Transdata Privacy Policy
Your privacy is of paramount importance to us. Therefore, we dedicate numerous efforts to ensure compliance with all privacy and data protection regulations, always aiming to safeguard the personal data we handle and, consequently, the data subject, ensuring that such data is used appropriately and transparently. In this Privacy Statement, you will find Transdata's general privacy guidelines.
For inquiries, suggestions, complaints, or requests, please do not hesitate to contact us at privacidade@itstransdata.com. We will be delighted to assist you. Our Data Protection Officer is:
FCL Advocacia
Andréa Leal Barbosa
privacidade@itstransdata.com | +55 81 99821 0084
Av.General MacArthur, 418 - Empresarial Unicenter, Salas 503/504, Imbiribeira, Recife- PE
Privacy Principles Guiding Our Work
1. Purpose of the Document
In this policy statement, we will establish the rules and commitments adopted by Transdata regarding its data processing routines associated with its business processes, in accordance with applicable laws. This document is associated with Transdata's Corporate Governance Policy and reinforces the organization's commitment to ensuring that the relationship between Transdata and its Data Subjects is guided by the principles of purpose, adequacy, necessity, free access, data quality, transparency, security, prevention, non-discrimination, and accountability in relation to all personal data processing activities we perform as a Data Controller in compliance with Brazil’s General Data Protection Law (LGPD - Law No. 13,709/18).
When interacting with Transdata during the execution of any business process or operational routine of any nature, as a Data Subject (internal or external to our company), you are subject to, covered by, and agree to the parameters defined in this document since it is public and available to all on our corporate website via the following link: https://www.itstransdata.com/privacidade
2. Glossary
To better understand this document, we provide the following meanings for some terms and acronyms used herein:
i. ANPD: National Data Protection Authority. It is the government body responsible for overseeing, implementing, and enforcing compliance with the General Data Protection Law (LGPD - Law No. 13,709/18) throughout the Brazilian national territory.
ii. Artifact or Data Artifact: These are records, documents, or databases that aggregate one or more Data or Personal Data. Example: Transdata's customer database is an artifact that contains, among other things, the name and email (personal data) of its customers.
iii. Information Assets: These are the physical or digital tools or means that Transdata uses to manage its Data Artifacts. Example: Microsoft Exchange is an Information Asset we use to store email messages (artifacts).
iv. Compliance and LGPD Committee: A multidisciplinary group of Transdata employees responsible for governance and strategy decisions related to privacy and information security in our company.
v. Account: This is how the Data Subject is represented when accessing certain restricted areas and exclusive features of websites, applications, and services offered by Transdata, typically corresponding to a set of data that uniquely represents the Data Subject, supplemented with other relevant data to ensure a more appropriate and complete relationship between Transdata and the Data Subject.
vi. Data Controller: Any natural or legal person, public or private, who is responsible for decisions regarding the processing of personal data.
vii. Cookies: Small files or data packets sent by Transdata to the Data Subject's device to identify and collect information to improve the browsing experience on our website.
viii. Credentials: The set of data that the Data Subject uses to authenticate themselves to access certain restricted areas and/or exclusive features of websites, applications, and services offered by Transdata, typically represented by a username and password but may include additional data to assist in the authentication process.
ix. Data: Anonymized Data and Personal Data sets.
x. Anonymized Data: Information that, alone or in combination with other Anonymized Data, does not allow the identification of a person, considering the use of reasonable and available technical means at the time of processing. It may include gender, age, approximate geolocation (such as the city in which it is located), and statistical data.
xi. Personal Data: Information related to an identified or identifiable natural person. It may include, for example, name, address, email, phone number, debit/credit card number, IP address, and geolocation data.
xii. Data Protection Officer (DPO): An individual designated by Transdata who is responsible for serving as a communication channel between our company, the Data Subject, and government authorities regarding this Privacy Policy and the use, collection, and processing of Data by Transdata.
xiii. IP Address: Internet Protocol address associated with the device used by the Data Subject. Each IP Address corresponds to an alphanumeric set that, along with other information, helps uniquely identify the device that the Data Subject is using to access the internet and, therefore, to access websites, applications, and services provided by Transdata.
xiv. Applicable Law: Refers to the laws applicable to the relationship between Transdata and the Data Subject, which may vary due to (i) the location of service provision; (ii) the residence or address of one of the Parties, including the Data Subject themselves; (iii) other factors indicated in specific legislation.
xv. Logs: Records of Data Subjects' activities on websites, applications, and services provided by Transdata.
xvi. Transdata: Refers to the parent company and/or all subsidiary companies of Transdata represented by the legal entity Transdata.
xvii. Data Processor: Any natural or legal person, public or private, that carries out, in whole or in part, the processing of personal data in accordance with the policies and guidelines of the Data Controller.
xviii. Privacy Policy: Refers, collectively, to this document and its attachments, as well as other documents expressly referenced herein.
xix. Security Policy: Refers, collectively, to internal documents and their attachments that internally determine the protocols and technical security measures that Transdata's physical and virtual environments implement to ensure the security of personal data processed within the company.
xx. Business Process: Administrative or technical routines that include activities carried out by Transdata to meet specific management objectives. Business processes are executed through automated or manual routines and generate artifacts that house the Data and Personal Data processed by our company. These artifacts are managed by the Data Assets used by the organization to carry out activities within a Business Process.
xxi. Data Subject: Individuals, whether internal or external to Transdata, who access or interact with the features offered by websites, applications, business processes, and services provided or executed by our company. The Data Subject must have the legal capacity to accept and consent to this Privacy Policy and other related documents from Transdata. If you do not have such capacity, you declare that you have previously obtained all the necessary authorizations to accept this Privacy Policy and other documents presented by Transdata.
xxii. Data Processing: any operation carried out by Transdata involving Personal Data, including but not limited to, collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation, or control of information, modification, communication, transfer, circulation, or extraction.
3. Roles and Responsibilities in Information and Data Privacy Management
This policy, its appendices, and any other documents or agreements related to privacy and information security are the responsibility of a multidisciplinary team at Transdata responsible for creating, defining, and maintaining all aspects outlined here.
This team is composed of the following parties that interact with each other:
i. Compliance and LGPD Committee: A multidisciplinary group of Transdata employees responsible for governance and strategy decisions related to privacy and information security in our company.
The primary responsibilities of the Compliance and LGPD Committee include:
• Evaluate existing data processing and protection mechanisms and proposing and approving policies, strategies, and goals for operational compliance in accordance with the guidelines established in the Brazilian Law 13,709, of August 14, 2018;
• Define principles and guidelines for data management and proposing their regulation;
• Oversee the implementation of plans, projects, and actions approved by the Committee to facilitate the implementation of the guidelines provided in the Brazilian Law 13,709, of August 14, 2018;
• Provide guidance on data processing and protection in accordance with the guidelines established in the Brazilian Law 13,709, of August 14, 2018, and in internal company policies;
• Promote internal and external communication about the data protection measures adopted, either proactively or upon request;
• Support the Data Protection Officer (DPO) in their duties.
ii. DPO: Our Data Protection Officer serves as the focal point of communication between our company, Data Subjects, our Data Processors, other controllers associated with Transdata, and the National Data Protection Authority (ANPD).
The primary responsibilities of our DPO include:
• Act as a communication channel between the controller, data subjects, and the National Data Protection Authority (ANPD);
• Serve as a member of the Compliance and LGPD Committee of the entity and providing guidance on LGPD-related matters;
• Accept complaints and communications from data subjects, providing explanations, and taking necessary measures;
• Receive communications from the national authority and taking appropriate measures;
• Providing guidance to the entity's employees and contractors regarding practices to be adopted concerning the protection of personal data; and
• Perform other duties determined by the controller or established in complementary regulations.
You can contact our DPO via email at privacidade@itstransdata.com, and all information about this agent can be obtained on our corporate website through the link https://www.itstransdata.com/.
iii. Security Team: Transdata's technical team focusing on the Technical Security Measures in use within the company and on operational and technical procedures in the event of security and privacy incidents.
The primary responsibilities of the Security Team include:
• Implement Technical Security Measures that ensure high levels of reliability in the Information Assets used by Transdata;
• Monitor the Information Assets used by Transdata and taking preventive actions to mitigate security and privacy risks;
• Define, maintain, and monitor the results of Transdata's Security Policy;
• Implement effective actions for addressing security and privacy incidents;
• Provide guidance to Transdata employees, Data Processors, and other controllers associated with our company regarding the levels and Technical Security Measures to be adopted in the relationships between entities;
• Support the Data Protection Officer (DPO) in their duties.
Any questions that may arise regarding this Privacy Policy, its appendices, or any other aspect related to privacy and information security can be directed to our DPO. Instructions for accessing them are posted on our corporate website at the following link: https://www.itstransdata.com/.
4. Initial Provisions
All products and services offered by Transdata to its clients and all operational routines executed by our team are guided by the principle that it is our responsibility to safeguard the privacy of Data Subjects associated with our company.
This commitment undertaken by Transdata is put into practice not only by the rules established in our Policies but also by the fact that we adopt as a norm that privacy is a central matter in our projects and relationships, through the implementation of the privacy standard from conception (or privacy by design), formed by the following pillars that guide our activities:
i. Legality: We only process data in accordance with applicable privacy and data protection regulations, so any unlawful processing is prohibited in Transdata's activities.
ii. Purpose: There must always be a legitimate, specific, and explicit purpose for the processing of personal data, known to the data subject.
iii. Coherence: The processing of personal data always aligns with the purpose informed to the data subject.
iv. Necessity: We only process data necessary to achieve the purposes informed to the data subject.
v. Free Access: We ensure data subjects have access to information about the processing of their personal data.
vi. Data Quality: We work to ensure accuracy, clarity, and relevance of the personal data we process.
vii. Transparency: We process personal data transparently so that data subjects have access to clear, accurate, and accessible information about the processing.
viii. Security: We employ technical and administrative measures to provide security and protection for the personal data we process, following best practices in information security, especially against unauthorized access or accidental or unlawful situations of destruction, loss, alteration, communication, or dissemination.
ix. Prevention: We adopt preventive measures to avoid damages due to the processing of personal data.
x. Non-discrimination: We do not process personal data in ways that may constitute unlawful or abusive discrimination.
xi. Accountability: We employ internal measures to demonstrate and prove Transdata's compliance with privacy and personal data protection regulations.
5. Regarding Data Processing
For Transdata to offer its services, products, and comply with other legal requirements and regulations to which it is subject, our organization processes Personal Data of Data Subjects in various business processes, both digitally and physically.
These Data Processing activities control the Data Lifecycle, which consists of the following stages and is governed by their respective rules:
Data Collection:
i. Data is collected:
• When voluntarily entered or submitted by Data Subjects on Transdata's websites and services, such as contact forms on the website, the use of the company's integrity channel, browsing, interacting with content, and acquiring services;
• When Data Subjects submit them from third parties to Transdata. In this case, we may use them in accordance with this Privacy Policy, with the Data Subject declaring that they have obtained the necessary consent and authorization from the relevant third parties to submit this Personal Data for Transdata's knowledge and record-keeping, holding Transdata harmless;
• When they are collected automatically and without the need for any action by Data Subjects, such as through cookies;
• From partners who have obtained authorization to share them with Transdata;
• When Data Subjects provide personal data to Transdata through service channels such as telephone, email address, or by completing a physical artifact inside or outside our company's premises; or
• When personal data is provided to Transdata by other individuals or companies for the processing of personal data collected by it, in which case Transdata will act as a processor and comply with the instructions and guidance of the controller.
ii. The data that Transdata collects may include, but is not limited to:
• Name;
• Gender;
• CPF (Brazilian tax ID);
• Email address;
• Postal address;
• Phone number;
• Date of birth;
• Information about the device's browser and operating system;
• IP address;
• Visited pages;
• Clicked links and buttons;
• Contact list;
• Biometric personal data (such as, but not limited to: facial photo and video and voice recordings in online meetings);
• Information about the company where the Data Subject works or represents;
• Position held by the Data Subject.
iii. Other data collected by Transdata will always be in accordance with the organization's business purposes or other legal obligations. For more details, please refer to the "Data Subject Rights" section in this Privacy Policy.
iv. Transdata is not responsible for the accuracy or inaccuracy of the information and data provided by the Data Subject. It is the responsibility of the Data Subject to provide accurate and up-to-date information.
Data Usage:
i. The data collected from Data Subjects will always be used to allow Transdata to fulfill its role as an organization within legal limits and to meet at least one of the following hypotheses:
• To comply with legal or regulatory obligations pertaining to Transdata;
• When necessary for the execution of a contract or preliminary procedures related to a contract of which the Data Subject is a party;
• For the regular exercise of Transdata's rights in a judicial or administrative process;
• To support and promote Transdata's activities as an organization within legal limits;
• To ensure the protection, concerning the Data Subject, of the regular exercise of their rights or the provision of services that benefit them.
ii. The Data Subject acknowledges and agrees that Transdata may use the data, exclusively for internal purposes and without sharing with entities external to Transdata, to profile the Data Subject in order to improve its services or comply with the applicable legislation, including but not limited to know your customer (KYC) obligations.
iii. In case Transdata processes Data for any purpose other than those listed above, we will seek the explicit consent of the Data Subject before carrying out such processing.
iv. For more information about the purposes of Data Processing used by Transdata (and their respective legal bases), please refer to the "Data Subject Rights" section in this Privacy Policy.
Data Storage:
i. The collected data will be stored in a secure and controlled environment, internally governed by our Security Policy.
ii. Data obtained from the Data Subject may be stored on Transdata's own server or on a third party contracted for this purpose, whether located in Brazil or abroad. They may also be stored through cloud computing technology and/or other emerging technologies, always aiming to improve and enhance Transdata's activities.
iii. Transdata will ensure that third parties that may maintain the servers on which the data is stored comply with security and control standards in accordance with the applicable legal standards and the definitions of our Security Policy and this Privacy Policy.
iv. For data stored in physical media, such as printed documents, storage will be carried out at addresses owned by Transdata or at third-party addresses contracted for this purpose.
v. Transdata will ensure that the third parties that may maintain physical documents containing data comply with security and control standards in accordance with the applicable legal standards and the definitions of our Security Policy and this Privacy Policy.
Data Sharing
i. Transdata shares data of its Data Subjects with third-party entities in the following scenarios:
• to comply with a legal or regulatory obligation pertaining to Transdata;
• to support and promote Transdata's activities as an organization, within legal limits;
• when necessary for the execution of a contract or preliminary procedures related to a contract of which the Data Subject is a party;
• for the regular exercise of Transdata's rights in a judicial or administrative process;
ii. In all the aforementioned cases, data sharing is carried out in full compliance with all the requirements outlined in this Privacy Policy, in accordance with the technical aspects of our Security Policy, and in strict compatibility with the specific purposes associated with the sharing, always respecting the principles of requirement and security.
iii. Sensitive data of the Data Subject, understood as personal data regarding racial or ethnic origin, religious belief, political opinion, membership of a trade union or religious, philosophical, or political organization, data relating to health or sex life, genetic or biometric data when linked to a natural person, will be shared exclusively with the prior consent granted by the Data Subject.
iv. Transdata does not share Data Subject data to support and promote Transdata's activities as an organization without the prior consent of the Data Subject.
Data Deletion and Right to be Forgotten:
i. Data is deleted whenever it is no longer necessary to fulfill its purposes and in compliance with the maximum storage period allowed for each of these purposes.
ii. The Personal Data of the Data Subject will be deleted when they are no longer necessary, except in the case of a legal or contractual justification for their maintenance (for example, to fulfill any legal data retention obligation or the need to preserve such data to protect the rights and legitimate interests of one of the parties involved in the contract).
iii. Transdata may retain Anonymized Data and an anonymized version of Personal Data for statistical and research purposes, even after the Data Subject's request for deletion or after the legal retention period has expired. It is worth noting that, in this case, when Personal Data becomes Anonymized Data, it is no longer considered Personal Data, as the Data Subject's privacy is guaranteed because they can no longer be identified by that Anonymized Data.
iv. The Data Subject has the right to request the deletion of their Personal Data (or their "forgetfulness") at any time. For more information on this, please refer to the "Rights of Data Subjects" section in this document.
v. However, even if the Data Subject has requested the deletion of their data and revoked their consents, in some specific cases, Transdata may be subject to laws and regulations that prevent the deletion/revocation of data or consents.
6. Regarding Technical Security Measures:
To ensure the right to privacy of Data Subjects and mitigate security risks in the protection of their data, our Security Team employs Technical Security and Prevention Measures that are compatible with worldwide best practices in Information Technology and as defined in our Policies established by the Compliance and LGPD Committee.
These Technical Security and Prevention Measures aim to maximize the level of reliability of our Information Assets through which data is processed.
We manage the reliability level of our Information Assets based on the combined level of the following parameters:
i. Confidentiality: the property that data is not available or disclosed to unauthorized individuals, entities, or processes;
ii. Integrity: the property of safeguarding the accuracy and completeness of data, ensuring that data is not subject to unauthorized alteration;
iii. Availability: the property of data being accessible and usable when demanded by an authorized entity.
Among our Technical Security Measures, we employ, not exclusively, the following practices:
i. Detection of hardware and software vulnerabilities: our Information Assets are constantly monitored to ensure quick detection of possible vulnerabilities so that we can take immediate action towards their solution;
ii. Backup copies: we perform data backups through a continuous and intelligent strategy, ensuring the possibility of data recovery in case of loss;
iii. Access control: we use physical and logical mechanisms combined for data access control, such as the use of firewalls and physical access control to locations that store physical artifacts. We also operate under a robust access matrix, ensuring that only individuals who need access to specific data have access to it.
Internally, data will only be accessed by professionals duly authorized by Transdata, in accordance with the principles of purpose, adequacy, necessity, and others provided for in the Applicable Law for the company's objectives. This access also adheres to the commitment to confidentiality and the preservation of privacy as outlined in this Privacy Policy and our Security Policy.
Transdata's entire information security strategy is documented in our internal Security Policy. It is fully compatible with this Privacy Policy and an integral part of the Corporate Governance of the company.
7. Regarding security and privacy incidents
In an effort to mitigate security incidents, in addition to the Administrative and Technical Measures employed by Transdata, our Security Team and DPO regularly conduct risk analysis and impact assessment on privacy and personal data protection routines. These routines aim to anticipate issues and minimize the likelihood of information security incidents. Any identified opportunities for improvement in these analyses are promptly implemented within the organization.
However, despite our team's relentless efforts to implement Administrative and Technical Measures to mitigate risks, in the event of a security incident that may result in significant risk or harm to the Data Subject, Transdata will notify the ANPD (the Brazilian Data Protection Authority) and the Data Subjects involved in the incident.
This communication will be made within a reasonable timeframe and will contain, at a minimum, the following information:
i. A description of the nature of the affected personal data.
ii. Information about the data subjects involved.
iii. Indication of the technical and security measures used to protect the data, while respecting commercial and industrial secrets.
iv. Risks related to the incident.
v. The reasons for any delay in case the communication was not immediate.
vi. Measures that have been or will be taken to reverse or mitigate the effects of the damage.
The notification sent to the ANPD will comply with the parameters established by the entity according to current rules.
In parallel with the notification procedures, our Security Team will work tirelessly to restore the ideal status of the products, services, and Information Assets associated with the incident and mitigate the impacts resulting from any incidents that may occur, following the criteria established in our Security Policy.
8. Regarding the Rights of Data Subjects
We acknowledge all the rights of Data Subjects established by law and provide them with business processes that offer channels for each Data Subject to exercise these rights.
Our Data Subjects' rights embody our company's commitment to remain in compliance with the principles of free access and transparency in data processing:
i. Free Access: We ensure that data subjects have easy and free access to information about the manner and duration of their data processing, as well as the completeness of this data.
ii. Transparency: We guarantee clear, precise, and easily accessible information to data subjects regarding the data processing activities and the respective data processing agents, while respecting Transdata's commercial secrets.
Through the channels made available at the following link: https://www.itstransdata.com/privacidade, data subjects can contact Transdata to:
i. Request confirmation of the existence of their data, access the data, including its display, and request to rectify incomplete, inaccurate, or outdated data.
ii. Request anonymization, deletion/removal of all your Personal Data collected and processed by Transdata, provided that any contractual clauses still in force between the data subject and our company are respected, and the minimum legal period is guaranteed for compliance with legal obligations that we must fulfill in relation to other legal provisions.
iii. Request details about the processing carried out by Transdata (or third parties on our behalf) concerning your data.
iv. Consult and revoke consents associated with Data Processing granted to Transdata, emphasizing that this will not affect the legality of the processing of Personal Data carried out before the revocation, based on the consent previously given.
v. Request the portability of your data.
vi. Request a review of decisions made solely based on automated data processing that affect your interests, including decisions aimed at defining your personal, professional, consumption, and credit profile or aspects of your personality.
All requests from data subjects will be handled in compliance with legal deadlines.
9. Regarding cookies used by Transdata
To enable browsing on our corporate website (https://www.itstransdata.com/pt/home/), we use cookies.
To learn more about all the rules applicable to the use of cookies on our website, please refer to our Cookie Policy, a document that should be considered an addendum to this Privacy Policy and published at the link https://www.itstransdata.com/cookies.
10. General provisions
Transdata is responsible for the creation, supervision, and maintenance of this Privacy Policy, which is an integral part of its Privacy and Data Protection Management System (SGPD).
The content of this Privacy Policy may be updated or modified at any time, according to Transdata's purposes or convenience, as well as for compliance with legal provisions or regulations with equivalent legal force. It is the responsibility of the Data Subject to check it whenever they access the websites, applications, or services provided by our company.
In case of updates to this document, Transdata will notify the Data Subject through the tools available on the websites, applications, and services provided by our company and/or the means of contacts provided by the Data Subject. The Data Subject will be bound by the new terms of this document upon receiving the notification of the updates.
When Transdata uses an Operator to carry out part or the entirety of a specific Data Processing activity, this third party must adhere to the conditions stipulated here, as well as to all the definitions of the Privacy and Data Protection Management System (SGPD) in force at Transdata, as a mandatory requirement. This commitment is documented in contractual clauses defined in the contracts signed between Transdata and our suppliers.
When Transdata assumes the role of Operator for an external Controller, we operate in accordance with the Privacy and Security Policies of that Controller, while always seeking compatibility with our corporate governance, including privacy and data protection matters.
If any provision of this Privacy Policy is considered illegal or illegitimate by an authority in the location where the Data Subject resides or their internet connection is established, the other remaining conditions will remain in full force and effect.
This Privacy Policy and further information on how we handle the privacy of Data Subjects in our operation can be found on the company's official website at https://www.itstransdata.com/privacidade.
11. Applicable Law and Jurisdiction
This Privacy Policy will be interpreted in accordance with Brazilian law, in the Portuguese language, with the venue of the city of Campinas/SP being elected to settle any dispute or controversy involving this document, unless for specific exceptions of personal, territorial, or functional capacity under the Applicable Law.
If you believe that Transdata has violated any legal provision or this Privacy Policy, the Data Subject has the right to file a complaint with the appropriate supervisory authority, in addition to contacting Transdata directly through the channels listed here.