LGPD

Data processing policy - DONDONI SA


Based on best corporate governance practices, respecting the fundamental rights of freedom and privacy of our customers and in compliance with Law 13,709 of August 14, 2018 and Law 13,853 of July 8, 2019, which provides for the processing of personal data of natural persons and other protection and privacy standards, DONDONI SA resolves to formalize and disclose in a clear and transparent manner its rules for the processing of personal data, which will now be in force in all companies belonging to its business group.


BASIC CONCEPTS


What is LGPD?


LGPD is the acronym used to refer to the General Law for the Protection of Personal Data of natural persons (individuals). This law establishes rules for companies on the collection, storage, processing and sharing of personal data, as well as determining the rights related to data subjects.


What are Data Subjects?


These are the natural persons (individuals) to whom the data subject to processing refers.


What is Data Processing?


Any operation carried out with personal data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction.

What is Personal Data?


Personal data is data that, alone or combined, can identify a person. Examples of personal data that can allow your identification are: name, ID, CPF, filiation, date of birth, telephone, email, vehicle data, address and geolocation, among others.


What is Sensitive Personal Data?


These are data that allow the identification of personal characteristics that give rise to discrimination. This definition includes personal data on racial or ethnic origin, religious beliefs, political opinions, membership of a trade union or organization of a religious, philosophical or political nature, data relating to health or sexual life, genetic or biometric data.


What is DONDONI SA?


DONDONI SA is the trade name of the group of companies belonging to DONDONI SA, together with the companies that have any of the partners of DONDONI SA in their corporate structure and that are managed by it.


What is the CONTROLLER in the LGPD?


For the purposes of compliance with the LGPD, CONTROLLER is the legal entity responsible for decisions regarding the processing of personal data.


DONDONI SA CONTROLLER'S DATA:


DONDONI IN


800, Martello – Hunter – Santa Catarina


MOBILE 89.510-770


CNPJ: 43.787.276/0001-74


What is the OPERATOR in the LGPD?


It is the legal entity that processes personal data on behalf of the CONTROLLER. For the purposes of this Policy, the OPERATORS are all companies belonging to Dondoni SA as defined below.


What companies belong to DONDONI SA?


The parent companies and their subsidiaries are considered, as well as others that are acquired or incorporated by Dondoni SA or its partners and are managed by it. Below is a list of the parent companies, updated in September 2022:


What is the Data Protection Officer (DPO)?


The DPO, an acronym in English that refers to “Data Protection Officer”, is the person in charge of data processing appointed by the Controller. The DPO’s activities consist of receiving and analyzing complaints and communications from Data Subjects, providing clarifications and taking measures; receiving communications from the national authority and taking measures; guiding employees and contractors of companies belonging to Dondoni SA regarding the practices to be adopted in relation to the protection of personal data; monitoring the evolution of legislation and best practices within the interests of the Controller and the Data Subjects.


DONDONI SA DPO data:


Rafael EM


Email: dpo@dondonisa.com.br


Address: 800 Engineer Lourenço Faoro Avenue


Martello neighborhood


89.510-770 Hunter - Santa Catarina


The DPO will handle your request and respond within the legal deadlines stipulated.


DEFINITIONS


PURPOSE - Why do we process your data?


We process your data in accordance with the PURPOSE of DONDONI SA, which in short is “why” the companies in this business group exist. The PURPOSE, LEGITIMATE INTERESTS and LEGITIMATE PURPOSES of the CONTROLLER are considered to be all activities related to the business of companies belonging to DONDONI SA, including, but not limited to, sales of new vehicles of the brands with which it has a concession contract, sales of pre-owned and used vehicles, financing proposals, sale of parts and technical assistance services, sales of accessories and boutique, sale of consortium quotas, general insurance, dispatch service, hiring of employees from the beginning of the selection process, customer prospecting, store flow control, evaluation of pre-owned and used vehicles, dissemination of marketing campaigns and its products and services, promotional events, CRM, Call Center, service scheduling, satisfaction surveys, sales simulation, product and service quotes, leads and simulations on digital platforms, invitations to events, collection and credit protection, credit analysis, legal collections, fraud prevention, prevention of money laundering, as well as all other related activities inherent to the commercial and administrative activities of companies in this economic group.


Form of Processing and Legal Basis


The LGPD provides several legal bases that allow the collection and processing of personal data. DONDONI SA has a clear and well-defined PURPOSE both legally and in the consumer's perception. Our Data Processing Policy relies on the legal bases for the collection and processing of data set out in items “I”, “II”, “V”, “VI”, “IX” and “X” of article 7 of Law 13.709, and only the cases provided for in item “I” require the consent of the data subject. Each of these legal bases is defined below:


I – With Consent from the Holder: We use this legal provision in the event of a possible need to collect or process any SENSITIVE DATA;


II - For compliance with a legal or regulatory obligation by the controller: As an example, we can mention the activities of Servopa Administradora de Consórcios, which is regulated by the Central Bank. There is a legal framework that regulates the consortium system and clear rules on which data must be mandatorily processed and collected in order to comply with legal provisions. Similarly, there are tax regulations for issuing invoices, which must be complied with regardless of the data subject's consent;


V - When necessary for the execution of a contract or preliminary procedures related to a contract to which the data subject is a party, at the request of the data subject: As an example, we can mention the purchase of a car. There is a process of preliminary procedures while the consumer and the company are in negotiation. In the event of the transaction being completed, it is considered as the execution of a contract, and all data legally required for the transaction can be collected and processed;


VI - For the regular exercise of rights in judicial, administrative or arbitration proceedings: To carry out data processing in order to protect the right of defense of the Controller or third parties, in accordance with the constitutional precepts of broad defense and adversarial proceedings;


IX - When necessary to meet the legitimate interests of the controller: We rely on this hypothesis primarily in cases of collection and processing for the purpose of advertising and marketing actions. In this case, we limit the personal data collected and processed to the minimum necessary for the purpose used. As an example, we can mention “leads” on our digital platforms, where the consumer voluntarily fills in their information and we basically collect the data necessary to return contact and meet their demand.


X - For credit protection, including as provided for in the relevant legislation: The area of credit protection, fraud prevention, among others that are part of this hypothesis, has specific regulations that allow the processing of personal data for this purpose.


Data Collection from Children and Adolescents


In compliance with legal requirements, the collection or processing of data from individuals under 16 years of age is not permitted, except with the express consent of one of their parents or legal representative.


If we detect holders who may be under 16 years of age, specific consent from the minor's parents or legal representative will be essential to continue offering our products or services.


Duration of Data Processing and Storage


The Company has a Personal Data retention policy in accordance with current legislation. Personal Data is stored only for as long as necessary to fulfill the purposes for which it was collected, always respecting any legal, regulatory, contractual obligations, among others.


As an example of a legal obligation, the Central Bank of Brazil determines that the data of consortium group participants must be kept for 10 (ten) years after the group is closed. In the case of issuing invoices, for the purchase of automobiles for example, tax legislation requires that data be kept for 5 (five) years.


Sharing of Personal Data


The sharing of personal data is carried out primarily on occasions when it is necessary to comply with a legal obligation, a contractual obligation or a need that is justified by the PURPOSE of DONDONI SA. Some examples:


Companies must share data with the Federal Revenue Service;

Companies must share data by court or government agency requests, official letters, subpoenas, etc.;

Vehicle dealerships share data with automakers, due to contractual necessity and to meet the PURPOSE of these companies, which use the data to safeguard compliance with legal and contractual guarantees, satisfaction surveys, Recall information, among others that also serve the interests of Data Subjects;

With suppliers that act concurrently within the PURPOSES of DONDONI SA, such as window film installers, bodywork treatment, financial institutions, data triggering agencies via digital channels, insurance companies, dispatchers, Detran and similar, document storage companies, CEF dispatchers or affiliates (FGTS) among others;

Sharing with credit analysis companies;

Companies belonging to GRUPO DONDONI may share data among themselves to carry out their activities in compliance with legal provisions.

DONDONI SA does not sell or share personal data outside of legal provisions, and personal data is processed in accordance with the General Data Protection Law and in full accordance with the rights and interests of Data Subjects.


Responsibilities of Processing Agents


The processing agents are the CONTROLLER and all companies belonging to the SERVOPA GROUP. Personal Data processing activities must observe the principle of good faith, respect the imposed legal provisions and must be clear and transparent to the Data Subject, be adequate and compatible, preserving quality and accuracy, guaranteeing the Data Subject compliance with accurate and easily accessible information when requested. They must respect:


I - Purpose: carrying out the processing for legitimate, specific, explicit purposes informed to the holder, without the possibility of subsequent processing in a manner incompatible with these purposes;


II - Adequacy: compatibility of the processing with the purposes informed to the holder, according to the context of the processing;


III - Necessity: limitation of processing to the minimum necessary to achieve its purposes, covering pertinent, proportional and non-excessive data in relation to the purposes of data processing;


IV - Free access: guarantee, to the holders, easy and free consultation on the form and duration of the processing, as well as on the completeness of their personal data, through the communication channels with the DPO;


V - Data quality: guarantee to data subjects of accuracy, clarity, relevance and updating of data, according to the need and to fulfill the purpose of its processing;


VI - Transparency: guarantee, to the holders, of clear, precise and easily accessible information about how the processing is carried out and the respective processing agents, observing commercial and industrial secrets;


VII - Security: use of technical and administrative measures capable of protecting personal data from unauthorized access and accidental or unlawful destruction, loss, alteration, communication or dissemination;


VIII - Prevention: adoption of measures to prevent the occurrence of damages due to the processing of personal data;


IX - Non-discrimination: impossibility of carrying out processing for unlawful or abusive discriminatory purposes. DONDONI SA repudiates and does not support any act of discrimination and is against any data processing for unlawful or abusive discriminatory purposes;


X - Responsibility and accountability: demonstration, by the agent, of the adoption of effective measures capable of proving observance of and compliance with personal data protection standards, including the effectiveness of these measures.


Security of Collected Data


All data provided by the HOLDER will be stored and processed in accordance with the security and technology protocols recommended by good market practices, in order to ensure, in the best possible way, the privacy, confidentiality and protection of the personal data of each HOLDER, without prejudice to the inviolability of the HOLDER's privacy and private life.


The companies belonging to DONDONI SA adopt solid Information Security practices, which are subject to constant review through inspections and are kept consistently up to date with the best information security practices.


Companies belonging to DONDONI SA use and adopt security processes, techniques, mechanisms and procedures aimed at preventing and providing due protection, including during transmission, against possible security incidents, occurrences or suspicions of unauthorized access, use, alteration, appropriation and destruction by third parties, likely to compromise or threaten the integrity, confidentiality, authenticity and availability of Personal Data.


The Rights of the HOLDER in relation to the Processing of Personal Data


The holder of personal data has the right to obtain from the controller, at any time and upon formal request through one of the DPO's contact channels, the following in relation to the holder's data processed by the controller:


Confirmation of the existence of the processing of Personal Data;

Access to which data is processed;

Correction of incomplete, inaccurate or outdated data;

Anonymization, blocking or deletion of unnecessary, excessive data or data processed in non-compliance with current legislation;

The portability of data to another service or product provider;

Information about the public or private entities with whom we share your data;

Deletion of personal data processed with the consent of the holder, except for data relating to compliance with a legal or regulatory obligation by the controller;

Information about the possibility of not providing consent and the consequences of refusal;

Revocation of consent;

Objection to data processing.

IMPORTANT NOTICES


For your safety, whenever you submit a request to exercise your rights, the Company may request some additional information and/or documents so that we can verify your identity, seeking to prevent fraud. We do this to ensure everyone's safety and privacy.

In some cases, the Company may have legitimate reasons for not complying with a request to exercise rights. These situations include, for example, cases where disclosure of specific information could violate the intellectual property rights or trade secrets of the Company or third parties, as well as cases where requests for deletion of data cannot be fulfilled due to the Company’s obligation to retain data, whether to comply with legal or regulatory obligations or to enable the Company or third parties to defend themselves in disputes of any nature.

Furthermore, some requests may not be responded to immediately, but the Company undertakes to respond to all requests within a reasonable timeframe and always in compliance with applicable legislation.

If the data subject wishes to exercise his/her right to consultation or clarification, simply contact our Data Processing Officer (DPO) via one of the channels listed below.

Rafael EM


Email: dpo@dondonisa.com.br


Address: 800 Engineer Lourenço Faoro Avenue


Martello neighborhood


89.510-770 Hunter - Santa Catarina



Updates to this Data Processing Policy


As we are always seeking to improve our services and the way we operate, this Data Processing Policy may be updated to reflect the improvements made. Therefore, we recommend that you visit this page periodically so that you are aware of any changes made.



This Policy was last updated on August 12, 2022.