Personal Data Privacy Policy – BRAVO GRC

Atualizada em 02 de setembro de 2022.

1. PURPOSE

This Personal Data Privacy Policy (“Policy” or “Privacy Policy”) aims at establishing rules and guidelines on the processing of personal data collected by Bravo GRC LTDA. (“BRAVO GRC”) pursuant to the applicable regulations.
When consenting to this Privacy Policy, the data subject agrees with the terms hereunder and the processing of personal data for the purposes described herein

2. SCOPE

This Policy applies to activities involving the processing of personal data and covers all BRAVO GRC’s websites, portals, applications, and forms.

3. TERMS AND DEFINITIONS

For understanding this policy, we must consider definitions and terminologies according to the detailing below:

Processing agents: the controller and the operator.

Anonymization: the use of reasonable technical means available at the moment of processing, through which a piece of data loses the possibility to be directly or indirectly associated with an individual.

National Authority/National Data Protection Authority – ANPD: a public administration body responsible for ensuring, implementing, and inspecting compliance with the General Data Protection Law (LGPD) throughout the national territory.

Database: a structured set of data, established in one or several places, in electronic or physical media.

Blocking: a temporary interruption in any processing operation upon the protection of the personal datum or database.

Employees: persons hired to form part of BRAVO GRC’s staff.

Consent: a free, informed, and unequivocal statement through which the data subject agrees with the processing of their personal data for a certain purpose.

Controller: an individual or legal entity of public or private law responsible for the decisions regarding the processing of personal data.

Cookies: files containing small parts of data that are shared between a technological device and a web server in order to make browsing more friendly and improve user experience.

Anonymized Datum (a): a piece of data related to the data subject other that cannot be identified, given the use of anonymization at the time of its processing.

Personal Datum (a): information related to an identified or identifiable individual.

Sensitive Personal Datum(a): any personal datum (a) on the racial or ethnic origin, religious conviction, political opinion, membership to a union or a religious, philosophical, or political organization, datum (a) on health or sexual life, genetic or biometric datum (a), when related to an individual.

Elimination: the removal of a datum or a set of data stored in a database regardless of the procedure used.

Personal Data Processing Supervisor (“Supervisor”)/DPO (Data Protection Officer): a person appointed by the controller and the operator to act as a communication channel between the controller, the data subjects, and the ANPD.

Purpose: the reason why the data subject’s personal datum (a) is processed.

General Data Protection Law (LGPD): Law No. 13,709/2018 or the LGPD, which provides for the processing of personal data of individuals, regardless of medium, by an individual or a legal entity of public or private law, aiming at protecting the fundamental rights to freedom and privacy and the free development of the personality of the individual.

Operator: an individual or a legal entity of public or private law that processes personal data on the controller’s behalf.

Opt-In: a statement from the data subject to express, previously and explicitly, their consent to receive a specific communication or authorization for the processing of personal data.

Opt-Out: the opposite of opt-in, that is, the revocation of a consent previously given.

Research Agency: a direct or indirect public administration agency or entity or a nonprofit legal entity of private law lawfully organized under the laws of Brazil with its principal place of business in and under the jurisdiction of the Country that includes in its institutional mission or in its corporate or statutory purpose basic or applied historical, scientific, technological, or statistical research.

Impact on Personal Data Protection Report (RIPD): documentation of the controller that contains the description of the processing of personal data that may create risks to civil freedoms and fundamental rights, as well as measures, safeguards, and risk mitigation mechanisms.

Site/Website: an online address of an individual or a legal entity, composed of a set of web pages.

Data Subject/User: an individual to which personal data subject to processing are related.

International Transfer of Data: transfer of personal data to a foreign country or an international organization of which the country is a member.

Processing: all operations conducted on personal data, such as those related to the collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, elimination, assessment or control of information, modification, communication, transfer, diffusion, or extraction.

Shared Use of Data: communication, diffusion, international transfer, interconnection of personal data or shared processing of personal databases by public agencies and entities while performing their legal powers, or between private entities, reciprocally, upon a specific authorization, for one or more types of processing allowed by these public entities, or between private entities.

4. PURPOSE OF PERSONAL DATA PROCESSING

Personal data processed by BRAVO GRC aim at fulfilling several purposes, depending on the relationship of the data subject with BRAVO GRC. Thus, we present below, not exhaustively, the main cases in which we shall process the data subject’s personal information:

• For the performance of a legal obligation (art. 7, ¶ II of the LGPD): when resulting from a legal and/or regulatory determination imposed upon BRAVO GRC.
• When required for contract performance (art. 7, ¶ V of the LGPD): performance of specific contracts by BRAVO GRC with several companies (suppliers and/or service providers).
• For the creation, preparation, and monitoring of specific programs, events, and projects, and other contracts or preliminary procedures:
  • Relationship and provision of information related to BRAVO GRC’s programs, events, and projects;
  • Registration for access to BRAVO GRC’s platforms;
  • Specific assistance provided by BRAVO GRC;
  • Provision of support to users, employees, suppliers, service providers.
• For the regular exercise of rights, including for administrative, legal, and arbitral proceedings:
  • To conduct the processes of receipt of complaints by Ombudsmen;
  • To receive and prepare responses to complaints and proceedings before government entities;
  • In the storage of information for defense in legal, administrative, or arbitration proceedings.
• In the persecution of BRAVO GRC’s legitimate interest, always to the limit of their expectation, and never to the prejudice of the data subject’s interests and fundamental rights and freedoms;
• Through an authorization granted by the data subject (“Consent”).

The database composed by the collection and storage of personal data of the data subject is owned and a responsibility of BRAVO GRC, provided that its use, access, and sharing, when necessary, shall be made within the limits and purposes of its business, and may, in this regard, be made available for consultation, shared, and assigned to suppliers and authorities, as long as pursuant to the the provisions in this Privacy Policy and the applicable regulations.

No document, information, and/or personal datum shall be disclosed and/or shared under any circumstances, unless expressly authorized by the user for purposes of performance of the services contracted or upon a judicial order or by legal determination.

It may be necessary to transfer the user’s personal data to other BRAVO GRC entity, a partner, or a third-party service provider. BRAVO GRC requires its service providers to process such data in compliance with this Privacy Policy and the applicable regulations only.

Internally, user data are accessed by employees duly authorized only, meeting the principles of purpose, adequacy, need, and other principles inherent in the processing of personal data, always for BRAVO GRC’s goals, in addition to keeping confidentiality and preserving privacy pursuant to this Privacy Policy.

5. TYPES OF PERSONAL DATA SUBJECTS

The subjects of personal data processed by BRAVO GRC are categorized as follows:

• Users;
• Clients;
• Employees;
• Trainees;
• Supervisors;
• Leads;
• Suppliers;
• Service Providers;
• Candidates to positions and roles in BRAVO GRC;
• Stakeholders.

6. DATA COLLECTED

The collection of some information on the subject is essential so that BRAVO GRC fulfills its corporate purpose. Therefore, personal data provided directly by the data subject or their legal guardians (upon specific consent authorizing the processing of a child’s personal data), companies, or third parties, or collected automatically, according to the preparation and monitoring of specific programs or projects, or any other type of relationship of the data subject with BRAVO GRC. See the types of collection of personal data below:

Personal data provided directly by the data subject: all personal data inserted or sent when accessing one of BRAVO GRC’s channels (websites or applications) shall be collected.

Personal data provided by companies: aiming exclusively at the performance of a legal obligation (art. 7, ¶ II of the LGPD) or when required for the execution of contracts and/or preliminary procedures in which the data subject is a party (art. 7, ¶ V of the LGPD).

Personal data provided by third parties: BRAVO GRC may receive personal data through third parties that have some type of relationship with the data subject, namely, partners, suppliers, or service providers. BRAVO GRC may also collect data from public databases made available by authorities (such as the Federal Revenue Service, for example) or by third parties, or even data made public by the subject on websites or social media, always in compliance with privacy.

Personal data collected automatically: BRAVO GRC may also collect a series of information automatically and, to do so, uses some market technologies (cookies, for example) to improve the browsing experience of the users in BRAVO GRC’s websites and applications, according to their habits and preferences.
The following essential rules shall always be complied with for all collection of personal data:

• Personal data collected shall be used to fulfill the purposes informed to the data subject only;
• If necessary, we will ask for authorization or notify the data subject of the collection of new data, accompanied by the due justification.

The processing of personal data of children and teenagers shall be conducted upon specific, separate consent of one of the parents or the legal guardian only.

Data processed by BRAVO GRC shall be stored for the time necessary for the fulfillment of the purposes they were collected for, or, furthermore, for meeting legal and regulatory requirements. BRAVO GRC shall delete data once the period of data retention ends or upon request of the subject.

7. SHARING DATA WITH THIRD PARTIES

Personal data processed by BRAVO GRC may be accessed by third parties, as established below.

For our purposes

BRAVO GRC may share data with third parties for its own purposes. BRAVO GRC shall share personal data strictly necessary for providing or otherwise fulfilling its corporate purpose, as well as for several internal goals linked with the same purpose.

For strategic reasons

BRAVO GRC may share all data categories listed in item 6 with partners and other entities that provide some services to BRAVO GRC or help with internal functions, such as data analysis and maintenance of the security of internal systems, or ensure performance of legal provisions. For example, BRAVO GRC may share information with audit firms, law firms to obtain legal assistance, booking firms, or other professionals. Other entities that may receive personal data for such purposes include information security service providers, data analysis companies, quality assurance assessors, among others.

For legal and regulatory reasons

BRAVO GRC may share all personal data categories informed in item 6 with partners, service providers, and other entities whenever necessary to perform legal or regulatory obligations, including compliance with any applicable law, lawsuit, or administrative proceeding. BRAVO GRC may also share information to protect and defend the rights of related parties, personal data subjects, or any other person, to protect them against fraudulent or malicious activities, enforce the terms and conditions of BRAVO GRC, or cooperate with law inspecting authorities.

When the data subject consents to the disclosure

BRAVO GRC may share certain information with partners or other entities when the data subject instructs the company to share it or otherwise consent to share this information, and any and all consent stated by the subject must be prior and express.

8. DATA SUBJECTS’ RIGHTS AND REQUIREMENTS

BRAVO GRC ensures to data subjects, pursuant to the applicable regulations, the following rights:

• Confirmation of existence of the processing;
• Access to their data;
• Correction of incomplete, inaccurate, or outdated data;
• Anonymization, blocking, or elimination of data that are unnecessary, excessive, or processed not in compliance with the applicable regulations;
• Portability of data to other service providers or products, upon express request, according to the ANPD regulations;
• Elimination of personal data processed upon the consent of the data subject, except as provided for in the applicable regulations;
• Information on public and private entities with which BRAVO GRC shared data;
• Information on the possibility not to provide consent and the consequences of the denial;
• Revocation of consent, pursuant to the applicable regulations;
• Review of automated decisions.

Data subjects’ rights provided for in the applicable regulations and this Policy may be exercised upon express request of the data subject or their legal guardian, and such request may be made through the relationship channel available on the privacy website or the privacy notice.

The user is notified, through this document, that any request for exclusion of information essential to manage their registration in BRAVO GRC, when it may apply, shall entail the termination of their contractual/business relationship.

BRAVO GRC shall use all reasonable efforts to meet the requirements made by the data subject within the shortest time possible. However, excusable factors may delay or prevent quickly meeting such requirements, provided that, in case of delay, the due reasons shall be presented to the data subject.
The data subject is responsible for providing correct and updated information. BRAVO GRC is not responsible for the accuracy, veracity, or lack of it, of the information provided, and it may, at its discretion, suspend and/or cancel the registration of the user at any time, if any inaccuracies are identified.

Finally, the data subject must be aware that their request may be lawfully rejected, whether for formal (for example, its inability to prove their identity) or legal (for example, the request for exclusion of data whose maintenance is the free exercise of rights by BRAVO GRC), provided that, in case of the impossibility to meet such requirements, the reasonable justifications shall be presented to the data subject.

9. SECURITY

Any personal datum (a) in possession of BRAVO GRC shall be stored according to the strictest safety standards adopted by the market, which includes the adoption of measures such as:

• Protection against unauthorized access;
• Restricted access to the site in which personal information is stored;
• Adoption of procedures with employees, service providers, and suppliers that conduct the processing of personal data as to commit to keeping the absolute confidentiality of information, adopting the best practices for the handling of these data, as provided by the corporate policies and procedures.

In addition to technical efforts, BRAVO GRC also adopts institutional measures, aiming at protecting personal data, so it keeps a governance and privacy program that applies to its activities and governance structure and is constantly updated.

In any way, in the remote case of such an event, BRAVO GRC ensures full effort to remediate the consequences of the event, always ensuring due transparency to the data subject.

10. LINKS TO OTHER WEBSITES

BRAVO GRC may make links to other websites deemed relevant and corporate agreements available, or due to regulatory, judicial, or administrative imposition. It is worth mentioning that BRAVO GRC does not assume responsibility for the privacy policy adopted by these websites. Third parties have their own policy for the collection, use, sharing, and any type of processing of data related to the services of such third parties and they shall be responsible for the due maintenance of data. BRAVO GRC recommends reading the policies of these third parties.

11. COOKIES

Cookies are files that can be stored in the user’s device, containing small parts of data that are shared when a device accesses or uses BRAVO GRC’s online services.

Information collected, usually, the name of the website that originated it, its lifetime, and an amount created randomly, is interpreted and executed by BRAVO GRC’s websites or applications, which enables the recognition of the user and the future identification of their interests and needs.

TYPES OF COOKIES	WHAT DO THEY DO?
REQUIRED	Cookies that are essential for the website or application accessed to work correctly. This type of cookie does not store identifiable personal information and is usually configured in response to a request for services by the user, such as defining their privacy preferences, beginning a session, or filling out forms. This type of cookie cannot be deactivated in BRAVO GRC’s websites and applications, and the user may set their browser to block them. Nonetheless, it is worth mentioning that this action will impact some website and application features.
PERFORMANCE	Cookies that enable accounting for accesses and traffic sources, aiming at measuring and improving the performance of our websites and applications. All information collected by this type of cookie is anonymous. The user may prohibit the execution of such cookies, but BRAVO GRC will be unable to understand how the user interacts with the websites and applications, without provision of information on the areas accessed, access time, and any problems found, such as error messages, for example.
FUNCTIONALITY	Cookies that enable the website or application to memorize the user’s choices, providing a customized experience. They may be established by BRAVO GRC or by suppliers whose services we added to our websites and applications. The user may prohibit the execution of these cookies, but some of these features, or even all of them, may not work as designed.
ADVERTISING	Cookies that may be established in BRAVO GRC’s websites and applications through our marketing partners. They will be used by these partners to build a profile and show content that is more relevant to the user’s interest, as well as measure the efficacy of the advertising campaigns. They do not store personal information, but they are based on the exclusive identification of your browser and the device used to access. The user may prohibit the execution of these cookies, but they will receive less targeted advertising.
SOCIAL MEDIA	Cookies that are established by third parties and added to the BRAVO GRC’s websites and applications for monitoring social media users that access our pages and enable you to share our content with your list of friends and acquaintances. They are also capable to track your browsing through other websites and create a profile about your interests. That may affect the content and the messages that you see on other websites that you access. If you do not allow cookies, maybe you cannot use or see these sharing tools.

The user may revoke their authorization as to the use of cookies at any time, accessing, in order to do so, the settings of the browser of your preference. However, we emphasize that, according to the settings executed, certain features of our services may not work in the ideal way, as well as information security aspects.

12. EMAIL MARKETING

When registering for receiving BRAVO GRC’s email marketing, the user states that they agree that BRAVO GRC makes a customized compilation of news and offers, as well as evaluates the use standards of the platforms for a customized notice that meets the needs and interests of the user.

In case the user wants to interrupt the receipt of this type of notice, they may cancel the registration at any time. In order to do so, the user may click on the opt-out link on the website itself and/or in the emails received to be directed to the process of cancellation or use one of the means of communication mentioned in this Privacy Policy.

13. APPLICABLE LAW AND GENERAL PROVISIONS

This document was prepared based on the applicable regulations on information security, privacy, and data protection, including (whenever applicable) the Constitution of the Federative Republic of Brazil, the Brazilian Consumer Protection Code, the Brazilian Civil Code, the Brazilian Civil Rights Framework for the Internet (Federal Law No. 12,965/2014), its regulatory decree (Decree No. 8,771/2016), the General Data Protection Law (Federal Law No. 13,709/2018), and other sectoral or general rules on the topic.

This policy is bound to the Terms of Use, available at the privacy portal or privacy notice, and shall be construed pursuant to the Brazilian laws and regulations, in the Portuguese language, and the parties elect the Central Court of the Judicial District of São Paulo to settle any litigations, issues, or subsequent questions, to the express exclusion of any other court, however privileged it may be.

In case any provision in this Privacy Policy is deemed illegal or illegitimate by a public authority, the other conditions shall remain in full force and effect.

The user acknowledges that any communication by email (to the addresses informed by them), text message, instant communication applications, or any other digital and online means is also valid as documentary evidence, and is efficient and sufficient to disclose any topic related to the services provided by BRAVO GRC, as well as the conditions of their provision, except for as expressly provided for otherwise in this Privacy Policy.

14. CONTACT US

In case the data subject wants to clarify any other questions, we gently ask you to contact us through the relationship channels available at the privacy portal or the privacy notice or, if you prefer, directly with the personal data processing supervisor – Data Protection Officer (DPO), through email dpo@bravogrc.com.

15. UPDATES OF THIS POLICY

BRAVO GRC’s Privacy Policy, available in the channels referred to in the privacy portal or the privacy notice, is the lastest version of the document. BRAVO GRC may, however, at any time and at its sole discretion, update the Policy, aiming at improving security, enhancing our services, or for the performance of legal, regulatory, or administrative obligations.

BRAVO GRC encourages the data subject to review this Privacy Policy from time to time to keep themselves updated about how their data is being processed.

If the user does not accept and does not agree with this Privacy Policy, including any amendments, they shall not access or use BRAVO GRC’s platforms, services, and products.