GRUPO PLANUS SOLUÇÕES EMPRESARIAIS (“GRUPO PLANUS” or “COMPANY”) values the privacy and protection of the personal data of its employees, customers, suppliers, and partners. This Policy establishes guidelines for the collection, use, storage, and protection of personal information processed in our operations, in accordance with the General Personal Data Protection Law (LGPD) - Law 13.709/2018.
1. TERMS AND DEFINITIONS
For the purposes of this Policy, the following are considered:
- Data Controller: A natural or legal person who makes the decisions regarding the processing of personal data.
- Data Processor: Natural or legal person who carries out the processing of personal data on behalf of the controller.
- Data Protection Officer (DPO): Natural or legal person appointed to act as the point of contact between the company, the data subjects, and the ANPD. They will be responsible for implementing the Compliance Program with personal data protection laws and conducting activities related to the protection of personal data within GRUPO PLANUS.
- Data Subject: The natural person to whom the personal data being processed refers.
- Personal Data: Information that allows a person to be identified, directly or indirectly, such as name, CPF, e-mail, telephone, financial data, professional data, among others.
- Sensitive Personal Data (Special Categories of Personal Data): Information revealing racial or ethnic origin, religious conviction, political opinion, membership of a trade union or religious, philosophical or political organization, data concerning health or sex life, genetic or biometric data.
- Data Processing: Any operation carried out with personal data, including collection, storage, use, sharing and deletion.
- Anonymized Data: Data that has been processed in such a way that the data subject cannot be identified, even when combined with other data.
- Data Processing Agents: The data controller and the data processor.
- Security Incident (Data Breach): Any event that compromises the security of personal data, such as leaks, unauthorized access, or loss of information.
- ANPD (National Data Protection Authority): Public administration body responsible for overseeing, implementing, and supervising compliance with the LGPD throughout the national territory.
2. OBJECTIVE
The aim of this Policy is to provide clear guidelines on how we treat personal information, ensuring that all data is used in a transparent and responsible manner, only for legitimate and necessary purposes. We are committed to informing and training our employees and partners about the importance of data protection and promoting a culture of awareness and respect. In this way, we ensure that the privacy of each individual is a priority in our operations.
3. RECIPIENTS AND APPLICABILITY
This Policy applies to:
- (I) GRUPO PLANUS employees.
- (II) GRUPO PLANUS clients, whether individuals or companies.
- (III) Suppliers, partners, and third parties, whether natural or legal persons, acting for or on behalf of GRUPO PLANUS, in operations involving the processing of personal data related to the activities conducted by the Company.
- (IV) Personal data subjects whose data is processed by the company.
This Policy defines standards and rules to ensure that all recipients understand and comply with personal data protection legislation in their interactions with data subjects, third parties, and external agents, in the context of GRUPO PLANUS' activities. It covers all data that the company holds, uses, or transmits, regardless of format, including information on paper, electronic systems, and verbally transmitted data.
4. PERSONAL DATA COLLECTED
GRUPO PLANUS collects and processes different types of personal data, including, but not limited to:
- Identification Data: name, CPF, ID, date of birth.
- Contact Details: e-mail, telephone, address.
- Professional Data: job title, position, professional history, CV.
- Financial Data: bank information, income information, billing data.
- Performance Data: performance appraisals, feedback received.
- Security Data: access data (records of entries and exits to company environments, date and time of access, user identification, place of access, activities carried out).
- Sensitive Data (special categories of personal data): health information, medical certificates, biometric data (fingerprints).
These data are collected for the following purposes:
- Management of Employees and Employment Contracts: Administration of information related to hiring, payroll, and benefits.
- Service Contract Management: Maintenance of records necessary for the execution of contracts with suppliers and service providers.
- Service Provision: Delivering products and services to clients, guaranteeing quality and efficiency.
- Communication and Marketing: Sending information about products, services, promotions, and news from GRUPO PLANUS.
- Compliance with Legal Obligations: Meeting legal and regulatory requirements, including audits and tax reports.
- Improving Services and Products: Collecting feedback and analyzing data to improve service and product offerings.
- Data Analysis for Administrative and Management Purposes: Using data to make strategic and operational decisions.
5. PRIVACY AND DATA PROTECTION PRINCIPLES
GRUPO PLANUS undertakes to comply with the following principles when processing personal data:
- PURPOSE: Personal data will only be processed for legitimate and specific purposes, informed to the data subjects.
- ADEQUACY: Processing will be compatible with the purposes communicated.
- NECESSITY: Processing will be limited to the minimum necessary to fulfill the purposes.
- FREE ACCESS: We will guarantee data subjects free and easy access to information about the processing of their data.
- DATA QUALITY: We are committed to the accuracy and updating of personal data.
- TRANSPARENCY: We will provide clear information about the processing of data and those responsible for it.
- SECURITY: We will implement measures to protect personal data against unauthorized access and incidents.
- PREVENTION: We will adopt measures to prevent damage as a result of data processing.
- NON-DISCRIMINATION: We will ensure that processing is non-discriminatory.
- RESPONSIBILITY: We undertake to demonstrate compliance with data protection regulations.
6. LEGAL BASIS FOR PROCESSING PERSONAL DATA
The processing of personal data by GRUPO PLANUS will always be carried out based on an appropriate legal justification, as provided for in the General Data Protection Law (LGPD), ensuring that the processing is legitimate and suitable for its specific purposes. The legal bases include:
- Consent of the data subject, which can be revoked at any time.
- Execution of a contract or preliminary procedures to which the data subject is a party.
- Compliance with a legal or regulatory obligation.
- Regular exercise of rights in judicial, administrative, or arbitration proceedings.
- Legitimate interests of GRUPO PLANUS or third parties, provided that the fundamental rights and freedoms of the data subject do not prevail over such interests.
7. RIGHTS OF PERSONAL DATA SUBJECTS
GRUPO PLANUS respects the rights of data subjects guaranteed by the LGPD, which include:
- Confirmation of the existence of data processing: Right to know if your personal data is being processed.
- Access: The right to request and receive a copy of the personal data the company holds.
- Correction: The right to request the correction of incomplete, inaccurate, or outdated personal data.
- Deletion: The right to request the deletion of your personal data, subject to certain exceptions, such as legal retention obligations.
- Anonymization, Blocking, or Deletion: The right to request the anonymization, blocking, or deletion of personal data that is unnecessary or processed in breach of the LGPD.
- Objection: The right to object to data processing that is not based on consent, in certain circumstances.
- Portability: The right to request the transfer of your personal data to another service or product provider.
- Revocation of Consent: The right to revoke consent previously given for the processing of your data.
- Information on Sharing: The right to be informed about the public and private entities with which your data has been shared.
8. DATA SHARING
GRUPO PLANUS may share the personal data collected with third parties, always within the limits required by law, in the following circumstances:
- a) Consent: When the data subject provides explicit consent for the sharing.
- b) Contract execution: When necessary for the execution of a contract with suppliers and service partners or for carrying out preliminary procedures related to the contract to which the data subject is a party. Example: Providers of cloud hosting services, data storage, and systems maintenance, always ensuring that such partners strictly comply with data protection legislation and implement appropriate security measures.
- c) Compliance with legal or regulatory obligations: When necessary to comply with legal or regulatory obligations or determinations by competent authorities.
- d) Legitimate interests: When necessary to meet the legitimate interests of GRUPO PLANUS or third parties, provided that the fundamental rights and freedoms of the data subject do not prevail.
- e) Studies by research bodies: When necessary to carry out studies by research bodies, always ensuring that the data is anonymized whenever possible.
9. INTERNATIONAL TRANSFER OF PERSONAL DATA
Due to the global nature of GRUPO PLANUS' operations and the fact that it serves a vast portfolio of foreign clients, GRUPO PLANUS frequently receives personal data from clients located outside Brazil. To ensure that these transfers comply with the legal bases set out in Article 33 of the General Data Protection Law (LGPD), we have adopted the following guidelines:
- Adoption of contractual clauses, in order to guarantee that our foreign partners and clients follow appropriate personal data protection practices during the transfer and processing of personal data in Brazilian territory, as well as ensuring compliance with the applicable legislation in their countries.
- Minimum compliance verification of international clients and partners, ensuring that the country of origin of the data or the company sending it adheres to recognized international data protection standards, such as standard contractual clauses or other equivalent regulations.
- We ensure that personal data received is processed securely, respecting the privacy of data subjects and in compliance with the provisions of the LGPD, regardless of its origin.
10. DUTIES OF CARE AND ATTENTION
All individuals and entities that interact with GRUPO PLANUS, including employees, suppliers, and third parties, must ensure the protection of personal data in the course of their activities. This includes following the guidelines set out in this Policy to guarantee the privacy and security of the information processed, as well as reporting any incident or data breach to GRUPO PLANUS' Data Protection Officer (DPO).
11. RELATIONS WITH THIRD PARTIES
All contracts with third parties must include personal data protection clauses, ensuring that they comply with the relevant legislation.
12. INFORMATION SECURITY
GRUPO PLANUS adopts appropriate security measures to protect personal data against unauthorized access, disclosure, alteration, or destruction. Among the measures implemented are:
- Encryption: We use end-to-end encryption to protect personal data during transmission and storage.
- Access Control: Access to systems containing personal data is restricted to authorized employees using secure credentials (login and password).
- Firewall and Network Monitoring: We employ firewalls and continuous monitoring systems to detect and prevent intrusions, improper access and cyber security incidents.
- Data Backup and Recovery: We carry out regular backups of personal data, ensuring safe recovery in the event of failures or incidents.
- Incident notification: In the event of security incidents that compromise personal data, we undertake to notify the ANPD immediately, and no later than 48 hours after detecting the incident, as required by the LGPD. Data subjects will also be informed when there is a significant risk to their rights.
13. TRAINING AND CAPACITY-BUILDING
GRUPO PLANUS recognizes the importance of protecting personal data and may carry out training on the subject for its employees as it deems necessary. These activities may be conducted by the Data Protection Officer (DPO) or the Information Technology (IT) sector, with the following objectives:
- Raise awareness of the importance of protecting personal data.
- Explain the legal and internal obligations related to data processing.
- Teach best practices for guaranteeing information security.
- Provide guidance on how to identify and report security incidents.
These training sessions will be documented, ensuring that employees have access to the relevant data protection guidelines and procedures.
14. MONITORING AND POLICY CHANGES
GRUPO PLANUS undertakes to periodically review and update this Privacy Policy, ensuring that it remains in compliance with applicable legislation. Any substantial changes will be communicated to data subjects through official channels and published on our website.
15. DATA RETENTION
Personal data will be retained for as long as necessary to fulfill the purposes set out in this policy or to meet legal and regulatory requirements. Data retention will follow these parameters:
- Employee Data: Kept for the duration of the employment contract and, after its termination, for a maximum period of 5 (five) years, to comply with legal and regulatory obligations, in accordance with labor and social security legislation.
Legal basis:
CF - art. 7, XXIX, c/c CLT art. 11 / Law no. 8.036/90 - art. 23, § 3 / Decree no. 3.048/99 - arts. 348 and 349 / Law no. 8.212/91 c/c Binding Precedent no. 8 STF.
- Customer and Supplier Data: Kept for the duration of the contractual relationship and, after its termination, for a maximum period of 5 (five) years, to comply with tax and regulatory obligations, as provided for in current legislation.
Legal basis:
Law No. 5.172/66 (CTN), art. 150, § 4 and art. 173.
- Marketing Data: Kept until the data subject revokes consent or requests deletion, in compliance with applicable legal requirements.
After the end of these periods, personal data will be anonymized or deleted in a secure manner, as applicable.
16. CONTACT
For any questions, requests, or complaints regarding this Privacy Policy, or to contact our Data Protection Officer (DPO), please use the information below:
We are available to meet your needs and guarantee the protection of your personal data.