Governance and GDPR Compliance
Compliance with the General Data Protection Law (LGPD) and with the National Data Protection Authority (ANPD).
LAW No. 13,709, OF AUGUST 14, 2018
General Personal Data Protection Act (LGPD).
LAW No. 13,853, OF JULY 8, 2019
Amends Law No. 13,709, of August 14, 2018, to provide for the protection of personal data and to create a National Data Protection Authority; and takes other measures.
The purpose of this Policy is to establish a business culture that observes national and international standards for the protection of personal data, identifying the main premises to be observed so that LGBANK handles personal data properly. LGBANK is committed to the high standards of business and to all LG principles and fundamental freedoms according to its ethics, data, rules, business rules, to follow the terms of LG rights holders No. 13.709, General Data Protection Law (“LGPD”) and Law No. 13.853/19, which creates the National Data Protection Authority (“ANPD”) that provides for the protection of personal data, amending the “LGPD” in part.
This Policy applies to all employees and third parties who somehow process personal data, or on behalf of LGBANK, regardless of direct link with the company, or the nature of the treatment. Understand LG Collaborator's employees, regardless of the charge by our Company 'services', while all service providers, workers, partners, suppliers and company representatives.
This national policy is defined as valid for the treatment of the unit responsible for the territory, inside or outside the territory. 'Data processing' is understood to mean any operation carried out with personal data, as it refers to the production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, management, evaluation or control of information, transmission, communication, transfer, transmission or sending. In turn, 'Owner' is the natural person to whom the personal data being processed is referred to.
In such cases, we apply without the highest standard protection in relation to the data relationship, either throughout this policy or established by applicable law.
Variations arising from local laws and/or industry regulations will be annexed to this Policy, and should be interpreted in conjunction with this Policy.
3.1 Personal Data
Information relating to an identified or identifiable natural person.
3.2 Sensitive Personal Data
Given racial origin or, when affiliated with, or religious organization, personal opinion of racial origin or, affiliated with religious life, or given political person regarding religious health, or a person genetics or religious biofunctionality.
3.3 Anonymized Data
Data relating to a data subject who cannot be identified, considering the use of practical means available at the time of its treatment.
3.4 Controller
Natural or legal person, of public or private law, who is responsible for decisions regarding the processing of personal data.
3.5 Operator
Natural or legal person, governed by public or private law, who processes personal data on behalf of the controller.
3.6 DPO “Data Protection Officer”
Person appointed by the controller and operator to act as a communication channel between the controller, data subjects and the National Data Protection Authority (ANPD).
3.7 International Data Transfer
Transfer of personal data to a foreign country or international organization of which the country is a member.
3.8 National Data Protection Authority (“ANPD”)
Public administration body responsible for overseeing, implementing and monitoring this Law throughout the national territory.
3.9 Privacy by design
Consider the privacy implications of data processing from the beginning of its creation.
4. GENERAL RULES
Processing personal data is, and this treatment can generate risks for LGBANK. Therefore, we must respect all policies and procedures in an appropriate manner. They want questions about how to interpret the area and should be taken to the knowledge policy manager, including the DPO “Data Protection Officer”.
All activity at LGBANK must observe good faith in data processing, and the following principles:
⦁ Have a specific purpose, declared to the holder;
⦁ Adapt the processing of data carried out for purposes registered to the holder;
⦁ Retain personal data only for as long as necessary;
⦁ Collect data only to meet the purposes of treatment, restricting ourselves to minimal and proportional information;
⦁ Allow data subjects to access their data free of charge and easily;
⦁ Ensure the clarity and updating of processed data;
⦁ Provide clear and accurate information to data subjects on aspects of the processing of their personal data, through easy access;
⦁ Protect treated individuals with measures capable of maintaining the confidentiality and availability of processed data from accidental interference or willful misconduct;
⦁ Prevent owner damage that can be portrayed by the processing of their personal data;
⦁ Make sure that the treatments carried out do not result in reports, illicit, or abusive discrimination, revisiting as treatment operations always necessary to assess whether there is a possibility of discrimination;
⦁ Be responsible for the correct application of these principles in all treatment activities that you carry out;
⦁ Adopt measures to demonstrate compliance with data protection rules throughout LGBANK, allowing accountability for the processing of personal data.
4.2 Registration of Personal Data Processing Activities
LGBANK is legally obliged to map its personal data processing activities, and to keep this Personal Data Processing Activities Register updated, which can be done using the Flow for Updating the Personal Data Processing Activities Register as a guideline. All those who process personal data must contribute to the update of this upload of personal data by informing suspected new processing activities, and the registration of old processing activities to the DPO “Data Protection Officer” (Person in Charge). The DPO “Data Protection Officer” is responsible for ensuring the complete and periodic updating of this record.
4.3 Processing of Personal Data
The entire LGBANK Privacy and Protection Governance process must be addressed in the LGBANK Privacy and Protection Governance Program. Thus, LGBANK must implement privacy guarantees as long as LGBANK's data is protected, both internal and external to LG. Privacy describes data collection data, and how it must be known prior to data collection.
In addition, any treatment must consider privacy issues from the beginning of the project. Adopting a Privacy by Design practice is essential so that the processing activities of other data protection activities that may be applied are used. In certain cases, the area responsible for the activity must carry out a Data Protection Impact Report (“RIPD”), documentation that contains a description of the personal data processing processes that may generate risks to civil liberties and fundamental rights, as well as measures, safeguards and risk mitigation mechanisms to demonstrate that the activity is appropriate and does not offer data subjects rights.
Data naturally has a greater potential for harm to holders. Therefore, there are more elaborate hypotheses to be used. In certain cases, it may be necessary to request the consent of the holders for the activity, in accordance with the Policy on Collection, Use and Management of Consent. When the identity of the subject no longer matters, but the information is still useful for studies, we must anonymize his data, to protect him and ourselves. Throughout the data lifecycle, we must protect the means they are protected by technical, organizational and organizational
4.4 Data Sharing
It is our guarantee that the data that must be verified to the LGPD Equally, it is our responsibility that we receive the personal data that we collect and that we collect in accordance with the LGPD. In Personal Sharing, we must be diligent when choosing partners, data such as information sent to the minimum necessary to carry out the activity. For this, we employ clauses against privacy and protection of personal data and with the support of LGBANK. In cases where the destination data crosses national data, additional care may need to be taken, according to the country of certain information.
4.5 Personal Data Incidents
If a data incident is suspected, call the DPO “Data Protection Officer” immediately to have this incident occur and take steps to initiate the company's response plan. Our Incident Response Plan includes details on how to make this notification and other information in the event of an incident at LGBANK. Every employee will be notified of the occurrence of eventual security incidents by the DPO “Data Protection Officer” (Person in Charge) and by email: email@example.com
4.6 Generation of Evidence and Governance Structure
Every compliance program must generate evidence. In the event that a data subject, or the ANPD, questions the implementation of the Privacy and Personal Data Protection Governance Program, we must be able to produce documents that attest to the existence of our program. Our program is composed of policies and procedures that should guide the use of personal data in LGBANK, with the main documents listed below:
⦁ Corporate Privacy and Personal Data Protection Policy: It structures the LGBANK Privacy and Personal Data Protection Governance Program, providing general guidelines to be observed in all personal data processing.
⦁ Personal Data Handling Policy: Establishes the rules to be observed in the collection, use, and storage of personal data.
⦁ Data Sharing Policy: Establishes the rules for sharing personal data with third parties.
⦁ Data Protection Impact Reporting Procedure: Establishes the rules on when and how to complete a Data Protection Impact Report.
⦁ Personal Data Incident Response Procedure: Establishes procedures to minimize the legal impacts of a personal data breach incident.
⦁ Privacy Committee Rules: It structures the LGBANK Privacy Committee, its decision-making authority and applicable internal rules.
⦁ Contract Terms Bank: It offers multiple models of contractual clauses to be adapted to specific contracting situations, supported by LGBANK's Legal Department.
⦁ Internal Privacy Notice: Indicates LGBANK's treatment operations involving its employees.
⦁ External Privacy Notice: Indicates LGBANK processing operations involving data subjects external to the company.
5. RIGHTS OF HOLDERS
The holders have several rights related to their personal data. It is LGBANK's obligation to allow these holders to exercise their rights free of charge and in a simplified manner.
Among the requests that can be made are: confirmation of the existence of treatment, data, correction of information, restriction of limited data, portability of data to another provider, prior to giving consent, revoking consent, avoiding data processed based on prior consent, information on shares already made, review of decisions.
Confirmation of the processing of personal data and access (simple or complete) to this information must be made within 15 days of the request.
The other rights will be regulated according to the future understanding of the National Data Protection Authority. More information may be topics in the Right of Holders.
6. PERSONS RESPONSIBLE FOR THE PRIVACY PROGRAM
In order for the LGBANK privacy program to be effective and produce the most positive results, it is of great importance that all employees, managers, employees, service providers, among them, observe the provisions contained in this document, taking into account that the acts of any LGBANK employees may be reported to LGBANK as a whole. To facilitate content control, publication data and review deadlines, privacy-related governance documents (including this policy) must be centrally controlled and managed by the Privacy Committee, which has internal rules, and by the DPO (Person in Charge) competing for the management of the Governance Program in Privacy and Protection of Personal Data of LGBANK with the LGPD, including the creation of measurements, compliance with compliance, updating of policies and procedures, and training of employees.
With the support of the policymakers described above, to ensure compliance with the privacy and data protection rules of this person, the following points must be observed at all points, without prejudice to the other points:
⦁ Primary employees are guaranteed the confidentiality and availability of personal data processed in the exercise of their functions;
⦁ The processing of personal data must, specifically, be observed as proposed purposes, not allowing the processing of compatible or extensive information or for new purposes, which there is the express authorization of LGBANK, or which this purpose is previously validated with the holder of the information;
⦁ The employee must commit to using the purposes of promises and the regular exercise of his/her duties;
⦁ Personal data processed without function protection will necessarily be stored by the secure and officially approved LGBANK, non-protected storage data in proper environments, such as notebooks or desktop computers, without using the procedure for handling separate Personal devices;
⦁ The unprocessed data of the function cannot be exercised, deleted or anonymized, without direct commands from LGBANK to do so.
⦁ Data manipulated in the function, as an exercise rule, cannot be protected for personal exercise or remote devices such as units.
Violations of this policy, by the application of employees, may occasionally lead to the application of disciplinary measures, in accordance with the codes and procedures established by LGBANK.
For questions regarding privacy and/or data protection, please contact us at the following email address: firstname.lastname@example.org.
7. FINAL PROVISIONS
Violating the rules contained in our Governance Program in Internal Measures and Protection of Personal Data may lead to the application of established internal codes, policies and procedures. This Policy will be revised whenever there are changes to the LGBANK Privacy and Personal Protection Governance Program, or every 2 (two) years.
President of LGBANK