Privacy and Personal Data Protection Policy
Firm: Ayres Westin Advogados
Tax ID (CNPJ): 19.617.682/0001-04
Version: 01
Date: December 2024
Created/Reviewed by: Jonathan S. Mazon (Compliance)
Approved by: Gilberto Ayres
Amendment History
| Versão | Data | Descrição |
|---|---|---|
| 01 | December 2024 | Initial Release |
Contents
- PURPOSE
- SCOPE
- PRINCIPLES
- GUIDELINES
- RESPONSIBILITIES
- DEFINITIONS
- DISTRIBUTION
- PERSONAL DATA PROCESSING SCENARIOS
- TYPES OF PERSONAL DATA PROCESSED
- DATA SUBJECT RIGHTS
- PENALTIES
- INQUIRIES
1. Purpose
This Policy aims to safeguard privacy and ensure appropriate handling of personal data processed by AYRES WESTIN ADVOGADOS, while maintaining compliance with applicable data protection legislation. It establishes core principles and guidelines, and implements information security measures aligned with industry best practices.
2. Scope
This Policy governs all data that AYRES WESTIN ADVOGADOS processes, including but not limited to information relating to employees, partners, clients, suppliers, management, and service providers.
3. Principles
Our Policy is founded on these key principles:
Purpose Limitation: We collect and process personal data only for transparent and legitimate purposes. Unless required by law, we never use data in ways inconsistent with these stated purposes.
Transparency: We commit to clearly communicating our data protection practices and providing relevant information to all data subjects whose information we handle.
Adequacy: All data processing activities are conducted to maintain relevance and proportionality, limiting collection and processing strictly to what is necessary to fulfill stated purposes.
Access Rights: We ensure data subjects can easily access clear information about how their data is processed and can request deletion of their data from AYRES WESTIN ADVOGADOS’ systems when appropriate.
Security: We implement robust measures to protect processed data through appropriate security protocols designed to prevent privacy breaches and unauthorized data disclosure.
Accountability: We take full responsibility for collected data, ensuring its use remains within stated parameters and complies with all applicable laws and regulations.
4. Guidelines
Our Policy follows these essential guidelines:
Security Measures: We protect privacy and personal data through industry-leading security practices and compliance with applicable law, implementing appropriate technical and organizational safeguards to ensure data security.
Purposeful Collection: We gather and process personal data only for specific, legitimate purposes, always informing data subjects about these purposes, and retaining data only for the period necessary to fulfill these objectives.
Data Accuracy: We maintain accurate data records and enable data subjects to update or correct their personal information when necessary.
Continuous Improvement: We regularly review and enhance this Policy to strengthen data protection practices and ensure ongoing compliance with evolving legislation
5. Responsibilities
Key responsibilities under this Policy include:
The Data Protection Officer (“DPO”) ensures strict compliance with Brazil’s General Data Protection Law (“LGPD”);
All employees must adhere to this Policy’s guidelines and applicable data protection laws; and
AYRES WESTIN ADVOGADOS bears responsibility for implementing appropriate technical and organizational measures to protect personal data and process it lawfully, transparently, and ethically.
6. Definitions
Data Protection Officer (“DPO”): The individual or entity appointed by the Controller to serve as the communication channel between the Controller, Data Subjects, and the National Data Protection Authority.
Controller: The individual or legal entity responsible for decisions regarding personal data processing, determining the means and purposes of such processing.
Personal Data: Information relating to an identified or identifiable natural person, including data used to develop behavioral profiles of specific individuals.
Data Subject: Any individual to whom personal data relates.
General Data Protection Law (“LGPD”): Brazilian Law No. 13.709/2018 governing personal data protection.
Purpose: The specific objectives for which the Controller processes personal data, as disclosed to the Data Subject.
Processing: Any operation performed on personal data
7. Distribution
This Policy is publicly available on the AYRES WESTIN ADVOGADOS website.
8. Personal Data Processing Scenarios
We process personal data for the following purposes:
- Subscription management for newsletters and firm publications
- Event registration for firm-hosted activities
- Access management for visitors, suppliers, and third-party personnel to our offices
- Contract negotiation and execution
- Due diligence screening of prospective clients, employees, suppliers, and partners
- Employee onboarding and personnel management
- Accounting and financial operations
Additionally, device information may be processed to fulfill legal obligations.
AYRES WESTIN ADVOGADOS guarantees that personal data will never be used for purposes beyond those outlined above.
9. Types of Personal Data Processed
AYRES WESTIN ADVOGADOS collects and processes:
| Personal identification data: | Purpose: | BASE LEGAL |
|---|---|---|
| • Full name • Date of birth • National ID • Tax registration number (CPF) • Email address • Residential address |
Employee registration and onboarding; Facility access management; Systems access authorization |
Consent. Compliance with legal and regulatory obligations (LGPD Art. 7, II). |
| • Date of birth: | Publication of monthly birthday celebrations | Consent |
| • Financial information: | Accounting operations; Management of labor obligations; Payroll processing |
Cumprimento e obrigação legal ou regulatório pelo controlador, conforme o Art. 7, II da LGPD. |
| • Driver’s license • Social integration program number (PIS) • Military service certificate • Voter registration • Vaccination records • Employment record book • Parents’ names |
Union relations; Employment recordkeeping; Employee onboarding |
Mandatory employer requirements under Labor Law (CLT Art. 41). |
| • Biometric information • Professional photograph (3×4) |
Work hours monitoring; Employee identification; Personnel records |
LGPD Art. 11(g): Fraud prevention and data subject security in electronic identification and authentication systems, safeguarding rights under Art. 9, except where fundamental rights and freedoms requiring personal data protection prevail.. |
10. Data Subject Rights
Individuals whose personal data we process have the right to:
- Confirm whether their data is being processed
- Access their collected and processed data
- Request immediate correction of incomplete, inaccurate, or outdated information;
- Request anonymization, blocking, or deletion of unnecessary or excessive data, or data processed in violation of LGPD provisions or this Policy;
- Request data portability to another service provider, subject to regulatory guidelines and with consideration for trade secrets;
- Request deletion of personal data processed with consent, except in cases permitted under LGPD Art. 16
- Receive information about public and private entities with whom we share data;
- Be informed about the option to withhold consent and understand the consequences of such decisions;
- Withdraw previously given consent
To exercise these rights, data subjects may contact our Data Protection Officer at dpo@ayreswestin.com.br.
11. Enforcement
Non-compliance with this Policy or AYRES WESTIN ADVOGADOS’ Code of Conduct and Ethics may result in disciplinary action proportionate to the violation’s severity. Sanctions may range from written warnings to suspension, termination for cause, or legal proceedings (civil or criminal) in cases where violations cause organizational harm or constitute criminal offenses.
12. Contact Information
For questions regarding this Policy, please contact dpo@ayreswestin.com.br.
Version Control
| Version | Author | Description | Date |
|---|---|---|---|
| 1 | Compliance Department | Initial Release | December 2024 |