Privacy Policy | IRIS – Institute for Reference on Internet and Society
This Privacy Policy aims to provide the general public with detailed information on the activities of processing personal data carried out by
Instituto de Referência em Internet e Sociedade (IRIS – Institute for Reference on Internet and Society), CNPJ (Tax ID) No. 23.333.533/0001-90, with an address at Avenida do Contorno, 2905, office 405, Santa Efigênia, Belo Horizonte – MG, Brazil, CEP 30.110-915 (hereinafter addressed as “IRIS”, “We” or “Institute”)
in the activities related to our institutional website and other pages through which additional services to the functioning of the website are made available.
This is version 2.0 of our Privacy Policy, last updated on November 3, 2021, as an update to the previous version, dated July 23, 2020, and effective until the publication date of any subsequent version. IRIS undertakes to communicate publicly and directly to all users if there are any subsequent changes to this document, as well as to make the previous versions available and inform the date they were changed. Although this is version 2.0 of this Privacy Policy, version 1.0 was originally available only in Portuguese.
If you do not agree with this Policy, we kindly ask you to refrain from using our website, as well as the functionalities included therein.
- What personal data do we handle?
Personal data refers to any information that can be used to identify a person. Some usual examples of personal data are common identifying information, such as name, ID number, photographs, address, among others. Furthermore, information that is less obvious, but which also allows for the identification of a person, is also personal data. Some examples of this are internet usage data and digital records that allow the identification of individuals, such as IP addresses, information regarding the configuration of the equipment used to access the network, etc.
It should be noted that personal data only concern natural persons – that is, individuals. In this sense, this policy does not encompass the processing of data relating to legal persons, such as companies, organizations, institutions, associations, etc., whether of public or private legal nature.
The processing of your personal data on our website varies according to your utilization. We respect your privacy and are committed to using your data as little as possible and only for the purposes presented here, following local and international personal data protection regulations applicable to the Institute’s activities. More specifically, our personal data processing practices are aligned with the requirements of both the Brazilian General Personal Data Protection Act (LGPD – Law No. 13.709/2018) and the European Union’s General Data Protection Regulation (GDPR – EU Regulation 2016/679). Below, we provide a brief table that illustrates the data processing activities involved in the IRIS website:
| Activity | Goal | Collected data | Legal base |
| Newsletter | Sending of periodic emails containing contents related to the projects carried out at the Institute | Consent | |
| Events | Registration for events, for booking and certification purposes | Name, E-mail | Consent |
You have the right to ask us to stop the processing of your personal data at any time, as well as to request detailed information on how we process this data. First, the deletion of personal data relating to our newsletter can be done in a simplified way through the unsubscribe link present in institutional emails sent to subscribers.
For further information and requirements, we ask that users send a request to our data protection officer – Victor Barbieri Rodrigues Vieira – through the e-mail address victor@irisbh.com.br, specifying their names and the purpose of the contact. Alternatively, it is possible to fulfill these requirements through all of our communication channels on social networks, or by calling +55 31 984047961.
Please be advised, however, that it may be necessary to provide some personal data in order for us to comply with these requirements. The purpose of this is to verify if, in fact, the data of the requesting person matches those of the user about which the request for information or data deletion is concerned. We do this to prevent third parties from gaining access to the personal data of users of our website.
- Data processing in our papers
To perform some of the research for the papers available on the website, we carry out qualitative and quantitative analysis based on court decisions, transparency reports from companies and entities relevant to the context of the studies we perform, as well as interviews and questionnaires carried out with the participation of people and third parties, among other documents. Several of these documents involve personal data or are formulated based on anonymized data of the users of the services responsible for the reports.
The use of this data by IRIS is solely and exclusively for the purpose of conducting our scientific studies. This processing activity is exempt from the application of the Brazilian General Data Protection Law by art. 4, II, b, of this same law, applying the hypotheses of arts. 7 and 11, also from the LGPD (which deals with the legality of the processing of personal data for studies by research bodies, ensuring, whenever possible, the personal data anonymization).
Despite this, IRIS performs all its scientific activities in accordance with the provisions of the General Regulation on Data Protection of the European Union (GDPR). This means that the processing of personal data by the Institute during these activities will be based on any of the legal hypotheses for processing that exist in this regulation – usually, the consent of the data subjects to participate in interviews or the Institute’s legitimate interest in using publicly available information.
In any event, in compliance with the legal requirements of the GDPR and the best international practices in information security, all personal data processed in the performance of the Institute’s research activities will be subject to the appropriate safeguards to guarantee privacy, and the rights of the involved data subjects. Techniques such as anonymization of disclosed data and storage of information in computing environments protected by strong cryptography are some examples of the techniques adopted by IRIS to guarantee these rights.
- Use of cookies on our website
When a user visits our website, cookies are placed on their internet browser. These cookies are used as little as possible, collecting and storing the user’s personal data to enable the various functions provided by the website.
More specifically, cookies collect information about the user’s equipment, as well as information about how one uses the website, to make the visibility of the visual aspects of our page adequate (specific layout depending on the device, such as a smartphone or a computer, and the characteristics of each device such as resolution and screen size). We also use cookies to collect anonymized information about the website’s performance (analytics), as well as the users’ language preferences.
Third-party cookies used on the website are provided by companies whose services are contracted by IRIS, and they process data only in the manner and for the contracted purposes. Below, we provide a table listing the companies that supply third-party cookies used on the site:
| Supplier | Goal |
| Google Analytics
|
Collection of anonymous data relating to the performance of the pages on the website |
| Enables features related to the playback of videos on the website | |
| OneTrust | Enables features related to the website’s cookie settings, such as the cookie banner, the settings menu and the preferences of the user regarding active and inactive cookies in a session |
The user is free to object to the use of cookies on our websites through our cookie settings menu. However, it is worth pointing out that some of them are essential for the proper functioning of the page. User’s non-consent to the use of strictly necessary cookies, therefore, may render the website unusable, or impair some of its functionality. Because of this, we do not provide the option to turn them off directly in the website’s cookie settings panel. The user, however, is free to use third-party tools to stop the use of strictly necessary cookies that we use, being, however, aware that their experience will be impacted.
- Sharing with third parties and international transfer
The processing of personal data relating to the Newsletter and events is carried out entirely by our internal communication team. In addition, we do not share data with third parties directly.
IRIS, however, uses the tools provided by WordPress and Google’s G Suite to manage the pages online: from the metrics made possible by the use of cookies to the information in the Newsletter and booking for our events. Thus, this information is stored on servers of these companies located outside of Brazil, which constitutes the only case of international data transfers carried out by IRIS.
Finally, in very rare exceptions and if necessary because of legal determinations or judicial orders, IRIS can share users’ personal data with State entities. In a situation like this, unless there is a court order to keep this data sharing a secret (for criminal investigation purposes, for example), users affected by the order will be informed about the sharing of their personal data as quickly as possible.
- Data retention period
We process users’ data only for how long it is necessary for the purposes of each of the processing activities we carry out.
In the case of data processing for events carried out by IRIS, therefore, this processing lasts for 5 (five) years after the events are carried out, for evidential purposes in the case of a lawsuit filed by the data subject. After this period, all collected data will be permanently deleted from our servers. Newsletter data processing is carried out continuously for as long as the subject’s consent lasts.
The users have the right to withdraw their consent to the data processing activities carried out by the Institute. For this, just get in touch with us through the e-mail address victor@irisbh.com.br, or through the number +55 31 984047961, or through any of our communication channels on social networks. We emphasize that proof of user identity may be required for us to comply with the requirements in question, in order to protect the rights of our users as a whole.
- Privacy Policy Updates
Considering the various changes and improvements that we always seek to bring to our online platform, IRIS may, at any time, update this Privacy Policy, in order to adapt it to the reality of the digital environment we provide.
These updates may include changes in the data processing activities carried out by the Institute, additions to the services we provide to users, changes in the providers of website maintenance services, adjustments, and miscellaneous provisions aimed at better protecting the rights of the personal data subjects that use our digital services. Aiming to meet the expectations of the personal data subjects and respecting the values we protect as an institute that researches privacy, data protection, and digital rights, we always seek to keep this document up to date. We will provide maximum transparency regarding the processing of users’ data, including sending e-mails to notify Newsletter subscribers and participants of future events when there is any change in this Policy.