Pharma

Toxicology

Diagnostics

Software

About us

Blog

Contact

PRIVACY POLICY


1. PURPOSE

This Privacy Policy and Personal Data Protection aims to provide guidance on how to manage various activities and operations related to personal data processing at Synvia.

Through this document, the Synvia Group seeks compliance with the General Data Protection Law (Law No. 13.709/2018 – “LGPD”) and other sectoral laws on the subject.

This Policy establishes Synvia's guidelines for the safeguarding and use of personal data that may be processed in its activities, referencing the General Data Protection Law and other national and international norms related to privacy and personal data protection.


2. DEFINITIONS

For the purposes of this policy, the following definitions apply:

  • PERSONAL DATA PROCESSING AGENTS: The data controller and the data processor.

  • ANONYMIZATION: The use of technical means, reasonable and available at the time of personal data processing, through which a data loses the possibility of association, directly or indirectly, with an individual. Anonymized data is not considered personal data for the purposes of the LGPD.

  • NATIONAL DATA PROTECTION AUTHORITY (“ANPD”): A public administration body responsible for ensuring, implementing, and supervising compliance with the LGPD across the national territory.

  • PERSONAL DATA CONTROLLER: A natural or legal person, public or private, responsible for decisions regarding the processing of personal data.

  • PERSONAL DATA: Information related to an identified or identifiable natural person. Data used to form the behavioral profile of a particular natural person is also considered personal data.

  • SENSITIVE PERSONAL DATA: Personal data regarding race or ethnic origin, religious belief, political opinion, membership in a union or religious, philosophical or political organization, data related to health or sexual life, genetic or biometric data when linked to a natural person.

  • DATA PROTECTION OFFICER (“DPO”): A natural or legal person appointed by the Processing Agent to act as a communication channel between the Controller, data subjects, and the ANPD. Will be responsible for implementing the Compliance Program and conducting activities related to data protection in the SYNVIA Internal Controls and Compliance System.

  • SUPPLIERS: In the context of SYNVIA, suppliers are considered other contracted and subcontracted third parties, natural or legal persons, not classified as business partners.

  • GENERAL DATA PROTECTION LAW (“LGPD”): Normative diploma (Law No. 13.709/2018) that provides for the processing of personal data in digital or physical media.

  • PERSONAL DATA PROCESSOR: A natural or legal person, public or private, that processes personal data on behalf of the Controller.

  • BUSINESS PARTNERS: Contracted third parties (natural or legal persons) that act on behalf of Synvia, such as: Consultants, Affiliates, and Commercial Agents.

  • THIRD PARTY: Any natural or legal person contracted by Synvia to develop or assist in the development of its activities (suppliers or business partners).

  • DATA SUBJECT (“SUBJECT”): A natural person to whom the personal data being processed refers.

  • PERSONAL DATA PROCESSING (“PROCESSING”): Every operation performed with personal data (collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation, control, modification, communication, transfer, dissemination, or extraction).


3. APPLICABILITY

This Policy establishes guidelines and rules to ensure that its recipients understand and comply with legislation regarding personal data protection in all interactions with current and future data subjects, third parties, and processing agents external to Synvia within the scope of its activities.

Beyond the concepts defined by the norms, the information covered by this Policy includes all data held, used or transmitted by or on behalf of Synvia, in any type of media. This includes personal data recorded on paper, maintained in computer systems or portable devices, as well as personal data transmitted orally.


4. SPECIFIC OBJECTIVES

The objectives of the Privacy and Personal Data Protection Policy are:

  1. To establish the guidelines and responsibilities of Synvia that ensure and reinforce the Organization's commitment to comply with applicable legislation;

  2. To describe the rules to be followed in conducting activities and operations involving the processing of personal data carried out by Synvia and the recipients of this Policy.

This Policy must be read in conjunction with the obligations set forth in the following documents:

  • Employment contracts of Synvia employees;

  • Information security policies and procedural norms;

  • All internal norms regarding personal data protection developed and updated.


5. PRINCIPLES OF PRIVACY AND DATA PROTECTION

Synvia will comply with the following principles when processing personal data:

  • PURPOSE: Processing only for legitimate, specific, explicit purposes communicated to the subject, without the possibility of subsequent incompatible processing.

  • COMPATIBILITY: Processing compatible with the purposes informed and in accordance with the context.

  • NECESSITY: Processing limited to the minimum necessary (relevant, proportional, and non-excessive data).

  • FREE ACCESS: Facilitated and free consultation about how, duration of processing, and completeness of the data.

  • DATA QUALITY: Assurance of accuracy, clarity, relevance, and timeliness of the data.

  • TRANSPARENCY: Clear, precise, and easily accessible information about the processing and the processing agents.

  • SECURITY: Technical and administrative measures capable of protecting personal data.

  • PREVENTION: Adoption of measures to prevent the occurrence of harm.

  • NON-DISCRIMINATION: Inability to process for illicit or abusive discriminatory purposes.

  • ACCOUNTABILITY AND RESPONSIBILITY: Demonstration of effective compliance with the norms.


6. LEGAL BASES FOR PERSONAL DATA PROCESSING

All processing operations will have a legal basis that legitimizes their execution. Synvia may process personal data:

  1. Upon providing consent by the subject;

  2. To fulfill a legal or regulatory obligation;

  3. For conducting studies by research bodies;

  4. When necessary for the execution of a contract or preliminary procedures;

  5. For the regular exercise of rights in judicial, administrative, or arbitration processes;

  6. For the protection of the life or physical well-being of the subject or third party;

  7. For safeguarding health (in procedures conducted by health professionals/public health authority);

  8. When necessary to meet the legitimate interests of Synvia or third parties;

  9. For credit protection.

Synvia will maintain records of its processing operations, which may be consulted by the data subject and competent public authorities.


7. LEGAL BASES FOR SENSITIVE DATA PROCESSING

Synvia commits to safeguarding and taking special care in the processing of sensitive personal data and financial data. Data from children and adolescents will be treated with the same level of care.

The processing of sensitive data may only occur:

  • With consent: When the subject or legal guardian consents, specifically and prominently.

  • Without consent: In cases where it is indispensable for:

    • Compliance with a legal or regulatory obligation;

    • Conducting studies (ensuring anonymization whenever possible);

    • Regular exercise of rights (contract, judicial, administrative, arbitration processes);

    • Protection of life or physical well-being;

    • Health protection;

    • Guarantee of fraud prevention and security for the subject (identification and authentication in systems).


8. RIGHTS OF PERSONAL DATA SUBJECTS

Synvia reinforces its commitment to respect the rights of subjects:

  • RIGHT TO CONFIRMATION: To confirm the existence of processing of their data.

  • RIGHT OF ACCESS: To request and receive a copy of the collected data.

  • RIGHT TO CORRECTION: To request correction of incomplete, inaccurate, or outdated data.

  • RIGHT TO DELETION: To request deletion of data (unless there is a legitimate reason for retention).

  • RIGHT TO SUSPEND ILLEGAL PROCESSING: To request anonymization, blocking, or deletion of unnecessary or excessive data.

  • RIGHT TO OBJECT: To oppose processing not based on consent (to be analyzed according to LGPD criteria).

  • RIGHT TO PORTABILITY: To request the provision of data to another supplier.

  • RIGHT TO REVOKE CONSENT: To revoke previously given consent (without affecting the legality of prior processing).


9. DUTIES FOR THE PROPER USE OF PERSONAL DATA

Duties of the Subjects

  • To notify Synvia of any changes in their personal data (e.g., change of address).

  • To notify via email: protecaodedados@synvia.com.

Duties of Synvia Employees

  • The sharing of data between companies of the Synvia Group is permitted only if the purpose, legal basis, and principle of necessity are respected.

  • Do not make data accessible to unauthorized persons.

  • Obtain the necessary authorization and documents demonstrating competence for processing.

  • Comply with information security standards.

Duties of All Recipients

Contact the DPO of Synvia in case of suspicion or occurrence of:

  1. Operation without legal basis;

  2. Processing without authorization;

  3. Non-compliance with the Information Security Policy;

  4. Unauthorized elimination/destruction of data;

  5. Any other violation of this Policy.


10. RELATIONSHIP WITH THIRD PARTIES

Considering the joint liability provided in the LGPD, Synvia will make every effort to ensure that third parties comply with applicable legislation.

All contracts with third parties must contain clauses regarding the protection of personal data, being reviewed and submitted for approval by the DPO and technical team.


11. INFORMATION SECURITY

The security standards are contained in Synvia's Information Security Policy. The organization commits to employing adequate technical and organizational measures to protect data against unauthorized access, loss, destruction and improper sharing.


12. INTERNATIONAL DATA TRANSFER

Synvia may transfer data to other countries under the following conditions:

Without consent (when authorized to process data based on another legal basis):

  • Country with an adequate level of protection (by ANPD or adequacy decision from the European Commission/GDPR); or

  • Provision of safeguards (Codes of Conduct, Standard Contractual Clauses, Seals/Certificates).

With consent:

  • Obtaining explicit and highlighted consent for international transfer.

Synvia will inform subjects about the occurrence of international transfers, designating the set of data, the purpose, and the destination.


13. MONITORING AND UPDATING

Synvia commits to periodically reviewing this Policy. All changes made will be communicated in a timely manner via the Organization's official channels.

PRIVACY POLICY


1. OBJECTIVE

This Privacy and Personal Data Protection Policy aims to provide guidance on how to manage the various activities and operations related to the processing of personal data at Synvia.

Through this document, the Synvia Group seeks compliance with the General Data Protection Law (Law No. 13.709/2018 - "LGPD") and other sectoral laws on the subject.

This Policy establishes Synvia's guidelines for safeguarding and using personal data that may be processed in its activities, referencing the General Data Protection Law and other national and international norms related to privacy and protection of personal data.


2. DEFINITIONS

For the purposes of this policy, the following definitions apply:

  • DATA PROCESSING AGENTS: The controller and the operator of personal data.

  • ANONYMIZATION: Use of technical means that are reasonable and available at the time of processing personal data, through which data loses the possibility of association, directly or indirectly, with an individual. Anonymized data is not considered personal data for the purposes of the LGPD.

  • NATIONAL DATA PROTECTION AUTHORITY (“ANPD”): Public administration agency responsible for ensuring, implementing, and supervising the compliance with the LGPD throughout the national territory.

  • CONTROLLER OF PERSONAL DATA: Natural or legal person, public or private, to whom the decisions related to the processing of personal data belong.

  • PERSONAL DATA: Information relating to an identified or identifiable natural person. Data used to form the behavioral profile of a particular natural person is also considered personal data.

  • SENSITIVE PERSONAL DATA: Personal data regarding racial or ethnic origin, religious conviction, political opinion, affiliation to a union or religious, philosophical, or political organization, data related to health or sexual life, genetic or biometric data when linked to a natural person.

  • DATA PROTECTION OFFICER (“DPO”): Natural or legal person designated by the Processing Agent to act as a communication channel between the Controller, data subjects, and the ANPD. Responsible for implementing the Compliance Program and conducting activities related to data protection in Synvia's Internal Controls and Compliance System.

  • SUPPLIERS: In the context of SYNVIA, suppliers are considered other contractors and subcontractors, whether natural or legal persons, not classified as commercial partners.

  • GENERAL DATA PROTECTION LAW (“LGPD”): Normative diploma (Law No. 13.709/2018) that provides for the processing of personal data in digital or physical means.

  • OPERATOR OF PERSONAL DATA: Natural or legal person, public or private, that carries out the processing of personal data on behalf of the Controller.

  • COMMERCIAL PARTNERS: Third parties contracted (natural or legal persons) who act on behalf of Synvia, such as: Consultants, Partner Organizations, and Commercial Agents.

  • THIRD PARTY: Any natural or legal person contracted by Synvia to develop or assist in the development of its activities (suppliers or commercial partners).

  • DATA SUBJECT (“SUBJECT”): Natural person to whom the personal data being processed refers.

  • PROCESSING OF PERSONAL DATA (“PROCESSING”): Any operation carried out with personal data (collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation, control, modification, communication, transfer, dissemination, or extraction).


3. APPLICABILITY

This Policy establishes guidelines and rules to ensure that its recipients understand and comply with the legislation regarding personal data protection in all interactions with current and future data subjects, third parties, and external data processing agents to Synvia in the scope of its activities.

In addition to the concepts defined by the standards, the information covered by this Policy includes all data held, used, or transmitted by or on behalf of Synvia, in any type of media. This includes personal data recorded on paper, maintained in computer systems or portable devices, as well as personal data transmitted orally.


4. SPECIFIC OBJECTIVES

The objectives of the Privacy and Personal Data Protection Policy are:

  1. To establish the guidelines and responsibilities of Synvia that ensure and reinforce the Organization's commitment to complying with applicable legislation;

  2. To describe the rules to be followed in conducting activities and operations for processing personal data carried out by Synvia and the recipients of this Policy.

This Policy must be read in conjunction with the obligations set forth in the following documents:

  • Employment contracts of Synvia employees;

  • Information Security policies and procedures;

  • All internal norms regarding the protection of personal data that may be developed and updated.


5. PRINCIPLES OF PRIVACY AND DATA PROTECTION

Synvia will comply with the following principles when processing personal data:

  • PURPOSE: Processing only for legitimate, specific, explicit, and informed purposes to the subject, without the possibility of incompatible subsequent processing.

  • COMPATIBILITY: Processing compatible with the informed purposes and according to the context.

  • NECESSITY: Processing limited to the minimum necessary (pertinent, proportional, and non-excessive data).

  • FREE ACCESS: Facilitated and free consultation regarding the form, duration of processing, and completeness of the data.

  • DATA QUALITY: Guarantee of accuracy, clarity, relevance, and up-to-date information of the data.

  • TRANSPARENCY: Clear, precise, and easily accessible information about processing and the processing agents.

  • SECURITY: Technical and administrative measures capable of protecting personal data.

  • PREVENTION: Adoption of measures to prevent the occurrence of harm.

  • NON-DISCRIMINATION: Inability to process for illicit or abusive discriminatory purposes.

  • ACCOUNTABILITY: Demonstration of the adoption of effective measures to comply with the regulations.


6. LEGAL BASES FOR PERSONAL DATA PROCESSING

All processing operations will have a legal basis that legitimizes their execution. Synvia may carry out the processing of personal data:

  1. By providing consent from the subject;

  2. For compliance with legal or regulatory obligation;

  3. For conducting studies by a research agency;

  4. When necessary for the execution of a contract or preliminary procedures;

  5. For the regular exercise of rights in judicial, administrative, or arbitral processes;

  6. For the protection of life or physical integrity of the subject or third party;

  7. For the protection of health (in procedures performed by health professionals/health authority);

  8. When necessary to meet the legitimate interests of Synvia or third parties;

  9. For the protection of credit.

Synvia will maintain records of its processing operations, which may be consulted by the data subject and competent public authorities.


7. LEGAL BASES FOR PROCESSING SENSITIVE DATA

Synvia is committed to safeguarding and taking special care in the processing of sensitive personal data and financial data. Data of children and adolescents will be treated with the same level of care.

The processing of sensitive data may only be carried out:

  • With consent: When the subject or legal representative consents, specifically and prominently.

  • Without consent: In cases where it is indispensable for:

    • Compliance with legal or regulatory obligation;

    • Conducting studies (ensuring anonymization whenever possible);

    • Regular exercise of rights (contract, judicial, administrative, arbitral processes);

    • Protection of life or physical integrity;

    • Health protection;

    • Guaranteeing the prevention of fraud and security of the subject (identification and authentication in systems).


8. RIGHTS OF PERSONAL DATA SUBJECTS

Synvia reaffirms its commitment to respecting the rights of data subjects:

  • RIGHT TO CONFIRMATION: Confirm the existence of processing of their data.

  • RIGHT OF ACCESS: Request and receive a copy of the collected data.

  • RIGHT TO CORRECTION: Request correction of incomplete, inaccurate, or outdated data.

  • RIGHT TO DELETION: Request the deletion of data (unless there is a legitimate reason for maintenance).

  • RIGHT TO SUSPEND ILLEGAL PROCESSING: Request anonymization, blocking, or deletion of unnecessary or excessive data.

  • RIGHT TO OBJECT: Object to processing not based on consent (analyzed according to LGPD criteria).

  • RIGHT TO PORTABILITY: Request availability of the data to another supplier.

  • RIGHT TO WITHDRAW CONSENT: Withdraw previously given consent (without affecting the legality of prior processing).


9. DUTIES FOR APPROPRIATE USE OF PERSONAL DATA

Duties of Data Subjects

  • Notify Synvia of any modifications to their personal data (e.g., change of address).

  • Notify via email: protecaodedados@synvia.com.

Duties of Synvia Employees

  • Data sharing between companies of the Synvia Group is only permitted if the purpose, legal basis, and principle of necessity are respected.

  • Do not provide access to data for unauthorized persons.

  • Obtain the necessary authorization and documents that demonstrate the competence for processing.

  • Comply with information security standards.

Duties of All Recipients

Contact the Synvia DPO in case of suspicion or occurrence of:

  1. Operation without legal basis;

  2. Processing without authorization;

  3. Non-compliance with the Information Security Policy;

  4. Unauthorized deletion/destruction of data;

  5. Any other violation of this Policy.


10. RELATIONSHIP WITH THIRD PARTIES

Considering the joint liability provided for in the LGPD, Synvia will make the best efforts to ensure that third parties comply with applicable legislation.

All contracts with third parties must contain clauses related to the protection of personal data, being reviewed and submitted for approval by the appointed person and technical team.


11. INFORMATION SECURITY

The security standards are contained in the Information Security Policy of Synvia. The organization is committed to employing appropriate technical and organizational measures to protect data against unauthorized access, loss, destruction, and improper sharing.


12. INTERNATIONAL TRANSFER OF DATA

Synvia may transfer data to other countries under the following conditions:

Without consent (when authorized to process data on another legal basis):

  • Country with an adequate level of protection (by the ANPD or adequacy decision of the European Commission/GDPR); or

  • Provision of safeguards (Codes of Conduct, Standard Contractual Clauses, Seals/Certificates).

With consent:

  • Obtaining explicit and prominent consent for the international transfer.

Synvia will inform the data subjects about the occurrence of international transfers, designating the set of data, the purpose, and the destination.


13. MONITORING AND UPDATING

Synvia is committed to revisiting this Policy periodically. All changes made will be communicated promptly through the Organization's official channels.

Operational Procedure List

Standard Operating Procedures (SOPs)