Privacy Policy

Version 01 - 01/11/2024 - Reviewed by Lopes Digital (DPO as a Service)
privacy@zarv.com

1 Objectives

Zarv do Brasil Ltda. ("ZARV" or "Organization") understands that privacy is a fundamental right of individuals. Therefore, it is necessary to ensure the systematic and effective management of all aspects related to the protection of personal data and the rights of data subjects in the development of its professional activities.
Thus, Zarv establishes this Privacy and Personal Data Protection Policy ("Policy") to promote a culture aligned with privacy and personal data protection, strengthen its commitment to ethical standards, and comply with the requirements established by the General Data Protection Law ("LGPD").

2 Scope

Considering the legal, regulatory, contractual, and technical requirements to which it is subject, Zarv establishes that the scope of this Policy includes all company departments, network and IT assets used, and the activities and processes they execute in fulfilling the organization's corporate purpose.
Any exceptions to the scope of this Policy do not imply the absence of appropriate technical and administrative controls and measures in the respective departments, activities, processes, or IT assets.

3 Terms and Definitions

a) Data Processing Agent: The controller and the operator.
b) National Data Protection Authority ("ANPD"): Federal authority responsible for overseeing, implementing, and enforcing compliance with the LGPD.
c) Controller: Natural or legal person, public or private, responsible for decisions regarding the processing of personal data.
d) Operator: Natural or legal person, public or private, that processes personal data on behalf of the controller.
e) Data Subject: Natural person to whom the personal data being processed refers.
f) Data Protection Officer ("DPO"): Individual or entity designated by the controller and operator to act as a communication channel between the processing agent, data subjects, and the ANPD.
g) Personal Data: Any information related to an identified or identifiable natural person. This includes directly identifying information (e.g., name, ID, CPF, address) and indirectly identifying information (e.g., location data, electronic identifiers).
h) Sensitive Personal Data: Data related to racial or ethnic origin, religious beliefs, political opinions, union membership, health, sexual life, genetic or biometric data linked to a natural person.
i) Data Processing: Any operation performed with personal data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, storage, elimination, evaluation, modification, communication, transfer, or extraction.

4 Roles and Responsibilities

4.1 Privacy Advocates

Description: Each Zarv department will have a privacy advocate serving as the focal point for their area in relation to the DPO. The privacy advocate ensures compliance with policies, standards, and procedures related to Zarv's privacy and data protection governance program.
Responsibilities:

  • Adhere to the Policy and other governance instruments for privacy and data protection.
  • Support the update of the personal data processing operations registry.
  • Assist in identifying, evaluating, and managing privacy risks under the DPO's guidance.
  • Support technical, administrative, and organizational measures for LGPD compliance.
  • Participate in awareness campaigns and training on privacy, data protection, and information security.
  • Report any events violating the Policy or resulting in potential data security incidents to the DPO.

4.2 Data Protection Officer (DPO)

Description: Zarv ensures the DPO has the necessary autonomy and professional expertise to handle the sensitivity, volume, and complexity of data processing operations.
Responsibilities:

  • Advise on LGPD interpretation and application.
  • Recommend technical, administrative, and organizational measures for compliance.
  • Monitor compliance with data protection measures.
  • Handle data breach incidents and ensure timely reporting to the ANPD.
  • Address data subjects' complaints and communications.

4.3 Employees

Description: Employees are responsible for supporting the efficient management of privacy governance by adhering to this Policy and related instruments.
Responsibilities:

  • Comply with the Policy and governance instruments.
  • Assist the DPO or privacy advocates when requested.
  • Participate in awareness campaigns and training.
  • Report any events violating the Policy or resulting in potential data security incidents.

5 General Rules for Data Processing Operations

The governance of privacy and data protection relies on the guidelines in this Policy and the following instruments:

  • Privacy program monitoring standards.
  • Third-party risk management standards.
  • Data subject request management standards.
  • Privacy risk management standards.
  • Privacy by design standards.
  • Data Protection Impact Assessment (DPIA) standards.
  • Legitimate Interest Assessment (LIA) standards.
  • Data breach incident management standards.

6 Guiding Principles for Data Processing

6.1 Legality, Purpose, and Good Faith

Zarv ensures that data processing is lawful, fair, and transparent, respecting ethical standards and legitimate expectations.

6.2 Adequacy and Necessity

Zarv ensures data processing is compatible with its purpose and limited to what is strictly necessary.

6.3 Free Access, Quality, and Transparency

Zarv guarantees data subjects easy access to their data and ensures accuracy, clarity, and relevance.

6.4 Non-Discrimination

Zarv prohibits discriminatory, unlawful, or abusive data processing practices.

6.5 Security, Prevention, and Accountability

Zarv adopts measures to protect privacy and demonstrate compliance with the LGPD.

7 Confidentiality

Personal data is classified as confidential. Zarv ensures access is restricted to authorized personnel and enforces confidentiality agreements.

8 Data Subject Rights

Zarv respects and facilitates the exercise of data subject rights as provided by the LGPD.

9 Sanctions

Violations of this Policy may result in penalties, including legal actions for damages caused.

10 Communication Channel

Zarv provides the following communication channel for privacy-related matters: privacidade@zarv.com.

11 Maintenance and Updates

Zarv reserves the right to modify this Policy at its discretion. This document is valid indefinitely and takes effect upon issuance.