Sertras and the LGPD

Learn about our compliance measures with the General Data Protection Law and find out what our role is and what your rights are.

Requests

Date Officer

He will be the company's representative with the National Data Protection Authority; data subjects; controllers and operators. In addition, he will also be responsible for ensuring that the Company develops and follows best practices (governance) in the personal data processing, playing a key role in adapting to the LGPD, insofar as he plays a role of privacy and data protection manager.

Marcos Castro

lgpd@sertras.com.br

Data Officer

Privacy and Data Protection Policy

1 - General Information and Definitions

This Privacy and Data Protection Policy aims to demonstrate the responsibility and commitment of SERTRAS in relation to the personal data processing following and respecting all the rights of data subjects provided for in Law 13.709/2018 (General Data Protection Law - LGPD). As a condition of accessing the SERTRAS website, systems and portals, you declarethat you have read carefully and fully, being fully aware of this. Policyand demonstrating that you are in agreement with the terms stipulated herein, authorizing the obtaining of the data and information mentioned herein, as well as its use for specific purposes.

Important definitions:

LGPD: Federal Law 13.709/2018 - General Law for the Data Protection. Holder: Natural person to whom the personal data refers. Personal data:Information relating to the identified or identifiable natural person. Sensitive Data:Any information that could be used to embarrass or discriminate against a person. User: All individuals over 18 years of age who access our website voluntarily or who access our system and portal through authentication. Data Processing:Any action carried out with the personal data from its capture to the fulfillment of its purpose. Purpose:Purpose for which the data is used, we only collect necessary and essential data to achieve the purpose. Legal Basis:These are fundamental requirements for carrying out data processing. It can be consulted in article 7 of Law 13.709/2018. Collection:Data capture process. Data Officer:Professional responsible for the data protection culture within the company. They also operate in the communication channel between data subjects; controller; operator and ANPD, meeting their demands. System: Tool used to perform the requested service, where only authorized persons have access; also used to promote business relationship.

2 - Target Audience

This Policy applies to all users of our website, portal and SERTRAS system.

3 - Who we are

In the market for 8 years, our company specializes in supplier management, being a reference in risk management in the supply chain of large companies. Our services analyze legal entities and their compliance with legislation, labor obligations, financial health, compliance, general data protection law, among other analyses. Registered under CNPJ 22.584.068/0001-06, SERTRAS GESTÃO DE FORNECEDORES LTDA is responsible for this Policy and for all data processing mentioned herein, we are located at Rua General Oswaldo Pinto da Veiga, N° 350, Sala 501, Vila Santa Cecília, Volta Redonda / RJ, Brazil.

4 - Personal Data Processing

Sertras handles the processing of personal data, adopting, since the beginning, transparency and clarity with the data subject. All data is stored on servers that have a high level of security compatible with the market. We also adopt all the principles and practices of good faith provided for in the LGPD, always respecting the data subject and complying with their rights. The processing of personal data can be carried out in accordance with the legal bases provided for in article 7 of Law 13.709/2018, such as for:

  • compliance with legal and regulatory obligations;
  • contract execution;
  • serve the legitimate interests of our customers;
  • protection of the life or physical safety of the Holder;
  • vsituations in which the consent of the Personal Data Subject is collected;
  • regular exercise of rights.

Data processing will be limited to activities necessary to achieve the purpose, carried out, when applicable, in compliance with legal or regulatory obligations and performance of contracts. All of our processing activities have a legal basis that underlies them, among those permitted by law, the period of data processing until its deletion is informed to the data subject in advance and whenever requested, a way to maintain transparency with the data subject in every treatment performed.

5 - Collection and Use of Personal Data

The collection and source of data may vary according to the requested service and purpose, we may collect data in the following ways:

  • System and Website: collects data that the user provides voluntarily in order to promote a business relationship; identify and authenticate them.
  • Service Provision: collects data in order to perform the contracted service, each area of ​​the company follows its flow and procedures for collection. The list of collected data is informed to the holder according to the service provided and can be consulted in the terms and conditions of the service together with its respective contract.
  • Candidate Portal: collects data that the user provides voluntarily in order to register their resume in the selection processes carried out by our company.
  • LGPD Portal: collects data that the user provides voluntarily in order to promote the management of requests regarding the rights of data subjects.
  • Cookies: collects data in order to provide the correct functioning of our website, only essential cookies are collected.

Types of service provision:

  • Third Party Management
  • Homologation
  • Compliance
  • Performance evaluation
  • Labor audits, LGPD and/or Compliance

Occasionally, other types of collection not provided for in this Policy may be carried out provided that they are previously informed to the holders, or even if the collection is allowed based on a legal basis provided for by Law 13.709/2018.

The entire data collection process is governed by security standards and techniques that aim to meet and respect all the rights of data subjects, complying with all requirements provided for in the LGPD.

6 - Data Sharing

Our company does not share your personal data with third parties, and the sharing may only be carried out to comply with a legal or regulatory obligation; contract execution; fulfillment of an order issued by some public authority. In such cases, the sharing of personal data will be informed in advance and will observe all applicable laws and rules that aim to ensure the security of data for all users, adopting technical security standards and procedures in accordance with the LGPD.

7 - Rights of the Holder

Every data processing process mentioned in this Policy is in accordance with the standards set by the LGPD and all rights of the holders are respected.

The data subject's rights are guaranteed in accordance with article 18 of the LGPD, namely:

  • Right to confirmation: The holder may request Sertras to confirm or not the processing of data.
  • Right of access to data: The holder may request access to all his/her data, if the data processing of the respective holder is identified.
  • Right of correction: The holder may request correction of data that are incomplete, inaccurate or out of date whenever they confirm the veracity of the new data sent.
  • Right to anonymization and deletion of data: In accordance with the LGPD, the data subject may request the anonymization or deletion of excessive or unnecessary data.
  • Right of exclusion treated with consent: Allows you to request the exclusion of your personal data when the processing of these data is optional and has your consent as a legal basis, except for the maintenance of data necessary to comply with article 16 of the LGPD.
  • Right to information about sharing: The holder may request to know which public or private companies their data is being shared.
  • Right to information about consent: The data subject has the right to know if the processing of data is being carried out by consent or other hypotheses.
  • Right of portability of personal data: Allows you to require SERTRAS to provide you, or third parties you have chosen, with your personal data in a structured format.
  • Right to revoke consent: When the legal basis for processing is only the consent of the data subject, the subject may request its revocation at any time by express manifestation.

Right to revoke consent: When the legal basis for processing is only the consent of the data subject, the subject may request its revocation at any time by express manifestation. You must fill in the application indicating which right you want to exercise.

To ensure that the user who intends to exercise his rights is in fact the owner of the data object of the request, we may request some information to authenticate the owner, following the applicable security procedure and in accordance with the law.

After confirming whether there is data processing or not and with the applicant authenticated, we provide a report in accordance with the holder's request within the period provided for in article 19 of the LGPD.

8 - Data Security

Our company understands and respects the data of the data subjects treated by us and therefore adopts internal procedures and standards that aim to meet a high level with regard to data security, our entire team is trained and receives recurring audits that help us map the entire data processing flow within our corporation, from capturing it to the fulfillment of its purpose and thus avoiding security incidents, we also adopted some measures related to good data governance practice, namely:

  • Monitoring and constant updating of procedures and internal rules by the Data Supervisor and whether they are being complied with;
  • We maintain an audit and training program for our workforce;
  • The data is kept for the necessary period stipulated according to the service;
  • We only handle the minimum data necessary to comply with the laws, contracts and requirements previously communicated;
  • All users of the systems and portal are identified and sign the term of civil and criminal responsibility for the data they access;
  • Access control throughout the system and portal with single and non-transferable login, tracking from the origin of access;
  • Our servers are monitored 24 hours a day, have security certification and end-to-end encryption with TLS 1.2 protocol and private key;
  • Safety manuals defined by area and process;
  • Action plan for possible security incidents.

Our security measures aim to make the data protection environment within our company increasingly secure, we aim at the entire context and purpose of the processing. We also understand that we have adopted all appropriate measures to protect data, we understand that it is also the duty of the data subject to look after their data and not share information with unauthorized persons. In the event of any security incident that could generate risk or damage to the data subject, all measures provided for in the LGPD will be adopted, and if necessary, we will immediately communicate those affected to the National Data Protection Authority.

9 - Cookies

What are cookies?

This website uses cookies, which are small text files that are saved on your browser after you visit a website. These files may contain various information depending on the website you are visiting, from information related to the pages visited and other data voluntarily provided to the website.

This page describes what information is collected, how we use it, and why we sometimes need to store these cookies.

Use of cookies

Cookies on our website are essential for you to be able to navigate the entire website and use its features. These cookies do not collect information about you that could be used for marketing purposes or to track where you browse the internet.

Account Related Cookies

If you create an account with us, we use cookies to manage the registration process and general administration. These cookies are deleted when you log out of our website/portal, but in some cases they may remain later to remember your website preferences when you leave.

Login-related cookies

We use cookies when you are logged in so that we can remember this action. This saves you from having to log in every time you visit a new page. These cookies are removed or cleared when you log out of our website/portal to ensure that you can only access restricted resources and areas while logged in.

Third Party Cookies

In some special cases, we also use cookies provided by trusted third parties. The following section details which third party cookies you may encounter through this website.

This website uses Google Analytics, which is one of the most widespread and trusted analytics solutions on the web, to help us understand how you use our website and how we can improve your experience. These cookies can track items such as how much time you spend on the website and which pages you visit.

For more information about Google Analytics cookies, see the official Google Analytics page.

Disabling cookies

You can choose to reject or block all or specific types of cookies set through your visit to our website by clicking on cookie preferences. Disabling cookies will generally result in the disabling of certain functionality and features of this website. Therefore, it is recommended that you do not disable cookies as we only use essential cookies.

10 - Contact and Data of the Data Supervisor

If you have any questions regarding the Privacy and Data Protection Policy or need to address any matter related to data protection as well as exercise your rights, you can contact us through our website or choose one of the emails listed below:

Name of data manager: Marcos Castro

For questions and information: marcos.castro@sertras.com.br

To exercise your rights: lgpd@sertras.com.br

11 - Update and Change

SERTRAS is committed to keeping the information contained in this Policy updated and revised, ensuring its compliance with the responsible bodies. You can make changes at any time. Any changes made that are necessary will be communicated in advance and you will have access for knowledge and new reading through our website.

12 - Other Information

This Policy must be read in addition to our Terms and Conditions for the respective service and, whenever possible, read and interpreted together with the contracts. The forum of Volta Redonda/RJ is elected for any dealings related to this document.

Terms

Terms and Conditions of Service

These terms and conditions apply to any company that carries out the Sertras Supplier Certification and Approval process.
Version 23 July 2021

1 - Details of Changes

This new version of the terms and conditions of the services was necessary to comply with the General Law for the Protection of Personal Data in Brazil.

Revisions History
revision number Description Approved in
5 Update of the effective date 26/11/2018
6 Adaptation to LGPD 17/02/2021
7 Changes in the wording of the LGPD text where it said “will be” was replaced by “Poderá”. 23/07/2021

2 - Scope

The following Terms and Conditions apply to the simplified registration, certification, prospection and risk assessment services of supplier companies, provided by Sertras Gestão de Suppliers Limitada or by Sertras Consultoria e Gestão Limitada, hereinafter referred to as "Sertras", and the company customer, hereinafter referred to as “supplier”, “supplier”, “suppliers” or another similar term, participating in the Global Catalog of Materials and Services Suppliers, called “Catalogue”.

3 - Accept these terms and conditions

These terms and conditions are considered accepted by the suppliers if one of the following actions is taken by the Supplier:

  1. Once selected the option “I declare that I have read and accept the terms and conditions” in the registration form, or;
  2. When the supplier makes payment for any paid certification, or;
  3. When the supplier makes payment for any paid certification, or;
  4. If you send by e-mail the authorization to issue a bank slip and/or electronic invoice.

4 - Definitions

Supply Company: Any company that can offer products or services to one or more purchasing companies.

Purchasing Company: Company that has a Non-Disclosure Agreement and/or contract signed with Sertras, which allows its employees to access the catalog and/or request specific assessments from suppliers

Public User: Any individual or legal entity (buyer or supplier) that accesses the Sertras website and performs a search without the need for identity authentication or registration on the portal. The data that can be viewed is reduced to basic company information (name, address, contact, products and services).

Public Information: Any document or information from a company (legal entity) that can be obtained directly from a government agency or legal institution for this purpose. Some examples and not limited to these are: CNPJ Card, Sintegra, MTE Slave Labor List, Articles of Association, Credit Protection Agencies, among others.

Private Information: Any document or information from a company that can NOT be obtained directly from a government agency or legal institution.

Confidential information: Any document or information that can only be presented to buyers authorized by the supplier. Only private information can be considered confidential information. The supplier may indicate to Sertras at any time for which purchasing companies it considers its private information to be confidential. If this request is made after the first risk assessment, Sertras has a period of 5 (five) business days from the date of receipt of the request to transform the private information into confidential information.

Risk Assessment or Supplier approval: Corresponds to the service provided by Sertras which can be summarized in the following steps:

  1. Classification of suppliers according to the policy of each buyer;
  2. Obtaining public information and documentation;
  3. Request for information and private documentation;
  4. Transcription of information to internal systems;
  5. Assessment of information (validation) and generation of “risk ratings”;
  6. Delivery of information and documents to buyers.

As there is unrestricted access to public information, the risk assessment can be performed only with the information described above. Sertras does not need authorization to obtain and analyze it. Risk scores are generated in the analysis and may be different for each purchasing company.

Commercial Certification Plan: It is the technique that is used to approve a supplier. Who defines which technique should be used is the Purchasing Company. These plans allow the supplier to be reassessed as many times as necessary for a period of 12 (twelve) months from the invoice issuance date.


IMPORTANT:

The supplier DECLARES THAT If it chooses a plan other than that requested by the purchasing company, it may be rejected or not accepted by the purchasing company. SERTRAS always informs which plan is needed and is not responsible for the supplier's decision, with no possibility of refunding values ​​for having chosen a plan that was not suitable.

Each supplier can only choose one commercial plan per CNPJ. If the supplier wants to reduce its plan to one of lower value and complexity, it must wait for the validity period of the current certification to expire. If it needs to upgrade its plan, it must pay the difference from the current plan to the higher plan.

The deadline for obtaining public information and carrying out the first analysis by Sertras is up to 7 (seven) days from the date of payment of the annuity or billing authorization. The grade may be modified with the receipt of valid documents for the process.

Validation: It is the process of verifying the information received and transcribed and the risk assessment of the supplier.

Basic information: It is the public information of the supply company added to the contact details that have been informed.

Certification:It is the way we call the service as a whole and which considers the following steps:

  1. Guide the supplier to complete a questionnaire (if necessary);
  2. Request, receive and organize documents;
  3. Obtain information and documents directly from public websites (Eg. FGTS, INSS and etc.);
  4. Check the CNPJ in public lists (eg. List of Slave and Child Labor of the MTE);
  5. Validate the information (Risk Assessment);
  6. Make information available to the purchasing companies (risk ratings and documents);
  7. Update, when necessary, the documentation and information with expiration;
  8. Other processes (eg. Purchase of information from third parties).

All evaluated suppliers will be qualified and will be assigned grades.

THE ACT OF CARRYING OUT THE PROCESS WITH SERTRAS DOES NOT GUARANTEE THAT THE PURCHASING COMPANIES WILL CONSIDER THEM IN PURCHASE PROCESSES OR ENTER INTO ANY SERVICE AGREEMENT.

Our work is limited to carrying out the assessment and making the information available.
Occasionally, we send an e-mail to our buyer base disclosing the suppliers and, if any buyer requests to find suppliers indicating the product or service they wish to purchase, our team searches the database for the companies that sell these products and indicates them to the buyers. If many suppliers are found in this search, we provide the buyers with information about the suppliers of the highest certification plan. THIS POINT IS NOT A RULE and may not happen.

Sertras does not deliver printed or e-mailed certificates. The supplier can monitor its evaluation directly on the Sertras website, authenticating its identity through its username and password.

LGPD: General personal data protection law. This law refers to the protection of the information of individuals, these terms have a specific section that deals with our obligations with this data.

5 - Minimum participation requirements

The Sertras Global Catalog pursues the following objectives:


For purchasing companies:

  1. Be an important information tool for supplier selection decision making;
  2. Deliver certified, updated, validated and useful information;
  3. Be the first choice of buyers when looking for (prospecting) suppliers in the market;
  4. Reduce risks in the supply chain;
  5. When hired, be an integral part of the purchasing company's supplier management area;
  6. Carry out the work through structured and auditable processes to ensure information transparency and objectivity.

For supplier companies:

  • Publicize certified (approved) companies to buyers from different companies and sectors;
  • Be a single channel in the approval processes of different purchasing companies;
  • Count on as many purchasing companies as possible so that the certification process carried out is valid for many buyers;
  • Ensure that the information provided is consistent and true;
  • Make the information available to the purchasing companies transparently, that is, in a way that the supplier can see its information in the same way as it is seen by the buyer;
  • Make their information available in a catalog of products and services that is used to prospect suppliers for different industries.

All requirements of each certification plan seek to demonstrate the following:

  • That the supply company is constituted following all the laws of the geographic area where it provides services or was incorporated;
  • That the supply company complies with and respects labor and social responsibility standards commonly accepted in Brazil and worldwide;
  • That the supply company does not practice acts of corruption or slave labor;
  • Among others.

6 - Exclusion from the catalog

In accordance with the previous requirements (section 5) a supplier may be excluded from the Sertras Catalog, without notice or the right to return the amount paid, in the following cases:

  1. If the company's CNPJ is blocked, written off or suspended by the Federal Revenue Service;
  2. If the company is on a Brazilian or foreign black list, such as the MTE (Ministry of Labor and Employment) child and slave labor list, Colombia's money laundering list (known as the Clinton list), or other restrictive lists (also known as black lists) requested by purchasing companies;
  3. If it is involved in corruption, illegal acts or sanctions according to the Brazilian Government Transparency Portal, with the Registry of Disreputable and Suspended Companies (CEIS) or any other similar;
  4. If it fails to comply with any mandatory requirement of the contracted plan.

Important Note: Sertras obtains this information from public domains and/or third parties. If the supplier demonstrates to Sertras that the information obtained from third parties was incorrect, it may be included again in the Catalog, for the remaining period of validity of the certification, reducing the days that the company was disabled. The supplier understands that Sertras complies with the principle of keeping the information validated, therefore it is exempt from liability for third-party information errors.

If Sertras does not receive or is unable to obtain any information from the supplier and after 30 (thirty) days have passed since the beginning of the certification process, Sertras will finalize the analysis generating the supply risk score. This period is not mandatory and may be much shorter depending on what is requested by the purchasing company. As the service is valid for 12 months, the supplier will be able to send the requested documents updated and their evaluation will be redone.

Important: The risk rating that is presented to buyers may vary for each one as buyers can assign different weights to each document or information evaluated. Every supplier requested by a buyer will be evaluated and will be given a grade. Sertras cannot refuse to provide a service based on item II of article 39 of the Consumer Protection Code, which determines that “the supplier of products or services, among other abusive practices, is prohibited from: (...)II – refusing to meet the demands of consumers, to the exact extent of their stock availability, and also in accordance with the uses and customs;”. Thus, even if the supplier does not approve or contract a paid risk assessment plan or expressly indicate that its information is private and confidential, this service will be provided, but only with public information.

7 - Communication between the parties

ommunication between Sertrasand the Supplierwill be mostly by e-mail. However, telephone numbers are available so that the supplier can contact Sertras Paper documents will not be accepted.

Sertras is under no obligation to carry out field visits to the supplier. If this happens, it cannot be considered a rule or an obligation.

In the Sertras Catalog, the supply company will indicate at least one contact person with telephone and e-mail for registration. E-mails will be sent to this person and may contain the following information:

  • Request for additional information;
  • Request for additional documentation;
  • Request for information update;
  • Information collection deadline expiration reminders;
  • Certification expiration reminders;
  • Commercial information about the service (promotions, offers, among others);
  • Information on the entry of new buyers who view the supplier's information;
  • Any other information needed for the future relationship.

The supplier declares that it understands that all information will be sent by e-mail and that it is its responsibility to change the contact person, keep their information updated and verify the content of all e-mails.

It also authorizes Sertras to make telephone contacts with the contact person.

The supplier also indicates a contact person with a telephone and e-mail address for purchases and/or bids. This person's information will be made available as follows:

For purchasing companies: Access to complete information.

For public users: Only name, e-mail and phone number of the main business contact.

7.1.- LGPD in the communication between the parties

Considering that the main objective of every legal entity is to sell products or services, regardless of their mission or legal form, Sertras only requests contact details so that the supplier can fulfill this purpose.

Purchasing companies understand that a company that cannot be contacted does not exist.

Considering that every Brazilian company is subject to LGPD, the supply company declares that:

  1. Acts in accordance with Law 13.709/2018 (LGPD) controlling and protecting the personal data of individuals to which it has access for the development of its business;
  2. When submitting employee contact details for this service, it will always inform First and Last Name, business contact telephone and business e-mail. Never hand over its employees' private data, except when necessary to authenticate a user;
  3. The commercial contact data will be publicly available on the Setras website;
  4. It is the supplier's responsibility to keep all authorized data updated, informing any changes.

8 - Supply Company Obligations

  • Follow Sertras' guidelines on filling out the questionnaire and sending the information;
  • Check the questionnaires completed by Sertras and report any errors or omissions;
  • Do not make available documents that infringe local copyright or copyright law;
  • Send the complete documentation and at once. Avoiding shipments at different times unless explicitly requested by a Sertras employee;
  • Do not attempt to tamper or interfere with the functionality of Sertras' computer systems;
  • Keep its information in the Catalog updated throughout its term.

9 - Sertras' obligations

  • Respond to all supplier queries both in writing and over the phone;
  • Validate the information with the utmost care and professionalism, once all the documentation has been received and obtained;
  • Update information received and validated within a maximum period of 10 (ten) business days, provided that it is received in its entirety;
  • Only disclose the entirety of the information to the Purchasing Companies since they have signed the Confidentiality and Use Agreement of the Sertras Global Catalog of Companies Providing Materials and Services;
  • Delete the supplier's information from the Catalog within 10 (ten) business days from the express request of the supplier's legal representative in writing. Sertras may keep public and basic information in the catalog (Corporate Name, CNPJ, Telephone, Address, main activity). Sertras may also delete the entirety of the information if it deems it convenient.
  • If an individual is approved, their information can only be presented to purchasing companies and never on the public portal.

10 - Fees, Payments and Indemnities.

Sertras may maintain a free level for prospecting suppliers, however, in the case of prospecting, companies registered in this level have the last priority of being presented to purchasing companies.

The free service may be discontinued without notice. The supplier will not be obliged to pay, but Sertras will not be obliged to take any action on the free information.

Sertras' service can be paid directly by the supply company interested in certification or by a purchasing company interested in subsidizing the supplier's certification.

If a third party (purchasing company) wishes to subsidize the service, Sertras will contact the supplier and inform which company is subsidizing the service.

Sertras may obtain public information from the supplier at any time, but its information will only be made available in the catalog if the supplier sends the minimum information, which implies that it has accepted these terms and conditions in accordance with section 3 of this document.

The subsidy is valid for 1 (one) year and, if it wants to continue qualifying after this period, it must ask the purchasing company to renew the subsidy or pay directly for the new annuity. During the term of the subsidy, if the supplier receives any notice of collection from Sertras, it must be communicated to Sertras and ignored.

Field inspections, audits or other services provided by Sertras are not included in any catalog subsidy.

If a subsidized provider wants to be certified on a higher plan, it can do so by paying the difference between the plans.

When the service is subsidized, the information will only be presented to the purchasing company that made the subsidy. If the supplier wishes to present its information to another purchasing company, it must pay directly for its certification.

Sertras' different commercial plans, paid for by the supplier, are available and updated on its website http://www.sertras.com.

The annual fee will be adjusted annually in January of each year according to the IPCA variation or the indicator that better reflects the reality of the market, such as the union readjustment of Sertras workers. When the readjustment is informed, it will only govern for new contracts or renewals, and no retroactive effect can be applied to the supplier.

Sertras' service begins with the search for information on the CNPJ of the supplier company on public or private websites and carrying out the first risk assessment. This will happen when the supplier approves the contracting of the certification service or when the evaluation is requested by a buyer.

We will understand that the service has been approved and contracted when the authorization to issue the bank slip and/or Electronic Invoice is received by e-mail, or when payment for the service is identified. In compliance with article 49 of LAW No. 8078, OF SEPTEMBER 11, 1990 (Consumer Defense Code), the supplier company will have up to 7 (seven) calendar days from the contracting date to withdraw from the hiring.

The annual fee will preferably be paid in advance, but Sertras may agree with the supplier on a payment term that will necessarily be recorded in the Issued Invoice.

If Sertras starts the service only with the authorization and the supplier does not comply with the payment commitment, the supplier's CNPJ may be informed to the credit protection agencies and protested in a notary's office.

If the supplier does not send the documentation and additional information requested within the deadlines, Sertras will complete the process. This means that we will not continue to insist with recurring phone calls or e-mails for it to send the information. Sertras will send at least one expiration notice to the supplier's contact person.

Note 1: Purchasing companies may require the supplier to be certified or evaluated in a specific plan to transfer data to their internal systems or to invite the supplier to purchase and contracting processes.

Note 2: The certification or risk assessment does not oblige any purchasing company to hire any services and/or products from the supplier.

Note 3:Sertras is not responsible for the supplier selection criteria used by the purchasing companies. Accordingly, if the supplier refrains from sending any information that is not mandatory (for example: Quality certificate) and because of this is disqualified from some selection process, the supplier is solely responsible for this choice.

Sertras' liability is limited to the amount of the annual fee paid by the supplier. In case of failures in the validation process or in the availability of information under Sertras' responsibility (excludes responsibility for information purchased from third parties) Sertras may indemnify the supplier. The amount of compensation will be determined according to the severity of the error. For example, if the error was the name of the contact and this did not harm the supplier at all, there will be no compensation.

The Supplier is responsible for the veracity of the information delivered. If it is fraudulent and causes any damage to Sertras or any purchasing company, the Supplier will indemnify Sertras for the costs of losses, expenses, costs or damages in the form of joint and several liability.

Sertras may market other services within the Catalog, for example, inter-company advertising, highlights, commercial information services, among others. These other services will be subject to their own terms and conditions, and may have additional fees and different terms, but acceptance of these terms and conditions does not imply acceptance or contracting of other services.

IF THE SUPPLIER STARTS THE PROCESS AND DOES NOT SEND DOCUMENTS, IT WILL BE ANALYZED IN ANY WAY, THEREFORE, THE FAILURE TO SEND DOCUMENTS DOES NOT EXEMPT THE SUPPLIER FROM PAYMENT OF THE ANNUAL FEE.

The available payment methods are:

  • Bank slip
  • Bank transfer

11 - General Personal Data Protection Law - LGPD

The vast majority of the information requested and analyzed refers to the legal entity. The only information processed on individuals is the following:

11.1.- Information on partners, administrators, managers and people who will work in a purchasing company

For the people above, the following data may be requested:

  • CPF
  • Full name
  • Occupation
  • Phone
  • e-mail
  • Nationality
  • Service time

Data collection will be carried out through the Articles of Incorporation / Bylaws / Election Minutes / Individual Entrepreneur Request, sent by the supply company or filling out forms by the company itself.

The above data is required to search the individual in restrictive lists of corruption, money laundering or others available in Brazil and abroad. This data may be processed to comply with Law no. 12.846/2013, known as the anti-corruption law.

The data of the people at this point are processed confidentially, anonymizing the CPF following the format currently used by the Federal Revenue, only presenting the central six digits.

Due to its purpose, authorization from the data subject is not required to process it, but their fundamental rights are guaranteed.

11.2.- Contact person information for the correct business relationship

From these people, as mentioned in section 7.1, we only request the following data:

  • Name;
  • Surname;
  • business contact phone, and;
  • business email.

11.3.- Additional information that may be requested in the future

Bearing in mind that, on the date of adaptation of these terms and conditions, the LGPD, although in force, is not yet fully regulated, it may be possible that in the future it will be required to individualize users of our systems. If this happens, Sertras will modify its terms and conditions and will only request the information required to identify and individualize the user.

11.4.- Commitments in force since the beginning of Sertras

Sertras is committed to protecting the fundamental rights of freedom and privacy and the free development of the personality of the natural person, regarding the processing of personal data, including in digital media, ensuring that:

  1. In case of need to collect personal data essential for the provision of the service, this will be carried out upon prior approval of the terms and conditions. The data thus collected may only be used to perform the services specified in these terms and conditions;
  2. he processing of personal data will take place in accordance with the legal bases provided for in the hypotheses of Arts. 7 and/or 11 of Law 13.709/2018 to which the services will be submitted, and for legitimate, specific, explicit and informed purposes to the holder;
  3. The processing will be limited to the activities required to achieve the purposes of executing the agreement and the contracted service, using them, when applicable, in compliance with a legal or regulatory obligation;
  4. The requirement of consent in public documents collected in accordance with Art 7 paragraph 4 of Law 13,709/2018 is waived, keeping the rights of the holder and the principles provided for in the law.
  5. Observing the legitimate interest in maintaining personal data for the exercise of the right, we will keep the personal data subject to processing for a period of 5 years after the service is in force, respecting the statute of limitations set out in art. 27 of the Consumer Protection Code.

Terms and conditions are subject to change. Suppliers should visit the Sertras website (www.sertras.com) and verify these changes. If there are no objections within 5 (five) business days after the new terms are published, they will be considered accepted by the Supplier.

About LGPD

The new culture imposed by the law has a major impact on business activity, requiring operational adjustments in data processing, so that privacy and transparency go hand in hand. As a result, through this portal we want to obtain a transparent relationship from the beginning with our holders.

What is the General Data Protection Law and to whom does it apply?

The General Data Protection Law - LGPD (Law No. 13.709, of 2018) provides for the processing of personal data of natural persons, defining the cases in which such data can legitimately be used by third parties and establishing mechanisms to protect data subjects against inappropriate uses.

The Law is applicable to the processing of data carried out by natural persons or legal entities governed by public or private law, and aims to protect the fundamental rights of freedom and privacy and the free development of the personality of the natural person.

It is defined as data processing, according to Art 5: Any operation carried out with personal data, such as that referring to collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, elimination, evaluation or control of information, modification, communication, transfer, diffusion or extraction.

The LGPD encompasses all those who process personal data, regardless of the medium, the country of headquarters or the country where the data is located, provided that the processings are carried out in national territory.

What are the treatment agents?

Controller –natural person or legal entity, governed by public or private law, who is responsible for decisions regarding the processing of personal data;

Operator – natural person or legal entity, governed by public or private law, who processes personal data on behalf of the controller.

What is the data officer and what is their role?

Person appointed by the controller and operator to act as a communication channel between the controller, data subjects and the National Data Protection Authority (ANPD).

What is Personal Data?

Any information that could lead to the identification of an individual Eg. (full name, CPF number, RG, address, telephone, among others).

And Sensitive Personal Data?

Information that can be used to embarrass, discriminate against the holder. Eg. (political opinion, religious conviction, genetic data, health data, among others).

Who is the Data Subject?

Identified or identifiable natural person to whom the personal data being processed refers.

What is the owner service process?

The data subject may request assistance to exercise their rights through the LGPD Portal present on this website in the request party where they will have access to all the rights that can be exercised. The entire service process will be conducted by the data manager via the e-mail lgpd@sertras.com.br, following the flow defined in Sertras' procedures.

Before submitting any information to Sertras, it must ensure the identity of the requestor. For this, it performs authentication through a specific security procedure, in order to prove the identity of the requestor.

How will it be made available?

Confirmation of existence will be provided, upon request of the holder in simplified format, within a period of up to 24 hours from the request, the other rights will be met after authentication of the requestor and will have a period of up to fifteen days from the request, as provided for in article 19 of the LGPD. The information and data will be provided, at the discretion of the holder, by electronic, secure and suitable for this purpose or in printed form.

Some benefits we get from being LGPD compliant

customer relationship

Through our adopted measures, we transmit to our customer a greater level of confidence with regard to the privacy and security of its data, it is our duty to always seek improvements and adopt best practices regarding data processing.


Process control

With perfect adequacy, we were able to obtain greater control over the processes present in the company that perform data processing, seeking improvements and perfect compliance.


Security

Perfect adequacy involves the adoption of appropriate administrative and technical measures to protect the personal data of the holders, in all the company's processes we have the guarantee that the data processing follows all the principles of good faith provided for in the LGPD.


Organizational culture

The adoption and awareness of data protection generates a more solid organizational culture within the company, we are constantly looking for process improvements, always aiming at compliance with data treatment and respect for data subjects.