1 INTRODUCTION
1.1. Objective and Scope
This is the data protection policy of Bio Bureau Biotecnologia Ltda and its purpose is to establish guidelines and procedures to guarantee the adequate protection of personal data processed in the performance of our activities.
This policy covers all personal data relating to customers, business partners, suppliers, employees and other people who interact with BIO BUREAU. Our organization recognizes the importance of protecting the privacy and rights of data subjects, in compliance with the provisions of the General Data Protection Act (LGPD) and the General Data Protection Regulation (GDPR).
The policy applies to all processes of collecting, using, processing, storing, transferring and deleting personal data, whether carried out electronically or physically. BIO BUREAU is committed to adopting consistent, transparent and secure data protection practices to ensure compliance with applicable data protection laws and regulations.
In addition, this policy is directed at all employees and business partners who act on behalf of BIO BUREAU, defining their responsibilities in relation to the protection of personal data. It must be observed at all stages of the data lifecycle, from initial collection to final deletion, in order to guarantee the confidentiality, integrity and availability of personal data.
The data protection policy will be reviewed periodically to ensure its continued compliance with applicable laws and regulations, as well as to adapt to changes in our business environment. Compliance with this policy is fundamental for BIO BUREAU and is the responsibility of all those involved in the processing of personal data.
In case of questions or requests related to data protection, data subjects can contact our Data Protection Officer (DPO) through the following communication channels:
- Monteiro, Teixeira & Kroeber Law Firm
- Daniel Torres Teixeira
- Mariana Moncorvo de Mattos
BIO BUREAU is committed to building and maintaining the trust of our customers, business partners and other stakeholders, demonstrating a solid commitment to the protection of personal data and respect for privacy.
1.2. Definitions
- Personal data: Refers to any information relating to an identified or identifiable natural person. This includes, but is not limited to, name, address, identification number, contact information, genetic information, biometric characteristics, health data, among others.
- Data processing: Means any operation carried out with personal data, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, combination, restriction, deletion or destruction.
- Data subject: Refers to the natural person to whom the personal data refers.
- Controller: Designates the company responsible for determining the purposes and means of processing personal data.
- Operator: Means the company or individual who processes personal data on behalf of the controller, in accordance with its instructions.
- Data Protection Officer (DPO): Responsible for overseeing compliance with data protection legislation, providing guidance and advice on issues related to the protection of personal data and acting as a point of contact for data subjects and supervisory authorities.
- Consent: This refers to the data subject’s free, informed and unequivocal expression of consent to the processing of their personal data for a specific purpose.
- Anonymization: This is the process by which personal data is modified so that it can no longer be associated with a specific individual, without the use of additional information.
- International data transfer: This means the transfer of personal data to a country outside national territory.
- Data security incident: Refers to any event that may compromise the security or protection of personal data, such as unauthorized access, loss, alteration, disclosure or accidental or unlawful destruction.
2. DATA PROTECTION PRINCIPLES
2.1. Purpose and Limitation
The processing of personal data by BIO BUREAU is carried out for specific purposes and in accordance with the principles established by the LGPD and the GDPR. We collect, process and store personal data only for the legitimate and explicit purposes for which the data was provided by the data subjects, and we limit ourselves to these purposes throughout the entire lifecycle of the data.
Our objectives for processing personal data include:
- Fulfillment of contractual obligations: We use personal data for the execution of contracts with our customers, suppliers and business partners, thus guaranteeing the provision of services and the fulfillment of our contractual obligations.
- Customer relationship management: We use personal data to maintain and manage business relationships with our customers, including providing information about our products, services and relevant updates.
- Compliance with legal obligations: We may process personal data to comply with legal or regulatory obligations imposed on us, such as tax reporting, complying with industry-specific regulations or providing information to competent authorities.
Security and fraud prevention
We may process personal data to ensure the security of our operations, detect and prevent fraud, protect our assets and information, and ensure the integrity of IT systems and processes.
2.2. Adequacy, Relevance and Data Minimization
- Adequate and limited collection: We only collect personal data that is necessary and relevant for the fulfillment of the established purposes. We avoid excessive collection of personal data that is not strictly necessary for the purpose of processing.
- Specific use: We use personal data only for the purposes determined and communicated to the holders at the time of collection. We ensure that the processing of data is aligned with these specific purposes and that it is not used in an incompatible or unauthorized way.
- Updating and accuracy: We keep personal data up to date and correct, taking reasonable steps to ensure that it is corrected, amended or deleted when necessary. We also encourage data subjects to inform us of any changes or inaccuracies in their personal data to ensure its accuracy.
- Limited retention: We store personal data only for as long as necessary to fulfill the purposes for which it was collected, unless there is a legal or regulatory obligation that requires longer retention. After the end of this period, the personal data will be duly deleted or anonymized so as to no longer identify the data subjects.
- Restricted access: We limit access to personal data only to those employees and service providers who need it to fulfill their specific responsibilities. These people are subject to contractual and confidentiality obligations, ensuring adequate protection of personal data.
- Appropriate security: We have implemented appropriate technical and organizational security measures to protect personal data against unauthorized access, loss, alteration, accidental or unlawful disclosure or destruction. These measures are constantly reviewed and updated in line with industry best practice.
2.3. Data accuracy
- Collecting correct information: We seek to collect accurate and up-to-date information directly from data subjects whenever possible. When requesting personal data, we take steps to verify the veracity and accuracy of the information provided.
- Maintaining accuracy: We take reasonable steps to keep personal data accurate and up-to-date. When informed by data subjects of changes to their personal information, we promptly update the relevant records.
- Periodic verification: We carry out periodic verifications of the accuracy of the personal data held in our systems. These checks are carried out to ensure that the information is up-to-date and correct, making the appropriate corrections and updates when necessary.
- Collaboration of data subjects: We encourage data subjects to inform us of any changes or inaccuracies in their personal data. We provide appropriate means of contact so that they can request the correction, updating or deletion of their information, as provided for by applicable data protection laws.
- Sharing accurate information: When we share personal data with third parties, we take appropriate measures to ensure that the information transmitted is accurate and up-to-date. We require third parties to process personal data in accordance with the established purposes and to maintain the accuracy of the information received.
- Retention of accurate data: We ensure that personal data is retained accurately for the period necessary to fulfill the purposes of processing. When it is no longer necessary to keep personal data, we undertake to delete or anonymize it so that it no longer identifies the data subjects.
2.4. Storage limitations
- Retention for as long as necessary: We keep personal data only for the period strictly necessary to fulfill the purposes for which it was collected. We determine this period based on applicable legal, regulatory, contractual and operational criteria, taking into account the nature of the data and the specific requirements of each purpose.
- Periodic review: We carry out periodic reviews of the personal data stored to assess the continued need for retention. During this review, we consider whether the data is still relevant, necessary and up-to-date for the intended purposes. When the data is no longer needed, we delete it or anonymize it so that the data subject can no longer be identified.
- Compliance with legal and regulatory obligations: In some cases, we may be required to retain personal data for a longer period due to legal or regulatory obligations, such as tax, accounting or record-keeping obligations. In such cases, we ensure that data retention complies with applicable legal and regulatory requirements.
- Security during storage: During the storage period, we implement appropriate security measures to protect personal data against unauthorized access, loss, misuse, accidental or unlawful alteration or destruction. We follow industry best practices to ensure data integrity and confidentiality during storage.
- Secure disposal: When personal data is no longer needed and there are no longer any legal or regulatory obligations requiring its retention, we ensure that it is properly disposed of securely and permanently, in accordance with internal policies and data protection guidelines.
2.5. Integrity and Confidentiality
- Security measures: We implement appropriate technical and organizational measures to protect personal data against security threats. These measures include, but are not limited to, access controls, encryption, intrusion detection systems, regular monitoring, backups and information security policies. We continually update and improve these measures to ensure the effective protection of personal data.
- Restricted access: We limit access to personal data only to authorized employees and service providers who need access to this information to carry out their specific duties. These people are subject to contractual and confidentiality obligations, and receive appropriate training on data protection and the importance of confidentiality.
- Employee awareness: We promote awareness and education among our employees about the importance of the integrity and confidentiality of personal data. This includes regular training on data protection policies, safe practices for handling personal information and actions to be taken in the event of security incidents.
- Monitoring and incident detection: We have implemented monitoring and incident detection systems to promptly identify any security breaches or unauthorized access to personal data. In the event of an incident, we adopt immediate corrective measures to mitigate the effects and notify the competent authorities and data subjects, where necessary, in accordance with legal requirements.
- Partnerships with trusted third parties: When we engage third parties to process personal data on our behalf, we carefully select trusted partners who adopt appropriate security and confidentiality measures. We require these third parties to maintain the integrity and confidentiality of personal data in accordance with our guidelines and applicable legal requirements.
2.6. Accountability and Responsibility
- Appointment of a Data Protection Officer (DPO): We have appointed a Data Protection Officer responsible for overseeing compliance with legal data protection obligations, providing internal and external guidance on privacy policies and practices, and acting as a point of contact for data subjects and competent authorities.
- Records of processing activities: We keep adequate records of all personal data processing activities carried out in our organization. These records include information on the purposes of processing, the categories of personal data involved, the legal bases for processing, data transfers, retention periods and the security measures implemented.
- Data protection impact assessment (DPIA): We carry out data protection impact assessments when necessary, especially in cases of data processing that may present significant risks to the rights and freedoms of data subjects. These assessments help us to identify and mitigate risks, implement appropriate protection measures and ensure compliance with legal requirements.
- Cooperation with the competent authorities: We maintain a position of cooperation with the competent data protection authorities, responding promptly to requests and queries, providing relevant information and collaborating in investigations and audits related to data protection.
- Training and awareness: We promote regular training and awareness among our employees about data protection laws, internal privacy policies and practices, as well as their individual roles and responsibilities in the proper handling of personal data.
- Periodic review and update of the Data Protection Policy: We carry out periodic reviews of our data protection policy to ensure its continued compliance with applicable laws and regulations. We update the policy and internal practices whenever necessary, taking into account changes in the operational, technological or legal environment.
3. DATA CONTROLLER
3.1. Identification of the person responsible
| Operator | CNPJ | Function |
|---|---|---|
3.2. Appointment of the Data Protection Officer (DPO)
3.3. Role and responsibilities of the DPO
- Supervision of compliance with legal data protection obligations.
- Providing internal and external guidance on privacy policies and practices.
- Acting as a point of contact for data subjects and the competent authorities.
- Monitoring of data processing activities and data protection impact assessment (DPIA) when necessary.
- Keeping adequate records of the data processing activities carried out by BIO BUREAU.
- Collaboration with the competent authorities in matters relating to data protection.
- Data subjects can contact our DPO to obtain information about the processing of their personal data, exercise their privacy rights or raise any data protection concerns.
4. DATA SUBJECTS' RIGHTS
Bio Bureau recognizes and respects the rights of personal data subjects in accordance with the LGPD and GDPR. We strive to ensure that these rights are exercised effectively and transparently. Below we highlight the main rights of data subjects.
We are committed to ensuring that the rights of personal data subjects are respected and met in accordance with data protection legislation. To exercise any of these rights, you can contact us using the contact details provided in section 3.2. We will promptly analyze all requests and seek to respond appropriately and in compliance with applicable legislation.
4.1. Right to Information and Access to Personal Data
4.2. Right of rectification and updating
We respect the right of data subjects to request the rectification or updating of their personal data if they identify any inaccuracy or incompleteness. We will promptly analyze these requests and take the appropriate measures to correct or update the personal data, guaranteeing its accuracy and completeness.
4.3. Right to Object and Restriction of Treatment
Data subjects have the right to object, in certain circumstances, to the processing of their personal data, as well as to request the restriction of processing during the analysis of a request or the verification of the accuracy of personal data.
4.4. Right to revoke consent
If the processing of personal data depends on the data subject’s consent, the data subject has the right to revoke consent at any time. We will respect this revocation and cease processing personal data, unless there is another legal basis for the processing that does not depend on consent.
5. INFORMATION SECURITY
To ensure information security, we have adopted the following measures and practices:
5.1. Risk assessment
We carry out regular risk assessments to identify potential threats to information security. These assessments allow us to understand vulnerabilities and implement appropriate measures to mitigate the risks identified.
5.2. Security Policies and Procedures
We have developed internal policies and procedures that establish clear guidelines for information security. These policies cover aspects such as the proper use of information technology resources, protection against malware and other cyber threats, user authentication, physical data protection, among others.
5.3. Access Controls
We have implemented access controls to ensure that only authorized persons have access to relevant data and information systems. This includes the use of secure passwords, two-factor authentication, privilege management and access restrictions based on business needs and assigned roles.
5.4. Encryption and Data Protection in Transit
We use encryption to protect the confidentiality of personal data during its transmission. This includes the use of secure protocols for transferring data over the internet, such as HTTPS, and the use of reliable encryption solutions.
5.5. Security Monitoring
We have implemented continuous monitoring systems to detect and respond to possible security incidents. This allows us to identify suspicious activity, cyber attacks and other security breaches, enabling us to respond quickly and effectively.
5.6. Training and Awareness
We provide regular training for our employees to raise awareness of the importance of information security. This includes guidance on safe practices for using systems, identifying cyber threats, phishing prevention and the importance of protecting personal data.
5.7. Security Incident Management
We maintain a security incident response plan to act quickly and effectively in the event of security breaches. This plan includes the designation of responsibilities, procedures for notifying and reporting incidents, impact assessment and corrective measures.
5.8. Partnerships with Suppliers and Third Parties
When sharing information or involving suppliers and third parties in our operations, we ensure that they meet our information security standards. We have established contractual agreements that include specific clauses relating to data security and protection.
6. SUBCONTRACTORS AND THIRD PARTIES
6.1. Selection of subcontractors and third parties
When selecting subcontractors and third parties, we assess their capabilities, data protection practices, experience, reputation, legal compliance and security measures in place. We ensure that they offer an adequate level of protection for personal data.
6.2. Contractual agreements
We have established contractual agreements with subcontractors and third parties that clearly stipulate data protection obligations. These contracts include specific clauses on confidentiality, information security, responsibilities in relation to personal data and compliance with applicable data protection laws. We require subcontractors and third parties to process personal data in accordance with our instructions and only for the stated purposes.
6.3. Ongoing Evaluation and Monitoring
We carry out regular assessments and ongoing monitoring of subcontractors and third parties to ensure that they continue to comply with our data protection requirements. This can include compliance reviews, security audits and other measures to assess the adequacy of the data protection practices of those involved.
6.4. Subcontractors and International Transfers
If subcontractors are located in countries that do not have an adequate level of data protection, we ensure that the appropriate protection measures are implemented for the international transfer of data. This may involve the use of standard contractual clauses, binding corporate rules or other safeguards recognized by data protection legislation.
6.5. Monitoring and Incident Response
We require subcontractors and third parties to promptly report any security incident or personal data breach. We work together to investigate and respond to these incidents, taking the necessary measures to mitigate the impacts and implement improvements to our security controls.
7. DATA BREACHES AND NOTIFICATION
7.1. Detection and Evaluation of Data Breaches
We implement continuous monitoring measures to identify possible personal data breaches. If a breach is detected, we carry out an immediate assessment to determine the nature and extent of the incident, as well as the potential impact on the rights and freedoms of data subjects.
7.2. Data Breach Notification
If a personal data breach poses a risk to the rights and freedoms of data subjects, we will promptly notify the competent authorities as required by applicable law. In addition, if the breach could result in a high risk to the rights and freedoms of the affected individuals, we will notify the affected data subjects, providing clear and understandable information about the incident and the measures taken to mitigate the risks.
7.3. Registration and Documentation
We keep accurate records and adequate documentation of all data breaches, including details of the nature of the incident, the categories of data affected, the corrective actions taken and the communications made. These records are essential for compliance purposes and to demonstrate our diligence in dealing with data breaches.
7.4. Coordination and Collaboration
We work closely with the relevant authorities, where necessary, to investigate and resolve data breaches. We also cooperate with other stakeholders, including subcontractors and third parties, to ensure a coordinated and effective response.
7.5. Continuous Improvement
We regularly analyze data breaches and the actions taken in response to them, seeking to identify opportunities for improvement in our processes, procedures and security measures. We have learned from past experiences to strengthen data protection and reduce the risk of future breaches.
8. EVALUATION AND REVISION OF THE DATA PROTECTION POLICY
8.1. Periodic evaluation
We carry out periodic evaluations of our data protection policy to identify areas for improvement and ensure its compliance with current legislation. These assessments take into account changes in legislation, technological advances, industry best practices and feedback from data subjects.
8.2. Review of Protective Measures
We regularly review the data protection measures implemented to ensure that they are effective and appropriate to the risks identified. This includes reviewing security policies and procedures, access controls, encryption, backups and other technical and organizational safeguards adopted to protect personal data.
8.3. Policy update
Based on the evaluations and reviews carried out, we update our data protection policy when necessary to reflect changes in laws, regulations and best practices. Updates may include new data protection requirements, improved procedures, guidelines for dealing with emerging technologies and other relevant guidance.
8.4. Communication and Training
We communicate updates to the data protection policy to all employees and relevant stakeholders. In addition, we provide regular training on data protection policies and procedures, ensuring that everyone involved is aware of their responsibilities and proper data protection practices.
8.5. Continuous Improvement
We promote a culture of continuous improvement in relation to data protection, encouraging feedback from employees and data subjects. We actively evaluate and consider the suggestions and comments received in order to further improve our practices and ensure the continued effectiveness of our data protection policy.
9. FINAL PROVISIONS
9.1. Duration
This data protection policy takes effect from the date of its approval and is applicable to all employees, subcontractors, third parties and others involved in activities related to the processing of personal data on behalf of BIO BUREAU.
9.2. Interpretation and Compliance
We interpret and comply with this data protection policy in accordance with applicable data protection laws and regulations. Any breach of this policy may result in disciplinary action, as provided for in BIO BUREAU’s internal policies and the relevant legislation.
9.3. Changes and updates
We reserve the right to make changes and updates to this data protection policy as necessary to reflect changes in laws, regulations and best practices. We will notify employees and relevant stakeholders of any significant changes and require their compliance with the new provisions.
9.4. Questions and Contact
We encourage employees and data subjects to contact us with any questions, concerns or requests relating to the protection of personal data.
- Monteiro, Teixeira & Kroeber Law Firm
- Daniel Torres Teixeira
- Mariana Moncorvo de Mattos
9.5. Additional Safeguards
This data protection policy is complemented by other policies, procedures and safeguards adopted by BIO BUREAU to guarantee the security and protection of personal data. The provisions of these documents are considered an integral part of this policy.