September 2023

Who We Are

We are Skaloup and our website address is:

Introduction and Background

The Privacy and Personal Data Protection Policy presented here aims to guide the management, in a broad aspect, of the activities and operations of processing personal data existing in the Skaloup. This document integrates the compliance program of Skaloup to the General Law of Data Protection (Brazilian Law No. 13,709/2018) and other laws that deal with the topic.

Using the present document, the Skaloup intends to adapt its personal data processing operations to the legal regulations on the subject, and in particular, to the GLDP approved in Brazil in August 2018.

We emphasize that the GLDP is a comprehensive law that is aimed at different economic agents in Brazil, whether in the public, private, or third sector; it brings the legal prescriptions for personal data to be used in the activities of these agents.

In May 2018, the General Data Protection Regulation (Regulation EU 2016/679 – “GDPR”) came into force. Considering that this regulation has points of contact with the activities developed by Skaloup in the European Union, we consider it appropriate to also address this regulation, adjusting it to the conformities of the GLDP.

In performing some of the activities provided for in its charter, Skaloup performs personal data processing operations in line with the best interests and rights of the holders of personal data, and may be characterized as Controller of Personal Data, Operator of Personal Data, Controller and Operator of Personal Data or Co-Controller of Personal Data, by the definitions of the GLDP, reinforcing, in all the positions it occupies, its commitment to compliance with the applicable rules on privacy and protection of personal data.

The compliance adjustments related to the process of compliance with the GLDP include an interpretation of the Brazilian law to define legal obligations, a survey of relevant facts for its application, and the assessment of flows and processes that contribute or not to the adjustments to the legal standard.

Terms and Definitions

PERSONAL DATA: Information related to an identified or identifiable natural person. In addition, considered personal data are those used to form the behavioral profile of a given natural person.

SENSITIVE PERSONAL DATA: Personal data concerning the racial or ethnic origin, religious conviction,  political opinion, membership of a labor union or a religious, philosophical, or political organization, data concerning health or sex life, genetic or biometric data when linked to a natural person.

NATIONAL   DATA   PROTECTION   AUTHORITY   (“NDPA”):   Public Administration body responsible for ensuring, implementing, and enforcing compliance with the GLDP throughout the national territory. The NDPA was established by the GLDP as a federal public administration body with technical autonomy, an integral part of the Presidency of the Republic, its nature is defined as transitional and subject to transformation by the Executive Branch into an indirect federal public administration entity, subject to a special autarkic regime and linked to the Presidency of the Republic.

GENERAL DATA PROTECTION LAW (“GLDP”): A normative diploma (Brazilian Law No. 13,709, dated August 14, 2018) that provides for the processing of personal data in digital or physical media performed by a natural person or legal entity, of public or private law, aiming to defend the holders of personal data while allowing the use of data for various purposes, balancing interests and harmonizing the protection of the human person with technological and economic development.

PERSONAL DATA PROCESSING AGENTS: The controller and the operator of personal data.

PERSONAL DATA CONTROLLER: A natural or legal person, governed by public or private law, who is responsible for decisions regarding the processing of personal data.

PERSONAL DATA OPERATOR: A natural or legal person, under public or private law, who processes personal data on behalf of the Controller.

PROCESSING OF PERSONAL DATA (“PROCESSING”): Any operation performed with personal data, such as those concerning collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, deletion, evaluation, information control, modification, communication, transfer, dissemination or extraction.

ANONYMIZATION: Use of technical means, reasonable and available at the time of processing personal data, by which data loses the possibility of an association, directly or indirectly, with an individual.

Anonymized data is not considered personal data for the GLDP.

PERSONAL DATA SUBJECT (“DATA SUBJECT”): Natural person to whom the personal data that are subject to processing relate.

OFFICER OR DATA PROTECTION OFFICER (“DPO”): A natural or legal person appointed by the Treatment Agent to act as a communication channel between the Controller, the data subjects, and the National Data Protection Authority.

SUPPLIERS: In the context of Skaloup suppliers are considered to be other third-party contractors and subcontractors, natural or legal persons, not framed as business partners.

THIRD PARTY: Any individual or legal entity contracted by Skaloup to develop or assist in the development of its activities, both as suppliers of goods or services and as business partners.

COMMERCIAL PARTNERS: In the context of Skaloup, commercial partners are considered third-party contractors, whether individuals or legal entities, who act on its behalf: Consultants, Contractors, and Commercial Agents (those who indicate activities in which Skaloup may act as a contractor).


This Privacy and Personal Data Protection Policy sets out the guidelines of the Skaloup for the protection and use of personal data that are in any way part of its activities and is based on the General Law on Personal Data Protection, as well as other national and international standards that deal with the protection and privacy of personal data, particularly in compliance with therefore mentioned General Data Protection Regulation of the European Union.

Applicability and Recipients

This Privacy and Personal Data Protection Policy applies (i) to the employees of Skaloup; (ii) to all third parties, whether natural or legal persons acting for or on behalf of Skaloup in operations involving processing of personal data that are performed within the scope of the activities conducted by Skaloup; (iii) to personal data processing agents outside Skaloup that in any way deal with the Institution; and (iv) to the owners of personal data whose data are processed by Skaloup.

Adherence to this Po/icy is mandatory for all recipients listed above insofar as they relate to Skaloup. All operations involving the processing of personal data carried out in the course of the activities conducted by Skaloup shall be subject to the legal regulations and to those set out herein.


This Policy establishes concepts, guidelines, and rules defined with the intention that its addressees understand and comply with the legal standards that address the protection of personal data, in a dynamic and comprehensive or future holder of personal data, third parties,  and personal data processing agents external to the Skaloup in the scope of its activities.

The information covered by this Po/icy includes all data held, used, or transmitted by or on behalf of Skaloup, in any form of media. This includes personal data recorded on paper, held on computer systems or portable devices, as well as personal data transmitted orally.


The objectives of Skaloup’s Privacy and Personal Data Protection Policy are to

This Policy must be analyzed together with the obligations outlined in the documents mentioned below, which contain information in general, complementing it when appropriate:

  1. Privacy policies, information security standards, and terms and conditions of use addressing confidentiality, integrity, and availability of [?]
  2. Employment contracts of employees of Skaloup and other similar documents, which contain confidentiality obligations regarding information held by the Institution;

Privacy and Personal Data Protection Principles

Under the GLDP, the Skaloup will comply with the following principles of personal data protection when processing personal data:

Institutional Commitment to Personal Data Processing

The Skaloup is committed to periodically evaluating the purposes of its processing operations, considering the context in which these operations take place, the risks and benefits that may be generated for the holder of personal data, and the legitimate interest of the Institution.

In this regard, there must be a legal basis and a defined purpose for all personal data processing operations within the scope of the activities conducted by the Skaloup.

Personal data processing operations by Skaloup may only be carried out:

Records of personal data processing operations may be consulted by the personal data and by public authorities that are competent to access and retain data on his/her behalf, safeguarding the rights of the personal data owner.

Institutional Commitment to the Processing of Sensitive Personal Data

Is committed to special precautions and care in the processing of processing data and recognizes that these data present higher risks to the personal data subject.

In this sense, the sensitive personal data listed in Article 5, subsection II of the GLDP, as well as financial data, for this Policy, will have the same stares as sensitive personal data.

Processing operations of sensitive personal data by Skaloup may only be carried out:

  1. The fulfillment of a legal or regulatory obligation imposed on
  1. The performance of studies when Skaloup is in the position of Research Body, guaranteed, whenever possible, the anonymization of sensitive personal data;
  2. The regular exercise of rights, including in contract and judicial, administrative, and arbitration proceedings;
  1. Protection of the life or physical safety of the data subject or third parties;
  2. Health guardianship, exclusively, in a procedure performed by health professionals, health services, or, health authority; 
  3. Guarantee of fraud prevention and personal data holder security, in the identification and authentication processes of registration in electronic systems.

Rights of the Personal Data Subjects

In the context of its personal data processing activies, the Skaloup reinforces its commitment to respect the rights of the holders of personal data, namely:

Institution, as well as the technical limits of its infrastructure.

The Skaloup reiterates its commitment to the rights of personal data subjects to transparency and adequate information, highlighting the provision of:

Duties for the Proper use of Personal Data In the development of the work and activities of the Skaloup, all recipients of this Policy are extended the duties of care, attention, and appropriate use of personal data, undertaking to assist the situation to meet its obligations in implementing its strategy for privacy and protection of personal data.

It is incumbent on the holders of personal data to inform Skaloup of any changes to their data in their relationship with the Institution (e.g. change of address); notifying it preferably in the following order:

  1. By e-mail addressed to the person in charge of Skaloup with whom the holder relates;

If its purpose and legal basis are respected, the sharing of personal data of holders of personal data among the Skaloup group is allowed, observing the principle of necessity, and the processing of personal data is always restricted to the purposes and related activities authorized by the Institution.

Upon suspicion or the actual occurrence of the following actions, all recipients of this Policy must contact the Head of Skaloup:

Relationship With Third Parties

The liability established by the GLDP, in case of property damage, moral, individual, or collective arising from violations of the legislation for the protection of personal data is joint and several. This means that all agents in the chain involving the processing of personal data can be held reliable for any damage caused.

For this reason, the possibility that Skaloup may be held liable for the actions of third parties implies that we must use our best efforts to verify, assess, and ensure that such third parties comply with the applicable data protection legislation.

Compliance With Personal Data Protection Laws

Seeks compliance with the rules and guidelines of the  GLDP to ensure its commitment to ensuring the proper processing of personal data for legitimate purposes that may be subject to its activities and reinforces its commitment to good privacy and data protection practices with the following actions:

As of the entry into force of the GLDP, the Skaloup Officer – also referred to as Data Protection Officer (Skaloup DPO) assisted by his technical team, will have the following responsibilities:

Prosecutor’s Office, National Authority for the Protection of Personal Data, etc.);

Information Security

The information security and personal data incident prevention rules will be contained in the internal regulations of Skaloup and related documents.

Reinforces its commitment to employ appropriate technical and organizational measures in dealing with personal data, and to make efforts to protect the personal data of personal data subjects from unauthorized access, loss, destruction, and unauthorized sharing, among other things.

International Transfer of Personal Data

In cases where the Skaloup is permitted   to   process   personal   data regardless of data subject consent, the Skaloup may transfer personal data to other countries provided that, alternatively

  1. Standard Contractual Clauses issued by the NPA or the European Commission;
  2. Seals and Certificates of compliance or adequacy to the protection of personal data granted by entities recognized by the NDPA or the European Commission.

May transfer personal data to other countries in those cases where it is authorized to process personal data based on consent, provided that it obtains the explicit and unambiguous consent of the data subjects to international transfers of personal data, with prior notice of the international nature of the operation.

Data Protection Culture and Training

For the expansion of the culture of personal data protection in the Institution, the recipients of this Policy undertake to participate in the training workshops, meetings, and capacity building offered by Skaloup.

To help them understand their duties and how to comply with them, the employees of the Skaloup whose functions require the regular processing of personal data, or those responsible for the implementation of this Policy, undertake to participate in additional training.

Commitment to Ongoing Monitoring

Is committed to ensuring the appropriate processing of personal data for legitimate purposes that may be the subject of its activities and reinforces its commitment to good privacy and data protection practices, undertaking to keep up to date with the standards and recommendations issued by the NDPA or other competent authorities.

To reinforce the Institution’s permanent commitment to privacy and the protection of personal data, the Skaloup undertakes to revisit this Policy periodically and, at its discretion, promote modifications that update its provisions, and all changes made will be communicated in due course through the Institution’s official channels.