TESK Advogados is committed to protecting the personal data processed,
ensuring respect for the principles of legality, purpose, necessity,
adequacy, security, and prevention. The implementation of technical and
administrative measures guarantees protection against unauthorized access, information
leakage, and other incidents.
2. Objective and Scope
This Information Security Policy aims to ensure the integrity, confidentiality, and
availability of the data processed by TESK Advogados, in compliance with the
General Data Protection Law (LGPD - Law No. 13.709/2018) and other applicable legislation.
It is intended for all partners, associate lawyers, employees, clients, service
providers, and third parties who relate to the Firm directly or indirectly.
3. Fundamental Concepts
For the purposes of this Information Security Policy, the following
concepts will be adopted:
3.1. Anonymization: Use of technical means so that a piece of data loses the possibility
of association with an individual;
3.2. National Data Protection Authority (ANPD): Body responsible for
monitoring compliance with the LGPD;
3.3. Database: structured set of personal data, established in
one or several locations, in electronic or physical support;
3.4. Blocking: temporary suspension of any processing operation,
through the storage of the personal data or the database;
3.5. Consent: free, informed, and unequivocal manifestation by which the data subject
agrees to the processing of their personal data for a determined
purpose;
3.6. Controller: Person or company that decides on the processing of data;
3.7. Anonymized data: Data that cannot be associated with an individual;
3.8. Personal Data: Information related to an identified or
identifiable natural person;
3.9. Sensitive Data: Personal data about racial or religious origin, health, sexual life,
among others;
3.10. Deletion: exclusion of data or a set of data stored in a
database, regardless of the procedure employed;
3.11. Data Protection Officer (Encarregado): Person appointed to act as a communication channel between the
controller, data subjects, and the ANPD;
3.12. LGPD: General Data Protection Law – Law No. 13.709/2018;
3.13. Processor (Operador): Person or company that performs the processing of data on behalf
of the controller;
3.14. Data protection impact assessment: controller's documentation
containing the description of the personal data processing processes
that may generate risks to civil liberties and fundamental rights,
as well as measures, safeguards, and risk mitigation mechanisms;
3.15. Personal data subject: Natural person to whom the processed data
refers;
3.16. International data transfer: transfer of personal data to a
foreign country or international body of which the country is a member;
3.17. Processing: every operation performed with personal data, such as those
referring to collection, production, reception, classification, use, access,
reproduction, transmission, distribution, processing, filing,
storage, deletion, evaluation or control of information,
modification, communication, transfer, dissemination, or extraction;
3.18. Shared use of data: communication, dissemination, international
transfer, interconnection of personal data, or shared processing
of personal databases by public bodies and entities in the fulfillment
of their legal competencies, or between these and private entities, reciprocally,
with specific authorization, for one or more modalities of processing
permitted by these public entities, or between private entities;
4. Rights of Data Subjects (clients, employees, contractors, and suppliers)
Under the terms of the LGPD, the following are rights of the data subjects:
4.1. facilitated access to information regarding the processing of their data, which
must be made available in a clear, adequate, and conspicuous manner;
4.2. confirmation of the existence of processing;
4.3. access to the data;
4.4. correction of incomplete, inaccurate, or outdated data;
4.5. anonymization, blocking, or deletion of unnecessary, excessive data,
or data processed in non-compliance with the provisions of the LGPD;
4.6. data portability to another service or product provider, upon
express request, in accordance with the regulation of the national
authority, observing commercial and industrial secrets;
4.7. deletion of personal data processed with the consent of the subject,
except in the hypotheses provided for in art. 16 of the LGPD;
4.8. information about public and private entities with which the controller
has shared data use;
4.9. information about the possibility of not providing consent and about the
consequences of refusal;
4.10. revocation of consent, by express manifestation of the subject,
through a free and facilitated procedure;
4.11. right to petition regarding their data against the controller, before the
ANPD and before consumer protection agencies;
4.12. opposition to processing carried out based on one of the hypotheses of
consent waiver, in case of non-compliance with the provisions of the
LGPD;
4.13. request for review of decisions taken solely based on
automated processing of personal data that affect their interests,
including decisions intended to define their personal, professional,
consumer, and credit profile or aspects of their personality;
4.14. provision, upon request, of clear and adequate information
regarding the criteria and procedures used for the automated
decision, observing commercial and industrial secrets.
5. Retention Period
For the purposes of this Information Security Policy, the following
data retention periods will be adopted:
5.1. Suppliers and service providers: documents must be
stored for 10 years (partnerships) and 05 years (consumption) from the date of
termination of the contractual bond (Art. 205, CC – general term; Art. 27, CDC –
specific term for consumer relations);
5.2. Labor Law: documents inherent to employees and service providers
must be retained and stored for 2 (two) years from the
termination of the employment contract, considering the last 5 (five) years of
hiring (information provided to the Ministry of Economy, INSS, Caixa
Econômica Federal, CAGED, RAIS, e-Social), with the exception of FGTS deposits
(30 years) and payment of social security contributions (10 years);
5.3. Tax Law: up to 5 (five) years, counted from the constitution of the debt
(National Tax Code – article 173, I). Example: Income Tax Return,
IPTU, IPVA;
5.4. Criminal Law: must be calculated based on the penalties for the crimes. For
example, for a crime with a penalty above 2 years and below 4 years, the
statute of limitations occurs in 8 years;
5.5. Civil Law: documents must be retained in accordance with
articles 205 and 206 of the Civil Code, observing the nature of the object of the action;
5.6. Social Security Law: storage is provided for a period of 10 (ten) years, which
applies to the payroll, the family allowance receipt and record,
medical certificates relating to leave and disability, or the
social security contribution payment slip;
5.7. Clients - litigation: retention period of 05 (five) years from the conclusion
6. Data Sharing with Third Parties
TESK Advogados does not sell the processed personal data under any circumstances. However,
it may be shared securely and only for the necessary purposes, with:
6.1. Companies involved in the service contracting process;
6.2. Companies responsible for providing benefits, including health
insurance, life insurance, and private pension plans;
6.3. Educational entities and providers dedicated to professional
development and corporate education;
6.4. National or international partner firms involved in the area of
operation of TESK Advogados;
6.5. Institutions specialized in independent research and legal analysis for
publications;
6.6. Financial institutions used for the provision of banking services;
6.7. Data processors who perform the processing of personal information
following the guidelines established by the organization, such as:
technology service providers; marketing companies and agencies
organizing institutional events; service providers specialized in
internal and external communication; data and document management and
storage companies.
6.8. Public bodies, judicial and extrajudicial authorities, governmental
entities, competent regulatory or tax agencies, before which the
organization must comply with legal or regulatory obligations, as
required by applicable legislation;
6.9. Potential buyers or sellers and their consultants in corporate
transactions such as mergers and acquisitions, asset sales, or for
conducting due diligence, always observing the due obligations of
confidentiality and protection of personal data;
7. International Data Transfer
TESK Advogados may perform the international transfer of data under the following
conditions:
7.1. to countries or international organizations that provide a degree of
personal data protection adequate to the LGPD;
7.2. when the controller offers and proves guarantees of compliance with the
principles, the rights of the data subject, and the data protection regime provided
for in the LGPD, in the form of: a) specific contractual clauses for a given
transfer; b) standard contractual clauses; c) binding corporate
rules; d) seals, certificates, and codes of conduct regularly issued;
8. Personal Data Protection and Information Security Measures
TESK Advogados adopts all administrative and legal measures to ensure that
personal information is protected against unauthorized access or violations, such
as, but not limited to:
8.1. Limited and controlled access: only specific and authorized persons
are permitted to access personal information, and only when
essential for the execution of related activities;
8.2. Professional secrecy: all employees who have access to personal
information are required to maintain total confidentiality regarding it;
8.3. Secure storage: the processed data is stored on own or contracted
servers, with rigorous controls to ensure the integrity
and security of the information, such as access controls, backup and
data recovery, VPNs, firewalls, and antivirus;
8.4. Data encryption: we use advanced software to encrypt the
collected information, ensuring that it remains protected throughout
the entire storage and transmission process;
8.5. Commitment to legislation: we strictly follow the principles
established by applicable legislation, including proper storage
and deletion of data when requested by the data subject;
8.6. Transparency to the data subject: the data subject has the right to access all their
stored information, ensuring total transparency on how their
data is processed;
8.7. Governance: we adopt personal data management and governance
tools for information mapping, measuring the organization's
degree of maturity in accordance with the LGPD;
8.8. Training: we conduct regular training for our team and
implement internal security policies, aligned with best
governance practices;
8.9. Sanctions for violations: in case of non-compliance with this Privacy
and Information Security Policy, we apply administrative,
disciplinary, and legal sanctions to employees or third parties who
misuse information and personal data.
9. Final Provisions
9.1. TESK Advogados reserves the right to modify this Information
Security Policy at any time, aiming to improve data protection and
meet legal requirements. We recommend that you periodically consult
this page to stay informed about any changes;
9.2. This Information Security Policy will be reviewed every 2 (two) years
or whenever necessary, following internal approval processes.
Any updates will be duly communicated and made available on the
TESK Advogados website.
10. Contact for further information
To exercise your rights or clarify doubts about this Information Security Policy,
please contact us at the email: contato@teskadvogados.com.br
Our goal is to respond to all requests within a reasonable timeframe, according to
technical and operational feasibility.
TESK Advogados 555 Alameda Doutor Carlos de Carvalho, Suite 94 Centro Curitiba Parana Brazil Tel. +55 41 3503 2401 contato@teskadvogados.com.br ouvidoria@teskadvogados.com.br www.teskadvogados.com.br