Data Privacy Policy
1. GENERAL INFORMATION AND DEFINITIONS
The Association of Capital Market Investors – Amec (“Amec”) respects the data privacy of its users, visitors, collaborators, members, employees and service suppliers and has developed this Privacy Policy to demonstrate its commitment to protecting their privacy and personal data pursuant to the Lei Geral de Proteção de Dados – LGPD (the Brazilian General Data Protection Law) and all other applicable laws. This Privacy Policy provides stakeholders and data subjects with information about:
(i) What personal data Amec processes;
(ii) How personal data are used and for how long they are processed;
(iii) With whom personal data is shared;
(iv) The rights on the use of personal data;
(v) Which channel shall be used to exercise rights; and
(vi) How we handle, store and dispose of personal data when required.
1.1 Definitions
Data Privacy: Data privacy is focused on the rights of individuals regarding data collection and processing, privacy preferences and how organizations control the data subject’s personal data. It is intended to safeguard the person’s fundamental freedom and privacy rights based on good-faith assumptions for the processing of personal data. It focuses on how data are collected, processed, shared and disposed of pursuant to the applicable law.
Data Processing: Any operation involving the processing of personal data: how they are collected, produced, received, classified, used, accessed, reproduced, transmitted, distributed, processed, stored, edited, disposed of, evaluated or controlled, modified, communicated, transferred, disseminated or extracted.
Data Security: Data security refers to the procedures an organization adopts to prevent unauthorized third parties from accessing your personal data. It concerns the protection of data from malicious attacks and prevents data exploitation (data breach or cyber attacks). It includes access control, encryption, physical and logical network security etc.
Data Subject: Person to whom the personal data within the scope of this policy refers to;
Personal data: All information related to an identified or identifiable natural person, therefore not limited to his/her name, physical and electronic address, age, RG (ID number), CPF (Individual Taxpayer Register number)/CNPJ (Brazilian Register of Legal Entities number), but also to his/her location, behaviors, and IP, among others;
Sensitive Personal Data: Personal data about race or ethnic origin, religion, political opinion, trade union membership or religious, philosophical or political affiliation, health condition, sexual orientation, and genetic or biometric data related to a natural person;
Purpose: Requirement that personal data be collected for legitimate, specified and explicit purposes duly informed to the data subject, not processed further in a manner incompatible with those purposes;
Necessity: Limitation of the processing to the minimum necessary to achieve its purposes, covering data that are relevant, proportional and non-excessive in relation to the purposes of the data processing;
Anonymous Data: Use of reasonable and available technical means to process data in such a manner that the data are not directly or indirectly associated with an individual;
Legal bases: Legal grounds that make personal data processing lawful for a specific purpose.
Processing Agents: The CONTROLLER that receives the data subject’s personal data by consent or as a result of exceptional circumstances, and the PROCESSOR that processes the personal data motivated by an agreement or legal obligation.
Data Protection Officer (DPO): Natural person appointed by the controller who acts as the communication channel between the controller, the data subjects and the national authority.
Consent: Free, informed and unequivocal manifestation by which the data subject agrees with the processing of his/her personal data for a specific purpose;
2. PERSONAL DATA COLLECTION AND USES
All information requested should be provided on a conscious and voluntary basis through record forms linked to our portals, or through other websites managed by Amec. We always highlight the importance of transparency in the use of data in the descriptions of the forms we make available. When visitors register or fill in Amec’s forms, also on the portals we manage, we inform that such data shall be safely stored and used only for the informed purpose.
Amec processes data on a transparent basis and for lawful and specific purposes, as described below:
- To allow the navigation on the Platform, the customization of resources, and the monitoring of security controls;
- To respond to requests and contacts, receive and investigate complaints or fulfil requirements;
- To manage the relationship with members, service suppliers, stakeholders and employees, also through communication using the available means, direct marketing, advertising, and promotional actions and events;
- For marketing and advertising purposes, including targeted advertising based on users’ behaviors, consumption profile and/or location;
- To conduct satisfaction surveys, among other types of surveys.
Amec is committed to storing your personal data only for as long as it is necessary to fulfill the above-mentioned purposes and to dispose of data whenever possible and as reasonably required by law, in compliance with the provisions in the Brazilian General Data Protection Law. Should you have any questions about Amec’s storage and disposal practices, please contact Amec’s Data Protection Officer at contato.dpo@amecbrasil.org.br.
3. SHARING AND PROCESSING OF PERSONAL DATA
Amec may make the personal data collected on its websites available to other companies, such as technology infrastructure providers, to carry out essential activities and to provide services, such as payment intermediaries and data storage service providers, subject to the signing of data processing secrecy and non-disclosure agreements.
Whenever possible, Amec shall use security mechanisms and tools to prevent such data from being exposed, and shall also recommend the use of anonymous data when a third party is involved in the activity.
Amec may eventually disclose the personal data collected as a result of a legal obligation, order of the competent authority, judicial decision or when the person provides Amec with his/her free, unequivocal and express consent to share his/her personal data.
Amec may also share personal data with partner companies whenever they are necessary for the adequate providing of services within the scope of its activities; and whenever they are necessary for the protection of Amec’s interests in any type of conflict.
4. PERSONAL DATA SECURITY
All Personal Data shall be stored on Amec’s database platforms or on external provider’s databases by means of agreements with suppliers. The service suppliers contracted by Amec shall be periodically evaluated and shall operate in accordance with the data privacy legislation in force.
Amec and its suppliers are committed to using several physical or logical security systems to mitigate the risks related to unauthorized access, unavailable service and data leaks, ensuring the integrity and confidentiality of the data transmitted and contributing to the prevention of eventual damages resulting from the processing of these data.
Amec commits to taking appropriate security, technical and administrative measures against the irregular or unlawful processing of its Clients’ personal data, including measures against unauthorized access to and destruction, loss, modification or transmission of data, what does not necessarily mean that eventual cyber attacks or unlawful accesses may not happen. All Amec’s employees, suppliers, collaborators and contractors are subject to secrecy and confidentiality obligations. Additionally, to protect personal data, Amec updates and tests its security systems according to good practices.
5. DATA STORAGE
Amec stores all the data it receives, including personal data, only during the period the user’s records are active or when they are necessary for the development of the association’s activities.
Amec is protected against the unauthorized access to its systems and only people whose work is essential for the development of Amec’s activities are authorized to access them, upon the signing of instruments of commitment and secrecy and non-disclosure agreements. Breaches of these instruments and agreements imply the imposition of civil, criminal and administrative penalties under the terms of law.
These data can be deleted from our platforms through a ‘request to delete’ sent by the data subject. Amec reserves the right of using validation mechanisms when it is requested to access, delete or modify personal data that may damage the stored data. The main objective of this validation is to ensure the identity of the data subject at the time he/she contacts us.
Amec reserves the right of keeping your personal data stored after a request to delete only when they are necessary for the compliance of legal obligations or agreements.
After the data are deleted, in case the user wants to receive emails or have access to events or other campaigns developed by Amec again, he/she shall re-register.
6. DATA PROTECTION OFFICER – DPO
Users can contact Amec’s DPO at contato.dpo@amecbrasil.org.br.
7. RIGHT OF ACCESS
Amec provides users with direct contact with our Data Protection Officer (DPO) to get information about the collection, processing, storage and disposal of their personal data whenever necessary. Users can send an email to contato.dpo@amecbrasil.org.br requesting the following:
I. Confirm the processing of data;
II. Access the stored data;
III. Correct incomplete, inexact or outdated data;
IV. Anonymize, block or delete unnecessary and excessive data or data that are not in compliance with LGPD’s provisions;
V. Request the portability of data to another service or product provider upon express request;
VI. Request the deletion or anonymization of the personal data processed with the consent of the data subject, unless the storage of these data is authorized by law based on another legal basis;
VII. Request information about public and private organizations with which the controller shared data;
VIII. Request information about the possibility of not giving consent and the consequences of such refusal;
IX. Withdraw consent when the data were processed based on the consent given by the data subject.
8. POLICY REVIEW
Amec reserves the right to change or modify this Privacy Policy at any time, so please check this document periodically for such changes. This policy takes effect as of January 1st, 2021. Should you have any questions, suggestions or want additional information about the privacy policies of our portals, please contact our DPO by email.
