1. IDENTIFICATION OF HANDLING AGENTS AND HEAD OF INFORMATION
CONTROLLER: HOLDBRASIL SERVICOS DE COBRANÇA LTDA
OPERATOR: HBB Serviços de Cobrança LTDA
HEAD OF INFORMATION: Yamn Khalil Mori Moreno Sousa
2. WHY IS A REPORT NEEDED?
Our company’s culture has always sought to ensure that our activities are conducted in a manner that complies with the standards that apply to our clients.
In this regard, pursuant to Art. 38 of Act 13709/18, the Data Protection Act of Brazil (DPA), the Personal Data Protection Authority may require HoldBrasil to write a report on personal data protection, including sensitive data.
HoldBrasil handles on a daily basis personal data related to identified or identifiable natural persons (Art. 5, I, DPA).
Depending on the client and the agreement that was entered into, there is also sensitive data, which refers to one’s racial or ethnic background, religious beliefs, political views, membership of a union or of a religious, philosophical or political organization, and genetic or biometric information, if associated with a natural person (Art. 5, II, DPA).
In the interest of personal data protection (Art. 2 and its items, DPA), of good faith and of other principles that must be adhered to when handling personal data (Art. 6 and its items, DPA), HoldBrasil has in place internal controls, which may vary, but are always in agreement with the nature of the personal data in order to mitigate any risks arising if personal data protection should fail.
Despite the great degree of maturity in how internal controls are managed, HoldBrasil is not able to guarantee the complete elimination of risks which, if materialized, would affect the confidentiality of the personal data existing in our company.
3. HOW INFORMATION IS HANDLED
Our Information Security Policy describes how HoldBrasil mitigates potential risks which information assets are subject to and which may jeopardize our activities and our mission.
3.1. Nature of Data Handling
We take technical and administrative measures that are able to protect personal data from unauthorized access, unintentional or illegal destruction, loss or tampering.
Access to our databases is controlled via network groups and by limiting access to certain user profiles, using logins and passwords.
As administrative measures, we inform all those involved, by formal request or by email, of their responsibility for accessing systems, for the logs of access granted, and for creating exclusive-access directories to keep our clients’ digital documents.
3.2 Data Handling
There are a few ways in which information is handled at HoldBrasil, all of which comply with the DPA:
Collected/Handled: Data is collected mainly using information systems and by capturing client information, per the agreements entered into. Captured data is generally received by means of the File Transfer System (FTS).
Data is kept on:
Deleted: Data can be deleted through actions in information systems, SQL commands in databases, file deletion, or through disposal, when data is erased.
3.3 Data Sharing
Personal data is shared when a client expresses intent in writing and only if express authorization is granted. Data may be shared with agencies under the judiciary, executive and legislative branches and the Prosecutors’ Office for purposes of informing an investigation into irregularities the holder of the information is involved in, as well as due to a court order.
3.4 Security Measures
The security measures that HoldBrasil adopts are valid for any kind of information (as defined in the Information Security Policy, which sets out information technology security procedures).
Removable media (flash drives, CDs, DVDs or external hard drives) may be used to transfer files, if justification is provided and with the consent of the IT department.
Printed Out Documents: Corporate electronic files containing sensitive information about clients must not be printed outside HoldBrasil’s facilities.
Disposal of Information: Corporate information recorded onto any type of medium must be discarded in a manner which prevents such information from being recovered.
Monitoring: For purposes of assisting an audit, our IT department may monitor the access to, recording, transferring and printing of corporate electronic files.
3.5 Physical Data
Physical copies are kept in folders at HoldBrasil’s records office until their storage period has expired or until they can be disposed of or sent to permanent records.
Physical documents are filed for a period of time established by the company, and only personnel assigned to departments that manage a given subject are allowed to request access to a physical document that was filed. There are exceptional cases, such as documents from Human Resources, that may be viewed also by the holder of the data, for instance.
Copies of physical documents are rated restricted, and the recipient will be responsible for re-rating them, if needed. Restricted documents may be viewed only by their owners.
3.6 Handling Context
HoldBrasil handles personal data for legitimate and specific purposes, consistent with its business purpose, which is to meet our clients’ specific needs as addressed in the agreements entered into by the parties.
4. CONSULTED PARTIES
The writing of this Report included input from all departments at HoldBrasil. Starting December 2020, virtual meetings were held to assess our compliance with the DPA according to the methodology of the consulting firm hired to implement the project, based on best compliance management practices.
5. FINAL CONSIDERATIONS
This document provides a summary of how personal data is collected, handled, used and shared. It also shows the measures taken to deal with risks that may affect the civil liberties and fundamental rights of data holders. Moreover, this document presents information that demonstrates the current stage of HoldBrasil’s compliance with the DPA.
This report will be reviewed and updated annually or whenever HoldBrasil deems it appropriate to show any type of change affecting how personal data is handled.
HoldBrasil is careful about continually assessing personal data handling risks resulting from the dynamic changes in technology, standards and our business.