1. INTRODUCTION

The Brazilian Center for Research in Energy and Materials (CNPEM), registered under corporate tax ID (CNPJ) number 01.576.817/0001-75, is a social organization overseen by the Ministry of Science, Technology and Innovation (MCTI), and is responsible for managing the Brazilian Synchrotron Light National Laboratory (LNLS), Brazilian Biosciences National Laboratory (LNBio), Brazilian Biorenewables National Laboratory (LNBR), and Brazilian Nanotechnology National Laboratory (LNNano).

This Policy on Privacy and Personal Data Protection (“Policy”) is intended to help data subjects understand how the personal data they provide are collected, stored, and protected, and assist them in decision-making about browsing the CNPEM’s websites.

For more information or for questions related to the Privacy Policy and Program, please email us at lgpd@cnpem.br (available on all CNPEM sites).

2. GUIDING PRINCIPLES

The CNPEM is committed to ensuring and preserving the safety of the personal data of data subjects, as well as handling such data in accordance with current legislation, most notably the Brazilian Personal Data Protection Law (LGPD), Law 13.709 of 2018.

The institutional procedures adopted by the CNPEM are based on full protection of the rights of data subjects, notably the fundamental rights of liberty and privacy and full individual development. Similarly, all practices at the CNPEM are built upon the principles of finality, adaptation, need, free access, data quality, transparency, security, prevention, non-discrimination, responsibility, and accountability.

When the LGPD took effect, the CNPEM revised and updated its Policy as well as its professional routine and internal procedures to ensure that the services provided comply with legal requirements as well as organizational best practices.

3. DEFINITIONS

For the purposes of this Policy, the terms used are defined as follows:

  • Personal data: information related to an identified or identifiable individual.
  • Sensitive personal data: personal data about race or ethnicity, religious beliefs, political opinions, union membership, religious, philosophical, or political affiliations, data related to health or sexuality, genetic data, or biometric data, when linked to an individual.
  • Anonymization: use of reasonable technical resources available when data are handled that make it impossible to directly or indirectly associate such data with an individual; under these circumstances, anonymization is irreversible.
  • Anonymized data: data related to a data subject who cannot be directly or indirectly identified using reasonable technical resources available when the data are handled.
  • Pseudonymization: the process by which personal data are no longer directly linked to an identifiable person but are not completely anonymous since the individual can be identified if supplementary data (maintained separately) about the individual are analyzed.
  • Handling: all operations involving personal data, referring to collection, production, receiving, classification, utilization, access, reproduction, transmission, distribution, processing, archival, storage, elimination, evaluation, or control of information, modification, communication, transfer, dissemination, or extraction.
    Data subject: the individual to whom all handled personal data are related.
  • Data users: employees of any area of the CNPEM or outsourced staff assigned to provide services to the CNPEM, regardless of the contractual regime, as well as other individuals or organizations duly authorized to handle personal data on behalf of the CNPEM as part of their professional activities.
  • Data controller: legal entity that determines the purposes and means of handling personal data.
  • Data operator: legal entity that processes personal data on behalf of the data controller.
  • Data protection officer (DPO): person appointed by the data controller and operator to act as a channel of communication between the controller, data subjects, and the Brazilian National Data Protection Authority (ANPD).
  • Brazilian Personal Data Protection Law (LGPD): Law 13.709 of August 14, 2018 is a Brazilian regulation that has been in force since September 18, 2020.
  • Brazilian National Data Protection Authority (ANPD): the public agency responsible for implementing and ensuring and monitoring compliance with the Brazilian Personal Data Protection Law throughout the country.
  • Valid consent: free, informed, and unequivocal agreement by the data subject to the handling of their personal data for a specific purpose.

4. APPLICABILITY

This policy applies to all employees, potential employees, assigned public servants, interns, apprentices, collaborating researchers, students, volunteers, facility users, advisers, consultants, visitors, and outsourced service providers, as well as any other data subjects who provide their data in order to participate in events, symposia, seminars, or courses held by the CNPEM, and any other activities that require the use of personal data.

5. PERSONAL DATA COLLECTED AND HANDLED BY THE CNPEM

The CNPEM collects data from data subjects through forms on its websites, applications, institutional email, and through interactions on the Center’s social media profiles. To submit a research proposal, request for travel assistance, or to register for events, symposia, or courses held by the CNPEM, data such as the following are collected: full name, Brazilian individual tax ID (CPF), state ID (RG), home address, telephone, email address, level of education, age, sex, country, funding agency, Lattes profile, research group, and nationality and passport number (if the data subject is not Brazilian). For specific events, the CNPEM may collect sensitive data related to race, but only with the valid consent of the data subject.

Personal data from staff, assigned public servants, interns, apprentices, collaborating researchers, advisers, and outsourced service providers may be collected via direct contact between the data subject and the areas within the CNPEM, as well as via public portals and mediation between specialized companies.

The data collected may include: full name, email address, home address, telephone number, Brazilian individual tax ID (CPF), state ID (RG), parents’ names, marriage certificate data, academic and work history, date of birth, marital status, nationality, place of birth, governmental data, signature, military service status, drivers’ license data, race, health information, professional registration (labor associations), biometric data, and bank data.

Personal data may be handled for the following purposes:

  • To fulfill legal obligations.
  • To carry out contractual obligations.
  • To schedule the use of equipment in the CNPEM’s laboratories.
  • To generate participation indicators for scientific events at the CNPEM.
  • To issue certificates to participants in CNPEM events.
  • To generate indicators on publication of scientific articles.
  • To control access to CNPEM facilities.
  • To conduct scientific research involving patient samples.
  • To promote diversity policies.
  • To register intellectual property ownership.
  • To make processes more effective and efficient.
  • To send data subjects information that they previously agreed to receive on topics that the CNPEM deems of interest.
  • To meet demands from data subjects.
  • To lend books.
  • For other purposes; in these cases, a specific statement will be provided at the time that data are collected, or as required under Brazilian law.

If the data subject is on our mailing list because he or she registered on our website, social media profiles, by email, or via other routes, he or she may receive emails that may include promotion of scientific events, calls for research proposals, hours of laboratory operation, etc. To stop receiving such communications, details, and instructions are included at the bottom of all emails, or users can contact us by email at lgpd@cnpem.br.

6. PERSONAL DATA FROM MINORS COLLECTED AND HANDLED BY THE CNPEM

The CNPEM can handle data for minors under 18 years of age when consent is explicitly and clearly provided by the guardian, as determined in the Brazilian Personal Data Protection Law (13.709/2018) in order to contract interns, provide benefits to staff dependents and visitors to the CNPEM.

The CNPEM site currently does not collect or request information from data subjects under eighteen years of age. But because of the anonymous nature of the Internet, data users under eighteen years of age may access the Center’s site and provide personal information. If such a situation occurs and comes to the attention of the CNPEM, the data will not be used under any circumstances without previous consent by the child’s guardian, and all reasonable measures will be taken to avoid recurrence.

7. LEGAL FOUNDATIONS APPLIED IN HANDLING PERSONAL DATA

We process data subjects’ personal data based on the following legal foundations established in the Brazilian Personal Data Protection Law (13.709 of 2018):

  • Consent: we may process your data based on your consent. In these cases, you may withdraw your data at any time without affecting the legality of previous processing. Providing your consent is voluntary.
  • Contract execution: we may process your personal data in order to fulfill or carry out our contractual obligations or to take measures requested by a principal prior to signing a contract.
  • Regular exercise of rights: your data may be used in legal disputes (for example, in the civil, consultative, or labor spheres).
  • Legitimate interest: we may process your personal data as needed for our own legitimate interest. In such cases, we ensure that your interests are not overshadowed by our legitimate interests.
  • Legal obligations: we may handle your personal data as needed to comply with relevant legislation, regulatory requirements, and to respond to judicial requests, court orders, and legal processes.
  • For studies by research organizations, to ensure anonymization of sensitive personal data whenever possible.
  • To protect the life or physical safety of the data subject or third parties.
  • To ensure fraud prevention and safety to the data subject in processes to identify and authenticate registrations in electronic systems, safeguarding the rights mentioned in Article 9 of this Law, except for in cases where the fundamental rights and liberties of the data subject that demand protection of personal data prevail.

8. RIGHTS OF DATA SUBJECTS

The Brazilian Personal Data Protection Law establishes guidelines on the rights of data subjects, who can exercise their rights by emailing a formal request to lgpd@cnpem.br.

The CNPEM will have 15 days to respond to requests from data subjects after verifying the identity of the data subject. Requests will be analyzed as determined according to the Brazilian Personal Data Protection Law.

Data subjects have the following rights with regard to their personal data:

  • The right to information about how the CNPEM accesses their personal data.
  • The right to anonymize, block, or delete unnecessary or excessive data or data that are not in compliance with the Brazilian Personal
  • Data Protection Law.
  • The right to confirmation that data is handled.
  • The right to correct incomplete, incorrect, or outdated data.
  • The right to oppose incorrect data handling.
  • The right to delete data handled without the consent of the data subject.
  • The right to information about not providing consent.
  • The right to information about entities that shared data use with the data controller.
  • The right to move data to other providers of services or products (portability).
  • The right to automatically rescind decisions.
  • The right to revoke consent.

Note that we may not be able to meet some requests if the data handling activity in question involves legal requirements, such as:

  • Compliance with a legal or regulatory obligation by the data controller.
  • Regular exercise of rights in a legal, administrative, or arbitration process.
  • The existence of a valid contract.
  • If the law establishes minimum terms for data retention.

However, the data subject shall be informed if the request cannot be met, along with the legal motive related to the data handling activity.

9. SHARING OF DATA WITH THIRD PARTIES

The CNPEM may share data subjects’ personal data with third parties that assist the institution in providing services, products, and benefits, as well as with administering operations and legal counsel. Third parties involved in CNPEM activities receive instruction in data handling and ensuring data safety, in accordance with the Brazilian Personal Data Protection Law. As a result, other third parties may potentially have access to this data, such as external auditors, public agencies, or official authorities, in order to carry out legal obligations.

10. TIME PERSONAL DATA ARE RETAINED

Personal data from data subjects that are handled by the CNPEM shall be stored for the time needed to complete the task for which they were collected. We may retain personal data for more time if they are the subject of a legal process or otherwise relevant to future litigation, as well as internal investigations or compliance with legal obligations.

11. COOKIES

Cookies are used to observe the habits of users who visit websites and internet portals, making it possible to remember settings, analyze audiences, and show personalized ads. Cookies make it easier to analyze web traffic and/or show when a specific site is visited, ensuring that the data subject’s browser preferences are recorded.

It is important to note that the CNPEM cannot use cookies to access other data stored on the data subject’s device. Cookies cannot upload any types of codes or carry viruses or malware, and thus cannot damage the data subject’s device or terminal.

Data subjects can manage their cookie preferences in their browser when navigating the web. To learn more, access the instructions for enabling or disabling cookies on your internet browser.

12. INFORMATION SECURITY

The CNPEM adopts reasonable measures to protect all the personal data provided by its employees, potential employees, assigned public servants, interns, apprentices, collaborating researchers, students, volunteers, facility users, advisers, consultants, visitors, and outsourced service providers, as well as any other data subjects who provide their data in order to participate in events, symposia, seminars, or courses held by the CNPEM.
The Center implements appropriate policies for collecting, storing, and processing data, as well as security mechanisms to protect against unauthorized access, alteration, dissemination, or destruction of data subjects’ data.

The CNPEM ensures that the protection of data subjects’ personal data is a priority, and if incidents do occur, all measures necessary will be adopted to minimize potential damage, as established in the Center’s internal incident management procedure. Furthermore, the Brazilian National Data Protection Authority (ANPD) and involved data subjects will be informed of any potential incidents, as determined in the Brazilian Personal Data Protection Law.

13. CONTACTING THE BRAZILIAN CENTER FOR RESEARCH IN ENERGY AND MATERIALS

If you have any questions about this Privacy Policy or any requests related to your personal data, please contact the CNPEM’s Data Protection Officer via email at lgpd@cnpem.br.

14. UPDATES TO THE PRIVACY POLICY

The CNPEM may update this Privacy Policy to better meet the needs of our data subjects or better comply with new technologies and organizational practices. As such, we reserve the right to amend this document at any time, without notice. For this reason, we encourage data subjects to periodically return to this Privacy Policy to verify any changes.

15. REVISIONS

This Policy is revised when necessary when there are relevant changes at the CNPEM or according to the understanding of the Data Protection Officer.

Approved by the CNPEM Board of Directors on November 25, 2021.