General Data Protection Regulation (GDPR) and (LGPD)
After the European Union adopted a data protection law called the General Data Protection Regulation (GDPR), in force since May 25, 2018, Brazil also decided to enact its own personal data protection law, aiming to unify and update the laws that dealt with the topic. The LGPD is based on the GDPR.
LGPD is the first specific data protection law in Brazil and imposes strict rules on the control and processing of personally identifiable information. Walpax Brazil Travel Partners is committed to ensuring compliance with LGPD and has been consistent in its approach to data protection as part of its overall product standards, since before GDPR and now LGPD.
It is important to clarify that Walpax Brazil Travel Partners processes business data of legal/physical persons. In some specific situations there may be processing of personal data, especially for communication with customers and users. Therefore, we have prepared this FAQ (Frequently Asked Questions) on the collection and processing of personal data related to the services offered by Walpax Brazil Travel Partners.
Questions about LGPD/GDPR
Roles and Definitions
Data Controller: Article 5(VI) of the LGPD and Article 4(7) of the GDPR state that: "'controller' means the natural or legal person, whether governed by public or private law, who is responsible for decisions concerning the processing of personal data." In general, the controller assumes responsibility for all personal data collected and must ensure that the rights of the data subject and the legal obligations of the controller are also covered by the processor.
Walpax Brazil Travel Partners, as a service provider, is the data operator/processor for clients and partners, and controller for suppliers/providers that are contracted to perform various services/supplies.
The GDPR has a broad territorial scope and applies to any activities of a data controller or processor in the European Union, which include the processing of personal data. The question is whether the controller or processor is located in the European Union. The GDPR also applies to controllers or processors located outside the European Union, where the processing serves to offer goods or services to subjects who reside in the European Union or to monitor the behavior of data subjects who reside in the European Union.
Similarly, the LGPD is applicable throughout the Brazilian territory and applies to any activities of a data controller or data operator in the Brazilian territory, which include the processing of personal data. The LGPD also applies to the processing of personal data for the purpose of offering or providing goods or services, or the processing of data of individuals located in the Brazilian territory, or that has been collected in Brazil.
Under its general processing principles, the GDPR requires that processing of personal data must be lawful, proportionate, transparent, adequate, accurate, secure, confidential, limited in time and for designated purposes, and conducted in a responsible manner (which means applying appropriate security - including technical and organizational measures - to ensure integrity and confidentiality).
In accordance with its general principles, the LGPD requires that the processing of personal data must respect the purposes (carrying out processing for legitimate, specific, explicit purposes informed to the data subject, without the possibility of further processing in a way incompatible with those purposes), adequacy (compatibility of processing with the purposes informed to the data subject, according to the context of the processing), necessity (limitation of processing to the minimum necessary to achieve its purposes, with coverage of data that are relevant, proportional and not excessive in relation to the purposes of data processing), free access (guarantee to data subjects of free and easy consultation on the form and duration of the processing, and on the completeness of their personal data), data quality (guaranteeing, to data subjects, the accuracy, clarity, relevance, and updating of the data, in accordance with the need and to fulfill the purpose of their processing), transparency (guaranteeing, to data subjects, clear, precise, and easily accessible information on the conduct of the processing and the respective processing agents, with due observance of commercial and industrial secrets), security (use of technical and administrative measures to protect personal data against unauthorized access and accidental or unlawful destruction, loss, alteration, communication or disclosure), prevention (adoption of measures to prevent damage arising from the processing of personal data), non-discrimination (no processing for discriminatory, unlawful or abusive purposes), and accountability (demonstration, by the agent, of the adoption of effective measures capable of proving compliance with personal data protection rules, including the effectiveness of such measures).
The GDPR defines what is meant by the term "personal data": any data relating to an identified or identifiable individual. Article 4(1) of the GDPR states, "an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier or other specific data relating to that person's physical, physiological, genetic, mental, economic, cultural or social identity." The term clearly includes metadata or other associated data such as IP addresses, cookies or other identifiers - also a combination of these data - that can result in the tracking of the individual. The GDPR has expanded the known catalog of special categories of personal data to include genetic data, biometric data, if used to uniquely identify a natural person, and data related to criminal convictions and offenses.
The LGPD defines what is meant by the term "personal data": information relating to an identified or identifiable natural person, such as name, identification number, location data, IP addresses, cookies or other identifiers - also a combination of these data - that can result in the individual being tracked. The LGPD also treats sensitive data as personal data about racial or ethnic origin, religious belief, political opinion, membership of a trade union or religious, philosophical or political organization, data concerning health or sex life, genetic or biometric data when linked to a natural person.
Data Subject's Right
Based on the principle that the individual should always be aware of what personal data is being processed, by whom, for what purpose and for how long, the data controller will need to actively provide certain specific or general information. This is in line with the revised data portability concepts of the GDPR and LGPD and the individual's rights to access, refuse or be forgotten. Therefore, organizations involved in processing personal data require robust internal processes with designated roles.
This is when something goes wrong - when internal organizational measures have failed to prevent a data infringement, or the processing of personal data has been found to be outside the lawful purpose. In the event of a data infringement, data controllers need to notify the national authority and the affected individuals within the shortest possible time after becoming aware of the situation. Data operators need to inform data controllers without delay after becoming aware of a personal data infringement.
Walpax Brazil Travel Partners LGPD/GDPR - Questions about your personal data.
Q. Does Walpax Brazil Travel Partners process my personal data? If so, what data?
A. Yes, we collect and process personal data from clients and suppliers, such as:
(a) first name and last name; (b) business and personal email address; (c) company name; (d) country of operation.
Walpax Brazil Travel Partners applications also record data related to customer or supplier activities within the Walpax Brazil Travel Partners environment, in order to comply with legal obligations as well as statistical analysis for the continuous improvement of service delivery.
Q. For what purpose is my data processed?
Q. Where is my data stored?
A. Our users' data is stored in a secure environment where we limit access to our users' data so that unauthorized third parties cannot access it. We use SSL (Secure Sockets Layer) certificates so that data transmission between users' devices and our servers is encrypted.
Q. Can Walpax Brazil Travel Partners guarantee that my data will be in a specific location?
A. Where data is transferred, Walpax Brazil Travel Partners ensures that such transfers comply with the international standard set by all applicable standards, including the General Data Protection Regulation (GDPR).
Q. Does Walpax Brazil Travel Partners operate on security best practices?
A. Yes, we are constantly updating and seeking to meet data security best practices.
Q. How do I correct or update my data?
A. You can correct or update your registration data at any time in the login area of the https://www.walpax.com.br/ platform or by contacting our sales department at firstname.lastname@example.org. If you have questions or need help, please contact our support team or customer service.
Q. Can I delete my data?
A. Yes, you can request the deletion of your personal data via the platform https://www.walpax.com.br/ or by contacting our sales department at email@example.com. However, some data may be kept by Walpax Brazil Travel Partners for a longer period due to legal requirements (e.g. for tax purposes).
Q. How can I contact Walpax Brazil Travel Partners?
A. Walpax Brazil Travel Partners contact information can be found at https://www.walpax.com.br/contact/, or you can send a direct email to firstname.lastname@example.org.