The Privacy Policy is essential to all titular of personal and sensitive data, being it a client, a collaborator or an external provider of AuditSafe. The objective of this document is to inform how the data are collected, how they are protected and which is the aim of their treatment, as well as to establish the directives and the principles that assure the Data Protection Policy in fulfillment to Law Nr. 13.709 – Data Protection General Law (LGPD).

The data titular has the right to accept or not the use of its personal data for the activities offered by AuditSafe.

This politics applies to the collaborators, external providers and clients of AuditSafe Corporative Risks Consulting and AuditSafe Independent Auditors in relation to the data that identify the user individually (Personal and Sensitive Data), data supplied or collected during the use of https://www.auditsafe.com.br, as well as for labor, legal or contractual aims, data treatment of the clients and professionals that has worked in audit and consulting projects that cover AuditSafe “core business”.

When browsing our website https://www.auditsafe.com.br, social networks or participating in any exclusive action in our services, the titular expressly agrees with the collection, use and sharing of data or information, since that they are kept in sigil and used for the aim of a commercial contact, support, research and internal statistics, sending of commercial proposals, invitations for lectures or other communication events of AuditSafe. In the case of non-agreement with our terms, the titular will have the option to cancel the cadaster, putting an end in any interaction with our activities.

1     COOKIES MANAGEMENT

Cookies are small files that store and recognize data from your navigation to guarantee the correct operation of the sites and applications and to provide a personalized experience.

In our website, you will receive a notice about the use of cookies and, when accepting or continuing to navigate, you will agree with its terms. In your computer, you can adjust the configurations of your browser not to allow their use.

2     DEFINITIONS

• Collaborators:
  • It is considered to be the employees registered by the CLT (Labor Laws Consolidation) regimen and the trainees.
• Confidentiality:
  • It is the aspect concerning the non-authorized divulgence, access or undue use of the information.
• Controller:
  • Natural person or legal entity, of public or private right, to which compete the decisions referring to personal data treatment.
• Personal data: 
  • They are the data that identify a natural person: name, residential address, telephone number, e-mail, birth date, IP address, profile in the social or cultural networks, localization data, etc.
• Sensitive personal data:
  • They are information that can cause some way of discrimination, disrespect to the individual freedom, honor, dignity or privacy, discrimination or risk to life, such as:  religious conviction, racial or ethnic origin, affiliation to syndicates or a religious, philosophical or politics character organization, data referring to health or sexual life, genetic or biometric data and political opinion.
• Person in charge – Data Protection Official (DPO):
  • Person indicated by the controller to actuate as a communication channel between the controller, the data titular and the Data Protection National Authority (ANPD).
• Operator:
  • Natural person or legal entity, of public or private right, which does the personal data treatment in the controller’s name.
• Privacy:
  • It is the right to the secrecy of personal information and personal life itself.
• External Providers:
  • They are considered the Associate Consultors (third parties’ resources), Suppliers and the Business Partners.
• Titular:
  • Natural person to whom the personal data refers and that are the object of treatment.
• Treatment:
  • Any operation done with personal data involving the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storing, elimination, evaluation or control of the information, modification, communication, transfer, diffusion or extraction.

3     COLLECTED DATA

The titular personal data follow the following collection principles:

• They are collected only for the determined, explicit and legitimate aims;
• They are collected in an adequate way, pertaining and limited to the objective needs for which they are processed (data minimizing).

The data collected by AuditSafe are described below, according to each type of titular:

• Website users: name / electronic address (e-mail);
• Prospects: in commercial visits, events or indication from other clients and partners, we collect the contact data (name, telephone and e-mail) of prospects (potential clients);
• Clients: when signing a contract, we collect the contacts data (name, telephone and e-mail) and eventual documents associated for legal purposes (CPF (Natural Person Cadaster), RG (ID), position in the company) to maintain the activities and occasionally, if allowed, to offer other service made available by AuditSafe;
• Collaborators: all the data demanded by the labor legislation: name / e-mail for access to the internal network and systems and the ones we need for the communication between the contractor and the contracted (name, telephone and electronic address (e-mail));
• External suppliers: contracted company partner’s data according the legal needs for the purpose of the services rendering contract effectuation (CPF, RG, name, telephone, address, e-mail); it may also be needed to collect the data of the legal representative (name and CPF), witnesses (name and CPF) and attorney (name and CPF).

4     DATA TREATMENT

The titular’s personal data follow the following principles:

• They are processed in a licit, loyal and transparent way (lawfulness, loyalty and transparency);
• They are updated always when needed, in a way that the incorrect data are erased or rectified when needed (exactitude);
• They are treated in a safe way, protected from the non-authorized or illicit treatment and against its loss, destruction or accidental damage, using adequate technical or organizational measures (integrity and confidentiality).

The collected data shall be used for the following aims:

• Contact with potential clients (sending of curricula or Business Cases);
• Technical Capacity Certificate and Commercial Proposals;
• Making of events and/or lectures;
• Divulgence of articles, webinars and eventual marketing actions;
• Defense of interests in administrative processes, people’s managing and legal;
• Fulfillment of judicial order or administrative requirement;
• Protection to life, risk for the titular or third parties’ physical safety, in the cases of urgency.

The consent referring to the data collection supplied by the titular is collected in a free, express, individual, clear, specific and legitimate way. In case the titular does not give his(her) permission for the end activity, AuditSafe reserves the right to take the appropriate measures to rescind or end the activities with the titular.

The collected data and the activities registered shall also be shared with legal, administrative or governmental competent authorities, always when there is a requirement, requisition or legal order.

Internally, the data of our collaborators, external providers and clients are only accessed by professionals duly authorized, respecting the principles of proportionality, need and relevance for the objectives, besides the compromise of confidentiality and privacy preservation in the terms of this Privacy Politics and other procedures of the Information Safety Managing System (SGSI).

Management System Certified by NBR ISO/IEC 27001:2013 (Safety) and NBR ISO/IEC 27701:2019 (Privacy)

Because of the nature of its operations, AuditSafe has certified its Managing System in the main Information Safety international standard, named NBR ISO/IEC 27001:2013, in February 2014.

It has also certified its Managing System in the ISO/IEC 27701:2019 standard in March 2020 to fulfill the Data Privacy requirements related to the Data Protection General Law (LGPD). It has the best behavior to manage safety risks, since it is considered an extension of the ISO 27001: standard.

• 1^st Brazilian company to obtain the certification directly in the 2013 version.
• Assures the information privacy.
• Guarantee the continuous Awareness of the Information Safety Collaborators.
• Assures the conformity with politics, legal requirements and continuity of businesses.
• Reduces the impact of incidents.

The Information Safety Management System scope (SGSI) includes the business and projects management with the service rendering of processes audit, systems, ICP-Brazil, conformity, frauds prevention, WebTrust, investigation and forensic expertise, as well as, in the information safety consulting services rendering, PCI DSS, PCI PIN, in compliance, in business risks, in business strategies, in advice in financial restructuring and implementation of integrated managing systems, in human resources and business process outsourcing. Applicability declaration of July, 7^th 2019.

• Certificate valid till February, 27^th 2023.
• Certificate number: SI-22114

5     DATA STORAGE, SIGIL AND SAFETY

The personal data storage will be kept according the needs of the activity or service rendering, labor and fiscal legislation in force or demanded by the law, by the period in which eventual litigations or investigations in relation to the services can arise.

AuditSafe has the certification of the ISO/IEC 27001:2013 standard that reinforces the information safety measures, control, monitoring and managing within a Management System to guarantee, among other objectives, the fulfillment of the Personal Data Protection General Law.

From the measures used, we can mention:

• Cryptography of the information classified as confidential and personal and sensitive data of the collaborators, external providers and clients.
• Safety in the personal data storage in a corporative network.
• Communication procedures to the titular in the case of personal data leakage.
• Management procedure and response to incidents.
• Access management procedure by the critical properties that intermediate the personal data of the collaborators, clients and external providers.
• Procedure for internal audit.
• Procedure and form to evaluate risks and the safety of third parties / suppliers.
• Procedure for managing External Providers and Human Resources.

6     DATA EXCLUSION

At the end of the personal data treatment or after the data retention period, including the data in temporary files, determined by the applicable legislation, AuditSafe compromises to exclude (eliminate) or to turn the personal data anonymous, that is, it will apply techniques that break the data link to their titular, in a way that the data are no longer associated to the person, no longer being considered as personal data.

7     INTERNATIONAL DATA TRANSFER

The international personal data transfer is only done by AuditSafe or allowed to its external providers when:

• The destination is a country that has data protection rules rigorous and adequate to the anticipated in the LGPD;
• There is a guarantee and proof of fulfillment of the protection regimen anticipated in the LGPD, through contractual clauses;
• The titular provides the consent;
• Fulfillment of a legal demand or a demand from the public authorities.

8     RESPONSE TO INCIDENTS

Any incident, suspected infringement to the standards anticipated in the law or violation of personal data safety must be reported to the Person in Charge (DPO) from AuditSafe, through the Communication Channels mentioned in this politics. According to the damage seriousness and the nature of the infringement and of the affected personal rights, the Person in Charge must evaluate the pertinent administrative sanctions.

9     PERSONAL DATA OF YOUNGERS

AuditSafe collects data of children and teenagers, having less than 18 years of age, only in the cases in which there is the consent of at least one of the parents or the legal responsible and that there is a legal base for this treatment.

Situations in which there is the data collection of people having less than 18 years of age:

• The collaborators declare dependents: 
  • In the adhesion or change of collective assisting medical plan; in this case, the less needed minimum data are collected: complete name, personal identity documents, biomedical data among other heath sensitive data, birth date and connection degree;
  • Inclusion in the E-Social;
  • When the dependents are included in the Natural Person Income Tax (IRPF) for the effect of cadaster in the employment relationship.

10    COMMUNICATION CHANNEL AND TITULAR RIGHTS

The data protection person in charge (or DPO) is the Partner – Operations Director, Elisa Ghiraldini, that you can contact by any communication channel in our website (Telephones, WhatsApp, Chat e Contact Us).

This information is divulged in the website, social networks and internally at AuditSafe. This e-mail is aimed for complaints or the titular petitions, violation of safety standards, technical standards, specific obligations for the ones involved in the data treatment, educative actions, risks supervision, mitigation internal mechanisms and other aspects concerning the personal data treatment.

Fulfilling the applicable regulations, in what concerns the personal data treatment, AuditSafe respects and makes available to the titular the possibility to present inquiries based in the following rights:

• the confirmation of the existence of treatment;
• the access to his(her) data;
• the correction of incomplete, inexact or outdated data;
• the anonymization, blocking or elimination of unneeded, excessive or treated data in nonconformity;
• the portability of his(her) data to other supplier of service or product, through the express inquiry by the titular;
• the copy of the titular treated data, when still stored, through a formal inquiry;
• the elimination of data treated with the titular consent, unless in the hypothesis of retention anticipated by law;
• the obtaining of information about the public or private entities with which AuditSafe has shared his(her) data;
• the information about the possibility not to supply his(her) consent, as well as to be informed about the consequences, in the case of a negative answer;
• the revocation of the consent, unless in the hypothesis of retention anticipated by law.

To exert any of your rights, or if there are other doubts about the use of your personal data, contact us.