Privacy Policy and Protection of Personal Data

Privacy Policy and Protection of Personal Data

This privacy and personal data protection policy (“Privacy Policy”) [1] was established, in accordance with the General Data Protection Law – Law No. 13,709/18 (“LGPD”), to reaffirm the commitment of the firm Donelli , Nicolai e Zenid Advogados [2] (“Firm”) to the protection of the personal data of clients and visitors (“Data Subject(s)”) both in the virtual and in-person environments [3] (“Our Environments”).

1. PERSONAL DATA

1.1. The processing of personal data involves operations such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination and/or extraction.

1.2. The following are Personal Data that may be collected, as needed:

• Full Name;
• Date of Birth;
• Identity Card (RG) number and image;
• Taxpayer Identification Number (CPF) and image;
• Marital status;
• Level of education or schooling;
• Profession, occupation and/or position;
• Electronic address(es) (personal and/or professional e-mails);
• Home, work and/or mobile phone number(s);
• WhatsApp contact number;
• Full personal and/or business address(es);
• Banking information (bank, branch and bank account number);
• Information about the institution where you studied and about your personal and professional background;
• Details about your job, profession, or occupation;
• Tax and banking information;
• Information regarding financial income and/or salary;
• The user’s motor, perceptual, sensory, intellectual, and mental characteristics;
• Data regarding judicial and/or extrajudicial proceedings related to the Data Subject; and
• Any other data that may be deemed necessary in the future for the defense and representation of the client’s interests.

2. Sensitive Data

2.1. In some cases, it will be necessary to collect, produce, receive, classify, use, access, reproduce, transmit, distribute, process, archive, store, eliminate, evaluate or control information, modify, communicate, transfer, disseminate and/or extract sensitive data.

2.2. The following are Sensitive Personal Data that may be collected, as necessary:

• Data concerning racial or ethnic origin;
• Data concerning religious beliefs, political opinions, trade union membership, and/or membership in religious, philosophical, or political organizations;
• Data concerning health or sex life;
• Genetic and/or biometric data;
• Data concerning psychological and/or behavioral profile; and
• Any other information that may be deemed necessary for the defense and representation of the client’s interests.

3. PURPOSES OF THE PROCESSING OF PERSONAL AND SENSITIVE DATA

The processing of the personal data listed in this document has the following purposes:

• To enable the Firm and its operators to identify and contact the Data Subject for the purposes of a business relationship;
• To enable the Firm and its operators to draft commercial contracts and issue invoices to the Data Subject;
• To enable the Firm and its operators to prepare documents related to defending the interests of the Data Subject in judicial and extrajudicial proceedings;
• To enable the Firm and its operators to prepare audit reports containing information about the data collected and processed, to be sent to third parties, namely external audit firms, as requested on behalf of the Data Subject;
• To enable the Firm and its operators to prepare procedural information reports;
• To enable the Firm and its operators to send information about new features, functionalities, content, news and other events that it considers relevant to the client; and
• To allow the firm and its staff to make statements to the press, when authorized by the client.

4. DATA SHARING

The data collected and the activities recorded may be shared whenever necessary for the purposes listed in this document, observing the principles and guarantees established by Law No. 13,709/2018.

• With competent judicial, administrative or governmental authorities, when there is a legal requirement, request, requisition, court order and/or it is deemed necessary; and
• Automatically, in the event of corporate transactions such as mergers, spin-offs, acquisitions, and incorporations.

DATA STORAGE

5.1. The collected data will be stored for the period necessary to achieve the purposes listed in this Policy; or when, for legal reasons, there is an obligation to safeguard it. Otherwise, the data will be deleted from the Firm’s databases or anonymized.

5.2. Anonymized personal data, without the possibility of association with the individual, may be kept indefinitely.

5.3. The Data Subject may request, via email (atendimento@dsalaw.com.br) or mail addressed to the Firm, at any time, that their non-anonymized personal data be deleted. It should be noted, however, that ordering the immediate deletion of data may make it impossible for the Firm to continue providing products and/or services.

6. DATA SECURITY

6.1. Internally, the Personal Data collected is accessed only by duly authorized professionals, respecting the principles of proportionality, necessity, and relevance to the purposes of the Firm, in addition to the commitment to confidentiality and the preservation of the privacy of the client, the data subject, in the exact terms of this Privacy Policy.

6.2. E-mail communications will be sent exclusively from the official domains of the Firm, ending in @dsalaw.com.br;

6.3. In order to safeguard the data provided, processed and/or stored, the Firm adopts security measures of a technical, administrative, and organizational nature, aimed at protecting personal and sensitive data from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, disclosure, or any other form of inappropriate or unlawful processing.

6.4. In the event of a security incident that may pose a significant risk or harm to the Data Subject, the Firm shall notify the National Data Protection Authority (ANPD) and the client, pursuant to Article 48 of Law No. 13,709/2018.

7. RIGHTS OF THE DATA SUBJECT

7.1. The data subject shall have the right to obtain from the Firm, in relation to the data processed by it, at any time and upon request:

• Confirmation of the existence of processing;
• Access to personal data;
• Rectification of incomplete, inaccurate, or outdated data;
• Anonymization, blocking, or deletion of unnecessary, excessive, or personal data processed in violation of Law No. 13,709/2018;
• Data portability to another service or product provider, upon formal and express request, in accordance with the regulations of the national authority, subject to commercial and industrial secrecy;
• Erasure of personal data processed with the consent of the data subject, except in the cases provided for in Article 16 of Law No. 13,709/2018;
• Information about public and private entities with which the controller has shared personal data;
• Information about the option of not providing consent and the consequences of refusal; revocation of consent, pursuant to paragraph 5 of Article 8 of Law No. 13,709/2018.

7.2. To exercise the rights provided for in the Brazilian General Data Protection Law (LGPD), the data subject may simply send a request to our Personal Data Department via the contact
atendimento@dsalaw.com.br.

[1] The Firm may amend this Privacy Policy at any time. Amendments will always be available in this space, so that users and visitors are fully informed.

[2] Headquartered at Avenida Nove de Julho, No. 5017, 3rd and 5th floors, São Paulo/SP, CEP 01407-200.

[3] Through this Privacy Policy, it will be possible to understand how the Firm collects, maintains, and uses Personal Data, as well as the rights that clients and visitors have in accordance with legal requirements, especially those provided for in Law No. 13.709/2018 (“Brazilian General Data Protection Law – LGPD”).