Beontag is committed to follow the best practices in Corporate Governance Policies, based on principles of human rights, ethics, transparency and integrity towards employees, customers, suppliers and overall stakeholders.
1. INTRODUCTION AND OBJECTIVE
In the daily life of Beontag, or "Company", whether in the conduct of business, in the search for new products, services and opportunities, or in the organization of its internal structure, the processing of personal data is an indispensable part of this reality. Beontag understands that it must act with responsibility and transparency, taking care of such information and providing them with technical and administrative security measures.
This Policy provides guidelines and establishes rules related to the privacy and protection of personal data of customers, employees and third parties during the processing of personal data by the Beontag, and in the relationship with third parties, in which there is sharing or shared use of personal data.
With this document, Beontag aims to be in compliance with the applicable data protection regulations, promoting transparency and good faith towards the Data Subjects, by protecting their personal data and their civil rights and liberties, as well as the best practices within its reach.
Beontag adopts 8 pillars, to be demonstrated throughout this Policy, for the implementation of an effective Privacy and Personal Data Protection Program in the company:
• Commitment and support of the top management
• Group responsible for the Program
• Structuring of rules and instruments
• Communication and training
• Mapping and Internal Controls
• Communication channel with Data Subjects and Supervisory Authorities
• Crisis management plan
• Continuous monitoring of the program
2. SCOPE
The Policy applies to Beontag in full, by all Beontag Employees, interns, Senior Management and all its subsidiaries, mainly to the business and operational areas that carry out international transfer of personal data, as well as service providers, partners and third parties with whom Beontag shares personal data, who act as controllers and operators/processors of personal data within the scope of the relationship with Beontag, both in Brazil and abroad.
The guidelines provided herein are applicable to all internal Beontag processes in which there is, at some point, processing of personal data and/or sensitive personal data of any Data Subjects.
3. REFERENCES
• Beontag Consent Management Policy;
• Beontag Security Incident Crisis Management Procedure;
• Beontag Data Retention and Deletion Policy;
• Beontag International Data Transfer Policy;
• Beontag New Processing Activity Registration Policy;
• Procedure for requesting the Data Subject of personal data
4. TERMS AND DEFINITIONS
5. ASSIGNMENTS AND RESPONSIBILITIES
It is the duty of everyone at Beontag and Third Parties with whom there is sharing or shared use of personal data, to carry out the processing of personal data in compliance with this Policy.
5.1. Upper Administration
The Upper Administration shall:
5.2. Data Protection Committee
The Data Protection Committee of Beontag is formed by the following areas:
As needed, the Beontag Data Protection Committee may request the participation of other areas.
The Committee's responsibilities are:
5.3. Data Protection Officer (DPO)/Person in Charge
5.4. Information Technology
5.5. Legal and Compliance
• To inform and instruct employees and Third Parties continuously of this Policy and other instruments that are part of Beontag's Privacy and Personal Data Protection Program;
• To monitor the effectiveness of the Beontag Program, proposing applicable adequacy measures;
• To ensure the adequacy of contracts with Third Parties, through appropriate clauses to the Privacy and Data Protection Rules applicable to the specific case;
• To monitor the guidelines of Supervisory Authorities and jurisprudence of courts regarding the application of privacy and data protection laws, communicating to the Data Protection Committee, whenever necessary, about relevant updates to Beontag;
• To assist in conducting internal investigations related to privacy and data protection violations and Beontag Program Policies and Procedures.
5.6. Managers responsible
• To know and apply the operational procedures so that Beontag complies with the applicable Privacy and Data Protection Standards, as well as in relation to the processing carried out in its area;
• To communicate with the Person in Charge/DPO to formally register, from the Form for Registration of New Processing of Personal Data, any new activities involving processing of personal data related to the processes of the area under their management and send to the Data Protection Committee, which will analyze and approve or disapprove, with or without adjustments to be implemented;
• To monitor and participate in the activities of the Data Protection Committee, when requested;
• To participate in training and implement adequacy measures as required by the Working Group.
5.7. Marketing
• To support the Data Protection Committee and the Person in Charge/DPO with actions to promote Beontag's culture of privacy and data protection;
• When necessary, assist in the analysis of risks to Beontag's image and reputation, with regard to privacy and data protection issues
• To advise the Data Protection Committee and the Person in Charge/DPO with disclosure of preventive measures for security incidents and crisis management procedures.
5.8. Employees or Third Parties
• To exercise the functions established in this document respecting the duties of loyalty, diligence and good faith;
• To avoid situations of conflict that may affect the interests of Beontag;
• To keep Beontag information confidential;
• To act actively in the prevention and protection of personal data about any security incidents;
• To comply with data retention and proper deletion guidelines in accordance with this Policy and the Data Retention and Erasure Policy. To inform the Data Protection Committee about improper retention of data or improper deletion;
• To collect consent from Data Subjects in cases where this is necessary, as provided in the Beontag Consent Management Policy;
• To comply with the guidelines proposed in this Policy and in the other materials of Beontag's Privacy and Personal Data Protection Program;
• To inform the manager of the department responsible for personal data about treatment for communication to the Data Protection Committee of new projects involving personal data.
• In the case of third parties, whenever it is necessary to have access to personal data of which Beontag is the controller of personal data, enter into a confidentiality agreement (NDA) and/or sign a contract in which there is a confidentiality and privacy clause and protection of personal data.
6. GENERAL PROVISIONS
6.1. General Concepts
6.1.1. Processing of Personal Data
The processing of personal data is any operation carried out with the data, such as collection, production, reception, classification, adaptation, alteration, consultation, organization, structuring, dissemination, use, access, reproduction, transmission, distribution, processing, archiving, storage, disposal, evaluation or control of information, modification, communication, transfer, dissemination or extraction.
By the broad legal definition, any above action involving personal data constitutes a treatment activity. The mere visualization, from the access to personal data, already characterizes the processing and, therefore, will be covered by the Privacy and Data Protection Standards.
Beontag, concerned about the compliance of each processing carried out under its responsibility, seeks to raise awareness among its Employees and Third Parties to continuously adopt security measures.
Examples of processing carried out by Beontag:
• Collection, reception, use and storage of personal data for registration of new customers and maintenance of the existing customer base;
• Collection of personal data for access to Company facilities;
• Control of employee information and transmission to public bodies in compliance with current laws;
• Archiving of personal data of third parties, for the legal deadline;
• Deletion of personal data of terminated employees, after the mandatory period of custody has elapsed.
6.1.2. Agents Responsible for the Processing of Personal Data
Controllers are responsible for the decisions to be made regarding the processing of personal data, while operators/processors are responsible for conducting the processing activities as determined by the controller.
Also, there is the figure of the co-controller, which is the one who exercises joint controllership of personal data with other controllers, so that decision-making is collective competence and the attributions, responsibilities and burdens are determined in a formal agreement between the parties.
Beontag will act sometimes as controller, sometimes as co-controller, sometimes as operator/processor, depending on the processing and the specific relationship.
Whenever Beontag acts as a controller, co-controller or operator of personal data, it must:
• To handle personal data in accordance with the principles set forth in the item. 6.3 of this document and in accordance with applicable data protection laws;
• To conduct training and register the participation of senior leadership and key employees who deal with personal data;
• To ensure that individuals authorized to carry out any type of processing of personal data have committed to confidentiality or are under an appropriate obligation of confidentiality;
• To process personal data only in accordance with the instructions of the data controller or co-controller, unless otherwise required by the Supervisory Authority;
• To register all personal data treatment activities and sensitive personal data containing the department and the person responsible for each activity, the category of the data Subject, its purpose, types of data processed, its sources, with whom the data is shared, existence of international transfer of data, its retention period, systems used during the treatment activity, its proper legal basis, among other pertinent information;
• To prepare, record and file the personal data impact report (RIPD) whenever required by law, legal, administrative or institutional obligation;
• To implement appropriate technical and organisational measures to ensure proper data processing and in accordance with the applicable principles of privacy and protection of personal data;
• In case of transfer of Personal Data outside Brazil, apply the protection measures;
• To formalize the relationship with controllers, co-controllers and operators/processors through a contract, agreement or other formal legal act containing the applicable clauses and provisions;
• Do not appoint another operator/processor without specific prior authorization from the controller;
• To assist the controller in fulfilling its obligations with respect to obligations to the Supervisory Authority and Data Subjects, such as responding to requests related to the rights of Data Subjects (item 6.4 of this document);
• To notify the controller or co-controller within a reasonable time in relation to any personal data breach or incident with personal data;
• After the end of the provision of services, delete existing copies of personal data, at the request of the controller, unless the legislation requires the conservation of the data or is necessary for defense in judicial, administrative or arbitration proceedings;
• Make available to the data controller all information necessary to demonstrate compliance with its legal obligations and allow and cooperate with audits, including inspections, conducted by the controller or another auditor appointed by it;
• To carry out and register guarantees that the rights of the Data Subjects are fully fulfilled.
6.2. Relationship with Operators/Processors
Whenever Beontag establishes a relationship with an agent that acts as an operator/processor of your personal data, it must ensure that the operator has in place appropriate technical, security and organizational measures to ensure compliance with principles and good practices that concern the privacy of the Data Subjects and protection of the personal data that will be processed. In addition, a contract or agreement must be entered into with this Operator defining its qualification and delimiting its attributions and obligations in relation to data protection.
6.3. Principles and Legal Bases
Beontag only carries out processing operations that are in line with the requirements of the applicable Privacy and Protection Standards. There will be no data processing that does not have a specific purpose in accordance with the applicable legislation. Beontag respects the essential principles for the processing of personal data.
6.3.1. Legal Bases
All personal data is processed by Beontag for legitimate and lawful purposes. Depending on the personal data and the specific purpose, as well as the location of the processing, Beontag will assign an adequate legal basis to process the data after careful analysis of the characteristics of the processing flow. There will be no processing without adequate compliance with the appropriate legal basis, in accordance with the law of the specific data processing jurisdiction.
It is possible that the legal bases will change according to the course of the life cycle of the processing of personal data, resulting from the change in the purpose of the processing, which will consequently change the company's data mapping/inventory. Therefore, Beontag's mapping/inventory of personal data must be updated periodically, at least annually, and whenever necessary, to faithfully reflect the data processed by the Company and the proper purpose and corresponding legal basis. If, after updating, it is identified that there is no longer a legal basis for Beontag to continue the processing, it must be stopped immediately and the appropriate retention and disposal measures adopted.
6.3.2. Principles
The principles represent fundamental elements that must be strictly considered in all data processing to ensure compliance with the Privacy and Data Protection Standards and global good practices. Beontag shall always process data in accordance with the principles below:
(i) Legality and Justice
All processing of personal data must take place on a valid and applicable legal basis, never in disagreement with any applicable legislation, always in a fair and balanced manner in the relationship with the Data Subjects.
(ii) Transparency
Beontag shall be clear, precise and unambiguous with Data Subjects so that they know, in all contexts, how and for what we process their personal data.
Transparency includes accessibility and ease of communications with the Data Subjects so that there is maximum understanding about the performance of processing and the respective agents.
(iii) Non-Discrimination
Under no circumstances may personal data and sensitive personal data be processed for unlawful or abusive discriminatory purposes.
(iv) Purpose
The processing of the data must take place for legitimate, specific, explicit and informed purposes to the Data Subject, without the possibility of further processing in a manner incompatible with these purposes.
(v) Adequacy
It refers to the compatibility of the processing with the purposes informed to the Data Subject, according to the context of the processing and in a manner consistent with one of the legal bases.
(vi) Necessity and Minimization
This is the limitation of the performance of the processing to the minimum necessary for the accomplishment of the intended purpose, covering only the relevant data, in a proportional and not excessive way.
(vii) Free Access, Quality and Accuracy of Data
To the Data Subjects, Beontag will guarantee the easy and free consultation on the form and duration of the processing, as well as accurate and clear information on the performance of the processing and the agents involved, provided that it does not violate commercial or industrial secrecy of Beontag or Third Party.
We also ensure the quality, accuracy, relevance and updating of personal data, according to the need and for the fulfillment of the purpose of its processing.
(viii) Security, Prevention and Limitation (Integrity and Confidentiality)
Beontag adopts security standards appropriate to its operations, especially when they involve processing personal data, using technical and administrative measures capable of protecting personal data from security incidents.
No personal data should be retained for longer than necessary, so Beontag periodically evaluates the retention periods of each data and adopts disposal measures, when necessary.
All security measures implemented by Beontag, as well as the actions taken in relation to personal data throughout its processing are duly documented internally.
(ix) Accountability and Responsibility
Beontag adopts the necessary measures to demonstrate and prove the adoption of effective measures capable of proving compliance and compliance with the rules for the protection of personal data and even the effectiveness of such measures.
We also assume that we are responsible for any form of processing of personal data that occurs within our organization, adopting a serious and respectful attitude towards the data and the respective Data Subjects.
6.4. Rights of Data Subjects
Beontag ensures compliance with the rights of the Data Subjects of the processing of personal data that it carries out, in accordance with the provisions mentioned below:
• Right to Transparency of Information: It is the right of the Data Subjects to be informed in a clear and accessible way about the collection and use of their data by Beontag, and all the specificities related to the processing activities that occur within the scope of the Company.
• Right of Processing Confirmation and Right of Access: Data Subjects have the right to obtain confirmation that Beontag processes their personal data and to have access to specific information about their processing.
• Right of Rectification: The Data Subject of personal data may request rectification on the registration of his personal data, such as inaccurate, incorrect or outdated data;
• Right of Deletion/Right to Erasure: The Data Subject has the right to delete his/her personal data and may request the deletion, blocking or anonymization of his/her personal data processed by Beontag in certain cases. This may include, but is not limited to, circumstances in which it is no longer necessary for Beontag to retain your personal data for the purposes for which it was collected.
• Right to Restriction of Processing: The Data Subject may request the restriction or suppression of the processing of their personal data. In these cases, Beontag may store the personal data, but may not use them in some specific cases according to the specific request of the Data Subject and provided that there is no hypothesis in which such processing is necessary, such as legal or regulatory obligation.
• Right of Opposition: The Owner may object to the processing of data when it is based on legitimate interest.
• Right to Portability: The Data Subject may request the portability of his/her personal data to another service or product provider, upon express request. This practice makes it possible to transfer, transmit or copy personal data to a Third Party, so that there is security and the usability of the data is not affected.
• Right Related to Automated Decisions: Data Subjects have the right not to be subject to a decision based only on an automated process, including the definition of profiles, which produces direct or indirect legal effects to the Data Subject. Automated decision processes are those made by automated means that have no involvement of humans.
In order to meet the requests of the Data Subjects, the Beontag has tools and mechanisms that aim at the speed and effectiveness in the response or observance of these rights, as well as the proper filing of the measures that are adopted in relation to this request, as detailed in the Request Procedure of the Data Subject.
To this end, we make available a communication channel to Data Subjects, publicly accessible on our website. Which can be accessed by the following means: https://www.contatoseguro.com.br/beontag.
7. SPECIFIC GUIDELINES
7.1. Access to Personal Data
Beontag understands that improper access qualifies security incidents. For this reason, access is limited to employees who justifiably need personal data to conduct their activities, in line with the previously mapped treatment flows.
7.2. Retention and Disposal
The personal data processed by Beontag shall be permanently deleted, through systemic deletion or destruction of physical documents, as soon as they achieve their purposes, at the request of the Data Subject when applicable, or at the request of the Supervisory Authority.
However, it is possible that Beontag retains the personal data, when authorized its conservation for specific hypotheses provided for by law.
When personal data is retained after fulfilling its original purpose, it must be encrypted or anonymized to protect the identity of the data subject in the event of a personal data incident.
With regard to the retention of personal data in cases where the data is processed for the purpose of exercising rights, both of activation of parties and of defense in legal, administrative or arbitration proceedings, the period provided for in specific laws of prescription and limitation of actions shall be observed for the purposes of data retention.
During the period of any legal proceeding in which there may be a need for the use of data by the CCRR Group, such data may be stored following the CCRR Group's security measures, principles and internal guidelines regarding the processing of data for as long as the judicial discussion lasts.
As established in the Personal Data Retention and Elimination Policy, the standard period of retention of personal data by the CCRR Group is 5 years after the termination of the link that gave rise to the processing of such data, such period is due to the statute of limitations, decay and tax periods generally adopted in national legislation.
In exceptional cases where custody periods are not foreseen or clear in the current legislation or there is no peaceful understanding about the term, as well as where the feasibility of retention is under discussion, the Supervisor/DPO must analyze the situation and possibly trigger the Data Protection Committee to resolve to declare the retention period of a given document that contains personal and related data, always taking into account the guidelines of this policy and all other policies relating to privacy and data protection of the CCRR Group.
7.3. International Transfer
Beontag adopts restrictive conduct regarding the international transfer of personal data, understanding that it should not be carried out indiscriminately and only when strictly necessary for the conduct of its activities or when there is a security standard compatible with its guidelines, always in accordance with the provisions of the Privacy and Data Protection Standards, as established in the International Data Transfer Policy.
7.4. Processing of Personal Data of Minors
Beontag does not, as a rule, process personal data of minors (children and adolescents). However, there are times when it will be necessary to treat them. In these cases, the data will be processed in the best interest of the minor and in strict accordance with the legal hypotheses that allow such processing.
The personal data of children and teenagers, as well as sensitive data, must be subject to greater protection compared to other personal data.
7.5. Privacy by Design and Privacy by Default
In consideration of the principle of Privacy by Design, all products and services that are created by Beontag are subject to analysis to ensure the privacy and protection of personal data of the Data Subjects and compliance with all principles, guidelines and rules of the subject from the design phase to the launch/implementation of these products and services.
7.6. Disclosure of Personal Data to Third Parties
The Beontag must ensure that the personal data in its possession are not disclosed to unauthorized third parties, including family members or friends of its employees, private entities and government agencies, without the company's authorization or court order to do so.
All employees must exercise caution when requested to disclose personal data to third parties and must seek authorization from the Data Protection Committee or the Person in charge/DPO to do so, including in the case of a court order.
All requests to provide data to third parties must be supported by appropriate documentation and properly stored with the authorization of the Data Protection Committee or the Data Protection or Person in charge/DPO.
7.7. Data Protection Impact Assessment and Legitimate Interest Assessment
The Data Protection Committee shall prepare, with the assistance of the Person in Charge/DPO and the other business departments of Beontag, the report of the impact assessment of personal data protection for Beontag's data processing activities.
Such evaluation aims at an in-depth analysis of the risks involved with the processing carried out by Beontag, as well as technical, administrative and legal measures that should be implemented for greater security of personal data processed in specific flows.
The content of the report should include a description of the processing processes of “common” personal data and sensitive personal data that may present risks to civil liberties and fundamental rights, as well as the technical, administrative and legal measures that should be implemented to mitigate risks and greater security of personal data processed in specific flows.
In cases where the legal basis of legitimate interest is attributed, it will be necessary to prepare an assessment so that it is possible to consider whether this basis is appropriate for the treatment or not, and must be duly approved or disapproved by the Person in Charge/DPO.
This is documentation from the controller containing the Legitimate Interest Impact Assessment, where the processing of personal data is based on legitimate interest, assessing whether the processing may create risks to civil liberties and fundamental rights through its legitimacy, necessity, balancing, and safeguards.
7.8. Security Incidents
Any suspected violations and incidents related to the processing of personal data carried out by Beontag or by third parties on its behalf must be immediately reported to the Person in Charge/DPO, according to the internal communication channels and guidelines provided for in the Security Incident Crisis Management Procedure.
The Person in Charge/DPO will take all relevant information about the incident to the Data Protection Committee, so that they analyze the criticality and complexity of the occurrence and take the relevant measures and decisions.
The application aims to prevent and mitigate losses arising from information security incidents or service disruptions directly affecting your information assets, trust between stakeholders, damage to reputation or market value.
All possible measures should be provided in order to minimize all impacts caused, as well as recover the integrity of the data and its confidentiality.
8. TECHNICAL STANDARDS
Beontag will follow the technical, physical and digital standards for the protection of personal data, its integrity and confidentiality.
9. SAFETY MEASURES
9.1. Educational Actions
In order to train its employees, Beontag will conduct annual training on privacy and data protection, prepared by the Data Protection Committee and coordinated by the Person in Charge/DPO.
Employees who are hired will also receive training, in order to understand basic concepts and observe compliance with Beontag's Privacy and Personal Data Protection Program.
In addition, with the assistance of the Human Resources Department, other actions will be carried out to raise awareness and ensure compliance with the guidelines, such as:
• sending emails with newsletters/content pills on privacy and data protection topics, applicable standards and the Company Program.
9.2. Risk supervision and mitigation
Beontag's Privacy and Personal Data Protection Program will be overseen by the Data Protection Committee, from:
• The annual review of this Policy;
• Constant monitoring of signs of security incidents and documentation of implemented adequacy measures.
The Compliance, Information Technology and Legal areas will also contribute to the supervision and mitigation of risks, from:
• Continuous monitoring of Beontag's safety standards;
• Analysis of the technical aspects of evidence of security incidents;
• Constant review and implementation of tools and mechanisms that ensure the security of personal data processed by Beontag.
10. PRIVACY CHANNEL
The Channel is an easily accessible means of communication between the Data Protection Officer/Person in Charge of Beontag and the Data Subjects of personal data, so that they can exercise their rights in contact with the Company. Beontag makes efforts to comply with requests within legal limits and reasonable limitations, and is always committed to the transparency and protection of personal data.
In addition, the Privacy Channel may be used to report any violations related to privacy and protection of personal data, so that the Company can take the appropriate investigation, risk mitigation and action in relation to the specific case.
The Privacy Channel can be accessed via: lgpd@beontag.com.
Any questions, queries, clarifications, exceptions, requests regarding the application of this International Data Transfer Policy may also be sent directly to the Data Protection Committee through the email comitelgpd@beontag.com or to the Person in Charge by email lgpd@beontag.com.
11. INVESTIGATIONS AND SANCTIONS
Any complaints, even if suspected, of violations of this Policy will be forwarded to the Data Protection Committee and submitted to an internal investigation procedure by Beontag's Compliance Department. If it is found, after a robust investigation, that there has been a violation, sanctions may be applied by Beontag, proportional to the nature or severity of the infraction committed, according to resolution by the Data Protection Committee.
Any Employee or Third Party that violates any provision of this Policy will be subject to disciplinary sanctions and related consequences, such as: (i) verbal or written warning; (ii) suspension; (iii) dismissal without cause; (iv) dismissal with cause; (v) exclusion of the Third Party from the Company's list of suppliers; (vi) filing of a relevant lawsuit.
In addition, the person responsible for the practice of an unlawful act may suffer judicial and/or administrative punishments, in accordance with the legislation of the country in which there is jurisdiction.
If Beontag is ordered to indemnify damages of a moral or material nature, proven in any judicial or administrative action of any nature, the harasser will be called to participate in the process or will be notified back to reimburse Beontag for the amounts spent, duly updated in the molds of current legislation.
Failure to report violations of privacy or the integrity of personal data that represent a violation of Beontag's internal rules and applicable legislation constitutes non-compliance with this Policy and may be duly punished. Recklessness, negligence and willful failure are also considered violations of this Policy and may be subject to disciplinary sanctions.
12. FINAL PROVISIONS
This document must be read and interpreted in conjunction with the other Policies and Procedures adopted by Beontag related to Data Protection, as well as with related laws and regulations.
This Policy, as well as the other documents that complement it, are available on the intranet or, in case of unavailability, may be requested from Beontag's Person in Charge/DPO.
Any questions regarding this Policy should be addressed to the Data Protection Committee by email comitelgpd@beontag.com or to the Person in Charge by email lgpd@beontag.com.
This Law enters into force on the date of its publication.
13 - DATA CONTROLLER AND CONTACT DETAILS
The DPO of Beontag group, chosen as the focal point of communication with data subjects and ANPD is Suzane Oliveira Silva, who can be contacted via email: lgpd@beontag.com.br and by telephone +55 (11) 99620-7865.