Privacy and Data Protection Policy

1. INTRODUCTION

 

Before hiring and/or using any of our services or utilities, you should read this Privacy and Data Protection Policy.

 

If you are a Client of CADIA Consulting do Brasil, Ltda (CADIA), this Privacy and Data Protection Policy will be incorporated into the contract that governs your relationship with CADIA, in order to guarantee the security of the data you provide to us as Data Subject or Data Controller.

 

In the event that you are only a User of our Website, you should read this Privacy and Data Protection Policy whenever you browse it and prior to sending data through the forms provided for this purpose in our Website. CADIA Consulting do Brasil, Ltda, with registered office located at Av. Eng. Luis Carlos Berrini, 1091 Edifício ARS - 2º andar 04571-010 - Brooklin, São Paulo - SP, Brasil, is the owner of the Website www.cadia-consulting.com.br, hereinafter the “Website”, this policy also applies to data that may be collected through the Website.

 

This Privacy and Data Protection Policy includes the guidelines and performance principles of CADIA for the treatment of the personal data that you provide us with. In this Privacy and Data Protection Policy, CADIA informs you about how it collects your data and how your data are processed. CADIA may change the terms established in this Privacy and Data Protection Policy, both partially and totally, in order for this document to be updated at any time and in accordance with the requirements established in national and international regulations.

 

When you are a Client and CADIA makes changes to the terms of this Privacy and Data Protection Policy, we will inform you as a Client of the Company, so that you may be aware of any terms that may affect you.

 

This policy will be valid until it is modified, amended and replaced by another policy. In this case, the new policy will be published in our Website.

 

2. CADIA AND ITS COMMITMENT TO PRIVACY

 

CADIA is a company committed with ethics, honesty and transparency. For this reason, CADIA is deeply committed to the protection of personal data, the security and the privacy of Users/Clients.

 

CADIA complies with current legislation on Data Protection - General Law on Protection of Personal Data (LGPD) - LEI Nº 13.709 -. CADIA has adopted the necessary technical and organizational measures to prevent the loss, misappropriation, alteration, unauthorized access and theft of the personal data provided, taking into account the state of technology, the nature of the data and the risks to which they are exposed.

 

CADIA will only obtain personal data when it is adequate, pertinent and not excessive in relation to the specific, explicit and legitimate purpose for which it was obtained. In other words, CADIA will only collect data that are strictly necessary for each of the purposes pursued.

 

You, as the Data Subject and/or Data Controller of the personal data that you provide us with, must comply with this Data Protection Privacy Policy.

 

CADIA commitment to privacy is reflected in the following guidelines:

 

CADIA respects the privacy of the Users and Clients as well as their choices at any time, for this reason, it incorporates respect for privacy in each of its actions.

 

CADIA will never send commercial communications unless you have expressly consented it. You can change your mind about your preferences at any time, and CADIA will respect and guarantee this option.

 

CADIA will not at any time offer and sell the data you provide us with.

 

Your data will be secure and protected. CADIA will always guarantee its confidentiality. Therefore, CADIA only accepts high standards of quality and trust in its relationships.

 

We will never use your data for purposes other than those for which they were collected.

 

3. LIABILITIES

 

As the Data Subject or Data Controller, you are responsible for ensuring that the data you provide are accurate, complete and up to date. Therefore, you will be the sole responsible in the event that the data you have provided us with are false, inaccurate, incomplete or out of date, or are personal data relating to third parties for whom you have not obtained their express consent or have not informed them of their processing.

 

In the specific event that, during the contractual relationship, the Client provides CADIA with the personal data of employees or third parties, the Client, as the Data Controller, must have previously informed them of the processing of their personal data, of the purpose of the same, and have obtained the consent from the Data Subjects. You undertake to notify any change or modification of the data.

 

Any loss or damage caused to CADIA as the Data Controller or Data Processor by the communication of erroneous, inaccurate, incomplete or third party information without its informed consent, whether in the contractual relationship or in the registration forms, shall be the sole responsibility of the Client and/or User.

 

In the event that CADIA acts as Data Processor for the processing of personal data for which the Client is the Data Controller, both parties undertake to collaborate to guarantee the protection of such data and the effective exercise of the rights of their Data Subjects.

 

The Client undertakes not to provide CADIA at any time with special categories of personal data, nor with any information or personal data that are not necessary or relevant for the execution of the contractual relationship.

 

4. WHAT IS PERSONAL DATA?

 

Personal data means any information concerning identified or identifiable individuals. In other words, personal data are data that identify a natural person (e.g. name or surname) or that make it possible to identify that person (e.g. address).

 

Information relating to companies or legal entities is not considered personal data.

 

If you are a CADIA Client, the Personal Data that can be collected for the execution of the service can be: name and surname, telephone, e-mail, official identity document, professional data. All this depending on the type of the service provided by CADIA.

 

The personal data collected by CADIA are strictly necessary for the purpose pursued or the provision of the service.

 

In the event that you are a User of our Website, the personal data that may be collected through it will be the following: name and surname, e-mail, professional data and telephone.

 

CADIA will never collect personal data of special categories.

 

5. COLLECTION AND USE OF PERSONAL DATA

 

Before providing us with your data, you must know the purposes for which it was processed, the Data Controller, the Data Processor (if applicable), the legitimate basis, the recipients of the data (if applicable) and their rights, among other aspects.

 

6. WHO CAN ACCESS YOUR DATA?

 

Companies of CADIA:

Depending on the services contracted, the data may be processed by companies of CADIA on the legal basis of the legitimate interest of the Group, for the provision of the service and for administrative and/or legal purposes.

 

Trusted suppliers:

We also sign contracts with trusted suppliers, from whom we demand compliance with current Data Protection regulations, for the provision of certain services and to carry out a variety of commercial operations on our behalf. We only provide them with the information they need to perform the service, and we require them not to use your personal data for any other purpose. In the event that the Client does not authorize the provision of a service by a trusted provider, we may choose between contracting with another provider or not to provide the service.

 

Authorities:

Depending on the services that the Client finally hires, we can communicate their data to certain authorities to comply with the service of tax compliance or management of registrations at the National Insurance, among others. CADIA will always inform the Client in advance about who can have access to their data, depending on the services contracted.

 

7. YOUR RIGHTS AND HOW TO EXERCISE THEM

 

As the Data Subject, you may exercise your rights of access, rectification, erasure, limitation of data, portability and opposition, as well as the right to be forgotten, by sending an e-mail to cadia@cadia-consulting.com.br, indicating in the subject “Exercise of rights”, or by post to Av. Eng. Luis Carlos Berrini, 1091 Edifício ARS - 2º andar 04571-010 - Brooklin, São Paulo - SP, Brasil, in both cases accompanied by a copy of your official identity document proving your identity.

 

Below, we detail the content of each of your rights for your easy understanding. However, please refer to the General Law on Protection of Personal Data (LGPD) - LEI Nº 13.709 for further information on your rights.

 

Right of access: The Data Subject has the right to obtain confirmation from the Controller of the processing whether or not personal data concerning him are being processed and, if so, the right of access to the personal data.

 

Right of rectification: The Data Subject shall have the right to have rectified inaccurate personal data concerning him/her rectified without delay from the Controller.

 

Right of erasure (right of oblivion or right to be forgotten): The Data Subject shall have the right to obtain the erasure of personal data concerning him without delay from the Controller. It should be noted that this is not an absolute right, as there may be legal or legitimate grounds for retaining them.

 

Right to opposition: The Data Subject has the right to oppose the processing of his/her data at any time.

 

Right to restriction of processing: The Data Subject shall have the right to obtain from the Controller the restriction of processing of the data. This right can only be exercised in specific circumstances defined by the General Law on Protection of Personal Data (LGPD) - LEI Nº 13.709.

 

Right to data portability: The Data Subject shall have the right to receive the personal data concerning him/her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format, and to transmit them to another Controller without being prevented by the Controller to whom they were provided, in the circumstances provided for in the General Law on Protection of Personal Data (LGPD) - LEI Nº 13.709.

 

Also, as the Data Subject, we inform you of the following rights concerning you:

 

Right to information: You have the right to clear, transparent and easy to understand information about how we use your personal data and about your rights. This right to information is given effect through this Privacy and Data Protection Policy

 

Right to withdraw consent at any time when data processing is based on consent: You may withdraw your consent to the processing of your personal data when the processing is based on your consent. Such withdrawal of consent shall not affect the legality of processing based on consent prior to its withdrawal. If you wish to withdraw your consent, please contact us by the methods indicated above.

 

Right to file a complaint to a supervisory authority: You have the right to file a complaint to the National Data Protection Authority (ANPD) regarding CADIA Privacy and Data Protection practices. However, please contact us before making such a claim by the methods indicated above.

 

8. INTERNATIONAL DATA TRANSFERS

 

CADIA does not carry out international data transfers at any time. In the event that, in order to provide a contracted service, it is necessary to make a transfer outside Brazil, the Client will be notified in advance so that they can give their consent to the transfer; they will also be informed that all of our subsidiaries and suppliers are obliged to comply with Brazilian Data Protection regulations, wherever they are located.

 

9. HOW LONG DO WE STORE YOUR PERSONAL DATA?

 

CADIA will only keep your personal data for the time necessary to comply with the purposes for which they were collected or to comply with legal obligations.

 

CADIA, at the Client’s choice, will delete or return the personal data to the Client at the end of the service, all without prejudice to the fact that due to legal obligations, regulations, court orders, administrative authorities, etc., it has to keep them.

 

The personal data obtained by giving your consent for the execution of the commercial relationship and/or for the sending of communications, services, news, etc., will be maintained until you inform us that you wish us to delete your data, exercising your rights as explained above.

 

The personal data obtained in recruiting processes will be kept until the candidate unilaterally decides that we should delete them (exercising the rights explained above) or after 1 year from the selection process.

 

CADIA will permanently and securely delete personal data after the end of the purpose for which it was granted or the period during which it must comply with a legal obligation.

 

10. SECURITY AND CONFIDENTIALITY OF PERSONAL DATA

 

In order to guarantee the security and confidentiality of your data, CADIA has adopted the security levels required for the protection of personal data, having installed the technical and personal measures at its disposal to prevent the loss, misuse, alteration, unauthorized access and theft of the personal data provided.

 

The personal data that CADIA may collect, derived from the contractual relationship that joins you with us or through the different communications that maintain with the Client/User will be treated with absolute confidentiality.

 

The technical and organizational measures implemented by CADIA to guarantee the security of your data are detailed below. All measures are implemented in the Group’s subsidiaries, regardless of whether or not they process personal data of persons resident in Brazil.

 

Organizational controls

 

CADIA has implemented a Privacy and Data Protection Policy, as well as a Privacy and Data Protection Manual, which is available to all employees in the organization. Reviewing everything periodically. Employees also receive regular training on data protection and security.

 

All CADIA employees and suppliers sign confidentiality agreements, guaranteeing in this way the duty of secrecy that they must maintain in all their actions with and/or for CADIA.

 

Physical data access controls

 

With regard to measures to control physical access to personal data, CADIA keeps the data in a place with restricted access and with the appropriate security measures. In this way, access to unauthorized persons is prevented, restricting access to the centers where the data is stored.

 

In addition, CADIA has measures to ensure the safe disposal of documents or files containing personal data. For this reason, in the case of paper documentation, CADIA provides its employees with the use of paper shredders.

 

System access controls

 

Regarding the access control to the systems, CADIA has a system of user authentication and password for access to them. At the same time, for a better control, we have a list of people/users who have access to the data processing systems for authentication purposes, identifying each one of the accesses.

 

All data processing systems are password protected to prevent unauthorized access to personal data.

 

All employees receive training on how to protect their computer equipment, ensuring that the information contained therein is always up to date. The computer equipment is programmed so that, after detecting inactivity in the computer equipment in a short period of time, they are blocked to prevent unauthorized access to the system. The account is also blocked after multiple sequential unsuccessful login attempts.

 

Security systems

 

As for the security systems used to guarantee the security of the data, CADIA has established a control system to ensure that only authorized equipment are used when providing the service. Remote access is done through VPN, with connection audits available.

 

CADIA also has technical security measures such as antimalware, automatic backups, antivirus and perimeter security.

 

Business Continuity

 

In CADIA, backup copies are created. These copies are stored in protected environments. CADIA also has the ability to restore data from these backups.

 

11. INCIDENT MANAGEMENT

 

CADIA has established a procedure for the management of incidents, so that if a violation or breach of security occur, it can be communicated to the National Data Protection Authority (ANPD) and/or the Data Subject within 72 hours.

 

12. CONTACT

 

If you have any questions regarding the protection of personal data, please write to us at cadia@cadia-consulting.com.br or by post to our Legal Department located at our Branch: Av. Eng. Luis Carlos Berrini, 1091 Edifício ARS - 2º andar 04571-010 - Brooklin, São Paulo - SP, Brasil, writing in the subject LGPD.

 

Do not forget that if you wish to exercise your rights, you must write in the subject “Exercise of rights” and attach a copy of your official identity document to your communication.