PRIVACY POLICY

Last update: November 03, 2023 | Version 2.1

THANK YOU FOR USING THE GRC SOLUTIONS WEBSITE

When you use the GRC Solutions website, we are committed to maintaining the security of your personal information and data.

This Privacy Policy explains how your information and data will be collected, used, shared, and stored by GRC Solutions applications.

Acceptance of this Policy will occur when you come across privacy notices at collection points on our Website by checking the box. This indicates that you agree with how we process and use your data and information. This document should be read together with our Terms of Use of Cookies.

 

1. Terms and definitions

LAW NO. 13.709, OF AUGUST 14, 2018. (LGPD): This Law provides for the processing of personal data, including in digital media, by an individual or legal entity under public or private law, intending to protect the fundamental rights of freedom and privacy and the free development of the individual’s personality.

User: all individuals who will use or visit the Website(s) and/or application(s), are over 18 (eighteen) years of age or emancipated, and fully capable of performing acts of civil life or those who are absolutely or relatively incapable and duly represented or assisted.

Personal Data: personal data is any information about an identified or identifiable individual. This means that, for example, your name, the number of your Brazilian Register of Individual Taxpayers – CPF, ID, address, telephone number, date of birth, cookies, and other types of electronic identifiers are personal data to the extent that they can be related to an individual.

Purpose: the objective or the purpose that GRC Solutions wishes to achieve through each act of processing personal data.

Need: justification for which it is strictly necessary to collect personal data to avoid excessive collection.

Legal basis: legal basis that makes processing personal data for a specific purpose by GRC Solutions legitimate.

Consent: express and unequivocal authorization given by the User, the data subject, for GRC Solutions to process its personal data for a previously described purpose, in which the legal basis necessary for the act requires the express authorization of the data subject.

2. WHAT KIND OF PERSONAL DATA IS PROCESSED BY OUR WEBSITE?

  • Name;
  • Email;
  • Telephone;
  • Position/Role;
  • Company;
  • Access log: IP address with date and time, mandatory collection pursuant to Law 12.965/2014;
  • Authentication, security, research, and performance analysis cookies.

3. WHAT ARE THE PURPOSES FOR PROCESSING PERSONAL DATA?

GRC Solutions may collect and process personal data, among other purposes, depending on the relationship between the data subject and us:

– Our Website:

  • Sending mailings and communication;
  • Training and development of people aligned with our guidelines
  • Management, enrichment, and cleaning of registration data;
  • Sending mailings and communication;
  • Recruitment and selection of job applicants, union negotiations, compensation studies, career, and salaries, among other activities related to the human resources area;
  • Assurance of access to our websites and/or applications, as well as the operation of all the features made available, which can be used to improve our services;
  • Development, maintenance, and improvement of the resources and features of our websites and/or applications;
  • Performance analysis and audience assessment of our websites and/or applications;
  • Analysis of users’ browsing habits on our websites and/or applications, how they reached the Website and/or application page (for example, through links from other websites, browsers, or directly via the address), assessment of statistics related to the number of accesses and use of the websites and/or applications, their features and functionalities;
  • Analysis related to the security of our websites and/or applications;
  • Improvement of users’ browsing experiences on our websites and/or applications;
  • Provision of more personalized services that are more suited to the needs of users of our websites and/or applications;
  • Communication between us and users of our websites and/or applications, including by sending and receiving emails and mailings; and
  • Continuous improvement of the services we provide.

Data collected in the provision of our services:

 

GRC Solutions has an extensive portfolio of services aimed at, but not limited to:

  • Digital Compliance:

(eDiscovery);

Reporting Channel.

  • Digital Forensics;
  • Internal Investigation Support;
  • Data Protection;
  • Information Security;
  • Internal Audit;
  • Corporate Governance;

– To perform the above services, our clients usually provide us with data related to their employees or customers. For example, but not limited to:

  • CPF, NAME, EMAIL, CORPORATE DATA, among others
  • We also use data for treasury management and collection, including activities with banks, payment processing, write-offs, criticisms, and refunds, among other financial activities;
  • Based on the processing context and according to the purpose and specific need related to the contracted service, we identify the appropriate legal basis and continue to act under the technical and organizational measures provided in the LGPD (Brazilian General Data Protection Law).

–We may also use the data concerning other processing activities such as, but not limited to:

  • Compliance with regulatory requirements;
  • Compliance with requests from competent authorities and regulatory bodies.

– Personal data is only processed when there is a legal basis for doing so. The Legal bases include:

(i) consent, (ii) contract (i.e., when processing is necessary to enter into or execute a contract); (iii) compliance with a legal or regulatory obligation; (iv) exercise of our rights; (v) protection of the life or physical safety of the data subject or the life and physical safety of a third party; (vi) implementation of public policies provided in laws and regulations or supported by contracts, agreements, or similar instruments; (vii) health protection; (viii) our legitimate interests; and (ix) credit protection.

In cases where the processing of personal data is carried out based on consent, the data subject has the right to revoke consent at any time, which does not affect (i) the lawfulness of the processing of personal data based on consent before its revocation; or (ii) the lawfulness of the processing of personal data based on other legal grounds.

GRC Solutions may process personal data based on legitimate interests, provided that the fundamental rights and freedoms of the data subject prevail. If and when applicable, personal data is processed based on legitimate interests to ensure the provision of services, perform internal analyses, and to support, carry out, and promote our activities.

4. PROCESSING OF SENSITIVE DATA

GRC Solutions may process sensitive personal data such as, for example, biometric registration, race, health data, or other sensitive personal data involved in the context of the activity:

The processing of sensitive personal data is restricted and only carried out under one or more of the following legal scenarios:

  • Compliance with legal and/or regulatory obligations;
  • Implementation of public policies provided in laws or regulations;
  • Regular exercise of rights, including in contracts and judicial, administrative, and arbitration proceedings;
  • Protection of your life or physical safety or the life and physical safety of third parties;
  • Protection of health, exclusively in procedures carried out by health professionals, health services, or health authorities; or
  • Guarantee of fraud prevention and your security in the identification and authentication processes of registration in electronic systems, safeguarding the rights mentioned in the applicable legislation and this Policy, except in the case that your fundamental rights and freedoms that require personal data protection prevail.

 

GRC Solutions may also process sensitive personal data based on the data subject’s consent. The data subject has the right to revoke consent at any time, which does not affect (i) the lawfulness of the processing of sensitive personal data based on consent before its revocation; or (ii) the lawfulness of the processing of sensitive personal data based on other legal grounds.

5. THIRD-PARTY LINKS AND PLATFORMS

GRC SOLUTIONS’ websites and/or applications may contain links to third-party Website (s). The existence of these links does not constitute an endorsement or sponsorship of third-party Website (s), which are subject to the terms of use and privacy policies of the respective Website (s) and are not under the responsibility of GRC Solutions. It is recommended that users also have access to the terms and policies of such third parties.

If you choose to contact GRC SOLUTIONS through third-party platforms (such as, but not limited to, Facebook, Instagram, and WhatsApp), the processing of your data will also be subject to the terms of use and privacy policies of such platforms and under no circumstances will GRC Solutions be held liable.

6. PERIOD OF RETENTION OF PERSONAL DATA​

Personal data may be processed and stored:

  • For the time necessary to fulfill the purposes for which it was collected, being limited to what is needed for the identified purpose;
  • According to the storage periods required by applicable legislation; or
  • Until a request to revoke consent for processing is made, as applicable.

GRC Solutions may retain personal data to comply with legal or regulatory obligations, to protect the company’s rights, and to comply with an order issued by a competent authority if it is in the legitimate interest of GRC Solutions, provided that it is permitted by applicable legislation, or also for the period necessary according to the legal basis that justifies the retention of your data.

7. SHARING OF PERSONAL DATA

GRC Solutions may share personal data and other information to achieve the purposes described in this Policy.

The information will be shared securely to preserve your privacy with partners that demonstrate compliance with the LGPD. Examples include, but are not limited to:

  • Partners that offer support for consulting public registry databases for our due diligence service.
  • Partners that support our digital marketing services with indicators related to the performance of our Website.

8. METHODS OF PROCESSING PERSONAL DATA

GRC Solutions may process personal data by electronic or automated means and appropriate computerized tools, or manually and in hard copy, exclusively for the purposes for which it was collected, and ensuring the security, confidentiality, availability, and integrity of any information processed, through appropriate measures to prevent unauthorized change, cancellation, destruction, access, or processing, or any processing that is not aligned with the purpose of collection and the terms of this Policy.

9. SECURITY, HOW WE PROTECT YOUR DATA:

GRC Solutions adopts technical, physical, and administrative security measures designed to provide reasonable protection for personal data against loss, misuse, unauthorized access, disclosure, and change. Security measures include, but are not limited to, firewalls, encryption, physical and logical access controls, and information access authorization controls. While GRC Solutions protects its systems and services, the data subject is responsible for safeguarding and maintaining the privacy of its registration information and verifying that the personal data maintained by GRC Solutions is accurate, complete, and up to date.

10. WHAT ARE YOUR RIGHTS AS A DATA SUBJECT?

The data subject, whether a Customer, Contractors (suppliers), Applicant for one of the job vacancies, Administrator, or Employee of GRC Solutions, or who in any way has or believes to have personal data processed by GRC Solutions as controllers of personal data, may exercise the rights listed in article 18 of the LGPD, from its effectiveness. They are:

  • Request confirmation of the existence of processing of its personal data;
  • Access its personal data;
  • Request the correction of incomplete, inaccurate, or outdated personal data;
  • Request the anonymization, blocking, or deletion of unnecessary, excessive personal data or data processed in non-compliance with the provisions of the LGPD;
  • Request the portability of its personal data to another service or product provider, upon express request, according to the regulations of the national authority, subject to the commercial and industrial secrets;
  • Request the deletion of its personal data processed with its consent, except in the cases provided in this Policy and article 16 of the LGPD;
  • Request information from public and private entities with which we share data;
  • Obtain information about the possibility of not providing consent and the consequences of refusal; and
  • Revoke its consent, according to paragraph 5, Article 8 of the LGPD.

The exercise of any of these rights does not affect the legality of any processing of personal data carried out before the exercise of such right. If the data subject has any requests related to its personal data or wishes to exercise any of its rights, GRC Solutions provides the contact details of the Data Protection Officer on its Website and in this document below.

When the data subject requests to exercise any of its rights, GRC Solutions needs to use the personal data to process the request and respond.

The data subject may contact us regarding the exercise of rights through the email address of our Data Protection Officer: dpo@grcsolutions.com.br. dpo@grcsolutions.com.br.

GRC Solutions will respond to all legitimate requests within 15 (fifteen) business days according to the deadlines indicated by the Brazilian General Data Protection Law – LGPD.

11. PRIVACY POLICY UPDATES

GRC Solutions reserves the right to amend this Policy whenever necessary to ensure the security of the personal data collected and processed. Our policy will always include the update date or current version.

We will inform you for your knowledge and consent if relevant changes are made to a new privacy policy.

REFERENCES

Services

Company

Contact Channels

Location

  • São Paulo
  • Av. Brig. Faria Lima, 2055 - 12° andar
    CEP: 01452-001
  • Alphaville
  • Hosts confidential services
    CEP: 01452-001
Facebook Instagram Linkedin