1. Scope
Establish the guidelines for the processing of personal data carried out by the AlmavivA do Brasil Group as a Data Controller agent. In this way, the AlmavivA do Brasil Group, when in the role of data operator agent, reiterates to the interested parties involved in the processing of personal data (“Holders”) that the data related to the identified or identifiable natural person (“personal data”) processed due to its commercial partnerships, will be processed in accordance with current legislation on the protection of personal data, and in accordance with the appropriate instructions of its client (“Controller”), who will have more information regarding the said processing in your privacy policy.
2. Application field
This policy applies to all employees, third parties, suppliers who use the processing environment or access information belonging to the AlmavivA do Brasil Group.
3. References
• Lei Federal nº 13.709/2018 – LGPD (Lei Geral de Proteção de Dados Pessoais)
• Lei Federal nº 12.965 – Marco Civil da Internet
• NBR ISO/IEC 27001:2022 – Segurança da informação, segurança cibernética e proteção à privacidade — Sistemas de gestão da segurança da informação — Requisitos
• NBR ISO/IEC 27002:2022 – Segurança da informação, segurança cibernética e proteção à privacidade — Controles de segurança da informação
• NBR ISO/IEC 27701:2019 – Técnicas de segurança – Extensão da ABNT NBR ISO/IEC 27002 para gestão da privacidade da informação – Requisitos e diretrizes
• PSI-002 – Política de Segurança da Informação Pública.
4. Definitions
• Controller – natural or legal person, governed by public or private law, who is responsible for decisions regarding the processing of personal data
• Personal data – information related to an identified or identifiable natural person, such as: name, ID number, CPF, date of birth, photo, telephone number, geolocation, among others
• Sensitive personal data – category of personal data on racial or ethnic origin, religious conviction, political opinion, membership of a trade union or organization of a religious, philosophical or political nature, data relating to health or sexual life, genetic or biometric data, when linked to a natural person
• Director (DPO) – person appointed by the Controller/Operator to act as a communication channel between the Controller, the data subjects and the National Data Protection Authority (ANPD)
• Personal data security incident – any confirmed adverse event related to a personal data security incident, such as unauthorized, accidental or illicit access that results in the destruction, loss, alteration, leakage or any form of data processing inappropriate or illicit, which may pose a risk to the rights and freedoms of holders
• Operator – natural or legal person, governed by public or private law, who processes data in accordance with the instructions of the Controller
• Holder – natural person to whom the personal data subject to processing refer
• Processing – any operation carried out with personal data, such as those referring to the collection, production, reception, handling, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, diffusion or extraction
• Technical measures – those related to technologies and controls that can be implemented in relation to information security and improvements for an assertive and efficient execution of the principles of the General Data Protection Law
• Organizational measures – measures related to policies, procedures, guides, manuals, awareness activities (such as training and communications) and documents, in general, that guide the user regarding the Privacy and Personal Data Protection guidelines.
5. Responsibilities
The Executive Board is responsible to:
• Promote and approve the activities of the Information Security and Privacy Management System.
It is the responsibility of the Information Security and Privacy Committee to:
• Conduct a periodic assessment of Data Protection and Privacy
• Ensure the availability of the necessary resources for effective privacy management and personal data protection
• Disseminate the culture of Information Security and Privacy
• Align the strategic objectives of Information Security and Privacy with the business objectives of the AlmavivA do Brasil Group
• Support and approve continuous improvement activities of the Information Security and Privacy Management System
Decide on the application of sanctions when non-compliance with this policy and other policies established by the Information Security and Privacy area is observed.
It is the responsibility of the Personal Data Officer (DPO) to:
• Promote and approve Privacy Program activities
• Value and protect the interests of all data subjects with whom the AlmavivA Group has relationships
• Receive communications and updates from ANPD to pass them on internally, as well as maintain the relationship between the parties.
Responsible for the Information Security and Privacy area to:
• Establish information security and privacy guidelines
• Aware relevant stakeholders about information security and privacy
• Identify and report risks relating to Information Security and Privacy
• Establish controls to mitigate risks
• Maintain and continuously improve the information security management system.
It is up to Employees, Third Parties, Suppliers and other relevant interested parties to:
• Comply with the guidelines of this policy and other policies established by the Information Security and Privacy area
• Ensure the security of company information, reporting any abnormalities noticed to the Information Security and Privacy area.
6. Guidelines
6.1 General information
The AlmavivA do Brasil Telemarketing e Informática S.A. Group, a legal entity under private law, with headquarters at Rua Bela Cintra, nº 1149, sobreloja, Consolação, São Paulo, CEP 01415-000, CNPJ/MF nº 08.174.089/0001-14, is one of the largest Contact Center companies and one of the main CRM BPO companies in the country, having mastery in collection services through CRC – Credit Recovery Center and innovation through Almawave, both companies belonging to the conglomerate.
The Company values the privacy and freedom of rights of all holders involved in its ecosystem, ensuring that the processing of your personal data is in accordance with the provisions of Federal Law No. 12,965 of April 23, 2014 (Marco Civil da Internet), with Federal Law No. 13,709, of August 14, 2018 (General Personal Data Protection Law – LGPD), and other legislation applicable to the topic of privacy and data protection. Furthermore, the AlmavivA do Brasil Group adopts the best market practices for the application of technical and organizational measures, including specialized personnel, exclusively for the purposes of complying with its legal and contractual obligations.
This Privacy Policy provides guidelines for the processing of personal data carried out by the AlmavivA do Brasil Group as a Data Controller agent. In this way, the AlmavivA do Brasil Group, when in the role of data operator agent, reiterates to the interested parties involved in the processing of personal data (“Holders”) that the data related to the identified or identifiable natural person (“personal data”) processed due to its commercial partnerships, will be processed in accordance with current legislation on the protection of personal data, and in accordance with the appropriate instructions of its client (“Controller”), who will have more information regarding the said processing in your privacy policy.
Additionally, the guidelines for the processing of personal data of employees and dependents are disclosed through a specific internal notice.
If you have any questions about this Policy, the Person in Charge of Personal Data Processing (“DPO”) of the AlmavivA do Brasil Group can be contacted via email: [email protected].
6.2 Personal Data Involved
The AlmavivA do Brasil Group only collects the information provided by the Holders. This information includes:
• Contact details: name, email, telephone and address
• Professional data: company, market segment, position, academic and professional history
• Other data necessary to fulfill contractual obligations.
The AlmavivA do Brasil Group processes personal data received for a period no longer than necessary to fulfill the objectives set out in this Policy.
6.3 Cookies
Cookies are files used on websites to identify and store information about their visitors. Therefore, while browsing a website, the user may have certain personal data collected through such cookies.
The AlmavivA do Brasil Group website makes use of the Cookies described below, which can be consulted at any time by users in the cookie management center, using the icon available in the bottom corner of this page.
List of Cookies used on our website
A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device, to remember information about you, such as your language preference or login information. These cookies are set by us and are called first-party cookies. We also use third-party cookies – which are cookies from a domain other than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:
• Strictly necessary cookies
These cookies are necessary for the website to function and cannot be turned off in our systems. Typically, they are only configured in response to actions taken by you that correspond to a request for services, such as setting your privacy preferences, logging in or filling out forms. You can set your browser to block or alert you about these cookies, but some parts of the website will not work. These cookies do not store any personally identifiable information.
• Performance Cookies
These cookies allow us to count visits and traffic sources, so that we can measure and improve the performance of our website. They help us know which pages are the most and least popular and see how visitors move around the website. All information collected by these cookies is aggregated and therefore anonymous. If you do not allow these cookies, we will not know when you have visited our website.
• Advertising cookies
These cookies may be set through our website by our advertising partners. They may be used by these companies to build a profile of your interests and show you relevant advertisements on other websites. They do not directly store personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.
Cookies settings can be consulted using the icon available in the bottom left corner of the page.
6.4 Purpose of processing personal data
Personal data processed by the AlmavivA do Brasil Group may be used to:
a. Compliance with legal obligations or execution of contractual clauses
The AlmavivA do Brasil Group, when acting as an Operator, processes personal data for the purpose of executing contracts on behalf of large companies, from different areas of activity such as health, finance, telecommunications, retail, among others, which they constitute as customers. The Company also, in accordance with the Brazilian legal system, processes personal data in order to comply with legal obligations, for the period stipulated by the legislation in question in the civil, labor, tax, corporate spheres, among others.
b. Communication with holders
The AlmavivA do Brasil Group maintains a contact list (containing email addresses and other contact information provided by Holders by email or by filling out the specific form on the portal) to allow communication with those who have expressed interest in its services (hereinafter “services”). The AlmavivA do Brasil Group may also contact Holders to respond to their requests and satisfy any other needs expressed by them.
c. Commercial purposes
The AlmavivA do Brasil Group may also contact Holders, who have previously demonstrated interest, to send commercial communications relating to its services, including through distance communication techniques, such as e-mail messages and text messages. .
Additionally, we may collect your information to fulfill each of our activities and obligations. Therefore, we use your data to manage commercial relationships; prevent and detect fraud; ensure market intelligence mechanisms and enable effective and adequate customer service.
In this sense, part of the data processing activities are carried out to fulfill our legitimate interest of providing an effective and safe service, always within the limits of your expectations, and never to the detriment of your interests, rights and fundamental freedoms.
Furthermore, the AlmavivA do Brasil Group may also use personal data to fulfill our services, respecting the purposes explained to the Holders and any authorizations previously granted by such Holders, when there is a legal requirement to collect this.
d. Recruiting and selection
The AlmavivA Group, through its digital channels, receives the registration of candidates for job vacancies at the Company, which are stored in approved tools and for a pre-determined period sufficient to carry out the purpose of collecting the data in question.
6.5 Rights of holders
Holders may exercise their right of access, rectification, integration, opposition, exclusion, limitation and portability of their personal data at any time by filling out the form on the page https://www.almavivadobrasil.com.br/pt-br/politica-de-si-para-fornecedores-direitos-dos-titulares-de-dados-pessoais/.
6.6 Responsibilities
The AlmavivA do Brasil Group strives to ensure organizational and technological controls as a way of protecting the personal data it processes, as well as mitigating information security and privacy risks and threats that may impact its business. This responsibility extends to partners, subcontracts and third parties through compliance with regulations, legislation and contractual terms agreed between the parties involved.
However, there are no absolute guarantees regarding the protection of this information against threats such as malware, hackers, and other digital threats.
The AlmavivA do Brasil Group reserves the right to modify the contents of the websites and this legal information, at any time and without prior notice.
6.7 Access to linked external websites
The AlmavivA do Brasil Group does not assume responsibility for third-party websites and their respective content and operation, regardless of whether it is possible to access them through the links indicated on this website. Anyone who visits a website through a link indicated on the AlmavivA do Brasil Group website is responsible for adopting all necessary measures against viruses or other destructive elements, and the AlmavivA do Brasil Group is not responsible for any risks arising from this access. Links to other websites do not imply a link between the AlmavivA do Brasil Group and any of these websites.
6.8 Intellectual property
All content (text, graphics, files, tables, images and information of any nature), as well as the products and brands mentioned on this website, are protected under current regulations regarding intellectual and industrial property.
Reproduction, in any medium, of published materials may only be carried out if expressly permitted and for exclusively personal, non-profit and non-directly or indirectly commercial use.
6.8 Data sharing
The AlmavivA do Brasil Group may share personal data received with other companies, partners in the Direct Marketing process. The other treatments use internal teams, to return requests made on the Portal or to manage it.
Everything received through the email addresses indicated on the portal or sent through the portal (for example, requests, suggestions, ideas, information, documents) will not be considered confidential information. It is your responsibility to ensure that the information you submit does not violate the rights of third parties and that it is correct and truthful information. In any case, the AlmavivA do Brasil Group cannot be held responsible for the content of the messages it receives on its channels.
6.10 International data storage and transfer
Personal data held by the AlmavivA do Brasil Group is retained within the national territory, and cross-border transfers are not carried out.
Note: in exceptional cases, the risk and authorization from the board must be assessed.
6.11 Storage period
We will keep your Personal Data for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of providing services and complying with any legal, contractual, accountability obligations or requests from competent authorities.
To determine the appropriate retention period for Personal Data, we consider the nature of the data, the purpose for which we process it, and the potential risk of storing it.
It should be noted that, if there is a request from the Holder, the Interested Party to delete their personal data must make a formal request for deletion, through the communication channels identified in this policy, according to the topic on Holder Rights above.
6.12 Policy update
This Privacy Policy may be updated as a result of possible regulatory updates, changes in the processing of personal data or as a result of the continuous improvement of our management systems carried out by the AlmavivA do Brasil Group, which is why you are invited to periodically consult this section.
6.13 Continuous improvement
The continuous improvement of the Information Security and Privacy Management System is a commitment of everyone in the AlmavivA do Brasil Group and interested parties.
6.14 Legislation and Court
This Privacy Policy is governed in accordance with Brazilian law. Any disputes or controversies arising from any acts carried out in connection with the use of the Website, including in relation to non-compliance with this Privacy Policy or violation of the rights of the AlmavivA do Brasil Group, including intellectual property rights, confidentiality and personality, will be processed in the District of the Capital of the State of São Paulo.
7. Final dispositions
Any need for action that does not comply with the rules established in the Information Security Policy, the Privacy Policy and its complementary policies must be directed to Information Security for risk analysis, registration, and submission for consideration by the competent authority and/ or Information Security and Privacy Committee.
Any employee who makes improper or unauthorized use of company resources, violates security controls, or in any way acts in violation of the terms of this policy, is subject to the application of legally stipulated disciplinary measures, which may result in criminal, civil and/or criminal liability. or administrative, in accordance with current legislation.
8. Annex
Not applicable.