Compliance with the General Data Protection Law (LGPD) and with the National Data Protection Authority (ANPD).

LAW No. 13,709, OF AUGUST 14, 2018
General Personal Data Protection Act (LGPD). LAW No. 13,853, OF JULY 8, 2019

Amends Law No. 13,709, of August 14, 2018, to provide for the protection of personal data and to create a National Data Protection Authority; and takes other measures.

​​

1⦁  PURPOSE

The LGBANK Personal Data Protection Privacy Policy is the license to our Personal Data Protection and Privacy Governance Program.

​

This Policy is to establish a business culture that observes national and international standards for the protection of personal data, identifying as main premises to be observed that allow LGBANK to handle personal data properly. BANK is committed to the high standards of business and to all LG principles and fundamental freedoms according to its ethics, data, rules, business rules, to follow the terms of LG rights holders No. 13.709, General Data Protection Law (“LGPD”) and Law No. 13.853/19, which creates the National Data Protection (“ANPD”) that provides for the protection of personal data, changing in part to ( “LGPD”).

​

2⦁ SCOPE

This Policy applies to all employees and third parties who somehow process personal data, or on behalf of LGBANK, regardless of direct link with the company, or the nature of the treatment. Understand LG Collaborator's employees, regardless of the charge by our Company 'services', while all service providers, workers, partners, suppliers and company representatives.

​

This national policy is defined as valid for the treatment of the unit responsible for the territory, inside or outside the territory. 'Data processing' is understood to mean any operation carried out with personal data, as it refers to the production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, management, evaluation or control of information, transmission, communication, transfer, transmission or sending. In turn, 'Owner' is the natural person to whom the personal data being processed is referred to.

In such cases, we apply without the highest standard protection in relation to the data relationship, either throughout this policy or established by applicable law.

Variations arising from local laws and/or industry regulations will be made annexed to this Policy, and should be interpreted in conjunction with this Policy.

​

3. DEFINITIONS

​

3.1 Personal Data
Information to an identified or identifiable natural person.

​

 

3.2 Sensitive Personal Data
Given racial origin or, when affiliated with, or religious organization, personal opinion of racial origin or, affiliated with religious life, or given political person regarding religious health, or a person genetics or religious biofunctionality.

3.3 Anonymized Data
Data relating to the data subject that cannot be identified, considering the use of practical means available at the time of its treatment.

3.4 Controller
Natural or legal person, of public or private law, who are responsible for decisions regarding the processing of personal data.

3.5 Operator
Natural or legal person, governed by public or private law, who processes personal data on behalf of the controller.

3.6 DPO “Data Protection Officer”
Person appointed by the controller and operator to act as a communication channel between the controller, data subjects and the National Data Protection Authority (ANPD).

3.7 International Data Transfer
Transfer of personal data to a foreign country or international organization of which the country is a member.

​

3.8 National Data Protection Authority (“ANPD”)
Public administration body responsible for overseeing, implementing and monitoring this Law throughout the national territory.

3.9 Privacy by design
Consider the privacy implications of data processing from the beginning of its creation;

 

4. GENERAL RULES

Processing personal data is, and this treatment can generate risks for LGBANK. Therefore, we must respect all policies and procedures in an appropriate manner. They want questions about how to interpret the area and should be taken to the knowledge policy manager, including the DPO “Data Protection Officer”.

​

4.1 Principles
All activity on LGBANK must observe good faith in data processing, and the following principles:
⦁   Have a specific, declared and declared purpose to the holder;
⦁   Adapt the processing of data carried out for purposes registered to the holder;
⦁   Retain personal data only for as long as necessary;
⦁   Collect data only to meet the purposes of treatment, restricting ourselves to minimal and proportional information;
⦁   Allow data subjects to access their data free of charge and easily;
⦁   Ensuring clarity, updating and updating of processed data
⦁   Provide clear and accurate information to data subjects on aspects of the processing of their personal data, through easy access;

⦁   Protect treated individuals with measures capable of maintaining data confidentiality, availability and confidentiality of processed data from accidental interference or willful misconduct;
⦁   Prevent owner damage that can be portrayed by the processing of their personal data;
⦁   Make sure that the treatments carried out do not result in reports, illicit, or abusive discrimination, revisiting as treatment operations always necessary to assess whether there is a possibility of discrimination;
⦁   Be responsible for the correct application of these principles in all treatment activities that you carry out;
⦁   Adopt measures to demonstrate compliance with data protection rules throughout LGBANK, allowing accountability for the processing of personal data.

4.2 Registration of Personal Data Processing Activities
LGBANK is legally obliged to map its personal data processing activities, and to keep this Personal Data Processing Activities Register updated, which can be done using the Flow for Updating the Personal Data Processing Activities Register as a guideline. All those who process personal data must contribute to the update of this upload of personal data by informing suspected new processing activities, and the registration of old processing activities to the DPO “Data Protection Officer” (Person in Charge). The DPO “Data Protection Officer” is responsible for ensuring the complete and periodic updating of this record.

 

4.3 Processing of Personal Data
The entire LGBAN Privacy and Protection Governance process must be addressed in the LGBAN Privacy and Protection Governance Program. Thus, LGBANK must implement privacy guarantees as long as LGBANK's data is protected, both internal and external to LG. Privacy describes data collection data, and how it must be known prior to data collection.

​

In addition, any treatment must consider privacy issues from the beginning of the project. Adopting a privacy by Design practice is essential so that the processing activities of other data protection activities that may be applied are used. In certain cases, the area responsible for the activity must carry out a Data Protection Impact Report (“RIPD”), documentation that contains a description of the personal data processing processes that may generate risks to civil liberties and fundamental rights, as well as such as measures, safeguards and risk mitigation mechanisms to demonstrate that the activity is appropriate and does not offer data subjects rights.

​

Data naturally has a greater potential for harm to holders. Therefore, there are more elaborate hypotheses to be used. In certain cases, it may be necessary to request the consent of the holders for the activity, in accordance with the Policy on Collection, Use and Management of Consent. When the identity of the subject no longer matters, but the information is still useful for studies, we must anonymize his data, to protect him and ourselves. Throughout the data lifecycle, we must protect the means they are protected by technical, organizational and organizational

​

4.4 Data Sharing

It is our guarantee that the data that must be verified to the LGPD Equally, it is our responsibility that we receive the personal data that we collect and that we collect in accordance with the LGPD. In Personal Sharing, we must be diligent when choosing partners, data such as information sent to the minimum necessary to carry out the activity. For this, we employ clauses against privacy and protection of personal data and with the support of LGBANK. In cases where the destination data crosses national data, additional care may need to be taken, according to the country of certain information.

​

4.5 Personal Data Incidents
If a data incident is suspected, call the DPO "Data Protection Officer" immediately to have this incident occur and take steps to initiate the company's response plan. Our Incident Response Plan includes details on how to make this notification and other information in the event of an incident at LGBANK Every employee will be notified of the occurrence of eventual Security incidents by the DPO “Data Protection Officer” (Person in Charge) and in the middle of the email: contact@lgbank.io

​

4.6 Generation of Evidence and Governance Structure

Every compliance program must generate evidence. In the event that a data subject, or the ANPD, question the implementation of the Privacy and Personal Data Protection Governance Program, we must be able to produce documents that attest to the existence of our program. Our program is composed of policies and procedures that should guide the use of personal data in LGBANK, with the main documents listed below: