Montesanto Tavares Group (GMT)
The purpose of this Policy is to provide information about the collection, use, sharing and general handling of personal data, whether in digital or physical media, in order to ensure greater transparency regarding how and for what purposes the data is used by GMT, in addition to disclosing how the data subjects can access and update their personal information, or exercise their rights in relation to such data.
This policy applies to all business units of Grupo Montesanto Tavares and its employees, former employees and business partners.
Grupo Montesanto Tavares is responsible for ensuring compliance with the Brazilian General Data Protection Law (LGPD), providing for the proper processing of personal data that may be the object of its activities for legitimate purposes, and reinforcing its commitment to good privacy and data protection practices. Stemming from this commitment, the following responsibilities are assigned to the data steward.
• Carry out integrated actions to ensure compliance with LGPD.
• Monitor compliance with the applicable personal data protection legislations.
• Provide guidance to the parties subject to the application of this policy regarding the legal framework for privacy and personal data protection.
• Clarify and make available to the relevant public authorities (Public Prosecutor’s Office, National Authority for Personal Data Protection etc.) information on personal data processing operations and their impact.
• Respond to requests and complaints from data subjects whose personal data has been processed by a business unit of GMT.
The other employees of GMT, in addition to the duties set forth in item 14 of this Policy, are responsible for safeguarding, storing, handling and protecting the data of other employees, former employees, and business partners of which they may have become aware, and for maintaining the strictest confidentiality in relation to any information to which they may have access, including that created by themselves, and for not disclosing, extracting a copy or transmitting such information, in any physical or digital form, in disregard of the GMT guidelines, express authorizations and/or internal rules and policies.
4.1 Acronyms and Concepts
Anonymization: Process and technique through which data loses the possibility of association, either directly or indirectly, with an individual. Anonymized data is not considered as Personal Data.
Consent: Free, informed and unequivocal manifestation by which the data subject agrees with the processing of his/her personal data for a specific purpose.
Controller: natural or legal person, under public or private law, who is responsible for decisions regarding the processing of personal data.
Personal Data: any information relating to an identified or identifiable natural person who can be identified, either directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Sensitive Personal Data: data consisting of racial or ethnic origin, political opinion, religious belief, membership of a trade union or a religious, philosophical or political organization, data concerning health or sex life, genetic or biometric data, when linked to a natural person.
Data Protection Officer (DPO): the individual designated as the formal/official data protection officer as provided for in data protection laws (LGPD) for a given territory. The DPO can be a staff member or a third party.
LGPD: Brazilian Law 13,709/2018, commonly known as General Data Protection Law (Lei Geral de Proteção de Dados), which regulates Personal Data Processing activities and also amends Articles 7 and 16 of the Brazilian Civil Rights Framework for the Internet.
Operator: natural or legal person under public or private law, who performs the processing of personal data on behalf of the controller.
Data Subject: Identified or identifiable natural person to whom specific personal data relates.
Processing of Personal Data or Treatment: any operation or set of operations performed with personal data or sets of personal data, including by manual or automated means, such as the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
ANPD: Agência Nacional de Proteção de Dados (National Data Protection Authority), public administration body responsible for ensuring, implementing, and enforcing compliance with the General Data Protection Law throughout the national territory.
Cookies: files sent by the website server to the computer, cell phone, tablet, or any other device used by the data subject, which are intended to collect access data to the GMT’s digital environments and personalize navigation.
Automated Decision-Making: decision made through the use of algorithms, with no human intervention.
IP: (Internet Protocol) the set of numbers and letters that identifies the device used to access digital environments.
5. GENERAL GUIDELINES
5.1 Processing of personal data
The data collected and processed by GMT are common personal data, primarily for identification purposes, such as name, Individual Taxpayers’ Register Number (CPF), profession, address, in short, data required for the preparation, management, and fulfillment of service agreements, granting of benefits to employees’ dependents, contracting of suppliers, service providers, customers, producers, brokers, and third parties.
5.2 Purpose of data collection
Only the personal data necessary and adequate for the purposes on which data collection is based are processed, always in compliance with the lawful grounds for data processing. The purposes for which the data will be processed will vary according to the relationship with GMT and the data processed will be used, for example, to:
• Allow the payment of bills/invoices.
• Receive payments for the sale of products and services.
• Manage purchases from suppliers.
• Purchase coffee and maintain the relationship with suppliers and new producers.
• Improve customer attraction.
• Allow the management and defense in legal and administrative proceedings.
• Comply with determinations for the regular exercise of rights.
• Meet the legitimate interest.
• Ensure the safety of GMT operations.
The personal data collected is not subject to analysis by artificial intelligence that generates or may generate biased or discriminatory treatment. The personal data processing operations do not include automated decision making using personal data of any of the related parties.
GMT does not perform SPAM practices, that is, it does not send commercial e-mails unless previously requested or authorized by the user. In all communications, the user has the option of canceling his/her express consent. Personal data will not be processed for any purpose other than those described, except for legal obligation or compliance with court orders.
5.3 Legal grounds used
The entire data processing chain, operated by GMT, is underpinned by some of the grounds provided for in the General Data Protection Law. GMT may also use the data for the exclusive purpose of fulfilling legal obligations, such as informing tax agencies about invoices issued, or may keep the data stored exclusively for exercising the right to defend the company in judicial or administrative proceedings.
5.4 Data sharing
GMT requires that everyone with whom it may share personal data comply with data protection rules and LGPD provisions, including those regarding the disposal, fulfillment of data subjects’ rights, confidentiality requirements, and information security rules. Under no circumstances does the Group sell or exchange data with other individuals or companies. Data can be shared with relevant judicial, administrative or government authorities and regulatory agencies to comply with a legal determination, requirement, request, or court order. It is also possible that data needs to be shared with professionals appointed by the Group, such as lawyers, accountants, auditors etc., to meet the scope of a contract.
5.5 International transfer of data
In order to better perform its activities, GMT may, in some circumstances and where necessary, disclose personal data to other companies within the group. In addition, data may be shared with partners and suppliers based in other countries, always in compliance with applicable law and in accordance with the relevant contractual clauses. GMT does not authorize the transfer of data by third-party contractors without the proper consent and validation.
5.6 Data retention and disposal
Personal data is stored for the legal retention periods or as long as necessary to fulfill the purposes for which it was collected, except where there is any other reason for keeping it, such as compliance with any legal, regulatory, contractual or other obligations, provided that there is a legal basis for doing so. Once the purposes of processing have been achieved, the data may be kept based on the regular exercise of rights in lawsuits, for the time required by law, counted from the end of the legal relationship. Full integrity and security are ensured for data stored in the databases.
5.7 Cookies (data collected on the website)
5.8 Rights of the data subject
• Access: right to be informed and to have access to personal data being processed by GMT.
• Correction and updating: right to request that outdated, incomplete or incorrect personal data be updated or corrected.
• Elimination: right to have personal data deleted from databases, except where otherwise required by law.
• Anonymization or blocking: right to request anonymization of personal data that are excessive to the processing, or to have this excessive processing suspended.
• Portability: right to request the transfer of personal data being processed by GMT to another service provider appointed by the data subject.
• Revocation of consent: right to revoke the consent granted.
5.9 Information security measures
GMT adopts proper administrative and technical security measures to keep the employees’ personal data safe and secure from unauthorized access and unintentional or unlawful destruction, loss, alteration, disclosure, or any form of inappropriate or unlawful processing. Such measures include but are not limited to:
• Establishment of strict control over the processing of personal data.
• Use of individual logins and passwords, with express prohibition of password sharing.
• Storage of documents in locked files with access restricted to employees with need-to-know status.
The security of personal data is a serious matter and a right of all data subjects. To this end, GMT has technical and administrative measures in place to protect personal data against unintentional or unlawful distribution, loss, alteration, communication or unauthorized disclosure or access, in addition to ensuring that the physical or digital environment used for data processing is structured to meet the security requirements, the standards of good practice and governance, and the general principles set forth in the Law.
The DPO appointed by GMT is in charge of the communication channel between the holding company, the personal data subjects (suppliers, customers, third parties, officers and employees), the stakeholders and the ANPD, and may provide the necessary clarifications about this Policy and its application and exceptions, as well as on the good practices to be adopted on a permanent basis. All communications and requests regarding the processing of personal data may be sent by the data subjects directly to the DPO, at the following e-mail address: firstname.lastname@example.org.