GDPR – General data protection regulation
1. Goal
1.1. This policy, based on C&M SOFTWARE’s processes and procedures for licensing its products, provides for the processing of personal data, including in digital media, by natural persons or legal entities governed by public or private law, with the aim of protecting fundamental rights of freedom and privacy and the free development of the personality of the natural person.
1.2. Whereas:
- C&M Software, as the owner, commercializes, through Licensing, the Rights to use the functionalities of its Software to support the business of its INSTITUTION;
- C&M Software, only for operational, development and updating reasons, maintains the licensed software in operation on its servers at its headquarters and contingency in Brazil;
- C&M Software does not have access, nor any control, over the data requested or transferred at the request of the INSTITUTION;
- C&M Software is responsible for the integrity of the “data block” from the moment it enters its systems until the moment it leaves the INSTITUTION, and never for its content;
- The INSTITUTION is the one that has a software licensing agreement signed and in force with C&M Software, to assist its decisions. When necessary, the INSTITUTION’s client will be identified as CLIENT.
2. Adoption and Term
2.1. This “C&M2021-01-GRPR” policy comes into force on the date of its publication with the communication to the INSTITUTIONS and will be immediately incorporated into the Licensing Agreement, generating all its effects from the publication and specifies the licensing conditions and the general conditions.
2.2. Contracts signed during the term of the previous policy, if necessary, will be amended by agreement between the parties, except if flagrantly against legal provision, when it will come into force on the defined date, automatically adding the previous policy, or the present one.
3. Definitions
3.1. In this policy, the following terms, all referring to the requirement of the law, will have their meanings defined below, without any exclusion to the reference of the law, but, by the function of C&M Software:
- Personal data: is the data indicated by the INSTITUTION for use in the licensed software, under its full responsibility;
- Sensitive personal data: like personal data, it specifies the precautions that the INSTITUTION must observe under the terms of the law;
- Holder: the person who provided the data for research, under their consent or authorization, if necessary;
- Controller: person appointed by the INSTITUTION who is responsible for decisions regarding the processing of personal data;
- Operator: person appointed by the INSTITUTION who provides data to the software on behalf of and under the guidance of the controller;
- Person in charge: person appointed by the INSTITUTION to act as a communication channel between the controller, the data subjects and the National Data Protection Authority (ANPD);
- Treatment: as licensor, C&M Software is responsible for the integrity of the “data block” from the moment it enters its systems until the moment it leaves the INSTITUTION, and not for its content;
- Shared use of data: designation that does not apply to licensing, due to the unavailability of access to information;
- Personal data protection impact report: exclusive documentation of the INSTITUTION and its unique knowledge, unknown by C&M Software, since access to the data requested by the INSTITUTION is granted, without identifying them;
- “data block” means the set of data, duly encrypted, transmitted by the INSTITUTION for its own queries within the licensed system where C&M Software is unaware of its quantity and content.
3.2. The terms defined here only complement, guide, define and/or explain the limits of activity of C&M Software related to licensing, and, at any time, it seeks to modify the legal text.
3.3. Under the terms of the GDPR, the data used by the INSTITUTION and forwarded to C&M Software must observe good faith and the following principles: purpose, adequacy, necessity, free access, data quality, transparency, security, prevention, non-discrimination, and accountability.
4. Responsibilities of the parties
4.1. The responsibility for obtaining and keeping the holder’s consent, only when applicable and if necessary under the terms of the GDPR, lies with the INSTITUTION until the date of its purge (Art. 14 Res. 4.658).
4.2. The INSTITUTION is responsible for the concepts of purpose, good faith and public interest for which data processing is necessary, except for cases made manifestly public, under the terms of the law. The INSTITUTION undertakes not to transfer personal data necessary for the execution of the software that does not strictly comply with the GDPR.
4.3. In the event of a manifestation by the data subject requesting revocation by C&M Software, the INSTITUTION will be immediately notified, in order to determine the action, under the terms of the law.
4.4. The INSTITUTION agrees that changes in the requirements of the GDPR may generate costs and expenses not foreseen in the original contract and that must be negotiated by mutual agreement by the Parties by signing an amendment to the Contract, unless by legal imposition.
4.5. C&M Software guarantees the integrity and protection of the “data block” from the moment it enters its servers until the moment it is returned to the INSTITUTION’s requests.
4.6. The Parties guarantee to comply with the applicable legislation on privacy and data protection, including (whenever and when applicable) the Federal Constitution, the Consumer Protection Code, the Civil Code, the Civil Rights Framework for the Internet (Federal Law No. 12,965/2014), its regulatory decree (Decree No. 8771/2016), the General Law for the Protection of Personal Data (Federal Law No. 13709/2018), and other sectoral or general rules on the subject that do not confront BACEN requirements.
4.7. The information related to the “data block”, stored on C&M Software’s servers, was sent by the INSTITUTION, and will remain stored there in an isolated and secure manner, following the INSTITUTION’s information purge policy.
4.8. C&M Software undertakes to cooperate with the INSTITUTION in its needs to comply with the law or the holders of the Right, as well as the Federal, State or Municipal Authorities regarding the terms of the current GDPR policy.
4.9. C&M Software is obliged to obtain the necessary authorizations regarding access to those public data indicators, as well as the private ones that it contractually services, except those that the INSTITUTION maintains by its own hiring, only when applicable and if necessary.
4.10. C&M Software shall: (i) take reasonable measures to inform its work team about the responsibilities and reliability resulting from the General Data Protection Law; (ii) immediately notify the INSTITUTION, in writing, as well as the data subjects, when applicable, whenever it knows or suspects that a security incident and/or data leak or a violation of the General Data Protection Law has occurred; (iii) investigate the security incident and/or data leak, taking all necessary measures to eliminate or contain any exposure, as well as any damages that may fall on the INSTITUTION, including cooperating with the INSTITUTION’s investigation and remediation efforts, also committing to provide any type of document and information requested by the INSTITUTION in order to mitigate said damages; (iv) make reasonable efforts to ensure the integrity, availability and confidentiality of the information handled under all circumstances, to the extent that it has the capacity to do so; (v) cooperate reasonably with the INSTITUTION in defining a solution to implement the new protection and security requirements for personal data, if the legislation requires it; and (vi) allow the INSTITUTION, or its duly authorized representatives, provided that with reasonable prior notice, to inspect and/or audit its facilities, to verify that its activities are in compliance with the provisions of the Agreement and its annexes.
4.11. Pursuant to art. 4.9, the INSTITUTION will be informed, if it occurs, of the following data: (i) date and time of the incident; (ii) date and time of acknowledgment by C&M Software; (iii) data referring to the “data block” affected by the incident; (iv) identification of the operator in charge at the time of the fact or another person from whom it is possible to obtain further information about the incident; (v) description of the possible consequences of the accident; and (vi) indication of measures being taken to repair the damage and prevent further incidents.
5. Rights on the internet
5.1. Both must respect, in all its terms, LAW No. 12,965, OF APRIL 23, 2014, in particular, human rights, personality development and the exercise of citizenship in digital media; plurality and diversity; openness and collaboration and free enterprise and free competition and consumer protection.
5.2. They also guarantee the protection of privacy, protection of personal data and accountability of agents according to their activities, under the terms of the law, and also access to information, knowledge and participation in cultural life and in the conduct of public affairs, innovation and promotion of the wide dissemination of new technologies and models of use and access, and adherence to open technological standards that allow communication, accessibility and interoperability between applications and databases.
6. Other Responsibilities of C&M Software
6.1. C&M Software may not: (i) license; (ii) authorize the processing; (iii) transfer; (iv) share; (v) yield; (vi) sell; and/or (vii) hire any third party to process the information, including the INSTITUTION’s Personal Data, except with its express authorization. C&M Software may not treat the INSTITUTION’s Personal Data for purposes other than that provided for in the licensing.
6.2. When expressly authorized, C&M Software shall preserve the integrity and accuracy of the INSTITUTION’s “data block”, and shall update, correct or delete such data at its request.
6.3. C&M Software shall treat the “data block” solely and exclusively to comply with the purpose for which this Agreement is intended, in strict compliance with the GDPR, as they form a block of encrypted information for processing and forwarding the requested items.
6.4. C&M Software ensures that “data blocks” will not be processed by third parties (including subcontractors, authorized agents, affiliates, subsidiaries and parent company), unless expressly provided for in this Agreement and/or authorized in writing by the INSTITUTION. In this case, C&M Software guarantees that its third parties are obliged to have the same level of protection for personal data established in this Agreement as required for C&M Software. In any case, C&M Software will be responsible, within the limits provided by the applicable legislation, for the actions and omissions carried out by such third parties regarding the processing of personal data.
6.5. C&M Software also undertakes, in relation to the INSTITUTION, to: (i) not retain any personal data provided or owned by the INSTITUTION for a period longer than necessary for the fulfillment of its purpose under the terms of this Agreement and/or to the fulfillment of its legal obligations, as permitted by applicable law; (ii) upon termination of the Agreement for any reason, securely erase/destroy (upon written confirmation), or return to the INSTITUTION (when requested) all documents containing personal data, which you have had access to as a result of this Agreement, as well as any copy thereof, whether in documentary or magnetic form, unless their maintenance is required or ensured by current legislation; (iii) not process personal data in a location other than that established by the Parties; and (iv) collaborate with the INSTITUTION so that it ensures full compliance with the provisions set forth in the General Data Protection Law.
7. Data subject rights
7.1. The holder must have their requests to exercise the rights of Data Subjects under Data Protection Laws and Regulations.
7.2. It is forbidden to copy, transfer, duplicate, or perform any action aimed at creating a new database containing personal data.
7.3. Only INSTITUTION data is stored at C&M Software for legal and fiscal use.
8. Data and information security
8.1. It is the obligation of the parties, within the limits of action of each of them in relation to the data processing it carries out, to implement the necessary measures to guarantee a level of data security and mitigate possible risks and keep those related to security incidents up to date.
8.2. The security measures described in the Information Security Policy, Business Continuity Policy and others necessary for the INSTITUTION will be available in the respective Annexes to the Agreement, as well as available at https://br.cmsw.com/politicas/.
8.3. C&M Software will regularly carry out tests, evaluations and verifications of the effectiveness of the technical, administrative and organizational measures to ensure the security of the processes involving the Processing of the INSTITUTION’s Personal Data.
8.4. Said tests will be internal and made available to the INSTITUTION upon request and justification of the need.
9. System audit
9.1. The INSTITUTION may, at any time, request C&M Software to audit the systems that make up the operation of the licensed software.
9.2. Three auditors licensed and authorized by C&M Software will be appointed to the INSTITUTION.
9.3. The INSTITUTION must indicate, in detail, to the auditor the items that must be verified, as well as their purpose and destination.
9.4. The costs related to the audit will be borne by the INSTITUTION with prior authorization.
10. Obligation to indemnify
10.1. The party giving cause shall indemnify, defend and/or hold the other party harmless against any and all losses and any liability, loss, claim, damage, fine, penalty, expense (including, without limitation, fines, indemnity for direct damages demonstrably caused, costs of remedial efforts and attorneys’ fees, and costs arising out of or relating to any third party action, claim or allegation – including, without limitation, any regulatory or governmental authority) arising out of the breach of the Licensing Agreement between the parties and/or non-compliance with Data Protection Laws and Regulations, including, without limitation, in the event of a security incident and/or data leakage to which it gives cause.
10.2. If the ANPD imposes sanctions on the party that gives cause, related to the licensing, and fault, intent or other element of responsibility of the other party is found, the latter must bear the respective financial penalty – when applicable – and/or indemnify, including the damage to the image experienced.
10.3. The indemnification obligations between the parties will not be subject to any limitation of actions, arbitration provisions or any other similar limiting clauses.
10.4. The Parties will be individually responsible for the processing of personal data that they carry out and will not be considered responsible for such processing.
11. Final dispositions
11.1. At the end of the relationship between the parties and/or when one of them requests, upon eventual request of the holder, the other must eliminate, correct, anonymize and/or block access to the data, definitively or not, at the discretion of the INSTITUTION, which have been transmitted during the term of the license, extending to any copies, unless otherwise instructed.
11.2. C&M Software is responsible for the security and control of physical access to the servers, which process the data object of the license, all located in Brazil.
11.3. Any amendments to the Licensing Agreement and/or its Attachments when related to the INSTITUTION’s “data blocks” made between the parties, will only be valid when entered into in writing, signed by authorized representatives of both and it is not an eminently technical matter.
11.4. This amendment and all non-contractual or other obligations arising out of or in connection with it are governed by Brazilian law.
11.5. The provisions of this Term shall prevail over any inconsistencies between it and any other agreements between the Parties, including the Licensing Agreement, unless the document, expressly signed by the Parties, otherwise states.
11.6. Either party may propose variations to this amendment where necessary to meet the requirements of any changes in Data Protection Laws and Regulations.
11.7. If any provision of the present is invalid or unenforceable, under the terms of current civil law, the remainder will remain valid and in force. The invalid or unenforceable provision must be: (i) amended as necessary to ensure its validity and enforceability, preserving the parties’ intentions as much as possible or, if this is not possible; (ii) construed as if the invalid or unenforceable provision was never contained; (iii) always in compliance with the Law.