Privacy Policy
1. Initial Information
This Privacy Notice applies to the company Eiwa, which we will hereafter refer to simply as EIWA.
EIWA, aiming to act with transparency towards its customers, suppliers, employees, and the market in general, is committed to the best global privacy practices, and for that reason, it has been adopting, as we will see below, measures to ensure compliance with the Brazilian Data Protection Law (in Portuguese, “LGPD”).
This Notice will help you to, initially, understand the main concepts of the law, such as “personal data”, “sensitive personal data”, “data processing” and “international data transfer”, amongst others.
In addition, this Notice will help you understand:
- How does EIWA work;
- What are the main definitions of the Brazilian Data Protection Law (LGPD) and other concepts relevant to the understanding of this Notice;
- What data does EIWA collect;
- How EIWA processes your personal data;
- How your personal data is used (for what purpose);
- What is the legal basis for this treatment;
- What are your rights (as data subjects);
- If EIWA uses cookies on its website;
- How is your data shared (and, if that is the case, whether there is an “international data transfer” happening);
- What are the measures adopted by EIWA to ensure the security and integrity of your personal data; and finally,
- How to contact EIWA in case of any concerns related to the protection of personal data.
We kindly ask you to read this Notice carefully and, in case of doubt, contact us through email: Info@eiwa.ag.
It is important to keep in mind that this Privacy Notice does not cover third party websites/applications, only the EIWA platform and application.
Remember that you accept the terms of this Notice when you start using our platform/application, thus tacitly agreeing to the use of your “personal data” (a concept that we will see below).
If you do not agree with the terms of this Notice, we kindly ask you to contact us before using our services, so that we can better serve you.
2. Main definitions of the Brazilian Data Protection Law (LGPD) and other concepts relevant to the understanding of this Notice
The main concepts mentioned throughout this Privacy Notice are listed in alphabetical order:
Anonymization, according to the Brazilian General Data Protection Law (article 5, item III, of the law): the anonymized data, according to the law, is the “data related to the data subject that cannot be identified, considering the use of reasonable technical means available at the time of its treatment”.
Business Intelligence (“BI”): at EIWA, the raw data entered on the platform by its subscribers is used to extract information and insights that benefit all subscribers in the making of important decisions regarding agribusiness.
Controller, according to the Brazilian Data Protection Law (art. 5, item VI, of the law): is the “natural or legal person, of public or private law, who is responsible for decisions regarding the processing of personal data”.
Cookies: cookies are nothing more than pieces of code that give a website some sort of “short-term memory”, allowing it to remember small pieces of your browsing information, such as your login information and browsing preferences, for example, in order to provide you with a more personalized experience.
Data Analytics: consists in the applied use of data, analysis and systematic reasoning to ensure a much more efficient decision-making process. It is considered a segment of BI.
Data Processing, according to the Brazilian Data Protection Law (art. 5, item X, of the law): is “any operation carried out with personal data, such as those referring to collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction”. That is, the entire path that the data goes through, end to end, thus, from the moment that it is collected to the moment it is deleted.
Data Sharing (“Data Share”): the customer easily receives and shares market insights through BI dashboards (visual dashboards that contain information, metrics and indicators). According to art. 5, item XVI, of the law, data share is the “communication, dissemination, international transfer, interconnection of personal data or shared treatment of personal data banks by public bodies and entities in the fulfillment of their legal competences, or between these entities and private entities, reciprocally, with specific authorization, for one or more treatment modalities permitted by these public entities, or between private entities”.
Drones: drones are nothing more than unmanned aircraft, of various sizes, which initially had military uses, but nowadays have a very wide range of uses, such as, in case of EIWA, capturing videos and photos of the farming fields, of the planting and harvesting phases, of land, etc.
International Data Transfer, according to the Brazilian Data Protection Law (article 5, item XV, of the law): “transfer of personal data to a foreign country or international organization of which the country is a member”, such as a datacenter located outside of Brazil (which is nothing more than a centralized physical facility, where corporate computers, the network, storage and other IT equipment that support business operations are located), as is the case of EIWA, whose datacenters used for data storage (AWS Amazon and Bizneo RH) are located, respectively, in Argentina and in Spain.
Owner (article 5, item V, of the law): “individual to whom the personal data subject to processing refer to”. In other words, business and/or legal entities data are not covered by this law.
Personal Data, according to the Brazilian Data Protection Law (article 5, item I, of the law): according to the Brazilian law, personal data is every single piece of “information related to an identified or identifiable natural person”. Translating: it is all the information capable of identifying you, ranging from name and “CPF” (the Brazilian Individual Taxpayer Registration Number), which makes it possible to identify you immediately, to indirect information, such as a computer's IP (which is nothing more than a kind of "address" of your computer, capable of identifying your machine, and which indirectly can lead to you) or even a car license plate (same principle).
Sensitive Personal Data, according to the Brazilian Data Protection Law (article 5, item II, of the law): “personal data about racial or ethnic origin, religious conviction, political opinion, affiliation to a union or organization of a religious, philosophical or political nature, data concerning health or sexual life, genetic or biometric data, when linked to a natural person”. That is: they are more sensitive data, which by their very nature deserve greater care by the law.
Upload: act of transmitting data from one computer system to another (which in the case of EIWA is cloud storage, which basically consists of a technology that allows users and companies to store, maintain and access data on high availability servers via the internet) over a network.
3. What data does EIWA collect and how does EIWA process your personal data?
As we have already discussed, according to the Brazilian Data Protection Law, personal data is all data linked to an identified or identifiable individual, whether it is capable of identification by direct or indirect means.
At EIWA, the data that users of the platform input, whether via the website or via the EIWA application, are merely business data (harvesting, planting, feasibility studies, and so forth), and may even constitute business secrets, but are never considered personal data, under the terms established by the Brazilian law.
Likewise, in Salesforce CRM, EIWA only stores public data, collected from online LinkedIn browsing, news sites, etc., all data from a public source, which is not considered personal data.
The only personal data that EIWA stores are, therefore:
- Its customers' personal data (restricted to the minimum possible, name and email only, which is the only information necessary to enable access to the platform), that are stored in the Amazon “AWS” cloud, a reference in the data protection security sector;
- The personal data of candidates from selection processes opened by EIWA and also the personal data from all EIWA employees, which are stored on the Bizneo platform (whose datacenter is located in Spain), which periodically audits its data protection and cybersecurity processes, in order to guarantee constant compliance with the Brazilian Data Protection Law.
Still talking about employee data, storage is carried out in compliance with the law of each of the 3 countries in which EIWA operates. In Brazil, the law requires adherence to the so-called “eSocial”, an online platform from the Brazilian government that unified the delivery of 15 labor law obligations, which must be informed, through digital means, to the government.
This means that the company is obliged, by law, to collect a series of personal data from its employees, which must be sent to the government via eSocial. In this case, the requirement of consent is waived, applying the treatment hypothesis of art. 7, item II, of the Brazilian Data Protection Law, which deals with “compliance with a legal or regulatory obligation by the controller”, as we will see later on.
Then you may ask yourself: how do we treat your personal data and how and where do we collect it?
Basically, your personal data (name and e-mail for the customer, and also username and password if the customer uses the application, the username being the data subject's own e-mail address; various sensitive information for those who are candidates in recruitment processes; as well as labor and other information required by law for current EIWA employees) are collected as follows:
- Through WhatsApp conversations (which as we know is encrypted and difficult to hack), when the EIWA employee ONLY collects the name and email of the prospect or customer, with the other data being merely commercial data. These personal data (name and email) are stored in the cloud, on the Amazon AWS platform;
- Via email, if you contact one of our employees to request a quote and, of course, reveal your name and email. These personal data (name and email) are stored on the Amazon AWS platform;
- By email, in the case of new employees, whose data and documents required by law are stored on the Bizneo platform;
- By email, in case of candidates in recruitment processes (whose job advertisements are made through LinkedIn), which also have their personal information entered on the Bizneo platform;
- Through our application (“EIWA Scout”), in which a username (which is the individual's own email) and password are collected, and later stored on the platform Amazon AWS;
- Via e-mail, text messages and other electronic messages, that result in interactions caused by communications sent by EIWA (the so-called “email marketing”), which follows an “opt-out” model, which means that a prospect or an EIWA customer may request to be unsubscribed from the company's mailing list at any time.
Amazon AWS cloud is so secure that it even offers the so-called IAM (Identity and Access Management), which is nothing more than a cutting-edge tool that allows you to securely manage access to services and sources that are out there.
4. How is your personal data used (for what purpose) and what is the legal basis for this treatment?
The personal data listed above are basically used for two purposes:
- Commercial contact with customers (in which only name and email address are collected, and, in the application, user – which is the email itself – and password), all stored in a secure cloud;
- Recruitment and selection and hiring of new employees, whose data is also stored on a secure platform.
The legal basis for the first purpose (commercial contact with customers) is in art. 7, item V, of the law, which allows processing “when necessary to the performance of a contract or preliminary procedures related to a contract to which the data subject is a party, at the request of the data subject”.
The second purpose is based on the same article 7, item V, of the law, since a) recruitment is nothing more than a pre-contract, a meeting of wills, in which the data subject authorizes the treatment aiming to participate in the recruitment process, and b) the relationship between EIWA and its employees is also a meeting of wills, a true “employment contract”.
Of course, in the case of new hires, the purpose is also found in art. 7, item II, of the law, which authorizes treatment without consent “for the fulfillment of a legal or regulatory obligation by the controller”, exactly the case of eSocial, as explained above.
Therefore, both purposes waive consent, as provided in art. 7, item I, of the law.
5. What are your rights as holders of personal data?
Your rights, as the holder of personal data, are listed in arts. 9 and 18 of the law. Let's deal with them separately.
According to art. 9 of the law, basically you have the right to easy access to information about the processing of your data, which must be made available in a clear, adequate and ostensible way, including information about:
- The specific purpose of the processing;
- Its form and duration (commercial and industrial secrecy observed);
- The controller’s ID;
- The controller's contact information;
- Information regarding the (possible) shared use of the data by the controller and its purpose;
- The responsibilities of the agents who carry out the treatment; and
- The other rights of the holder provided for in art. 18 of the law.
Art. 18 of the law lists what, exactly, the data owner is entitled to request from the controller:
- Confirmation by EIWA of the existence of the processing of personal data;
- Access to data, to be provided by EIWA;
- The correction of incomplete, inaccurate or outdated data, upon direct request to EIWA;
- The anonymization, blocking or deletion of data considered unnecessary, excessive, or in breach of the law, to be requested from EIWA;
- Data portability to another service or product provider, subject to conditions and express request to EIWA;
- The elimination of personal data that have been obtained with the consent of the owner, which, as we already discussed, is not the case of EIWA (which does not collect personal data on the basis of consent provided for in article 7, item I, of the law), subject to conditions;
- Information from public and private entities with which EIWA has shared data use;
- Information about the possibility of not providing consent and its consequences, which again do not apply to EIWA;
- The revocation of consent, which again does not apply to EIWA.
6. Does EIWA use “cookies” on its website?
Yes, EIWA does use “session cookies” and “first-party cookies” on its website.
A session cookie is basically a cookie that allows the browser to “re-identify” itself to the unique and exclusive server on which the client had previously authenticated itself. This is the classic example of a shopping cart made on a website, where you close the website, and when you return to the same website, your “shopping cart” is still there. It is an essential feature for the proper functioning of the EIWA website, which you can waive, knowing that it will harm or even make the usability of the website unfeasible.
First-party cookies, in turn, are very similar to session cookies, since they are created by the EIWA website itself in order to collect information about you, such as your username, passwords, language preference, payment method, and (possible) products in a shopping cart. It is an essential feature for the proper functioning of the EIWA website, which you can waive, knowing that it will harm or even make the usability of the website unfeasible.
7. How is data stored at EIWA?
As already mentioned, all customer personal data, which is limited to name and email (and in the application, the user - which is the email itself - and password), are stored in the Amazon AWS cloud, a reference in security and data protection.
Candidate data in recruitment processes and employee data, on the other hand, are stored on the Bizneo platform, a Human Resources software that is a global reference in terms of safety and quality.
This is the only personal data stored by EIWA, since a) the data included in the Salesforce CRM is only public data, as mentioned above and b) the data that subscribers input into the platform, which is also stored in the Amazon AWS cloud, are not personal data, being limited to studies related to agriculture, photos and videos of fields, land, plantations and harvests, among others.
Even videos or photos that contain an image that could result in the identification of an individual are not allowed on the platform, as this violates the constitutional right to personal image and would require an Image Use Assignment Term.
8. How is your data shared?
Personal data collected by EIWA is for internal use only and to comply with legislation.
This implies that your data will be shared, basically with the:
- Amazon AWS cloud, which, as we have seen, stores almost all customer and supplier data, as well as documents and information collected by EIWA;
- Bizneo platform, a Human Resources software that is a global reference in safety and quality, where, as we have seen, the data of candidates from recruitment processes and the data of EIWA employees are stored.
- Government, as per the law, through eSocial, as we already explained, which requests a series of data related to EIWA’s employees. EIWA is limited to providing the data strictly necessary to comply with the legislation.
In addition, the data is for internal consumption, and the insights resulting from the platform's data analysis come from anonymized data, to which the Brazilian Data Protection Law does not apply.
9. What are the measures adopted by EIWA to ensure the security and integrity of your personal data?
EIWA invests heavily in technology, so that the notebooks used by its employees have state-of-the-art antivirus, in addition to all reasonable security measures in place to prevent a data leak.
Employees are instructed not to save any personal data on their company notebook, to use a "secure password" (a random password that is stored in an encrypted software), and to log out of the notebook whenever they are at the company's headquarters or even in a public place and need to stay away from the machine, even for a short period of time.
Employees are also instructed to maintain a clean desk policy and not to talk about work matters, let alone mention personal data in public places (such as elevators, restaurants, taxis, or even the company's open space, depending on the criticality of the data).
Furthermore, since the few personal data collected by the company are stored in a cloud that is a reference in data security (Amazon AWS) and also in the Bizneo platform, a Human Resources software that is a global reference in security and quality, EIWA is limited to ensuring, in the contracts signed with these suppliers, that they remain in line with the Brazilian Data Protection Law.
10. Does EIWA transfer data internationally?
The answer is yes, since the personal data collected by the company is located in two datacenters, one located in Argentina (headquarters of the Amazon AWS datacenter chosen by EIWA) and the other located in Spain (headquarters of Bizneo RH and its datacenter).
Deciding on a particular country as the “host” of the data is a multi-factorial decision, which takes into account a series of points, such as the business model, the target audience, the price, or even technical issues, among others. And due to the global telecommunications infrastructure, it is very common for providers to be located in another country.
According to arts. 33 to 35 of the Brazilian Data Protection Law, the international transfer of data is allowed, by hiring servers abroad, through the use of the mechanism (copied from the European legislation General Data Protection Regulation, the famous “GDPR”) of the “standard contractual clauses”, still pending regulation by the National Data Protection Authority (in Portuguese, “ANPD”).
Art. 35, by the way, states that the National Data Protection Authority is responsible for defining the level of security and privacy of these clauses. The law basically says that such clauses must consider “the minimum requirements, conditions and guarantees for the transfer that observe the rights, guarantees and principles of this law”.
Properly deciding on the location of servers is essential to demonstrate that security measures have been taken since the product's conception, and also the adoption of good practices and data governance by the company.
In short, what the law wants is for the data to be transferred to a country with a legislation that is equally or more protective of the personal data being transferred. And this is exactly the case with EIWA, in which, although standard contractual clauses have not yet been used (since they are still pending regulation by the National Data Protection Authority, as mentioned), the data are located in two countries that have robust data protection legislation:
- Amazon AWS cloud datacenter: Argentina has, since 2001, a “Personal Data Protection Law” and a “Regulatory Decree” that together form what we call the “Personal Data Protection Act” (known as the “PDPA”) 25.326. In July 2018, the Argentinian data protection authority (Agencia de Acceso a la Información Pública, “ADPA”) even issued Provision 47/2018 (“Provision 47”) which, under the terms of the PDPA, revoked Provision No. 11/2006, related to security measures that the data controllers (such as the AWS customers) would need to consider when processing personal data. Provision 47 outlines new recommended security measures that are in line with international best practices and standards, as well as aim to protect the confidentiality and integrity of personal data during its processing, from data collection to deletion; and
- Spain (Bizneo RH's global headquarters): Spain is part of the European Union, and adopts rules that are even stricter than Brazilian law itself, and from which Brazil has taken inspiration in order to create the Brazilian Data Protection Law, which is exactly the General Data Protection Regulation, the famous “GDPR”.
Therefore, until the National Data Protection Authority regulates the standard contractual clauses, we are in compliance with the Brazilian Data Protection Law also with regard to the international transfer of data, more precisely the use of datacenters abroad.
11. How do you get in touch with EIWA, in case of any need linked to the protection of your personal data?
All requests regarding data protection must be made via email (Info@eiwa.ag), and will be answered immediately, when in simplified format, and within the legal period of 15 days, when the holder requires a clear and complete statement, “that indicates the origin of the data, the lack of registration, the criteria used and the purpose of the treatment, observing commercial and industrial secrets”, according to article 19, items I and II of the law.
(Focusing on continuous improvement, our Privacy Notice is constantly being updated, so we kindly ask you to periodically visit this page to ensure you are aware of any changes made to this document. If changes are made that require consent – which is not usually the case for EIWA – you will be informed in advance. This version of the Privacy Notice is dated 08/08/2022).