Privacy and Data Protection Policy

PRIVACY AND DATA PROTECTION POLICY UPDATED ON: SEPTEMBER 16, 2020

This Privacy and Data Protection Policy (“Policy”) of CHAVES, GELMAN, MACHADO, GILBERTO E BARBOZA SOCIEDADE DE ADVOGADOS (“CGM”) applies to all individuals who somehow have their personal data processed by CGM (“Data Subjects”), either through the use of our website, our services, registration for our events, application for a job position and/or as a result of the supply of products and provision of services to CGM. We recommend that you carefully review this Policy.

1. PRIVACY AND DATA PROTECTION:

The Data Subject’s (“you” or “your”) privacy and the protection of your data are very important to us. This Policy contains important information regarding the collection, use, retention, transfer and disclosure of personal data, as well as other important matters, and explains how and for what purposes we collect, use, retain, disclose, transfer and protect the information you provide to us.

Your personal data will be processed in compliance with current applicable laws on privacy and data protection, including, but not limited to, Law No. 13,709/2018 (Lei Geral de Proteção de Dados Pessoais – “LGPD”) and Law No. 12,965/2014 (Marco Civil da Internet).

In addition to the laws mentioned above, we are also subject to legal and ethical rules relating to attorney-client privilege, in particular those provided in the Brazilian Law Practice and the Brazilian Bar Association (“OAB”) Act and in the Code of Ethics and Discipline of OAB. This Policy does not supersede or aims to override any of the aforementioned legal and ethical rules. On the contrary: It should be considered as an instrument enabling compliance with such rules.

2. PERSONAL DATA:

Personal data is any information relating to an identified or identifiable natural person. This means that, for example, name, individual taxpayer (CPF) enrollment, ID number (RG), address, phone number, birthday, bank account information, and also cookies and other types of electronic means of identification, are personal data to the extent they can be connected to a natural person.

3. PROCESSING OF PERSONAL DATA:

Processing of personal data is any act or set of acts which is performed on personal data or on sets of personal data, such as those referring to collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise availability, alignment or combination, restriction, deletion or destruction thereof.

4. TYPE AND SOURCE OF DATA:

We may collect personal data about you, including, without limitation, the following:

  1. Full name/company name;
  2. CPF;
  3. RG;
  4. Birthday;
  5. Education;
  6. Mobile number;
  7. Phone number;
  8. IP address;
  9. Email address;
  10. Bank/payment account information;
  11. Address; and
  12. Merchant information (if applicable).

As a rule, we will collect such personal data when you provide it to us or authorize us to obtain it from third parties. We may also obtain them independently, from public sources.

5. LEGAL BASES AND PURPOSES OF THE PROCESSING:

In general, we will collect and process your personal data, among other purposes, to provide our services and establish a relationship with you (if you are our client) or with third parties with whom you are in negotiations or disputes (if the counterparty on such negotiations or disputes is our client), to receive services/products and interact with you (if you are our supplier or service provider), to organize our events (if you are a participant in such events), to recruit new talents for our team (if you are an applicant), and to provide information to you (if you access our website and/or request to receive our newsletters). Processing will only be carried out when we have a legal basis to do so. Legal bases include: (i) consent (i.e., when you give your consent), (ii) a contract (i.e., when processing is required for the execution or performance of a contract with you); (iii) the fulfillment of a legal obligation by us as controllers or by the controller, when we are processors; (iv) exercise of our rights; and (v) our legitimate interests as controllers, or the legitimate interests of the controller or of a third party, when we are processors, under applicable law.

From time to time and upon your consent, we may use your personal data as a reference for our services in national and international legal publications.

In cases where your personal data is processed based on your consent, you have the right to withdraw your consent at any time, which shall not affect (i) the lawfulness of processing based on your consent prior to such withdrawal; or (ii) the lawfulness of processing based on other legal bases.

We may process your personal data in furtherance of legitimate interests in a way that does not override your fundamental rights and freedoms. If applicable, we will process your personal data based on our legitimate interests in order to guarantee the quality and continuation of our services, to improve them, as well as to support, carry out and promote our activities.

6. PROCESSING OF SENSITIVE DATA:

Occasionally we may also process sensitive data (those relating to racial or ethnic origin, religion, political opinions, membership of trade union or of religious, philosophical or political organizations, health and sexual data, genetic data and/or biometric data) when pursuing the purposes mentioned in this Policy, such as, for example, in cases of biometric identification for entering our premises, or in cases where sensitive data are processed for the provision of our services in judicial, administrative or arbitration proceedings, legal advice or other legal services.

The processing of such data will be restricted and CGM will only perform it based on one or more of the following legal bases:

  1. Compliance with legal or regulatory obligations by us as controllers or by the controller, when we are processors;
  2. Regular exercise of rights, including in contracts and in judicial, administrative or arbitration proceedings; and
  3. Prevention of fraud or for your safety, in identification and authentication by electronic systems, except where overridden by your fundamental rights and freedoms which require protection of personal data.

We may also process sensitive data based on your freely given, specific, informed and unambiguous consent. You have the right to withdraw your consent at any time, which shall not affect (i) the lawfulness of processing based on your consent prior to such withdrawal; or (ii) the lawfulness of processing based on other legal bases.

7. CHILDREN AND TEENAGERS:

As a rule, we do not process personal data related to children (persons under the age 12) or teenagers (persons between 12 and 18 years of age), but we may occasionally process information, including personal data, from children or teenagers, for example, for the provision of our services (such as judicial or arbitration proceedings involving children or teenagers) and for the hiring of new talents for our team (such as trainees and interns). Whenever we become aware that processing personal data of a child is necessary, we will make reasonable efforts to ensure that at least one of the parents or guardians consent. Contact us if you believe that we have mistakenly or unintentionally collected information from a child or teenager.

8. COOKIES AND OTHER TRACKING TECHNOLOGIES:

Cookies are text files placed on your computer or device to collect standard internet log information and visitor use of our website and to compile statistical reports on website activities. When you visit our website, we and our business partners and vendors may use cookies and other tracking technologies to: recognize you as a user and to customize your online experience, the services you use, and other online content; measure the effectiveness of our publications and perform analytics; and to mitigate risk, prevent potential fraud, and promote trust and safety across our website.

We thus may use cookies to distinguish you from other users of our website and services. This may help us to provide you with a good experience when you browse our website, or use our services, and also allows us to improve them. As a rule, we will use Google Analytics, a free tool for websites that collects and aggregates anonymized data from visitors, offering access reports, such as traffic origin, pages browsed, length of stay, among others. To learn more about Google Analytics, visit https://policies.google.com/technologies/partner-sites.

You may set your browser or device to not accept cookies. However, in certain cases some website and/or features of our website may not function as a result.

Some browsers provide settings that allow you to control or reject cookies or to include an alert when a cookie is placed on your computer. The procedure for managing cookies is different for each browser, and you can check the specific steps in your particular browser help menu. You may also be able to reset device identifiers by activating the appropriate setting on your mobile device. The procedure for managing device identifiers is also different for each device, and you can check the specific steps in the help or settings menu of your particular device.

9. THIRD PARTY WEBSITES:

Our website may occasionally contain links to third party websites that are not controlled by us. If you visit these sites or use the services made available on them, please be aware that this Policy does not apply to the processing of data by third parties, and we recommend that you carefully review how these third parties process personal data before using their websites, applications or services.

10. RETENTION PERIOD:

Your personal data will be processed and stored: (a) for as long as required to carry out the purposes for which the personal data were collected; (b) in accordance with the storage periods required by applicable laws; or (c) until you revoke your consent given to us to the processing/storage of your personal data, as applicable.

We will retain personal data for the compliance with legal or regulatory obligations by us as controllers, or by the controller, when we are processors. We will also retain personal data for longer periods than required by law if it is in our legitimate interests (or to protect our rights) and not prohibited by law. We may take steps to anonymize personal data and other information, but we reserve our ability to retain and access the data that is archived in our backup and support systems (provided that securely protected by us), and also for as long as required to comply with applicable laws and regulations. The use and disclosure of such personal data will be done in accordance with this Policy.

11. TRANSFER OF DATA:

We may share your personal data or other information with third parties for the purposes described in this Policy. Such third parties include public offices, financial institutes, legal publications, the firm’s service providers (such as paralegals, translation companies, accounting firms, technology service platforms, courier services, expert consultants, marketing agencies, among others) and other third parties.

Whenever possible, we will enter into a data processing agreement with the third party suppliers and/or service providers who have access to your personal data to ensure that such third parties will guarantee a level of data protection compatible with that provided for in this Policy.

Also, your personal data may occasionally be transferred outside of Brazil for the purposes mentioned in this Policy, in accordance with applicable law, with the adoption of all appropriate security measures and safeguards to ensure an adequate level of data protection and security. We will only transfer your personal data internationally (i) to jurisdictions that provide a level of data protection adequate to that of the applicable legislation; or based on (ii) your consent, (iii) a contract entered into with you, or (iii) the fulfillment of a legal obligation. Among other situations of international data transfers, the software and applications used by us (all bearing a high security level) may also potentially store data outside Brazil.

12. PROCESSING METHODS:

Your personal data will be processed by suitable electronic or automated means and computerized tools, or manually and on hard copy, exclusively for the purposes for which they have been collected, and guaranteeing the security and confidentiality of any processed information through the adoption of appropriate measures to prevent the unauthorized alteration, cancellation, destruction, access or processing, or any processing that is not in accordance with the purpose of collection. Your personal data will be processed by personnel duly authorized to do so in accordance with their respective job duties.

13. SECURITY AND INTEGRITY:

We maintain technical, physical, and administrative security measures designed to provide reasonable protection for your personal data against loss, misuse, unauthorized access, disclosure, and alteration. The security measures include firewalls, data encryption, physical access controls to our data centers, and information access authorization controls. While we are dedicated to securing our systems and services, you are responsible for securing and maintaining the privacy of your registration information, and for verifying that the personal data we maintain about you is accurate and current.

The third-party tools used by us to guarantee the security and integrity of your personal data are highly reliable, and most of them have the main certifications worldwide on the subject, such as ISO/IEC 27001.

14. YOUR RIGHTS:

Subject to the legal and ethical rules relating to attorney-client privilege, please note that, when CGM acts as controller of your personal data, you may exercise certain rights under article 18 of the LGPD:

  1. Request confirmation of the existence of processing;
  2. Access your personal data;
  3. Request correction of incomplete, inaccurate or outdated data;
  4. Request anonymization, blocking or elimination of unnecessary or excessive data, or of data processed in breach of the provisions of the LGPD;
  5. Request portability of the data to another service or product provider, upon express request, subject to preservation of trade secrets, in accordance with the regulation of the national authority;
  6. Request deletion of personal data processed with your consent, except in the cases provided for in article 16 of the LGPD and in this Policy;
  7. Request information on the public and private entities with which CGM performed shared use of data;
  8. Obtain information on the possibility of not giving consent and on the consequences of refusal; and
  9. Withdraw your consent, pursuant to paragraph 5 of article 8 of the LGPD.

The exercise of any of these rights will not affect the lawfulness of any data processing carried out before such right is exercised.

If you have any requests regarding your personal data or if you would like to exercise your rights, please contact our Data Protection Officer, Marcia Issler Mandelbaum, via e-mail at privacidade@cgmlaw.com.br.

15. CHANGES TO THIS POLICY:

We are constantly working on improving and developing our services and website, so we may change this Policy from time to time. We will not diminish your rights under this Policy or under applicable laws. If the changes are significant, we will alert you, when we are required to do so by applicable law. In any event, please review this Policy from time to time to stay updated on any changes.