1. INTRODUCTION AND OBJECTIVE

In the daily life of Beontag, or "Company", whether in the conduct of business, in the search for new products, services and opportunities, or in the organization of its internal structure, the processing of personal data is an indispensable part of this reality. Beontag understands that it must act with responsibility and transparency, taking care of such information and providing them with technical and administrative security measures.  
This Policy provides guidelines and establishes rules related to the privacy and protection of personal data of customers, employees and third parties during the processing of personal data by the Beontag, and in the relationship with third parties, in which there is sharing or shared use of personal data.  
With this document, Beontag aims to be in compliance with the applicable data protection regulations, promoting transparency and good faith towards the Data Subjects, by protecting their personal data and their civil rights and liberties, as well as the best practices within its reach.  
Beontag adopts 8 pillars, to be demonstrated throughout this Policy, for the implementation of an effective Privacy and Personal Data Protection Program in the company:

   • Commitment and support of the top management

   • Group responsible for the Program

   • Structuring of rules and instruments

   • Communication and training

   • Mapping and Internal Controls

   • Communication channel with Data Subjects and Supervisory Authorities

   • Crisis management plan

   • Continuous monitoring of the program

2. SCOPE

The Policy applies to Beontag in full, by all Beontag Employees, interns, Senior Management and all its subsidiaries, mainly to the business and operational areas that carry out international transfer of personal data, as well as service providers, partners and third parties with whom Beontag shares personal data, who act as controllers and operators/processors of personal data within the scope of the relationship with Beontag, both in Brazil and abroad.  
The guidelines provided herein are applicable to all internal Beontag processes in which there is, at some point, processing of personal data and/or sensitive personal data of any Data Subjects.

3. REFERENCES

   • Beontag Consent Management Policy;  
   • Beontag Security Incident Crisis Management Procedure;  
   • Beontag Data Retention and Deletion Policy;  
   • Beontag International Data Transfer Policy;  
   • Beontag New Processing Activity Registration Policy;  
   • Procedure for requesting the Data Subject of personal data    

4. TERMS AND DEFINITIONS

• Supervisory Authority: National authorities acting in the guidance, supervision, supervision and protection of personal data, such as ANPD (National Data Protection Authority – Brazil), ICO (Information Commissioner's Office – United Kingdom) or CNIL (Commission Nationale de l 'Informatique et des Libertés – France), Commission de la protection de la vie privée – Belgium, Office of the Data Protection Ombudsman – Finland, Guarantor per la protezione dei dati personali – Italy, Commission Nationale pour la Protection des Données – Luxembourg, GIODO (The Bureau of the Inspector General for the Protection of Personal Data – Poland), Information Commissioner – Slovenia, Datainspektionen – Sweden, European Data Protection Supervisor – Europe, Agencia de Acceso a la Información Pública – Argentina, Unidad Reguladora y de Control de Datos Personales – Uruguay.
• Beontag: Beontag Group
• Controller or controllers: natural or legal person(s), of public or private law, who are responsible for decisions regarding the treatment of personal data.
• Anonymised data: data relating to a Data Subject that cannot be identified, considering the use of reasonable technical means available at the time of treatment.
• Personal data: information related to the individual identified or identifiable. That is, information(s) that identifies a natural person either directly (first and last name, document number, e-mail address, phone number, IP address) or indirectly, from associations and profiling (address, marital status, occupation, income, financial history, credit score).
• Sensitive Personal Data: personal data on racial or ethnic origin, religious conviction, political opinion, trade union membership or organization of a religious, philosophical or political nature, data on health or sexual life, genetic or biometric data, when linked to an individual.
• Data Protection Officer (DPO) or Person in Charge: this is the person responsible at Beontag who acts as the Company's representative before the Supervisory Authority, as a communication channel between the controller and the data subjects, and the person responsible for disseminating, guiding and monitoring about the Privacy and Data Protection Standards in the Company.
• Security Incident: any adverse event related to a breach of the security, technical or administrative, of personal data, leading to the loss of one or more basic principles of Information Security (Confidentiality, Integrity and Availability) and that may bring risks or damage to the Data Subjects. Examples of incidents are: unauthorized access, accidental or unlawful, resulting in data leakage, loss, destruction or alteration of personal data, among other forms of illicit or inappropriate data processing.
• Underages: refers to children (up to twelve years old) and teenagers (between twelve and eighteen).
• Privacy and Data Protection Standards: any and all national or international legislation that has been edited and promulgated to promote and protect the privacy and protection of personal data, such as: General Data Protection Regulation (“GDPR”) – Regulation (EU) 2016/679 - European Union; General Personal Data Protection Law (“LGPD”) – Law No. 13.709/2018 (Brazil); United Kingdom General Data Protection Regulation (“UK GDPR”) – United Kingdom; Legislative Decree No. 196/2003 and Legislative Decree No. 101/2018 – Italy; French Data Protection Act (“FDPA”) - Law No. 2018-493 and Decree No. 2018-687 (France); Ley de Protección de los Datos Personales – Law No. 25.326 (Argentina); Data Protection Law – HE 9/2018 – VP (Finland), Personal Data Protection Law and Habeas Action Law – Date No. 18.331/2008 – Uruguay.
• Program: refers to Beontag's Privacy and Personal Data Protection Program.
• Operator or operators: natural or legal person(s), public or private law, who performs the processing of personal data on behalf of the controller. Data processing Impact Report: personal data protection impact report is the controller's documentation that contains the specificities of certain data processing activities that may generate risks to the Data Subjects, providing measures, safeguards and risk mitigation mechanisms, whose purpose is to identify and mitigate the risks related to the protection of personal data in a given processing activity. 
• Third Parties: suppliers, partners, consortium members, service providers, or subcontractors of the Company, including, for example, consultants, lawyers, expediters, as well as individuals and legal entities that are commercial representatives of Beontag.
• Legitimate Interest Evaluation Test: this is a test to be conducted in parallel to the Impact Report, whenever the hypothesis of processing is the legitimate interest of Beontag and the Data Subject, to demonstrate whether the legitimate interest is applicable in the specific context and for the intended purpose, with analysis of the need, legitimacy, balance and safeguards. 
• Data Subject: natural person to whom the personal data that is the object of processing by Beontag refers, such as customers, employees, third parties, shareholders, candidates of the selection process, partners of a legal entity. 
• International transfer: transfer of personal data to another country and/or international organization, at any time of processing, including for mere storage. 
• Shared use of data: communication, dissemination, international transfer, interconnection of personal data or the shared treatment of personal databases by public agencies and entities, in compliance with their legal competencies, or between them and private entities, reciprocally, with specific authorization, for one or more treatment modalities permitted by those public entities, or between private entities.

5. ASSIGNMENTS AND RESPONSIBILITIES

It is the duty of everyone at Beontag and Third Parties with whom there is sharing or shared use of personal data, to carry out the processing of personal data in compliance with this Policy.

5.1. Upper Administration

The Upper Administration shall:

• Support the initiatives of the Person in Charge/DPO and Data Protection Committee by providing information and access to data, whenever necessary;
• Support the Person in Charge/DPO and the Data Protection Committee with financial resources and commitment to the Beontag Privacy and Data Protection Program;
• Encourage and apply good personal data processing practices on a daily basis at Beontag, ensuring that Beontag employees and their third parties adhere to the Company's internal policies and procedures;
• Formally approve the policies, goals and strategies related to Beontag's Privacy and Data Protection Program, as well as the necessary measures for its implementation and monitoring;
• Allow the Person in Charge/DPO to have access to all information, facilities and resources necessary for the execution of his/her duties at Beontag.

5.2. Data Protection Committee

The Data Protection Committee of Beontag is formed by the following areas:

• Compliance;
• Information Technology; and
• Legal.

As needed, the Beontag Data Protection Committee may request the participation of other areas.

The Committee's responsibilities are:

• To support the Person in Charge/DPO in the execution of his activities;
• To observe any regulatory, jurisprudential and good practice changes related to data protection;
• To execute the activities of the Privacy and Data Protection Policy before Beontag;
• To develop and to review the policies, procedures and other internal documents related to the Program;
• To propose goals and strategies related to the Privacy and Data Protection Program;
• To analyze the forms for recording new treatments of personal data, observing the legal, technical and administrative aspects, to approve or disapprove the treatment flow, with any adjustments and application of security measures;
• To prepare and review the data processing impact report and the legitimate interest assessment test, where applicable;
• To monitor the signs and resolve any security incidents, applying the appropriate remediation measures and recording the evidence;
• To monitor the guidelines of Supervisory Authorities and carry out any adjustments of the program to such guidelines;
• To assist the Person in Charge/DPO in communicating to the Data Subjects and the applicable Supervisory Authority in case of a security incident, in compliance with the Beontag Security Incident Crisis Management Procedure.

5.3. Data Protection Officer (DPO)/Person in Charge

• To receive requests, complaints and communications from the Data Subjects, as well as provide clarifications, adopt measures and address them internally when necessary, recording all appropriate evidence, according to the Request Procedure of the Data Subject of Beontag;
• To receive communications from the Supervisory Authority, as well as provide clarifications, adopt measures and address them internally when necessary; 
• To guide Employees, interns and Senior Management regarding the practices to be taken;
• To monitor the adequacy of personal data protection standards, as well as internal policies elaborated on this topic;  
  To conduct training related to the Program;
• To advise and monitor the preparation of an Impact Report on the Protection of Personal Data and a Legitimate Interest Assessment Test;
• To communicate with the agents responsible for data processing (controllers, co-controllers, operators/processors) with whom Beontag has a relationship and organize demands arising from such relationships;
• To perform the other duties determined by Beontag;
• To access and to ensure the information relevant to the processing of personal data at any time;
• Actively act in cases of security incident with personal data, in accordance with the Security Incident Crisis Management Procedure;
• To promote Beontag awareness and compliance measures to improve the Program;
• To manage and internally address any reports, requests and questions sent to the Beontag Privacy Channel.

5.4. Information Technology

• Perform continuous monitoring of Beontag's security standards, adjusting them whenever possible to security incident risks;
• To analyze the evidence of security incidents, technically, and applying the necessary measures;
• To propose measures and technical solutions for the protection of personal data at Beontag;
• To perform periodic tests on Beontag systems and environments to monitor and improve internal safety standards;
• To guide, together with the Person in Charge/DPO, on information security and technical protection of personal data within Beontag;
• To ensure security standards in line with the requirements of the applicable Privacy and Data Protection Standards, good market practices, as well as any new legal and regulatory requirements applicable to Beontag;
• To implement and improve internal tools and mechanisms that make it possible to guarantee the rights of the Data Subjects;
• To assist in security incidents involving personal data, in accordance with the Security Crisis Management Procedure;
• To present results and action plans related to security and information technology assessments to Senior Management for internal privacy and data protection improvement at Beontag.

5.5. Legal and Compliance

   • To inform and instruct employees and Third Parties continuously of this Policy and other instruments that are part of Beontag's Privacy and Personal Data Protection Program;  
   • To monitor the effectiveness of the Beontag Program, proposing applicable adequacy measures;  
   • To ensure the adequacy of contracts with Third Parties, through appropriate clauses to the Privacy and Data Protection Rules applicable to the specific case;  
   • To monitor the guidelines of Supervisory Authorities and jurisprudence of courts regarding the application of privacy and data protection laws, communicating to the Data Protection Committee, whenever necessary, about relevant updates to Beontag;  
   • To assist in conducting internal investigations related to privacy and data protection violations and Beontag Program Policies and Procedures.

5.6. Managers responsible 

   • To know and apply the operational procedures so that Beontag complies with the applicable Privacy and Data Protection Standards, as well as in relation to the processing carried out in its area;  
   • To communicate with the Person in Charge/DPO to formally register, from the Form for Registration of New Processing of Personal Data, any new activities involving processing of personal data related to the processes of the area under their management and send to the Data Protection Committee, which will analyze and approve or disapprove, with or without adjustments to be implemented;  
   • To monitor and participate in the activities of the Data Protection Committee, when requested;  
   • To participate in training and implement adequacy measures as required by the Working Group.

5.7. Marketing

   • To support the Data Protection Committee and the Person in Charge/DPO with actions to promote Beontag's culture of privacy and data protection;  
   • When necessary, assist in the analysis of risks to Beontag's image and reputation, with regard to privacy and data protection issues  
   • To advise the Data Protection Committee and the Person in Charge/DPO with disclosure of preventive measures for security incidents and crisis management procedures.

5.8. Employees or Third Parties 

   • To exercise the functions established in this document respecting the duties of loyalty, diligence and good faith;  
   • To avoid situations of conflict that may affect the interests of Beontag;  
   • To keep Beontag information confidential;  
   • To act actively in the prevention and protection of personal data about any security incidents;  
   • To comply with data retention and proper deletion guidelines in accordance with this Policy and the Data Retention and Erasure Policy. To inform the Data Protection Committee about improper retention of data or improper deletion;  
   • To collect consent from Data Subjects in cases where this is necessary, as provided in the Beontag Consent Management Policy;  
   • To comply with the guidelines proposed in this Policy and in the other materials of Beontag's Privacy and Personal Data Protection Program;  
   • To inform the manager of the department responsible for personal data about treatment for communication to the Data Protection Committee of new projects involving personal data.   
   • In the case of third parties, whenever it is necessary to have access to personal data of which Beontag is the controller of personal data, enter into a confidentiality agreement (NDA) and/or sign a contract in which there is a confidentiality and privacy clause and protection of personal data.

6. GENERAL PROVISIONS

6.1. General Concepts

6.1.1. Processing of Personal Data  
The processing of personal data is any operation carried out with the data, such as collection, production, reception, classification, adaptation, alteration, consultation, organization, structuring, dissemination, use, access, reproduction, transmission, distribution, processing, archiving, storage, disposal, evaluation or control of information, modification, communication, transfer, dissemination or extraction.   
By the broad legal definition, any above action involving personal data constitutes a treatment activity. The mere visualization, from the access to personal data, already characterizes the processing and, therefore, will be covered by the Privacy and Data Protection Standards.  
Beontag, concerned about the compliance of each processing carried out under its responsibility, seeks to raise awareness among its Employees and Third Parties to continuously adopt security measures.  
Examples of processing carried out by Beontag:  
   • Collection, reception, use and storage of personal data for registration of new customers and maintenance of the existing customer base;  
   • Collection of personal data for access to Company facilities;  
   • Control of employee information and transmission to public bodies in compliance with current laws;  
   • Archiving of personal data of third parties, for the legal deadline;  
   • Deletion of personal data of terminated employees, after the mandatory period of custody has elapsed.

6.1.2. Agents Responsible for the Processing of Personal Data

Controllers are responsible for the decisions to be made regarding the processing of personal data, while operators/processors are responsible for conducting the processing activities as determined by the controller.   
Also, there is the figure of the co-controller, which is the one who exercises joint controllership of personal data with other controllers, so that decision-making is collective competence and the attributions, responsibilities and burdens are determined in a formal agreement between the parties.  
Beontag will act sometimes as controller, sometimes as co-controller, sometimes as operator/processor, depending on the processing and the specific relationship.  
Whenever Beontag acts as a controller, co-controller or operator of personal data, it must:   
   • To handle personal data in accordance with the principles set forth in the item. 6.3 of this document and in accordance with applicable data protection laws;   
   • To conduct training and register the participation of senior leadership and key employees who deal with personal data;  
   • To ensure that individuals authorized to carry out any type of processing of personal data have committed to confidentiality or are under an appropriate obligation of confidentiality;   
   • To process personal data only in accordance with the instructions of the data controller or co-controller, unless otherwise required by the Supervisory Authority;   
   • To register all personal data treatment activities and sensitive personal data containing the department and the person responsible for each activity, the category of the data Subject, its purpose, types of data processed, its sources, with whom the data is shared, existence of international transfer of data, its retention period, systems used during the treatment activity, its proper legal basis, among other pertinent information;  
   • To prepare, record and file the personal data impact report (RIPD) whenever required by law, legal, administrative or institutional obligation;  
   • To implement appropriate technical and organisational measures to ensure proper data processing and in accordance with the applicable principles of privacy and protection of personal data;   
   • In case of transfer of Personal Data outside Brazil, apply the protection measures;   
   • To formalize the relationship with controllers, co-controllers and operators/processors through a contract, agreement or other formal legal act containing the applicable clauses and provisions;   
   • Do not appoint another operator/processor without specific prior authorization from the controller;  
   • To assist the controller in fulfilling its obligations with respect to obligations to the Supervisory Authority and Data Subjects, such as responding to requests related to the rights of Data Subjects (item 6.4 of this document);   
   • To notify the controller or co-controller within a reasonable time in relation to any personal data breach or incident with personal data;  
   • After the end of the provision of services, delete existing copies of personal data, at the request of the controller, unless the legislation requires the conservation of the data or is necessary for defense in judicial, administrative or arbitration proceedings;  
   • Make available to the data controller all information necessary to demonstrate compliance with its legal obligations and allow and cooperate with audits, including inspections, conducted by the controller or another auditor appointed by it;   
   • To carry out and register guarantees that the rights of the Data Subjects are fully fulfilled.

6.2. Relationship with Operators/Processors 

Whenever Beontag establishes a relationship with an agent that acts as an operator/processor of your personal data, it must ensure that the operator has in place appropriate technical, security and organizational measures to ensure compliance with principles and good practices that concern the privacy of the Data Subjects and protection of the personal data that will be processed. In addition, a contract or agreement must be entered into with this Operator defining its qualification and delimiting its attributions and obligations in relation to data protection.

6.3. Principles and Legal Bases

Beontag only carries out processing operations that are in line with the requirements of the applicable Privacy and Protection Standards. There will be no data processing that does not have a specific purpose in accordance with the applicable legislation. Beontag respects the essential principles for the processing of personal data.

6.3.1. Legal Bases

All personal data is processed by Beontag for legitimate and lawful purposes. Depending on the personal data and the specific purpose, as well as the location of the processing, Beontag will assign an adequate legal basis to process the data after careful analysis of the characteristics of the processing flow. There will be no processing without adequate compliance with the appropriate legal basis, in accordance with the law of the specific data processing jurisdiction.   
It is possible that the legal bases will change according to the course of the life cycle of the processing of personal data, resulting from the change in the purpose of the processing, which will consequently change the company's data mapping/inventory. Therefore, Beontag's mapping/inventory of personal data must be updated periodically, at least annually, and whenever necessary, to faithfully reflect the data processed by the Company and the proper purpose and corresponding legal basis. If, after updating, it is identified that there is no longer a legal basis for Beontag to continue the processing, it must be stopped immediately and the appropriate retention and disposal measures adopted.

 6.3.2. Principles

The principles represent fundamental elements that must be strictly considered in all data processing to ensure compliance with the Privacy and Data Protection Standards and global good practices. Beontag shall always process data in accordance with the principles below:  
(i) Legality and Justice  
All processing of personal data must take place on a valid and applicable legal basis, never in disagreement with any applicable legislation, always in a fair and balanced manner in the relationship with the Data Subjects.  
(ii) Transparency  
Beontag shall be clear, precise and unambiguous with Data Subjects so that they know, in all contexts, how and for what we process their personal data.  
Transparency includes accessibility and ease of communications with the Data Subjects so that there is maximum understanding about the performance of processing and the respective agents.  
(iii) Non-Discrimination  
Under no circumstances may personal data and sensitive personal data be processed for unlawful or abusive discriminatory purposes.  
(iv) Purpose   
The processing of the data must take place for legitimate, specific, explicit and informed purposes to the Data Subject, without the possibility of further processing in a manner incompatible with these purposes.

(v) Adequacy  
It refers to the compatibility of the processing with the purposes informed to the Data Subject, according to the context of the processing and in a manner consistent with one of the legal bases.   
(vi) Necessity and Minimization   
This is the limitation of the performance of the processing to the minimum necessary for the accomplishment of the intended purpose, covering only the relevant data, in a proportional and not excessive way.   
(vii) Free Access, Quality and Accuracy of Data   
To the Data Subjects, Beontag will guarantee the easy and free consultation on the form and duration of the processing, as well as accurate and clear information on the performance of the processing and the agents involved, provided that it does not violate commercial or industrial secrecy of Beontag or Third Party.  
We also ensure the quality, accuracy, relevance and updating of personal data, according to the need and for the fulfillment of the purpose of its processing.   
(viii) Security, Prevention and Limitation (Integrity and Confidentiality)   
Beontag adopts security standards appropriate to its operations, especially when they involve processing personal data, using technical and administrative measures capable of protecting personal data from security incidents.   
No personal data should be retained for longer than necessary, so Beontag periodically evaluates the retention periods of each data and adopts disposal measures, when necessary.  
All security measures implemented by Beontag, as well as the actions taken in relation to personal data throughout its processing are duly documented internally.  
(ix) Accountability and Responsibility  
Beontag adopts the necessary measures to demonstrate and prove the adoption of effective measures capable of proving compliance and compliance with the rules for the protection of personal data and even the effectiveness of such measures.   
We also assume that we are responsible for any form of processing of personal data that occurs within our organization, adopting a serious and respectful attitude towards the data and the respective Data Subjects. 

6.4. Rights of Data Subjects

Beontag ensures compliance with the rights of the Data Subjects of the processing of personal data that it carries out, in accordance with the provisions mentioned below:  
   • Right to Transparency of Information: It is the right of the Data Subjects to be informed in a clear and accessible way about the collection and use of their data by Beontag, and all the specificities related to the processing activities that occur within the scope of the Company.  
   • Right of Processing Confirmation and Right of Access: Data Subjects have the right to obtain confirmation that Beontag processes their personal data and to have access to specific information about their processing.  
   • Right of Rectification: The Data Subject of personal data may request rectification on the registration of his personal data, such as inaccurate, incorrect or outdated data;  
   • Right of Deletion/Right to Erasure: The Data Subject has the right to delete his/her personal data and may request the deletion, blocking or anonymization of his/her personal data processed by Beontag in certain cases. This may include, but is not limited to, circumstances in which it is no longer necessary for Beontag to retain your personal data for the purposes for which it was collected.   
   • Right to Restriction of Processing: The Data Subject may request the restriction or suppression of the processing of their personal data. In these cases, Beontag may store the personal data, but may not use them in some specific cases according to the specific request of the Data Subject and provided that there is no hypothesis in which such processing is necessary, such as legal or regulatory obligation.  
   • Right of Opposition: The Owner may object to the processing of data when it is based on legitimate interest.  
   • Right to Portability: The Data Subject may request the portability of his/her personal data to another service or product provider, upon express request. This practice makes it possible to transfer, transmit or copy personal data to a Third Party, so that there is security and the usability of the data is not affected.  
   • Right Related to Automated Decisions: Data Subjects have the right not to be subject to a decision based only on an automated process, including the definition of profiles, which produces direct or indirect legal effects to the Data Subject. Automated decision processes are those made by automated means that have no involvement of humans.  
In order to meet the requests of the Data Subjects, the Beontag has tools and mechanisms that aim at the speed and effectiveness in the response or observance of these rights, as well as the proper filing of the measures that are adopted in relation to this request, as detailed in the Request Procedure of the Data Subject.  
To this end, we make available a communication channel to Data Subjects, publicly accessible on our website. Which can be accessed by the following means: https://www.contatoseguro.com.br/beontag.

7. SPECIFIC GUIDELINES

7.1. Access to Personal Data

Beontag understands that improper access qualifies security incidents. For this reason, access is limited to employees who justifiably need personal data to conduct their activities, in line with the previously mapped treatment flows.

7.2. Retention and Disposal

The personal data processed by Beontag shall be permanently deleted, through systemic deletion or destruction of physical documents, as soon as they achieve their purposes, at the request of the Data Subject when applicable, or at the request of the Supervisory Authority.   
However, it is possible that Beontag retains the personal data, when authorized its conservation for specific hypotheses provided for by law.  
When personal data is retained after fulfilling its original purpose, it must be encrypted or anonymized to protect the identity of the data subject in the event of a personal data incident.  
With regard to the retention of personal data in cases where the data is processed for the purpose of exercising rights, both of activation of parties and of defense in legal, administrative or arbitration proceedings, the period provided for in specific laws of prescription and limitation of actions shall be observed for the purposes of data retention.   
During the period of any legal proceeding in which there may be a need for the use of data by the CCRR Group, such data may be stored following the CCRR Group's security measures, principles and internal guidelines regarding the processing of data for as long as the judicial discussion lasts.  
As established in the Personal Data Retention and Elimination Policy, the standard period of retention of personal data by the CCRR Group is 5 years after the termination of the link that gave rise to the processing of such data, such period is due to the statute of limitations, decay and tax periods generally adopted in national legislation.  
In exceptional cases where custody periods are not foreseen or clear in the current legislation or there is no peaceful understanding about the term, as well as where the feasibility of retention is under discussion, the Supervisor/DPO must analyze the situation and possibly trigger the Data Protection Committee to resolve to declare the retention period of a given document that contains personal and related data, always taking into account the guidelines of this policy and all other policies relating to privacy and data protection of the CCRR Group.

7.3. International Transfer

Beontag adopts restrictive conduct regarding the international transfer of personal data, understanding that it should not be carried out indiscriminately and only when strictly necessary for the conduct of its activities or when there is a security standard compatible with its guidelines, always in accordance with the provisions of the Privacy and Data Protection Standards, as established in the International Data Transfer Policy.

7.4. Processing of Personal Data of Minors

Beontag does not, as a rule, process personal data of minors (children and adolescents). However, there are times when it will be necessary to treat them. In these cases, the data will be processed in the best interest of the minor and in strict accordance with the legal hypotheses that allow such processing.  
The personal data of children and teenagers, as well as sensitive data, must be subject to greater protection compared to other personal data.

7.5. Privacy by Design and Privacy by Default 

In consideration of the principle of Privacy by Design, all products and services that are created by Beontag are subject to analysis to ensure the privacy and protection of personal data of the Data Subjects and compliance with all principles, guidelines and rules of the subject from the design phase to the launch/implementation of these products and services.

7.6. Disclosure of Personal Data to Third Parties

The Beontag must ensure that the personal data in its possession are not disclosed to unauthorized third parties, including family members or friends of its employees, private entities and government agencies, without the company's authorization or court order to do so.   
All employees must exercise caution when requested to disclose personal data to third parties and must seek authorization from the Data Protection Committee or the Person in charge/DPO to do so, including in the case of a court order.   
All requests to provide data to third parties must be supported by appropriate documentation and properly stored with the authorization of the Data Protection Committee or the Data Protection or Person in charge/DPO.

7.7. Data Protection Impact Assessment and Legitimate Interest Assessment 

The Data Protection Committee shall prepare, with the assistance of the Person in Charge/DPO and the other business departments of Beontag, the report of the impact assessment of personal data protection for Beontag's data processing activities.  
Such evaluation aims at an in-depth analysis of the risks involved with the processing carried out by Beontag, as well as technical, administrative and legal measures that should be implemented for greater security of personal data processed in specific flows.  
The content of the report should include a description of the processing processes of “common” personal data and sensitive personal data that may present risks to civil liberties and fundamental rights, as well as the technical, administrative and legal measures that should be implemented to mitigate risks and greater security of personal data processed in specific flows.   
In cases where the legal basis of legitimate interest is attributed, it will be necessary to prepare an assessment so that it is possible to consider whether this basis is appropriate for the treatment or not, and must be duly approved or disapproved by the Person in Charge/DPO.  
This is documentation from the controller containing the Legitimate Interest Impact Assessment, where the processing of personal data is based on legitimate interest, assessing whether the processing may create risks to civil liberties and fundamental rights through its legitimacy, necessity, balancing, and safeguards.

7.8. Security Incidents

Any suspected violations and incidents related to the processing of personal data carried out by Beontag or by third parties on its behalf must be immediately reported to the Person in Charge/DPO, according to the internal communication channels and guidelines provided for in the Security Incident Crisis Management Procedure.  
The Person in Charge/DPO will take all relevant information about the incident to the Data Protection Committee, so that they analyze the criticality and complexity of the occurrence and take the relevant measures and decisions.  
The application aims to prevent and mitigate losses arising from information security incidents or service disruptions directly affecting your information assets, trust between stakeholders, damage to reputation or market value.  
All possible measures should be provided in order to minimize all impacts caused, as well as recover the integrity of the data and its confidentiality.

8. TECHNICAL STANDARDS

Beontag will follow the technical, physical and digital standards for the protection of personal data, its integrity and confidentiality.

9. SAFETY MEASURES

9.1. Educational Actions

In order to train its employees, Beontag will conduct annual training on privacy and data protection, prepared by the Data Protection Committee and coordinated by the Person in Charge/DPO.  
Employees who are hired will also receive training, in order to understand basic concepts and observe compliance with Beontag's Privacy and Personal Data Protection Program.  
In addition, with the assistance of the Human Resources Department, other actions will be carried out to raise awareness and ensure compliance with the guidelines, such as:  
   • sending emails with newsletters/content pills on privacy and data protection topics, applicable standards and the Company Program.

9.2. Risk supervision and mitigation

Beontag's Privacy and Personal Data Protection Program will be overseen by the Data Protection Committee, from:  
   • The annual review of this Policy;  
   • Constant monitoring of signs of security incidents and documentation of implemented adequacy measures.   
The Compliance, Information Technology and Legal areas will also contribute to the supervision and mitigation of risks, from:  
   • Continuous monitoring of Beontag's safety standards;  
   • Analysis of the technical aspects of evidence of security incidents;  
   • Constant review and implementation of tools and mechanisms that ensure the security of personal data processed by Beontag.

10. PRIVACY CHANNEL

The Channel is an easily accessible means of communication between the Data Protection Officer/Person in Charge of Beontag and the Data Subjects of personal data, so that they can exercise their rights in contact with the Company. Beontag makes efforts to comply with requests within legal limits and reasonable limitations, and is always committed to the transparency and protection of personal data.  
In addition, the Privacy Channel may be used to report any violations related to privacy and protection of personal data, so that the Company can take the appropriate investigation, risk mitigation and action in relation to the specific case.  
The Privacy Channel can be accessed via: lgpd@beontag.com.  
Any questions, queries, clarifications, exceptions, requests regarding the application of this International Data Transfer Policy may also be sent directly to the Data Protection Committee through the email comitelgpd@beontag.com or to the Person in Charge by email lgpd@beontag.com.

11. INVESTIGATIONS AND SANCTIONS

Any complaints, even if suspected, of violations of this Policy will be forwarded to the Data Protection Committee and submitted to an internal investigation procedure by Beontag's Compliance Department. If it is found, after a robust investigation, that there has been a violation, sanctions may be applied by Beontag, proportional to the nature or severity of the infraction committed, according to resolution by the Data Protection Committee.  
Any Employee or Third Party that violates any provision of this Policy will be subject to disciplinary sanctions and related consequences, such as: (i) verbal or written warning; (ii) suspension; (iii) dismissal without cause; (iv) dismissal with cause; (v) exclusion of the Third Party from the Company's list of suppliers; (vi) filing of a relevant lawsuit.  
In addition, the person responsible for the practice of an unlawful act may suffer judicial and/or administrative punishments, in accordance with the legislation of the country in which there is jurisdiction.  
If Beontag is ordered to indemnify damages of a moral or material nature, proven in any judicial or administrative action of any nature, the harasser will be called to participate in the process or will be notified back to reimburse Beontag for the amounts spent, duly updated in the molds of current legislation.  
Failure to report violations of privacy or the integrity of personal data that represent a violation of Beontag's internal rules and applicable legislation constitutes non-compliance with this Policy and may be duly punished. Recklessness, negligence and willful failure are also considered violations of this Policy and may be subject to disciplinary sanctions.

12. FINAL PROVISIONS

This document must be read and interpreted in conjunction with the other Policies and Procedures adopted by Beontag related to Data Protection, as well as with related laws and regulations.  
This Policy, as well as the other documents that complement it, are available on the intranet or, in case of unavailability, may be requested from Beontag's Person in Charge/DPO.  
Any questions regarding this Policy should be addressed to the Data Protection Committee by email comitelgpd@beontag.com or to the Person in Charge by email lgpd@beontag.com.  
This Law enters into force on the date of its publication.

13 - DATA CONTROLLER AND CONTACT DETAILS

The DPO of Beontag group, chosen as the focal point of communication with data subjects and ANPD is Suzane Oliveira Silva, who can be contacted via email: lgpd@beontag.com.br and by telephone +55 (11) 99620-7865.