This Privacy and Personal Data Protection Policy (“Policy”) aims to disclose the principles and conduct standards that will guide the operations of the law firm Klempp Franco Advogados (“Klempp”) regarding all personal data under its control, including personal data of its partners, employees, suppliers and service providers, public agents and any other individuals, regardless of the means by which such personal data was obtained by Klempp. Personal Data is, under applicable law, any and all information related to a natural person who is identified, or who can be identified or individualized through reasonable efforts by Klempp.
This Policy applies to Klempp and all its partners, associates, consultants, employees and interns, and its conduct standards are also required of service providers and third-party workers who process personal data controlled by Klempp.
Klempp values the ethical and secure treatment of information, without sacrificing respect for laws and the fundamental rights and freedoms of personal data subjects. With this in mind, Klempp publishes this policy with the objective of informing personal data subjects how it acts to establish and demonstrate the forms of management and protection of personal data by Klempp.
DATA PROTECTION PRINCIPLES
The practices related to the processing of personal data by Klempp observe the following principles of the LGPD – General Data Protection Law (Law No. 13,709/2018), which must be followed by all its employees, partners, associates, suppliers and service providers in their activities:
- Purpose: the processing of personal data will always be carried out for legitimate, specific, explicit purposes informed to the data subject, as well as compatible with Klempp’s corporate interests according to its business objectives, without the possibility of subsequent processing in a manner incompatible with these purposes.
- Adequacy: the processing of personal data will always be compatible with purposes informed to the data subject, according to the context of the processing.
- Necessity: the processing of personal data, including its collection and storage by Klempp, will be limited to the minimum necessary for achieving its purposes, with coverage of pertinent, proportional and non-excessive data in relation to the purposes of data processing.
- Free access: Klempp will guarantee data subjects facilitated and free consultation about the form and duration of processing of their respective personal data, as well as access to the entirety of their personal data processed by Klempp, except in cases where it is legitimate to refuse such access.
- Data quality: Klempp will guarantee data subjects that their personal data will be accurate, clear and updated, as well as that only relevant personal data will be processed by Klempp, according to necessity and for fulfilling the specific purposes of its processing.
- Transparency: as far as possible, Klempp will provide clear, precise and easily accessible information about the processing of personal data to the respective data subjects.
- Security and confidentiality: Klempp will adopt technical and administrative measures capable of protecting personal data from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication or dissemination, always applying security standards appropriate to the specific risks of each activity and observing the state of the art and applicable market best practices.
- Prevention and mitigation of damages: the best efforts will be adopted by Klempp to prevent the occurrence of damages due to the processing of personal data and to mitigate or repair them should they occur.
- Non-discrimination and ethical treatment of personal data: no processing will be done for discriminatory, unethical, illegal or abusive purposes.
- Accountability and transparency: Klempp will adopt mechanisms to confirm and demonstrate the effectiveness of its privacy and personal data protection governance program, including compliance with applicable legislation.
PERSONAL DATA COLLECTED BY THE WEBSITE
Klempp’s website may automatically collect some data about browsing behavior on the site through cookies (see below) for statistical purposes, for the duration of the respective cookie, and also records of website access, for a period of 6 months from collection, in accordance with the Brazilian Internet Framework (Law No. 12,965/2014).
Klempp also collects personal identification information and contact data from users of its website, such as their name, email and telephone if the user uses the “contact us” function, exclusively to establish contact with the user and any developments from this contact. Such data is maintained with Klempp for the time necessary to serve this purpose.
PERSONAL DATA COLLECTED THROUGH COOKIES
Klempp’s website may record certain “cookies” through the user’s browser, which are text files through which some information can be stored and read by Klempp’s servers and certain companies with which it works.
The website uses the following cookies for analytical purposes:
| Cookie | Purpose | Service | Expiration |
| --- | --- | --- | --- |
| _ga | Count page views by unique users | Google Analytics | 2 years |
| ga* | Count specific page views | Google Analytics | 1 year |
| _gid | Distinguish users | Google Analytics | 1 day |
| __trf.src | Identify the origin of the user’s visit to the site | RD Station | 1 year |
The website also uses functional tools from the companies Nitropack and Weglot, which expire at the end of each session, to collect device and system data from the user that are necessary for the website to be presented in the most appropriate and optimized way for viewing, to perform automatic translation and to improve browsing security.
Each user’s browser can be configured in the options and tools available in the respective menu to refuse receiving cookies and to remove them at any time.
PERSONAL DATA USED BY KLEMPP IN ITS ACTIVITIES
Klempp possesses and processes various types of personal data in its legal activities, namely:
- Identification and contact data and information related to cases of clients contracting Klempp’s legal services, relating to clients and other people involved in these cases.
- Data related to cases addressed by Klempp, which may be collected from public sources, such as courts, public administration bodies, registries and private information services.
- Data of its employees, partners, associates and service providers related to compliance with their employment contracts, service provision and specialized consulting, respective payment and direction of work performed.
- Data of its partners related to making and recording management and administration decisions of Klempp, as well as alteration of its social contract and normative documents.
- Data of suppliers of goods and services, also related to contracts signed with Klempp.
- Profile data, messages and publications of LinkedIn users and other social networks that connect or contact Klempp, directly through the respective platforms.
- Data of third parties participating in webinars, events and lectures, as necessary for their realization and other purposes arising from them.
Personal data collected and used by Klempp is maintained in a protected electronic environment for the entire time necessary to fulfill its specific purposes and, after that, for the time necessary to exhaust legal obligations and statute of limitations related to its initial use.
SHARING PERSONAL DATA WITH THIRD PARTIES
Klempp only shares personal data with companies and public and private entities involved in providing its legal services, such as correspondent law firms, experts, technical assistants and opinion providers, courts and public administration bodies, and companies responsible for infrastructure, technology and services used in hosting systems and files, management and administration of Klempp.
Personal data is only shared, transferred or disclosed by Klempp to third parties as strictly necessary for fulfilling legitimate purposes, expressed and informed by Klempp in this Policy and through the use of legal instruments that bind the third party to compliance with laws, regulations and good practices for personal data protection. Additionally, Klempp adopts procedures to ensure that it only shares personal data with third parties that adopt sufficient technical and administrative measures to guarantee adequate security and protection of personal data, according to the risks to which they are exposed.
The sharing, transfer and disclosure of personal data to public authorities and governmental entities, except in processes and other cases where this sharing is a prerequisite of legal practice, is always limited to what is necessary for compliance with legal and regulatory obligations, compliance with court orders and requests from competent authorities, and defense or legal exercise of rights of Klempp or third parties.
GUIDELINES FOR PERSONAL DATA PROCESSING
Any and all personal data collected, received, obtained or generated by Klempp will be linked to one or more purposes, validated, recorded and, in the best possible way, communicated to the respective data subjects. No personal data will be collected, received, obtained or generated by Klempp if it is not necessary for a lawful, certain and determined purpose. Each item of personal data has its life cycle controlled and recorded from the moment Klempp gains control of the personal data until the moment of its definitive disposal.
Personal data processing activities by Klempp are always based on legal authorization to do so.
Only people with the need for access to certain categories of personal data have access to them, taking into account the role they play in relation to the use of this information and guaranteed through appropriate technical and organizational measures.
Documents and personal databases are stored in digital format while their processing purposes subsist and are eliminated securely and irrecoverably immediately after exhaustion of all their purposes, when the safeguard period is reached for compliance with legal obligations or exercise of rights, or in case of request from the respective data subject that obliges Klempp to delete such personal data.
Klempp maintains a Data Protection Officer for the application of good practices for appropriate processing of personal data under the terms above.
INFORMATION SECURITY
Klempp adopts technical and organizational information security measures compatible with the risk level of the activity to guarantee confidentiality, integrity, availability of data and information, as well as the resilience of its computer systems, databases, physical files and other information repositories, in order to avoid unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication or dissemination of personal data.
Klempp maintains a security incident response plan for rapid assessment, interruption, remediation and, when necessary, mitigation and repair of damages eventually caused by incidents, with Klempp committing to assist, in good faith to a reasonable extent, all relevant parties in mitigating or repairing damages actually suffered.
RIGHTS OF PERSONAL DATA SUBJECTS
Klempp commits to adopting effective measures to guarantee the rights of personal data subjects as specified by the LGPD, and other Brazilian laws and regulations applicable to personal data protection, especially the following:
- facilitated access to clear information about the processing of personal data by Klempp, including about the specific purposes of processing, form and duration of processing, identification and contact information of Klempp and any other controllers, information about shared use of data by Klempp and the respective purpose of its sharing.
- confirmation of existence and information about the processing of their personal data by Klempp.
- access to personal data of their ownership controlled by Klempp.
- correction of any incomplete, inaccurate or outdated personal data.
- blocking, elimination or anonymization of personal data held by Klempp without necessity, excessive for the purposes stated by Klempp or processed in non-compliance with legislation and this Policy, as well as opposition to the use of their personal data in these same situations.
- portability of their personal data to other entities, in interoperable format, upon express request and according to official regulations on the subject.
- information about public and private entities with which there was shared use of their data.
- information about the possibility of not providing their consent and about the consequences of refusal, in cases where their data is collected and processed through consent.
- revocation of their consent for collection and processing of data in these same cases.
- elimination, when requested, of personal data collected through their consent, in accordance with applicable legislation.
- the possibility of reviewing automated decisions that Klempp may adopt in processes that may affect the rights and interests of data subjects.
Klempp maintains standards, controls, processes and notices to guarantee the presentation of information to respective data subjects with due transparency of its personal data processing practices, under the terms of current legislation. However, as it is a law firm subject to legal and ethical confidentiality obligations, it is possible that certain information may be omitted, including in responses to requests for access to personal data of data subjects, as necessary to comply with such obligations.
COMMUNICATION
Klempp maintains controls and processes that guarantee prompt response to the rights of data subjects and requests from competent authorities regarding personal data protection, providing direct contact channels with the Data Protection Officer so that data subjects can exercise their rights, make complaints and requests, as well as send suggestions.
DATA PROTECTION OFFICER
Karin Klempp Franco (CIPP/E)
Email: contato@klempp.com.br
Phone: +55 (11) 2189-0255
The duties and responsibilities of the Data Protection Officer, always acting with independence, impartiality, decorum and good faith, are:
- Clarify doubts of data subjects regarding Klempp’s practices in relation to their personal data, as well as receive, give internal referral and respond to requests and complaints from personal data subjects.
- Present Klempp’s response to requests and complaints from personal data subjects (after approval from competent decision-making instances).
- Act as a communication channel between ANPD and Klempp in administrative procedures, including receiving, giving internal referral and presenting Klempp’s response to communications, requests and summons from ANPD – National Data Protection Authority.
- Communicate security incidents to ANPD and data subjects on behalf of Klempp after assessment of the risk and potential for damages to data subjects and approval from competent decision-making instances.
- Guide Klempp’s lawyers, employees, contractors and third parties regarding Klempp’s current policies and practices related to privacy and personal data protection.
RESPONSIBILITY
Each partner, associate, consultant, intern, employee and service provider of Klempp is responsible for compliance with this Policy and other applicable standards, as well as for enabling the proper performance of the work of the Data Protection Officer.