

About this policy

Version 3.0
Created on: 12/15/2021
Last reviewed on: 08/30/2022
Created and updated by: Antonio Henrique Wendpap de Barros – DPO
Reviewed by: Robson Schmidt – IT Director


Personal data is any data that allows the identification (directly or indirectly) of a living individual. Examples include name, ID card, CPF, date of birth, address, photo, gender and the IP address of a device, among others.

When personal data, in addition to identifying an individual, reveals their racial origin, religious conviction, identity and/or sexual preference, party and/or union affiliation, or health status, or contains their biometric/genetic data such as photos, fingerprints, and the like, it is considered sensitive personal data.

With regard to individuals, the purpose of Executiva Outsourcing’s Third-Party Management is to ensure the legal compliance of its clients’ suppliers, and their respective third-party employees, in accordance with labor, safety and occupational health rights, as provided for in paragraph 7 of Article 10 of Law No. 13429/2017:

“The contracting party is subsidiarily responsible for the labor obligations related to the period in which the temporary work occurs, and the payment of social security contributions will comply with the provisions of article 31 of Law No. 8212, of July 24, 1991.”

To this end, we collect, audit and store all documentation necessary to ensure this compliance on behalf of our clients.

At any time, they can consult this database of audited documents for the purposes of various proofs, issuance of consolidated reports, audits and use as evidence in labor lawsuits.

Thus, there is no direct contractual relationship between Executiva and the suppliers/third-party employees of its clients.

The documents handled contain, but are not limited to, the following data:

Personal data:

Full Name, Gender, Date of Birth, ID, CPF, CNH, CTPS, Affiliation, Full Address, Salary, Amount of Overtime Worked, Bank Details, Marital Status, Profession, Position, Function, NIT, CAT Registration Number.

We also collect data through SG3 navigation, for process improvements (never to track user actions), such as Essential Cookies and Session Data.

Sensitive personal data:

3×4 photo, Aptitudes for the exercise of the function (positive only), Toxicological results, Signature in own hand.

In specific cases, due to the Controller’s legal obligations, we may process additional sensitive data, such as Race, Social Name and Sexual Orientation.

Personal data is collected through SG3 – Third Party Management System.

Data is collected in two stages:

The first is to register the third-party collaborator in the system. This makes it possible to know who is responsible for the documents, which contractor the employee is allocated to, and when to request each document, among other essential features of the system.

The second is through the data contained in the documents. The system’s intelligence knows when to request which documents and from which employees. In this way, it creates pending issues for the listed person in charge of each third-party company to upload the requested documents in PDF. In some cases, at the client’s request, Executiva receives these documents by e-mail and inserts them into SG3.

The processing of personal data by Executiva falls primarily under the case described in item II of Article 7 of Law 13709/2018 – General Personal Data Protection Law:

“for compliance with a legal or regulatory obligation by the controller”

As described in the purpose of the processing in this policy.

There are documents handled by Executiva that also fall into the following hypotheses:


“VII – for the protection of the life or physical safety of the holder or of a third party;”

  • Those that prove the use of appropriate safety equipment, technical qualification for the exercise of the function, non-intoxication by various agents, etc.

“IX – when necessary to meet the legitimate interests of the controller or of a third party, except in the event that fundamental rights and freedoms of the data holder that require the protection of personal data prevail;”

  • Those that configure good practices of the controller, in order to maintain compliance with internal rules or those of the economic group to which it belongs.

Registration data such as ID, CPF and face photo can also be used in order to ensure the authenticity of the registration in the systems, according to Law 13709/2018 Art. 11, Item II – g):



Law 13.709/2018 – General Data Protection Law (LGPD), in its article 5, provides:

V – data holder: natural person to whom the personal data that are subject to processing refers;

VI – controller: natural or legal person, governed by public or private law, who is responsible for decisions regarding the processing of personal data;

VII – operator: natural or legal person, governed by public or private law, who processes personal data on behalf of the controller;

VIII – person in charge: person appointed by the controller and operator to act as a communication channel between the controller, the data holders and the National Data Protection Authority (ANPD-Autoridade Nacional de Proteção de Dados);


In the Third-Party Management process:

The Data Holder is the third-party employee;

The Controller is the Executiva client (CONTRACTING PARTY/ BORROWER);

The Operator is Executiva Outsourcing;

The person in charge is Antonio Henrique Wendpap de Barros, DPO.

By default, the processing of data by Executiva Outsourcing lasts for the duration of the contract with the client (CONTRACTING PARTY / BORROWER); once the contract is terminated, the data is returned to the client.

As for documents containing personal data and/or sensitive personal data of employees, received in connection with the provision of the service, these are stored for a maximum period of 5 years.

Data processing may also be discontinued when it is identified that it is no longer necessary for the contracted purposes, or when its necessary retention period provided by law is reached.

Article 6 of the General Data Protection Law, in addition to good faith, establishes that the processing of personal data must follow 10 principles. Among them:

I – purpose: carrying out the processing for legitimate, specific, explicit and informed purposes to the holder, without the possibility of subsequent processing in a manner incompatible with these purposes;

Executiva Outsourcing declares that the processing of data it carries out has no other intention than the legal regularity of the third party, in accordance with what is provided for by law.

The act of informing the data subject about their processing is the responsibility of the client (CONTRACTING PARTY / BORROWER).

II – adequacy: compatibility of the processing with the purposes informed to the holder, according to the context of the processing;

Data processing does not exceed the scope provided here at any time during the data’s life cycle.

III – necessity: limitation of processing to the minimum necessary to achieve its purposes, with coverage of pertinent data, proportional and not excessive in relation to the purposes of data processing;

We are always seeking to remove data that we believe is no longer necessary for the purpose of processing, and new documents are only accepted if we understand that they are essential for the purpose of the service provided.

Data sharing may occur due to the use of third-party tools.

For Third Party Management, Executiva Outsourcing uses:

  • Amazon AWS
      • Goal: Data hosting on a server.
      • Shared data: all personal data provided for in our privacy policy.
      • CNPJ: 23.412.247/0001-10
  • Microsoft
      • Goal: Serving customer suppliers, internal and external communication, which may involve personal data, through the Outlook and Teams tools.
      • Shared data: In general, name, email, company you work for, and job title. According to our privacy policy, in exceptional cases, when requested by the client, employee documents may be received by e-mail (Outlook) so that we at Executiva can post them in SG3.
      • CNPJ: 60.316.817/0001-03
  • Movidesk
      • Goal: Exclusively for customer service and its suppliers.
      • Shared data: Name, email, company you work for, client where you are allocated and phone number.
      • CNPJ: 13.375.030/0001-24

The personal data of the holders is not shared with any other third party, or for any other purpose than to ensure the proper provision of the service and improvement of processes.

The law provides for the following rights of the data holder:

Art. 18. The holder of the personal data has the right to obtain from the controller, in relation to the data of the data holder processed by them, at any time and upon request:

I – confirmation of the existence of treatment;

II – access to data;

Due to the nature of the contractual relationship, we are unable to provide formal system access to data subjects. Only Executiva, the client and the person in charge of the third-party company (usually someone from the Human Resources area) have access to post the documents. However, the data holder may, at any time, request a list of their personal data under our processing.

The service channel for requests involving personal data is the e-mail address:

III – correction of incomplete, inaccurate or outdated data;

If the data holder wishes to correct any incomplete, inaccurate or outdated data, they must contact the service channel previously informed.

IV – anonymization, blocking or deletion of unnecessary data, excessive or processed in violation of the provisions of this Law;

If the data holder wishes to have their data blocked, anonymized or deleted, for the reasons mentioned, they must also contact the service channel previously informed. Compliance with the request is subject to review and approval.

V – portability of data to another service or product provider, upon express request and subject to commercial and industrial secrets, in accordance with the regulations of the controlling body;

Under the business model, the data holder has no direct relationship with the Operator; the data holder's relationship is that of a supplier to the Controller.

VI – deletion of personal data processed with the consent of the data holder, except in the cases provided for in article 16 of this Law;

We do not process data based on the consent of the data holder.

VII – information on public and private entities with which the controller has shared data;

VIII – information on the possibility of not providing consent and on the consequences of refusal;

IX – revocation of consent, pursuant to paragraph 5 of article 8 of this Law.

As we do not work with data processing based on the consent of the data subject, the data subject cannot request its revocation.

Our system is hosted on Amazon’s servers in the United States. Executiva ensures the security and integrity of the data, and transfers it in accordance with an Executiva-Client agreement.

  • There is no direct contractual relationship between Executiva and its clients’ suppliers.
  • Outside Executiva, only the controller and the employees responsible for posting the documents of each registered supplier have access to the system (SG3).
  • Executiva, as an Operator, is willing to receive and forward the requests of the holders, related to personal data, to its customers (Controllers). However, it is up to the Controller to evaluate and decide what will be done in response to the request.

This privacy policy is subject to change for the purposes of adapting to new technologies, industry practices, regulatory obligations, among others. The Controller will always be formally notified when this policy undergoes any change.

