COMMUNICATION CHANNEL FOR ATTENDING ANPD DATA SUBJECTS.

If you have any questions regarding the use of your personal data by Glovis, or if you wish to exercise your rights, you may contact us through the following channel: lgpd@glovis.com.br

Responsible DPO (Data Protection Officer): Luiz Fernando Maluli Delgado.

To make it easier for you, we have prepared a summary below containing your rights under the General Law of Data Protection (LGPD). You are entitled to:

• Confirmation of the existence of data processing of your data;
• Access to your data;
• Correction of incomplete data;
• Anonymization, blocking or deletion of unnecessary or excessive data;
• Deletion of data processed based on consent;
• Information of the public and private entities with whom the company has shared your data;
• Information about the possibility of not providing consent and its consequences;
• Revocation of consent.

Questions?

What is LGPD?

LGPD is a Brazilian law created to guarantee the subject a greater control over the processing of their personal data, establishing principles and rules that can be followed by individuals and legal entities, both public and private, to guarantee rights related to the protection of personal data.

Who monitors compliance with the law?

The supervision is the responsibility of the National Data Protection Authority (ANPD) from Brazil, a government agency subordinated to the Presidency of the Republic, responsible for monitoring compliance with the law, developing guidelines and applying sanctions in cases of irregularity. Other agencies may be related to the enforcement of the law when appropriate, such as the Public Prosecutor's Office, to deal with the issue of unclear rights of citizens and others.

Who is the “subject”?

Under the law, it is the natural person to whom the personal data that is the object of collection and processing relates.

Who is the Operator?

It is the natural or legal person, of public or private right, who performs the processing of personal data on behalf of the controller. Any party contracted by us, who performs data processing on their behalf, acts as a data controller.

What is "personal data"?

This is any information related to an identified or identifiable natural person (name, ID, natural person identification number [CPF], gender, date and place of birth, telephone number, home address, GPS location, photograph portrait, health record, bank card, income, payment history, consumption habits, leisure preferences, Internet Protocol [IP] address, cookies, and others).

What are "sensitive personal data”?

Under the law is any personal data about racial or ethnic origin, children and adolescents, religious conviction, political opinion, membership in a union or religious, philosophical or political organization, data concerning health or sex life, genetic or biometric data, when linked to a natural person.

What comprises the processing of this data?

Data processing is the operations performed with personal data such as storage, collection, processing, and so on.

In which cases of personal data processing does the law apply?

The LGPD applies to personal data processing operations that have been collected in the Brazilian territory or that aim to offer goods or services to people located there, regardless of whether these personal data have been collected offline or online, in physical or digital media.

Will LGPD apply to any personal data processing?

Not when the personal data processing is done by a natural person for private purposes; not for journalistic, artistic, and academic purposes only; and not when done by Public Authorities – in the case of public security, national defense, State security, and activities of investigation and repression of criminal offenses.

Can sensitive personal data be processed?

Yes, with the consent given according to the law; or when indispensable for: the fulfillment of a legal or regulatory obligation by the controller; by the public administration of public policies provided by laws or regulations; studies by a research body; the regular exercise of rights, including in contracts and judicial, administrative and arbitration proceedings; the protection of life; the protection of health; the guarantee of fraud prevention, and the security of the subject.

What are the LGPD principles?

The treatment of personal data at the Glovis shall be governed by the following principles:

1. Purpose: To process personal data only for specified, explicit and legitimate purposes, which are disclosed prior to processing, and may not be further processed for incompatible purposes.
2. Adequacy: To process personal data in a manner that is adequate and relevant to the purposes for which they are used.
3. Necessity: To process only those sets of personal data that are necessary and proportionate to the business goals and to seek alternative (subsidiary) ways to achieve the same goals by means that are less invasive to the privacy of the data subject.
4. Free access: To enable data subjects to easily consult without any charge the way their personal data are being processed and for how long.
5. Data quality: To maintain the accuracy, clarity and relevance of personal data, keeping it updated, according to the needs and to fulfill the purpose of its processing.
6. Transparency: To provide clear, precise and easily accessible information to data subjects regarding the processing of their personal data (collection, purpose, storage, sharing and disposal of their personal data), subject to commercial and industrial secrecy.
7. Security: To protect personal data against unauthorized or unlawful treatment, loss, destruction or accidental damage, with the adoption of technical and organizational measures to safeguard the integrity, confidentiality and availability of personal data and meet the existing security guidelines in the Information Security Policy of the Glovis during the entire life cycle of the personal data.
8. Prevention: To take measures to prevent damage from occurring as a result of personal data processing.
9. Non-discrimination: To not process personal data for unlawful or abusive discriminatory purposes.
10. Accountability and legal reporting: To demonstrate the adoption of effective measures capable of proving compliance with personal data protection regulations and the effectiveness of those measures.

Which rights can be exercised by data subjects?

The rights of the data subject must be observed regarding the personal data being processed, such as confirmation of the existence of the processing operation, access to personal data, correction, revocation of consent, portability, anonymization, blocking and deletion of personal data.

1. Correction and updating: When a data subject requests the correction or updating of their personal data, before proceeding with the request, the authenticity of the data subject must be confirmed, so the Information Technology Area and the Business Area must ensure that physical and digital media on which the personal data have been collected and stored are also updated.
2. Responses to requests from the subjects: Responses to requests from the personal data subjects shall be made by caregivers defined by the Glovis, and shall be governed by the Subjects Requests Response Procedure.
3. Health Data: The treatment of health data by Operators hired by the Glovis shall, obligatorily, allow the subject the right to portability of their data, when requested or the financial and administrative transactions resulting from the use and provision of services.
4. Consent: Where processing based on consent is necessary, this consent must be obtained through a free and informed manifestation of the data subject, following the purposes determined for the data processing.
5. Revocation of Consent: The data subject may revoke the consent in a free and easy way through the service channels of the Glovis, and all the data processing performed before the revocation shall remain valid. The personal data subject shall be informed of the consequences of the revocation of consent, in a simple, clear and easy way.
6. Free access: To enable data subjects to easily consult without any charge the way their personal data are being processed and for how long.

In what situations does the law allow the processing of personal data?

Sensitive personal data may be processed only in the event of:

1. Consent by the subject or their legal guardian, specifically and distinctly, for specific purposes;
2. Compliance with a legal or regulatory obligation;
3. Shared processing of data necessary for the execution, by the public administration, of public policies provided for in law or regulations;
4. Conduction of studies by research organizations, guaranteeing, whenever possible, the anonymization of sensitive personal data;
5. Regular exercise of rights, including in contract and judicial, administrative and arbitration proceedings;
6. Protection of life or physical safety of the data subject or third parties;
7. Guarantee of fraud prevention and security of the subject, in identification and authentication processes of registries in electronic systems.

What is "consent"?

It is the free, informed and unequivocal manifestation, by which the data subject agrees to the processing of their personal data for a specific purpose. Consent is one of the legal possibilities for data processing and is not mandatory or prevailing over the other authorizing provisions for data processing.

How is the consent of Children and Adolescents given?

The LGPD establishes, in article 14, that the processing of personal data from children and adolescents must be carried out in their best interest. Processing data from children (up to 12 years old), shall be carried out with specific and clear consent given by at least one of the parents or legal guardians. For this reason, Glovis advises the data subjects who have registered the data of their minor dependents to update, in the restricted area, the information to give their express consent for the processing of children's data, through a clear and objective manifestation, in order to comply with the law. The data of children and adolescents may be collected without consent when it is necessary for their protection or to contact their parents or legal guardians, being used only once and without storage. Without consent, under no circumstances may they be passed on to third parties.

In cases of irregularities in data processing, what are the liabilities?

Liabilities are administrative or civil, under the terms provided in the Brazilian Law 13.709/2018.

What is a DPO or Officer in Charge?

This is the person indicated by the controller and operator to act as a communication channel between the controller, the data subjects and the ANPD, who is also entrusted with other tasks of legal nature or ones that the Controller may determine.

In case of an incident, should the subject be informed?

In the event of a security incident that may cause harm to the data subject, the LGPD provides that the Controller shall notify the data subject and the ANPD of its occurrence.

What is the ANPD?

The National Data Protection Authority is a Brazilian federal public administration agency with technical and decision-making autonomy, under the Presidency of the Republic, responsible for overseeing, ensuring and guiding compliance with Law 13,709/2018.

For further clarification on how Glovis handles this issue, please check the PRIVACY POLICY