News Technical Assistance Catalogs Contact
PT ES

Personal Data Subject Response Policy

PURPOSE

This policy aims to guide the holder of personal data in the exercise of their rights, especially with regard to requests for personal data to Cromex.

It should be said these requests include, but are not limited to: Request for processing confirmation; Request for data access; Request for correction of incomplete, inaccurate or outdated data; Request for blocking or deleting unnecessary, excessive or processed data in violation of the law; Request to delete personal data processed with the consent of the holder and revocation of consent; Data portability request; Request for information from public and private entities with which Cromex shared data and various requests.

Any request made to Cromex based on this policy, in which it acts as Data Controller, will be free and facilitated, always respecting the rights of the holders of personal data.

SCOPE

Every individual has the right to be informed about the treatment of their personal data, in this regard, this policy covers all individuals subject to the General Personal Data Protection Law (LGPD), Law No. 13,709, of August 14, 2018, regardless of having your data processed by Cromex.

It is worth mentioning that this policy has effects in cases where the performance of Cromex demonstrates to be Data Controller, so that all foreseen and listed rights will be analyzed, even if illegitimate or unreasonable, to, from that, be met pursuant any provision in law.

In situations where the performance of Cromex as an Operator is evident, we commit ourselves, solely, to use our best efforts to make the request made known to the Parent Company, as a sign of good practices.

CONTACT FORMS

Cromex provides direct contact with its Personal Data Processing Officer, who will make every effort to fulfill such requests in the shortest possible time, subject to the suggested deadlines for each type of request.

Furthermore, Cromex preserves the right not to comply with requests that prove to be unfounded, excessive, illegal, would involve a disproportionate effort to comply with, imply disclosure and exposure of commercial and industrial secrets of Cromex or there is any risk of breach of personal data , in these situations of refusal, Cromex will present its justified reasons in view of the impossibility of service.

Contact should be made through the address: privacidade@cromex.com.br

TERM COUNT FORM

For the purposes of counting any term in days indicated in this Policy, only the business days in force in the city of São Paulo/SP will be computed, which will be counted excluding the beginning day and including the expiration day.

WHO CAN MAKE REQUESTS

Every individual should contact Cromex to submit requests pertaining to their own personal data.

You should also prefer that a third party (for example, a relative, friend or attorney) make a request on your behalf. In this case, as a form of security for your personal data, the third party must present a power of attorney by a public instrument, registered at the Notary Public’s Office, for the specific purpose of the request presented. If there is no evidence that third parties are authorized to act on your behalf, Cromex will not comply with the request.

APPLICANT’S CERTIFICATION:

To prevent an individual’s personal data from being sent to another, accidentally or as a result of fraud, Cromex should need to validate it, whether you are the data holder or a third party with powers to represent the data holder.

This level of security seeks to avoid possible harm that the inappropriate disclosure of information could cause to the holder of personal data.

REQUEST FOR CONFIRMATION OF ANY PROCESSING

You should only want to know if Cromex handles the processing of your personal data.

Upon requesting confirmation of the existence of processing, we will return exactly whether Cromex performs the processing of your personal data or not, reaffirming our commitment to transparency, without any confirmation or submission of content.

Return term: 5 (five) days.

IN CASE OF ANY PROCESSING OF PERSONAL DATA AT CROMEX

Once the request is made and it is verified that Cromex does not process your personal data, Cromex will answer your question and will delete the personal data sent that instructed the application made, within 3 (three) days after sending the answer.

If you are aware that your personal data were previously processed by Cromex, but you received a response that there was no data stored in our systems, we advise that the processing of your personal data may have ended, in which case we will delete your personal data or anonymize it so that it is impossible to identify it, it is no longer considered a personal data. In these cases, as we do not keep any record of your data, by law, we will respond that we do not process your personal data.

We ask that you do not insist on reiterating requests in this situation, as your possible identified or identifiable personal data previously processed are not stored in any type of backup or unknown location by Cromex, and actually deleted or anonymized in a secure manner.

If you wish to make a new request, you will have to start the new authentication step, as your personal request data will not be stored in our databases.

DATA ACCESS APPLICATION

Upon request for access to personal data, we will display all your personal data that we process.

Once the processing of your personal data is identified, we will provide verification access for a period of 5 (five) days, and you may select the data validation option, if they are correct and complete; or correction of the data in case you observe any need for correction, supplementation or update.

If we do not identify the treatment of your personal data, we will return the negative information, in accordance with topic 8 above.

Return term: 10 (ten) days.

APPLICATION FOR CORRECTION OF INCOMPLETE, INACCURATE OR OUTDATED DATA;

After accessing your personal data, you will be able to request correction of incomplete, inaccurate or outdated data. In this request, you will be able to inform us which data you wish to change, based on the data we have processed.

We hope you understand we carry out our activities with the limitation of processing to the minimum necessary, covering only relevant, proportional and not excessive data, that is, you will not be able to request additional data types beyond those we consider necessary for processing purposes.

If we have any doubts regarding the request to change your data, we may ask you to send the document containing the data you want to change, scanned, as a means of validating the information, thus preserving the quality of your data.

Return term: 10 (ten) days.

REQUEST FOR THE DELETION OR EXCLUSION OF YOUR PERSONAL DATA

In some cases, you have the right to request the deletion or exclusion of your personal data, when processed under your consent.

Please note that this is not an absolute right as we may have legal or legitimate reasons to withhold your personal data.

Return term: 10 (ten) days.

REQUEST FOR WITHDRAWAL OF CONSENT

When you use our website to request information about our products or services, register for newsletters or events, respond to surveys or marketing communications, or use any of our community forums, or use our website to apply to an employment, you can withdraw the consent to the processing of your data in cases where such processing is based on consent.

Withdrawal of consent does not affect the legality of consent-based processing prior to withdrawal.

Return term: 5 (five) days.

REQUEST FOR PORTABILITY OF PERSONAL DATA

The LGPD provides the data holders to have the right of data portability to another service or product provider. However, we understand that you as the data holder also have the right to obtain a copy of this data for you, in a structured, commonly used, automatic reading in machine readable format, whenever technically possible.

We thus provide you with the opportunity to use a file of personal data, in machine-readable format, in order to conserve and store personal data and to grant authorization those responsible for processing for the purposes of accessing and processing personal data, insofar as that understand necessary.

This right must be exercised by requesting data portability, which will include receiving a copy of your personal data, or sending the same file to a specific supplier.

Exercising the right to receive the data in machine-readable format, we will send you the encrypted file. We recommend from the moment you have possession of this file, you store it and use it in a safe way, as Cromex cannot be held responsible for any violation of this file and stored data after it leaves our sphere of control.

If you request for data portability to another service or product provider, you must inform us of the recipient supplier’s data.

In this case, it is worth mentioning that the LGPD, nor the Domestic Data Protection Agency (ANPD), to date, imposes on Cromex the obligation to adopt or maintain processing systems that are technically compatible with the other supplier, nor the obligation of the recipient in accepting the personal data contained in the portability file.

Return term: 20 (twenty) days.

REQUEST FOR – INFORMATION FROM PUBLIC AND PRIVATE ENTITIES WITH WHICH THE CROMEX PERFORMED THE SHARED DATA USAGE;

You will be able to request information from public and private entities with which Cromex shared data, and we will answer which personal data was shared and with which entities.

Return term: 20 (twenty) days.

MISCELLANEOUS REQUESTS

In addition to the requests listed above, you may also contact us to submit requests not covered by this policy. In this case, we will analyze your request and the best way to respond to it, if there is no prohibition that justifies our refusal.

Considering the impossibility of predicting what will be asked of us, we cannot estimate the response time, as it will depend on the evaluation of the necessary effort. However, we are committed to returning your request in the shortest possible time, with a limit of 30 (thirty) days depending on the type of request.

Furthermore, we remind you that the requests described above and sent to the Controller are the sole responsibility of the Controller, arising from its exclusive analysis of legality and legitimacy for the processing of your personal data, as well as the possibility of complying with the request presented.

We also point out, the withdrawal of consent does not affect the legality of consent-based processing prior to withdrawal.

REQUESTS FOR RECORDS

Every request you make to us will be recorded in our files, as well as what was met or eventually not met.

This request record will be stored for a period of five years after the request has been met, which is the statute of limitations for claiming civil redress pursuant to item 27 of Law No. 8078, of September 11, 1990 (CDC).

In the event that we do not process your personal data, the request record will only store the day and time of the request and response.

REVISIONS

This policy must be revised every 2 years or as per the understanding and decision of the Personal Data Protection Management Committee, and should be updated in accordance with the legislative changes or organization’s procedural regarding the processing of personal data.

Therefore, we recommend you periodically review it for updated information about our Personal Data Holder Response Policy.

Sign up for our newsletter

Receive news in your email