
photo: Privacy and Security Committee (LGPD).

ORGANIZATIONAL DATA PROTECTION

OBLIGATION OF EMPLOYEES IN CONFIDENTIALITY TERMS

All SENDI partners and employees are bound to confidentiality and accountability by signing a confidentiality declaration. They are prohibited from collecting, processing, or using personal data without authorization. The confidentiality obligation continues even after the end of their duties.

COMMUNICATION OF INCIDENTS RELATED TO DATA PROTECTION

LEGAL CONTEXT

All employees are obliged to immediately inform their supervisor if they violate the LGPD during their work.
In case of a personal data breach, SENDI, under article 48 of the LGPD, must inform the National Data Protection Authority within a reasonable period of up to 72 (seventy-two) hours. Also, SENDI may be required to take measures, such as wide dissemination in the media.

PRE-REQUIREMENTS FOR BREACH OF DATA PROTECTION

A privacy breach occurs whenever a breach of data security results in the destruction, loss, alteration, disclosure, or unauthorized access to personal data that has been transmitted, stored, or processed. There is an illegal disclosure, for example, if the people involved (employees, customers, etc.) have not consented and the disclosure is not permitted by law (for example, by the LGPD) or any other legal provision (for example, a company contract). A mere assumption, with some probability, is enough for there to be a failure in data protection.

CODE OF CONDUCT FOR A PRIVACY PROTECTION POLICY

To be able to react appropriately to a data protection failure, please follow the instructions below and report on the specified channels:

MESSAGE

As soon as you determine or believe that a privacy violation has occurred, immediately notify the communication channels provided for this purpose by sending an incident notification to the Data Protection Officer named at the end of this Privacy Policy and to the following email address: comitelgpd@sendi.com.br.

 

Note: Do not hesitate to report situations even if you are not sure whether they meet the conditions of a data protection failure. Because the analysis can be difficult, trained employees and specialists, such as the Data Protection Officer, will decide whether there is a failure case.

INFORMATION TO BE REPORTED

In case of a privacy breach, verify that all necessary information has been collected. Each step of the data protection breach must be documented with precision and immediately sent to the Data Protection Officer by e-mail at dpo@sendi.com.br.

NOTIFICATION OF OBLIGATIONS IN CASE OF INCIDENTS IN THE PROCESSING OF ORDERS

If SENDI acts as a processor, the duty to provide information derives from the order processing. The customer must be informed immediately that there has been a breach of protection of their personal data by SENDI or by SENDI employees.
This reporting obligation applies to each data protection breach in which the processed personal data is or has been affected.

PROCEDURE FOR A NOTIFICATION MESSAGE

The following steps should be followed:

1. The data holder, for example a user of the website or a newsletter subscriber, must immediately and directly inform the Data Protection Officer at SENDI. Internally, the responsible person must immediately inform his superior, the Data Protection Officer, and the HR/IT officer about the notification.

2. The Data Protection Officer will review the matter with the HR/IT officer and provide management with an assessment and recommendations.

3. Also, the Data Protection Officer, in conjunction with the HR/IT officer and the reporting person, will complete the failure record in the Data Protection and make it available to the board.

4. The decision about what to do in the specific case will be made by the Board, after consulting the Data Protection and HR/IT Officer.

VERIFICATION BY AUTHORITIES

Public administration and judiciary employees who need to access the data, especially personal data, in the exercise of their functions will be allowed to do so. All necessary measures will be coordinated and supervised by the Executive Director or his appointed representative.
If this happens, the person responsible internally must give notification immediately. The notification from the responsible person, as well as the notification receipt, must be documented.

CONTROL BY DATA PROTECTION SUPERVISION AUTHORITIES

If an inspection is performed by a data protection supervisory authority, the person responsible internally and the person responsible for data protection must be informed immediately. According to the LGPD, the National Data Protection Authority is required to monitor and supervise the execution of the LGPD and other data protection regulations. In that case, the data protection supervisory authority has the right to enter the company's premises, under supervision, during business hours to perform inspections and view business documents, stored personal data, and the company's data processing programs. An announcement by the competent authority about the on-site inspection is not necessary.
SENDI must tolerate these measures by the National Data Protection Authority and make sure that the facilities in which data processing takes place (such as employee offices, computer rooms, files) are made available to representatives of the data protection supervisory authority, as well as necessary passwords and relevant documents. Also, upon request, the supervisory authority must receive all information necessary to perform its functions.

TRAINING

SENDI trains employees in the relevant data protection provisions. The internal training will be documented, indicating the content, the date, and the instructor.

REGISTRATION OF DATA PROCESSING ACTIVITIES

 

GENERAL

The General Data Protection Law requires SENDI to compile and keep a list of processing activities; this must be done, on the one hand, by the controllers and, on the other hand, by the processor. The record of data processing activities is generally provided to the data protection supervisory authorities during an inspection, providing an overview of current data processing. So, make sure the records are always up to date.

CREATION OR MODIFICATION OF THE REGISTRATION OF DATA PROCESSING ACTIVITIES

Technical departments create the Data Processing Activity Register for all processing activities they use in the workplace and for which personal data is stored, processed, and used. For new procedures, the register entry must be prepared before the procedure is introduced and given to the person responsible internally. The data processing activities register is complemented by reference to data protection analyses related to the admissibility of the data processing, to the need to perform an impact assessment, and to the respective statement by the Data Protection Officer.

PRIVACY IMPACT ASSESSMENT

In specific cases, SENDI must perform a Data Privacy Impact Report, for example, if the processing may represent high risks for the data holders. High risk can arise when video surveillance or automated performance of employee roles and behavioral tests are performed.
Whether an impact assessment needs to be performed will be determined by the board and the Data Protection Officer. In specific cases, they also determine who will be involved in the process or who will implement the impact assessment.

COMPLIANCE WITH TECHNICAL-ORGANIZATIONAL MEASURES / DATA SECURITY

To make sure that personal data is securely stored at SENDI, appropriate technical and organizational measures have been implemented that also guarantee the protection of the data against unauthorized access, processing, or disclosure, as well as accidental loss, alteration, or destruction. In particular, SENDI has taken steps to ensure a level of protection adequate to the processing risk in terms of confidentiality, integrity, availability, and resilience of IT systems, databases, etc. Confidentiality protection is implemented through access control and disconnection. Integrity is implemented through transfer control, entry control, and order control. Availability and resilience are guaranteed through measures of availability and regular monitoring. These technical and organizational measures are described in SENDI's Information Security Management System. They are continually adapted to reflect technical developments and organizational changes.
