VCI SA has, as one of its main values, respect for the privacy of its service users,
employees, partners, its users in general (“You”) and their personal data. This “Privacy
Policy and Protection of Personal Data” (hereinafter the “Policy”) to explain to You how
we treat your personal data.
When using our services, we may process personal data owned by you, which is why
this Policy seeks to clarify our practices regarding the collection, use, disclosure and
processing in general of personal data of our service providers, users and other
natural persons who can establish some relationship with VCI SA
Doubts can be clarified with our Data Protection Officer ( Data Protection Officer -
DPO), through the service channel: dpo@vcisa.com.
1. General terms and concepts
1.1 For the purposes of this policy and as provided for in Law No. 13.709/2018, it is considered:
i. personal data: information related to an identified or identifiable natural person,
so that any information that enables the identification of a natural person is
considered personal data;
ii. sensitive personal data: personal data on racial or ethnic origin, religious conviction,
political opinion, affiliation to a union or organization of a religious, philosophical or
political nature, data relating to health or sexual life, genetic or biometric data, when
linked to a natural person;
iii. anonymized data: data related to the holder that cannot be identified, considering
the use of reasonable technical means available at the time of its treatment;
iv. database: structured set of personal data, established in one or several places,
in electronic or physical support;
v. holder of personal data: natural person to whom the personal data to be
processed refer;
saw.
vii.
treatment agents: the controller and the operator;
controller: natural or legal person, under public or private law, who are
responsible for decisions regarding the processing of personal data, such as VCI
SA;
viii. operator: natural or legal person, under public or private law, who processes
personal data on behalf of the controller;
ix. foreman or DPO ( Data Protection Officer): person appointed by the controller and
operator to act as a communication channel between the controller, the data subjects
and the National Data Protection Authority (ANPD);
x. treatment: any operation performed with personal data, such as those relating to the
collection, production, reception, classification, use, access, reproduction,
transmission, distribution, processing, archiving, storage, elimination, evaluation or
control of information, modification, communication , transfer, diffusion or extraction;
Translated from Portuguese to English - www.onlinedoctranslator.com
xi. anonymization: use of reasonable technical means available at the time of
processing, whereby data loses the possibility of association, directly or indirectly,
with an individual, making its identification impossible;
xii. consent: free, informed and unambiguous expression by which the holder agrees
with the processing of his/her personal data for a specific purpose;
xiii. blocking: temporary suspension of any processing operation, by keeping
personal data or the database;
xiv. deletion: deletion of data or set of data stored in a database, regardless of the
procedure used;
xv. shared use of data: communication, dissemination, international transfer,
interconnection of personal data or shared treatment of personal data banks by
public bodies and entities in compliance with their legal powers, or between these
and private entities, reciprocally, with specific authorization, to one or more
modalities of treatment allowed by these public entities, or between private
entities;
2. Rights of the holder of personal data
2.1. The holder of personal data, regardless of their position in relation to VCI SA, has
the right to:
i.
ii.
iii.
iv.
Confirm the existence of the processing of personal data;
Access personal data;
Correct incomplete, inaccurate or outdated personal data;
Request the anonymization, blocking, deletion or deletion of unnecessary or excessive
data;
Request the portability of your data to another supplier or product, as long as you
follow the parameters indicated by ANPD (National Data Protection Authority;
Request the deletion of data processed with your consent;
Request information about the public or private entities with which your data
has been shared;
Request information about the consequences of not providing your
consent; Revoke consent.
Request a copy of: the categories and specific personal data that are collected; the
categories of personal data collected; the purpose of the collection of personal
data; the categories and specific third parties with respect to which personal data
is shared;
Oppose the processing of personal data;
Request the review of automated decisions, in case, eventually, a decision of
this nature is taken.
v.
saw.
vii.
viii.
ix.
x.
xi.
xii.
2.2. Whenever possible, personal data will be deleted after processing or will be
anonymized, using techniques available at the time.
2.3. It is possible to maintain certain personal data in the VCI SA database, if such
action proves necessary: (i) to comply with the applicable legislation; or (ii) to
enable the exercise of VCI SA's rights in judicial, administrative or arbitration
proceedings.
2.4. The request for deletion or deletion of personal data does not guarantee the
complete or comprehensive removal of the content or information relating to
personal data, in cases where the maintenance of data in our database is necessary
for the strict fulfillment of legal duty.
3. Hypotheses for the processing of collected personal data: reasons that justify the
processing of personal data
3.1. Personal data will not be used without adequate justification, provided for by law, for
such purpose. Therefore, the processing of your personal data will only be carried out
in the following cases, alternatively:
i.
ii.
If consent to the processing of personal data has been obtained;
If the treatment is necessary to perform the contractual obligations assumed with you
or to adopt pre-contractual measures, at your request;
iii.
iv.
If legal or regulatory obligations demand the processing of personal data;
If the processing of personal data is necessary for the purpose of meeting the
legitimate interests of VCI SA and provided that, in this case, it does not unduly affect
the fundamental rights and freedoms of the holder of the personal data. Examples of
situations that constitute the “legitimate interest” of VCI SA are data processing
activities carried out for: (a) commercial operations through the sale of goods and
services; (b) responding to requests; (c) development of VCI SA's core business, among
others.
v. For the purpose of managing adverse events, carrying out prevention and/or
investigation activities, complying with administrative formalities, records,
declarations or audits;
saw. To enable access to applications and virtual platforms, manage online
accounts, control entry and exit, among other electronic control platforms;
vii.
viii.
ix.
x.
Preparation of research and clinical studies, through records and
trials; Recruitment of new employees;
Conducting market research for non-commercial purposes;
Identify access credentials, including passwords, password hints, security
information and questions, identification (ID) registered with the state entity,
health professional number, driver's license or passport data, among others.
xi.
xii.
xiii.
xiv.
To enable payments by verifying financial data; Send news and
information about products and services;
For the purpose of complying with judicial, administrative or arbitration
subpoenas; To ensure the health and safety of VCI SA's employees and facilities;
xv. In cases where authorized by the holder of the personal data upon obtaining
consent;
xvi. For the purpose of enabling the sale of the business or its assets, in order to allow the total
or partial acquisition by third parties;
xvi. Carry out the identification and registration of the holders of personal data in the
databases of VCI SA, being possible to receive personal data from the user's profile,
such as navigation, registration or contact data;
xviii. In order to provide sufficient information to the competent sector for the purpose
of issuing an invoice;
xix. Respond to any queries made by the holder of personal data, including orders,
purchases and returns, if applicable;
xx. Perform analyses, quality control, market research and determine the
effectiveness of activities developed by VCI SA;
xxi. Respond to requests from public and government authorities, national or
foreign;
xxii. In cases where VCI SA receives personal data from third parties, the institution
will assume that prior authorization has been obtained from the holder of the
personal data, by this third party, or that there is a legal basis for such sharing;
3.2. If the Owner of the personal data has doubts as to the regularity of the treatment of
their personal data, they may contact the VCI SA DPO directly through the email
address provided at the beginning of this Policy.
3.3. Personal data of children under 12 years of age will not be processed without the prior, specific
and prominent consent of their parents or legal guardians.
4. Types of personal data that are processed by VCI SA
4.1. In accordance with the governing legislation and in order to enable the achievement of the
activities described in its corporate purpose and in its legitimate interest, VCI SA processes the
following categories of personal data.
i. Financial or payment information: bank account, credit and/or debit card
details;
ii. Registration information: full name, marital status, date of birth, gender,
identity documents, username for login and password, RG and CPF;
iii.
iv.
Sensitive information: data relating to health and ethnicity;
Behavioral information: access logs, click data and other data collected
including through technologies;
v. Browsing data: server log information, IP address ( internet protocol) device,
date and time access, operating system, browser type;
saw. Cookie data: cookies, pixel tags and other similar technologies;
vii.
5. Methods of collecting personal data
The data processed by VCI SA can be collected in the following ways:
Contact details: registered address, email, telephone;
(i)
(ii)
Direct supply by the holder of personal data;
Receipt of personal data by third parties by sharing data from partners or
service providers;
It collects in an automated way upon access to our website, including:
characteristics of the device used for access, browser used for access, IP
origin (with date and time), information about your interaction on our
page, information that will be collected through of cookies.
(iii)
6. Identification of individuals or entities that have access to personal data and data
sharing with third parties
6.1. VCI SA guarantees that everyone who has access to the personal data under its care
undertakes to maintain absolute secrecy regarding the same;
6.2. VCI SA informs that it may share personal data with partner companies and
suppliers, in the development and provision of services or offering targeted
products, provided that it is in line with VCI SA's values;
6.3. VCI SA further emphasizes that it may share personal data under its custody with
authorities, government entities, national or foreign, or other third parties, for
the protection of its interests, in cases where there is any type of conflict, whether
of judicial or administrative nature;
6.4. It is also possible to share personal data with third parties when such action proves
necessary to comply with legal or regulatory obligations;
6.5. In the case of corporate transactions involving VCI SA, it will be possible to share
personal data with third parties, taking the necessary measures to ensure that privacy
rights continue to be protected, in accordance with this Policy;
6.6. Personal data held by VCI SA will be shared with third parties in the event that such
action proves necessary to comply with a court order or at the request of
administrative authorities that have legal competence for such request;
6.7. It is legitimate to share personal data with other companies that may be part of the
VCI SA group;
6.8. Personal data held by VCI SA may be shared with health professionals and
organizations, distributors and other members of the field, whenever the legal basis
refers to the protection of health, exclusively, in a procedure carried out by health
professionals, health services or health authority;
6.9. Personal data may be shared with marketing partners, for purposes of carrying out
marketing actions, provided that there is a legal basis for this and there is no
economic exploitation of such data;
6.10. We will not sell, share or, in any other way costly or with economic content,
transfer personal data with third parties;
6.11. In the exercise of our activity and for the same purposes provided for in this Policy,
personal data will be accessed by:
6.11.1. our employees (including employees or departments) in the exercise of their
functions;
6.11.2. our suppliers and service providers who provide us with products and
services;
6.11.3. our information technology systems providers, cloud service providers
(“cloud”), database providers and consultants;
6.11.4. our business partners;
6.11.5. Any third parties to whom we have transferred our rights and obligations;
6.11.6. our consultants and outside counsel in the context of the sale or transfer of
any part of our business or assets.
6.12. The aforementioned agents are contractually obliged to protect the confidentiality and
security of personal data and to comply with the provisions of the LGPD.
6.13. Personal data may be processed, accessed or stored in a country other than the
headquarters of VCI SA, provided that such country offers the same level of personal data
protection provided for in Brazilian law
6.13.1. In such case, we ensure that, when sharing personal data with third-party
companies located in other jurisdictions: (i) we will guarantee the application
of the level of protection required by the personal data protection/privacy
legislation applicable to VCI SA; and (ii) ensure that we act in accordance with
our policies and standards.
7. Duration of processing of personal data: how long will your data be processed?
7.1. All agents mentioned have a contractual obligation to protect the security and
confidentiality of personal data, and must fully comply with all provisions of the
LGPD.
7.2. Personal data will be retained by VCI SA for as long as is necessary to achieve the
purposes and objectives described in this Privacy and Data Protection Policy or
when there is specific consent to do so, except in the event that applicable law
requires or permits longer retention period.
7.3. VCI SA will eliminate all personal data processed in the event that it becomes
unnecessary for the purposes that justified its collection.
7.4. The processed personal data will also be deleted upon the express request of the
holder of said personal data, except in situations whose maintenance is authorized by
law, including with regard to the need to comply with a legal obligation, regulatory
obligation or, even when there is a need to exclusive use by VCI
SA, which includes its use to exercise VCI SA's rights in judicial or administrative
proceedings.
7.5. Personal data will be deleted upon express request, provided that such request is
accepted, considering the following hypotheses: (i) data collected with consent; (ii)
data considered excessive or unnecessary; (iii) when VCI SA fails to comply with
the rules provided for in the LGPD.
7.6. Personal data will not be deleted when the maintenance of their treatment proves
necessary to: (i) comply with a legal or regulatory obligation; (ii) transfer to a third
party (in compliance with the requirements for data processing in this case); and
(iii) exclusive use of VCI SA (including for exercising its ownership rights in legal or
administrative proceedings).
8. Measures taken to protect personal data
8.1. VCI SA adopts technical and administrative doctors capable of guaranteeing the protection
of personal data, observing the necessary levels of security and confidentiality.
8.2. The protection of collected personal data is carried out in line with the best security
practices used by the market, including with regard to the prohibition of
unauthorized access.
8.3. In addition to the security measures already adopted, we follow standards of conduct that
must be observed by our employees to ensure greater effectiveness in protecting
personal data, namely:
8.3.1. Use of the best physical, technical and administrative measures to reduce the
risk of loss, misuse, unauthorized access, disclosure or modification of your
Personal Data.
8.3.2. use of encryption
8.3.3. restriction of access only to authorized persons
8.3.4. identified access control
8.3.5. personal and non-transferable passwords
8.3.6. periodic update of passwords
8.3.7. hosting and storing information in secure environments
8.3.8. Restricted access to the place where personal data is stored.
8.3.9. Secrecy guarantee for everyone who has access to personal data
8.3.10. Prohibition to provide the registration password to third parties;
8.3.11. Immediate change of access credentials in case of use or suspicion of unauthorized
use;
8.3.12. Use of the “https:” model, showing that the connection to the website is secure;
8.4. All measures aim to preserve the integrity of personal data against: (i) unauthorized
access; (ii) accidental or unlawful situations of destruction, loss, alteration,
communication or dissemination; or (iii) any other form of unlawful treatment.
8.5. VCI SA highlights that, even if the best efforts and latest technologies are adopted
to preserve privacy and personal data, no information transmission is
invulnerable and therefore susceptible to the occurrence of technical failures,
cyber attacks by virus medium, among others. Despite this, the
VCI SA values transparency and will immediately inform holders of personal data
if any event of this nature occurs.
9.
9.1.
Cookies policy
VCI SA emphasizes that it is available on its website the indication of the cookies
that are obtained and stored by VCI SA
9.2. The full cookies policy must be consulted directly in the aforementioned electronic
information repository.
10. The possibility of changing this Privacy and Personal Data Protection Policy
10.1. Any changes in the treatment of personal data collected or shared with VCI SA will
be notified in advance by electronic notice sent via email and/or insertion on the
VCI SA website
21/07/2021