1. Scope
Establishing the guidelines for the processing of personal data carried out by Almaviva Experience as a Data Controller agent. Almaviva Experience, in its role as a Data Processor, reiterates to the interested parties concerned by the processing of personal data (“Data Subjects”) that the data relating to the identified or identifiable natural person (“personal data”) processed in connection with its business partnerships will be processed in accordance with the legislation in force on the protection of personal data. and according to the due guidelines of its client (“Controller”), who will have more information about said processing in its privacy policy.
2. Application field
This policy applies to all employees, third parties, suppliers who use the processing environment or access information belonging to Almaviva Experience.
3. References
• Federal Law No. 13,709/2018 – LGPD (General Law for the Protection of Personal Data)
• Federal Law No. 12,965 – Civil Rights Framework for the Internet
• NBR ISO/IEC 27001:2022 – Information security, cybersecurity and privacy protection – Information security management systems – Requirements
• NBR ISO/IEC 27002:2022 – Information Security, Cybersecurity and Privacy Protection – Information Security Controls
• NBR ISO/IEC 27701:2019 – Security techniques – Extension of ABNT NBR ISO/IEC 27002 for information privacy management – Requirements and guidelines
• PSI-002 – Public Information Security Policy.
4. Definitions
• Controller:natural or legal person, under public or private law, who is responsible for decisions regarding the processing of personal data
• Personal data: information related to the identified or identifiable individual, such as: name, RG number, CPF, date of birth, photo, telephone number, geolocation, among others
• Sensitive personal data: category of personal data on racial or ethnic origin, religious belief, political opinion, membership in a union or organization of a religious, philosophical or political nature, data related to health or sex life, genetic or biometric data, when linked to a natural person
• Person in charge (DPO): person appointed by the Controller/Processor to act as a communication channel between the Controller, the data subjects and the National Data Protection Authority (ANPD)
• Personal Data Security Incident: any confirmed adverse event related to a personal data security incident, such as unauthorized, accidental, or unlawful access that results in the destruction, loss, alteration, leakage, or any form of inappropriate or unlawful data processing, which may cause a risk to the rights and freedoms of the data subjects
• Operator: natural or legal person, under public or private law, who processes data in accordance with the Controller’s instructions
• Data subject: natural person to whom the personal data that is the object of the processing refers
• Processing: any operation carried out with personal data, such as those referring to the collection, production, reception, handling, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction
• Technical measures: those related to technologies and controls that can be implemented in relation to information security and improvements for an assertive and efficient execution of the principles of the General Data Protection Law
• Organizational measures: measures related to policies, procedures, guides, manuals, awareness activities (such as training and communications) and documents, in general, that guide the user regarding the Privacy and Personal Data Protection guidelines.
5. Responsibilities
The Executive Board is responsible to:
• promote and approve the activities of the Information Security and Privacy Management System.
It is the responsibility of the Information Security and Privacy Committee to:
• conduct a periodic assessment on Data Protection and Privacy
• ensure the availability of the necessary resources for effective privacy management and protection of personal data
• disseminate the culture of Information Security and Privacy
• align the strategic objectives of Information Security and Privacy with the business objectives of Almaviva Experience
• support and approve continuous improvement activities of the Information Security and Privacy Management System
• deliberate on the application of sanctions when non-compliance with this policy and other policies established by the Information Security and Privacy area is observed.
It is the responsibility of the Personal Data Officer (DPO) to:
• promote and approve the activities of the Privacy Program
• cherish and safeguard the interests of all data subjects to whom Almaviva Experience relates
• receive communications and updates from the ANPD to pass them on internally, as well as maintain the relationship between the Parties.
It is the responsibility of the Information Security and Privacy area to:
• establish information security and privacy guidelines
• raise awareness among relevant stakeholders about information security and privacy
• identify and report risks related to Information Security and Privacy
• establish controls to mitigate risks
• maintain and continuously improve the information security management system.
It is up to Employees, Third Parties, Suppliers and other relevant stakeholders to:
• comply with the guidelines of this policy and other policies established by the Information Security and Privacy area
• ensure the security of companies’ information, informing any perceived abnormalities to the Information Security and Privacy area.
6. Guidelines
6.1 General information
Almaviva Experience Telemarketing e Informática S.A., a private legal entity, headquartered at Rua Bela Cintra, nº 1149, sobreloja, Consolação, São Paulo, CEP 01415-000, CNPJ/MF nº 08.174.089/0001-14, is one of the largest Contact Center companies and one of the main CRM BPO companies in the country, with mastery in collection services through CRC – Credit Recovery Center and innovation through Almawave, both companies belonging to the conglomerate.
The Company values the privacy and freedom of rights of all data subjects involved in its ecosystem, ensuring that the processing of their personal data is in accordance with the provisions of Federal Law No. 12,965 of April 23, 2014 (Civil Rights Framework for the Internet), with Federal Law No. 13,709, of August 14, 2018 (General Law for the Protection of Personal Data – LGPD), and other legislation applicable to the subject of privacy and data protection. In addition, Almaviva Experience adopts the best market practices for the application of technical and organizational measures, including specialized personnel, exclusively for the purpose of complying with its legal and contractual obligations.
This Privacy Policy provides guidelines for the processing of personal data carried out by Almaviva Experience as a Data Controller agent. Almaviva Experience, in its role as a Data Processor, reiterates to the interested parties concerned by the processing of personal data (“Data Subjects”) that the data relating to the identified or identifiable natural person (“personal data”) processed in connection with its business partnerships will be processed in accordance with the legislation in force on the protection of personal data. and according to the due guidelines of its client (“Controller”), who will have more information about said treatment in its privacy policy.
In addition, the guidelines for the processing of personal data of employees and dependents are disclosed through a specific internal notice.
If you have any questions about this Policy, Almaviva Experience’s Personal Data Processing Officer (“DPO”) can be contacted by email: dpobr@almavivaexperience.com.br.
6.2 Personal Data Involved
Almaviva Experience only collects the information provided by the Data Subjects. This information includes:
• contact data: name, email, telephone and address
• professional data: company, market segment, position, academic and professional history
• other data necessary for the fulfilment of contractual obligations.
Almaviva Experience processes the personal data received for a period not exceeding that necessary to fulfill the purposes set out in this Policy.
6.3 Cookies
Cookies are files used on websites to identify and store information about their visitors. Thus, while browsing a website, the user may have certain personal data collected through such cookies.
Almaviva Experience website makes use of the cookies described below, which can be consulted at any time by users in the cookie management center, through the icon available at the bottom of this page.
List of Cookies used on our website
A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device, to remember information about you, such as your language preference or login information. These cookies are set by us and are called first-party cookies. We also use third-party cookies – which are cookies from a domain other than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:
a) Strictly necessary cookies
These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set up in response to actions you take that correspond to a request for services, such as setting your privacy preferences, logging in, or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the website will not work. These cookies do not store any personally identifiable information.
b) Performance Cookies
These cookies allow us to count visits and traffic sources, so that we can measure and improve the performance of our website. They help us to know which pages are the most and least popular and to see how visitors move around the website. All information collected by these cookies is aggregated and therefore anonymous. If you do not allow these cookies, we will not know when you have visited our website.
c) Advertising cookies
These cookies may be set through our website by our advertising partners. They may be used by these companies to build a profile about your interests and show you relevant advertisements on other websites. They do not directly store personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will have less targeted advertising.
The Cookie settings can be consulted through the icon available in the lower left corner of the page.
6.4 Purpose of processing personal data
The personal data processed by AlmavivA Experience may be used to:
6.4.1. Compliance with legal obligations or execution of contractual clauses
Almaviva Experience, as an Operator agent, processes personal data for the purpose of executing contracts on behalf of large companies, from various fields of activity such as health, finance, telecommunications, retail, among others, which they configure as customers. The Company also, due to the Brazilian legal system, processes personal data in order to comply with legal obligations, for the period stipulated by the laws in question in the civil, labor, tax, and corporate spheres, among others.
6.4.2 Communication with holders
Almaviva Experience maintains a contact list (containing the email addresses and other contact information provided by the Data Subjects by email or by filling out the specific form present on the portal) to allow communication with those who have expressed interest in its services (hereinafter referred to as “services”). Almaviva Experience may also contact the Data Subjects to respond to their requests and satisfy any other need expressed by them.
6.4.3 Commercial purposes
Almaviva Experience may also contact Data Subjects, who have previously shown interest, to send commercial communications related to its services, including by means of distance communication techniques, such as e-mail messages and text messages.
In addition, we may collect your information to fulfill each of our activities and obligations. Thus, we use your data to manage business relationships; prevent and detect fraud; ensure market intelligence mechanisms and enable effective and adequate customer service.
In this sense, part of the data processing activities is carried out to comply with our legitimate interest in providing an effective and secure service, always within the limit of your expectation, and never to the detriment of your interests, fundamental rights and freedoms.
Moreover, Almaviva Experience may also use personal data to comply with our services, respecting the purposes explained to the Data Subjects and any authorizations previously granted by such Data Subjects, when there is a legal requirement to collect it.
6.4.4 Recruiting and selection
Almaviva Experience, through its digital channels, receives the registration of candidates for job vacancies in the Company, which are stored in approved tools and for a predetermined period sufficient for the execution of the purpose of the data collection in question.
6.5 Rights of holders
Data subjects may exercise at any time their right of access, rectification, integration, opposition, deletion, limitation and portability of their personal data by filling out the form on the page Data Subject Rights.
6.6 Responsibilities
Almaviva Experience strives to ensure organizational and technological controls as a way to protect the personal data it processes, as well as to mitigate information security and privacy risks and threats that may impact its business. Such responsibility expands to partners, subcontracts and third parties through compliance with regulations, legislation and contractual terms agreed between the parties involved.
However, there are no absolute guarantees regarding the protection of this information from threats such as malware, hackers, and other digital threats.
Almaviva Experience reserves the right to modify the contents of the websites and this legal information at any time and without prior notice.
6.7 Access to linked external websites
Almaviva Experience assumes no responsibility with regard to third-party websites and their respective contents and operation, regardless of whether they can be accessed through the links indicated on this website. Anyone who visits a website through a link indicated on the Almaviva Experience website is responsible for adopting all necessary measures against viruses or other destructive elements, and Almaviva Experience is not responsible for the risks arising from this access. Linking to other websites does not imply a link between Almaviva Experience and any of these websites.
6.8 Intellectual property
All contents (texts, graphics, files, tables, images and information of any kind), as well as the products and brands mentioned on this website, are protected under current intellectual and industrial property regulations.
The reproduction, in any medium, of the published materials may only be made if expressly permitted and for exclusively personal, non-profit and non-direct or indirect commercial use.
6.9 Data sharing
Almaviva Experience may share the personal data received with other companies that are partners in the Direct Marketing process. The other treatments resort to internal teams, to return the requests made on the Portal or for its management.
Anything received through the e-mail addresses indicated on the portal or sent through the portal (e.g. requests, suggestions, ideas, information, documents), will not be considered confidential information. It is your responsibility to ensure that the information you submit does not violate the rights of third parties and that it is correct and truthful information. In any case, Almaviva Experience cannot be held responsible for the content of the messages it receives on its channels.
6.10 International data storage and transfer
The personal data held by Almaviva Experience is retained in the national territory, and no cross-border transfer is carried out.
Note: in exceptional cases, the risk and the authorization of the board of directors must be assessed.
6.11 Storage period
We will retain your Personal Data for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of providing the services and complying with any legal, contractual, accountability, or requisite obligations from competent authorities.
To determine the appropriate retention period for Personal Data, we consider the nature of the data, the purpose for which we process it, and the potential risk of its storage.
It should be noted that, if there is a request from the Data Subject, the Party Interested in deleting their personal data must make a formal deletion request, through the communication channels identified in this policy, according to the topic on Data Subjects’ Rights above.
6.12 Policy update
This Privacy Policy may be updated as a result of any regulatory updates, changes in the processing of personal data or as a result of the continuous improvement of our management systems carried out by Almaviva Experience, which is why we invite you to periodically consult this section.
6.13 Continuous improvement
The continuous improvement of the Information Security and Privacy Management System is a commitment of everyone at Almaviva Experience and stakeholders.
6.14 Legislation and Court
This Privacy Policy is governed in accordance with Brazilian law. Any disputes or controversies arising from any acts performed in connection with the use of the Website, including in relation to non-compliance with this Privacy Policy or the violation of Almaviva Experience’s rights, including intellectual property, confidentiality and personality rights, will be processed in the District of the Capital of the State of São Paulo.
7. Final dispositions
Any need for action in disagreement with the rules established in the Information Security Policy, the Privacy Policy and its complementary policies must be directed to Information Security for risk analysis, its registration, and submission for consideration by the competent authority and/or Information Security and Privacy Committee.
Employees who make improper or unauthorized use of company resources, violate security controls, or in any way act in disagreement with the terms of this policy, are subject to the application of disciplinary measures provided for by law, and may be held criminal, civil and/or administrative liability, in accordance with the legislation in force.
8. Annex
Not applicable.
Policy reviewed on 16/09/2024