top of page

Version: 3.0   Date: 10/11/2021   Author: LGPD Committee 




Information is a valuable asset for MD2 CONSULTORIA and is essential for us to be able to fulfill our mission of providing excellent service. We prioritize the privacy and security of the information of our employees, customers and business partners.

This Data Protection and Privacy Policy complies with the laws in force, ABNT NBR ISO/IEC 27701:2019  and complements the Information Security Policy.


Our objective is to establish guidelines and principles that ensure data protection and privacy, allowing MD2 CONSULTORIA employees, customers and business partners to adopt safe and adequate standards of behavior in relation to the protection of personal data and other internal and confidential data of the organization. 

Guide in relation to the adoption of controls and processes to meet information security requirements and legislation regarding the protection of personal data such as law 13709/2018 (LGPD).

Safeguard the information of MD2 CONSULTORIA, ensuring basic requirements of confidentiality, integrity and availability.

Prevent incidents with security and data processing such as inappropriate use of databases, processing of data without hypotheses provided for by law, data leakage and legal liability of the company, our partners and employees.

Minimize the risk of assessment by the regulatory agency (ANPD), lawsuits, loss of market confidence, institutional exposure of the company due to non-compliance and other negative impacts that the lack of security and adequate processes in the legislation may cause.

Guarantee the rights of holders provided for in Article 18 of Law 13709/2018.




Information relating to an identified or identifiable natural person.


Personal data on racial or ethnic origin, religious conviction, political opinion, membership of a trade union or organization of a religious, philosophical or political nature, data relating to health or sex life, genetic or biometric data, when linked to a natural person.


Natural person to whom the personal data that are the object of some treatment refer.


Any operation carried out with personal data, such as those referring to collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer , diffusion or extraction.


  Natural or legal person, of public or private law, who are responsible for decisions regarding the processing of personal data;


Natural or legal person, governed by public or private law, who processes personal data on behalf of the controller.


Person appointed by the controller and operator to act as a communication channel between the controller, data subjects and the National Data Protection Authority (ANPD).


Any operation carried out with personal data, such as those referring to collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer , diffusion or extraction;



This policy applies to all users of information handled by MD2 CONSULTORIA, including any individual or organization that has or has had a relationship with the company, such as: employees, former employees, suppliers, service providers, business partners, who have owned or have or will have access to MD2 CONSULTORIA's information and make use of, or have made use of, computer resources and access to the company's data services and/or databases. 



The objective of information security and protection of personal data treated by MD2 CONSULTORIA is to ensure the effective management of all aspects related to security and governance of data use, providing support to critical business operations and minimizing the risks identified in each department and /or respective business process or data processing and its impacts on the organization.

The Presidency, Executive Board, and the personal data protection committee, or LGPD Committee are committed to an effective management of personal data protection at MD2 Consultoria and adopt appropriate measures to ensure that this policy is properly communicated, understood and followed in all organization levels. Periodic reviews will be carried out in order to keep this policy realistic, applicable without compromising the MD2 Consultoria business, ensuring its primary purpose.

MD2 Consultoria declares as a personal data protection policy:  

  • Develop, implement and fully follow the policies, rules and procedures for the protection of personal data, ensuring the basic requirements of confidentiality, integrity and availability of MD2 Consultoria information, achieved through the adoption of control against threats from internal and external sources.

  • Make policies, rules and procedures for the protection of personal data available to all interested and authorized parties such as: Employees, service providers, partners and where applicable in suppliers and customers.

  •   Ensure education and awareness of the personal data protection practices adopted by MD2 Consultoria to all interested and authorized parties such as: Employees, service providers, partners.

  •   Fully comply with law 13709/2018 and the information security requirements applicable by other relevant legislation and specific contractual clauses with a business partner.

  • Fully deal with incidents of data use and/or information security, ensuring that they are duly recorded, classified, investigated, treated and, when necessary, communicated to interested parties (ANPD/OWNERS/DIRECTORS). 

  • Ensure business continuity by adopting continuous improvement and action plans with information security objectives and legal use of data.

  • Continuously improve the management of information security, data quality, governance of the frameworks of data records based on the legal hypotheses provided for in the LGPD.



Our business processes and their respective data handling are constantly reviewed so that they naturally respect the data privacy aspect (privacy by design). The risks we identify are calculated and their mitigation prioritized with formalized action plans, actions and possible incidents formalized and dealt with, indicators for monitoring aspects related to the protection and use of personal data are established and monitored.


We generate reports and indicative panels for the person in charge and leaders of MD2 CONSULTORIA with the objective of enabling governance and constant improvement in all aspects related to GDPR compliance so that a diligent state is established and maintained.


MD2 CONSULTORIA understands that corporate information is an essential asset for our activities and to safeguard the quality of our services.


We understand that the manipulations of our information are carried out by different means and support, storage and communication, which are vulnerable to external and internal factors that can compromise the security of corporate information.


MD2 CONSULTORIA, through its general management and executive council, promotes, encourages and strongly encourages the maintenance and constant evolution of this internal policy of data protection of the people with whom the organization maintains any type of commercial, administrative or assistance relationship, guaranteeing the treatment of your personal data for the purposes established between the parties in accordance with the law and our moral and ethical principles.



MD2 CONSULTORIA collects the personal data of the holders following the following principles:

  • They are collected only for specified, explicit and legitimate purposes;

  • They are collected in an appropriate, relevant and limited way to the needs of the purpose for which they are processed (data minimization).

  • We provide below the data collected, according to each type of holder:

  • Clients: when signing a contract, we collect contact data to maintain activities and occasionally, if allowed, to offer other services made available by MD2 CONSULTORIA;

  • Collaborators: the data required by labor legislation, and those we need for communications between contractor and contractor;

  • Business partners: data of the company's partners hired according to legal need for the purpose of effecting the service provision contract

  • Candidates in the selection process: the data required (professional and academic experience, education and contact) to carry out the selection process and communication between the contractor and candidates;



The General Data Protection Law (LGPD) provides, in its chapter III - Art.17, that every natural person is guaranteed the ownership of his personal data and guaranteed the fundamental rights of freedom, intimacy and privacy.


No Art. 18, the LGPD provides that the holder of personal data has the right to obtain from the controller, upon request, the list of data processed by him, which must be answered within a reasonable time, in the case of a simple query, or more complex queries that can be answered within 15 days.


MD2 CONSULTORIA's Privacy Policy is intended to guarantee the rights of holders provided for in the LGPD, through the following types of requests:

  1. Simple Query and Data Confirmation

  2. Complete Consultation

  3. Revocation of Consent

  4. Correction/Update/Completion of data

  5. Deletion/Anonymization of unnecessary data

  6. Opposition to data processing

  7. data sharing

  8. data portability

In order to carry out the requests, the holder must provide the following personal data so that we can identify and authenticate the applicant as well as respond to him/her.


In order to carry out requests, the holder must contact the Data Officer, via the e-mail, informing in the “Subject:” field the type of request desired.


Attention: The email sent must contain only 1 type of request for greater agility and organization of demands.


I. Simple Query and Data Confirmation

In this request, the holder of the personal data performs a simple query at MD2 Consultoria, to confirm the existence of data processing and to obtain the registration data considered as a simple query.

II. Complete Consultation

In this request, the holder of the personal data carries out a complete consultation, for the confirmation of all the data processed by MD2 CONSULTORIA.

III. Revocation of Consent

As provided in § 5 of art. 8 of the LGPD, every holder of personal data has the right to request the revocation of consent according to the purpose of data processing. The applicant will receive confirmation of receipt of the request by email.


It is worth mentioning that every request for revocation of consent will undergo a validation of the legal possibility of revocation of it, as it will depend on the purpose of the data processing.

V. Correction/Update/Completion of data

At this stage, the holder of personal data has the right to request adjustments to their data, thus keeping them clear, accurate with quality for carrying out a treatment. The applicant will receive confirmation of receipt of the request by email.

IV. Deletion/Anonymization of unnecessary data

The data subject or legal representative may request the deletion or anonymization of the data, where the data will be effectively deleted from the databases of MD2 Consultoria. The applicant will receive confirmation of receipt of the request by email.


It is worth mentioning that every request for deletion/anonymization will undergo a validation of the legal possibility of deletion or anonymization, as it will depend on the purpose of the data processing.

SAW. Opposition to data processing

The data subject or legal representative has the right to object to the processing of data concerning him. The applicant will receive confirmation of receipt of the request by email.


It is worth mentioning that every request for opposition to the processing of data will undergo a validation of legal possibility, as it will depend on the purpose of the data processing.


VII. data sharing

The data subject or legal representative has the right to request information from private or public entities regarding the sharing of data concerning him.

VII. data portability

The holder of personal data or the legal representative has the right to obtain from the controller the portability of data concerning him/her to another service or product provider, subject to commercial and industrial secrets.


It is worth mentioning that every request for data portability will undergo a validation of legal possibility, as it will depend on the purpose of data processing.

Tratamento de dados pessoais



The LGPD / INFORMATION SECURITY COMMITTEE is created, which is composed of the participation of senior representatives from the information technology, legal, HR, marketing, communication departments, led by the Person in Charge (DPO).


Analyze, review and propose the approval of policies and rules related to the protection of personal data;


Ensure the availability of resources necessary for effective management of the personal data protection program;


Ensure that data governance and security activities comply with this policy;


Promote the dissemination of the Personal Data Protection Policy and disseminate the culture of data protection, legal use, the concept of data privacy from the beginning and by default at MD2 CONSULTORIA.



Conduct the management and operation of data governance, continuous reviews of business processes based on this policy and based on the definitions of the LGPD / INFORMATION SECURITY COMMITTEE;


Support the LGPD/INFORMATION SECURITY COMMITTEE in its deliberations;


Identify, assess and communicate threats and the protection of personal data and implement corrective measures to reduce inherent risks;


Take reasonable action to enforce the terms of this policy;


Manage and report incidents of inappropriate use and security.



Manage the business processes and processing of formalized data and information generated under their responsibilities throughout their life cycle, including the creation, handling and their disposal, within the legal framework of data records in the systems, their use controls until the moment of its exclusion or anonymization in case of end of use purposes or lack of legal framework for treatment;


Identify, classify and label the information generated or under the responsibility of the area, adjusting the classification and labeling when necessary. All relevant business processes that process personal data must be formalized, as well as their respective data processing/purposes and legal hypotheses that support the respective treatments;


Review the business processes/data processing and identification of assets and their classifications periodically or whenever there are changes in systems or relevant databases and/or directives of the LGPD COMMITTEE;


Authorize and review access to information and information systems under its responsibility;


Request the granting or revocation of access to information and systems in accordance with the procedures adopted by MD2 CONSULTORIA.



Read, understand and fully implement the terms of the personal data protection policy as well as the additional published rules and procedures;


Send questions or requests for clarification on the personal data protection policy to the LGPD COMMITTEE when necessary in a documented manner;


Communicate to the LGPD COMMITTEE and generate notification in the incident system of any event that may violate this policy and its published standards;


Sign the term of use of MD2 CONSULTORIA's information systems and knowledge of this policy, formalizing the knowledge and full acceptance of its terms and content and assuming the responsibilities for its compliance;


Respond under the non-observance of this policy its inherent rules and procedures according to the sanctions and punishments provided.

sancoes e punicoes


Violations, even if by omission, or failed attempt of this policy, its published rules and procedures, may result in penalties that include verbal warnings, formal notifications, unpaid suspension, contract cancellation (in the case of business partners or service providers), and dismissal for just cause of the employee of the company.  


Application of sanctions and punishments may be carried out in accordance with the definition of the LGPD COMMITTEE, where the severity of the incident or threat and/or damage caused will be evaluated, in addition to the recurrence and the hypotheses provided for in the contracts and/or in article 482 of the CLT, may the LGPD COMMITTEE, in the disciplinary use assigned to it in conjunction with the HR and/or legal department, apply the appropriate penalty.  

For violations that are related to criminal activities or that may cause damage to MD2 CONSULTORIA or the holders of the information, the violator will be held responsible for the damages and legal measures will be applied.



The Executive Board of MD2 CONSULTORIA declares itself committed to a Governance program that involves the Security and Protection of the Personal Data of its clients and any person or entity about their business, guaranteeing their Confidentiality, Integrity and Availability, in accordance with Brazilian legislation, good practices of data governance.  


We are committed to the fundamentals and principles of use of personal data governed by law 13.709/2018 for the use of data in a way that is consented to by its holder or framework in our right or duty of treatment through the 10 cases provided for by law. We are committed to raising awareness of our entire team of employees, directors and executives and to adequate processes for the legal use of data.  



Reference: Corporate Privacy Policy

MD2 CONSULTORIA is concerned with the privacy of the data of people who entrust us with their personal data for business purposes such as customers, prospective companies, our employees and business partners. 

We have built our personal data protection policy and mechanisms for their protection, as well as a review of business processes to ensure the legal use of data and new processes to meet the rights of data subjects. 

We only process the data necessary for our business routine, we do not approach people in a massive or direct way, we only obtain the minimum data to meet any request from our customers, or the general public and partners about our products and services. The data of our employees is stored and used for the execution of their contract with the company, whether in employee x employer or contracting contractor relationships. 

We elected our supervisor, Mr. Italo de Souza Lucena, e-mail: and telephone: 31 984035688, which is available to the national authority or holders to fulfill their rights under the law.


MD2 CONSULTORIA assumes the role of Controller of personal data and, for this purpose, establishes mechanisms for the protection of this data and the services to provide the holders of the information we treat to exercise their rights to confirm the treatment, access, possibility of updating, portability, among others. .

MD2 CONSULTORIA in the role of Controller treats personal data of customers, potential customers in prospect, employees, service providers and suppliers. To this end, we carry out the appropriate frameworks in the hypotheses provided for in Law, reviewing and formalizing our data processing processes, formalizing each critical step where data is collected, stored, shared, processed and thus, calculating risks and planning mechanisms to mitigate them to avoid this inappropriate and data leakage in the light of technological mechanisms of digital security, policies and procedures and processes reviewed and designed with the aspects of privacy by nature (privacy by design).


Government, partners, customers, employees, individual service providers, business partners, service providers (accounting, R&S), and suppliers.



The basis of our LGPD compliance program is established from this Policy, where we seek to address all procedures on the topic of Information Security and legal use of personal data that transact with the company. For this, we have established some key mechanisms that establish a structured framework for a Privacy and Information Management System (3.2 ABNT NBR ISO/IEC 27701:2019) - SGPI, which considers privacy protection as potentially affected by the processing of personal data.

  This Policy will present the set of processes that establish the mechanisms for Data Security in our custody, considering processes, people, infrastructure and technology for their use, following the principles, fundamentals and legal hypotheses provided for by law and the observation of all articles that govern the LGPD and finally the management mechanisms of continuous improvement that aim to observe this general policy (this document, in this revision and version) and all other processes of Security and legal use of data, in a true cycle of monitoring and improvements possible, or that may be required by regulations, directives and legal ordinances from the communications and/or new requirements of the ANPD (National Agency for the Protection of Personal Data).

bottom of page