1. Initial Considerations

The Company's Compliance Policy has, among its objectives, ensuring that activities are conducted in accordance with the applicable rules. In that regard, under art. 38, caput, of Law No. 13,709 of August 14, 2018 (the General Personal Data Protection Law, LGPD), the National Data Protection Authority (ANPD) may at any time direct the controller to prepare a personal data protection impact report, including for sensitive data.

This document was prepared to meet that need.

Every day the Company processes [1] personal data, that is, information relating to an identified or identifiable natural person (art. 5, I, LGPD). It also handles sensitive personal data: data on racial or ethnic origin, religious conviction, political opinion, membership of a trade union or of a religious, philosophical or political organization, data on health or sex life, and genetic or biometric data, when linked to a natural person (art. 5, II, LGPD).

Considering the foundations [2] of personal data protection (art. 2, LGPD) and the good faith and other principles [3] that must be observed in personal data processing (art. 6, LGPD), the Company maintains internal control systems, which vary with the nature of the personal data, to mitigate the risk of failing to protect it. However, despite the maturity of its risk management, the total elimination of risk cannot be guaranteed; a risk that materializes would affect the privacy of the personal data held internally.

This section describes the processing of personal data, digital or physical, that may pose risks to civil liberties and fundamental rights, specifying the nature [4], scope [5], context [6] and purpose [7] of the processing.


[1] “processing”: any operation carried out with personal data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of the information, modification, communication, transfer, dissemination or extraction (art. 5, X, LGPD).

[2] “foundations”: Art. 2. The discipline of personal data protection is founded on: I – respect for privacy; II – informational self-determination; III – freedom of expression, information, communication and opinion; IV – the inviolability of intimacy, honor and image; V – economic and technological development and innovation; VI – free enterprise, free competition and consumer protection; and VII – human rights, the free development of personality, dignity and the exercise of citizenship by natural persons.

[3] “principles”: Art. 6. Personal data processing activities must observe good faith and the following principles: I – purpose: processing for legitimate, specific and explicit purposes of which the data subject is informed, with no possibility of subsequent processing in a manner incompatible with those purposes; II – adequacy: compatibility of the processing with the purposes communicated to the data subject, in the context of the processing; III – necessity: limitation of the processing to the minimum necessary to achieve its purposes, covering only data that are relevant, proportionate and not excessive in relation to those purposes; IV – free access: guarantee to data subjects of easy, free consultation of the form and duration of the processing and of the entirety of their personal data; V – data quality: guarantee to data subjects of the accuracy, clarity, relevance and currency of the data, as needed to fulfil the purpose of the processing; VI – transparency: guarantee to data subjects of clear, precise and easily accessible information on the processing and on the processing agents, subject to commercial and industrial secrecy; VII – security: use of technical and administrative measures capable of protecting personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication or dissemination; VIII – prevention: adoption of measures to prevent harm arising from the processing of personal data; IX – non-discrimination: processing may not be carried out for unlawful or abusive discriminatory purposes; X – accountability: demonstration by the agent of the adoption of effective measures capable of proving compliance with the personal data protection rules, including the effectiveness of those measures.

[4] “nature”: how the Company processes, or intends to process, the personal data.

[5] “scope”: the extent of the processing: which types of data, in what volume, how often, for how long, and which data subjects are affected (detailed in section 2.3).

[6] “context”: the broader scenario, including internal and external factors, that may affect the expectations of the data subject or the impact of the processing.

[7] “purpose”: the reason for processing the personal data; it justifies the processing and provides the information to be given to the data subject.

2. Description of the processing

The internal Information Security Policy aims to keep the risks to which information assets are exposed from jeopardizing the Company's activities and the fulfilment of its business mission.

Information assets comprise the means of storing, transmitting and processing information; the equipment required for this; the systems used to do so; and the places where these means are located.

With regard specifically to personal information, the internal controls in place vary with the type of medium (physical or digital) and with the nature of the information.

2.1. Digital Data

2.1.1. Nature of the processing

Technical and administrative measures are adopted to protect personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication or dissemination. Access to databases is controlled through network groups and is limited to specific user profiles.
As an administrative measure, access to systems, and the storage of physical or digital documents, is granted only upon formal request (or by e-mail) and requires the signing of a liability agreement.

2.1.2. Data processing

The Company processes personal data, in the sense of the LGPD, in several ways:

  • Collected/Received: data are collected mainly through information systems and by receiving information from other companies, as a result of regulation or contractual obligations. Data are generally received by telephone or e-mail.
  • Retained/Stored: data are kept in the following ways:
    – in the corporate database, on dedicated infrastructure, in a restricted area monitored by security cameras;
    – in files (e.g. Excel spreadsheets, Word documents).
  • Used: data are used in processes in a variety of ways, for example in the ERP to enter purchase orders from suppliers or to invoice sales to customers.
  • Deleted: data can be deleted through actions in the information systems, through SQL commands in the database, and by deleting files. In the database, deletion is performed by the administrator on direct request from those responsible for the internal sectors. Deletion of files is delegated to the collaborators in their respective areas, once the purpose for which the data were used has ended (which also frees up storage space).


2.1.3. Data Source

Data are collected by the Company in the following ways:

  • Customers and suppliers: by telephone, or electronically by e-mail.
  • Internal collaborators: by telephone or in person, electronically or on paper.


2.1.4. Data Sharing

Data sharing occurs only internally, for the essential operational functions of the standard commercial routine, which in short comprises purchasing, distribution logistics, invoicing and financial processing. Employees are made aware of the importance of the data they handle in their respective operational sectors.

2.1.5. Security measures

The security measures adopted apply to every type of information, as follows:

  • File transfer: to transfer electronic files internally, the following must be used:
    – shared folders located on the file server;
    – telephone means.
  • For the transfer of electronic files to or from external recipients, the following may be used:
    – e-mail attachments, if there is no need to guarantee delivery. If the information is sensitive, the attachment must be encrypted, with the file's password transmitted by another means, such as the telephone;
    – removable media (pen drive, CD, DVD or external HD), upon justification and with the consent of the immediate supervisor, especially when the technological means described above cannot be used. In this case encryption is mandatory whenever technologically feasible.
    The following are not considered suitable means of transferring electronic files: shared folders on workstations (desktops and notebooks), private e-mail, and third-party Internet services (e.g. Dropbox, Google Drive and OneDrive).
  • File servers: file servers have storage areas reserved for each sector. The head of each sector is responsible for requesting from the server administrator the permissions that grant access to folders and files, observing the need-to-know and least-privilege principles.
  • Document printing: corporate electronic files must not be printed outside the Company's premises.
  • Disposal of information: corporate information recorded on any medium must be disposed of in a way that prevents its recovery.
  • Monitoring: for audit trail purposes, access to records and their creation and last change are logged.
  • Use of storage areas: each sector is responsible for the correct and efficient use of the storage area reserved for it, periodically checking that:
    – only files needed for the unit's work processes are stored;
    – there are no files that infringe copyright or present other legal risks, such as music, films and books not acquired by the Company.
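The monitoring item above states that access, creation and last change of records are logged for audit-trail purposes, and section 2.1.2 states that database deletions are performed by the administrator on a direct request. The following is an added example, not the Company's own code, of how such a trail can be enforced in the database itself instead of being left to each application: creation and change are captured by triggers, an update that does not name the acting user is refused, reads and deletions (which SQLite cannot attribute to a user from inside a trigger) are recorded by the access functions in the same transaction, and input is validated before it is stored (risk category L in section 4.1). The table and column names, the choice of SQLite, the actor names and the sample records are assumptions made for the illustration.

```python
"""Database-enforced audit trail for a personal-data table.

Added example; not the Company's code. Table/column names, the choice of
SQLite, the actor names and the sample records are assumptions made for
illustration.
"""
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE holders (
    id         INTEGER PRIMARY KEY,
    full_name  TEXT NOT NULL,
    cpf        TEXT NOT NULL UNIQUE,   -- 11 digits, validated before insert
    created_at TEXT NOT NULL,
    created_by TEXT NOT NULL,
    updated_at TEXT,
    updated_by TEXT
);
CREATE TABLE audit_log (
    id        INTEGER PRIMARY KEY,
    ts        TEXT NOT NULL,
    actor     TEXT NOT NULL,
    action    TEXT NOT NULL,            -- CREATE, READ, UPDATE or DELETE
    record_id INTEGER NOT NULL,
    detail    TEXT                      -- column names only, never the values
);
-- Creation and last change are written by triggers, so an application (or an
-- ad-hoc SQL session) that writes to the table directly cannot skip them.
CREATE TRIGGER holders_ai AFTER INSERT ON holders BEGIN
    INSERT INTO audit_log (ts, actor, action, record_id)
    VALUES (NEW.created_at, NEW.created_by, 'CREATE', NEW.id);
END;
-- An UPDATE that does not supply a fresh updated_at and an updated_by is
-- aborted, so every surviving change is attributed to someone.
CREATE TRIGGER holders_bu BEFORE UPDATE ON holders BEGIN
    SELECT RAISE(ABORT, 'update must set updated_at and updated_by')
    WHERE NEW.updated_by IS NULL OR NEW.updated_at IS NULL
       OR NEW.updated_at IS OLD.updated_at;
END;
CREATE TRIGGER holders_au AFTER UPDATE ON holders BEGIN
    INSERT INTO audit_log (ts, actor, action, record_id, detail)
    VALUES (NEW.updated_at, NEW.updated_by, 'UPDATE', NEW.id,
            TRIM(CASE WHEN OLD.full_name <> NEW.full_name THEN 'full_name ' ELSE '' END
              || CASE WHEN OLD.cpf <> NEW.cpf THEN 'cpf' ELSE '' END));
END;
"""


def now():
    # Microsecond resolution, so two legitimate changes never share a timestamp
    # and the BEFORE UPDATE trigger can tell a fresh update from a stale one.
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def normalize_cpf(cpf):
    return "".join(c for c in cpf if c.isdigit())


def valid_cpf(cpf):
    """Check the two CPF verification digits; all-equal digits are rejected."""
    d = [int(c) for c in normalize_cpf(cpf)]
    if len(d) != 11 or len(set(d)) == 1:
        return False
    for n in (9, 10):  # first check digit uses weights 10..2, second 11..2
        s = sum(x * w for x, w in zip(d[:n], range(n + 1, 1, -1)))
        if d[n] != (0 if s % 11 < 2 else 11 - s % 11):
            return False
    return True


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def create_holder(conn, actor, full_name, cpf):
    if not valid_cpf(cpf):  # risk L: reject malformed input before it is stored
        raise ValueError("invalid CPF")
    with conn:  # commit on success, roll back on error
        cur = conn.execute(
            "INSERT INTO holders (full_name, cpf, created_at, created_by) VALUES (?, ?, ?, ?)",
            (full_name, normalize_cpf(cpf), now(), actor))
    return cur.lastrowid


def read_holder(conn, actor, holder_id):
    # SQLite has no SELECT trigger, so the access is logged in the same transaction.
    with conn:
        row = conn.execute("SELECT full_name, cpf FROM holders WHERE id = ?",
                           (holder_id,)).fetchone()
        if row is not None:
            conn.execute("INSERT INTO audit_log (ts, actor, action, record_id) VALUES (?, ?, 'READ', ?)",
                         (now(), actor, holder_id))
    return row


def update_holder_name(conn, actor, holder_id, full_name):
    with conn:
        conn.execute("UPDATE holders SET full_name = ?, updated_at = ?, updated_by = ? WHERE id = ?",
                     (full_name, now(), actor, holder_id))


def delete_holder(conn, actor, holder_id, request_ref):
    # Section 2.1.2: the administrator deletes on a direct request; the request
    # reference is written together with the removal, atomically.
    with conn:
        conn.execute("INSERT INTO audit_log (ts, actor, action, record_id, detail) VALUES (?, ?, 'DELETE', ?, ?)",
                     (now(), actor, holder_id, "request " + request_ref))
        conn.execute("DELETE FROM holders WHERE id = ?", (holder_id,))


def unattributed_update_rejected(conn, holder_id):
    """True if a direct UPDATE that names no actor is refused by the trigger."""
    try:
        with conn:
            conn.execute("UPDATE holders SET full_name = 'x' WHERE id = ?", (holder_id,))
    except sqlite3.DatabaseError:
        return True
    return False


def trail(conn, holder_id):
    return [tuple(r) for r in conn.execute(
        "SELECT action, actor, detail FROM audit_log WHERE record_id = ? ORDER BY id", (holder_id,))]


if __name__ == "__main__":
    db = open_db()
    hid = create_holder(db, "alice", "Maria Silva", "111.444.777-35")  # constructed sample
    read_holder(db, "bob", hid)
    update_holder_name(db, "alice", hid, "Maria S. Souza")
    print("unattributed update rejected:", unattributed_update_rejected(db, hid))
    delete_holder(db, "db-admin", hid, "RQ-0001")
    for entry in trail(db, hid):
        print(entry)
```

The trail deliberately records which columns changed rather than their old and new values, so the log does not become a second, less protected copy of the personal data. Whether a change is "fresh" is decided by comparing the new `updated_at` with the stored one, which is why `now()` uses microsecond resolution.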


2.1.6. Data flow
The data flow is essentially linear: the data collected are limited to the registration functions needed for the routine commercial cycle of the finished product, which spans purchasing, sales, financial and accounting processing.

  • Purchase: collection of only the data needed to record payment and tax obligations, kept until those obligations end.
  • Sale: collection of only the data needed for collection of receivables, kept until those obligations end.
  • Financial: used exclusively to reference purchase or sales documents/data already held internally and to run the related routines.
  • Accounting: used exclusively to reference purchase or sales documents/data already held internally, in order to handle the related obligations.

2.2. Physical data

The Company has complex processes related to the performance of surgical procedures, which involve a considerable physical volume of paper. These documents are necessary for its operation and for the fulfilment of its mission. The documents containing sensitive personal data are, however, transitory: they are destroyed after being scanned, and the scans are kept on an internal server only for the mandatory legal period. All operations on physical documents carrying such personal data are carried out exclusively in the Company's facilities.

2.3. Scope of the processing

2.3.1. Data types

The scope is the extent of the processing. The following sections detail the scope for digital data. Data contained in physical documents, as noted above, receive the same treatment as digital data, since they are digitized as soon as they are processed.
In short, for natural persons and legal entities (customers, suppliers and employees), the data comprise the following mandatory registration information, used exclusively for the required contractual processing: CPF/CNPJ number (taxpayer registration), IE number (state tax registration), identity card number, CTPS (work and social security card) number and series, full name or corporate name, date of birth, full address, telephone, code and description of the nature of the main occupation, code and description of the main occupation, registration date, salary and banking details.
These data are stored in a central database, operated through the ERP, on the Company's own premises.

2.3.2. Data volume
In its field of activity, the database holds approximately 10,100 records, with 2 to 8 new records added each day.

2.3.3. Frequency of data processing
Varies with market activity (trade).

2.3.4. Data retention
Data are retained for the duration of the contractual relationship, until the financial and accounting obligations are settled, or until the mandatory legal retention periods applicable to the Company's field of activity expire.

2.3.5. Data subjects affected by the processing
Any natural or legal person who is a customer, supplier or collaborator/employee may be affected by the Company's data processing.

2.4. Context of the processing

The Company processes personal data for legitimate and specific purposes, compatible with its business purpose and of interest to all parties, in order to exercise the legal powers or fulfil the legal duties of its field of activity.

2.4.1. Processing of data involving children and adolescents
Only the information needed to identify a patient, namely the full name, is handled by the Company.

2.5. Purpose of the processing
The Company processes personal data strictly to comply with legal or regulatory obligations.

3. Necessity and proportionality

Data processing is limited to the minimum necessary to achieve the purposes communicated to the data subject; where needed, it covers only data that are relevant, proportionate and not excessive in relation to those purposes. Processing is carried out only when essential and for the purpose of complying with legal and contractual obligations. To ensure that anyone processing personal data on the Company's behalf does so in accordance with the LGPD and with the criteria established by the Company, every employee is informed of this obligation and of the regulatory requirements.

4. Risks to the Protection of Personal Data

Given the basic registration data required by the Company's field of activity, sensitive personal data are not processed beyond the legal obligations relevant to the commercial context.
Among the types of operational risk, and given the depth of the data held, no impact on the data subject is considered likely. Even so, the risks must be categorized for better identification.

4.1. Risk categories

For reference, possible failures are categorized as follows:

  • A. Unauthorized access: access to personal data without the prior, express, unequivocal and informed consent of the data subject, except where the law allows it.
  • B. Unauthorized modification: modification of personal data without the consent of the data subject. Violates the security principle.
  • C. Loss: destruction or loss of personal data. Violates the security and prevention principles.
  • D. Appropriation: misappropriation or misuse of personal data, including fraud and intentional data leakage. Violates the security and prevention principles.
  • E. Unauthorized removal: removal of personal data without the data subject's authorization.
  • F. Excessive collection: extraction of more data than is needed to perform the work, or than the law provides for or the data subject authorized. Violates the necessity principle.
  • G. Insufficient information on the purpose of processing: the stated purpose for the use of personal information is unsatisfactory or non-specific, or is open to different interpretations.
  • H. Processing without the data subject's consent: processing of personal data without the prior, express, unequivocal and informed permission of the data subject, except where the law allows it.
  • I. Sharing or distributing personal data to third parties without the data subject's consent: sharing of personal data with other private entities without the data subject's permission.
  • J. Unnecessarily prolonged retention of personal data: keeping a data subject's personal data longer than necessary or than was consented to or authorized. Violates the necessity principle.
  • K. Improper linking or association, direct or indirect, of personal data to a data subject: linking data belonging to the real data subject to another person. Violates the data quality principle.
  • L. Processing failure or error: imperfect or mistaken data processing, e.g. running a database script that overwrites personal data with wrong information, or failing to validate input data. Violates the data quality principle.

4.2. Risk identification

The following are initial, non-exhaustive examples of risks identified and measured under the operational risk management methodology for personal data protection:

  • intentional leakage of personal data;
  • intentional alteration of personal data;
  • improper permission to access personal data;
  • theft of confidential information;
  • unauthorized disclosure of personal data contained in documents and files;
  • unauthorized breach of bank secrecy;
  • intrusion to collect personal data.

5. Final considerations

This report has shown, in general terms, how personal data are collected, processed, used and shared, and the measures adopted to address risks that may affect the civil liberties and fundamental rights of data subjects. It has also presented information reflecting the Company's current stage of compliance with the LGPD. The report will be reviewed and updated annually, or whenever a change is implemented that affects the processing of personal data, and the risks of processing personal data will be assessed continually as the technological, regulatory and political landscape changes.