Data protection

I. INTRODUCTION

This Policy defines the standards adopted by 4KST for the processing and protection of personal data[1] that is or may be under its tutelage.

The entire legal repertoire involving the issue of personal data protection and the rights inherent to its holders is a primary concern of 4KST and it demands the same commitment from all its employees in carrying out its activities.

II. PREMISES

4KST adopts premises that guide this Policy and that must be taken into account in any of its processes (internal or external) and in all its decisions:

  1. protection of all personal data under its tutelage, acting continuously to prevent any leakage or improper access;
  2. personal data (e.g. from bureaus) or services related to personal data will only be supplied to 4KST by duly incorporated companies in respect of which there is no indication of illegality or lack of legitimacy for such supply;
  3. personal data will only be processed for lawful, non-discriminatory and non-abusive purposes;
  4. strict respect for the privacy of any data subject[2];
  5. full compliance with legislation and regulations involving the protection of personal data, whether national or international, in particular the Brazilian Personal Data Protection Law - Law 13.708/2018 (the "LGPD");
  6. the processing of personal data will only be carried out when framed on a legal basis in accordance with the requirements of the LGPD;
  7. no processing of sensitive personal data[3];
  8. disposal of any and all personal data that it does not need to keep under its control, i.e. that it does not need to keep in order to comply with a legal requirement, to operate the product or service provided, or to maintain commercial and/or technical contacts;
  9. all its relations, internal and with third parties, are guided by total transparency with regard to the storage, processing and use of personal data; and
  10. in the event of a security incident[4], the data subject(s) involved will be duly and immediately informed, with full transparency towards them and the related public authorities.

4KST will only provide personal data processing services to third parties if there has been prior formalization of the related contractual instrument, which expressly states the alignment of the other party with the premises related to the protection of personal data defined herein.

III. PERSONAL DATA

Due to its organizational structure, activities and market, 4KST segregates the personal data under its tutelage into two categories in order to structure its internal processes for collecting, storing, protecting and disposing of personal data:

1. Internal Personal Data

These are the personal data of employees, trainees, partners, investors, freelancers and service providers who make up the 4KST group of collaborators.

This category also includes the data of people who represent customers or prospective customers, suppliers and partners of 4KST.

2. Personal Data Business 4KST

This category comprises:

  • personal data controlled by customers of 4KST products or services delivered for processing; and
  • personal data acquired from bureaus supplying the

IV. PERSONAL DATA PROTECTION GOVERNANCE

4KST adopts an internal governance structure dedicated to the security of personal data and compliance with the legal and ethical issues surrounding the matter.

In addition to the Security and Personal Data Protection Committee (the "Committee") and its head, the Data Protection Officer (DPO), 4KST has Personal Data Protection Representatives (the "RPDPs") in all sensitive areas/activities of the company.

These RPDPs are responsible for supporting the DPO in identifying and monitoring LGPD risks[5] and also for ensuring compliance with the processes and procedures defined in their areas of activity.

4KST's Personal Data Protection Governance is structured as follows:

1. Personal Data Protection and Security Committee
   Members: DPO, shareholders
   Frequency: ordinary meetings every 30 days; extraordinary meetings on call
   Minutes: if necessary, to document the relevance of the decision taken

The following matters must be brought before the Committee for LGPD risk mapping and deliberation:

  • a new product or service that involves the use or processing of personal data, in the feasibility study phase for release to the market by 4KST;
  • hiring a supplier of personal data and/or services involving personal data, especially services provided outside the 4KST environment (e.g. bureaus, cloud processing services, etc.);
  • definition of internal audit processes and presentation of their results;
  • approval of 4KST's internal rules (Policies and Procedures) relating to the protection of personal data, and their updates;
  • complaints regarding non-compliance with this Policy and other 4KST internal rules relating to the protection of personal data; and
  • other matters relating to the protection of personal data that the DPO or any of the RPDPs decides to bring to the Committee for deliberation.

Also subject to study and deliberation by the Committee is any Personal Data Protection Impact Report (RIDP) produced by 4KST when it intends to process personal data, under the following conditions:

  • 4KST is the controller[6] of the personal data; and
  • the processing of data is based on the legitimate interest of 4KST provided for in the

The purpose of any RIDP is to analyze and document the future impact that any data processing may have on data subjects and society, taking into account possible unintended consequences for them.

2. Data Protection Officer - 4KST DPO

The DPO is the person appointed to act as the channel of communication with personal data subjects, the National Data Protection Authority (ANPD) and other public authorities that may represent the interests of data subjects. The DPO is responsible for drawing up the RIDP, together with the RPDP(s) responsible for the area(s) to which the report refers.

The DPO is also responsible for leading the response to any security incident that may occur at 4KST.

Any exception to compliance with a 4KST standard and/or internal process that involves LGPD risk must be brought to the attention of the DPO for analysis and prior authorization.

3. Personal Data Protection Representatives - RPDPs

a) Marketing and Communication

The 4KST Marketing RPDP is responsible for:

  • ensuring that all digital environments and channels used by 4KST have terms of use, privacy policies, terms of consent and other documents defined to comply with 4KST's personal data protection rules;
  • providing support for internal communication and training regarding internal data protection rules and LGPD risk; and
  • reporting to the DPO any non-conformity or weakness detected in their area of activity that may constitute an exposure to LGPD risk.

b) Commercial

4KST's Commercial RPDP is responsible for:

  • ensuring that any commercial approach to a client follows all of 4KST's premises regarding its personal data protection rules;
  • assessing, prior to any contracting, whether a customer's intended use of a 4KST product or service is in line with the personal data protection guidelines adopted by 4KST, especially with regard to the non-use of sensitive data and to non-discriminatory and non-abusive purposes; and
  • reporting to the DPO any non-conformity or weakness detected in their area of activity that may constitute an exposure to LGPD risk.

c) Administrative/Financial

The Administrative/Financial RPDP at 4KST is responsible for:

  • protection and confidentiality of all information relating to service providers and other self-employed professionals;
  • protection and confidentiality of information relating to 4KST's partners, investors and associates; and
  • communicating to the DPO any non-conformity or weakness detected in their area of activity that may constitute an exposure to LGPD risk.

d) Technical - Information Technology

The RPDP in 4KST's Technical area is responsible for:

  • ensuring the implementation of good information security practices in the transmission and storage of data;
  • ensuring that all company computers keep file access logs;
  • ensuring that log analysis is carried out periodically and in response to internal/external requests;
  • confirming the disposal of all data after a proof of concept or the provision of services, within the period stipulated in the contract;
  • continuously searching for new IT security solutions and identifying those that can be implemented in 4KST's processes as a form of continuous improvement;
  • training all of 4KST's information technology staff in IT security and data protection concepts;
  • notifying the DPO immediately when any security incident is detected in the 4KST structure; and
  • reporting to the DPO any non-conformity or weakness detected in their area of activity that may constitute an exposure to LGPD risk.

e) Human Resources

4KST's Human Resources RPDP is responsible for:

  • guaranteeing the safekeeping of all information relating to the company's employees, trainees and self-employed technical professionals, including contractually requiring any service providers who need access to such information (e.g. payroll and eSocial, occupational medicine, etc.) to strictly adhere to a safekeeping and non-disclosure commitment;
  • creating all the internal processes of the human resources management activity in accordance with 4KST's personal data protection guidelines set out in this Policy and other related internal rules;
  • keeping documents with personal data identifying candidates only for the duration of selection processes conducted by 4KST;
  • giving preference to public tools for registering professional and academic data (e.g. Currículo Lattes, LinkedIn, etc.) when searching for professionals;
  • implementing periodic processes to confirm compliance with 4KST's personal data protection standards by its suppliers and employees; and
  • reporting to the DPO any non-conformity or weakness detected in their area of activity that may constitute an exposure to LGPD risk.

f) Legal

4KST's Legal RPDP is responsible for:

  • monitoring legal and regulatory changes related to the matter and keeping the DPO and members of the Committee up to date;
  • ensuring that all contractual instruments governing relationships with third parties involving personal data have robust security and confidentiality clauses and are in full compliance with related legislation and 4KST's internal rules; and
  • reporting to the DPO any non-conformity or weakness detected in their area of activity that may constitute an exposure to LGPD risk.

g) Compliance

The 4KST Compliance RPDP is responsible for:

  • carrying out due diligence processes on third parties sensitive to LGPD risk (e.g. bureaus);
  • training and refresher courses on LGPD risk and related 4KST internal rules for all 4KST employees; and
  • reporting to the DPO any non-conformity or weakness detected at 4KST that may constitute an exposure to LGPD risk.

V. EXTERNAL RELATIONS

1) Public authorities

4KST and its DPO are committed to complying with all the requirements of public authorities backed up by legal precepts, as well as fully complying with any judicial determination involving the issue of personal data. No 4KST employee may create any obstacle to prevent or hinder inspections or investigations.

2) Data subjects

4KST's relationship with personal data subjects will be guided by total transparency and full compliance with Law 13.708/2018, in particular the principle of free access provided for therein.

VI. MONITORING

1) Third-party auditing

4KST will allow its clients and suppliers to carry out audits of its physical and computer environments, with a view to confirming compliance with contractual commitments relating to the safekeeping, protection, confidentiality and disposal of personal data.

2) Internal monitoring

4KST will maintain periodic monitoring routines, including through internal audits, to identify any non-compliance with its internal rules that may generate exposure to LGPD risk.

VII. INCIDENT RESPONSE

4KST, through its employees, is aware of the sensitivity of its activities with regard to the impact on data subjects in the event of a security incident. It recognizes that, despite all the security precautions that may be implemented, there is no way to fully guarantee the inviolability of its processing and storage environment. It also recognizes that the personal data in the Personal Data Business 4KST category derive from relationships that its clients have with data subjects, relationships that are protected by consumer law.

It is therefore 4KST's commitment to adopt clear, pre-defined processes for responding to any security incident, considering levels of impact and severity, in order to guarantee swift action to mitigate its damaging effects as far as possible, as well as full transparency with data subjects and public authorities.

VIII. VIOLATIONS AND PENALTIES

All 4KST employees will be continuously trained on LGPD risk and the internal rules and processes adopted by the company to reduce exposure to such risk.

This Policy and other internal rules related to information security published by 4KST must be known and fully observed by each 4KST employee, and any violations may be punishable by discontinuation of the contractual relationship. 4KST will not refrain from referring any legal violations to the competent authorities.

[1] Personal data: data that, individually or as part of a set of data, identifies or can identify a natural person.
[2] Data subject: natural person to whom the personal data refer.
[3] Sensitive personal data: data relating to an individual's racial or ethnic origin, religious conviction, political opinion, membership of a trade union or of a religious, philosophical or political organization, health or sex life, genetic or biometric data.
[4] Security incident: breach of security that accidentally or unlawfully results in the destruction, loss, alteration, unauthorized disclosure of or access to personal data under the supervision of 4KST.
[5] LGPD risk: the risk of personal data under 4KST's protection being improperly disclosed, or being used, stored and/or processed in breach of the laws relating to the protection of personal data in the jurisdictions in which 4KST does business.
[6] Controller: the party who makes the decisions regarding the processing of personal data.

4KST Personal Data Protection Policy - version 01, published on 18/09/2020
compliance@4kst.com
