TORTORO, MADUREIRA E RAGAZZI ADVOGADOS 

Law No. 13,709/2018, the Brazilian General Data Protection Law (“LGPD”), has as one of its central pillars the implementation of Information Security measures that can bring a culture of greater awareness in the area to public and private entities. The LGPD considers that failing to prevent, or failing to adopt the necessary and possible measures and practices to protect your data and the data of all those affected by any unauthorized access, is more serious than suffering an attack or experiencing a data leak.

Compliance with the rules of the General Data Protection Law is not limited to the use of technological measures and security standards. It also includes the need to prepare, maintain and review documents that, in addition to ensuring compliance with the aforementioned Law, can bring greater organization and optimization to internal processes, as well as protect the reputation of the Firm, its Partners, Lawyers, Trainees, Collaborators, Suppliers, Clients and Third Parties.

In the Technological Age, with the popularization of personal computers and the ease of access to the Internet, the dependence on digital processes for the maintenance of business models or compliance with legal obligations is increasingly observed. 

The convenience, cost reduction, and time savings that come with the computerization of processes bring with them security risks that should not be overlooked.  With enough time and resources, any system can be compromised.  

That’s why this Firm has issued this privacy notice, which is intended to: 

Give a brief presentation of the main concepts, principles, rights and duties of data subjects and processing agents; 

Enable the data subject to understand the indicators of the firm’s compliance with the legal requirements introduced by the LGPD;

Indicate what processing activities the firm performs, their purposes, and data retention times;

Inform the contact details of the Data Protection Officer (DPO) and communication channels through which the data subject can contact the office to seek information about his/her rights. 

Definitions 

TERMS AND DEFINITIONS 

  • Processing agents: corresponds to the controller and processor together.  
  • Anonymization: the use of reasonable and available technical means by which data loses the possibility of association, directly or indirectly, with an individual;
  • Attack: Vulnerability exploitation event. It occurs when an attacker tries to perform malicious actions, such as breaking into a system, accessing sensitive information, or making a service inaccessible; 
  • Brazilian Data Protection Authority – “ANPD”: the national public administration body responsible for supervising and ensuring compliance with the General Data Protection Law throughout the country; 
  • Controller: a natural or legal person, governed by public or private law, who is responsible for making decisions regarding the processing of personal data; 
  • Personal data: any information relating to an individual that can be used to identify him/her, directly or indirectly, or to contact him/her, either on its own or when combined with other information; 
  • Sensitive Personal Data: personal data that relates to racial or ethnic origin, religious belief, sexual practice, or orientation, medical or health information such as medical history and physical or electronic medical records, genetic or biometric information, political or philosophical beliefs, political or union membership, social security number, health insurance card number, and banking information. 
  • Data Protection Officer (“DPO”): a natural person designated by the controller, responsible for ensuring compliance with applicable local legislation and acting as a channel of communication between the controller, the data subjects, and the Brazilian Data Protection Authority (“ANPD”); 
  • Incident: any act, suspicion, threat, or circumstance that compromises the confidentiality, integrity, or availability of information that is in the Firm’s possession or that it may have access to; 
  • IP: Internet Protocol, a number used to identify an information technology device on a network or on the Internet;
  • LGPD: acronym used to identify the Brazilian General Data Protection Law, Law No. 13,709/2018, which regulates Data Processing activities in Brazil. 
  • Log: the process of recording relevant events in a computer system; 
  • Processor: a natural or legal person, under public or private law, who performs data processing on behalf of the controller. The processor will always be a separate person from the controller; 
  • Systems: hardware, software, data networks, media storage and other systems used, acquired, developed, accessed, controlled, assigned, or operated by JUCEMG to support the execution of its activities. 
  • Processing: Any operation or set of operations which is performed upon data, whether or not by automated means, including, but not limited to, the collection, recording, organization, structuring, alteration, use, disclosure, copying, transfer, storage, deletion, combination, restriction, adaptation, retrieval, consultation, destruction, or anonymization;  
  • Data Leak: any breach of confidentiality or dissemination of data that may result, criminally or otherwise, in the loss, alteration, sharing, access, transmission, storage, or unauthorized processing of data; 
  • Violation of privacy: any violation of applicable law or conduct and event that results in the accidental or unlawful destruction of the data, as well as its loss, theft, alteration, unauthorized disclosure or access, damage, or misuse in its processing. 
  • Virus: a program or part of a computer program, usually malicious, that spreads by inserting copies of itself and becoming part of other programs and files. 

Legal Basis 

Legal bases are the legal grounds for processing personal data. All processing of Personal Data performed by the firm is based on one or more of the 10 legal bases defined in the LGPD, namely: 

Consent 

Compliance with Legal or Regulatory Obligation 

Public Policy Execution 

Studies by research organizations 

Contract Execution 

Regular exercise of right 

Protection of life or physical safety 

Health Protection 

Legitimate Interest 

Credit protection 

Your Personal Data 

Tortoro, Madureira e Ragazzi Law Firm, whether acting as controller or processor, respects and is committed to protecting the privacy of your personal data, observing the applicable laws and following the best market practices in its protection.

In order to provide greater transparency in our relationship with clients, collaborators, suppliers, business partners, visitors to our website, and other data subjects, we present in a clear and detailed manner, all information necessary for a proper understanding of the processing of your personal data by the firm.  

We will clarify: 

What personal data we process; 

How we collect your personal data; 

What we process your personal data for; 

What are the legal bases applicable to each processing activity; 

How long we store your personal data; 

Where we store your personal data; 

How we protect your personal data; 

With whom we share your personal data. 

It is very important that you read this Notice carefully so that you can be aware of the processing of your personal data, know your rights as a data subject, and know how you can exercise them. If you have any questions, feel free to contact us so that we can clear them up. 

What personal data do we process? 

The processing of your personal data (and, depending on the context, sensitive personal data) takes place from the moment our firm gains access to it. Such processing will only occur in full compliance with the legal requirements presented here. 

The personal data, or sensitive personal data, that we process or may process depends on the nature of your relationship with the firm (client, collaborator, supplier, business partner, visitor to our website, prospective collaborator, etc.). We will only process personal data that is strictly necessary and appropriate to fulfill the purpose of the processing. 

If you are our client: 

Personal data that allows us to prove your identity and qualification, including, but not limited to: full name, date of birth, gender, marital status, nationality, place of birth, parentage, public identity documents (ID Card, Individual Taxpayer Register – CPF, Driver’s License, Brazilian Bar Association – OAB, Regional Council of Medicine – CRM, Regional Council of Engineering and Agronomy – CREA, passport and/or other similar documents), voter’s registration card, profession, identification document from the country of origin such as a passport (if foreign), photo, identification of legal dependents, spouse, among others depending on the purpose of the processing;

Personal data for contact including, but not limited to, complete residential and/or tax address, personal/professional e-mail, telephones (landline, cellular and for messages), among others, depending on the purpose of the processing;

Professional data including, but not limited to, the name of the company where you work and have worked, position/function, remuneration, benefits, address, business contact, working time, professional documents such as CTPS (social-security card), NIS (Social Identification Number), NIT (Worker Identification Number), PIS/PASEP (Social Integration Program / Civil Service Asset Formation Program) etc; 

Financial data including, but not limited to, banking, investment, tax and income data; 

Personal data contained in documents necessary for the firm to provide legal services, such as expert advice or representation in legal and administrative proceedings, including sensitive personal data such as, but not limited to, membership in unions and political parties, race or ethnic origin, physical characteristics, present or past health data, biometric data; 

Any other data, of any nature, provided by you, necessary and appropriate for the purpose of the processing activities conducted in the course of providing our professional services; 

Images captured by an internal video monitoring system (CCTV) if you access our facilities;

If you are our collaborator: 

Personal data required for registration in the firm and the competent legal bodies including, but not limited to, full name, date of birth, gender, marital status, full address, parents’ names, public identity documents (ID Card, CPF, CNH, OAB, CRM, CREA, passport and/or other similar documents), voter’s registration card, military service status certificate, professional documents such as CTPS, NIS, NIT, PIS/PASEP, photo, identification of legal dependents and spouse; 

Data related to your professional and academic life, including, but not limited to, proof of education, memberships in councils (OAB, CRM, CREA etc.), academic background, previous work experiences, name of companies you have worked for, position/function, time worked, references; 

Personal contact information including, but not limited to, full residential and/or tax address, personal e-mail, telephone numbers (landline, mobile, and for messages); 

Sensitive personal data including, but not limited to, health data, including current or historical medical certificates, licenses, reports, and medical examinations of yourself or dependents/spouses, biometric data, and union membership; 

Bank details; 

Data for biometric identification such as fingerprint and photo; 

Images captured by an internal video monitoring system (CCTV);

If you are our supplier or business partner: 

Personal data that allow us to prove your identity and qualification, including, but not limited to full name, public identity documents (RG, CPF, CNH, OAB, CRM, CREA, passport and/or other similar documents), identification document from the country of origin such as passport (if foreign); 

Personal contact information including, but not limited to, full residential and/or tax address, personal/professional e-mail, and telephone numbers (landline, mobile, and voicemail); 

Personal data contained in the qualifications of the partners in the Articles of Organization and proxies in any power of attorney; 

Data for biometric identification, such as fingerprint and photo, if you provide services in our facilities; 

Bank details; 

Images captured by an internal video monitoring system (CCTV), if you access or provide services in our facilities; 

If you are a visitor of our website: 

Browsing data, including, but not limited to, date/time of access, pages of our website visited and dwell time, and files downloaded; 

Connection data, including but not limited to IP address, provider data, and geolocation data of the access, information of the browser used, information about device and operating system used for access; 

Identification and contact data through the form in the “Contact” area of our website: name, contact e-mail, as well as any personal data that you may voluntarily include in the subject field and/or in the content of the message you send us; 

Identification and registration data to receive newsletters, articles, publications and client alerts: contact name and e-mail;

Personal data for recruitment and selection purposes (such as the data on your personal resume) received by e-mail that you voluntarily submit to us when you access the “Work with Us” section; 

How we process your personal data 

The way the Firm processes or may process personal data depends on the nature of your relationship with the firm (client, collaborator, supplier, business partner, visitor to our website, prospective collaborator, etc.). Thus, personal data may be collected for processing directly from the data subject, by third parties authorized by the data subject, third party data controllers (e.g., from the company where you work or have worked, regulatory authorities, suppliers, and other business partners), or from public sources. 

If you are our client: 

In the course of providing the services contracted with the firm, copies of personal documents may be necessary, and contractual instruments and registration forms may require the inclusion of your personal data in internal and/or third-party systems, such as those of courts of law, offices of notary publics, public administration agencies, financial institutions and those involved in negotiations promoted/intermediated by the firm.

During the voluntary completion of registration forms on our website to receive communications sent by the firm, such as alerts, news, and contacts by email; 

During contacts made by the firm to update your personal data registered in our databases, in order to ensure its quality and accuracy; 

During visits to our facilities, when filling out a visitor identification form and through the capture of images by our internal camera monitoring system (CCTV);

If you are our collaborator: 

In the course of our recruitment and selection processes, by filling out forms to register and apply for one of our vacancies or by receiving resumes for analysis; 

In the course of the admission process, by receiving personal and professional documents necessary for your registration as a collaborator (employee, trainee, partner, consultant, etc.), the filling out of personal collaborator records with third-party service providers (for example, providers of transportation allowance, meal tickets, health plan, accounting service providers, banks, etc.), the entering of data, including sensitive personal data, into access systems of the firm premises, etc; 

During access to our facilities, through the use of personal identification cards or biometric controls; 

During your stay in our facilities, your images can be captured by our internal camera monitoring system (CCTV).

If you are our supplier or business partner: 

In the course of service contracting processes, by submitting bids, company articles of organization, and filling out supplier forms; 

During visits to our facilities, by capturing images from our internal camera monitoring system; 

During visits to our facilities, when filling out a visitor identification form and through the capture of images by our internal camera monitoring system (CCTV);

If you are a visitor of our website: 

During access to our website, through the use of cookies, as described in the “Cookies” section of this Policy, by filling out various forms including, but not limited to, registration to receive communications sent by the firm, such as newsletters, alerts, news and email contacts, forms to send resumes to apply for vacancies and forms to request information and contact; 

What we process your personal data for / What legal bases apply to each processing activity / How long we store your personal data 

The Firm only processes personal data that is necessary and appropriate for a clear and specific purpose, with a legal basis that justifies and permits the processing, and for an appropriate time. The purpose and legal basis of processing, as well as the length of time personal data is retained, depend on the nature of your relationship with the firm (client, collaborator, supplier, business partner, visitor to our website, prospective collaborator, etc.).

If you are our client: 

Purpose (what we process them for):  

Your personal data are processed: 

So that we can perform the contracted services with the firm; 

To respond to your requests; 

To make contact and send communications of various kinds;

To perform billing and collections for services rendered; 

To meet specific legal obligations to which the Firm is subject by virtue of its general activity or on the specific occasion of a particular contracted service; 

Legal basis applied: 

Contract execution; 

Compliance with a legal or regulatory obligation; 

For the regular exercise of rights in judicial, administrative or arbitration proceedings; 

Legitimate interest; 

Retention time: 

Your data will be deleted 5 years after the end of the contractual relationship; 

As for the images captured by the internal video monitoring system (CCTV), the retention period will be 60 days after the recording.

If you are our collaborator: 

Purpose (what we process them for):  

Your personal data are processed: 

In order for us to fulfill legal and/or regulatory obligations related to the professional relationship you have with the firm; 

For the purpose of evaluating and selecting candidates for job positions; 

For the purpose of maintaining a temporary bank of professional resumes; 

To make salary payments, grant entitlements and benefits, fulfill tax obligations; 

For the purposes of recording access and working time (clock in/out), when applicable; 

For the purpose of contact and communications with you; 

For the purpose of legally exercising your rights and defending yourself in possible legal claims. 

Legal basis applied: 

Contract execution; 

Compliance with a legal or regulatory obligation; 

Legitimate interest (*) 

Retention time: 

Your data will be deleted 7 years after the end of the contractual relationship; 

Regarding job applicants, resumes will be eliminated six (6) months after collection/receipt; 

As for the images captured by the internal video monitoring system (CCTV), the retention period will be 60 days after the recording.

If you are our supplier or business partner: 

Purpose (what we process them for):  

Your personal data are processed: 

So that we can comply with legal and/or regulatory obligations; 

For contract execution; 

For payment transactions; 

For authorization to enter our facilities; 

To perform any activities that are inherent to the commercial relationship established with the firm. 

Legal basis applied: 

Contract execution; 

Compliance with legal or regulatory obligation 

Legitimate interest (*) 

Retention time: 

Your data will be deleted 5 years after the end of the contractual relationship; 

As for the images captured by the internal video monitoring system (CCTV), the retention period will be 60 days after the recording.

If you are a visitor to our facilities: 

Purpose (what we process them for):  

Your personal data are processed: 

For entrance authorization to our facilities and access control; 

For personal and physical security in our facilities;

Legal basis applied: 

Legitimate interest (*) 

Retention time: 

As for the identification information for access to our environment, the information is kept for 60 days after your visit; 

As for the images captured by the internal video monitoring system (CCTV), the retention period will be 60 days after the recording.

If you are a visitor of our website: 

Purpose (what we process them for):  

Your personal data are processed: 

For the purpose of communicating with you, at your request; 

For the purpose of receiving your application for possible professional opportunities, at your discretion; 

To identify the visitor’s areas of interest and to be able to supply them with information of possible interest (e.g. Newsletters, Client Alerts and other communications that are available on our website); 

So we can constantly improve our website in terms of content, responsiveness, presentation, etc.

Legal basis applied: 

Consent; 

Legitimate interest (*). 

Retention time: 

Your data related to professional opportunities (including the resumes you may send us) will be deleted 6 (six) months after collection/receipt;

Your data related to contact requests will be kept indefinitely or until you ask us to delete it. 

(*) The legal basis of Legitimate Interest applies to the capture of images made in our premises, which meets the need for access control and security of clients, collaborators, and business partners. 

Where do we store your personal data? 

The Firm stores or may store your personal data in appropriate physical and/or digital storage solutions, of its own or contracted with third parties, structured and maintained in our physical facilities or in the facilities of third parties, in Brazil or, if indispensable or if it offers a higher level of security to your data, in another country, provided that such country has appropriate regulations that provide a degree of protection of personal data adequate to the provisions of the Brazilian General Data Protection Law (LGPD). 

Your personal data will be stored securely and will only be accessible to persons duly authorized and related to the defined purpose(s) of processing and substantiated by a legal basis.  

The Firm will use reasonable efforts to ensure that only personal data essential to the processing is stored, that it is kept as current as possible, only as long as necessary or required by law, and that it is deleted from storage (disposed of) appropriately. 

The locations, systems, and services where your personal data is or may be stored may change over time because of new technologies, security best practices, and operational needs. Currently, we use: 

Own file servers located on the firm premises; 

External Electronic Document Management System, hosted in the vendor’s cloud; 

Microsoft’s cloud-based corporate email service; 

Microsoft’s enterprise cloud storage service; 

Corporate ERP system hosted on the vendor’s infrastructure; 

Encrypted backup storage media, kept on the firm premises and/or with third-party custodial service specialists; 

Physical files kept on the firm premises in appropriate areas. 

How do we protect your personal data? 

The Firm recognizes the importance of protecting the privacy of your personal data and is committed to providing the highest levels of security possible. To this end, we implement, by our own means or through third-party contractors, controls, technical and administrative measures guided by the best information security practices to preserve the integrity, confidentiality, and availability of the information throughout the processing, and to protect personal data from unauthorized access and accidental or illicit destruction, loss, alteration, communication or diffusion. 

In the event of a proven occurrence of a data privacy incident involving your personal data, we undertake to notify you promptly in accordance with the terms described in the Brazilian General Data Protection Law, and to implement appropriate identification, containment, eradication, remediation, and recovery measures, as well as to promote and cooperate with any investigative efforts in accordance with our Information Security and Data Privacy Incident Response Plan. 

If you would like to learn more about our protection measures, simply send an e-mail with your request to pmoraes@tortoromr.com.br

With whom do we share your personal data? 

The Firm may share personal data with third parties to fulfill the specific purposes of the processing, with full transparency and supported by a legal basis as defined in the Brazilian General Data Protection Law. Sharing will depend on the processing activity arising from your relationship with the firm. Our partners are chosen based on criteria of capability, service quality, legal compliance, and operational transparency, with preference given to those with national recognition. 

In this regard, we may share your personal data in part or in whole with: 

Third parties, when necessary to carry out client instructions and professional services contracted with the firm; 

Third-party consultants in specific areas, acting under the Firm’s responsibility or not, in order to obtain the professional opinion needed to conduct the contracted services; 

Third parties to whom the data should be presented as part of the professional services provided by the firm; 

Competent legal bodies officially requesting access to personal data or to which we have to submit them by virtue of our professional activity and/or legal or regulatory obligation; 

The firm’s outsourced service providers (e.g. companies that handle our corporate accounting and billing, the banking and financial benefits and services offered to collaborators, communication with clients, suppliers and business partners, external auditing, the hiring of collaborators, etc.); 

Various third parties, to enable access to our facilities; 

Providers of information technology solutions that provide service to the firm (e.g., cloud storage, corporate email service; case management system, etc.); 

Third-party digital marketing monitoring service providers, to collect access, behavior and navigation data on our website and organize this information into various reports (Google Analytics). 

International Data Transfer 

The Firm uses specific cloud service providers to handle its data more efficiently and securely. Some of these providers can offer their services from structures located outside the national territory, either as a form of core service offering or as a contingency solution to guarantee the continuity of the contracted services. In such cases, we always check and only work with third parties whose services take place in countries with appropriate regulations that provide a degree of protection of personal data adequate to the provisions of the Brazilian General Data Protection Law (LGPD). 

Cookies 

Cookies are small text files created and maintained on a user’s device from the moment he or she visits a website. They contain, among other things, data about your access to the site, in order to improve your browsing experience. Depending on their duration, they can be either session cookies, when they last only while you are accessing the site and disappear as soon as you close your browser, or persistent cookies, when they remain on your device for a specific amount of time, even after you close your browser or reboot your device. A cookie can be either our own (primary), when generated and maintained exclusively by our domain, or third-party, when owned and managed by other companies, our partners or service providers. 

Our website makes use of cookies related to the activities carried out by visitors, to better understand their behavior and to be able to improve their experience, as well as to enable internal statistical analysis. Session and/or persistent, own (primary) and third-party cookies are used, among other purposes, to identify the user, remember their preferences, record their activity on our website (such as most visited pages, most accessed and/or downloaded files, main searches in our content, access location, etc.), improve our services and generate statistical data that can be used in our marketing services. 

You can set and change your preferences regarding the use of cookies through your browser settings. Most browsers automatically accept cookies. So, if you don’t want cookies to be used, you may have to actively delete or block cookies. If you reject the use of cookies, you can visit our website, but some of the functions may not work properly. 

You can also visit www.allaboutcookies.org for more details on how to delete or reject cookies and for additional information about cookies in general. 

By using our website, you agree to the terms set out here on our use of cookies. 

Rights of the Data Subject and how to exercise them 

The LGPD guarantees the Data Subject (you!) rights arising from the processing of your personal data, in order to enable its verification, correction, blocking and eventual cancellation. They are:

Confirmation of the existence of processing; 

Data Access; 

Correction of incomplete, inaccurate, or outdated data; 

Anonymization, blocking or elimination of data that is unnecessary, excessive or processed in violation of the provisions of this Law; 

Data portability to another service or product provider, upon express request, in accordance with the regulations of the national authority and subject to commercial and industrial secrets;

Deletion of personal data processed with the consent of the holder, except in the cases foreseen in art. 16 of the Law; 

Revocation of consent, pursuant to § 5 of art. 8 of the Law; 

Information about public and private entities with which the controller has shared data;

Opposition to processing; 

Information on the possibility of not providing consent and on the consequences of refusal; 

Right to petition to the ANPD (Brazilian Data Protection Authority); 

Automated decision review. 

How to exercise your rights? 

Should you wish to exercise any of your rights as a Data Subject, please contact our Data Protection Officer:  

Name: Suzana Maria Pimenta Catta Preta Federighi 

E-mail: scattapreta@tortoromr.com.br 

Address: Alameda Santos, 787, 7th floor 

Jardim Paulistano, São Paulo/SP 

Zip code: 01419-001 

Tel.: +55 (11) 3018-4848