PRIVACY AND DATA PROTECTION POLICY
Brazilian Mining Institute (‘IBRAM’ or ‘Institute’), a national non-profit private organization, was established to represent companies and institutions that operate in the mining field, aiming to establish an environment that benefits business, competitiveness and sustainable development.
Through its actions, IBRAM intends to promote Brazilian mining industry, foster research, development, innovation and use of the best technologies available. It also intends to provide venues to exchange knowledge and experiences, hosting congresses, exhibits, courses, seminars, as well as enable competitiveness, fostering sustainable development, respect to the environment and use of the best labor safety and health practices for the workers engaged.
Within the scope of its performance, IBRAM cares for freedom of speech, information, communication, opinion, as well as data protection. Against this background, the present Privacy and Personal Data Protection Policy (‘Policy’) has been developed, fostering, especially: respect for privacy; informative self-determination; inviolability of intimacy, honor and image; economic, technological and innovation development; and other principles essential to economic, social and individual development.
Likewise, considering the global Personal Data Protection principles, standards and guidelines reflected in this Policy, IBRAM's Board, engaged and aware of social demands and legislative changes, restates through this Policy its commitment to people's essential rights and liberties, especially the right to Personal Data protection and privacy.
Within this Policy, we have adopted the following terms listed with the following meanings:
- Anonymization: use of reasonable and available technical means at the time of treatment, through which data loses the possibility of direct or indirect association to an individual;
- National Data Protection Authority (‘ANPD’): Public Administration agency responsible for inspecting compliance with General Data Protection Law (‘LGPD’) within all national territory;
- Database: structured set of Personal Data, kept in one or several locations, in electronic or physical support;
- Legal Framework: legal framework that makes Personal Data Handling legitimate for a specific purpose;
- Block: temporary suspension of any Personal Data Handling operation;
- California Consumer Privacy Act (‘CCPA’): It is a Data Protection law of California State, USA, aimed at the consumer. It gathers rules that can be followed by companies that handle Personal Data in the state.
- Consent: free, informed and unequivocal manifestation, through which the Holder agrees with Personal Data Handling for a specific Purpose. It is worth noting that Consent is not the only Legal Framework that authorizes Data Handling, it is only one of the assumptions;
- Data Controller or Controller: natural or legal person that, severally or jointly with another party, sets forth IBRAM Personal Data Handling Purposes and means.
- Anonymized Data: data related to a Holder that cannot be identified, considering the usage of reasonable and available technical means at the Handling time;
- Personal Data: all information related to an identified or identifiable natural person, including, but not limited to, name, last name, nickname, age, home or electronic address, and it can include location data, automobile license plates, purchase profiles, academic data, purchase history, among others;
- Sensitive Personal Data: data related to individual personality characteristics and/or personal choices, including racial or ethnic origin, religious belief, political opinion, membership to union or religious, philosophical or political organization, data related to health or sex life, genetic or biometric data, whenever linked to a natural person;
- Data Protection Officer (‘DPO’ or ‘Officer’): natural or legal person appointed by IBRAM, as a communication link between Controller, data Holders and ANPD;
- Personal Data Elimination: deletion upon Personal Data Handling end or compliance with Purposes, legal rulings and/or Holder requests, whenever there is not Anonymization;
- General Data Protection Regulation (‘GDPR’): General Data Protection Regulation passed by European Parliament and European Union Council, in order to set forth rules on European Union citizen Privacy and Data Protection.
- Legitimate Interest: Legal Framework that can ground personal data handling for legitimate purposes, considered as from concrete situations, as per LGPD art. 10;
- Operator: a natural or legal person that handles Personal Data on behalf of Data Controller;
- Personal Data Retention: storage of all Personal Data provided by the Holder to IBRAM, for its activity performance or even occasional Elimination request;
- Third parties: the ones that are not part of IBRAM organizational structure;
- Holder: person to whom Personal Data subject to any Handling is referred to;
- Data Transfer: Personal Data transfer, whether national (locally in Brazil to any natural or legal person) or international (to a foreign country or international agency to which the country is a member);
- Handling: any operation or operation set performed by means of Personal Data, by automated means or not, including collection, registration, organization, storage, adaptation or change, recovery, consultation, use, disclosure by transmission, transfer, dissemination or other form of provision, alignment or combination, blockage, broadcast, extraction, elimination or destruction; and
- Personal Data Violation: any offense, whether real or suspected, of security that causes total or partial data destruction, as well as composition loss or change. What is more, Personal Data Violation is considered Personal Data unauthorized disclosure or transmission, storage, change or improper access in any other way.
This Policy sets forth specific guidelines and parameters, aiming at compliance and adequacy of IBRAM with rules in force of Law no. 13.709/18, General Data Protection Law (‘LGPD’), as well as Personal Data use and handling good practices.
It is also intended, thus, to defend mining industry interest to provide quality services, in Brazil and overseas, and in compliance with LGPD, especially, in relation to IBRAM internal policies, as well as its values, principles and operating procedures.
This Policy intends to describe procedures/behaviors that assure and reinforce IBRAM commitment not only in relation to compliance with LGPD, but also with practices and regulations to be followed during Personal Data Handling activity and operation performance executed by the Institute and by this Policy addressees.
Moreover, IBRAM intends, through this Policy, to ratify its commitment to the information safety of all relevant players in its activities, whether they are customers, business partners, service providers or third parties.
This Policy is designed to IBRAM employees, whether permanent or temporary, associates, business partners, service providers, third parties that work on behalf of the company, and also to Personal Data Holders.
Applicable laws and regulations
Present Policy has been developed based on standards provided in Brazilian laws and regulations, especially LGPD, in principles provided in other local legal rulings related to the topic, and in international treaties that Brazil Federative Republic is a part of.
Internet Civil Milestone Law (Law no. 12.965/14), Consumer Defense Code (Law no. 8.078/90), Civil Code (Law no. 10.406/02), Competition Defense Law (Law no. 12.529/11) and the 1988 Brazil Federative Republic Constitution shall also be observed, as well as other standards, as applicable.
Personal Data Handling Principles
Within Personal Data Handling, IBRAM shall consider and comply with the following Personal Data Handling legal principles:
- Adequacy: Personal Data Handling shall be compatible with the Purpose reported to its Holder, that is, it shall comply with Purposes intended to the scope;
- Purpose: Personal Data shall be gathered to the defined, express and legitimate goal at the time of its handling. Thus, Personal Data gathered shall not be used to a different purpose than the one reported to its Holder;
- Lawfulness: Personal Data Handling shall be considered legal, if it is grounded in at least one of the Legal Frameworks set forth in this Policy;
- Free Access: easy and free consultation shall be assured to the Holder concerning the Handling form and duration, as well as Personal Data completeness;
- Non Discrimination: Personal Data cannot be handled for discriminating, unlawful or abusive purposes;
- Need: handling limitation to minimum required to achieve the Purpose, preventing excessive Personal Data Handling;
- Prevention: measures to prevent damages due to Personal Data Handling shall be adopted;
- Quality: Handled Personal Data needs to be accurate, clear, relevant and updated according to the need and for compliance with its Handling Purpose;
- Accountability: Controller shall be responsible for enforcing compliance and evidence of compliance of each Personal Data Handling operation with requirements set forth in this Policy;
- Safety: Personal Data shall be processed in order to assure proper safety to process, including protection against unauthorized or improper Handling, and against accidental loss, destruction and damage, using adequate technical and organizational measures;
- Transparency: where Personal Data is gathered, the Holder shall be aware, and also previously informed of whom shall be: Data Controller(s); Operator(s); Officer; Third Party(ies) to whom Personal Data can be transmitted; and Handling goal(s).
Personal Data Protection
Every IBRAM employee, whether permanent or temporary, as well as business partners, service providers and third parties that act on its behalf, shall comply with every local law related to Personal Data Protection and to the protection of the rights and liberties of Holders whose Personal Data is eventually handled within the scope of their professional operation.
IBRAM privacy management structure aims to assure adequate protection of Personal Data Handling, and to:
- comply with IBRAM Personal Database management specific requirements;
- support developed project goals and obligations related;
- enforce controls in compliance with developed project risk acceptable level;
- enforce compliance with applicable legal, regulatory, contractual and/or professional obligations; and
- protect Personal Data Holder interests.
Personal Data Use
Within its activity performance, and as long as this Policy's standards and guidelines are complied with, IBRAM can use Personal Data:
- to perform personnel recruitment/selection;
- to register, identify and monitor people access to events (e.g. congresses, lectures, symposiums) held by IBRAM;
- to develop event management reports;
- to perform business partnerships, development and compliance of services provided;
- for email marketing (‘Mailing’), with the goal of contacting Personal Data Holder, by means of informative newsletters, marketing, promotional materials, and other means;
- to contact the Holder (e.g. through email, telephone calls, SMS or other digital means), as long as previously and specifically consented;
- to share with service providers and business partners, as long as they are authorized, in order to develop its activities.
- for credit protection (e.g. query on Serasa) in its business transactions; and
Sensitive Data Handling
Within IBRAM performance, Sensitive Personal Data Handling shall be performed to the following Purposes:
- filling in form(s) including union/political party membership information;
- digital and facial biometrics;
- medical document control (e.g. hiring medical exam, toxicological exam, COVID-19 exam and other labor medical exams); and
- filling in form(s) with personal information in its Database (e.g. Passport Number).
IBRAM also acknowledges the relevance and specificity related to Sensitive Personal Data Handling, and thus it is committed with adopting special safeguard measures (e.g. data segregation; encryption; anonymization).
Personal Data Handling within IBRAM performance scope is based on legal grounding(s), as provided in LGPD. Thus, the legal ground shall be identified and registered at first. Nevertheless, handling without any legal framework or ground shall be considered illegal and shall be interrupted immediately.
Therefore, the procedure abovementioned can be backed by at least one of the Legal Frameworks provided as follows:
- Personal Data Holder previous consent;
- compliance with legal or regulatory obligation;
- whenever required to execute the contract or preliminary procedures related to contract of which the Holder is a party, at request of Personal Data Holder;
- compliance with a task performed at public interest, or to regular right performance in judicial, administrative or arbitration proceeding;
- to protect Holder or Third Party life or physical integrity;
- Legitimate Interest, except in cases in which Holder fundamental rights and liberties prevail that require Personal Data protection; and
- credit protection.
IBRAM, within its performance, shall observe preferably Personal Data Handling based on Data Holder Consent. For that, Personal Data Operator(s), following guidelines set forth in this Policy, shall assure and certify that the Holder provided Consent in free, specific and previously informed way.
Concerning that, Consent shall be provided as express, unequivocal and clear statement of Personal Data Holder. On the other hand, if it is achieved by coercion or based on misleading information, Consent shall not be considered valid legal framework for Personal Data Handling by IBRAM.
Notwithstanding, Personal Data Holder can also revoke Consent, at any time, by means of express manifestation forwarded to IBRAM in the person of the Officer, through communication means provided by the end of this Policy.
What is more, in case Operator(s) identify that the Consent Legal Framework was not complied with or that Consent was not obtained in a valid and lawful way, Personal Data Handling shall be immediately stopped and IBRAM, in the person of the Officer, shall be promptly notified.
Data Holder Rights
IBRAM, within this Policy scope and its performance, shall enforce and observe the following Holder rights:
- access right to information on Personal Data Handling, kept and/or eventually disclosed or transferred;
- right to oppose, limit, stop or prevent Handling;
- right to correct any Personal Data mistake;
- right to eliminate Personal Data from Personal Database, except for legal storage assumptions;
- right to receive Personal Data within a structured, legible format;
- right to revoke Consent to relevant Personal Data Handling Purpose;
- right to information on IBRAM relation consequences;
- right to Personal Data portability, by means of request, so that Personal Data Handled is transferred to another service provider assigned by Holder; and
- right to Anonymization or Blockage, by means of request in advance.
However, it is important to observe that Holder rights are not absolute, as IBRAM is subject to comply with legal obligations enforced due to LGPD and other norms and/or regulatory obligations.
The point is that, in specific situations, Personal Data can be essential to regular right performance in judicial, administrative or arbitration procedure, and such facts can be impediment assumptions to comply with specific Personal Data Holder requests.
In case of a right performance request by a Personal Data Holder, Operator(s) shall, in compliance with guidelines provided in this Policy, check for any eventual impediment assumption for Holder right performance. In case of impediment, Operator(s) shall also register and report it to the DPO, so that the Holder is, justifiably, notified on non-compliance.
Personal Data Safety
Every employee, whether permanent or temporary, is responsible for assuring that Personal Data handled by IBRAM is kept safely, by means of adequate technical/organizational measures, to prevent Violation of Personal Data kept under company control.
Likewise, Personal Data can be accessed only by those natural/legal persons to whom individualized access was granted or authorized. Any kind of action that results in improper change, violation or access at a hierarchy level not authorized/allowed by IBRAM is thus strictly forbidden.
On the other hand, inoperative/inactive Personal Data shall be disposed of or anonymized (coded/encrypted) for Holder or IBRAM safety, according to guidelines provided in this Policy.
Finally, IBRAM highlights that its website can include links to other websites that are not operated by the company. It is warned, however, that IBRAM does not control electronic domains kept by other natural/legal persons, and it is not responsible thus, for: content; websites; privacy policies; or any third party services not directly related to its activities.
Personal Data Disclosure and Transfer to Third Parties
Disclosures without Holder Consent shall be allowed only whenever information is requested under one or more of the following assumptions:
- for compliance with legal or regulatory obligation of IBRAM;
- Personal Data shared Handling required to execution, by public administration, of public policies provided in laws or regulations;
- regular right performance, including in contract and judicial, administrative and arbitration proceeding, as per applicable laws and regulations;
- to protect Holder or Third Party life or physical integrity;
- credit protection, including applicable laws and regulations provisions;
- whenever required, to comply with IBRAM or Third Party legitimate interests, except in case Holder fundamental rights and liberties that demand Personal Data protection prevail.
Thus, every Personal Protection provision request based on abovementioned assumptions shall be backed by adequate documentation and specifically authorized by Personal Data Handling Officer.
Foreigner Personal Data Transfer and Handling
In case of Foreigner Personal Data Handling and/or Personal Data International Transfer, IBRAM shall evidence and formalize Handling or Transfer, as the case may be, observing, especially, principles, legal limits and holder rights, in compliance with provisions of LGPD art. 33 and other applicable legal diplomas (e.g. ‘GDPR’; ‘CCPA’).
Likewise, IBRAM shall observe local standards and guidelines, and assess aspects of each case individually (e.g. adequate personal data protection level, as provided in LGPD, global corporate standards, seals, certificates and others), assuring transferred data confidentiality, privacy and secrecy.
Personal Data Storage, Retention and Elimination
Personal Data shall be retained by the period required to comply with works developed by IBRAM or to perform other legal assumptions, according to this Policy item 10. If not, Elimination shall be adopted, or yet, Personal Data Anonymization, which can only be performed in compliance with guidelines set forth in this Policy.
Personal Data kept by means of manual or electronic records that reached Retention date shall be disposed of as ‘confidential garbage’, placed in obsolescence, removed and destroyed immediately. However, considering that the online tools and methodologies deployed provide more reliability and lower exposure to leakage, loss and other safety incidents, IBRAM does not encourage manual record use, especially for records related to Personal Data.
In case of eventual request of Personal Data Elimination by Holder, IBRAM reserves the right to keep it in its Database, to comply with legal obligations, settle disputes, keep safety, prevent frauds, abuses, assure contract compliance, or yet, provide information to public agencies, as Personal Data shall be anonymized.
Present Policy is subject to ongoing improvement and enhancement, to assure further Personal Data Holder Transparency and Safety. Thus, IBRAM reserves the right to change at any time, in unilateral way, the present document.
Notwithstanding, IBRAM's Board shall notify eventual Policy change. Likewise, it is considered, to the purposes adopted in this Policy, that Personal Data Holders shall agree automatically with performed modification content.
Policy Effectiveness and Compliance
IBRAM shall adopt every means and enforcement required to assure effective compliance with this Policy, including Policy disclosure, adherence to agreement terms, contractual adequacies, training, disciplinary sanctions and other measures required.
BRAZILIAN MINING INSTITUTE – IBRAM