  • Third parties or categories of third parties to whom Personal Data may be transmitted.

The process for registering Consent must be documented by the Data Controller both for the provision of Consent and its possible revocation.

4.4. Privacy Policy and Cookies

When using the services and/or digital tools made available to Users through its Website [www.guarulhossucatas.com.br] or application for collecting data:

  • compliance with legal or regulatory requirements by Guarulhos Comércio de Sucatas;
  • study by a research body, guaranteeing, whenever possible, the anonymization of personal data;
  • transfer to third parties provided data processing requirements defined in law are respected;
  • exclusive use by Guarulhos Comércio de Sucatas provided that the data is anonymized.

GUARULHOS SUCATAS uses the above guidelines for all data processing and cookies per the LGPD legislation.

4.5 Review

This policy must be reviewed annually or when alterations are necessary.

COOKIES POLICY (AUG. 12, 2023)

  1. OBJECTIVE

This policy aims to comply with the principle of transparency and assist the data subject in understanding the processing of personal data collected through cookies.

  2. APPLICATION

This policy applies to data collected by digital tools or technologies made available to Users through its website [www.guarulhossucatas.com.br] or application.

  3. DEFINITIONS

  • Cookies: files installed on a user’s device that allow certain information to be collected;
  • Necessary cookies: used for the site or application to perform essential functions and operate correctly;
  • Unnecessary cookies: related to non-essential functionality of the service, application, or webpage, for example, used to track behavior and measure the performance of the page or service, in addition to showing advertisements or other embedded content;
  • Legitimate interest: the legal basis of legitimate interest authorizes the processing of non-sensitive personal data when necessary to address the legitimate interests of the controller or third parties;
  • Consent: any freely given, specific, informed, and explicit indication of the wishes of the Data Subject, by which he or she, by declaration or by an explicit affirmative action, agrees to the Processing of his or her Personal Data;
  • Natural Person: also known as a physical person, a human being with rights and responsibilities in the civil realm;
  • Legal Entity: an entity (company, society, organization, etc.) formed by one or more Natural Persons with specific purposes and goals and unique, characteristic rights and responsibilities;
  • Personal Data: information related to an identified or identifiable natural person;
  • Sensitive Personal Data: Personal Data about racial or ethnic origin, religious conviction, political opinion, affiliation to a union or organization of religious, philosophical, or political character, data related to health or sexual gender option, genetic or biometric data, when linked to a natural person;
  • Anonymized Data: Data related to a data subject who cannot be identified, considering the use of reasonable technical means available at the time of processing;
  • Natural Data Subject: natural person to whom the Personal Data being processed refers;
  • Natural or Legal Person in Control: The natural person or legal entity, whether in the public or private domain, responsible for making decisions regarding the processing of Personal Data;
  • Operator: Natural person or legal entity, whether in the public or private domain, that processes Personal Data on behalf of the controller;
  • Data Controller: Person appointed by the Person in Control and Operator to act as a channel of information between the Person in Control, the data subjects, and the National Data Protection Authority (ANPD);
  • Processing: Any operation carried out with Personal Data, such as those referring to the collection, production, reception, classification, utilization, access, reproduction, transmission, distribution, processing, archiving, storing, elimination, evaluation, or control of information, modification, communication, transfer, diffusion or extraction;
  • Anonymization: Use of reasonable technical means available at the time of processing, through which a piece of data loses the possibility of direct or indirect association with an individual;
  • National Data Protection Authority (ANPD): Public administration authority responsible for ensuring, implementing, and monitoring compliance with this Law throughout the national territory;
  • User: Any natural person who uses or visits the Site(s) and/or Application(s), being 18 (eighteen) years of age or older, or emancipated and fully capable of performing acts of civil life, or absolutely or relatively incapable and duly represented or assisted;
  • Purpose: The objective that Guarulhos Comércios de Sucatas wishes to achieve through each act of personal information processing;
  • Necessity: The justification of why collecting personal data is strictly necessary to achieve a purpose, while avoiding excessive collection.

  4. Guidelines

Cookies allow the storage of a series of data on users’ devices. Information collected and stored by cookies can refer directly to a natural person or allow them to be indirectly identified.

Much of this information is essential for the adequate and secure functioning of our website and application and for enabling the provision of services in the digital environment.

4.1 Purpose

GUARULHOS SUCATAS values the privacy of its Users and uses information provided by them for the following purposes:

  • Carry out the contractual relationship with the User (or with the company where s/he works) and/or provide and improve our products and/or services requested by the User.
  • Communicate electronically with the user and send informative bulletins and institutional messages to the email registered on our site or application.
  • For legitimate interests, if these are not within the scope of executing a contract with a user or of a legal obligation, as long as the user has no overriding privacy interest, including: managing and administering our relationship with a user; dealing with job applications or subscriptions to any of our services or recruitment events; and conducting statistical research.
  • We may process user data for other specific ends after obtaining their consent (and, if necessary, explicit consent).
  • Execution of the various products, services, and/or digital tools contracted and made available to Users by GUARULHOS SUCATAS through the application. To fulfill this purpose, data entered into the application can be shared with partners and public agencies, as described in the current Cookies Policy.
  • Contact Users to confirm information that has been provided and request that any outstanding information be sent so that Guarulhos Comércios de Sucatas can adequately provide its services.
  • Send notices and/or institutional emails: this channel is used to send segmented content about our services and/or those of our partners.
  • In the event of a court decision requiring access to information stored by GUARULHOS SUCATAS, the respective data subject user will be notified so that they can arrange adequate defense measures.

The data can be used to manage and improve the application’s functionality, customize services offered, and conduct statistical studies.

4.2 Period

Data collected through the application and in connection with services will be stored only for the time required by relevant regulations or for as long as necessary for the purposes for which they were collected. Data will then be eliminated, in compliance with the law, except in the following cases:

  • Compliance with legal or regulatory obligations by GUARULHOS SUCATAS;
  • Study by a research body, ensuring the anonymization of personal data;
  • Transfer to a third party, provided that legal data processing requirements are followed; or
  • Exclusive use by GUARULHOS SUCATAS, provided the data is anonymized.

4.3 Data Collected

In carrying out its services, GUARULHOS SUCATAS, through its site (www.guarulhossucatas.com.br), requests and collects the personal data of its Users in the Contact, Registration, and Ethics Channel forms. All these forms are optional, for Users who wish to contact the company, register as a supplier, or lodge a complaint.

GUARULHOS SUCATAS also, through its Application, requests and collects the personal data of its Users in the Contact and Registration forms. All these forms are optional, for Users who wish to contact the company or register as a supplier or team member. When the user – supplier or company employee – decides to register with the application, they begin to use its operational functionalities for the company’s activity.

Essentially, personal data are sent by Users when using services offered by GUARULHOS SUCATAS. Depending on the service used by the User, GUARULHOS SUCATAS may act as an operator, in which case it processes personal data on behalf of the User, observing data protection legislation and the lawful instructions of the User. GUARULHOS SUCATAS may also act as a controller, in which case it is responsible for decisions about data processing. In both cases, GUARULHOS SUCATAS is committed to privacy protection and undertakes to comply with personal data protection legislation.

Given the purpose of the services offered, personal data such as name, address, CPF or CNPJ, telephone number, ID number, driver’s license number, and contact email, among others, may be required for the complete functioning of the services.

4.4 Sharing with third parties

GUARULHOS SUCATAS is not responsible for the processing of personal data by third parties due to the use of their own systems, applications, websites, and platforms in general. Processing done by third parties will be governed by their respective Privacy Policies.

Before using systems, applications, websites, and platforms in general of any of GUARULHOS SUCATAS’s partners, Users should carefully read the respective Privacy Policy, being aware that GUARULHOS SUCATAS has no responsibility or management over the processing of personal data carried out by partners or any third party.

4.5 Data Security

Data collected by GUARULHOS SUCATAS are stored under the strictest information security practices in the database of GUARULHOS SUCATAS or in databases kept “in the cloud” by service providers contracted by GUARULHOS SUCATAS, which are duly compliant with current data legislation.

The database is rigorously supervised and protected so that only authorized employees have access, who are contractually bound to secrecy and confidentiality. GUARULHOS SUCATAS will make its best efforts to ensure that the data are always handled according to the established Data Protection Policy.

Our applications respect the concept of privacy by design, in other words, we value user privacy throughout the process of developing and building our solutions.

However, though GUARULHOS SUCATAS uses security measures and monitors its system for vulnerabilities and attacks to protect Personal Data against unauthorized dissemination, misuse, or alteration, the User understands and agrees that GUARULHOS SUCATAS cannot guarantee that data protection and security will never be violated.

4.6 Data subject rights

Data subjects must be informed by the Person in Control or Operator of how their Personal Data is being processed.

In general, Personal Data should be collected directly from the individual concerned (Data Subject).

4.7 Service channel

Data subjects have rights under the LGPD concerning any personal data we process. The user can request that we take the following actions concerning the personal data that we possess:

  • Access: Provide information about the processing of their personal data and provide access to their personal data.
  • Confirmation: Confirm the existence of data processing.
  • Correction: Update or correct inconsistencies in their personal data.
  • Deletion: Delete their personal data in certain circumstances (right to be forgotten).
  • Export/Portability: Export/transfer a machine-readable copy of personal data to the user or third parties.
  • Restrict: Restrict the processing of personal data in certain circumstances.
  • Object: Object to processing when based on our legitimate interests.
  • Consent: If the processing of personal data was based on their consent for a specific purpose, the user can withdraw their consent for this purpose at any time. No legal restrictions apply in this respect.

The User may contact the DPO (Data Protection Officer) of GUARULHOS SUCATAS through the following channels:

Appointed Data Protection Officer: IT Officer

Email: ti@guarulhossucatas.com.br

Telephone: (11) 2402-2424

The User is required to maintain their email address updated in their registration, through which communications will be sent to them by GUARULHOS SUCATAS.

4.8 Review

This policy must be revised annually or when alterations are necessary.