The Compliance Policy of this Company has among its objectives to ensure that activities are conducted in accordance with applicable standards. In this sense, according to art. 38, caput, of Law 13,709, of August 14, 2018, the General Law for the Protection of Personal Data (LGPD), the National Personal Data Protection Authority (ANPD) may at any time require the Company to prepare a report on the impact on the protection of personal data, including sensitive data.
This is the origin of the need to prepare this document.
The Company processes [1] personal data daily, relating to an identified or identifiable natural person (art. 5, I, LGPD). There are also sensitive personal data, which concern racial or ethnic origin, religious conviction, political opinion, membership of a trade union or of a religious, philosophical or political organization, data relating to health or sex life, and genetic or biometric data, when linked to a natural person (art. 5, II, LGPD).
Considering the fundamentals [2] of the protection of personal data (art. 2 and items, LGPD), and the good faith and other principles [3] to be observed in personal data processing activities (art. 6 and items, LGPD), the Company has different systems of internal controls, which vary according to the nature of the personal data, to mitigate possible risks of failure to protect personal data. However, despite the high degree of maturity of its risk management, it is not possible to guarantee the total elimination of risks which, should they materialize, would impact the privacy of the personal data held internally.
This section describes the processes for processing personal data, whether digital or physical, which may pose risks to civil liberties and fundamental rights, specifying the nature [4], scope [5], context [6] and purpose [7] of the processing.
[1] “processing”: Any operation carried out with personal data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction (art. 5, X, LGPD).
[2] “fundamentals”: Art. 2 The discipline of personal data protection is based on: I – respect for privacy; II – informational self-determination; III – freedom of expression, information, communication and opinion; IV – the inviolability of intimacy, honor and image; V – economic and technological development and innovation; VI – free enterprise, free competition and consumer protection; and VII – human rights, the free development of personality, dignity and the exercise of citizenship by natural persons.
[3] “principles”: Art. 6 Personal data processing activities must observe good faith and the following principles: I – purpose: carrying out the processing for legitimate, specific and explicit purposes, informed to the holder, without the possibility of further processing in a way incompatible with these purposes; II – adequacy: compatibility of the processing with the purposes informed to the holder, according to the context of the processing; III – necessity: limitation of the processing to the minimum necessary for the accomplishment of its purposes, covering data that are relevant, proportional and not excessive in relation to the purposes of the data processing; IV – free access: guarantee, to the holders, of facilitated and free consultation on the form and duration of the processing, as well as on the entirety of their personal data; V – data quality: guarantee, to the holders, of accuracy, clarity, relevance and currency of the data, according to the need and for the fulfillment of the purpose of its processing; VI – transparency: guarantee, to the holders, of clear, precise and easily accessible information about the execution of the processing and the respective processing agents, observing commercial and industrial secrets; VII – security: use of technical and administrative measures capable of protecting personal data from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, communication or dissemination; VIII – prevention: adoption of measures to prevent the occurrence of damage due to the processing of personal data; IX – non-discrimination: impossibility of carrying out the processing for illicit or abusive discriminatory purposes; X – accountability and rendering of accounts: demonstration, by the agent, of the adoption of effective measures capable of proving compliance with the rules for the protection of personal data and, furthermore, of the effectiveness of these measures.
[4] “nature”: Represents how the Company treats, or intends to treat, personal data.
[5] “scope”: Refers to the extent of data processing.
[6] “context”: Highlights a broader scenario, including internal and external factors that may affect the expectations of the personal data subject or the impact of the data processing.
[7] “purpose”: The reason why the Company wants to process personal data; it justifies the processing and provides the elements needed to inform the data subject.
The internal Information Security Policy aims to prevent the risks to which information assets are subject from jeopardizing the Company's activities and the fulfillment of its business mission.
Information assets comprise the means of storing, transmitting and processing information; the equipment necessary for this; the systems used to do so and the places where these means are located.
With regard specifically to personal information, the internal control systems implemented vary according to the type of support (physical or digital), as well as the nature of the information.
2.1.1. Nature of treatment
Technical and administrative measures are adopted to protect personal data from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, communication or dissemination. Access to databases is controlled by network groups and access is limited to certain user profiles.
As an administrative measure, the signing of liability agreements is required, by formal request or by e-mail, for access to systems and for the storage of physical or digital documents.
2.1.2. Data processing
There are several ways of processing personal data in the Company, considering the definition of the LGPD:
2.1.3. Data Source
The ways of collecting data in the company are:
2.1.4. Data Sharing
Data sharing occurs only internally, for exclusively essential operational functions related to the standard commercial routine, which covers, in short, purchasing processes, distribution logistics, invoicing and financial processing. Employees are aware of the importance of the data handled in their respective operational sectors.
2.1.5. Security measures
The security measures adopted are valid for any type of information, as follows:
2.1.6. Data flow
The data flow is essentially linear: the data collected are limited to registration functions needed for the routine commercial fulfillment of the finished product, spanning the purchase, sale, financial and accounting processing stages.
The Company has complex processes related to the execution of surgical procedures that involve considerable physical volume (paper). These documents are necessary for its operation and fulfillment of its mission. However, these documents involving sensitive personal data are transitory and destroyed after scanning and storage on an internal server only for the mandatory legal period. All operations relating to physical documents that carry these personal data are carried out exclusively internally at the Company’s facilities.
2.3.1. Data types
The scope refers to the extent of data processing. The following sections give details on the extent of the scope for digital data. The data contained in physical documents, as seen above, receive the same treatment as digital data, since, as mentioned earlier, they are digitized as soon as they are processed.
In short, for individuals or legal entities (customers, suppliers and employees), the data include the following mandatory registration information, used exclusively for mandatory contractual processing: CPF/CNPJ number; IE number; identity number; CTPS number and series; full name/corporate name; date of birth; complete address; telephone; code and description of the nature of the main occupation; code and description of the main occupation; enrollment date; salary and banking information.
This data is stored in a central database and operated via ERP, in its own facilities.
2.3.2. Data volume
In its area of activity, the database has approximately 10100 records, with 2 to 8 new records being received daily.
2.3.3. Frequency of data processing
The frequency of processing is sensitive to market behavior (trade).
2.3.4. Data retention
The data is retained for the entire duration of the contractual term, until the end of financial and accounting obligations or until the expiration of mandatory legal deadlines relevant to the area of activity of this Company.
2.3.5. Holders affected by the processing of data
Any natural or legal person, customer, supplier or collaborator/employee may be affected by the processing of data in this Company.
This Company processes personal data for legitimate and specific purposes, in a manner compatible with its mission, which is of interest to all parties, and with the aim of exercising legal powers or fulfilling the legal attributions of its area of activity.
2.4.1. Processing of data involving children and adolescents
Only information identifying the child or adolescent as a patient, namely the full name, is handled by this Company.
2.5. Purpose of treatment
The purpose of data processing by the Company is related to strict compliance with legal or regulatory obligations.
The processing of data is limited to the minimum necessary to carry out the purposes informed to the holder. When necessary, it covers the relevant data, proportionate and not excessive in relation to the purposes of data processing. The treatment is carried out only when it is essential and for the purpose of complying with legal and contractual obligations. In order to ensure that the operator processes personal data in accordance with the LGPD and respects the criteria established by the company, every employee is informed about this obligation and the regulatory parameters.
Due to the basic registration characteristics demanded by the Company’s area of activity, sensitive personal data is not processed outside the legal obligations relevant to the commercial context.
Considering the types of operational risk and the depth of the data, the processing is not considered to have an impact on the holder of personal data. Even so, risks must be categorized for better identification.
As a reference, possible failures should be categorized as follows:
The following are non-exhaustive initial examples of identified and measured risks, in accordance with the operational risk management methodology for the protection of personal data:
This report has shown, in general terms, how personal data are collected, processed, used and shared, as well as the measures adopted to treat risks that may affect the civil liberties and fundamental rights of the holders of these data. In addition, it has presented information that denotes the current stage of this Company's compliance with the LGPD. This Report will be reviewed and updated annually, or whenever any change is implemented that affects the processing of personal data. The Company is committed to continually assessing the risks of processing personal data that arise from the dynamism of changes in the technological, regulatory and political scenarios.