This document is an integral part of Carfi’s normative body for the protection of personal data, taking into account the General Data Protection Regulation (2016/679), hereafter GDPR.
Whenever this document is updated, a new version will be made available immediately after its approval.
Compliance with this standard will be monitored by measuring the indicators used to assess controls and/or through audits (internal or external), at regular intervals or whenever significant changes occur.
SCOPE AND OBJECTIVE
Carfi is committed to respecting best practices in the field of security and protection of personal data, having approved a demanding program for this purpose, capable of safeguarding the data made available to it by all those who in some way interact with Carfi.
Personal data – Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special Categories of Personal Data – Personal data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership of a natural person, as well as genetic data, biometric data processed to uniquely identify a person, data concerning health or data concerning a person’s sex life or sexual orientation.
Treatment (processing) – Any operation or set of operations performed on personal data or on sets of personal data, by automated or non-automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Responsible for Treatment (controller) – The natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Breach of Personal Data – A breach of security that leads, accidentally or unlawfully, to the destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise processed.
Subcontractor (processor) – A natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
Third Party – A natural or legal person, public authority, agency or body other than the data holder, the controller, the subcontractor and the persons who, under the direct authority of the controller or the subcontractor, are authorized to process personal data.
HOLDER’S DATA COLLECTION AND PROCESSING
As part of its activity, Carfi collects, records, organizes, stores, uses and consults personal data. It may also carry out other operations or sets of operations that, under the terms of the General Data Protection Regulation, are called “personal data treatment”.
The personal data collected concern not only employees, but also suppliers, customers and applicants.
Carfi collects personal data, namely the data needed for billing, order processing and sales, as well as employee data.
When collecting personal data, Carfi provides data subjects with detailed information about the nature of the data collected and about the purpose and the processing that will be carried out in relation to those personal data, as well as the information mentioned in the clause relating to the right of access to personal data.
Carfi is committed to subcontracting only entities that provide sufficient guarantees of implementing the appropriate technical and organizational measures, in order to ensure the protection of the rights of the holder. All entities subcontracted by the company are bound to it by a written contract that regulates the object and duration of the treatment, the nature and purpose of the treatment, the type of personal data, the categories of data subjects and the rights and obligations of the parties.
These subcontracted entities may not transmit the holder’s data to other entities unless Carfi has previously given written authorization to do so, and they are also prevented from engaging other entities without prior authorization from Carfi.
When collecting personal data, Carfi provides the data subject with information about the categories of subcontracted entities that, in the specific case, may carry out data processing on its behalf.
DATA COLLECTION CHANNELS
Carfi can collect data directly (i.e., directly from the holder) or indirectly (i.e., through partner entities or third parties). Collection can be done through the following channels:
Direct collection: in person, by phone or by email;
Indirect collection: through Carfi partners or companies and official entities.
GENERAL PRINCIPLES APPLICABLE TO THE HOLDER’S DATA PROCESSING
In terms of general principles relating to the processing of personal data, Carfi is committed to ensuring that the data of the data subject it processes are:
- The object of lawful, fair and transparent processing in respect of the data subject;
- Collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are collected and processed;
- Accurate and updated whenever necessary, taking all appropriate measures so that the inaccurate data, taking into account the purposes for which they are processed, are erased or rectified without delay;
- Kept in a way that allows the identification of the data subject only during the period necessary for the purposes for which the data are processed;
- Processed in a way that ensures their security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
Data processing carried out by Carfi is lawful when at least one of the following situations occurs:
- The data holder has given his explicit consent to the processing of his data for one or more specific purposes;
- Processing is necessary for the execution of a contract to which the data holder is a party, or for pre-contractual steps at the request of the data holder;
- Treatment is necessary to fulfill a legal obligation to which Carfi is subject;
- The processing is necessary to defend the vital interests of the data holder or another natural person;
- Processing is necessary for the purposes of the legitimate interests pursued by Carfi or by third parties (unless the interests or fundamental rights and freedoms of the data holder that require the protection of personal data prevail).
Carfi is committed to ensuring that the data of the holder is processed only under the conditions listed above and with respect for the principles mentioned above.
When the processing of the data subject’s data is carried out by Carfi on the basis of the data subject’s consent, the data subject has the right to withdraw that consent at any time. The withdrawal of consent, however, does not affect the lawfulness of the processing carried out by Carfi on the basis of the consent previously given.
The period of time during which data is stored and preserved varies according to the purpose for which the information is processed.
In fact, there are legal requirements that require certain data to be kept for a minimum period of time. Thus, whenever there is no specific legal requirement, the data will be stored and preserved only for the minimum period necessary for the purposes that motivated their collection or further treatment, after which they will be deleted.
USE AND PURPOSES OF THE HOLDER’S DATA PROCESSING
In general terms, Carfi uses the holder’s data for different purposes, namely billing and collection from the data holder, marketing purposes, and the management of human resources and the recruitment of employees.
The holder’s data collected by Carfi are not shared with third parties without the consent of the holder, with the exception of the situations referred to in the following paragraph. However, in the event that the holder contracts with Carfi for services that are provided by other entities responsible for the processing of personal data, the holder’s data may be consulted or accessed by those entities, insofar as this is necessary for the provision of said services.
IMPLEMENTED TECHNICAL, ORGANIZATIONAL AND SECURITY MEASURES
In order to guarantee the security of the holder’s data and maximum confidentiality, Carfi treats the information provided to it in an absolutely confidential manner, in accordance with its internal security and confidentiality policies and procedures, which are updated periodically according to needs and in accordance with the legally provided terms and conditions.
Depending on the nature, scope, context and purposes of data processing, as well as the risks arising from the processing for the rights and freedoms of the data subject, Carfi undertakes to apply, both when determining the means of processing and at the time of the processing itself, the technical and organizational measures necessary and adequate to protect the holder’s data and to comply with legal requirements.
It also undertakes to ensure that, by default, only the data necessary for each specific purpose of treatment are processed and that those data are not made accessible, without human intervention, to an indefinite number of persons.
In terms of general measures, Carfi adopts the following:
- Regular audits to assess the effectiveness of the technical and organizational measures implemented;
- Awareness and training of staff involved in data processing operations;
- Mechanisms capable of ensuring the confidentiality, availability and permanent resilience of information systems;
- Mechanisms that ensure the restoration of information systems and access to personal data in a timely manner in the event of a physical or technical incident.
TRANSFER OF DATA OUTSIDE THE EUROPEAN UNION
The personal data collected and used by Carfi are not made available to third parties established outside the European Union. If, in the future, such a transfer takes place, Carfi undertakes to ensure that the transfer complies with the applicable legal provisions, namely regarding the assessment of the adequacy of that country with regard to data protection and the requirements applicable to such transfers.
RIGHT TO INFORMATION
Information provided to the data holder by Carfi (when data is collected directly from the data subject):
- The identity and contact details of Carfi, responsible for the processing and, if applicable, of its representative;
- The purposes of the processing for which the personal data are intended, as well as, if applicable, the legal basis for the processing;
- If the processing of the data is based on the legitimate interests of Carfi or a third party, an indication of such interests;
- If applicable, the recipients or categories of recipients of personal data;
- If applicable, an indication that personal data will be transferred to a third country or an international organization, and whether or not an adequacy decision has been taken by the Commission, or a reference to the appropriate or suitable transfer safeguards;
- Period of retention of personal data;
- The right to request from Carfi access to personal data, as well as their rectification, erasure or limitation, the right to object to the processing and the right to data portability;
- If the processing of data is based on the consent of the holder, the right to withdraw consent at any time, without compromising the lawfulness of the treatment carried out based on the consent previously given;
- The right to file a complaint with the CNPD or another supervisory authority;
- Indication whether or not the provision of personal data constitutes a legal or contractual obligation, or a necessary requirement to conclude a contract, as well as whether the holder is obliged to provide personal data and the possible consequences of not providing such data;
- If applicable, the existence of automated decisions, including profiling, and information regarding the underlying logic, as well as the importance and expected consequences of such processing for the data subject.
In the event that the data subject’s data are not collected directly from the data subject, in addition to the information referred to above, Carfi additionally informs the data subject about the categories of personal data being processed, about the origin of the data and whether they come from publicly accessible sources.
If Carfi intends to further process the data of the data subject for a purpose other than that for which the data were collected, it will, before such processing, provide the data subject with information on that purpose and any other relevant information, under the terms referred to above.
Procedures and measures implemented to fulfill the right to information:
The aforementioned information shall be provided in writing (including by electronic means) by Carfi to the data subject prior to the processing of the personal data in question. Under applicable law, there is no obligation to provide the holder with this information when and to the extent that the holder is already aware of it.
The information is provided by Carfi free of charge.
RIGHT OF ACCESS TO PERSONAL DATA
Carfi guarantees the means by which the data subject can access his personal data.
The data holder has the right to obtain confirmation from Carfi that the personal data concerning him are or are not subject to processing and, if applicable, the right to access his personal data and the following information:
- The purposes of data processing;
- The categories of personal data in question;
- The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients established in third countries or belonging to international organizations;
- The period of conservation of personal data;
- Right to ask Carfi to rectify, erase or limit the processing of personal data, or the right to object to such processing;
- Right to file a complaint with the CNPD or other supervisory authority;
- If the data has not been collected from the data subject, the information available on the source of that data;
- The existence of automated decisions, including the definition of profiles, and information related to the underlying logic, as well as the importance and expected consequences of such treatment for the data subject;
- Right to be informed about adequate guarantees associated with the transfer of data to third countries or international organizations.
Upon request, Carfi will provide the data subject, free of charge, with a copy of their data that are being processed. The supply of other copies requested by the holder may incur administrative costs.
RIGHT TO RECTIFY PERSONAL DATA
The data subject has the right to request, at any time, the rectification of his personal data, as well as the right to have his incomplete personal data completed, including by means of an additional declaration.
In case of rectification of the data, Carfi communicates to each recipient to whom the data has been transmitted the respective rectification, unless such communication proves impossible or involves a disproportionate effort for Carfi.
RIGHT TO DELETE PERSONAL DATA (“RIGHT TO BE FORGOTTEN”)
The data subject has the right to obtain, on the part of Carfi, the erasure of his data when one of the following reasons applies:
- The data of the holder is no longer necessary for the purpose that motivated its collection or treatment;
- The holder withdraws the consent on which the data processing is based and there is no other legal basis for such processing;
- The holder opposes treatment under the right to object and there are no prevailing legitimate interests that justify the treatment;
- If the data of the holder is processed illegally;
- In case the holder’s data have to be deleted in order to fulfill a legal obligation to which Carfi is subject.
Under applicable legal terms, Carfi is under no obligation to delete the holder’s data to the extent that processing proves necessary to fulfill a legal obligation to which Carfi is subject or for the purposes of declaring, exercising or defending a right in a judicial process.
In case of data deletion, Carfi communicates to each recipient / entity to whom the data has been transmitted the respective deletion, unless such communication proves impossible or involves a disproportionate effort for Carfi.
When Carfi has made the holder’s data public and is obliged to delete them under the right of erasure, it undertakes to take reasonable measures, including technical measures, taking into account the available technology and the cost of their application, to inform the controllers that are processing those personal data that the holder has requested the deletion of any links to such personal data, as well as of copies or reproductions thereof.
RIGHT TO LIMIT THE PROCESSING OF PERSONAL DATA
The data holder has the right to obtain from Carfi the limitation of the processing of his data if one of the following situations applies (the limitation consists in marking the stored personal data with the aim of limiting their treatment in the future):
- If the holder contests the accuracy of the personal data, for a period that allows Carfi to verify their accuracy;
- If the processing is unlawful and the data subject opposes the deletion of the data, requesting, on the other hand, to limit its use;
- If Carfi no longer needs the data subject’s data for processing purposes, but that data is required by the data subject for the purpose of declaring, exercising or defending a right in a judicial process;
- If the holder has objected to the treatment, until it is verified whether Carfi’s legitimate reasons prevail over those of the holder.
When the processing of the holder’s data has been limited, the data may, with the exception of storage, only be processed with the consent of the data subject, or for the purpose of declaring, exercising or defending a right in a judicial process, for the protection of the rights of another natural or legal person, or for reasons of public interest provided for by law.
The data holder who has obtained a limitation on the processing of his data in the cases referred to above will be informed by Carfi before the limitation on processing is lifted.
In the case of a limitation in the processing of data, Carfi will communicate to each recipient to whom the data has been transmitted the respective limitation, unless such communication proves impossible or implies a disproportionate effort for Carfi.
RIGHT TO PORTABILITY OF PERSONAL DATA
The data holder has the right to receive the personal data concerning him that he has provided to Carfi, in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller, if:
- Treatment is based on consent or a contract to which the holder is a party;
- The treatment is carried out by automated means.
The portability right does not include inferred data or derived data, i.e., personal data that is generated by Carfi as a consequence or result of the analysis of the data being processed.
The data holder has the right to have his personal data transmitted directly between controllers, whenever technically possible.
RIGHT OF OPPOSITION
The holder has the right to object at any time, for reasons related to his particular situation, to the processing of personal data concerning him that is based on the legitimate interests pursued by Carfi, or when the processing is carried out for purposes other than those for which the personal data were collected, including the definition of profiles, or when personal data are processed for statistical purposes.
Carfi will cease processing the holder’s data, unless it presents compelling and legitimate reasons for such processing that prevail over the holder’s interests, rights and freedoms, or for the purposes of declaring, exercising or defending a Carfi right in a judicial proceeding.
When the holder’s data are processed for the purpose of direct marketing, the data subject has the right to object at any time to the processing of data concerning him for the purposes of said marketing, which covers the definition of profiles to the extent that it is related to direct marketing. If the holder objects to the processing of his data for the purpose of direct marketing, Carfi ceases processing the data for that purpose.
The data holder also has the right not to be subject to any decision taken exclusively on the basis of automated processing, including the definition of profiles, which produces legal effects concerning him or which similarly significantly affects him, unless the decision:
- It is necessary for the conclusion or execution of a contract between the holder and Carfi;
- It is authorized by legislation to which Carfi is subject; or
- It is based on the explicit consent of the data subject.
PROCEDURES FOR THE EXERCISE OF RIGHTS BY THE HOLDER
The right of access, the right to rectify, the right to erase, the right to limit, the right to portability and the right to object can be exercised by the data subject through contact with Carfi, by any formal means.
Carfi will respond in writing (including by electronic means) to the holder’s request within a maximum period of one month from receipt of the request, except in cases of special complexity, where this period may be extended up to two months.
If the requests submitted by the holder are manifestly unfounded or excessive, namely due to their repetitive nature, Carfi reserves the right to charge administrative costs or to refuse to proceed with the request.
PERSONAL DATA BREACHES
In the case of a data breach, and to the extent that such breach is likely to imply a high risk to the holder’s rights and freedoms, Carfi undertakes to report the personal data breach to the CNPD within 72 hours of becoming aware of the incident.
Under legal terms, communication of the breach to the holder is not required in the following cases:
- If Carfi has applied appropriate protection measures, both technical and organizational, and these measures have been applied to the personal data affected by the personal data breach, especially measures that make the personal data incomprehensible to any person not authorized to access that data, such as encryption;
- If Carfi has taken subsequent measures to ensure that the high risk to the holder’s rights and freedoms is no longer likely to materialize; or
- If the communication to the holder implies a disproportionate effort for Carfi. In that case, it will make a public communication or take a similar measure by which the holder will be informed.
APPLICABLE LAW AND JURISDICTION