SoftExpert Software S.A. (“SoftExpert” or “organization”) was founded on February 1, 1995, and is currently a leading company in the information technology sector, with the main objective of offering its clients software and services aimed at continuous improvement and optimization of their business processes, transforming operational excellence into a true competitive advantage.
SoftExpert's business is the commercialization of products and services for legal entities. However, in the performance of its functions, the organization may carry out activities characterized as processing personal data. During the execution of these operations, SoftExpert is committed to observing the basic security and privacy requirements defined by the General Data Protection Law (“LGPD”).
The privacy and security of personal data collected by SoftExpert are of enormous importance. For this reason, SoftExpert seeks, through this document, to demonstrate its commitment to the protection and privacy of personal data, covering topics such as data subjects' rights, data usage methods and types, legal bases legitimizing the processing, and means of contact for exercising rights and communication with SoftExpert.
This document is applicable to all data subjects whose personal data is processed by SoftExpert, including employees, clients, suppliers, business partners, and any other involved parties, in accordance with applicable data protection legislation.
The following are the standards that this document adopts:
For the purposes of this document, the following terms and definitions are adopted:
Natural person to whom the personal data being processed refers.
The natural or legal person, public or private, to whom the decisions regarding the processing of personal data belong. In other words, it is the entity responsible for decision-making related to the activity to be performed with personal data.
The natural or legal person, public or private, who processes personal data on behalf of the controller and in accordance with the purpose determined by them.
Any information or combination of information that can uniquely identify a data subject without ambiguity.
Personal data related to racial or ethnic origin, religious beliefs, political opinions, union membership or membership in religious, philosophical, or political organizations, data concerning health or sex life, genetic or biometric data.
The person responsible for acting as a communication channel between the Controller, data subjects, and the National Data Protection Authority, when the matter involves personal data.
Any activity that uses personal data in its execution, including but not limited to collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, and evaluation.
This Policy aims to:
SoftExpert hopes that this policy helps in understanding its commitment to the privacy of its clients and third parties from whom SoftExpert collects information.
As provided in applicable law and unless limited by it, the rights granted to individuals are as follows:
It should also be clarified that the data subject may exercise their rights through written communication, specifying the right they wish to exercise, as well as requesting clarifications on any questions about processing. For this, they should send an email to privacy@softexpert.com. SoftExpert will respond to requests within the legal timeframe of 15 days, reserving the right to extend this period, provided it is justified.
SoftExpert collects personal data in the following ways:
Whenever possible, SoftExpert uses anonymized and aggregated information for purposes that include testing its IT systems, investigation, data analysis, creating marketing and promotional models, improving its software and services, and developing new features and functionalities.
In carrying out SoftExpert's commercial activities, it may process personal data relating to individuals who interact, have interacted, or will interact with the organization, directly or indirectly, as well as personal data specifically related to clients, business partners, service providers, employees, and associates. Such personal data may be expanded depending on the specific case; however, SoftExpert primarily processes:
SoftExpert may, in certain situations, process personal data of children or adolescents, always linking this processing to the legal basis that makes it legitimate, as per LGPD.
Occasionally, SoftExpert may process sensitive personal data. In cases where SoftExpert is the controller, it will respect the provisions of article 11 of the LGPD, which requires obtaining the data subject's consent or, in the absence of consent, that the processing be essential for: compliance with legal or regulatory obligations; the regular exercise of rights, including in contracts and in legal, administrative, and arbitration proceedings; protection of the life or physical integrity of the data subject or third parties; health protection, exclusively in procedures performed by health professionals, health services, or a health authority; or ensuring fraud prevention and data subject security in identification and authentication processes for electronic system registration, safeguarding the rights mentioned in article 9 of the LGPD and except where fundamental rights and freedoms of the data subject that require personal data protection prevail. The types of personal data processed vary according to the purposes and activities performed.
In cases where SoftExpert acts as a processor, personal data processing will be limited to the execution of the service itself, with the controller being responsible for correctly associating the legal basis or even obtaining appropriate consent, as applicable.
However, SoftExpert limits its processing to the minimum personal data necessary for each process.
Depending on the formalized legal relationship, SoftExpert may occupy the position of Controller or Processor of data, according to the concepts indicated in this document and in accordance with LGPD.
Thus, when it is up to SoftExpert to determine the purposes, means, and decision-making regarding data processing, the organization will be considered a Controller, as is the case with its employees' personal data, for example.
When SoftExpert performs data processing on behalf of a Controller, it will be considered a Processor, such as when SoftExpert provides cloud environment management services to the client. Additionally, service providers, consultants, and partners may also act as Data Processors when they perform data processing operations for SoftExpert clients.
Regardless of the role played by SoftExpert during the execution of its activities, SoftExpert declares through this document that it has good data governance practices, taking into account the nature, scope, purpose, probability, and severity of risks and benefits arising from data processing.
LGPD establishes, in its article 7, the grounds that legitimize personal data processing, i.e., it lists situations that authorize the execution of activities considered data processing. The Law establishes that each process involving data processing must be based on at least one legal basis that authorizes the operation.
SoftExpert may process personal data based on the following situations:
Additionally, SoftExpert invests in, adopts, and makes significant efforts to implement technical and organizational measures to protect personal data from unauthorized and improper access. These measures and solutions take into account the nature, context, risks, purposes, and costs involved in their application.
SoftExpert processes personal information within national territory and in countries with similar and equivalent legislation. In this regard, when SoftExpert performs cross-border data processing, it safeguards data subjects' rights and adopts technical and organizational measures capable of protecting data subjects' personal data.
Additionally, SoftExpert may share personal data to assist in fraud investigations and prevention, where requests from corresponding authorities are compatible with legal, regulatory, or applicable legal process requirements.
SoftExpert may retain personal data collected for as long as necessary to provide the services it makes available to its clients and for legitimate and essential commercial purposes, such as to maintain the performance of its software, make business decisions regarding features and offerings based on data, meet legal obligations, and resolve disputes.
Once the intended purpose is met, such information may be discarded unless another legal basis justifies the retention of this information.
SoftExpert is committed to adopting the necessary technical and organizational measures to protect personal data it processes, ensuring it is safeguarded against unauthorized access, destruction, loss, alteration, improper communication, or unauthorized disclosure. Although we strive to maintain a high level of security, it is important to emphasize that no system is completely immune to risks.
To ensure adequate protection, SoftExpert uses solutions that follow the best technical practices available in the market, considering implementation costs, the nature and context of data processing, specific purposes, and risks associated with data subjects' rights and freedoms.
SoftExpert also holds ISO 27001:2022 certification, attesting to the existence of an Information Security Management System (ISMS). This system includes policies, procedures, and processes that guide the protection of information confidentiality, integrity, and availability. As part of this commitment, internal and external audits are periodically conducted by certification bodies, ensuring continuous improvement and compliance with high security standards.
In addition, SoftExpert commits to promptly notify data subjects in the event of a security incident that could pose risks or cause significant harm to their rights and freedoms, adopting all necessary corrective measures.
It is worth noting that, under the General Data Protection Law (LGPD), SoftExpert cannot be held responsible for events exclusively caused by third parties or by the data subject.
Finally, SoftExpert ensures that personal data under its management is processed based on the principles of confidentiality, integrity, and availability, in accordance with legal requirements and information security standards.
The Data Protection Officer, also known as the DPO, is the person appointed by the Controller to act as a communication channel between the Controller, data subjects, and the ANPD.
The Data Protection Officer/DPO appointed by SoftExpert is Tatiane Arnhold, who can be contacted via email at privacy@softexpert.com.
This Privacy Notice was last updated on 10/05/2024. SoftExpert reserves the right to change this document at any time, at its sole discretion or due to regulatory updates. The provisions of this document will take effect immediately after its publication on the SoftExpert website.
If you have any questions about this document or how personal data is handled by the organization, you can contact us through the following means: