Privacy and Data Security Policy

Privacy and data security policy [EN]

 

PRIVACY AND DATA SECURITY POLICY

 

GENERAL DATA PROTECTION LAW – 13.709/18

TREMDOCORVOCADO.com.br DPO | DATA PROTECTION OFFICER Dr. Eduardo Oliveira Drª Susana Guimarães

 

TABLE OF CONTENTS

 

GENERAL INFORMATION GLOSSARY, PERSONAL DATA, COLLECTION METHODS AND PURPOSES STORAGE OF PERSONAL DATA SHARING OF PERSONAL DATA INFORMATION SECURITY AND DATA PROTECTION RIGHTS AND DUTIES OF DATA SUBJECTS COMMUNICATION CHANNELS AND PERSONAL DATA REMOVAL COOKIES MUTUAL ASSISTANCE AND COOPERATION WITH THE NATIONAL DATA PROTECTION AUTHORITY (ANPD) DATA CONTROLLER, OPERATOR AND DATA PROTECTION OFFICER (DPO) EFFECTIVE DATE GENERAL PROVISIONS GOVERNING LAW AND JURISDICTION

This Table of Contents aims to guide the reader through the Privacy Policy, allowing you to easily find the information you are looking for.

This Privacy Policy serves to demonstrate credibility, trust, and transparency between the company and the user (data subject), detailing the purpose, necessity, and manner in which we process personal data, ensuring all users access to information and other rights, in accordance with the General Data Protection Law – LGPD.

 

1. GENERAL INFORMATION

 

Welcome to Trem do Corcovado!

Imagine a journey that takes you to the heart of Rio de Janeiro, to the famous Christ the Redeemer, a symbol that enchants the world. Just like this unforgettable journey, our mission is to offer a safe and reliable experience for all our visitors. To achieve this, we value your privacy and carefully handle your personal data, ensuring that your connection with us is as wonderful as the view from up there.

As part of our daily operations, we need to collect personal data from our visitors, whether in digital/online format (website) or physical format (Trem do Corcovado premises). To provide our services responsibly, we prioritize the protection of your information to deliver the best possible experience.

Our Privacy Policy complies with the terms of the LGPD - General Personal Data Protection Law (Law No. 13.709/18).

For us, privacy, security, and transparency are fundamental values, and we will always adopt the best practices to ensure the confidentiality and integrity of your personal data.

Your information will not be sold, exchanged, or transferred to any other company without your consent, except to deliver the requested product or service or in compliance with a legal obligation.

Please read this Privacy Policy carefully to understand how and for what purpose your Personal Data may be collected and processed by Trem do Corcovado.

Our Privacy Policy is published and updated continuously and whenever necessary, for faithful compliance with the General Data Protection Law. For this reason, we invite you to consult it periodically on our website: www.tremdocorcovado.rio

By providing your personal data to Trem do Corcovado, you accept the terms and conditions of this Privacy Policy.

Any questions about the applicable legislation and about processes involving the processing of Personal Data by Trem do Corcovado, including Sensitive Personal Data, should be directed to the "Data Protection Officer" (DPO), through the contact: Email: privacidade.lgpd@agenciadeinteligencia.org Privacy Channel: lgpd-privacidade.com.br/

 

2. GLOSSARY, PERSONAL DATA, COLLECTION METHODS, AND PURPOSES

 

Whenever "we" or "our" are mentioned, we are referring to Trem do Corcovado, and whenever "user," "your," or "data subject" are mentioned, we are referring to you, who are consenting to the terms of this Privacy Policy and the Terms of Use to use and access the Site.

 

2.1. PERSONAL DATA

 

"Personal Data" are information about an identified or identifiable natural person. Examples of Personal Data include: full name, profession, marital status, identification document, driver's license, address, email, phone number, education, IP, and even cookies, among others.

"Sensitive Personal Data" are information about an identified or identifiable natural person that deserves special treatment, given that, either by its nature or its characteristics, its violation can entail significant risks concerning the fundamental rights and freedoms of the person. Examples of Sensitive Personal Data include: data on racial origin, religious conviction, political opinion, health data, biometric data, among others.

"Data Processing" means any operation performed with Personal Data, such as those referring to collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination, or extraction.

"Data Subject" is You (User), the natural person to whom the Personal Data undergoing Processing refers.

"Anonymized Data": refers to data that was originally related to a person but underwent steps (use of technical means) that ensured its unlinkability to that person; in other words, data that is unable to reveal a person's identity.

"Processing Agents": Data Controller and Data Operator;

"Data Controller": a legal entity that determines the purposes and means of processing personal data;

"Data Operator": a legal entity that processes personal data on behalf of the Controller.

"Data Protection Officer (DPO)": a person appointed by the controller and operator to act as a communication channel between the controller, the Data Subjects, and the National Data Protection Authority (ANPD).

"Consent": a free, informed, and unequivocal manifestation by which the Data Subject agrees to the processing of their personal data for a specific purpose;

"Applicable legislation": consists of all Brazilian legislation, including laws, regulations, orders, decrees, or other guidelines with the force of law, that provide for the processing of personal data.

 

2.2. MINOR'S DATA

 

We understand the importance of protecting the personal data of minors, and therefore, our online services are not formulated or intended for individuals under 18 years of age. If you are a minor, we ask that you do not use our platforms or provide any personal information.

Personal data related to minors is classified as a special data category, requiring differentiated treatment concerning privacy.

Data of children and adolescents under 18 (eighteen) years of age must be provided directly by their respective legal guardians/representatives.

Legal representatives will also be fully responsible in case of access to Trem do Corcovado's websites and platforms by children and adolescents, without prior authorization. They bear full responsibility for supervising the activities and conduct of their respective minors under their guardianship, as well as being aware of the entirety of these Terms.

The user declares that they are legally capable. In the event of access by a user under 18 (eighteen) years of age, with or without the authorization of the legal guardian, the legal guardian will be responsible for all acts performed by the minor, as provided by law.

If a parent or legal guardian becomes aware that their minor child has provided us with information without their consent, the parent or legal guardian should contact us: Email: privacidade.lgpd@agenciadeinteligencia.org Privacy Channel: lgpd-privacidade.com.br/

 

2.3. METHODS OF COLLECTING PERSONAL DATA AND INFORMATION (ABOUT YOU)

 

Personal data is collected through different means, depending on the service offered by us that will be used.

Our methods for collecting personal data are through digital and physical (paper) processes, observing the provisions of Articles 6 and 7 of Law 13.709/18 (LGPD). All technologies used by our organization will comply with current legislation and the terms of this Privacy Policy.

 

2.4. WHICH PERSONAL DATA AND INFORMATION WE USE (ABOUT YOU)

 

Trem do Corcovado respects the principles of transparency and data minimization, meaning that the personal data collected by Trem do Corcovado is the minimum necessary for the investment in its products and the execution of services, according to each purpose, previously informed to the data subjects.

As a Controller, we process your data when you directly provide us with personal data, such as when you register on our website or digital platforms or in any other direct relationship with Trem do Corcovado.

For some data processing activities, the participation of Operator(s) is necessary, who assist us in managing your personal information. This practice is applied, for example, in procedures related to areas such as accounting, logistics, or marketing (Art. 39 of the LGPD).

It is important to emphasize that we adopt all measures to ensure the security of your data during these transactions.

Our personal data processing activities observe good faith, purpose, adequacy, necessity, free access, data quality, security, prevention, non-discrimination, and, most importantly, transparency (Art. 6 of the LGPD).

The processing of personal data by Trem do Corcovado is done only for a specific purpose and is based on the legal bases provided for in the legislation: data subject's consent, contract execution, regular exercise of rights in judicial proceedings, legitimate interest, credit protection, and fulfillment of a legal obligation (Art. 7 of the LGPD).

The legal basis for our personal data processing will depend on the reason (purpose) for which we process your personal data.

Some personal data that we process (including, but not limited to) for the following purposes:

Personal data voluntarily entered or submitted by you/the user, for example: For the sale of Trem do Corcovado tickets, as well as for the cancellation and/or rescheduling of tickets. In these cases, some personal data will be collected, such as: name, email, country, state, CPF, passport number or RNE, phone number, credit card details, or Pix.

Personal data submitted automatically (online) and without any action required from the USERS, such as through Cookies; geolocation, mobile device data, IP address, log data.

Personal data via Direct Contacts: personal data collected directly by certain areas of our company (prospecting, SAC, "work with us," Chat), via website, in person, via WhatsApp, or Social Networks. Utility: to answer calls related to our services, to handle manifestations, complaints, suggestions, technical support, calls related to your Personal Data rights and protection (Communication Channel - Call Center).

Personal data obtained from financial transactions carried out through the acquisition of our services ("Transaction Data"). Transaction Data may include your CPF, financial data, banking data, and credit card number, PIX, among others, and are processed for the provision of products and/or services, and fulfillment of tax obligations.

Marketing Data: personal data collected through forms available on our website, social networks, messages via digital platforms, reminders, thank you notes, marketing campaigns; advertising information (newsletter); contacting potential partners, among others. You may choose not to give your consent, or object (at any time), to the processing of your personal data for direct marketing purposes.

Collect sensitive personal data (accessibility): about your health needs, to ensure your accessibility rights, if you have any disability or reduced mobility.

We may use your personal data to customize your experience with us. This may include displaying content based on your preferences. We may use your personal data to conduct market research and analysis to improve our website and our products. This may include: customizing these channels according to your preferences and interests, making them more compatible with your technology or facilitating their use; maintaining their security and protection; and developing new Trem do Corcovado websites, applications, products, and services.

We may use personal data about you with third parties. For example, if you use a social media feature or make a post on a social media platform, the social media site may provide us with some data about you. We may also obtain your data from partner companies to provide promotions or companies that provide marketing lists that include your personal data, for which your explicit consent was provided for this use, among other business partners.

We may receive your personal data when you directly provide it to a third party for the purpose of purchasing the services we offer. For example: when a friend or relative buys your ticket and provides your personal data. In this process, third parties use their own means to collect data that concerns you and allow Trem do Corcovado to also access this data so that the request can be completed. Third parties who collect data have the legal obligation to obtain the respective consents and authorizations (the "Consents") that you freely and unequivocally wish to give for the processing of your Personal Data. Trem do Corcovado disclaims any responsibility arising from the eventual inadequacy of these Consents.

We may request additional personal data to verify your identity, aiming to prevent incidents and fraud and ensure the privacy of our visitors.

For the defense and administration of the interests of Trem do Corcovado, its partners, and business partners, including compliance with legal determinations, government agency regulations, tax authorities, the Judiciary, and other competent authorities.

For the fulfillment of legal obligations applicable to the tourism, environmental, intellectual property sectors, among others. This action may involve: compliance with obligations to retain certain records for minimum periods; establishment, exercise, or acting in legal proceedings, judicial or administrative processes; compliance with legislation, regulations, court orders, or other legal procedures; detection, prevention, and response to fraud, revealed by contracts or agreements, misuse of the company's websites, applications, products, or services; and the protection of the rights or property of Trem do Corcovado, as well as the safety, health, well-being, rights, or property of the data subject or third parties.

We use personal data for security purposes, to protect Trem do Corcovado, our customers, or our websites. This includes detecting or preventing illegal behavior.

For records and/or reports in our Communication Channel (Complaint – conduct and ethics).

For more information about the purpose and legal basis used to process your personal data, please contact our Data Protection Officers (DPO), through the channels informed in this Privacy Policy, in item 7 (Communication Channels).

 

2.6. THIRD-PARTY WEBSITES AND APPLICATIONS

 

This Privacy Policy does not apply to third-party applications, products, services, websites, or social media features that may be accessed through links we provide for your convenience and information (“Third-Party Applications”).

Trem do Corcovado does not control, manage, endorse, or give any guarantees regarding Third-Party Applications or their privacy practices, which may differ from ours.

Therefore, it is recommended that you consult the respective Privacy Policies of the websites, application providers, and third-party companies, to be properly informed about the use of your personal information and, if you do not agree, you can verify the existence of resources provided by the provider to control your privacy.

 

3. STORAGE OF PERSONAL DATA

 

Trem do Corcovado declares that your Personal Data will be stored in a safe and controlled environment.

We only store your personal information as long as we need it to use it in accordance with the purpose for which it was collected and in accordance with the legal basis for its processing.

We will keep your personal data for as long as necessary to complete transactions with you, as long as there is a contractual, commercial, or institutional relationship, or as long as you do not exercise your right to suppress, cancel, or limit the processing of your data.

Trem do Corcovado may store your collected Personal Data for the time necessary to fulfill the purposes mentioned in this Policy, as well as for compliance with applicable legislation or regulation or when a different period is stated in the specific Consent obtained.

The nature of the Personal Data provided, as well as the purpose of the Processing, will be considered in determining the form and duration of the Processing of your Personal Data by Trem do Corcovado.

Once your user account on our platforms is deactivated, your data will be deleted from our systems, provided there is no legal basis to store it, as defined by law, to comply with legal or regulatory obligations, as well as to exercise or safeguard rights or prevent fraud.

 

4. SHARING OF PERSONAL DATA

 

Trem do Corcovado may share personal data lawfully and transparently.

The sharing of personal data is an operation that must comply with the rules of Conformity with current Law.

Note that all operators acting on our behalf only process your data in accordance with our instructions and fully comply with this Privacy Notice, as well as data protection legislation and any other appropriate confidentiality and security measures.

 

4.1. SHARING WITH THIRD PARTIES

 

It is possible that, in some situations, Trem do Corcovado may need to share your personal data with third parties.

But rest assured, the sharing of personal data with third parties will only occur to achieve a legitimate and specific purpose. Under no circumstances do we sell or commercialize the personal data and information you provide to us.

Some personal data may be shared with partner companies, suppliers, and service providers to carry out our daily business operations and to allow us to maintain an adequate relationship with you.

It is important for you to know that we select our partners with the same level of compliance with the General Data Protection Law that Trem do Corcovado possesses, so that they can ensure an adequate level of protection for your personal data.

Furthermore, these shares are protected by the contracts we have with such partners.

Observing the criteria defined in this Policy, there are cases where we are obliged, by law or regulation, to share your personal data with third parties, such as:

  • For compliance with a judicial order or decision of any other competent authority, according to applicable legislation.

  • Regarding financial transactions. We share transaction data with our service providers only to the extent necessary for the purposes of processing your payments, refunding amounts, and dealing with cancellations, complaints, and inquiries related to these issues.

  • By the legitimate interest of the Controller (provided this does not represent any risk to your rights and freedoms).

  • We may share personal data if a Government Agency or Investigation Body requests it. We may also share personal data when we are investigating potential fraud.

  • We may share personal data with credit protection entities, preventing fraud situations and by judicial order and/or legal or regulatory determination, and in these cases, user consent will not be required for this.

 

5. INFORMATION SECURITY AND DATA PROTECTION

 

Information security and data protection are two essential concepts in today's digital world. Both are related to preserving the confidentiality, integrity, and availability of information, ensuring that it is protected against unauthorized access, misuse, violation, or destruction.

 

5.1 INFORMATION SECURITY

 

Information Security is a broad field that involves implementing controls (from network infrastructure to applications and systems used by organizations), aiming to protect information against threats, whether intentional (such as hackers, cyberattacks, malware) or accidental (such as hardware failures, human errors).

Trem do Corcovado implements security controls at various levels, such as access controls (strong authentication, authorization, and management to control who can access information, encryption) all in compliance with ISO 27.001 and 27.002, appropriate to ensure the security of your Personal Data.

 

5.2. DATA PROTECTION

 

Data protection is an essential part of information security and focuses specifically on protecting personal data.

Trem do Corcovado ensures that your personal data is treated appropriately, respecting the privacy and rights of individuals.

Trem do Corcovado adopts protection procedures in the physical, technical, and organizational fields, establishing guidelines on how personal data should be collected, processed, and stored. It also pays attention to good practices and compliance with specific laws and regulations, such as the General Data Protection Law (LGPD) in Brazil and the General Data Protection Regulation (GDPR) in the European Union.

 

6. RIGHTS AND DUTIES OF DATA SUBJECTS

 

You (the data subject) have the right to easy access to information about the processing of your data, which is provided clearly, adequately, and overtly by our company (Art. 9 of Law 13.709/18-LGPD).

We respect your privacy and are committed to providing the necessary channels so that you can exercise your rights and have adequate and transparent information about the use and processing of your Personal Data.

 

6.1 SOME OF THE RIGHTS GRANTED TO YOU (DATA SUBJECT) ACCORDING TO ART. 18 OF THE LGPD:

 

a) Right of access: Consists of the right to request access to your personal data that we collect and process; b) Right to correction/rectification: This is the right to ask us to change or update your personal data whenever it is incorrect or incomplete; c) Right to erasure: Right to request the deletion of your information from our databases, except in the cases mentioned in item 3 of this Policy and in the cases provided for in article 16 of the LGPD; d) Right to restrict processing: The right to request that the processing of all or some of your personal data be temporarily or permanently ceased, except in the cases mentioned in item 3 of this Policy and in the cases provided for in article 16 of the LGPD; e) Right to object: (a) The right, at any time, to object to the processing of your personal data for reasons related to your particular situation; (b) The right to object to your personal data being processed for direct marketing purposes; f) Right to data portability: Consists of the right to request a copy of your personal data in electronic format and the right to transmit this personal data for use in third-party services; g) Right to withdraw consent: Consists of the right to withdraw (cancel) your consent to the processing of your personal data;

These rights shall be exercised by an express request from the data subject or their legal representative.

 

6.2. SOME OF THE DUTIES OF THE DATA SUBJECT (YOU):

 

a) From the moment you accept the terms of this Privacy Policy, you expressly agree to provide only true, updated, and correct personal data and not to alter your identity or personal data in any way when accessing and using our services or systems. You are solely responsible for any false, outdated, or inaccurate information you provide to Trem do Corcovado; b) You have the responsibility to protect the confidentiality of logins and passwords for accessing the services we offer, not sharing them with third parties, to prevent unauthorized use; c) It is the user's responsibility to keep their device environment (computer, cell phone, tablet, among others) secure, using available tools to ensure security. d) You should be aware that contracts signed with Trem do Corcovado contain General Data Protection Law (LGPD) clauses regarding the processing of personal data, and it is important to read them beforehand. e) Given the inherent characteristics of the internet environment, the application is not responsible for interruptions or suspensions of connection, incomplete or failed computer transmissions, or technical failures of any kind, including, but not limited to, the electronic malfunction of any network, hardware, or software. f) Trem do Corcovado will not be held responsible for direct or indirect damages resulting from, or related to, access, use, or inability to access or use the application.

 

7. COMMUNICATION CHANNELS AND PERSONAL DATA REMOVAL

 

 

7.1. INFORMATION AND QUESTIONS

 

We provide free and easy communication channels to the personal data subject.

To obtain information about your rights, portability, storage period, rectification, deletion of your personal data, and other information, through the channels created exclusively for these purposes: Email: privacidade.lgpd@agenciadeinteligencia.org Privacy Channel: lgpd-privacidade.com.br/

All questions or requests will be directed to our Data Protection Officers (DPO), Dr. Eduardo Oliveira and/or Drª Susana Guimarães.

We will take the necessary measures and/or respond within 15 days (in compliance with the guidelines and deadlines defined in the LGPD).

 

7.2 REMOVAL OF PERSONAL DATA

 

You (data subject/user) have the right to request the deletion of your personal data through our communication channels described above (item 7.1).

However, regardless of your consent or request for deletion, the General Data Protection Law allows personal data to be retained in the following situations:

a) Compliance with a legal or regulatory obligation; b) Transfer to a third party, respecting your rights and the provisions of data protection and privacy laws; c) For exclusive use, with third-party access prohibited, and provided the data is anonymized. d) In cases where there is any issue related to You (the data subject), such as an outstanding payment, a complaint, an unresolved dispute, or other pending issues, we will retain your personal data until the issue is resolved (the legal basis for processing will be the legitimate interest of the Controller).

Your request will be analyzed; however, if it implies an interruption in the provision of services, your relationship with Trem do Corcovado will be terminated, but the obligations arising from the service provision will remain valid, and in this case, your information and Personal Data will continue to be processed by us and/or authorized third parties until the need or purposes provided in this Privacy Policy cease.

Once the purpose of processing your Personal Data has been fulfilled, your personal data will be deleted.

 

8. COOKIES

 

Cookies are small data units stored on the user's computer hard drive through the browser. They allow a Digital Platform to remember information about users' visits, their preferred language, location, and the recurrence of their sessions.

Most internet browsers are set to automatically accept Cookies. The user can change the settings to block the use of Cookies or alert them when a Cookie is being sent to their device.

Therefore, to comply with the transparency requirement, we inform You/Site User how your personal data is processed using cookies or similar tools.

We use Cookies to improve the use and functionality of our website and to better understand how our visitors use the tools and services offered there. Cookies help us adapt our website to your personal needs, make it increasingly easy to use, receive customer satisfaction feedback, and communicate with you from other places on the internet.

The Trem do Corcovado website uses the following cookies:

  • Performance: Performance cookies are used to improve website functionality, collecting data such as visited pages, error messages, and other information relevant to website performance. This type of cookie does not collect personally identifiable information. All information is obtained in an aggregated and anonymous form.

  • Analytical: Analytical cookies are dedicated to recording website usage data so that we can improve it in the future, such as page audience index data and traffic sources.

  • Necessary: Necessary cookies are essential for the regular functioning and other functionalities of the website.

  • Uncategorized: These are cookies that do not belong to any specific classification but help the website function.

You can, at any time and free of charge, change permissions, block, or refuse Cookies.

You can also configure them on a case-by-case basis. However, revoking consent for certain Cookies may prevent some platform features from functioning correctly.

To manage your browser's cookies, simply do so directly in your browser settings, in the Cookie management area.

 

9. MUTUAL ASSISTANCE AND COOPERATION WITH THE NATIONAL DATA PROTECTION AUTHORITY (ANPD)

 

We, at Trem do Corcovado, will cooperate with the ANPD on topics related to the privacy of Personal Data under our Processing (within the limits of the LGPD).

In this regard, we will adopt, among others, the following measures:

  • Regularly and effectively revisiting internal procedures in accordance with the guidelines established by the ANPD;

  • Providing contact information for the Data Protection Officer (DPO);

  • Responding to requests for information or complaints;

  • Applying established recommendations or guidelines;

  • Observing the ANPD's decisions, but never waiving our right to due process.

If the ANPD requests information or issues any order, any employee who receives the information/order must immediately inform the Data Protection Officer (DPO). The DPO must prepare the response to the Authority, Data Operators, service providers eventually involved, administrators, responsible parties, and/or, if necessary, the Privacy and Data Protection Committee.

The Data Protection Officer (DPO) will be the direct and primary contact between us and the ANPD, assuming all responsibilities related to their work in Controller Compliance.

 

10. DATA CONTROLLER, OPERATOR, AND DATA PROTECTION OFFICER (DPO)

 

 

10.1. Trem do Corcovado will act as the CONTROLLER of your Personal Data, meaning we are responsible for decisions regarding Personal Data Processing.

 

According to the LGPD – Law 13.709/18, we (Controller) do not have a conflict of interest with the DATA PROTECTION OFFICER (DPO), adhering to the good observance of Art. 41 of Law 13.709/18, they are:

  • Do not receive instructions on how to exercise their activities;

  • Are not dismissed or penalized for performing their duties;

  • Report to the organization's senior management/leadership;

  • Do not perform other activities that could cause a conflict of interest.

  • Have independence to exercise their obligations;

 

10.2. According to Art. 48 of Law 13.709/18, We (Controller) will communicate to the National Authority and the data subject the occurrence of a security incident that may cause significant risk or damage to the data subjects, through the function of the DATA PROTECTION OFFICER (DPO), as defined in Art. 41 of the LGPD.

 

 

11. EFFECTIVE DATE

 

This Privacy Policy may be updated at any time, as needed and in accordance with the maturity of our company.

 

12. GENERAL PROVISIONS

 

 

12.1. This Privacy Policy may be changed at any time, according to the purpose or need, for adaptation and compliance with legal provisions or norms of equivalent legal force. For this reason, we invite you (Data Subject) to consult it periodically.

 

 

12.2. In case of any doubt regarding the provisions contained in this Privacy Policy, the Data Subject may contact us through the communication channels already described in item 7.

 

 

13. GOVERNING LAW AND JURISDICTION

 

This Privacy Policy will be governed, interpreted, and executed in accordance with the Laws of the Federative Republic of Brazil, especially Law No. 13.709/2018 (LGPD), and the jurisdiction of Rio de Janeiro/RJ is competent to resolve any doubt arising from this document.

To proceed you need to know and agree with our privacy policy.