Updated on 12/04/2023
The purpose of this Policy is to demonstrate in a transparent manner the commitment of R.B. A. PORTUGUESA DE BENEFICENCIA ("BP"), headquartered in the City of São Paulo – SP, at Rua Maestro Cardim, 769, Bela Vista, CNPJ [Tax ID]: 61.599.908/0001-58, and its respective subsidiaries, to privacy and the protection of personal data, respecting the provisions of the General Data Protection Law.
This Policy describes the applicable guidelines on the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation or control of information, modification, communication, transfer, dissemination or extraction of personal data of clients and/or their legal guardians, companions and visitors, collaborators, members of their clinical and multidisciplinary staff, students, volunteers, researchers, providers, sponsors and any other third party in accordance with applicable laws.
To access and use the services offered by BP, You, as Data Subject, declare that you have attentively read this Policy and are fully aware of the terms set out herein, conferring your free and express agreement for the processing of the Data in accordance with the conditions specified below.
This Policy applies to all directors (members of the Board of Directors, Advisory Board, Fiscal Council, Administrative Board, Associates) and BP employees, clients and their legal guardians, companions and visitors, members of its clinical and multidisciplinary staff, students, researchers, volunteers, providers and suppliers of goods and services and any other third parties.
Considering the principles and grounds defined by the General Data Protection Law, the Processing of Personal Data will be carried out by BP only when the following hypotheses are observed:
5.1. How We Collect Data
Data, including Personal Data and Sensitive Personal Data, may be collected physically and/or digitally when interacting with Our Virtual Environments.
Data Subject | What can we collect? | What do we collect for? |
---|---|---|
BP may collect and process Personal Data of children and adolescents under the age of 18, in a physical manner and/or digitally when interacting with Our Environments, including Sensitive Personal Data, and therefore depending on the purpose, legal consent from parents or legal representatives may be required.
Although in the collection and processing of personal data of children and adolescents there is consent, parents must supervise the online activities of their underage children in Our Environments, especially in Our Digital Environments.
The activities of adolescents over 16 and under 18 years of age must be assisted by parents or legal representatives.
5.2.1. Other personal data that is not described in the Table above may be collected in accordance with the specific nature of the service or activity in question, in accordance with a specific document that should be considered together with this Privacy Policy.
5.2.2. Many of BP's services rely directly on some data provided in the table above, mainly Registration Data. If the Data Subject chooses not to provide any of this Data, we may be unable to provide all or part of our services.
5.2.3. BP is not responsible for the accuracy, veracity or timeliness of the information provided by the Data Subject, and it is the responsibility of the Data Subject to provide it accurately or update it whenever applicable. It is important to say that BP is not obliged to process any Data if there is reason to believe that such processing may impute to us any legally intended infringement, or if Our Environments are being used for any illegal or unlawful purpose or in any way contrary to ethics and/or morality purposes.
5.2.4. The database formed through the collection of Personal Data is the property and responsibility of BP, and its use, access and sharing, when necessary, will be made within the limits of this Privacy Policy and specific Terms of Use, if any.
We use cookies to identify you in your next access to the site and thus provide a personalized service according to your preferences or browsing history, and thus provide more practicality and functionality in your navigation. To know details about the Cookies we collect and why we collect them, please visit our Cookie Policy, available on the website: https://www.bp.org.br/politica-de-cookie
All technologies used by BP will always comply with the current legislation and the terms of this Policy.
The Collected Data and recorded activities can be shared:
BP will not be liable for the misuse of information, whether by third parties, volunteers, students or their employees, due to the failure to comply with this Policy and the contractual obligations assumed with them and through proper instruments.
6.1. BP makes every effort to maintain privacy and information security by adopting technical, physical and administrative security measures:
6.2 Internally the Personal Data collected by BP is accessed only by duly authorized professionals, respecting the principles of proportionality, necessity and relevance to the objectives of our business, in addition to the commitment to confidentiality and preservation of your privacy under this Policy.
6.3. When using Our digital environments it is very important that the Data Subject protects their Data from unauthorized access to their computer or mobile phone, account or password, and always makes sure to click "exit" when ending a browsing session on a shared computer. It is also very important to inform that BP never sends electronic messages with attachments that can be executed (this can be verified through file extensions such as: .exe, .com, among others) or links to file downloads. The emails are intended to provide information about your appointments, health and care reports and other information that the Data Subject consents to.
6.4. When the Data Subject accesses Our Environments, they may be directed, via link, to other portals or platforms (such as BP's social networks), which may request that they provide personal data and other information and which have their own Data Processing Policy or specific Terms and Conditions of Use:
6.4.1 It will be up to the Data Subject to read the Privacy and Data Processing Policies of such portals or platforms outside our environment, and it is his/her responsibility to accept or reject them. BP will not be responsible for Privacy and Data Processing Policies of Third Parties or for the content of any websites or services linked to virtual environments of BP's systems, even if associated to it through links;
6.4.2 BP has business partners who may occasionally offer services through features or websites that can be accessed from Our Environments. [sic] to the supplier data to these partners shall be their responsibility and they are thus subject to their own data collection and use practices.
6.4.3 The consent provided by the Data Subject, if applicable, is collected individually, clearly, specifically, legitimately and informed.
6.5. BP uses market-compatible technologies, respecting the reasonable state of the art, with constant updates. All technologies used must comply with current laws and the terms of this Privacy Policy.
6.6. BP conducts training of its employees, clinical staff and multidisciplinary professionals regarding the standards and good practices related to information security, privacy and protection of personal data and on the General Data Protection Law, as well as developing a governance program with the purpose of making them aware of the importance of preserving and keeping confidential the information collected, recorded, stored, and shared.
6.7. BP respects the principles of lawfulness, purpose, adequacy, proportionality, necessity, free access, data quality, transparency, security, prevention, non-discrimination, accountability, subsidiarity and storage limitation, in addition to establishing a commitment to confidentiality and privacy preservation under this Privacy Policy.
BP will maintain and store Personal Data and Sensitive Personal Data for as long as necessary to comply with the purposes for which it was collected, as well as for the purposes of fulfilling any legal, regulatory or contractual obligation, accountability or request of competent authorities in accordance with applicable law.
The Collected Data will be stored on our servers located in Brazil, as well as in a cloud computing environment, which may require a transfer and/or processing of this Data outside Brazil.
BP informs that, depending on the services used, your data may be transferred and maintained in an environment inside or outside Brazil. This transfer will always respect evaluation criteria of partners and suppliers that provide technological structure in countries with data protection laws equivalent to the Brazilian General Data Protection Law.
Currently the data for some of our services is stored in:
Any Data Subject has the right to request BP information related to the processing of his/her data. According to the LGPD, their rights consist of:
To fulfill your rights from requests for information, please contact us through the [DATA SUBJECT PETITION FORM] available at:
The Data Subject may exercise his/her rights directly, or through a legally appointed representative. In this channel, Data Subjects can also request a Copy of their Medical Records.
As a result, some additional documents will be requested by the BP Team to verify the identity of the Data Subject. All validation steps will be done through email. Keep an eye on your inbox and place the m.onetrust.com domain in your email provider's list of secure senders.
To deregister the mailing to receive communications from BP and other consents provided to our institution, access: https://privacyportal.onetrust.com/ui/#/preferences/multipage/login/46f72a0e-1293-4b45-976d-8d3d993e79e4
If we are asked to delete Personal Data, the Data may need to be maintained for a period beyond the request for deletion, pursuant to Article 16 of the General Personal Data Protection Law, for the purposes of: (i) compliance with legal or regulatory obligation, (ii) study by research body, and (iii) transfer to a third party (subject to the data processing requirements set out in the same Law). In all cases, Personal Data will be anonymized where possible. After the maintenance period and legal need, personal data will be deleted using safe disposal methods, or used in an anonymized manner for statistical purposes.
The automated decision making process occurs when an electronic system uses personal information to make a decision without human intervention.
If BP makes decisions that will have a significant impact on data subjects based on the automated processing of personal data, we will provide ample transparency regarding the criteria and procedures used and will provide adequate means to request a review of such decisions, subject to commercial and industrial confidentiality.
In case of any doubt regarding the provisions of this Privacy and Data Processing Policy, the Data Subject may get in contact through the service channels indicated below, whose opening hours are Monday to Friday from 7:00 am to 6:00 pm.
Data Officer:
Eduardo Nicolau
e-mail: dpo@bp.org.br
We seek to offer you the services as efficiently as possible and, for this purpose, we constantly update them. For this reason, this Policy may be adjusted at any time. Access updates to this Policy whenever possible through this email address.
If any topic of this Policy is deemed unenforceable by the Data Authority or any judicial authority, the other conditions shall remain in full force and effect.
Any communication made by e-mail (to the addresses informed in your registration), SMS, instant communication applications or any other digital form, are also valid, effective and sufficient for the disclosure of any subject that refers to the services we provide, as well as the conditions of its provision or any other subject addressed therein, unless otherwise provided for in this Policy.
This Policy shall be interpreted in accordance with the Brazilian law, in the Portuguese language, and the court of your domicile shall have jurisdiction to settle any dispute arising out of this document, unless specific to personal, territorial or functional competence by applicable law.
If you are domiciled in Brazil, and because the services are offered by BP only in the national territory, you are subject to Brazilian law and therefore agree that, in case of litigation to be resolved, the lawsuit shall be brought in the Court of the Judicial District of São Paulo.
This Policy is registered at the Fourth Vital Records of the Judicial District of São Paulo. For all purposes consider the latest version in force to be published on our website.
For the purposes of this Policy, the following definitions and descriptions shall be considered:
18/12/2020 - Version 01
18/12/2021 - Version 02
04/04/2022 - Version 03
12/04/2023 - Version 04