1. Information about Rede D’Or and contact channel
1.1. Introduction
Rede D’Or, a private legal entity registered with the CNPJ/ME under No. 06.047.087/0011-00, headquartered at Rua Voluntários da Pátria, 138 – Botafogo, Rio de Janeiro – RJ, ZIP Code 22270-010 (“RedeD’Or”), considers the protection of information capable of identifying you (“Personal Data”) obtained when you (“Data Subject”) use Rede D’Or’s various services (“Services”), whether remotely or in person, to be extremely important.
Accordingly, this Privacy Notice (“Notice”) aims to regulate, in a simple, transparent, and objective manner, how your Personal Data will be processed and protected by Rede D’Or and the other companies that make up its corporate group.
Please note that this Notice is intended for Rede D’Or customers and other Data Subjects whose Personal Data is processed at Hospital Units, digital channels (platforms, applications, chatbots, emails, websites, and their subdomains), or by its branches or partners.
We are always seeking to offer you Services as efficiently as possible, continuously updating ourselves to do so. For this reason, this Notice may be updated at any time, and it is your responsibility to review it whenever possible.
To access our Services, you declare that you have read this Notice in full and carefully, and that you are fully aware of the terms set forth herein, including the processing of the Personal Data mentioned herein and its use for the purposes specified in this Notice.
If you have additional questions, please contact our Data Protection Officer.
1.2. Data Protection Officer
In accordance with Article 41 of the LGPD, Rede D’Or has appointed a Data Protection Officer (“DPO”).
Our DPO is qualified and responsible for conducting all activities required by the LGPD and the ANPD, including, but not limited to:
Receiving complaints and communications from Data Subjects, providing explanations, and adopting measures;
Receiving communications from the ANPD and adopting the necessary data protection measures; and
Guiding our employees and contractors regarding practices to be adopted in relation to Personal Data protection.
You may contact our DPO via email: dpo.rededor@rededor.com.br
2. Details on the processing of Personal Data
Below, we would like to inform you, in detail, which Personal Data we process, for what purposes it is used, with whom we share it, and what your rights are.
Summary of Personal Data processing
| Processing agent | Rede D’Or |
| Role of the processing agent | Predominantly a controller, i.e., it makes decisions regarding the processing of Personal Data |
| Nature of the processed data | Personal Data provided by the Data Subject and/or automatically collected, of a registration, financial and/or sensitive nature (Article 5, II of Law No. 13,709/2018). |
| Main purposes of processing | Rede D’Or may process your Personal Data to: · create/update registrations in order to enable the provision of its products and services; · send alerts about appointment scheduling and the performance of exams, preventive care, through any communication means; · conduct billing and satisfaction/opinion surveys; · assess résumés sent by candidates and through our business partnerships; · provide products and conveniences to patients, such as, but not limited to, Wi-Fi and 3D printing of morphological ultrasound images and voice-assistance devices; · provide Telemedicine services. |
| Sharing | Operators and service providers essential to our activities; other entities within the Rede D’Or corporate group, such as, but not limited to, D’Or Soluções, Consultoria D’Or, Gestão Total de Saúde, and Instituto D’Or Pesquisa Ensino; authorities/government bodies due to legal or regulatory obligations; other entities that, as a result of corporate transactions such as mergers, acquisitions, and incorporations, become part of the Rede D’Or corporate group. |
| Data Protection | Adoption of technical and administrative security measures that ensure the integrity, availability, and confidentiality of Personal Data. |
| Your rights: | Confirmation of processing, access, correction, etc. For more information, see the “Data Subject Rights” section. |
3. Definitions
If you have any questions about the terms used in this Notice, please refer to the glossary below:
| Term | Definition |
| Anonymization | Process through which personal data loses the possibility of association, directly or indirectly, with an individual, considering the reasonable and available technical means at the time of processing. |
| Controller | A natural person or legal entity, under public or private law, responsible for decisions regarding the processing of personal data. |
| Cookies | Files sent by a website server to users’ computers that store information related to user preferences, such as preferred language, location, session recurrence, and other variables developers deem relevant to make the experience more efficient. |
| Personal data | Any information related to a natural person who is identified or identifiable, directly or indirectly. |
| Cloud Computing | Technology for virtualizing services built from connecting more than one server through a common information network (e.g., the internet) to reduce costs and increase service availability. |
| Sensitive personal data | Category of personal data relating to racial or ethnic origin, religious belief, political opinion, union membership or membership in organizations of a religious, philosophical, or political nature, data concerning health or sex life, genetic or biometric data relating to a natural person. |
| Officer/DPO | Person appointed by us to act as a communication channel between the controller, data subjects, and the National Data Protection Authority (ANPD). |
| IP | Abbreviation for Internet Protocol; a set of numbers that identifies users’ computers on the internet. |
| Logs | Records of user activities performed on the website. |
| Website | The electronic address of Rede D’Or websites and their subdomains. |
| Data Subject | Natural person to whom personal data refers, including, but not limited to, former, current, or potential customers, employees, contractors, business partners, and third parties. |
| Processing | Any operation performed with personal data, such as collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation or control of information, modification, communication, transfer, dissemination, extraction |
| Users (also referred to as “you”) | Data Subjects who use services provided by Rede D’Or, either online or offline. |
4. Personal Data processing activities
Which Personal Data is collected about you
In order to provide our Services, the processing of Personal Data is essential. Below we list, by way of example, the Personal Data we process. As our Services are updated, the list of processed Personal Data may also be updated.
Personal Data provided directly by you: Rede D’Or will collect all Personal Data entered or voluntarily submitted by the user when using our Services, digital or otherwise. The collected Personal Data varies according to the type of Service for which you are registered. Below is a non-exhaustive list of services we provide:
| Services provided | Personal Data processed |
| Scheduling of appointments and/or exams | Name; CPF; telephone; health plan data; physician data; type of exam; clinical data. |
| Outpatient care | Name; RG; CPF; sex; date of birth; telephone; address; health plan data; companion data; symptoms and health data. |
| Hospitalizations | Name; RG; CPF; sex; date of birth; telephone; address; health plan data; companion data; symptoms, health data, and medical record. |
| Billing data | Registration information such as name, CPF, address, and telephone; and banking information such as those contained on cards and checks, when applicable. |
| Consultation of performed exams | Login for portal access; name, CPF, email; exam data; physician data. |
| Surveys | Name; CPF; medical record data. |
In some cases, it will be necessary to collect Personal Data from children who have a parental relationship with you or are under your legal responsibility. Depending on the situation, your express consent will be required to carry out processing operations of such Personal Data.
It is your duty to provide correct and up-to-date information. We are not responsible for the accuracy, truthfulness, or lack thereof in the information you provide.
To verify and confirm the accuracy of your Personal Data, you understand that we may, at our sole discretion, perform checks we deem necessary to identify incorrect, untrue, or outdated Personal Data, as well as request additional data and/or documents.
Likewise, we are not obligated to process any of your Personal Data if there are reasons to believe such processing may subject us to violation of any applicable law, or if you are using our Services for illegal, unlawful purposes or purposes contrary to morality.
Personal Data provided by third parties: Under the law, Rede D’Or may receive your Personal Data from third parties, such as partners, service providers, and other independent third-party sources, including public databases of services related to you. Data received from such sources enables Rede D’Or to provide Services to you and will be processed in accordance with this Privacy Notice.
Automatically collected data: Rede D’Or also collects certain information automatically, such as: characteristics of the access device and browser; IP address (with date and time); IP origin; click information; pages accessed; search terms entered on our portals, among others. Such collection is carried out through standard technologies such as cookies, which are addressed in our Cookie Notice. We may use cookies and/or other technologies on our website to improve its functionality, pursuant to our Cookie Notice.
All technologies used will always comply with applicable legislation and the terms of this Notice. We do not use any solely automated decision-making that impacts you.
We also inform you that we may enrich our database by adding information about you collected from other legitimate sources, including databases of other companies within the same economic group as Rede D’Or.
For market intelligence research purposes, disclosure of Personal Data to the press, and advertising activities, the Personal Data you provide will be shared in anonymized form, i.e., in a way that does not allow your identification.
The Personal Data database formed as a result of our Services is our property and under our responsibility, and its use, access, and sharing, when necessary, will occur within the limits and purposes of the business described in this Notice.
5. Use of Personal Data
5.1. For what purposes we use your Personal Data
Personal Data is processed by Rede D’Or for various purposes. Below we present the main hypotheses, without limitation, in which we will process your information:
| Legal basis | Purpose |
| Performance of contracts or preliminary procedures (Item V of Article 7 of Law No. 13,709/18) | i) Management, administration, provision, expansion, and improvement of the Services offered to the Data Subject; ii) Relationship and provision of information related to products and services contracted by Rede D’Or customers; iii) Assessment of whether certain products or Services can be offered and under what conditions. |
| Compliance with legal or regulatory obligations (Item II of Article 7 of Law No. 13,709/18) | i) Retention of medical records for 20 (twenty) years from the last entry, pursuant to Article 6 of Law No. 13,787/2018; ii) Mandatory notification in case of suspected child abuse, pursuant to Article 13 of the Statute of the Child and Adolescent; iii) Obtaining patient consent for medical procedures indicating inherent risks, pursuant to Article 22 of the Medical Code of Ethics; iv) Sharing data with the Ministry of Health to compose the minimum dataset, pursuant to Article 47 of Law No. 8,080/1990 and Article 4 of Decree 29/2017; v) Mandatory notification of diseases pursuant to Law No. 6,259/1975; vi) Retention of Wi-Fi access logs of Hospital and Laboratory Units, pursuant to Article 13 of the Brazilian Internet Civil Rights Framework (Marco Civil da Internet). |
| Protection of health (Item VIII of Article 7 of Law No. 13,709/18) | i) For example, in medical consultations where data such as height, weight, dietary habits, blood pressure, among other information, is collected. |
| To preserve your life and physical integrity depending on the emergency (Item VII of Article 7 of Law No. 13,709/18) | i) In emergency care, such as in the emergency room; ii) Collection of registration data to identify, grant access, and monitor our facilities, as well as record your images in our monitoring and physical security systems (CCTV). |
| Legitimate interests of Rede D’Or, within your expectations and without prejudice to your fundamental rights and freedoms, and never involving sensitive personal data (Item IX of Article 7 of Law No. 13,709/18) | i) Sending informational communications; ii) Promoting events or conducting research related to Rede D’Or’s activities. |
| Fraud prevention activities (Item X of Article 7 of Law No. 13,709/18) | i) Conducting internal investigations. |
| Consent granted by you (Item I of Article 7 of Law No. 13,709/18) | i) Advertising campaigns and linking photos/voice/videos in our communication channels; ii) Sharing with partners to enable the offer of products and services of your interest; iii) Promoting campaigns to monitor your health; iv) When requested by you, use of voice-assistance devices. |
6. Processing of Personal Data of children
Processing of Personal Data of children and minors
The Statute of the Child and Adolescent (ECA) considers a child a person up to 12 years of age (incomplete), and an adolescent a person between 12 and 18 years of age. The LGPD provides that information about the processing of Personal Data of children and adolescents must be provided in a simple, clear, and accessible manner to provide the necessary information to parents or legal guardians and in a way suitable to the child’s understanding.
We are committed to protecting the privacy and Personal Data of minors as required by the LGPD. Therefore, the processing of these types of Personal Data will always occur based on an appropriate legal basis, such as, by way of example: (i) administering and offering benefits to legal guardians when children and minors are dependents, such as in health plans, upon obtaining consent from legal guardians; (ii) performance of contracts; (iii) protection of health; and (iv) compliance with legal and/or regulatory matters.
If the user of our Services is under 18 years of age, legal guardians must supervise the activities of their children or wards. The activities of adolescents over 16 and under 18 must be assisted by legal representatives.
7. Data sharing
With whom we will share your Personal Data
Rede D’Or may need to share your Personal Data with third parties. The situations that will involve the sharing of your information, within legal limits, include:
With partner companies and suppliers in the development and provision of Services made available to you, especially health plan operators with which Rede D’Or’s hospital units are accredited to operate.
With authorities, governmental entities, or other third parties to protect Rede D’Or’s interests in any type of dispute, including lawsuits and administrative proceedings.
In corporate transactions and changes involving Rede D’Or, in which the transfer of information is necessary for the continuity of Services.
Pursuant to a court order or at the request of administrative authorities with legal competence to require it.
Among other companies within Rede D’Or’s economic group.
Where applicable, all Rede D’Or service providers and business partners are subject to strict contracts that prohibit unauthorized use or disclosure of the Personal Data to which they have access.
8. International transfer
Personal Data processed as a result of our Services may be stored on our servers located in Brazil, as well as in cloud computing environments, which may require the transfer of Personal Data outside Brazil.
In addition, international transfers of Personal Data may occur to comply with legal or regulatory obligations, perform a contract, exercise rights in judicial, administrative, or arbitration proceedings, protect life or physical integrity, among other situations authorized by law.
We ensure that your Personal Data will also be protected and properly safeguarded abroad. Such transfer will occur to countries or international organizations that provide a level of protection similar to that provided under Brazilian law, or to companies that contractually commit to adopting a similar level of protection.
We will request your specific consent for such transfers when required and when not supported by another applicable legal basis.
9. Storage of Personal Data
For how long your Personal Data will be stored?
Your Personal Data will be stored in a secure and controlled environment for the period strictly necessary to fulfill each of the purposes described above and/or in accordance with the applicable legal/regulatory retention periods.
10. Data security
How we keep your Personal Data secure and how you can keep it secure
Any Personal Data under Rede D’Or’s care will be stored according to the strictest security standards and legally required levels to prevent or minimize information security incidents, including, but not limited to, measures such as:
Protection against unauthorized access to our systems;
Restricted access by specific individuals to the location where personal information is stored; and
Ensuring that agents, internal employees, or external partners who process Personal Data commit to absolute confidentiality, adopting best practices for handling Personal Data, as determined by corporate policies and procedures.
In addition to technical efforts, Rede D’Or adopts institutional measures aimed at Personal Data protection by maintaining a privacy governance program applied to its activities and governance structure, continuously updated and managed by the DPO.
Although Rede D’Or uses best efforts to preserve privacy and protect Data Subjects’ Personal Data, no information transmission is entirely secure and may still be subject to technical failures, viruses, or similar actions. Therefore, we may partially or fully suspend our Services without prior notice in case of suspected security breach.
In any event, in the remote possibility of such occurrences, Rede D’Or will use best efforts to remedy the consequences, always ensuring proper transparency to you.
If third-party companies process any Personal Data on our behalf, they will comply with the conditions set forth herein and mandatory information security standards.
It is very important that you protect your Personal Data against unauthorized access to your computer, account, or password, as well as ensure you log out when using a shared computer and verify that you are not sharing your information with malicious individuals. It is also important for you to know that, as a rule, we will not send electronic messages with executable attachments (extensions: .exe, .com, among others) or links for downloads. You are jointly responsible for maintaining the confidentiality of your Personal Data and restricted information you provide when using our Services.
All transactions in our digital environments are executed using SSL (secure socket layer) technology, ensuring that your Personal Data is not unlawfully disclosed. In addition, this technology aims to prevent information from being transmitted or accessed by third parties. Make sure that, when accessing our digital environments, they are protected by such technology, represented by the padlock icon in the browser address bar.
You are also responsible for the confidentiality of your Personal Data and must be aware that sharing passwords and access credentials may compromise the security of your Personal Data and our digital environments. We are not responsible for the sharing of passwords and other information with third parties.
When using our digital environments, you may be redirected via link to other portals or platforms that may collect your information and have their own Data Processing Policy.
It is your responsibility to read and accept or reject the Privacy and Data Processing Policies of such portals or platforms outside our digital environments. We are not responsible for third parties’ Privacy Policies or Personal Data processing, nor for the content of any websites or services linked to environments that are not ours.
11. Data Subject rights
In compliance with applicable regulations, with respect to Personal Data processing, Rede D’Or, as the controller of your Personal Data, respects and guarantees to the Data Subject the possibility of submitting requests based on the following rights:
Confirmation of the existence of processing;
Access to Personal Data;
Correction of incomplete, inaccurate, or outdated Personal Data;
Anonymization, blocking, or deletion of unnecessary, excessive, or unlawfully processed Personal Data;
Portability of Personal Data to another service or product provider, upon express request by the Data Subject;
Deletion of Personal Data processed with the Data Subject’s consent;
Information about public and private entities with which Rede D’Or shared your data;
Information about the possibility of refusing to provide consent and the consequences of refusal;
Withdrawal of consent, when applicable.
All requests will be:
Provided free of charge;
Subject to identity validation (so that Rede D’Or directs requests exclusively to the Data Subject).
To exercise your rights as a Personal Data Data Subject, you may click here or access the Privacy page available on the Rede D’Or website.
Rede D’Or emphasizes that your request may be legally denied for formal reasons (such as inability to prove your identity) or legal reasons (such as a request to delete data whose retention is necessary to comply with a legal obligation). In the event it is not possible to comply with such requests, Rede D’Or will provide you with reasonable justifications.
Please note that even after exercising the right to deletion/anonymization/blocking or elimination of Personal Data, we may retain a history of your Personal Data records for auditing, security, fraud control, preservation of rights, and/or when required by law or regulation. Once the retention period and need for storage end, the personal data will be deleted using secure disposal methods or used exclusively in anonymized form for statistical purposes.
12. Applicable law and changes
This Notice was prepared based on Federal Law No. 13,709/2018 – the Brazilian General Data Protection Law (“LGPD”).
Rede D’Or reserves the right, at its sole discretion, to modify, amend, add, or remove portions of this Notice at any time.
If any part of this Notice is deemed inapplicable by the National Data Protection Authority or by an administrative or judicial authority, the remaining provisions shall remain in full force and effect.