Last updated: April 04, 2023.
This document, hereinafter referred to as “Disclaimer” (Annex of Use, Contract or Terms), sets out the general conditions of privacy and personal data protection that are standard for all contracts concluded by the company “Deal” regardless of their nature. The company “Deal” is DEAL TECHNOLOGIES LTDA, a legal entity of private law, enrolled in the CNPJ/MF under No. 04.799.829/0001-57, headquartered in the State of São Paulo, Municipality of Barueri, located at Rua Alameda Rio Negro, 503, conjuntos 2201 e 2202, Alphaville, CEP: 06454-000, and in this document will be referred to as “Deal”.
The present Term defines the general conditions for privacy and personal data protection that will be applied in all contracts entered into by the Contractor. All references to the “Contract” or “Instrument” in this Appendix shall be deemed to refer to all contracts concluded by Deal.
SUPPLIER, a legal entity governed by private law, registered in the CNPJ under no. ____________________________________, with its registered address at _______________________________________, Neighborhood _______________________________________, ZIP Code ______________________; herein represented in the terms of its Articles of Incorporation, hereinafter referred to as CONTRACTED.
Deal Technologies Ltda. and all companies controlled, directly or indirectly, by Deal will be denominated, collectively, as “Deal Group” or individually referred to simply as “Deal”, without prejudice to being considered of themselves as autonomous and individualized parties and not jointly liable among themselves.
The dispositions of this Term regulate hypotheses in which there can be treatment of personal data or not. Thus, when celebrating the Contract with the COMPANY, except for eventual adjustments agreed upon between the Parties and specifically foreseen in the SUPPLIER itself, the SERVICE PROVIDER will be declaring awareness and agreement with the terms of this Term, committing to fully comply with it, regardless of the date of instrumentalization and signature of the Contract, according to the context in which it fits as Operator or Controller, according to the factual contractual situation between the Dealer and Supplier.
For the purposes provided for in this Term and the Contract, the following terms shall be interpreted in accordance with Brazilian law, notably Law No. 13,709, dated August 14, 2018 and any subsequent amendments (the “General Law for the Protection of Personal Data” or “LGPD”), with the following meanings:
(i) “ANPD” or “National Personal Data Protection Authority” means the ultimate regulatory authority to dispose of personal data protection matters in Brazil.
(ii) “Master Agreement” means the Service Agreement entered into between one of the companies of the Deal Group and the respective Supplier.
(iii) “Controller” means the natural or legal person, of public or private law, who is in charge of the decisions regarding the Processing of Personal Data, that is, under the terms of the present ANNEXE, Deal.
(iv) “Personal Data” means any information relating to an identified or identifiable natural person, i.e. having the potential to be used, directly or indirectly, alone or in combination, to identify a natural person.
(v) “Sensitive Personal Data” means any Personal Data concerning racial or ethnic origin, religious belief, political opinion, membership of a trade union or religious, philosophical or political organization, data concerning health or sex life, genetic or biometric data when linked to a natural person;
(vi) “Data Protection Legislation” means any national legislation, decrees, regulations, including regulatory standards issued by the ANPD, applicable to the protection of privacy and Personal Data in the context of the Processing of Personal Data, including but not limited to the General Law on Personal Data Protection.
(vii) “Security Incidents” means any unauthorized access to Personal Data and accidental or unlawful destruction, loss, alteration, communication or any form of inappropriate or unlawful Processing of Personal Data.
(viii) “Processor” means the natural or legal person, governed by public or private law, who carries out the Processing of Personal Data on behalf of the Controller and in accordance with its legal instructions, i.e., pursuant to this ANNEX, the SUPPLIER.
(ix) “Sub-Operator” means any natural or legal person contracted by Provider and who will carry out Processing of Personal Data under the responsibility of Provider for the purposes of this ANNEX.
(x) “Personal Data Subject” or “Data Subject” means the natural person to whom Personal Data which is the subject of Processing refers.
(xi) “Processing” means any operation carried out with Personal Data, such as those relating to the collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation or control of information, modification, communication, transfer, dissemination or extraction of data.
PERSONAL DATA PROTECTION: CONTROLLER – OPERATOR
1. PROTECTION OF PERSONAL DATA – In situations where the Contract implies the Treatment of Personal Data in which the COMPANY acts as controller and the SUPPLIER as Operator, the following provisions will apply.
1.1 Each Party undertakes to comply with the provisions of the Data Protection Legislation in the execution of the object of the Contract. Depending on the nature and definition in the Contract, the SUPPLIER may perform the Processing of Personal Data on behalf of Deal under the terms of this ANNEX. The SUPPLIER agrees to: (i) limit access to the Personal Data it processes on behalf of Deal to its employees who need access to such Personal Data to perform their duties; and (ii) ensure that such employees are trained with regard to the confidentiality obligations set forth in this clause and the Agreement and agree to comply with them.
1.2 The SUPPLIER will process Personal Data solely and strictly necessary for the performance of the Agreement and in accordance with Deal’s legal instructions. The SUPPLIER will not process Personal Data for any other purpose not foreseen in this Agreement, unless previously authorized in writing by Deal’s legal representative(s).
1.3 The SUPPLIER may not transfer or disclose Personal Data to any third party without the prior express written consent of Deal, including a Sub-Operator. If authorized by Deal to disclose Personal Data to any Subcontractor, the SUPPLIER shall sign a written agreement with the respective Subcontractor, remaining jointly and severally liable with the latter, and such agreement shall contain provisions for data protection no less stringent than those set forth in this Agreement. If requested by Deal, the SUPPLIER shall provide within 5 (five) days copies of the contracts executed (or to be signed) with the Subcontractors for Deal’s review.
1.3.1. Notwithstanding any authorization from Deal regarding SUPPLIER’s Subcontractors, the SUPPLIER shall ensure that such Subcontractors are able to comply with the Data Protection Legislation as well as the terms of this Agreement. The SUPPLIER shall remain jointly and severally liable for any Processing of Personal Data performed by a Subcontractor of SUPPLIER, even if such subcontracting has been authorized by Deal.
1.4. The SUPPLIER and its subcontractors may not transfer abroad any Personal Data related to the Contract, including in relation to the storage of data in cloud computing, unless previously authorized in writing by Deal. In any case, even if authorized by Deal, the international transfer of Personal Data will be subject to the observation of the permissive hypotheses of international transfer of Personal Data foreseen in the Data Protection Legislation and the existence of safeguards of the Treatment of Personal Data in writing. The SUPPLIER shall ensure compliance with the principles and rights of Data Subjects set forth in the Data Protection Laws with respect to any Personal Data transferred abroad in any case.
1.5 Within fifteen (15) days (a) after the Personal Data is no longer needed for the purposes of the Agreement, or (b) after the end of the term of the Agreement, or, (c) for any reason, by decision of Deal, the SUPPLIER shall return or destroy all Personal Data in its possession or control as a result of the Agreement. Notwithstanding the foregoing, the SUPPLIER may keep a copy of the Personal Data necessary to comply with the period provided for by applicable law, in which case the SUPPLIER shall inform Deal which Personal Data will be kept, the period for which it will be kept and the legal basis justifying such retention. After the end of the legal period, the SUPPLIER shall immediately destroy the referred Personal Data. In such event, the obligations concerning Personal Data set forth in this Agreement shall continue in effect until all such Personal Data has been destroyed.
1.6. Notwithstanding any obligations under the Agreement or this ANNEX establishing standards for systems, applications, data files, and other technology tools, the SUPPLIER warrants that it has adopted and implemented, and will maintain during the term of the Agreement, organizational and technical security measures to protect Personal Data against improper destruction, unauthorized or unlawful sharing, accidental loss, alteration, unlawful access or disclosure and/or any form of unlawful or improper Processing of Personal Data. The adequacy of such measures shall be assessed in light of the state of the art, the cost of implementation, the nature of the Personal Data and the risk to which the Personal Data are exposed. Such measures shall be at least equal to or greater than, cumulatively: (i) any regulation set forth by the ANPD or other competent government body; (ii) the COMPANY’s industry standards; and (iii) measures the SUPPLIER adopts to protect other Personal Data in its possession or control.
1.7. You agree that the SUPPLIER, its agents, subcontractors, affiliates, subsidiaries, affiliates, agents, subsidiaries and licensors shall not be liable to you or to any third party for any breach of this Agreement, nor shall you or the SUPPLIER have any liability whatsoever for any breach of this Agreement. Such notice shall, at a minimum:
(a) describe the nature of the Personal Data affected, the categories and number of Personal Data subjects concerned;
(b) provide information on the Personal Data subjects concerned;
(c) provide information on the technical and security measures used for the protection of Personal Data;
(d) communicate the name and contact details of the person in charge or responsible for protecting the Personal Data of the SUPPLIER;
(e) describe the probable consequences and risks related to the Security Incident;
(f) describe the measures taken or proposed to be taken to resolve the Security Incident; and
(g) describe the measures that have been or will be taken to reverse or mitigate the effects of the losses related to the Security Incident.
1.7.1. as directed by Deal to assist in the investigation, mitigation and remediation of each Security Incident, allowing Deal to (i) conduct a thorough investigation into the Security Incident, (ii) formulate a correct response and adopt additional appropriate measures in relation to the Security Incident in order to meet any requirements of applicable law.
1.7.2 The Parties agree to coordinate and cooperate in good faith in developing the content of any related public statements or any notices required by Holders affected by the Security Incident or the ANPD. The SUPPLIER shall not inform any third party without first obtaining Deal’s prior written consent, unless notice is required by law to which Deal is subject. In such case, the SUPPLIER shall, to the maximum extent permitted by applicable law, inform Deal of such legal requirement, provide a copy of the proposed notification(s), and consider the comments made by Deal, before notifying any third party of the Security Incident.
1.7.3 If Deal incurs any costs, direct or indirect, as a result of the Security Incident, including investigating, remediating, and mitigating its impact, the SUPPLIER agrees to reimburse Deal for such costs. Upon satisfactory correction of the Security Incident, the SUPPLIER agrees to take actions reasonably necessary to prevent a recurrence, and will provide written statements to Deal about the appropriate measures that have been taken to protect the SUPPLIER against the threat of a similar occurrence.
1.8 The SUPPLIER will immediately notify Deal of any request received from a Data Subject whose Personal Data is being processed by the SUPPLIER under the Agreement. The SUPPLIER agrees to comply with all reasonable instructions requested by Deal regarding the response to such individual request and not to respond to any request from a Data Subject directly. Further, the SUPPLIER agrees to provide any and all assistance required by Deal to respond, within the timeframe required by Data Protection Law or Deal’s policy, to any individual request received by the SUPPLIER or Deal.
1.9 The SUPPLIER agrees to respond fully and within two (2) business days to all inquiries from Deal regarding the Processing of Personal Data related to the Agreement, and to assist Deal in responding fully and promptly to inquiries from any competent authority regarding the Processing of Personal Data related to the Agreement, including the ANPD. The SUPPLIER will promptly notify Deal of any request by the ANPD or other competent authority to disclose Personal Data that the SUPPLIER handles on Deal’s behalf, unless such communication is prohibited by law. In addition, the SUPPLIER agrees to cooperate with Deal in responding to or objecting to any such request.
1.10. The SUPPLIER agrees that upon Deal’s reasonable request, the SUPPLIER shall make its facilities available for an audit of Deal’s compliance with its obligations under this Agreement or the Agreement, to be conducted by Deal or its designee. The SUPPLIER shall cooperate fully and satisfactorily with such audit. In the event that such audit reveals material breaches or weaknesses in the SUPPLIER’s efforts to protect Personal Data, Deal shall have the right to suspend or terminate the Agreement as well as the performance of the services involving the Processing of Personal Data until such measures are adequately resolved.
1.11. The SUPPLIER shall defend, indemnify, and hold harmless Deal, the companies of the Deal Group, and their directors, shareholders, managers, agents, suppliers, collaborators, and employees from any claims, demands, expenses, damages, losses, costs, fees, or penalties arising from the SUPPLIER’s failure to comply with the Data Protection Laws, as well as the Agreement. Notwithstanding any provision in the Agreement to the contrary, the indemnification obligations set forth in this Section shall not be subject to any limitation of the SUPPLIER’s liability.
2. REPRESENTATIONS AND WARRANTIES
2.1 The Controller declares and guarantees that it has instructed, and will continue to instruct during the term of the Contract, the Provider on the carrying out of the Processing of Personal Data, always with due respect for the Data Protection Legislation.
2.2 Provider declares and warrants that:
(i) it will carry out Processing of Personal Data only within the limits and to the extent it is authorized by the Controller, in accordance with its explicit instructions;
(ii) in the event that Provider becomes aware that it will be unable to comply with the requirements of the Data Protection Legislation, it will communicate this fact immediately and in writing to Provider, which may, in its sole and exclusive discretion, suspend the transfer of Personal Data or terminate the Contract;
(iii) will encrypt any Sensitive Personal Data stored on portable devices, as well as any Personal Data requested by the Controller, to the extent reasonably required;
(iv) is not aware of any Security Incidents in the last five (5) years that may affect the Agreement or the other Party; and
(v) is fully capable of complying with the terms and conditions of this ANNEX, the Agreement and the Data Protection Legislation and that, in the event of a material change in the regulations applicable to Personal Data Processing activities that has the potential to modify its legal and contractual compliance, it will notify the Controller immediately; and
(vi) has implemented all organizational and technical security measures required under the Data Protection Legislation Agreement.
PROTECTION OF PERSONAL DATA: CONTROLLER – CONTROLLERS (Independent)
3. PROTECTION OF PERSONAL DATA – In situations where the Contract implies the Treatment of Personal Data in which both the COMPANY and the SUPPLIER act as Controllers, the provisions below shall apply.
3.1 Each Party undertakes to comply with the provisions of the Data Protection Legislation in the execution of the object of the Contract, including by making publicly available in a transparent way their respective privacy notices, according to the applicable requirements. Each Party shall carry out the Processing of Personal Data only in accordance with a valid legal basis and for lawful purposes, disclosing the Personal Data Processing information to the relevant Data Subjects.
3.2 Each Party is an independent controller and responsible for its Processing of Personal Data carried out in connection with the Agreement and its operations and business. The Parties shall also be responsible for the conduct of their respective Operators in accordance with the Data Protection Legislation.
3.3 As applicable, each Party shall clearly and transparently inform the Data Subject in case of any transfer or disclosure of Personal Data, including shared use, from one Party to the other by virtue of the Agreement. Each Party shall obtain a valid consent from the Data Subject to the transfer, disclosure or shared use of Personal Data as required under the Data Protection Legislation. The Parties shall disclose to the Data Subjects that each Party shall have an independent right to carry out Processing of Personal Data for the specific purposes disclosed and each Party shall observe and strictly comply with the respective privacy notices disclosed to Data Subjects.
3.4 Notwithstanding any obligations under the Agreement, each Party warrants that it has adopted and implemented, and will maintain during the term of the Agreement, organizational and technical security measures to protect Personal Data against improper destruction, unauthorized or unlawful sharing, accidental loss, alteration, unlawful access or disclosure and/or any form of inappropriate or unlawful Processing of Personal Data. The adequacy of such measures shall be assessed in light of the state of the art, the cost of implementation, the nature of the Personal Data and the risk to which the Personal Data are exposed. Such measures shall at least equal or exceed, cumulatively: (i) any regulation set forth by the ANPD or other relevant government body; (ii) industry standards; and (iii) measures that the relevant Party takes to protect other Personal Data in its possession or control.
3.5. The Parties shall be responsible for taking reasonable measures within the scope of their operations and business with respect to any Security Incident affecting the Cardholders’ Personal Data. Each Party shall be responsible for assessing the appropriate measures, including notifying the Data Subjects and the ANPD. Without prejudice to this, immediately upon becoming aware or having reasonable suspicion of any Security Incident that may compromise the integrity, confidentiality and/or availability of any Personal Data in the context of the contractual relationship between the Parties, the responsible Party shall notify the other Party in writing, providing all necessary information in full. Each Party shall cooperate with the other and take reasonable steps to assist in the investigation, mitigation and remediation of each Security Incident affecting the Agreement. The Parties agree to coordinate and cooperate in good faith in developing the content of any related public statements or of any notices required for Holders affected by such Security Incident and/or the ANPD.
3.6. The Parties represent and warrant that they will comply with and respond to Personal Data Subjects’ requests to exercise their rights in the manner and timeframe required by the Data Protection Legislation. As required, each Party shall promptly notify the other of any request received from a Data Subject whose Personal Data is being Processed by the other Party under the Agreement. As necessary and to the extent reasonable, each Party agrees to provide the assistance required by the other Party to respond, within the period required by the Data Protection Legislation, to any individual request received from a Data Subject in connection with the Agreement.
3.7 Each Party shall defend, indemnify and hold harmless the other Party, its affiliates and its directors, shareholders, officers, agents, suppliers and employees from any claims, demands, expenses, damages, losses, costs, fees or penalties arising out of breach of the Data Protection Legislation as well as this clause. Notwithstanding anything in the Agreement to the contrary, the indemnification set forth in this clause shall not be subject to any limitation of liability.
4. REPRESENTATIONS AND WARRANTIES
4.1 Each Party represents and warrants that:
(i) maintains and complies with privacy notices disclosed to the respective Data Subjects in the form of the Data Protection Legislation;
(ii) maintains a Personal Data Protection Officer responsible for contacting Data Subjects and the ANPD, and complies with other obligations to comply with the Data Protection Legislation;
(iii) makes available to Data Subjects adequate means for the exercise of their rights;
(iv) is not aware of any Security Incident in the last five (5) years that may affect the Contract or the other Party; and
(v) is fully able to comply with the provisions of the Personal Data protection clause and the Agreement.
PROTECTION OF PERSONAL DATA: NO PROCESSING OF PERSONAL DATA
5. NON-PERSONAL DATA PROCESSING – In situations where the Agreement does not involve the Processing of Personal Data of one Party for the benefit of the other Party, the provisions below shall apply.
5.1 Each Party shall be an independent Controller and responsible for its Processing of Personal Data carried out in connection with its operations and business and shall hold the other Party harmless from any liability.
5.2 In the event that a Party’s actions, whether undertaken or not, result in violations of the Data Protection Legislation, including those that may cause damage to Data Subjects, the Party that has committed the wrongful act and/or caused the damage shall be solely and exclusively liable for any payments by way of damages, compensation, fines, penalties, fees or any other amounts due. Each Party shall expressly hold harmless and indemnify the other Party from and against any claims, damages, losses and costs, including against third parties, arising out of the Party’s wrongful act in violation of the Data Protection Legislation.
5.3 Each Party represents and warrants that it complies and will continue to comply with the Data Protection Legislation as amended throughout the term of the Agreement, including, but not limited to, the appointment of a personal data protection officer as applicable, the adoption of organizational and technical security measures, and the enforcement of the rights of the Personal Data Subjects.
5.4 The courts of the District of São Paulo are hereby elected to settle any and all disputes arising from this Agreement, waiving any other, however privileged it may be.
6. The Parties expressly acknowledge the veracity, authenticity, integrity, validity and effectiveness of this ANNEX, formed in digital media. And, BEING JUST AND AGREED, the signatories agree that this document shall be executed by means of advanced or qualified electronic signature, in accordance with Federal Law No. 14,063/2020. In this sense, the signature of this document presupposes unequivocally declared the agreement of the signatories, being a binding, valid, effective, and enforceable commitment, in all its terms, conditions, and clauses, in accordance with Article 10, Paragraph 2 of Provisional Measure No. 2,200-2/2001 and Article 6 of Decree 10,278/2020. The signatories waive the possibility of requiring the exchange, sending or delivery of the original (non-electronic) signed copies of the instrument, as well as waive the right to refuse or challenge the validity of the instrument. Right to refuse or challenge the validity of electronic signatures, to the fullest extent permitted by applicable law. Finally, even if any of the signatories were to digitally sign this document at a place and/or on a date other than that established, the place and date of execution.