Data Privacy and Protection Policy
|Version:||Date of Review:||History:|
|02||07/07/2017||Inclusion of item IV. Concepts and Acronyms, Legal Executive Board in V. Responsibilities and subitem 1.1.10 of VI. Guidelines.|
|03||10/29/2019||Updating Items II. Scope, III. Guidelines Subitems 1.1, 1.3, 2.4, 2.5, 3.1, 4.1, 5.1 and 6.1, V. Responsibilities, VI. Additional Documents, VII. Concepts and Acronyms and VIII. General Provisions;
Including Item III. Guidelines Subitems 4.2, 4.3 and 4.4.
Provide guidance on the guidelines applicable to the privacy and protection of the personal data of customers, employees, and partners to which Cielo has access due to its activities, establishing the applicable rules on the collection, registration, storage, use, sharing, enrichment and elimination of collected data, according to current laws.
All members of the Management (officers, members of the Board of Directors and members of the Advisory Committees), members of the Fiscal Council and employees of the companies Servinet Serviços Ltda., Braspag Tecnologia em Pagamentos Ltda., Aliança Pagamentos e Participações Ltda. and Stelo S.A., hereinafter (“Cielo” or “Company”), as well as third parties, service providers and/or suppliers who have access to information on the customers of these companies.
All the Company’s Subsidiaries must establish their directives based on the guidance provided in this Policy, considering the specific needs and legal and regulatory aspects to which they are subject.
Regarding the Affiliated Companies, the Company’s representatives working in the Management of Affiliated Companies should make efforts to set their directives based on the guidance provided for in this Policy, considering the specific needs and legal and regulatory aspects to which they are subject.
- Initial Provisions
1.1. This Policy’s purpose is to demonstrate Cielo’s commitment to:
1.1.1. Ensure the privacy and protection of personal data collected from Cielo’s customers, employees and partners, due to Cielo’s activities;
1.1.2. Adopt guidelines that ensure the comprehensive compliance with rules and good practices regarding privacy and protection of personal data;
1.1.3. Promote transparency on how Cielo handles personal data; and
1.1.4. Adopt protective measures regarding the risk of security incidents involving personal data.
2. Information Subject to the Policy
2.1. The following are subject to this Policy:
2.1.1. All information supplied or collected for Cielo’s provision of services to its clients for the acceptance of electronic payment methods, including the collection, transportation, information processing, and transaction settlement, as well as the offer of other related services and products; and
2.1.2. All information of employees and partners collected within contractual or legal obligations.
2.2. Regarding its nature, the information can be classified into two (2) groups:
2.2.1. Information provided by the data owner:Those inserted or forwarded by the data owner or its legal representative, resulting from the contact or registration with Cielo, such as full name, Individual Taxpayer’s ID, date of birth, full address, bank details, e-mail address and telephone number.
2.2.2. Information collected due to the data owner’s use of our Services: Those related to the use of electronic payment methods, collected by Cielo and sent and/or shared with third parties in the context and limit required to process and settle electronic payment transactions or to send the information related to non-financial transactions under the service provided by Cielo
2.3. Specific privacy practices regarding other products and services that Cielo may make available to its clients will be linked to the acceptance of each product or service by the client or third-party.
3. Data Collected, Collection Method and Purpose
3.1. The information will be collected by ethical and legal methods and stored in a safe and controlled environment for the period required by current laws. Cielo undertakes to take all reasonable measures to keep the absolute and strict confidentiality of all information, personal data or specifications to which the Company has access or may come to have access or become aware of, regarding transactions, holders, card data and payment methods of its clients, as well as of individuals directly related to clients, to which the Cielo has access due to provision of services (i.e., the collection, transportation, information processing, and transactions settlement, among other services). The Company is prohibited from granting and/or allowing the access of third parties to such information, except as provided in this Policy.
3.2. Third parties’ access to information collected by Cielo only occurs for the purposes outlined in this Policy and within the limit necessary to perform the activities related to the ordinary course of their businesses, including, but not limited to:
3.2.1. Institutions of payment arrangements and members of such arrangements;
3.2.2. Network for the electronic transfer of funds;
3.2.3. Clearing and settlement banks;
3.2.4. Service providers that carry out business operations and/or information processing for Cielo;
3.2.5. Partners of the Marketing Board;
3.2.6. Independent Auditors;
3.2.7. Collection agencies, credit protection services and the like;
3.2.8. Competent regulatory bodies.
3.3. The information collected by Cielo, under any of the assumptions outlined in Item 3.1 above, is used solely for the purposes outlined in this Policy to carry out Cielo’s activities or offer to the client specific content from the use of anonymous and aggregated information about its operating area.
3.4. Cielo may share information in an aggregated way, publicly and/or with its partners, provided that such information is not personally identifiable. For example, it may publicly share information to show trends in the general use of Cielo’s products and services.
3.5. Whenever the information collected by Cielo needs to be used for purposes other than those defined in this Policy or expressly authorized by the data owner, Cielo will directly inform the data owner about this new purpose and, when necessary, will collect a new authorization.
4. Relationship with Third Parties
4.1. Cielo demands that all third parties keep the confidentiality of the information shared with them or to which they have access due to their activity, as well as that all parties use such information only for the purposes expressly allowed. However, Cielo will not be responsible for the misuse of such information, either by third parties or their employees, due to the non-compliance with this Policy and contractual obligations assumed by such third parties with Cielo through own instruments.
5. Information Security
5.1. To ensure the security of the information provided by the clients, Cielo has physical, logical, technical, and administrative security processes compatible with the sensitivity of the information collected, whose efficiency is periodically evaluated by independent audit company.
5.2. Cielo always implements new procedures and technology updates to protect all personal data collected from clients.
5.3. Notwithstanding the security measures adopted, Cielo is not responsible for damages arising from breach of the confidentiality of the information due to the occurrence of any fact or situation not under its responsibility.
5.4. In the treatment of the information collected, Cielo uses structured systems to meet security and transparency requirements and comply with good practice and governance standards and the general principles outlined in Law 13709/2018 General Act of Personal Data Protection (“LGPD”).
5.5. All technologies used will always respect the current laws and the terms of this Policy.
6. Cooperation with Regulatory Authorities
6.1. If necessary to disclose personal data of clients, employees or partners, either due to law enforcement, court order or the competent supervisory body of the activities carried out by Cielo and/or third parties, such information shall be disclosed only within the strict terms and limits required for its disclosure. Owners of the information disclosed, to the extent possible, will be notified of such disclosure to take appropriate protective or remedial action.
IV. Management of Consequences
Employees, suppliers, and other stakeholders that see any deviations from the guidelines of this Policy may report this deviation through the Ethics Channel (www.canaldeetica.com.br/cielo or 0800 775 0808), anonymously, if they so wish.
Internally, the non-compliance with the guidelines of this Policy leads to the application of measures of accountability of the agents that do not comply with it according to the respective severity of the non-compliance.
When an incident reported to the Ethics Channel involves personal data and/or sensitive personal data, the Ethics Channel must promptly report the complaint to the Data Protection Officer (“DPO”).
- Members of the Management, Employees and Third Parties:
- Observe and ensure the compliance with this Policy, and whenever necessary, prompt the Data Protection Officer (DPO) for consultation on situations involving conflicts with this Policy or the occurrence of situations described therein.
- Risk, Compliance, and Prevention Board (DPO):
- Keeping this Policy updated to ensure that any regulatory/legal changes to the guidelines and general rules set forth herein are observed;
- Clarifying questions regarding this Policy and its application.
- Accept complaints and communications from data owners, provide clarifications and take action;
- Receive communications from the National Authority of Data Protection (“ANPD”) and take action;
- Guide Cielo’s employees and third parties regarding the practices to be taken concerning the protection of personal data; and
- Adopt initiatives to share information on personal data incidents with ANPD and with data owners, when necessary.
- Legal Board:
- Clarifying questions regarding the relevant legislation and regulations.
VI. Additional Documents
- Article 5 of the 1988 Federal Constitution;
- Cielo’s Code of Conduct/Ethics;
- Agreement of Cielo’s Accreditation System;
- Additional Law 105/2001;
- Law 13709/2018;
- Internal standards and procedures constantly improved, approved by the competent authorities, and made available to all employees.
VII. Concepts and Acronyms
- Clients: Individuals registered in Cielo’s system, owner of the personal data that is an object of the work;
- Personal Data: Any information related to an identified or identifiable individual, such as name, surname, date of birth, personal documents (Individual Taxpayer’s ID, Personal ID, Driver’s License, Work ID, passport, voter’s registration, among others), home or business address, telephone, email, cookies and IP address;
- Sensitive Personal Data: Any personal information on racial or ethnic origin, religious belief, political opinion, union membership or organization of a religious, philosophical or political nature, data relating to health or sexual life, genetic or biometric data, when linked to an individual;
- Information: Data, processed or not, that can be used to produce or transmit knowledge, in any medium, support or format;
- Data Privacy and Protection: Possibility for the owner to see, autonomously, the use of its own personal data, as well as establishing several guarantees to prevent these personal data from being used in a way that leads to discrimination or damage of any kind.
- Affiliated Companies: Companies in which the Company holds 10% (ten percent) or more of their capital, without, however, having control over them, according to Article 243, Paragraph 1 of the Brazilian Corporation Law.
- Subsidiaries: Companies in which the Company, directly or indirectly, holds rights as partner or shareholder, which permanently guarantee to the Company the preponderance in corporate resolutions and the power to elect the majority of the members of the Management, according to Article 243, Paragraph 2 of the Brazilian Corporation Law.
- Stakeholders: They represent all relevant stakeholders of the Company, or also, individuals or entities undertaking any type of direct or indirect risk with the company. Amongst others, we point out: shareholders, investors, employees, society, customers, suppliers, creditors, governments and regulatory agencies, competitors, press, professional associations and entities, users of electronic means of payment, and non-governmental organizations.
- Third Parties: Individuals or legal entities, either publicly or privately held, rendering services to Cielo, on its premises or remotely, and in the exercise of its activities may have access to information regarding the business of Cielo or its Clients.
VIII. General Provisions
The Company’s Board of Directors is responsible for changing this Policy whenever necessary.
This Policy takes effect on the date of its approval by the Board of Directors and revokes any rules and procedures to the contrary.