1. Introduction
In order to carry out its activities, Intelliway Tecnologia needs to gather and process information obtained from natural persons such as suppliers, business partners, employees and others with whom the organization relates.
2 - Objectives
Establish guidelines for the treatment of personal data collected by Intelliway Tecnologia from users of its services, Comply with legislation (such as the General Data Protection Law - LGPD) and applicable best practices;
Protect the rights of the organization's members, its customers and business partners;
Protect the company from the risk of being the victim of a security incident.
3 - Scope
This policy applies to all types of personal data processed (name, document numbers, postal address, email address, telephone number, financial data and others), and, to all types of treatment conducted by Intelliway Tecnologia.
4 - Definitions
Refers to the General Data Protection Act.
Use of reasonable technical means available at the time of Processing, through which data loses the possibility of association, directly or indirectly, with an individual.
Data Protection Officer (DPO)
Person appointed by the Company to act as a communication channel between the controller, data subjects and the National Data Protection Authority (ANPD).
Treatment Activity
Any operation carried out with Personal Data, such as those referring to the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer , diffusion or extraction.
Natural or legal person, public or private, who is responsible for decisions regarding the processing of Personal Data.
Natural or legal person, public or private, who processes Personal Data on behalf of the controller.
Structured set of data established in one or several places, in electronic or physical support.
Natural person to whom the personal data that are the subject of processing activities refer.
Data Inventory and Processing Activities
It refers to the registration of all the systems or contexts in which the personal data collected is processed by the company.
5 - Data Protection Principles
Intelliway Tecnologia is committed to treating the data collected (including from employees and other members of the organization) in accordance with the responsibilities and obligations brought by the LGPD.
Personal data at Intelliway Tecnologia will be:
The. treated only: I - if they are obtained with the consent (free, unequivocal and informed) on the part of its holder; II - for the fulfillment of an obligation or regulation; III – for the execution of a contract or related preliminary procedures; IV – for the regular exercise of rights in judicial, administrative or arbitration proceedings; V – for the protection of the health of individuals; VI – for purposes of legitimate interest of third parties or of the activity carried out by Intelliway Tecnologia, especially for the benefit of its customers.
B. treated in accordance with the law, fairly and transparently towards individuals;
ç. collected for specific, explicit and legitimate purposes, and will not be further processed incompatible with those purposes;
d. stored in such a way as to ensure its accuracy, clarity, relevance and, where necessary, kept up to date; all reasonable efforts will be made to ensure that those with inaccuracies, taking into account the purposes for which they are processed, are promptly erased or corrected;
and. kept in a way that allows the identification of data subjects only for the time necessary to fulfill the purpose for which they were collected; if they are stored beyond this period, it will be exclusively for archiving purposes in order to comply with a legal obligation on the part of the company; AND
f. handled by means capable of ensuring adequate security of personal data collected by the company, including forms of protection against unauthorized or unlawful processing and against accidental loss of data, destruction or damage, through appropriate technical or organizational measures.
6 - General Provisions
The. This policy applies to all personal data (including those belonging to employees and other members of the organization) processed by Intelliway Tecnologia and present in its databases.
B. The responsible person will assume responsibility for the Company's continued compliance with this policy.
ç. This policy must be reassessed periodically, at intervals no longer than twelve months.
d. The organization will provide adequate training to all its employees to help them understand their responsibilities related to the protection of personal data.
and. Intelliway Tecnologia employees should request help from their superiors or the company's Data Protection Officer (DPO) in cases where they have questions about any aspect related to data protection.
f. All third parties who have access to and manipulate personal data controlled by Intelliway Tecnologia must have adequate security standards to carry out their treatment, and observe the same data privacy principles that guide the conduct of Intelliway Technology.
7 - Legal, Fair and Transparent Processing
The. To ensure that data processing is carried out in accordance with the law, in a fair and transparent manner, Intelliway Tecnologia will keep a record of the treatments carried out by the company (Inventory of Data and Processing Activities) .
B. The method and adequacy of records shall be reviewed at least annually.
ç. Holders have the right to access their data and any requests made to the company will be answered within 30 days.
8 - Legal Purposes
The. All data processing activities conducted by Intelliway Tecnologia are carried out in accordance with one of the following legal bases: consent, contractual compliance, legal or regulatory obligation, for legal or administrative defense, or, for interests legitimate.
B. Intelliway Tecnologia identifies the appropriate legal bases and records them in its Inventory of Data and Processing Activities.
ç. If consent is identified as the appropriate legal basis for the processing activity, the evidence proving its granting is duly documented and filed.
d. When communications are sent to individuals based on their consent, the possibility of revoking their consent is guaranteed in an easy and accessible way, and the request can be made by email, telephone or Virtual Assistant located on the Intelliway Tecnologia website.
and. The relevant systems operate properly to ensure that the revocation is accurately reflected in Intelliway Tecnologia's systems.
9 - Risks Related to Data Privacy
The. Breach of confidentiality – for example, when information is provided inappropriately or to the wrong recipient. To eliminate this risk, permission to access data is controlled and controllers and operators are trained before handling them, always doing so within the limits established in this Policy. In addition, access to the systems is subject to auditing and tracking, making it possible to identify any deviations.
B. Failure to guarantee free and informed choice – for example, all holders must be given the possibility to freely choose how the company will use the information collected from them (when the legal basis used is consent free, unambiguous and informed of the holder). To reduce this risk, consents are always free, unambiguous and informed to the holder. When, for any reason, the holder wants to change his permissions, he can do so using one of our channels.
ç. Reputational damage – for example, in case of cyber-attacks allowing unauthorized access to sensitive data relating to data subjects. To mitigate this risk, Intelliway Tecnologia uses technological tools such as granting and monitoring access, firewall, endpoint management tools and other techniques to hinder the action of malicious access.
10 - Responsibilities
All those who work for or with Intelliway Tecnologia have a certain degree of responsibility for ensuring that the collection, storage and processing of personal data is done properly.
All sectors of the organization that handle personal data must ensure that they do so in compliance with this policy and the data privacy principles present here and brought by the LGPD.
Some roles have key responsibilities:
The. Senior Management members, who are responsible for:
i. Assegurar o cumprimento desta policy;
ii._cc781905-5cde-3194-bb3b-136bad5 of Personal Data are available;
iii._cc781905-5cde-3194-bb3b-136bad5cf and this Policy;
iv._cc781905-5cde-3194-bb3b-136bad5cf58d Ensure your desired results are achieved;
v. Promover a melhoria contínua the Personal Data Privacy Management System;
vi._cc781905-5cde-3194-bb3b-136bad5cf management system of Personal Data Privacy.
B. Those responsible for the Administrative and Financial areas of Intelliway Tecnologia, who:
i. _cc781905-5cde- 3194-bb3b-136bad5cf58d_Manipulate contract data;
ii. Cuidam de pagamentos e receipts;
iii. Realizam contato com clientes , suppliers, business partners and employees;
iv. Cuidam de garantir que the company complies with its legal obligations.
c. The Data Protection Officer (DPO) is responsible for:
i. _cc781905-5cde- 3194-bb3b-136bad5cf58d_Manter administração da Intelliway Tecnologia atualizada em relação a responsabilidades, riscos e questões conexas à _cc781905-5cde- 3194-bb3b-136bad5cf58d_ data privacy;
ii. Revisar periodicamente políticas e procedures related to data privacy;
Provide adequate data protection training for the individuals contemplated in this policy;
_cc781905-5cde-3194-bb3b-136badiv5cf58d_ Respond to data privacy inquiries from employees or other relevant individuals;
v. Lidar com requisições de information, alteration, deletion, portability and access to personal data made by individuals ;
vi. Evaluating (and advising Management on) any contract or agreement with third parties that handle sensitive data -bb3b-136bad5cf58d_ _cc781905 -5cde-3194-bb3b-136bad5cf58d_ controlled by Intelliway Technology.
d. The person responsible for the Information Technology function is responsible for:
i. _cc781905-5cde -3194-bb3b-136bad5cf58d_Ensure that all systems, services and equipment used for data storage meet standards _cc781905-5cde-3193-bb5cc5b-171 5cde-3194-bb3b-136bad5cf58d_ _cc781905-5cde-3194-bb3b -136bad5cf58d_ safety acceptable;
ii. Realizar checagens e varreduras periódicas para garantir que os respectivos hardwares e softwares de segurança estão _cc781905- 5cde-3194-bb3b-136bad5cf58d_ _cc781905-5cde-3194-bb3b -136bad5cf58d_working properly;
iii. Avaliar qualquer serviço offered by a third party to store or process personal data (and its security level), such as, _cc781-905-5cde 3194-bb3b-136bad5cf58d_ por exemplo, serviços de computação em nuvem.
and. Those responsible for the Commercial function, who are responsible for:
i. _cc781905-5cde- 3194-bb3b-136bad5cf58d_Contact customers using various means of communication, such as email, telephone and messaging applications;
ii. Elaborar propostas comerciais;
iii. Acessar contratos;
iv. Acessar outras informações do customers' environment.
11 - Storage of Personal Data
The. Any doubt about the safe storage of data must be forwarded to the DPO, through the formal means available, so that it addresses those responsible for the Information Technology function or whoever has control of the data.
b. The data stored physically are filed in a secure location, preventing access by unauthorized persons.
c. With regard to printed information, the following precautions are taken:
i. Quando não exigido highest level of security, physical files are kept in a lockable place.
ii. Colaboradores devem assegurar que nenhum papel ou impressão é deixado à vista de pessoas não autorizadas, como _cc781905 -5cde-3194-bb3b-136bad5cf58d_ _cc781905-5cde-3194- bb3b-136bad5cf58d_ forgotten in the printer.
iii. Dados impressos devem ser unusable and properly disposed of when no longer needed.
d. Digitally stored personal data is protected from unauthorized access, accidental deletion and malicious intrusion attempts. Some precautions taken:
i. _cc781905-5cde- 3194-bb3b-136bad5cf58d_ If personal data is stored on removable media (such as a USB stick or disk), the media must be stored in such a way -bb3b-136bad5cf58d_ segura enquanto not in use.
ii. _cc781905-5cde- 3194-bb3b-136bad5cf58d_ Personal data should only be stored on authorized disk drives and servers, and only _cc781905-5cde-3194-bb3b5cc-183 -5cde-3194-bb3b-136bad5cf58d_ _cc781905-5cde-3194- bb3b-136bad5cf58d_ podem ser carregados para serviços de computação em nuvem autorizados.
iii. _cc781905-5cde- 3194-bb3b-136bad5cf58d_ Servers containing personal data must be placed in a secure location, segregated from the regular environment 5cde-3194-bb3b-136bad5cf58d_ _cc781905-5cde-3194-bb3b -136bad5cf58d_ _cc781905-5cde-3193-bb8doffice
iv. _cc781905-5cde- 3194-bb3b-136bad5cf58d_ Personal data should not be saved directly on laptops or other mobile devices such as tablets or _cc781905-5cde-3193-bb5cc5cc-178 -5cde-3194-bb3b-136bad5cf58d_ _cc781905-5cde-3194- bb3b-136bad5cf58d_ _cc781905- 5cde-3194-bb3b-136bad5cf58d_smartphones.
v. _cc781905-5cde- 3194-bb3b-136bad5cf58d_ Todos os servidores e computadores que contenham dados pessoais devem estar devidamente protegidos por softwares _cc781905-5cde-3194 -bb3b-136bad5cf58d_ _cc781905 -5cde-3194-bb3b-136bad5cf58d_de security and firewalls.
12 - Use of Personal Data
Personal data are only useful to Intelliway if they are relevant to the business activity it develops.
Personal data processing operations carry with them risks of data loss, corruption and theft. To mitigate such risks, some measures are recommended:
a. Collaborators must lock their computer screens whenever they are not using the equipment.
B. Personal data should not be shared informally, especially by email, as such means of communication are not secure.
ç. Personal data must be, whenever possible, adequately encrypted before any electronic transfer is carried out. Any questions related to sending data to an external party can be addressed to the person responsible for the Information Technology function.
d. Personal data must not be transferred to countries whose data privacy laws do not match national requirements.
e. Contributors must not save copies of personal data on their own computers. You must always access and update a central copy of your personal data.
13 - Integrity of Stored Personal Data
It is the responsibility of everyone who handles personal data to take adequate care to ensure that its integrity is preserved.
Personal data should be stored in as few different locations as possible.
Only authorized persons should have access to personal data. This control is carried out through system tools, such as access by login and password and permission by access groups.
Anyone, employee, business partner, service provider, who accesses personal data that is not part of the scope of their work or routine, must immediately notify the DPO so that it can take the necessary measures.
14 - Request for Access by the Holder
The. Every holder of personal data stored by the organization has the right to:
i. _cc781905-5cde- 3194-bb3b-136bad5cf58d_ Question what information Intelliway Possesses about them, and why.
ii. _cc781905-5cde- 3194-bb3b-136bad5cf58d_Question how he could have access to such information;
iii. Ser informado sobre como stay up-to-date on the progress of your order;
iv. Ser informado sobre os esforços que a companhia está destinando para se manter em conformidade com suas obrigações _cc781905 -5cde-3194-bb3b-136bad5cf58d_ related to the protection of personal data collected and processed by it;
v. Solicitar alterações ou exclusão data, when framed by the law.
B. The person in charge (Foreman – DPO) must make every effort to respond to the holder's request within a maximum of 30 days.
ç. The person in charge (DPO), in order to prevent the undue (unintentional) sharing of personal data, must always verify the identity of the applicant before granting him access to any information
15 - Sharing of Personal Data with Public Authorities
The. In some circumstances, the LGPD allows personal data to be shared with public authorities without the respective consent of the data subject.
B. When any of these circumstances require it, Intelliway Tecnologia will share the relevant data with the competent authority. However, the company will ensure that the request is legitimate, seeking assistance from its data privacy consultancy and legal counsel where necessary.
16 - Provision of Information
The. Intelliway Tecnologia will ensure that the holders of personal data are aware that their data is being processed by the company, and , that they know how their data is being used and how they can exercise their rights before the company.
B. For this purpose, the company has a Privacy Statement and Terms of Service, detailing how the personal data collected from the respective holders are used by the company.
17 - Minimization of Personal Data
The. Intelliway Tecnologia works to ensure that personal data is accurate, relevant and its collection and storage limited to what is necessary based on the purposes for which they are processed.
B. When applicable, techniques for anonymization and pseudo-anonymization will be used on the data processed by the organization.
ç. As soon as the purpose for which the personal data was collected no longer persists, and there is no longer any obligation or interest legal to keep it, it will be promptly excluded from the personal data base processed by Intelliway Tecnologia.
18 - Filing / Removal
The. To ensure that personal data is not kept longer than necessary, the organization will put in place a archiving/retention policy for each area in which personal data is processed. This process must be reviewed at least annually.
B. The archive/retention policy should consider what data can/should be kept, for how long and why.
ç. Some minimum terms that must be observed and that are detailed in the aforementioned archiving/retention policy:
i._cc781905-5cde -3194-bb3b-136bad5cf58d_ For at least 5 (five) years after the end of the contractual relationship with consumers of the services offered by _cc781905-5cde-3b -136bad5cf58d_ _cc781905-5cde -3194-bb3b-136bad5cf58d_ Intelliway Tecnologia (due to the statute of limitations in article 27 of the Defense Code) Consumer);
ii._cc781905-5cde -3194-bb3b-136bad5cf58d_ As long as the purpose for which certain personal data was collected remains, and for the cases in which it was _cc781905-5cde- 3194-bb3b-136bad5cf58d_ obtained through the consent of the holder, who has not withdrawn his consent, or, for cases in which a _cc78190 -3194-bb3b-136bad5cf58d_ _cc781905-5cde-3194-bb3b-13 6bad5cf58d_ _cc781905-5cde- 3194-bb3b-136bad5cf58d_ processing activity being carried out is not based on its legitimate interest_cc 5cde-3194-bb3b-136bad5cf58d_ _cc781905-5cde-3194-bb3b -136bad5cf58d_ _cc781905-5cde -3194-bb3b-136bad5cf58d_ _cc781905-5cde-31 94-bb3b-136bad5cf58d_exercido your right to object to the treatment in question;
19 - Security
The. Intelliway Tecnologia continuously invests in technology and processes so that personal data is stored safely, keeping its environment monitored and constantly updated.
B. Access to personal data is limited to employees and business partners who actually need it, and adequate security measures have been taken implemented to prevent unauthorized sharing of this information.
ç. Personal data should not be shared informally. If they need access to confidential information, the employee must request such access from their superior.
d. Deletion of personal data must be done securely so as to make deleted data unrecoverable.
and. “Strong” passwords are used on Intelliway Tecnologia's systems and never shared. In addition, when possible, OTP (double factor authentication) is used.
f. _cc781905-5cde-3194-bb3b-136bad5cf58d access to personal persons must not be shared with them , whether from outside or inside the company.
g. Appropriate catastrophe/disaster recovery and back-up solutions are properly implemented. Such tools have their effectiveness evaluated periodically.
20 - Breach of Security
In the event of a breach of security leading to accidental or illegal destruction, loss, alteration, unauthorized disclosure or access to personal data, the company will promptly assess the risk to the rights and freedoms of the holders, reporting, if applicable, the incident of security to the National Data Protection Authority (ANPD) or the relevant authority.
21 - Final Provisions
This document will be evaluated annually and may be amended at any time and at any discretion.
Persons who violate this policy will be subject to appropriate legal and/or disciplinary action.
This policy takes effect on the date of its publication, revoking provisions to the contrary.
To clarify doubts about how Intelliway Tecnologia treats personal data, the following channels are available:
Virtual Assistant at site www.intelliway.com.br
Call Center on phone 27 3376-0163
Person in charge of Personal Data Processing (DPO): Evando Lopes da Fonseca Filho
E-mail: evando@intelliway.com.br
22 - Reference Document
Law No. 13.709/2018 - General Data Protection Law (LGPD)
Update History:
Modification Date - 09/18/2020
Activity - Publication of the Document
Responsible - Evando Fonseca (DPO)