1 Contextualization
This Privacy Policy and Personal Data Protection Policy (“Policy”) aims to provide guidance on how to manage the various activities and operations involving personal data processing at Dynalogic Network Services. This document is part of Dynalogic Network Services’ compliance program with the General Data Protection Law (Law No. 13,709/2018 – “LGPD”) and other sectoral laws on the subject.
Dynalogic Network Services, aware of the importance and necessity of adapting its personal data processing operations to a new and broad regulation on the subject, namely the LGPD, approved in August 2018, began its compliance process with the new Law in May 2019.
It is noteworthy that the LGPD is a cross-cutting law that affects different economic agents in Brazil, from the private, public, and third sectors, and provides the rules and conditions for personal data to be used in the activities of these agents.
Furthermore, considering that in May 2018, the General Data Protection Regulation (Regulation EU 2016/679 – “GDPR”) came into force, and that it has points of contact with the activities carried out by FGV in the European Union, it was decided that the LGPD Compliance Program would also cover this regulation.
In carrying out the activities provided for in its bylaws, Dynalogic Network Services carries out various personal data processing operations, seeking the best interest of the data subjects and respecting their rights, and may be characterized as a Personal Data Controller, Personal Data Processor, Personal Data Controller and Processor, or Co-Personal Data Controller, in accordance with the definitions of the LGPD, reinforcing, in all positions it occupies, its commitment to complying with the applicable privacy and personal data protection rules.
The regulatory compliance process that will culminate in the LGPD Compliance Program involves work on interpreting the Law to define legal obligations, diagnosing relevant facts for its application, and identifying flows and processes that contribute or not to ensuring that the facts comply with the legal document.
This Policy is part of a broad set of elements that make up the Dynalogic Internal Controls and Compliance System, coordinated by the Internal Controls Directorate (DCI), and must be read and interpreted in light of the set of documents and regulations that make up the company’s information governance structure.
2 Scope
This Policy sets out the guidelines of Dynalogic Network Services for safeguarding and using personal data that may be processed in its activities, with reference to the General Data Protection Law, among other national and international standards relating to privacy and protection of personal data, with special attention to the General Data Protection Regulation.
3 Recipients
This Policy applies to:
- employees of Dynalogic Network Services;
- all third parties, whether individuals or legal entities, who act for or on behalf of Dynalogic Network Services in operations involving the processing of personal data that are carried out within the scope of the activities conducted by Dynalogic Network Services;
- external personal data processing agents who in any way relate to the company; and
- data subjects whose data are processed by Dynalogic Network Services.
Compliance with Dynalogic Network Services’ compliance program with personal data protection laws and related regulatory provisions, including this Policy, is mandatory for all recipients listed above to the extent they are related to Dynalogic Network Services. All operations involving the processing of personal data carried out within the scope of the activities conducted by Dynalogic Network Services are subject to such regulations.
4 Applicability
This Policy establishes guidelines and rules to ensure that its recipients understand and comply with the laws that deal with the protection of personal data in all interactions with current and future data subjects, third parties, and data processing agents external to Dynalogic Network Services in the scope of its activities.
In addition to the concepts defined by privacy and personal data protection laws, the information covered by this Policy includes all data held, used, or transmitted by or on behalf of Dynalogic Network Services, in any type of media. This includes personal data recorded on paper, held on computer systems or portable devices, as well as personal data transmitted orally.
5 Objectives
The objectives of the Dynalogic Privacy and Personal Data Protection Policy are:
- Establish the guidelines and responsibilities of Dynalogic Network Services that ensure and reinforce the company’s commitment to compliance with applicable personal data protection laws;
- Describe the rules to be followed in conducting activities and operations involving the processing of personal data carried out by Dynalogic Network Services and the recipients of this Policy, within the scope of Dynalogic Network Services activities, which ensure compliance with applicable personal data protection laws, especially the LGPD.
This Policy should be read in conjunction with the obligations set forth in the documents listed below, which deal with information in general and supplement it when applicable:
- Employment contracts of Dynalogic Network Services employees and comparable documents, which provide for confidentiality obligations with respect to information held by the company;;
- Information security policies and procedural norms, as well as terms and conditions of use, which deal with the confidentiality, integrity, and availability of Dynalogic Network Services information;
- All internal regulations regarding personal data protection that may be developed and updated from time to time.
6 Privacy and Personal Data Protection Principles
Dynalogic Network Services will comply with the following personal data protection principles when processing personal data:
- PURPOSE: Dynalogic Network Services will process personal data only for legitimate, specific, explicit, and informed purposes to the data subject, without the possibility of further processing that is incompatible with those purposes;
- ADEQUACY: Dynalogic Network Services will process personal data in a manner that is compatible with the purposes informed to the data subject and according to the context of the processing;
- NECESSITY: The personal data processing carried out by Dynalogic Network Services will be limited to the minimum necessary to achieve its purposes, with the scope of relevant, proportional, and non-excessive data in relation to the purposes of processing;
- FREE ACCESS: Dynalogic Network Services will ensure that data subjects have easy and free access to information about the form and duration of the processing, as well as the completeness of their data;
- DATA QUALITY: Dynalogic Network Services will ensure the accuracy, clarity, relevance, and updating of data to the data subjects, as needed, and to comply with the purpose of processing;
- TRANSPARENCY: Dynalogic Network Services will provide data subjects with clear, accurate, and easily accessible information about the processing and the respective data processing agents, subject to commercial and industrial secrets;
- SECURITY: Dynalogic Network Services will use technical and administrative measures to protect personal data from unauthorized access and accidental or unlawful destruction, loss, alteration, communication, or dissemination;
- PREVENTION: Dynalogic Network Services will adopt measures to prevent harm resulting from personal data processing;
- NON-DISCRIMINATION: Dynalogic Network Services will ensure that personal data processing is not conducted for illicit or abusive discriminatory purposes;
- RESPONSIBILITY AND ACCOUNTABILITY: Dynalogic Network Services is committed to demonstrating the adoption of effective measures to prove compliance with personal data protection rules, and the effectiveness of those measures.
7 Legal Bases for Personal Data Processing
All personal data processing operations carried out in the context of activities conducted by Dynalogic Network Services will have a legal basis that legitimizes their performance, with stipulation of purpose and designation of those responsible for the processing.
Dynalogic Network Services takes as an institutional commitment the periodic evaluation of the purposes of its processing operations, considering the context in which these operations are inserted, the risks and benefits that can be generated to the data subject, and the legitimate interest of the Institution.
The processing of personal data operations by Dynalogic Network Services may be carried out:
- Upon provision of consent by the data subject;
- For compliance with a legal or regulatory obligation;
- For conducting research by research institutions;
- When necessary for the execution of a contract or preliminary procedures related to a contract of which the data subject is a party;
- For the regular exercise of rights in judicial, administrative or arbitration proceedings;
- For the protection of the life or physical integrity of the data subject or third parties;
- For the protection of health, exclusively in procedures carried out by health professionals, health services, or health authorities;
- When necessary to meet the legitimate interests of Dynalogic Network Services or third parties;
- For credit protection purposes.
Dynalogic Network Services will register its processing operations based on processing categories, each described based on its purpose(s), serving as an aid and support for its periodic evaluation of compliance with the personal data protection regulatory framework.
The records of personal data processing operations may be consulted by the data subject, as well as by competent public authorities for access and retention of data on their behalf, safeguarding the rights of the data subject.
8 Legal Bases for Sensitive Personal Data Processing
Dynalogic Network Services recognizes that the processing of sensitive personal data poses higher risks to data subjects and for this reason the Institution undertakes the commitment to safeguard and provide special care in processing sensitive personal data.
This commitment includes personal sensitive data listed in article 5, item II of the LGPD, as well as financial data that, for the purposes of this Policy and Dynalogic Network Services LGPD Compliance Program, will have the same status as sensitive personal data.
- Children and adolescent personal data will be treated with the same level of care required and provided to sensitive personal data, but will also be subject to the provisions established in Chapter II, Section III, of the LGPD, and other specific applicable regulations.
The processing of sensitive personal data by Dynalogic Network Services can only be carried out in the following cases:
- When the data subject or their legal representative gives specific and highlighted consent for specific purposes;
- Without the data subject’s consent, in cases where processing is indispensable for:
- Compliance with legal or regulatory obligations by Dynalogic Network Services;
- Conducting studies when Dynalogic Network Services acts as a Research Agency, always guaranteeing, whenever possible, the anonymization of sensitive personal data;
- Regular exercise of rights, including in contracts and in judicial, administrative and arbitral proceedings;
- Protection of the life or physical integrity of the data subject or third parties;
- Healthcare exclusively in procedures carried out by healthcare professionals, healthcare services, or health authorities; or
- Guaranteeing the prevention of fraud and security of the data subject in identification and authentication processes for electronic systems.
9 Rights of Personal Data Subjects
Dynalogic Network Services, in the context of its activities involving the processing of personal data, reinforces its commitment to respecting the rights of personal data subjects, which are:
- RIGHT TO CONFIRMATION OF THE EXISTENCE OF PROCESSING: the personal data subject may question Dynalogic Network Services if operations involving the processing of their personal data are being carried out;
- RIGHT OF ACCESS: the personal data subject may request and receive a copy of all collected and stored personal data;
- RIGHT TO RECTIFICATION: the personal data subject may request the correction of incomplete, inaccurate or outdated personal data;
- RIGHT TO ERASURE: the personal data subject may request the deletion of their personal data from databases managed by Dynalogic Network Services, except in cases where there is a legitimate reason for their maintenance, such as legal obligations for data retention or research purposes by a research agency. In the case of erasure, the Institution reserves the right to choose the deletion procedure employed, committing to use a means that guarantees security and avoids the recovery of data;
- RIGHT TO REQUEST SUSPENSION OF UNLAWFUL PROCESSING OF PERSONAL DATA: at any time, the personal data subject may request from Dynalogic Network Services the anonymization, blocking or deletion of their personal data that has been recognized by a competent authority as unnecessary, excessive, or processed in non-compliance with the LGPD;
- RIGHT TO OBJECT TO PROCESSING OF PERSONAL DATA: in cases where personal data processing is not based on obtaining consent, the personal data subject may present an objection to Dynalogic Network Services, which will be analyzed based on the criteria set forth in the LGPD;
- RIGHT TO DATA PORTABILITY: the personal data subject may request that their personal data be made available to another service or product provider, respecting the Institution’s commercial and industrial secrecy, as well as the technical limitations of its infrastructure;
- RIGHT TO WITHDRAW CONSENT: the personal data subject has the right to withdraw their consent. However, it should be noted that this will not affect the legality of any processing carried out before the withdrawal. In the case of withdrawal of consent, it may not be possible to provide certain services. If this is the case, the personal data subject will be informed.
Dynalogic Network Services reiterates its commitment to the rights of personal data subjects to transparency and adequate information, highlighting the provision of:
- Information about public and private entities with which Dynalogic Network Services has shared data;
- Information about the possibility of not providing consent and about the consequences of refusal.
10 Duties for Proper Use of Personal Data
The duties of care, attention, and proper use of personal data extend to all recipients of this Policy in the development of their work and activities at Dynalogic Network Services, committing to assist the Institution in fulfilling its obligations in the implementation of its privacy and personal data protection strategy.
- SPECIFIC DUTIES OF PERSONAL DATA HOLDERS:
It is the responsibility of personal data holders to notify Dynalogic Network Services of any modifications to their personal data in their relationship with the Institution (e.g., change of address), preferably notifying in the following order:
- Through the platform made available by the Dynalogic Network Services Unit with which the holder is related;
- By email addressed to the responsible person of the Dynalogic Network Services Unit with which the holder is related;
- By email addressed directly to Dynalogic Network Services, when designated; and
- By physical means (e.g., letter) addressed directly to Dynalogic Network Services, when designated.
- SPECIFIC DUTIES OF DYNALOGIC EMPLOYEES:
The sharing of personal data of data subjects between Dynalogic Network Services units is allowed, provided that their purpose and legal basis are respected, and the principle of necessity is observed, with the processing of personal data always being associated with the development of activities authorized by the company.
- DUTIES OF DYNALOGIC EMPLOYEES, PERSONAL DATA PROCESSORS, AND THIRD PARTIES:
- Not to disclose or grant access to the personal data held by Dynalogic Network Services to any unauthorized individuals or those not competent according to the Institution’s rules.
- Obtain the necessary authorization for data processing and have the necessary documents demonstrating the designation of their competence for carrying out lawful data processing operations, in accordance with the regulatory framework of Dynalogic Network Services to be developed.
- Comply with the rules, recommendations, information security guidelines, and incident prevention guidelines published by the Institution (e.g. Information Security Policy, Information Security Incident Response Plan, password management guidelines, among others).
- DUTIES OF ALL RECIPIENTS OF THIS POLICY:
All recipients of this Policy have a duty to contact the Dynalogic Network Services Data Protection Officer when suspecting or becoming aware of any of the following actions:
- Processing of personal data without a legal basis that justifies it;
- Processing of personal data without authorization from Dynalogic Network Services within the scope of its activities;
- Processing of personal data that is carried out in non-compliance with the Dynalogic Network Services Information Security Policy;
- Unauthorized elimination or destruction by Dynalogic Network Services of personal data from digital platforms or physical collections at all facilities of the Institution or used by it;
- Any other violation of this Policy or any of the data protection principles set forth in item 8 above.
11 Relationship with Third Parties
The LGPD establishes that responsibility for property, moral, individual, or collective damages arising from violations of personal data protection legislation is joint and several, i.e., all agents involved in the personal data processing chain may be held liable for any damages caused.
In this sense, the possibility of Dynalogic Network Services being held responsible for the actions of third parties implies the need to make the best efforts to verify, evaluate, and ensure that such third parties comply with applicable data protection laws.
- Therefore, all contracts with third parties must contain clauses related to personal data protection, establishing duties and obligations related to the topic and attesting to the commitment of third parties to applicable personal data protection laws. It should be noted that these contracts will be reviewed and submitted for approval by Dynalogic Network Services and its technical team, in accordance with the current regulatory framework.
- All third parties must sign the acceptance terms of this Policy, the Information Security Policy, and the Security Incident Response Plan, submitting the contracted activities under the relationship with Dynalogic Network Services also to these regulations.
12 Personal Data Protection Law Compliance Program
The LGPD Compliance Program aims to ensure Dynalogic Network Services’ commitment to ensuring the proper treatment of personal data for legitimate purposes that may be the subject of its activities and reinforces its commitment to good privacy and data protection practices with the following actions:
- Production and dissemination of information, regardless of the format, that describes the individual responsibilities of the recipients of this Policy in the scope of privacy and personal data protection;
- Provision of training, guidance, and counseling for Dynalogic Network Services employees and third parties, including but not limited to online courses, workshops, internal meetings, regular conversations, lectures, and other initiatives, sharing content available in digital and in-person formats.
- Incorporation of concerns and care in the treatment of personal data at all stages of its activities, including but not limited to administrative routines, research activities, service provision, academic activities, among others.
- Identification and deepening of the assessment of risks that may compromise the achievement of Dynalogic Network Services’ objectives in the area of privacy and personal data protection; defining, creating, and implementing action plans and policies to mitigate identified risks, as well as maintaining ongoing evaluation of scenarios to assess whether implemented measures do not require new guidelines and attitudes.
From the entry into force of the LGPD, the Encarregado of Dynalogic Network Services – also referred to as the Data Protection Officer (Dynalogic Network Services DPO) – assisted by their technical team, shall have the following responsibilities:
- Lead the LGPD Compliance Program at Dynalogic Network Services, ensuring its enforcement;
- Monitor compliance with applicable personal data protection legislation, in accordance with Dynalogic Network Services policies;
- Provide guidance to recipients of this Policy regarding Dynalogic Network Services’ privacy and personal data protection regime;
- Ensure that rules and guidelines relating to data protection are communicated and incorporated into Dynalogic Network Services’ routines and practices;
- Organize training on personal data protection at Dynalogic Network Services;
- Provide clarification, offer information, and present reports on personal data processing operations and their impacts to competent public authorities (e.g. Public Prosecutor’s Office, National Authority for Personal Data Protection, etc.);
- Respond to requests and complaints from data subjects whose personal data have been processed by a unit of Dynalogic Network Services;
- Assist in audits or any other evaluation and monitoring measures involving data protection;
- Prepare privacy impact assessments, technical opinions, and review documents regarding data protection.
13 Information Security
The information security standards and prevention against personal data incidents are contained in the Information Security Policy of Dynalogic Network Services and in internal regulations and documents related to the topic.
Dynalogic Network Services reinforces its commitment, embodied in its Information Security Policy, to employ adequate technical and organizational measures in the handling of personal data and to make efforts to protect the personal data of data subjects against unauthorized access, loss, destruction, unauthorized sharing, among other possibilities.
14 International Transfer of Personal Data
In cases where Dynalogic Network Services is authorized to process personal data without the consent of the data subject, Dynalogic Network Services may transfer personal data to other countries provided that, alternatively:
- The country is classified as having an adequate level of data protection assigned by ANPD or the transfer is authorized by ANPD;
- While there is no list of adequate countries published by ANPD, the country is classified by the European Commission, through an Adequacy Decision, as a country with an adequate level of GDPR criteria;
- The international data processing agent offers Dynalogic Network Services at least one of the following safeguards:
- Codes of Conduct regularly issued or binding corporate rules approved by the European Commission;
- Standard Contractual Clauses issued by ANPD or the European Commission;
- Seals and Certificates of compliance or adequacy for personal data protection granted by entities recognized by ANPD or the European Commission.
- Obtain explicit and highlighted consent from data subjects for international transfer operations of personal data, with prior information on the international nature of the operation and highlighting that the country does not have recognized adequate data protection level or there are no safeguards of the processing agent’s compliance, as appropriate.
In cases where Dynalogic Network Services is authorized to process personal data based on consent, Dynalogic Network Services may transfer personal data to other countries provided it obtains explicit and highlighted consent from data subjects for international transfer operations of personal data, with prior information on the international nature of the operation.
- If the country does not have a recognized adequate level of data protection or there are no safeguards of the processing agent’s compliance, such information should be provided to the data subject in advance so that they consent to the risks of the operation.
Dynalogic Network Services is committed to informing data subjects on its digital platforms (e.g. websites, applications, etc.) about the occurrence of international transfer operations of personal data, specifying the set of data sent, the purpose of the transfer, and its destination. Information on international data transfers will be made available on the Dynalogic Network Services Personal Data Protection Portal after the entry into force of LGPD.
15 Monitoring
Dynalogic Network Services reaffirms its commitment to ensure proper processing of personal data for legitimate purposes that may be subject to its activities and reinforces its commitment to good privacy and data protection practices, committing to keep its LGPD Compliance Program up to date with the standards and recommendations issued by ANPD or other competent authorities.
Dynalogic Network Services commits to periodically review this Policy and, at its discretion, make modifications that update its provisions to reinforce the company’s ongoing commitment to privacy and personal data protection, with all changes communicated in a timely manner through official channels of the company.
16 How to talk about personal data with Dynalogic Network Services?
If you believe that your personal data has been used in a manner incompatible with this Privacy Policy or with your choices as the data subject, or if you have any questions, comments, or suggestions related to this Policy, please contact us. We have a Data Protection Officer (DPO) who is available at the following contact addresses:
Data Protection Officer (DPO):
Ronaldo Gama Silva
Contact email:
privacidade@dynalogic.net
1 Contextualization
This Privacy Policy and Personal Data Protection Policy (“Policy”) aims to provide guidance on how to manage the various activities and operations involving personal data processing at Dynalogic Network Services. This document is part of Dynalogic Network Services’ compliance program with the General Data Protection Law (Law No. 13,709/2018 – “LGPD”) and other sectoral laws on the subject.
Dynalogic Network Services, aware of the importance and necessity of adapting its personal data processing operations to a new and broad regulation on the subject, namely the LGPD, approved in August 2018, began its compliance process with the new Law in May 2019.
It is noteworthy that the LGPD is a cross-cutting law that affects different economic agents in Brazil, from the private, public, and third sectors, and provides the rules and conditions for personal data to be used in the activities of these agents.
Furthermore, considering that in May 2018, the General Data Protection Regulation (Regulation EU 2016/679 – “GDPR”) came into force, and that it has points of contact with the activities carried out by FGV in the European Union, it was decided that the LGPD Compliance Program would also cover this regulation.
In carrying out the activities provided for in its bylaws, Dynalogic Network Services carries out various personal data processing operations, seeking the best interest of the data subjects and respecting their rights, and may be characterized as a Personal Data Controller, Personal Data Processor, Personal Data Controller and Processor, or Co-Personal Data Controller, in accordance with the definitions of the LGPD, reinforcing, in all positions it occupies, its commitment to complying with the applicable privacy and personal data protection rules.
The regulatory compliance process that will culminate in the LGPD Compliance Program involves work on interpreting the Law to define legal obligations, diagnosing relevant facts for its application, and identifying flows and processes that contribute or not to ensuring that the facts comply with the legal document.
This Policy is part of a broad set of elements that make up the Dynalogic Internal Controls and Compliance System, coordinated by the Internal Controls Directorate (DCI), and must be read and interpreted in light of the set of documents and regulations that make up the company’s information governance structure.
2 Scope
This Policy sets out the guidelines of Dynalogic Network Services for safeguarding and using personal data that may be processed in its activities, with reference to the General Data Protection Law, among other national and international standards relating to privacy and protection of personal data, with special attention to the General Data Protection Regulation.
3 Recipients
This Policy applies to:
- employees of Dynalogic Network Services;
- all third parties, whether individuals or legal entities, who act for or on behalf of Dynalogic Network Services in operations involving the processing of personal data that are carried out within the scope of the activities conducted by Dynalogic Network Services;
- external personal data processing agents who in any way relate to the company; and
- data subjects whose data are processed by Dynalogic Network Services.
Compliance with Dynalogic Network Services’ compliance program with personal data protection laws and related regulatory provisions, including this Policy, is mandatory for all recipients listed above to the extent they are related to Dynalogic Network Services. All operations involving the processing of personal data carried out within the scope of the activities conducted by Dynalogic Network Services are subject to such regulations.
4 Applicability
This Policy establishes guidelines and rules to ensure that its recipients understand and comply with the laws that deal with the protection of personal data in all interactions with current and future data subjects, third parties, and data processing agents external to Dynalogic Network Services in the scope of its activities.
In addition to the concepts defined by privacy and personal data protection laws, the information covered by this Policy includes all data held, used, or transmitted by or on behalf of Dynalogic Network Services, in any type of media. This includes personal data recorded on paper, held on computer systems or portable devices, as well as personal data transmitted orally.
5 Objectives
The objectives of the Dynalogic Privacy and Personal Data Protection Policy are:
- Establish the guidelines and responsibilities of Dynalogic Network Services that ensure and reinforce the company’s commitment to compliance with applicable personal data protection laws;
- Describe the rules to be followed in conducting activities and operations involving the processing of personal data carried out by Dynalogic Network Services and the recipients of this Policy, within the scope of Dynalogic Network Services activities, which ensure compliance with applicable personal data protection laws, especially the LGPD.
This Policy should be read in conjunction with the obligations set forth in the documents listed below, which deal with information in general and supplement it when applicable:
- Employment contracts of Dynalogic Network Services employees and comparable documents, which provide for confidentiality obligations with respect to information held by the company;;
- Information security policies and procedural norms, as well as terms and conditions of use, which deal with the confidentiality, integrity, and availability of Dynalogic Network Services information;
- All internal regulations regarding personal data protection that may be developed and updated from time to time.
6 Privacy and Personal Data Protection Principles
Dynalogic Network Services will comply with the following personal data protection principles when processing personal data:
- PURPOSE: Dynalogic Network Services will process personal data only for legitimate, specific, explicit, and informed purposes to the data subject, without the possibility of further processing that is incompatible with those purposes;
- ADEQUACY: Dynalogic Network Services will process personal data in a manner that is compatible with the purposes informed to the data subject and according to the context of the processing;
- NECESSITY: The personal data processing carried out by Dynalogic Network Services will be limited to the minimum necessary to achieve its purposes, with the scope of relevant, proportional, and non-excessive data in relation to the purposes of processing;
- FREE ACCESS: Dynalogic Network Services will ensure that data subjects have easy and free access to information about the form and duration of the processing, as well as the completeness of their data;
- DATA QUALITY: Dynalogic Network Services will ensure the accuracy, clarity, relevance, and updating of data to the data subjects, as needed, and to comply with the purpose of processing;
- TRANSPARENCY: Dynalogic Network Services will provide data subjects with clear, accurate, and easily accessible information about the processing and the respective data processing agents, subject to commercial and industrial secrets;
- SECURITY: Dynalogic Network Services will use technical and administrative measures to protect personal data from unauthorized access and accidental or unlawful destruction, loss, alteration, communication, or dissemination;
- PREVENTION: Dynalogic Network Services will adopt measures to prevent harm resulting from personal data processing;
- NON-DISCRIMINATION: Dynalogic Network Services will ensure that personal data processing is not conducted for illicit or abusive discriminatory purposes;
- RESPONSIBILITY AND ACCOUNTABILITY: Dynalogic Network Services is committed to demonstrating the adoption of effective measures to prove compliance with personal data protection rules, and the effectiveness of those measures.
7 Legal Bases for Personal Data Processing
All personal data processing operations carried out in the context of activities conducted by Dynalogic Network Services will have a legal basis that legitimizes their performance, with stipulation of purpose and designation of those responsible for the processing.
Dynalogic Network Services takes as an institutional commitment the periodic evaluation of the purposes of its processing operations, considering the context in which these operations are inserted, the risks and benefits that can be generated to the data subject, and the legitimate interest of the Institution.
The processing of personal data operations by Dynalogic Network Services may be carried out:
- Upon provision of consent by the data subject;
- For compliance with a legal or regulatory obligation;
- For conducting research by research institutions;
- When necessary for the execution of a contract or preliminary procedures related to a contract of which the data subject is a party;
- For the regular exercise of rights in judicial, administrative or arbitration proceedings;
- For the protection of the life or physical integrity of the data subject or third parties;
- For the protection of health, exclusively in procedures carried out by health professionals, health services, or health authorities;
- When necessary to meet the legitimate interests of Dynalogic Network Services or third parties;
- For credit protection purposes.
Dynalogic Network Services will register its processing operations based on processing categories, each described based on its purpose(s), serving as an aid and support for its periodic evaluation of compliance with the personal data protection regulatory framework.
The records of personal data processing operations may be consulted by the data subject, as well as by competent public authorities for access and retention of data on their behalf, safeguarding the rights of the data subject.
8 Legal Bases for Sensitive Personal Data Processing
Dynalogic Network Services recognizes that the processing of sensitive personal data poses higher risks to data subjects and for this reason the Institution undertakes the commitment to safeguard and provide special care in processing sensitive personal data.
This commitment includes personal sensitive data listed in article 5, item II of the LGPD, as well as financial data that, for the purposes of this Policy and Dynalogic Network Services LGPD Compliance Program, will have the same status as sensitive personal data.
- Children and adolescent personal data will be treated with the same level of care required and provided to sensitive personal data, but will also be subject to the provisions established in Chapter II, Section III, of the LGPD, and other specific applicable regulations.
The processing of sensitive personal data by Dynalogic Network Services can only be carried out in the following cases:
- When the data subject or their legal representative gives specific and highlighted consent for specific purposes;
- Without the data subject’s consent, in cases where processing is indispensable for:
- Compliance with legal or regulatory obligations by Dynalogic Network Services;
- Conducting studies when Dynalogic Network Services acts as a Research Agency, always guaranteeing, whenever possible, the anonymization of sensitive personal data;
- Regular exercise of rights, including in contracts and in judicial, administrative and arbitral proceedings;
- Protection of the life or physical integrity of the data subject or third parties;
- Healthcare exclusively in procedures carried out by healthcare professionals, healthcare services, or health authorities; or
- Guaranteeing the prevention of fraud and security of the data subject in identification and authentication processes for electronic systems.
9 Rights of Personal Data Subjects
Dynalogic Network Services, in the context of its activities involving the processing of personal data, reinforces its commitment to respecting the rights of personal data subjects, which are:
- RIGHT TO CONFIRMATION OF THE EXISTENCE OF PROCESSING: the personal data subject may question Dynalogic Network Services if operations involving the processing of their personal data are being carried out;
- RIGHT OF ACCESS: the personal data subject may request and receive a copy of all collected and stored personal data;
- RIGHT TO RECTIFICATION: the personal data subject may request the correction of incomplete, inaccurate or outdated personal data;
- RIGHT TO ERASURE: the personal data subject may request the deletion of their personal data from databases managed by Dynalogic Network Services, except in cases where there is a legitimate reason for their maintenance, such as legal obligations for data retention or research purposes by a research agency. In the case of erasure, the Institution reserves the right to choose the deletion procedure employed, committing to use a means that guarantees security and avoids the recovery of data;
- RIGHT TO REQUEST SUSPENSION OF UNLAWFUL PROCESSING OF PERSONAL DATA: at any time, the personal data subject may request from Dynalogic Network Services the anonymization, blocking or deletion of their personal data that has been recognized by a competent authority as unnecessary, excessive, or processed in non-compliance with the LGPD;
- RIGHT TO OBJECT TO PROCESSING OF PERSONAL DATA: in cases where personal data processing is not based on obtaining consent, the personal data subject may present an objection to Dynalogic Network Services, which will be analyzed based on the criteria set forth in the LGPD;
- RIGHT TO DATA PORTABILITY: the personal data subject may request that their personal data be made available to another service or product provider, respecting the Institution’s commercial and industrial secrecy, as well as the technical limitations of its infrastructure;
- RIGHT TO WITHDRAW CONSENT: the personal data subject has the right to withdraw their consent. However, it should be noted that this will not affect the legality of any processing carried out before the withdrawal. In the case of withdrawal of consent, it may not be possible to provide certain services. If this is the case, the personal data subject will be informed.
Dynalogic Network Services reiterates its commitment to the rights of personal data subjects to transparency and adequate information, highlighting the provision of:
- Information about public and private entities with which Dynalogic Network Services has shared data;
- Information about the possibility of not providing consent and about the consequences of refusal.
10 Duties for Proper Use of Personal Data
The duties of care, attention, and proper use of personal data extend to all recipients of this Policy in the development of their work and activities at Dynalogic Network Services, committing to assist the Institution in fulfilling its obligations in the implementation of its privacy and personal data protection strategy.
- SPECIFIC DUTIES OF PERSONAL DATA HOLDERS:
It is the responsibility of personal data holders to notify Dynalogic Network Services of any modifications to their personal data in their relationship with the Institution (e.g., change of address), preferably notifying in the following order:
- Through the platform made available by the Dynalogic Network Services Unit with which the holder is related;
- By email addressed to the responsible person of the Dynalogic Network Services Unit with which the holder is related;
- By email addressed directly to Dynalogic Network Services, when designated; and
- By physical means (e.g., letter) addressed directly to Dynalogic Network Services, when designated.
- SPECIFIC DUTIES OF DYNALOGIC EMPLOYEES:
The sharing of personal data of data subjects between Dynalogic Network Services units is allowed, provided that their purpose and legal basis are respected, and the principle of necessity is observed, with the processing of personal data always being associated with the development of activities authorized by the company.
- DUTIES OF DYNALOGIC EMPLOYEES, PERSONAL DATA PROCESSORS, AND THIRD PARTIES:
- Not to disclose or grant access to the personal data held by Dynalogic Network Services to any unauthorized individuals or those not competent according to the Institution’s rules.
- Obtain the necessary authorization for data processing and have the necessary documents demonstrating the designation of their competence for carrying out lawful data processing operations, in accordance with the regulatory framework of Dynalogic Network Services to be developed.
- Comply with the rules, recommendations, information security guidelines, and incident prevention guidelines published by the Institution (e.g. Information Security Policy, Information Security Incident Response Plan, password management guidelines, among others).
- DUTIES OF ALL RECIPIENTS OF THIS POLICY:
All recipients of this Policy have a duty to contact the Dynalogic Network Services Data Protection Officer when suspecting or becoming aware of any of the following actions:
- Processing of personal data without a legal basis that justifies it;
- Processing of personal data without authorization from Dynalogic Network Services within the scope of its activities;
- Processing of personal data that is carried out in non-compliance with the Dynalogic Network Services Information Security Policy;
- Unauthorized elimination or destruction by Dynalogic Network Services of personal data from digital platforms or physical collections at all facilities of the Institution or used by it;
- Any other violation of this Policy or any of the data protection principles set forth in item 8 above.
11 Relationship with Third Parties
The LGPD establishes that responsibility for property, moral, individual, or collective damages arising from violations of personal data protection legislation is joint and several, i.e., all agents involved in the personal data processing chain may be held liable for any damages caused.
In this sense, the possibility of Dynalogic Network Services being held responsible for the actions of third parties implies the need to make the best efforts to verify, evaluate, and ensure that such third parties comply with applicable data protection laws.
- Therefore, all contracts with third parties must contain clauses related to personal data protection, establishing duties and obligations related to the topic and attesting to the commitment of third parties to applicable personal data protection laws. It should be noted that these contracts will be reviewed and submitted for approval by Dynalogic Network Services and its technical team, in accordance with the current regulatory framework.
- All third parties must sign the acceptance terms of this Policy, the Information Security Policy, and the Security Incident Response Plan, submitting the contracted activities under the relationship with Dynalogic Network Services also to these regulations.
12 Personal Data Protection Law Compliance Program
The LGPD Compliance Program aims to ensure Dynalogic Network Services’ commitment to ensuring the proper treatment of personal data for legitimate purposes that may be the subject of its activities and reinforces its commitment to good privacy and data protection practices with the following actions:
- Production and dissemination of information, regardless of the format, that describes the individual responsibilities of the recipients of this Policy in the scope of privacy and personal data protection;
- Provision of training, guidance, and counseling for Dynalogic Network Services employees and third parties, including but not limited to online courses, workshops, internal meetings, regular conversations, lectures, and other initiatives, sharing content available in digital and in-person formats.
- Incorporation of concerns and care in the treatment of personal data at all stages of its activities, including but not limited to administrative routines, research activities, service provision, academic activities, among others.
- Identification and deepening of the assessment of risks that may compromise the achievement of Dynalogic Network Services’ objectives in the area of privacy and personal data protection; defining, creating, and implementing action plans and policies to mitigate identified risks, as well as maintaining ongoing evaluation of scenarios to assess whether implemented measures do not require new guidelines and attitudes.
From the entry into force of the LGPD, the Encarregado of Dynalogic Network Services – also referred to as the Data Protection Officer (Dynalogic Network Services DPO) – assisted by their technical team, shall have the following responsibilities:
- Lead the LGPD Compliance Program at Dynalogic Network Services, ensuring its enforcement;
- Monitor compliance with applicable personal data protection legislation, in accordance with Dynalogic Network Services policies;
- Provide guidance to recipients of this Policy regarding Dynalogic Network Services’ privacy and personal data protection regime;
- Ensure that rules and guidelines relating to data protection are communicated and incorporated into Dynalogic Network Services’ routines and practices;
- Organize training on personal data protection at Dynalogic Network Services;
- Provide clarification, offer information, and present reports on personal data processing operations and their impacts to competent public authorities (e.g. Public Prosecutor’s Office, National Authority for Personal Data Protection, etc.);
- Respond to requests and complaints from data subjects whose personal data have been processed by a unit of Dynalogic Network Services;
- Assist in audits or any other evaluation and monitoring measures involving data protection;
- Prepare privacy impact assessments, technical opinions, and review documents regarding data protection.
13 Information Security
The information security standards and prevention against personal data incidents are contained in the Information Security Policy of Dynalogic Network Services and in internal regulations and documents related to the topic.
Dynalogic Network Services reinforces its commitment, embodied in its Information Security Policy, to employ adequate technical and organizational measures in the handling of personal data and to make efforts to protect the personal data of data subjects against unauthorized access, loss, destruction, unauthorized sharing, among other possibilities.
14 International Transfer of Personal Data
In cases where Dynalogic Network Services is authorized to process personal data without the consent of the data subject, Dynalogic Network Services may transfer personal data to other countries provided that, alternatively:
- The country is classified as having an adequate level of data protection assigned by ANPD or the transfer is authorized by ANPD;
- While there is no list of adequate countries published by ANPD, the country is classified by the European Commission, through an Adequacy Decision, as a country with an adequate level of GDPR criteria;
- The international data processing agent offers Dynalogic Network Services at least one of the following safeguards:
- Codes of Conduct regularly issued or binding corporate rules approved by the European Commission;
- Standard Contractual Clauses issued by ANPD or the European Commission;
- Seals and Certificates of compliance or adequacy for personal data protection granted by entities recognized by ANPD or the European Commission.
- Obtain explicit and highlighted consent from data subjects for international transfer operations of personal data, with prior information on the international nature of the operation and highlighting that the country does not have recognized adequate data protection level or there are no safeguards of the processing agent’s compliance, as appropriate.
In cases where Dynalogic Network Services is authorized to process personal data based on consent, Dynalogic Network Services may transfer personal data to other countries provided it obtains explicit and highlighted consent from data subjects for international transfer operations of personal data, with prior information on the international nature of the operation.
- If the country does not have a recognized adequate level of data protection or there are no safeguards of the processing agent’s compliance, such information should be provided to the data subject in advance so that they consent to the risks of the operation.
Dynalogic Network Services is committed to informing data subjects on its digital platforms (e.g. websites, applications, etc.) about the occurrence of international transfer operations of personal data, specifying the set of data sent, the purpose of the transfer, and its destination. Information on international data transfers will be made available on the Dynalogic Network Services Personal Data Protection Portal after the entry into force of LGPD.
15 Monitoring
Dynalogic Network Services reaffirms its commitment to ensure proper processing of personal data for legitimate purposes that may be subject to its activities and reinforces its commitment to good privacy and data protection practices, committing to keep its LGPD Compliance Program up to date with the standards and recommendations issued by ANPD or other competent authorities.
Dynalogic Network Services commits to periodically review this Policy and, at its discretion, make modifications that update its provisions to reinforce the company’s ongoing commitment to privacy and personal data protection, with all changes communicated in a timely manner through official channels of the company.
16 How to talk about personal data with Dynalogic Network Services?
If you believe that your personal data has been used in a manner incompatible with this Privacy Policy or with your choices as the data subject, or if you have any questions, comments, or suggestions related to this Policy, please contact us. We have a Data Protection Officer (DPO) who is available at the following contact addresses:
Data Protection Officer (DPO):
Ronaldo Gama Silva
Contact email:
privacidade@dynalogic.net