Privacy Policy
1 OBJECTIVE
The purpose of this policy is to establish guidelines that allow AMAGGI to guarantee security in the treatment of data, whether personal or not, and to comply with the requirements of laws, regulations and applicable private documents that control the subject in relation to the Company.
- Scope
AMAGGI Privacy Policy covers all dimensions and activities in all regions where the company operates in Brazil and applies to the processing of personal data collected by AMAGGI, directly or indirectly, from all individuals, including, but not limited to, current, future or potential job seekers, employees, customers, producers, consumers, dependents, suppliers, contractors/subcontractors, shareholders or any 3rd parties, with “Personal Data” defined as any data relating to an identified or identifiable individual, in compliance with the General Data Protection Law (LGPD) in force in our country.
- Alterations
Change in all texts and deleting the fields: 3.1 What are your rights in relation to privacy and protection of personal data; 3.2 Collection and use processing of your personal data; 3.4 Cookies and 3.9 Storage of Personal Data.
Inclusion of Items: 3.1.9 AL5 Seguros Data and 3.3 How We Protect Your Data, 3.6 Data Privacy Officer (DPO) Responsibilities.
2 DEFINITIONS, TERMINOLOGY AND ACRONYMS
See below some important definitions to better understand the protection we apply to your personal data, the limits of our use and your rights:
- Data Holder: natural person to whom the Personal Data refers, which will be processed by AMAGGI.
- Personal data: Identified or identifiable information about the holder. Examples of personal data are your name, Individual Taxpayer Registration Number – CPF, Identity Number – RG, address, computer IP address, and telephone.
- Sensitive personal data: Personal data that reveals the racial or ethnic origin, political opinions, religious or philosophical beliefs, and union membership, plus genetic and biometric data with the purpose of exclusively identifying a natural person, health-related data or data relating to the sexual life or sexual orientation of an individual person.
- Anonymization: the use of reasonable and available technical means through which data loses the possibility of an association, directly or indirectly, with an individual;
- Controller: Individuals responsible for making decisions related to the processing of personal data.
- Co-controller: Controllers with joint responsibilities, co-existing in the processing of personal data.
- Operator: Individual responsible for processing data pursuant to lawful instructions from a Controller of the personal data;
- Data Protection Officer (DPO): Individual appointed by the Controller as responsible for data protection within AMAGGI, ensuring the security of information, both for the data owner and for the organization itself. They also act as a communication channel between the controller, data subjects and the National Data Protection Authority (ANPD);
- Treatment: any operation or set of operations performed on the data, by automated means or not, including, but not limited to, the collection, recording, organization, structuring, alteration, use, access, disclosure, copying, transfer, storage, deletion, combination, restriction, adaptation, recovery, consultation, destruction or anonymization;
- AMAGGI: covers all business areas, their respective branches, subsidiaries, and affiliated and controlled companies, nationally and internationally, that make up the business group.
- “National Data Protection Authority” (“ANPD”) is the national public administration body responsible for overseeing and ensuring compliance with the General Data Protection Law (LGPD) throughout the national territory;
- LGPD: acronym used to identify the General Data Protection Law, Law No. 13,709/2018, which regulates Data Processing activities in Brazil.
- Cookies: Cookies are pieces of text that are placed on your computer’s hard drive when you visit certain websites. We may use cookies to let us know, for example, if you have visited us before or if you are a new visitor, and to help us identify resources in which you might be most interested.
- Incident: any act, suspicion, threat or circumstance that compromises the confidentiality, integrity or availability of information held by AMAGGI or that it may have access to.
3 AMAGGI PRIVACY POLICY
This Privacy Policy tells you what personal data we collect about you, what we use it for, how and where we store it, and with whom we share it. It also defines your rights in relation to your personal data and whom you can contact for more information or clarification on this topic. If you have questions about this Privacy Policy, please contact us by email: privacidade@amaggi.com.br.
3.1 DATA WE COLLECT FROM YOU
Following the principles of loyalty, justice and transparency, AMAGGI does not collect or process personal data without having a legitimate, contractual and/or legal reason for doing so. In order for us to provide our services and/or products, it is essential to collect some information about you as detailed below:
3.1.1 Data collected through our channels (Websites or Apps)
AMAGGI will collect the personal data entered or forwarded when accessing our channels (websites or applications) by completing the interest, registration, pre-registration or information request forms. The data collected is necessary to respond to information and requests through ‘Contact Us’ and ‘Channel Confidential’; for other purposes for which we provide specific notice at the time of collection or otherwise as authorized or required by law.
These personal data are:
a) Identification data such as name, RG (ID), CPF (Individual Taxpayer Identification Number), nationality, and license plate;
b) Personal and professional contact details such as email and telephone;
c) Employment data such as company/entity, complaints and claims.
Since it is a channel where holders can send complaints or situations that violate our Code of Ethics and Conduct, AMAGGI may receive personal data classified as sensitive, such as data on health, race and ethnicity, sexual orientation, union membership or the organization of religious, philosophical and political nature or other information that may be sources of discrimination against holders. The channel is open to all holders, so AMAGGI may process data from employees, candidates, drivers, customers, producers, suppliers, and service providers, among other citizens who do not necessarily have a direct link to AMAGGI.
Data are collected with consent provided by the holder who described the situation and are treated in accordance with the LGPD, in compliance with the legal obligations of the controller, including those provided for in the Anti-Corruption Law.
3.1.2 Candidate data
Job seekers’ data at AMAGGI are collected to support the recruitment and selection process, as well as to check for conflicts of interest.
These personal data are:
a) Identification data such as name, RG (ID), CPF (Individual Taxpayer Identification Number), CNH (Driver’s License), date of birth, nationality, place of birth, parent’s names, marital status, voter registration, reservist certificate, and social media account;
b) Personal contact data such as email, telephone and home address;
c) Educational, professional and employment data such as school/academic history, curriculum, education level, school/university, diploma, educational and training history, course and training information, qualifications/certifications, languages, benefits and rights data, portfolio work history, previous work history, enrollment, termination date and reason for termination, title/function, salary expectation;
We may also collect sensitive personal biometric data such as photos and images; health data such as PCD (disabled person), information and reports related to health and safety, occupational health certificate, medical records; racial or ethnic origin.
3.1.3 Employee data
Employee data is collected to complete human resources processes; to perform access control to AMAGGI; to comply with regulations; and for other purposes necessary for the full execution of its activities, as well as of the employment contract signed.
The personal data collected are:
a) Identification data such as name, RG (ID), CPF (Individual Taxpayer Identification Number), CNH (Driver’s License), PIS, PPE, INSS, date of birth, birth certificate, Birth Certificate number (DNV), mother’s name, father’s name, nationality, place of birth, marital status, voter registration, marriage certificate, death certificate, children’s names, traffic fines or warnings, license plate, signature, social media account;
b) Identification data of the employee’s spouse, such as RG (ID), CPF (Individual Taxpayer Identification Number), marriage certificate, birth certificate, and death certificate;
c) Personal and professional contact details such as email, telephone, and home address;
d) Educational, professional and employment data such as school/academic history, education level, professional registration, company/entity, position/function, area, immediate superior, date of admission, enrollment, work card, data on benefits and rights, termination date and reason for termination, pay-slips, disciplinary action, grievances, past work history, a record of absence/time tracking/annual leave, salary/earnings, course and training information, working hours, shift, social security psychographic profile, performance evaluation;
e) Financial data such as bank account and clearing, corporate credit or debit card;
f) Browsing data such as browsing time, IP address, network interaction history, site history, and user.
Other data are sensitive personal biometric data such as fingerprint, photo, image, and voice recognition; health data such as medical certificates, medical records, occupational health certificates, information and reports related to health and safety, vaccination card, National Health Card (CNS) of the employee and spouse, racial or ethnic origin; political affiliation and activities; and union membership.
In cases of registration of images of events, the processing of personal data will take place upon the provision of consent by the data subject through a written document. In addition, information may be collected to respond to information and requests made directly by the data subject via email: privacidade@amaggi.com.br.
3.1.4 Data of directors, beneficial owner and legal representatives
Personal data of directors, beneficial owner and legal representatives are necessary to guarantee the execution of a contract or to meet the prerequisites for signing a contract; comply with regulations; for other purposes for which we provide specific notice at the time of collection, or otherwise as authorized or required by law; answering information and requests via email: privacidade@amaggi.com.br.
Personal data:
a) Identification data such as name, RG (ID), CPF (Individual Taxpayer Identification Number), CNH (Driver’s License), PIS, marital status, nationality, and signature;
b) Contact data such as home address;
c) Professional and employment data such as profession, professional registration, position/function;
d) Financial data such as bank account.
e) Other data are sensitive personal biometric data such as image, fingerprint (if entering AMAGGI premises) and voice recognition (if using AMAGGI extensions).
3.1.5 Data on visitors, drivers, crew and inspection agents
Data from visitors, drivers, crew and inspection agents are necessary to control access to AMAGGI; comply with legal regulations; for other purposes for which we provide specific notice at the time of collection, or otherwise as authorized or required by law; answering information and requests via email privacidade@amaggi.com.br.
The personal data collected are:
a) Identification data such as name, RG (ID), CPF (Individual Taxpayer Identification Number), CNH (Driver’s License), CIR, date of birth, nationality, passport, signature, and license plate;
b) Personal and professional contact details such as telephone and email;
c) Educational, professional and employment data such as school/university, company/entity, position/function, and badge;
d) Other data are sensitive personal biometric data such as image, fingerprint (if entering AMAGGI premises) and voice recognition (if using AMAGGI extensions).
3.1.6 Data from suppliers, producers, service providers, third parties and independent workers
Data from suppliers, service providers, third parties and independent workers are necessary to: control access to AMAGGI; ensure the execution of contracts and documents and meet the prerequisites for signing a contract; full execution of its activities, as well as the contract for the provision of services signed; comply with regulations; for other purposes for which we provide specific notice at the time of collection, perform third-party due diligence as determined by the Company Policy or otherwise as authorized or required by law; and answering information and requests via email: privacidade@amaggi.com.br.
The personal data collected are:
a) Identification data such as name, RG (ID), CPF (Individual Taxpayer Identification Number), CNH (Driver’s License), PIS, INSS, date of birth, nationality, marital status, signature, and license plate;
b) Personal and professional contact details such as email, telephone and home address;
c) Professional and employment data such as resume, company/entity, position/function, area, profession, professional registration, enrollment, badge, qualifications/certifications, information on courses and training, employment card, salary, absence record/ follow-up of time/annual leave, complaints and claims, shift, working hours, absences, payslips;
d) Financial data such as bank account;
e) Background data such as disciplinary action and criminal history.
Other data are sensitive personal biometric data such as fingerprint, voice recognition (if using AMAGGI extensions), photo and image; health data such as information and reports related to health and safety and occupational health attestation.
3.1.7 Underage Individuals’ Data
AMAGGI may process data from underage individuals (people under the age of 18) in cases of young apprentices, as well as dependents and beneficiaries of employees.
Personal data:
a) Identification data such as name, RG (ID), CPF (Individual Taxpayer Identification Number), date of birth, degree of kinship, mother’s name, birth certificate, Birth Certificate, death certificate, and signature;
b) Personal and professional contact details such as telephone, email and home address;
c) Professional and employment data such as curriculum, company/entity, position/function, area, work portfolio, working hours, ID, badge number, information on courses and training and exit interview;
d) Financial data such as bank account.
Other data are sensitive personal biometric data such as fingerprint, photo, image and voice recognition; health data such as information and reports relating to health and safety; occupational health certificate and National Health Card (CNS).
This data is collected with the consent provided by the legal guardian in a clear and explicit manner, as established by the General Data Protection Law, Law nº 13.709/2018.
3.1.8 Customers’ Data
AMAGGI may process the personal data of customers who take part in the Customer Satisfaction Survey sent annually by AMAGGI.
The personal data processed are those of employees (representatives of the customer company) who respond to the survey and provide full name, position, company and telephone data (messaging applications) for sending the questionnaire.
This data is collected with the consent provided by the legal guardian in a clear and explicit manner, as established by the General Data Protection Law, Law nº 13.709/2018.
3.1.9 AL5 Seguros Data
Personal data and sensitive data are received by AL5 SEGUROS at the time of contracting our products and services, when:
- filling out forms on our digital platforms;
- contacting our call centers;
- including in our systems by intermediary third parties in the contract, such as brokers, bank representatives, insurance policyholders, financial agents, and business partners;
- browsing our digital channels;
- registering information.
a) Public records: PIS/Pasep, NIS (INSS), securities (ISS) and real estate (IPTU) registration, employment card number, etc.;
b) Financial: data related to bank information used to carry out debit and credit related to contracted products and services, such as bank, account (current/savings/investment) and branch data, in addition to the debit card number, PIX credit (instant bank transfer) and key;
c) Hiring: information necessary to complete the hiring process for our products and services, such as license plate, vehicle chassis, brand and model of portable geolocation equipment, among others;
d) Sensitive: personal preference data, such as religion, sexual orientation/gender, racial/ethnic origin, data referring to health (history and medical records), genetic or biometric data, etc.
We may process the data we collect for:
a) Marketing actions aimed at prospecting new customers;
b) Profiling analysis;
c) Risk acceptance analysis;
d) Credit protection;
e) Analysis aimed at preventing fraud;
f) Commercialization of our products and services;
g) Execution of activities and pre-contractual analysis;
h) Execution of activities related to the contracted product or service;
i) Activities of relationship and customer service;
j) Concession of benefits that make up our products, services and human resources policies;
k) Activities of debt collection and credit granting;
l) Reimbursement of amounts;
m) Activities related to lawsuits;
n) Extrajudicial agreements for credit recovery or compensation;
o) Compliance with legal obligations or regulatory entities such as: Susep – Superintendence of Private Insurance, ANS – National Complementary Health Agency, Bacen – Central Bank of Brazil, ANPD, Federal Revenue Service, INSS, etc;
p) Carrying out satisfaction surveys, and consumer profile surveys to improve our products and services, among others;
q) Conducting pricing, actuarial and statistical studies;
r) Registration update and increment;
s) Payment of credit and indemnity to third parties;
t) Analysis of medical, dental and occupational health procedures;
u) Analysis of claims in general;
v) Creation of metrics and indicators in general.
3.1.10 Personal data collected automatically
AMAGGI uses technology for automatic data collection, which helps to improve the website and offer personalized services using market technologies, such as cookies, subject to the provisions contained in the LGPD.
Information on how cookies and other tracking technologies are used can be found in our DE-0178 – Cookie Policy.
3.2 SHARING PERSONAL DATA
It is allowed, in the normal course of our business, to internally share personal data among our employees, contractors/subcontractors to meet legitimate interests, subject to the provisions of the LGPD and also to:
(i) Economic Group: Companies that make up our economic group, to promote the products and services traded by them and carry out studies in general;
Business Partners:
a) Service providers to carry out activities related to our products and services, such as tow trucks, locksmiths, general technicians, referenced medical and dental networks;
b) Technology companies responsible for the storage and guarantee of security in the treatment of your data;
c) Credit reference agencies or other organizations that help to make credit decisions and reduce the incidence of fraud;
d) Business partners for granting benefits, carrying out economic feasibility studies, etc;
e) Brokers, to finalize the contracting of a product or service that was initiated directly by you, digitally, on our platforms, as well as for payment of commissions, monitoring the evolution of the client portfolio, etc;
f) Policyholders, bank representatives, and financial agents for the payment of commissions and monitoring the evolution of the customer portfolio;
g) and other third parties who reasonably require access to personal data relating to you for one or more of the purposes described in section “3.1 Data we collect about you”.
Business partners will always be guided on how to treat their data, keep it safe and comply with the law.
External/internal audits: personal data may be shared with external audit services of our operations, especially for analysis regarding compliance with privacy parameters, data protection and information security.
Public authorities or official bodies: in order to comply with legal obligations to which we are subject, we may have to share data with public authorities or official bodies upon request or express legal provision.
3.2.1 International transfer of personal data
Considering AMAGGI’s international presence, personal data may be transferred to other group companies or third parties located outside Brazil. In such cases, we will ensure that we take all possible steps to protect your personal data in line with our legal obligations.
When the recipient is not a member of AMAGGI, the adequate guarantee may be a data transfer agreement with the recipient based on standard contractual clauses approved by the National Data Protection Authority (ANPD) or other competent authority for personal data transfers from other countries.
3.3 HOW WE PROTECT YOUR DATA
We use a range of physical, electronic and management measures to ensure that your personal data is kept secure, accurate and up to date. These measures include:
- Education and training of everyone who interacts with your personal data so that they are aware of our privacy and data protection obligations when dealing with such;
- Administrative and technical controls to restrict access to personal data, conditioned by a need-to-know basis;
- Technological security measures, including firewalls, encryption and antivirus software;
- Physical security measures, such as employee security access control, to enter our facilities.
Although we use appropriate security measures, once we receive your personal data, data transmission over the internet (including email) is never completely secure. We strive to protect your personal data, but we cannot guarantee the security of data transmitted to or by us.
In order to properly protect and process your personal data in accordance with the LGPD, in addition to other applicable laws, we are committed to:
- Adopt security, technical and administrative measures to protect personal data from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication or any form of inappropriate or unlawful treatment;
- Keep a record of the personal data processing operations carried out, especially when based on legitimate interest;
- Notify, within a reasonable period of time, the National Data Protection Authority and the holder of the occurrence of a security incident that may entail significant risk or damage to the holders;
- Use for the processing of personal data systems that are structured in order to meet the security requirements, the standards of good practices and governance and the general principles set out in the LGPD;
- Eliminate personal data after the end of its treatment, within the scope and within the technical limits of the activities, with conservation authorized for the purposes foreseen by law; and
- Comply with the guidelines, rules and regulations issued by the National Data Protection Authority (ANPD).
3.4 DATA RETENTION PERIOD
We will keep your personal data in our systems in accordance with AMAGGI’s PO-0764 Personal Data Retention Procedure and/or for the length of the following periods:
(i) as long as necessary for the relevant activity or services;
(ii) any retention period required by law;
(iii) the end of the period in which disputes or investigations in relation to the Services may arise;
(iv) while your consent is valid, in the applicable cases;
(v) pursuant to current legislation.
3.5 INFORMATION SECURITY
We implement appropriate technical and organizational measures to protect Personal Data against accidental or illegal alteration or loss, or from unauthorized use, disclosure or access, in accordance with AMAGGI’s Information Security Policy.
Handling and responding to security incidents consists of receiving, filtering, classifying and responding to requests and alerts and carrying out analysis of security incidents, seeking to extract information that allows preventing the continuation of the malicious action and also identifying vulnerabilities according to PO-0765 AMAGGI’s Personal Data-related Incident Response Procedure.
We take, where appropriate, all reasonable steps based on privacy by design and privacy by default principles to implement necessary safeguards and to protect the processing of personal data.
3.6 DATA PRIVACY OFFICER (DPO) RESPONSIBILITIES
The person in charge of processing personal data has the function of acting as a communication channel between the institution, the data holders and the National Data Protection Authority (ANPD).
- Legal provision: LGPD, art. 5º, VIII
- Attributions: Article 41, §2º, of the LGPD.
(i) accept complaints and communications from holders, provide clarifications and adopt measures;
(ii) receive communications from the national authority and adopt measures;
(iii) guide the entity’s employees and contractors regarding the practices to be adopted in relation to the protection of personal data; and
(iv) perform the other attributions determined by the controller or established in complementary norms.
3.7 CONTACT US
Should you have any doubts regarding the collection and processing of your personal data by AMAGGI, please send your queries, comments or complaints, or exercise your data holder rights, by contacting AMAGGI’s Data Protection Officer via email: privacidade@amaggi.com.br.
3.8 UPDATE/CHANGES TO THIS POLICY
We may update this Data Protection Policy from time to time as our business, or legal requirements, change. Should we make significant changes to this policy, we will post a notice on our website when these take effect, and the date of the last revision to this policy is identified at the top of the page.
4 RESPONSIBILITIES, EXCEPTIONALITIES AND GENERAL PROVISIONS
All employees are individually responsible for ensuring compliance with this document in line with the Code of Ethics and Conduct and with the laws and regulations in force.
Direct superiors must ensure that their subordinates receive the necessary guidance to meet the requirements of this document.
This document and its updating, whenever necessary, are the responsibility of the Compliance area, and any exception to the provisions must be sent through to the Compliance Manager.
5 REFERENCES
General Data Protection Law No. 13.709/2018.
DE-0176 Cookies Policy
PO-0764 Personal Data Retention Procedure
PO-0765 Personal Data-related Incident Response Procedure