What is LGPD?

Briefly, the LGPD, or Lei Geral de Proteção de Dados (Lei Nº 13.709/2018), it's the Brazilian General Data Protection Law, a law that establishes your rights as the holder of your own personal data and the duties of the companies that collect your data. The Law is an important achievement for Brazilians, the result of 8 years of debates and aims to ensure the privacy and security of users while establishing limits on the use of their data by companies.

What is the role of POTI RN in the LGPD?

POTI RN is a systems development company. Our main area of expertise is the creation of tailor-made systems for other companies. These companies, who hire us to develop their systems, are our customers. The systems we develop handle a series of data, including personal data from your own customers (data from our customer's customers).

In this context, we have two actors defined by the LGPD: the controller and operator.

The controller is responsible for decisions regarding the treatment of personal data covered by the system. It is the one who will define how your data will be used, the purpose, who will have access and everything else related in this context. The controller is, therefore, the customer of POTI RN, who hired us to develop his system.

The operator is the figure who performs the personal data processing on behalf of the controller. It is the operator who creates and maintains the technological mechanisms that will allow the management of this data. POTI RN is, therefore, the data operator in the context of LGPD.

How to identify the systems in which POTI RN is a data operator?

Unless the contract established between POTI RN and our client has some confidentiality clause, or even if our client objects, our logo is displayed at the bottom of the systems we develop, with a direct link to our website.

How do I identify who is the data controller in the systems that POTI RN develops and how is my data being used?

In all systems developed by us we recommend our customers to create clear, objective and transparent terms and conditions and privacy policies. These terms and policies are usually available on the information pages of the systems or on the registration forms throughout the systems.

If you have any difficulty in identifying this information in a system developed by us, we recommend that you contact the person in charge.

What does POTI RN do to ensure the security of my data and protect my rights?

In addition to a number of technical security features - encryption, exclusive data traffic through security protocols, restricted access to system data, security measures against bots and crawlers and more - we have taken specific measures in the context of LGPD, some of which are present in all of our systems and are listed here:

Access control

Our platforms are developed following a principle of selective permissibility. This means that, in a system that manages registrations for an event, for example, our client can grant different levels of access to information throughout its administrative team. One employee can have access to the registrants' data, while the other may only has access to the event information pages, for example. Within each organization, it is up to the manager (the data controller) to determine the specific rules for accessing data throughout his team.

Access log

Whenever sensitive data is accessed on the administrative platform, the system records in a specific log who was the user of the organization that performed the access. Thus, the manager has a powerful audit tool to inspect any improper access to his clients' personal data.

Check, modify and remove your data

The data owner - you - always has the possibility to check, change or remove your personal data on the platform developed by us for our client - the data controller.

In systems that have an exclusive user area (a place through which you access the system by providing access credentials), all these actions can be performed through the module that presents your registration data (the nomenclature changes, but generally we call this module "My Informations").

When the system does not have an exclusive user area, these requests must be sent to the data controller team, who will carry out the necessary operations through the system's administrative platform.

Some important notes:

To mitigate fraud and other potentially harmful actions, some pieces of information are blocked for editing by the user. It is common, for example, that our systems do not allow you to modify your CPF in your exclusive area. In this case, just make the request to the data controller team for them to make the necessary corrections.

Some systems developed by POTI are subject to special regulations. In cases of systems that manage processes inherent to public policies or are subject to specific legislation, for example, it may not be possible to remove your data completely. These limitations are described in the LGPD itself and do not affect the other security measures adopted throughout the system to safeguard your rights.

Transparency

All systems present a warning to the user about the use of cookies and other technologies, with a direct link to the portal's privacy policy or terms of use.

In the registration forms of the systems developed by us, we add a warning about the Brazilian General Data Protection Law. By clicking on the notice, you have access to an explanatory text on how your data is used by the company (by the data controller) and a link to this page.

Some important notes:

The data controller is solely responsible for developing and defining the terms of use and the privacy policy, which guide the relationship between the data controller and the user, as well as the explanatory text that presents the purposes of data collection. POTI RN just created the mechanisms so that this information is always displayed to the user in a clear, objective and transparent way.

Export of sensitive data

When the controller asks us for a report or some survey of data outside the scope of system functionality that contains sensitive data from its customers, we deliver this data following a special transmission protocol. First, we perform encryption or data protection. Then, we send the protected data through a digital medium without decryption and/or access instructions. Finally, using a second means of contact, different from the one through which the data was sent, we send the access key or decryption. These measures are intended to prevent that, in the event of compromising the controller's infrastructure, the personal data of its customers is accessed by unauthorized personnel.