INFORMATION SECURITY POLICY

1. IDENTIFICATION OF HANDLING AGENTS AND HEAD OF INFORMATION

CONTROLLER: HOLDBRASIL SERVICOS DE COBRANÇA LTDA

OPERATOR: HBB Serviços de Cobrança LTDA

HEAD OF INFORMATION: Yamn Khalil Mori Moreno Sousa

Position: Marketing

E-mail: lgpd@holdbrasil.com.br

2. WHY IS A REPORT NEEDED?

Our company’s culture has always sought to ensure that our activities are conducted in a manner that complies with the standards applicable to our clients.

In this regard, pursuant to Art. 38 of Act 13709/18, the Brazilian Data Protection Act (DPA), the Personal Data Protection Authority may require HoldBrasil to write a report on the protection of personal data, including sensitive data.

HoldBrasil handles, on a daily basis, personal data related to identified or identifiable natural persons (Art. 5, I, DPA).

Depending on the client and the agreement that was entered into, sensitive data may also be handled. Sensitive data refers to a person’s racial or ethnic background, religious beliefs, political views, membership in a union or in a religious, philosophical or political organization, and genetic or biometric information, when associated with a natural person (Art. 5, II, DPA).

In the interest of personal data protection (Art. 2 and its items, DPA), of good faith and of the other principles that must be adhered to when handling personal data (Art. 6 and its items, DPA), HoldBrasil has internal controls in place which may vary but are always proportionate to the nature of the personal data, in order to mitigate the risks that would arise from a failure of personal data protection.

Despite the high degree of maturity with which internal controls are managed, HoldBrasil cannot guarantee the complete elimination of risks which, if materialized, would affect the confidentiality of the personal data held by our company.

3. HOW INFORMATION IS HANDLED

Our Information Security Policy describes how HoldBrasil mitigates the potential risks to which information assets are subject and which may jeopardize our activities and our mission. Information assets include:

  • Information itself, from the storage media it resides on to the way it is handled;
  • The equipment this requires;
  • The systems used to this end and the locations where this media can be found.

3.1 Nature of Data Handling

We take technical and administrative measures capable of protecting personal data from unauthorized access and from unintentional or unlawful destruction, loss or tampering.

Access to our databases is controlled through network groups and by restricting access to specific user profiles, authenticated with logins and passwords.

As administrative measures, we inform all those involved, by formal request or by e-mail, of their responsibility for system access, for the logging of access granted, and for creating exclusive-access directories in which our clients’ digital documents are kept.

3.2 Data Handling

There are a few ways in which information is handled at HoldBrasil, all of which comply with the DPA:

  • Collected/Handled

    Data is collected mainly through information systems and by capturing client information, as provided in the agreements entered into. Captured data is generally received by means of the File Transfer System (FTS).
  • Kept/Stored

    Data is kept on:

    • Corporate databases (using the database management systems DB2, SQL Server and Oracle);
    • Files (e.g. Excel spreadsheets).
  • Deleted

    Data can be deleted through actions in information systems, SQL commands in databases, file deletion, or disposal of the medium, in which case the data is erased.

3.3 Data Sharing

Personal data is shared when a client expresses its intent in writing and only if express authorization is granted. Data may also be shared with agencies of the judiciary, executive and legislative branches and with the Prosecutors’ Office for the purposes of an investigation into irregularities in which the holder of the information is involved, or in response to a court order.

3.4 Security Measures

The security measures adopted by HoldBrasil apply to every kind of information (as defined in the Information Security Policy, which sets out the information technology security procedures).

Removable media (flash drives, CDs, DVDs or external hard drives) may be used to transfer files only when justification is provided and the IT department consents.

  • Transfer of Electronic Files

    Folders shared on workstations (desktop computers and laptops), private e-mail addresses and third-party Internet services (e.g. Dropbox, Google Drive, OneDrive) are not considered appropriate means for transferring electronic files.
  • Printed Documents

    Corporate electronic files containing sensitive information about clients must not be printed outside HoldBrasil’s facilities.
  • Disposal of Information

    Corporate information recorded onto any type of medium must be discarded in a manner which prevents such information from being recovered.
  • Monitoring

    To assist audits, our IT department may monitor the access to, recording, transfer and printing of corporate electronic files.
    Each department is responsible for ensuring that data storage is used correctly and efficiently, checking periodically that only files required for work processes are stored and whether any of them may pose legal risks, such as music, movies and books not acquired by HoldBrasil.
    Information security is constantly reviewed and improved through new security measures. One approach currently under discussion consists of ensuring that data is protected at every stage of its handling (from the moment it is collected through its disposal). This process uses several tools to provide encryption and access control in an integrated manner.

3.5 Physical Data

Physical copies are kept in folders at HoldBrasil’s records office until their storage period has expired or until they can be disposed of or sent to permanent records.

Physical documents are filed for a period of time established by the company, and only personnel assigned to the departments that manage a given subject are allowed to request access to a filed physical document. There are exceptions, such as Human Resources documents, which may also be viewed by the holder of the data.

Copies of physical documents are classified as restricted, and the recipient is responsible for reclassifying them if needed. Restricted documents may be viewed only by their owners.

3.6 Handling Context

HoldBrasil handles personal data for legitimate and specific purposes, consistent with its business purpose, namely meeting our clients’ specific needs as addressed in the agreements entered into by the parties.

4. CONSULTED PARTIES

This report was written with input from all departments at HoldBrasil. Starting in December 2020, virtual meetings were held to assess our compliance with the DPA, following the methodology of the consulting firm hired to implement the project and based on best compliance management practices.

5. FINAL CONSIDERATIONS

This document provides a summary of how personal data is collected, handled, used and shared. It also sets out the measures taken to address risks that may affect the civil liberties and fundamental rights of data holders. Moreover, it presents information that demonstrates the current stage of HoldBrasil’s compliance with the DPA.

This report will be reviewed and updated annually, or whenever HoldBrasil deems it appropriate, to reflect any change affecting how personal data is handled.

HoldBrasil continually assesses the risks of personal data handling that result from the dynamic changes in technology, standards and our business.