Luby's Personal Data Protection Policy

Luby employs more than 300 people in Brazil to provide digital services to many customers, including services that involve the processing of personal information. Luby implements various measures to ensure an appropriate level of personal data protection, including the Luby Personal Data Protection Rules, which are designed to establish a consistent standard of personal data protection for all Luby employees.

1 Scope

1.1 Role of Luby
Luby processes personal data either as a data controller or as a data processor. As a data controller, Luby hires employees, maintains business contacts, receives visitors, and performs other activities necessary to operate a business. Luby provides a wide range of services, some of which involve the processing of (personal) data. As a processor, Luby processes personal data on behalf of customers who are data controllers, pursuant to contracts entered into with such customers.

1.2 Data subjects
Luby processes personal data belonging to different categories of individuals, also referred to as “data subjects”:

– When Luby is the data controller. Individuals involved in Luby’s business include:
  • Luby personnel (employees and contractors).
  • Business contacts and customer representatives.
  • Job applicants.
  • Family members of employees.
  • Other individuals (visitors, inquiring parties, etc.).
– When Luby is the data processor. The individuals identified by the controllers who request processing include:
  • For external services: Other individuals.

1.3 Geographic Scope
Luby is committed to upholding and complying with the strict privacy regulations in both Brazil and the United States. Our commitment to protecting personal information extends to ensuring that data is circulated within the borders of these two countries. By strictly adhering to the Brazilian and U.S. legal frameworks, we prioritize data privacy and security, thereby maintaining the trust and confidence of our users and stakeholders.

2 Binding

Luby complies with Brazilian and American privacy laws.

2.1 Binding on Luby
Luby agrees to comply with and implement the provisions of data protection laws in its structure and operations.

2.2 Obligations of Luby Associates
All professionals associated with Luby are required to comply with the privacy laws followed by the company. This commitment is reflected in all employment and collaboration contracts.

Luby Associates are made aware of the Privacy Policy during onboarding, training and periodic reviews. Violation of Luby’s Personal Data Protection Policy may result in sanctions under applicable local law, up to and including termination of the Associate.

3 Privacy Principles

3.1 Compliance with Local Laws
Luby will always comply with local privacy laws. If local data protection laws require a lower level of personal data protection than the standards set by the Company, Luby will take whatever action is necessary to comply.

Luby will collect evidence of compliance and demonstrate compliance with applicable laws (the “Accountability Principle”). This includes various forms of evidence:

  • Electronic records of consent or notice;
  • Contracts and agreements;
  • Records of processing, registers of specific processing operations, transfers or disclosures;
  • Archives of emails or other communications;
  • Archived logs or screenshots;
  • etc.

Such evidence may be retained for certain periods of time as required or implied by applicable law.

3.2 Transparent communication
Luby will communicate transparently with individuals about the processing of their personal data.

– When Luby is the data controller
Luby, acting as a data controller, will provide data subjects with essential information, including:

  • The identity of the specific Luby entity acting as data controller.
  • The nature of the personal information that will be processed.
  • The purposes for which the data will be processed.
  • The legal basis for the processing.
  • The anticipated retention period for the data.
  • The identity or at least the categories of entities with whom the data will be shared (data recipients).
  • Any third countries to which the data may be transferred and details of the appropriate safeguards in place.
  • The rights granted to individuals in relation to their data.
  • The right to complain to a supervisory authority.


This notice should be provided promptly, ideally at the time of collection or, if immediate notice is not practicable, within the shortest reasonable time after collection. Luby will provide this information in a clear and comprehensive manner, using language and terminology that is easily understood by individuals.

However, Luby may be exempt from providing this information to individuals in certain circumstances, such as when individuals already have the information or when such exemptions are required by applicable law.

– When Luby is a data processor
Luby, acting as a data processor, will assist data controllers in fulfilling their responsibilities to communicate with data subjects. This assistance includes collecting the necessary information that the controllers need to communicate effectively.

3.3 Purpose of Processing
Luby is committed to processing personal data only for clearly defined, specific and legitimate purposes.

– When Luby is the data controller
Luby, as data controller, will process personal data only for the purposes communicated to individuals at the time of collection. The data will not be reused in a manner inconsistent with those communicated purposes.

Exceptions to this principle may only occur if there is a legitimate reason, such as compliance with a legal obligation or the existence of a legitimate interest. Any deviation from the stated purposes will be properly recorded, documented and communicated to the individuals concerned in accordance with applicable laws.

– When Luby is the data processor
Luby, as the data processor, is obligated to strictly follow the instructions of the data controller as set forth in the applicable data processing agreement or other written notice, all in accordance with the agreed-upon terms.

Luby will refuse to process requests that conflict with the terms of the agreement. In cases where a request from a data controller violates applicable law, Luby will promptly notify the data controller of such violations.

3.4 Lawfulness of Processing
Luby will only process personal data if there is a legal basis for doing so.

– When Luby is the data controller
Luby, as data controller, will process personal data when a legal basis is recognized by applicable law. Depending on the context and the type of data processed, this may include the following:

  • Conclusion and performance of a contract: Processing necessary for the performance of a contract with the individual, such as an employment contract.
  • Legal obligation: Processing necessary to comply with a legal obligation of Luby, such as tax obligations.
  • Legitimate Interest: Processing based on the legitimate interests of Luby, such as activities to promote its business.
  • Protection of Vital Interests: Processing necessary to protect the vital interests of the individual, such as making emergency calls.
  • Consent: Processing based on explicit consent obtained in other cases, such as obtaining consent to place a website cookie.
– When Luby is a data processor
Luby, in its capacity as a data processor, will only process personal data on behalf of a controller when directed to do so by a data processing agreement duly executed between the controller and Luby.

3.5 Retention
Luby is committed to retaining personal data for the shortest period of time necessary to fulfill the purposes of the processing.

– When Luby is the data controller
Luby will delete all data elements when they reach their designated retention periods. In addition, Luby may choose to securely and irreversibly depersonalize (anonymize) data to allow for legitimate purposes, such as retaining program source code while removing developer emails.

Retention periods established by Luby will be reasonable and will ensure that data is not retained longer than necessary.

– When Luby is the data processor
When Luby acts as a data processor, the return or deletion of personal data processed on behalf of the data controller, together with the deletion of all copies of such data, will be carried out at the end of the processing engagement, subject to the decision of the data controller.

3.6 Data Minimization
– When Luby is the data controller
Luby, as data controller, will actively limit processing to the minimum amount of data necessary to achieve the purposes of the processing. This approach ensures that data profiles are kept minimal and consistent with the purposes of the processing.

– When Luby is the Data Processor
Luby, in its role as a data processor, will proactively minimize its exposure to data processed on behalf of a controller. This may include assuming minimal rights or receiving minimal data sets to ensure a focused and limited scope of data processing.

3.7 Accuracy and Data Quality
– When Luby is the data controller
Luby, as the data controller, will proactively implement measures to ensure the accuracy and quality of personal data, consistent with the purposes of the processing.

– When Luby is the data processor
Luby, when acting as a data processor, will actively assist data controllers in maintaining a level of data quality appropriate to the purposes of processing.

3.8 Security and Confidentiality
– When Luby is the data controller
As data controller, Luby will implement industry-standard technical and organizational security measures appropriate to the risks associated with the processing of personal data, as described in the Luby Security Policy.

– When Luby is the data processor
As a data processor, Luby will implement technical and organizational security measures as agreed with the relevant data controllers. Details of these measures are set forth in Luby’s Security Policy.

3.9 Processing of Special Categories of Data
– When Luby is the data controller
Luby, as the data controller, will minimize the processing of special categories of personal data and will only undertake such processing where strictly necessary and legally permitted. Additional measures may be taken to address heightened risks to data subjects.

– When Luby is the data processor
As data processor, Luby will implement additional technical and organizational security measures as agreed with the relevant data controller, especially when processing special categories of data.

4 Rights of Individuals

4.1 Rights
– When Luby is the data controller
Luby, acting as the data controller, recognizes the rights of data subjects, including access, rectification, erasure, restriction of processing, objection to processing, data portability, and the right not to be subject to decisions based solely on automated processing, as defined by the Brazilian and American data security acts. Data subjects also have the right to file a complaint with Luby and to receive fair treatment of the complaint.

– When Luby is the data processor
Luby, as the data processor, will cooperate with data controllers in handling the rights of data subjects.
Individuals retain the right to file a complaint with a relevant supervisory authority or court of competent jurisdiction, particularly in their country of residence or where Luby is located.

4.2 Rights Request Procedure
All requests from data subjects should be submitted in writing to Luby or by email to [email protected]. Luby, acting as data controller, will process each request within one month, unless applicable law permits an extension. If Luby is acting as a data processor, it will forward all requests received to the appropriate data controller.

4.3 Complaint Handling Procedures
Data subjects may submit complaints to Luby by sending an e-mail to [email protected]. The Legal Department will handle all complaints and maintain a registered issue tracking system with an accessible handling history. The departments involved in handling complaints will have sufficient independence to ensure fair resolution of complaints. Luby will address each complaint within one month, with possible extensions allowed by applicable law.

5 External Vendors

Luby may engage external vendors to provide various specialized services. These vendors typically act as sub-processors, but there are instances where they may consider themselves, in whole or in part, to be data controllers.

– When Luby acts as a data controller and engages an external vendor as a data processor:
Luby must enter into a data processing contract in order to comply with possible requirements of the American and Brazilian data protection regulations. In addition, Luby must provide data subjects with relevant information about the data recipients, as described in Section 3.2 above.

Luby must take the necessary precautions, in particular by implementing standard contractual clauses, to ensure that its suppliers meet the criteria required by law.

– When Luby acts as a data processor and engages an external vendor as a sub-processor:
The controller should be involved in the engagement of other vendors based on the terms and conditions set out in the data processing agreement that governs the processing. In addition, Luby must enter into an appropriate data (sub)processing agreement with the vendor.

– When Luby acts as a data controller and engages an outside vendor that is also a data controller:
This includes assessing whether there is a legal basis for the data processing that includes the transfer as described in Section 3.4 above, ensuring that data subjects have received the required information about data recipients as described in Section 3.2 above.

– When Luby acts as a data controller and engages an outside vendor that is also a data controller:
The controller should be actively involved in the engagement of other vendors, and its consent to the disclosure is essential. Therefore, Luby should seek the controller’s instructions to effect the disclosure, unless such disclosure is already anticipated by the data processing agreement entered into with the controller.

If the vendor is located in a third country not covered by the American and Brazilian law jurisdiction, Luby should specifically advise the data controller to implement the necessary safeguards. These safeguards may be implemented directly by the data controller, or indirectly with the assistance of Luby. For example, Luby may execute the standard contractual clauses on behalf of the data controller pursuant to a power of attorney.

In a situation where the vendor acknowledges its status as a sub-processor, but also claims the status of an independent data controller with its own processing purposes, a mixed approach should be adopted.

6 Transfers to Brazil or US

Luby will only transfer personal data to countries that do not provide an adequate level of protection for personal data if appropriate safeguards, such as standard contractual clauses, are in place.

7 Compliance

7.1 Breaches
Luby will report and investigate any suspected Personal Data Breach, document the investigation, and take all necessary actions to assess the scope and severity of the breach and to address it.

– When Luby is a data controller:
Depending on the results of the breach investigation, Luby as the data controller will notify the supervisory authority and affected data subjects as required by applicable law.

– When Luby acts as a data processor:
Luby, acting as data processor, will notify the controller of personal data breaches without undue delay and, in any event, within the time periods specified in the applicable data processing agreement. Luby will also assist the controller in responding to the breach.

7.2 Ease of Access
Luby will ensure that Luby’s Personal Data Protection Policy is easily accessible to its employees, customers and other data subjects.
