GMREIS PRIVACY POLICY

GMREIS PROCESSING AND PROTECTION OF THIRD-PARTY OWNERSHIP DATA AND GOOD GOVERNANCE PRACTICES IN PRIVACY

I– OBJECTIVE:
The purpose of this POLICY is to determine the form and limit parameters for the processing of personal and sensitive data held by third parties, in all operations in which GMReis is characterized as the CONTROLLER or OPERATOR of such processing; encompassing its main head office and subsidiaries:

UNIT | CITY | STATE | CNPJ
Headquarters | Campinas | SP | 60040599/0001-19
Subsidiary | São Paulo | SP | 60040599/0005-42
Subsidiary | Porto Alegre | RS | 60040599/0004-61
Subsidiary | São José | SC | 60040599/0015-14
Subsidiary | Curitiba | PR | 60040599/0018-67
Subsidiary | Rio de Janeiro | RJ | 60040599/0003-80
Subsidiary | Santos | SP | 60040599/0020-81

 

The ultimate purpose of the actions under this POLICY is to ensure privacy, informative self-determination, and the inviolability of intimacy, honor and image, pursuant to the Law, demonstrating good faith in the protection of data held by third parties which, in any case, are provided or collected.

1. DEFINITIONS:
In order to facilitate the understanding of the entire content of this policy, we describe the DEFINITIONS of the technical terms applied therein, in accordance with the definitions contained in the General Data Protection Law:

a. PERSONAL DATA
Information related to an identified or identifiable individual.

b. SENSITIVE DATA:
Personal Data related to race or ethnicity, religious belief, political opinion, membership of a labor union or of an organization of a religious, philosophical or political nature, referring to health or to sexual life, genetic or biometric datum, when linked to an individual.

c. ANONYMIZED DATA
Data concerning a holder who cannot be identified, considering the use of reasonable technical means available at the time of the processing.

d. DATABASE:
Structured set of personal data, established in one or in several locations, in electronic or physical support.

e. HOLDER:
Individual to whom the personal data that are the object of processing refer.

f. CONTROLLER:
An individual or legal entity, governed by public or private law who is liable for decisions concerning the processing of Personal Data.

g. OPERATOR:
Individual or legal entity governed by public or private law, which performs the processing of personal data on behalf of the controller.

h. SUPERVISOR:
Person appointed by the controller and operator to act as a communication channel between the controller, data subjects and the Domestic Data Protection Authority (ANPD); in the case of GMReis, its D.P.O. identified in this policy.

i. PROCESSING:
Every operation performed with Personal Data, such as collection, production, receiving, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, elimination, evaluation or control of information, modification, communication, transfer, disclosure or extraction.

j. PURPOSE:
Purpose for which the processing is carried out, in a way that justifies the processing according to the principles of adequacy, need and quality of data.

k. ANONYMIZATION:
Use of reasonable technical means that are available at the time of processing by which the data loses the possibility of association, direct or indirect, to an individual.

l. CONSENT
Free, informed and unequivocal statement that the holder agrees with the processing of his personal data for a particular purpose.

m. BLOCKADE
Temporary suspension of any processing operation through the keeping of personal data or the database.

n. ERASING:
Removal of data or a set of data that is stored in a database, regardless of the procedure used.

o. INTERNATIONAL DATA TRANSFER:
Transfer of Personal Data to another country.

p. SHARED USE OF DATA:
Communication, dissemination, international transfer, interconnection of personal data or shared processing of personal database with specific authorization.

2. PRINCIPLES:
This Privacy Policy and all acts performed by GMReis as a result hereof must follow the basic principles of:

a. PURPOSE, SUITABILITY AND NEED:
Data held by third parties that is appropriate, and limited to the minimum necessary, will be processed to meet the purposes described in this POLICY.

b. FREE ACCESS AND TRANSPARENCY:
Free access to all data processed by the company to its holders, with clarity and accuracy in relation to its content.

c. SECURITY AND PREVENTION:
The company uses all means available to it to prevent unauthorized, accidental or illicit access, thus avoiding: destruction, loss, alteration, communication or dissemination that may cause harm to its holders.

d. DATA QUALITY AND NON-DISCRIMINATION:
Holders are ensured accuracy, clarity, relevance, need and fulfillment of the purpose in the processing of their data; any unlawful or abusive discriminatory purpose is prohibited.

e. LIABILITY AND ACCOUNTING:
GMReis will act to ensure compliance with legal obligations regarding the processing of data held by third parties, through effective measures capable of proving its good faith and commitment, measures described in this policy. 

3. PURPOSES:
The processing of personal data held by third parties will be carried out in the strict performance of its purposes; in the event of: need for compliance with legal or regulatory obligation, for the performance of agreements or related preliminary procedures and the agreement to which the holder is a party, to regulate the exercise of law in judicial proceedings, when necessary to take into account the legitimate interests of the controller or third party (except where the fundamental rights and freedoms of the holder prevail), when anonymized; or CONSENT BY THE HOLDER.

The processing of SENSITIVE DATA held by third parties will also be carried out in the strict fulfillment of its purposes, in the event of: need for compliance with legal or regulatory obligation, regular exercise of rights in agreement or judicial proceedings, anonymization of the data; CONSENT BY THE HOLDER or his/her legal representative.

The data and processing should be consulted at any time, according to the Law, as well as its purposes and adequacy to the conditions listed in the previous paragraph.

All GMReis’ employees, direct or outsourced, who by function process data held by third parties, will be properly trained in the content of this POLICY, proving the knowledge of their obligations in the Training Attendance List.

The purposeful or negligent failure by GMReis’ employee duly trained in relation to the content of this POLICY, which generates an incident related to the protection and confidentiality of data held by third parties, should constitute a serious misconduct in relation to their commitments to the employment contract, pursuant to the Law.

II- DATA PROCESSING FOR HUMAN RESOURCE MANAGEMENT
1. Processing of data contained in résumé or other documents of professionals interested in participating in the GMReis’ recruitment and selection processes:

The submission of résumés to GMReis will take place through the website, on a specific page, whose access and VOLUNTARY submission of the résumé will only be possible after the interested party declares knowledge of the content of this POLICY and CONSENT to the processing of the data presented in the document.

The applicant will therefore be free to declare consent with the processing of the data contained in the completed form and/or in the documentation submitted, for the specific purpose of recruitment and selection. Non-consent will result in the impossibility of forwarding the professional résumé, and there will be no processing.

Another form of forwarding a résumé to the GMReis recruitment and selection department is direct delivery, in which a consent form will be presented to the interested party. The consequence of non-consent for the delivery of a résumé will be the denial of its receipt and the non-processing of the data contained therein.

Résumés received from non-hired candidates will be destroyed within one (1) year; and in the case of hiring, the résumés will be stored together with the other documents and information of the employee, for the regular exercise of the employment contract and possible future lawsuit involving employees and GMReis, pursuant to the Law.

2. Processing of data related to employment contracts:
The processing of data held by employees of the company, direct and outsourced, is defined as “necessary for compliance with legal obligations related to labor legislation”; consent is therefore unnecessary. Such processing will be limited to the minimum necessary.

The period of storage of the data shall be limited to the time necessary to secure the rights of the company and employees during the employment contract and as necessary to ensure the right of GMReis in possible legal proceedings.

a) Receipt and processing of employee data to prove justification of absence, leave or medical leave:

To justify absence from work, the employee must present proof of the commitment preventing his attendance, thus avoiding penalty for unjustified absence.

This also applies to medical certificates and leaves, including for sick pay, in which case the company shall be informed of the employee’s condition by documents proving such condition.

Upon receipt of the absence justification by the company, the Absence Justification form will be provided, in which the employee will describe the content of his documentation, when he/she is informed of the purpose of treatment, manner and term for storage.

The period of storage of the data shall be limited to the time necessary to secure the rights of the company and employee during the employment contract and as necessary to ensure the right of GMReis in possible legal proceedings.

Consent for the processing of the data presented to justify the absence is not required under the terms of article 7, II, V and VI and article 11, II, ‘a’ and ‘d’ of the General Data Protection Law. If the employee does not agree to complete the absence justification and present documentation to demonstrate it, his or her non-attendance to work will be considered unexcused. 

b) Processing of employees’ sensitive data:

GMReis will collect and process the least possible sensitive data from employees, direct and outsourced, in order to preserve their right to privacy.

Whenever sensitive data is necessarily collected, to fulfill a legal obligation in the performance of the employment contract and stored to ensure regular exercise of rights in a possible lawsuit, this will be in accordance with the Law.

The sensitive data of employees that can be collected are related to their health, to justify absence or service in the health care plan; biometrics for fingerprint registration in time clock and access in doors with access control; and data referring to spouses and union membership (when strictly necessary).

c) Receipt and processing of data from employees and dependents for contracting benefits:

For benefit purposes, especially health and dental care plans (with the company’s share) and life insurance, data from employees and their dependents (if any) will be processed, which will be shared with the operator companies of the plans and insurance.

The interested employee will have access to the benefits by signing a Consent Sheet to process the data necessary for contracting them. Employees’ dependents should state their Consent in the processing of data necessary for contracting benefits (when applicable), also through a Consent Sheet.

For incapable dependents, the Consent Sheet for data processing for contracting benefits shall be signed by one of their legal guardians, who must prove their situation, in accordance with the law.

d) Receipt and processing of employee data for contracting and promotion of courses, training and outside work.

To contract external courses and training for employees, whether necessary or voluntary, GMReis will receive and share the data necessary for enrollment; and the employee will sign a specific Consent Sheet.

e) Image use:
GMReis holds events inside and outside its premises, also virtual webinars, for: internal marketing, professional motivation, team training, training and dissemination of products and services to customers, which can be registered by capturing images (photos and videos).

Employees’ image will only be processed at events when they sign a specific Consent Sheet for the event in which they were collected.

The specific revocation to stop any use of the image can be carried out at any time, except for the anonymization situation.

f) Unintentionally collected data:
GMReis makes available to its employees, according to the needs of their occupation: computers, tablets, e-mail accounts and mobile phones; exclusively for job performance.

For this reason, GMReis has access to and control of all information entered into this equipment and software.

Employees are informed of this access and control by the company, and the prohibition of entering or processing their data or third parties’, unrelated to their work and unknown to the company.

Any and all personal or sensitive data collected by devices or programs operated by employees, in violation of this policy, will be immediately informed to the employee and the holder(s), where possible, and deleted.

3. Data processing necessary for the Compensation of Self-Employed Professionals RPA:
For the remuneration of a self-employed professional, only the data necessary to prove the work performed and the due remuneration will be received and processed; as well as personal data to identify the professional and make the payment.

If the holder, in this case, is a party to the service agreement to be compensated, consent is not required, and the data will be stored for the period necessary to comply with legal tax and social security obligations by the company, as well as for the time necessary to ensure its exercise of right in possible future lawsuit.

III- DATA PROCESSING OF SUPPLIERS OF PRODUCTS OR SERVICES:
Whenever the contracting of services or the acquisition of products involves the processing of personal or sensitive data owned by third parties, the contract must include: the data processed and its holders, purpose and form of processing, sharing (if any), data protection system; and mention of the companies’ privacy policies.

1. Suppliers with which GMReis shares data owned by third parties:
GMReis will not share data owned by third parties with companies which do not have a Privacy Policy to demonstrate good faith and dedication to protecting the data they receive, to avoid failures, even if unintentional.

Whenever GMReis shares data owned by third parties with supplier companies, the responsibility of both in relation to data protection must be provided for in the agreement.

Data sharing with suppliers will take place in the following cases: contracting benefits, courses and employee occupational health management; contracting transportation and accommodation for employees and customers, contracting company’s employees to participate in events (e.g. fairs, courses and congresses); and customer data management by a third-party digital marketing company.

2. Suppliers who share data with GMReis:
Whenever, for the performance of any activity, supplier companies share third-party’s data with GMReis, this data will be protected by this Policy, and the processing will be limited to the minimum necessary.

GMReis will refuse to receive and process unrequested or unnecessary data for the performance of activities related to the supplier.

Suppliers and customers sharing data owned by third parties with GMReis shall submit a Privacy Policy to demonstrate good faith and dedication to protecting the data, to avoid failures, even if unintentional.

The processing of data owned by third parties shared by suppliers will only take place as provided for in item I, 3 of this policy.

IV- PROCESSING OF CUSTOMER’S DATA:
For the sale of implants and instruments it manufactures, GMReis directly and indirectly serves customers involved in the entire commercial chain of its industry, namely: patients, surgeons, health care plans, hospitals and resellers companies of GMReis’ products inside and outside Brazil.

Customer’s data should be used for disclosure and marketing, or commercial service and product supply, also encompassing regulatory obligations involving traceability.

1. Processing of customer’s data for dissemination and marketing:

a) Intraoperative and Radiographic Images:
GMReis sells orthopedic implants and, in order to demonstrate their application, it sometimes makes use of surgical and radiographic images.

A surgical image is one in which implants are demonstrated directly on the patient in whom they were implanted; and radiographic images are those in which they are demonstrated by imaging.

The commercial use of the images will only take place anonymously, or with the patient’s consent.

Anonymization will be carried out by technical means of editing in order to prevent the recognition of the individual by the image.

Intraoperative or radiographic images should be used to promote GMReis’ products through: posts on social networks, informative emails, website, catalogue, flyers, courses, events, animations, dissemination of clinical cases, Technical Reports and other means of similar disclosure.

b) Participation in Courses and Events:
The events held by GMReis or in which it participates, in person or remotely (e.g. webinars), are recorded through photographic images or video recordings, in order to publicize them.

GMReis will provide a consent sheet with the capture of the image of all participants during the event, for later disclosure, containing in the sheet: data that can be processed, purpose of processing, placement and sharing (i.e. posts on social networks, and informative emails, website, catalogue, flyers, courses, events and other similar means of dissemination).

The images of event participants who do not consent to the processing will only be published by GMReis anonymously.

2. Processing of Customer’s Data for Commercial Service:

a) Record of Dealer Companies:
In order to carry out sales intermediated by reseller companies, these will be previously recorded with the GMReis’ Quality Management System, to regulate compliance with current health standards.

The personal data processed for the aforementioned record are considered necessary for the execution of the agreement, legal and/or regulatory obligation; therefore, exempt from specific consent.

The agreement governing the commercial relationship between GMReis and each reseller company must contain clauses regarding the processing of data owned by third parties, in accordance with this policy and the General Data Protection Law.

b) Direct sales quote, processing, supply and billing:
In the process of direct surgery care, GMReis will receive and process data from physicians and patients in order to provide products and services meeting customer’s requests and expectations.

In the quote phase, GMReis as OPERATOR should receive personal data from patients and surgeons from the CONTROLLERS (hospitals and health care plans).

Once the quote phase is over, GMReis also appears as CONTROLLER of the processing of patient and physician data, to define the processing of the sale and supply of material, surgical procedures, post-surgical feedback and billing.

GMReis will not share the personal data involved in the surgical procedures, and will limit the processing and the people involved in it as much as possible.

Data relating to the patients’ health are considered sensitive and will be processed as such; however, without the need for consent as they are necessary for the fulfillment of legal and mainly regulatory obligations, specifically for the necessary traceability of the use of health products produced by GMReis.

The storage of traceability information containing physician and patient’s data will be carried out in software with access control, avoiding leakage or loss of data.

V- DATA PROCESSING IN COMPLIANCE WITH LEGAL AND REGULATORY OBLIGATIONS:
GMReis, as a manufacturer of implants and surgical instruments, in addition to current legislation, has its activities regulated by health and quality certifying agencies in Brazil and abroad.

Thus, for its full operation, it records data and information to demonstrate its compliance, such as: surgery traceability, feedback, customer’s satisfaction survey, record and documentation of suppliers and customers, among others.

All processing of personal and sensitive data that involves these legal and regulatory obligations, as provided for in articles 7, II and 11, II, of the LGPD, does not require consent; but it must be carried out in accordance with this policy and the General Data Protection Law.

VI- DATA PROCESSING AS OBTAINED BY WEBSITE BROWSING HISTORY – COOKIES:
The institutional website of GMReis (www.gmreis.com / www.gmreis.com.br) collects cookies to improve users’ browsing experience, in the sense of recording browsing flows, without storing personal or sensitive data.

When accessing the GMReis’ website, the user is informed about the collection of cookies, and the link to access this policy is presented, so that he/she is aware of the use of cookies:

“We use cookies to offer a better browsing experience, improve website performance and analyze target groups interaction with our content; see our Privacy Policy and learn more. By using the website, you agree to this use of cookies. Acknowledged.”

The recorded browsing histories are anonymized, without any personal or sensitive data, so as not to generate processing protected by the General Data Protection Law.

VII – GENERAL CONSIDERATIONS

1.  DATA HOLDERS’ RIGHTS:
Every data subject whose data is processed by GMReis will have easy access to information about the processing carried out, as provided for in article 9 of the LGPD, and other rights provided for in the same Law:

a. Information about the possibility of not consenting in relation to the processing of your data, consequences of denial and how to revoke consent;

b. Consultation of the existence of processing and/or sharing of your data by GMReis;

c. Correction of incomplete, inaccurate or outdated data;

d. Access to all your data, purpose, form and duration of processing;

e. Anonymization, blockage or deletion of data that is unnecessary, excessive or processed in breach of the General Data Protection Law;

f. Opposition to the processing carried out based on one of the cases of waiver of consent, in the event of non-compliance with the provisions of the General Data Protection Law;

g. Not be subjected to automated decisions and request their review when they affect your interests;

h. Limit the processing carried out unnecessarily, excessively or in breach of the General Data Protection Law;

i. Deletion of data processed with your consent, with exceptions provided for by law; and

j. Controller data (GMReis) and responsibilities of all agents involved in the processing.

The person in charge of managing the processing of data owned by third parties, making contacts with the Domestic Data Protection Authority (ANPD) and with the data subjects in order to ensure their rights is the Data Protection Officer (DPO):

Name: Nelson dos Santos

Title: Administrative Supervisor

E-mail address:  [email protected]

Telephone number for contact: +55 19 3765.9900

2. CONSENT SHEET:
With the exception of the legal provisions mentioned in item I, 3 of this policy, whenever a processing depends on the consent of its holder, this consent must be free, informed and unequivocal, in accordance with the Law:

a. It will be written, or in a way that demonstrates the real willingness to consent to the processing, by its holder, including the electronic means.

b. The consent sheet shall contain: 

  • Data to be processed by GMReis and how to access them;
  • Form, agents and specific purposes of the processing;
  • Consequences of refusal to consent and possibility and how to revoke the consent;
  • Period of processing and forecast of data deletion after its end; and
  • How to access this Policy, in the updated version and previous versions (within the limit of the data processing at issue); in which the rights of the holder are stated.

Changing the purpose or scope of the consented processing will depend on the holder updating the Consent Sheet.

GMReis designs its actions and internal procedures in order to minimize the volume of data owned by third parties and processing, demonstrating its good faith in protecting them.

3. SECURITY, PREVENTION, STORAGE AND DATA DELETION:

a. SECURITY IN DATA STORAGE:
To ensure the protection of all data processed within the company’s computerized system, GMReis established an INFORMATION SECURITY POLICY, which determines all resources and structure in order to protect digitally stored data owned by third parties, so as to prevent unauthorized access, whether accidental or of illicit origin, and their destruction, loss, alteration, unauthorized communication or dissemination.

The INFORMATION SECURITY POLICY shows GMReis’ good faith in preventing the occurrence of damages from the processing of data it performs.

b. DATA STORAGE TERM:
The storage period for data owned by third parties will respect the provisions of the consent sheets (when necessary), freely signed and informed by its holder; or the period necessary for: compliance with a legal or regulatory obligation, regular exercise of rights in legal proceedings, execution of agreement to which the holder is a party, compliance with the legitimate interests of the controller or third party; all in accordance with the General Data Protection Law.

The data storage periods must always comply with the principles of purpose, adequacy and need; so as not to perpetuate storage for an excessive and unnecessary period; or in violation of the law. 

In the case of data processing with consent, the storage period can be modified at any time by blocking or revoking consent.

c. DATA STORAGE SYSTEM:
The storage of data owned by third parties by GMReis will be in physical or digital format, meeting the principles of security, prevention and data quality thereto.

Both physical and digital storage must comply with the principles of security, prevention and quality, in order to ensure the quality of the data and to prevent its deterioration or involuntary loss, leaks and unauthorized access, even by unlawful act.

Physical means will be used to protect data stored physically, and the INFORMATION SECURITY POLICY will protect digitally stored data.

d. DATA STORAGE DELETION:
All data owned by third parties stored by GMReis, at the end of their processing, will be duly deleted in order to render any access or interpretation of them impossible.

For physical data, the elimination will take place by means of destruction (e.g. fragmentation) ensuring the non-interpretation of its content; and the digitally stored data must be deleted according to available technical means to ensure the non-recovery of information; according to a specific policy for information security.

e. LIABILITY TO PROSECUTION
GMReis will act with severity in relation to any unethical, illegal, immoral, non-consensual or unauthorized, excessive or unnecessary attitude related to the processing of data owned by third parties; in order to prevent such acts, as well as ensure the effectiveness of this policy.

Failure to comply with this policy or the General Data Protection Law, in violation of the guidelines presented by the company, will subject the employee agent to appropriate sanctions (warnings, suspension or even termination of the employment contract for cause – by the recurrence or seriousness of the act); as well as contract cancellation or termination in the case of contracted third parties.

f. STRUCTURE, ADVERTISING, DEFINITION, DURATION AND AMENDMENTS TO THIS POLICY:
GMReis’ top management shall define the parameters and provide the necessary means for full compliance with this policy and consequent adaptation to the General Data Protection Law.

Representing the executive board (and the company itself), the DPO is the professional responsible for all contacts and response to requests from the ANPD and from data subjects whose data is processed by GMReis; also responsible for the guidance of all other company’s employees involved in the processing.

The DPO is also responsible for maintaining the training of the team, as well as controlling the employees’ regular compliance with this policy.

Top management, which should be represented by the DPO, is responsible for drafting and approving this policy, future changes, and all definitions referring to all sectors involved in data processing: human resources, information technology, commercial, marketing, quality and regulatory.

The first version of this policy will be considered revision 00; and its amendments will be considered as subsequent revisions in ascending order, always with reference to the effective date.

The validity of each version will be indefinite, which is interrupted by each amendment, and the content of the subsequent revision will take effect. All versions will be archived to comply with the principles of open access, transparency, rendering of accounts and accountability.

The current version of the GMReis’ PRIVACY POLICY will be ostensibly disclosed for access by all interested parties on the GMReis’ website, in Portuguese, English and Spanish versions, with access carried out as follows:

www.gmreis.com.br – institutional menu – privacy policy.

Any data subject whose data is processed by GMReis should request a printed or digital version of this POLICY, which will be made available and sent to anyone immediately and free of charge.

For holders who so request, all previous versions will be sent, limited to the start date of their processing.

Finally, GMReis represents total good faith in the processing of data owned by third parties, and its processing is carried out only to: regulate the operation of its industrial activity of manufacturing implants and surgical instruments, and sale of its products in Brazil and abroad.