
LGPD ADDENDUM

 

Annex I

Privacy and Personal Data Protection

 

 

ANNEX I – PRIVACY AND PERSONAL DATA PROTECTION

1) Definitions: For the purposes of interpreting this Annex I (Privacy and Personal Data Protection), the terms below shall have the meanings set forth hereafter:

  • “CONTRACTOR Affiliate(s)” means the entity that owns or controls the CONTRACTOR, is owned or controlled, in whole or in part, by the CONTRACTOR, or is under the control of an entity that also controls the CONTRACTOR, where control is understood as the direct or indirect possession of voting shares or quotas sufficient to conduct and define the management of the entity's policies and activities;
  • “National Data Protection Authority” or “ANPD” means the public entity competent to supervise, inspect, and conduct the execution of procedures provided for in the General Personal Data Protection Law – LGPD and created by Provisional Measure 869/2018;
  • “Personal Data”, “Sensitive Personal Data”, “Processing”, “Controller”, “Processor”, “Data Protection Officer (DPO)” and “Data Subject” shall have the same meanings as contained in the General Personal Data Protection Law - LGPD;
  • “CONTRACTOR Personal Data” means any Personal Data or Sensitive Personal Data, as described in the LGPD, processed by the CONTRACTED PARTY on behalf of the CONTRACTOR, or any of its Affiliates, in the execution of the Agreement;
  • “General Data Protection Law” or “LGPD” means Federal Law No. 13,709 of August 14, 2018, and its amendments introduced by Provisional Measure 869/2018;
  • “Applicable Legislation” means (i) the LGPD, with respect to any Personal Data and its Processing; and (ii) any other applicable law regarding the protection and privacy of Personal Data in the Brazilian national territory;
  • “Data Protection Laws” shall mean the rules contained in the LGPD and any other rule contained in specific legislation that applies to the protection and privacy of Personal Data in the Brazilian national territory;
  • “Services” means the services to be provided by the CONTRACTED PARTY to the CONTRACTOR, and/or its Affiliates, in the execution of the Agreement;
  • “Sub-processor” means any Processor (including third parties) appointed by the CONTRACTED PARTY to process CONTRACTOR Personal Data on behalf of the CONTRACTOR, or any of its Affiliates;
  • “Authorized Sub-processor” means the Sub-processor expressly consented to and authorized by the CONTRACTOR, in accordance with the terms of item 6 below; and
  • “Personal Data Breach” means the breach leading to the unlawful or accidental destruction, loss, alteration, unauthorized disclosure, or access to the CONTRACTOR’s Personal Data, transmitted, stored, or otherwise processed by the CONTRACTED PARTY on behalf of the CONTRACTOR, or any of its Affiliates, as well as any violation of the provisions under item 5 below, or the data protection, confidentiality, or provisions set forth in this Annex I.

2) Terms of Data Processing: The CONTRACTOR’S Personal Data may be processed, on behalf of the CONTRACTOR or any of its Affiliates, by the CONTRACTED PARTY during the course of providing the Services of the Agreement. The CONTRACTED PARTY agrees to comply with all provisions stipulated herein regarding the CONTRACTOR'S Personal Data or any other Personal Data submitted to Processing.

3) Processing of CONTRACTOR’S Personal Data: The CONTRACTED PARTY may only process the CONTRACTOR’S Personal Data to execute the purpose set forth in the Agreement. The CONTRACTED PARTY shall not process, transfer, modify, amend, alter, disclose, or allow the disclosure of the CONTRACTOR’S Personal Data to any third party that has not been expressly authorized by the CONTRACTOR, except when processing is required by a legal obligation to which the CONTRACTED PARTY is subject, in which case, to the extent permitted, it shall inform the CONTRACTOR of such requirement and/or legal demand before proceeding with the Processing of its Personal Data.

4) Access by CONTRACTED PARTY’S Employees: The CONTRACTED PARTY shall take all necessary security measures regarding access to the CONTRACTOR’S Personal Data by any of its employees, agents, or subcontractors, ensuring that such access is limited to those individuals who truly need to access such Personal Data and strictly for the execution of the purposes established in item 3 above, ensuring that such individuals:

  • Are informed of the confidential nature of the CONTRACTOR'S Personal Data and are aware of the obligations assumed by the CONTRACTED PARTY in the Agreement and by this Annex I regarding the CONTRACTOR'S Personal Data;
  • Receive appropriate training regarding Data Protection Laws;
  • Are subject to contractual and legal obligations and obey the duty of confidentiality accepted by the CONTRACTED PARTY; and
  • Are subject to all technical security measures for access to Personal Data.

5) Security Measures: Taking into account the state of the art, the nature of the scope, and the context involved, as well as the purposes for the Processing stipulated herein, in addition to the relevance of preserving the rights and freedoms of natural persons, the CONTRACTED PARTY shall implement all possible and available technical and organizational measures to ensure appropriate levels of information security and risk mitigation provided for in Data Protection Laws, especially the LGPD.

6) Sub-processing: Where sub-contracting is authorized under the terms of the Agreement, the CONTRACTED PARTY guarantees that its Sub-processors will always be subject, at a minimum, to the same compliance obligations applicable to itself as set forth in the Agreement and this Annex. Regarding each Sub-processor, the CONTRACTED PARTY shall:

  • Include terms and conditions in the contracts signed between the CONTRACTED PARTY and the Sub-processors that are substantially equivalent to the terms of this Annex.
  • Be fully liable to the CONTRACTOR for any failure or Personal Data Breach arising from activities under the responsibility of any of the Sub-processors.

7) Rights of Data Subjects: Taking into account the nature of the Processing activity, the CONTRACTED PARTY shall assist the CONTRACTOR in the implementation of appropriate technical and organizational measures to facilitate compliance by the CONTRACTOR, or any of its Affiliates, with the obligations (as Controller) to respond to eventual requests from Data Subjects regarding their rights, as listed and provided for in Article 18 of the LGPD, provided it is within the scope of this agreement. The CONTRACTED PARTY shall promptly notify the CONTRACTOR if it receives any request from a Data Subject regarding the Processing of the CONTRACTOR'S Personal Data under any Data Protection Law. The CONTRACTED PARTY shall cooperate as requested and help the CONTRACTOR enable compliance with any Data Subject right under Data Protection Laws regarding the CONTRACTOR'S Personal Data and comply with any risk assessment, notice, or investigation under Data Protection Laws regarding the CONTRACTOR'S Personal Data, provided it is within the scope of this agreement or this Annex. The risk assessment provided for in the previous item shall comply with the following requirements, but not limited to:

  • Contain a list of all CONTRACTOR Personal Data held by the CONTRACTED PARTY, which must be provided when requested by the CONTRACTOR within a reasonable period specified for each case, including full details and copies of complaints, communications, and/or requests, as well as any CONTRACTOR Personal Data processed and stored regarding the requesting Data Subject;
  • When applicable, lead the CONTRACTED PARTY to provide said assistance, upon request by the CONTRACTOR, to enable and comply with the relevant and requested compliance within the periods provided by Data Protection Laws or stipulated by the ANPD; and
  • When applicable, request the CONTRACTED PARTY to implement any additional Technical and Organizational Measure upon request by the CONTRACTOR or ANPD, to allow a competent and effective response to eventual and relevant complaints, communications, and/or requests.

8) Personal Data Breach: Upon becoming aware of any Personal Data Breach under its custody and processing, the CONTRACTED PARTY shall immediately notify the CONTRACTOR, in any case within 24 (twenty-four) hours, providing the CONTRACTOR with sufficient information to take the necessary measures to comply with the duty of information in such cases. To the extent that the CONTRACTOR’S Personal Data is involved in eventual breaches, such notifications from the CONTRACTED PARTY shall, at a minimum:

  • Describe the nature of the Personal Data Breach, the number of Data Subjects involved, the Personal Data breached, and its volume;
  • Communicate the name and contact of the DPO and the person responsible at the CONTRACTED PARTY or any other contact that can provide relevant information about the breach(es);
  • Describe the possible consequences of the Personal Data Breach; and
  • Describe the measures taken (or to be taken) to mitigate the Personal Data Breach.

The CONTRACTED PARTY shall cooperate with the CONTRACTOR to take all commercial and technical measures as directed by the CONTRACTOR to assist in investigations, mitigate, and remedy each of the breaches. In the event of any Personal Data Breach, the CONTRACTED PARTY shall not inform or communicate to any third party without first obtaining the express consent of the CONTRACTOR, except when the notification is required by legal obligation, in which case the CONTRACTED PARTY, to the extent permitted by law, shall inform the CONTRACTOR of such notification, provide a copy, and consider any remarks from the CONTRACTOR before providing any response and/or notification to third parties or authorities.

9) Data Protection Impact Assessment and Prior Consultation: The CONTRACTED PARTY shall provide all reasonable assistance to the CONTRACTOR, upon prior consultation, in any data protection impact assessment and production of the competent impact report, as provided for in the LGPD and whenever required by law or the ANPD.

10) Deletion and Return of CONTRACTOR’S Personal Data: Upon termination of the Agreement or when there is no longer a purpose or need for the Processing of the CONTRACTOR’S Personal Data, the CONTRACTED PARTY shall promptly delete, including from existing copies/backups, all CONTRACTOR’S Personal Data processed by the CONTRACTED PARTY or any Authorized Sub-processor. The CONTRACTOR may, at its sole discretion, notify and expressly request the CONTRACTED PARTY to return a complete copy of the CONTRACTOR’S Personal Data by secure data transfer and storage means and formats (analog or electronic) as described in a specific request. The CONTRACTED PARTY shall comply with the request within 30 (thirty) calendar days of receiving the request from the CONTRACTOR. The CONTRACTED PARTY may retain the CONTRACTOR’S Personal Data to the extent required by Applicable Legislation and only for the period required by law, always ensuring confidentiality, reliability, integrity, and security, and ensuring that such data is processed and stored only as long as necessary for the specific purpose defined in the Applicable Legislation.

11) Audit Rights: In addition to any audit rights provided for in the Agreement, the CONTRACTED PARTY shall make available, upon prior request by the CONTRACTOR, all information necessary to demonstrate total compliance with this Annex, as well as allow and contribute to eventual audits, including inspections by the CONTRACTOR or any auditor appointed by it, or any of its Affiliates, regarding the Processing of the CONTRACTOR’S Personal Data and the terms of this Annex. The CONTRACTED PARTY shall cooperate with the CONTRACTOR in any aspect of said audit, providing all existing evidence of compliance with the terms and conditions of this Annex.

12) Indemnification: The CONTRACTED PARTY shall indemnify and hold harmless the CONTRACTOR, or any of its Affiliates, in the event of any losses, fines, and/or sanctions arising from any action by third parties or public authorities, especially the ANPD, due to a violation of any term or provision of this Annex or a Personal Data Breach caused by the CONTRACTED PARTY.

13) General Terms:

  • Termination: The Parties agree that this Annex automatically loses its effect upon (i) the termination of the Agreement; or (ii) subject to consensus between the Parties, the end of the purpose and need for continued Processing of the CONTRACTOR’S Personal Data, except for legal obligations imposed on the Parties regarding the safeguarding and preservation of the rights of the CONTRACTOR, Data Subjects, or third parties, in which case the provisions herein shall survive regarding the CONTRACTED PARTY and its Sub-processors.
  • Jurisdiction and Applicable Law: The Parties submit this Annex to the jurisdiction (forum) elected in the Agreement, waiving any other, especially regarding any dispute or action arising from the application of the rules of this Annex. This Annex is governed by the rules contained in the Applicable Legislation.
  • Violations: Any violation of this Annex shall constitute a material breach of the Agreement.
  • Contradictions and Inconsistencies: In the event of any contradiction or inconsistency between the provisions of this Annex and any other agreement between the Parties, including the Agreement, the provisions of this Annex shall prevail regarding matters of privacy and personal data protection.
  • Costs and Expenses of Technical and Organizational Measures: The Parties agree that any costs and expenses for the implementation of the Technical and Organizational Measures provided for herein, as well as for the adaptation of compliance and information security programs, shall be the sole responsibility of each Party and shall not result in additional costs to the other Party.
  • Third-Party Rights: No third party, other than the Parties to this Agreement, shall have the right to demand the execution or application of the provisions of this Annex.
  • Amendments to Data Protection Laws: The CONTRACTOR may expressly notify the CONTRACTED PARTY at any time when there is any type of change to Data Protection Laws requiring modification of this Annex. Any necessary amendment shall be made in writing and by mutual agreement between the Parties.
  • Severability: In the event that any provision of this Annex is declared null, invalid, or inapplicable, the remaining provisions shall remain in full force and effect. The null or invalid provisions shall be amended, as far as possible, to confer validity and preserve the original intentions of the Parties.