2. DEFINITIONS

In order to assist in the interpretation and application of this Policy, the following words, whether in the singular or plural form, should be understood as follows, for the comprehension of the terms used throughout this document:

Policy: Policy Internal Policy on Data Protection Governance

LGPD: Law No. 13,709/18 - General Data Protection Law

Personal Data :Any information relating to an identified or identifiable natural person (”Data Subject”). An identifiable natural person is one who can be directly or indirectly identified, especially by reference to an identifier (e.g., location data). Art. 5, I, of Law No. 13,709/2018.

Sensitive Personal Data: Any personal data concerning racial or ethnic origin, religious belief, political opinion, union membership, as well as health or sexual life data, genetic or biometric data, when linked to a natural person. Art. 5, II, of Law No. 13,709/2018.

Anonymization :Process by which data loses the possibility of direct or indirect association with a Data Subject, considering reasonable and available technical means at the time of processing. Art. 5, XI, of Law No. 13,709/2018.

Due Diligence: o exame detalhado de informações e documentos de uma pessoa física ou jurídica, com objetivos determinados (contratos em geral etc.).

Data Protection Officer: Person responsible for the protection of personal data at IKATEC and for communication with the National Data Protection Authority (ANPD) and data subjects.

Data Subject: Natural person to whom personal data refers. Art. 5, V, of Law No. 13,709/2018.

Processing: Any operation performed with personal data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation, or control of information, modification, communication, transfer, dissemination, or extraction. Art. 5, X, of Law No. 13,709/2018.

Controller: Natural or legal person with decision-making power over the processing of personal data. Art. 5, VI, of Law No. 13,709/2018.

Processor: Natural or legal person who processes personal data on behalf of the controller. Art. 5, VII, of Law No. 13,709/2018.

ANPD: National Data Protection Authority.

Partner: Any individual or legal entity linked to Ikatec through a contract.

4. SCOPE OF THE POLICY

This Policy applies to all employees who, in the course of their activities, may come into contact with personal data processed by IKATEC or on its behalf.

Additional policies may be created in specific cases, especially when required by law or regulations.

5. HYPOTHESES OF PROCESSING PERSONAL DATA

5.1. COMMON PERSONAL DATA

Regarding the processing of non-sensitive personal data, IKATEC will only process data under the hypotheses authorized by the LGPD. The following are some applicable provisions:

In exceptional cases, IKATEC will seek the data subject's consent, which must be freely given, specific, informed, and unambiguous, for designated purposes. This legal basis will only be used as a last resort when no other legal basis justifies the processing of personal data (Art. 5, XII, and Art. 7, I, Law No. 13,709/2018).

5.2. SENSITIVE PERSONAL DATA

IKATEC may also process sensitive personal data based on the hypotheses provided by Article 11 of the LGPD, provided that potential risks are evaluated in conjunction with the Data Protection Officer or the Privacy Working Group, according to the criticality of the data involved.

6. PRIVACY AND PERSONAL DATA TREATMENT PROGRAM

For IKATEC's privacy and personal data treatment program to be effective and yield positive results, it is essential that employees observe the following procedures and consistently apply them during the processing of personal data. Let's take a look:

6.1. Governance

Through its Data Privacy Governance, IKATEC has adopted the hybrid operational structure described below to ensure that the processing of personal data adheres to all aspects of this Policy and complies with all legal obligations. Additionally, all privacy-related actions are well defined, documented, and registered.

The Data Privacy Governance aims to organize and implement policies, procedures, structures, and the company's culture, as well as roles and responsibilities for each data processing agent to address current and future privacy-related issues.

6.2. Responsible Parties for the Privacy Program

The management and implementation of the privacy and personal data protection program should be led, managed, and controlled by the Privacy Working Group and the Data Protection Officer. This facilitates content control, publication dates, review deadlines, and other measures and procedures involving this Policy.

6.3. Privacy Working Group

The Privacy Working Group's main objectives, but not limited to, are to manage and ensure the application of the privacy and personal data protection program. The group should meet monthly/quarterly or whenever necessary to present and monitor IKATEC's privacy and personal data protection program. It should be composed of a hybrid model, including key members from different areas of the company capable of deliberating and deciding on privacy and data protection matters, as follows:

The Privacy Working Group may autonomously deliberate and make decisions regarding low and medium-risk processing activities. However, for those assessed as high or very high risk, the decision must be escalated to the responsible director at IKATEC.

6.4. Training

All IKATEC employees involved in personal data processing activities should receive periodic training, determined by the Privacy Working Group, specifically covering:

6.5. Data Processing Operations Record

IKATEC must maintain the Personal Data Processing Operations Record (”ROPA”) and update it quarterly or whenever there is a change in the flow of processing activities.

8. Security

To ensure the security of the personal data processed in the course of its activities and to prevent unauthorized or non-authorized access, loss, destruction, or any other action that compromises the integrity, availability, or confidentiality of such information, IKATEC implements all measures suggested by the National Data Protection Authority (ANPD) in its Orientative Guide for Small-Scale Data Controllers. This includes a variety of technologies and security procedures to help protect personal data. The Working Group, the Data Protection Officer, and the Information Technology Department of IKATEC shall work together to keep all processed personal data secure at all times, mitigating the risks associated with any information security incidents.

9. Data Collection, Use, Storage, and Deletion

All activities involving the processing of personal data by IKATEC must comply with all the principles outlined in this Policy and must always be attributed to a specific legal basis.

9.1 Data Collection of Personal Data

The procedure for collecting personal data should be limited to the essential data necessary for fulfilling the specific purpose informed to the data subject, always considering the need to keep the collected data updated.

Direct Data Collection: This type of data collection occurs when the data subject provides their personal data directly, for example, when entering into a contract with the company. In such cases, data subjects must be informed, before the collection, about all the details related to the data processing activity.

Indirect Data Collection: This type of data collection occurs when the data subject does not consciously provide their data, for example, through cookies.

Data Collection by Third Parties: This type of data collection occurs when the data subject provides their data to a particular company, and due to the nature of the business activity, it becomes necessary to share the personal data with a third party not directly connected to the company's business. In such cases, data subjects must be informed in advance, for example, in the Privacy Policies, Terms of Use, and Contracts that include the clause on privacy and protection of personal data, as per the guidance from the legal department and the Data Protection Officer, who must ensure the integrity of all third parties involved.

9.2 USE OF PERSONAL DATA

The use of personal data must be limited to the expectations that the data subject has when providing the information (including cases where the data collection was done indirectly or by third parties). In the event that there is a need to change the purpose previously informed to the data subject, they must be informed again about the intentions and assess the need for any adjustments.

9.3 STORAGE AND DELETION OF PERSONAL DATA

The storage of personal data should be done for the minimum time necessary to meet the intended purpose and comply with any legal obligations that regulate the specific data processing activity, following the Data Retention Policy. Once the purpose has been fulfilled and the legal retention periods have been observed, the data should be deleted through appropriate means.

10. PROCESSING OF SENSITIVE PERSONAL DATA

Data protection legislation classifies certain types of personal data as sensitive due to their potential to generate discrimination against the data subject. The LGPD classifies the following information as sensitive personal data: racial or ethnic origin, religious beliefs, political opinions, membership in a union or religious, philosophical, or political organization, health or sexual life data, genetic or biometric data related to an individual.

In order for the processing of sensitive personal data to be considered lawful and legitimate, these activities must be based on one of the legal grounds provided by the LGPD. They should also receive the highest priority in terms of security, as per the company's policies and applicable legislation.

11. PROCESSING OF PERSONAL DATA OF CHILDREN AND ADOLESCENTS

The processing of personal data of ”children” and ”adolescents” will be treated exceptionally. For these cases, it can only be carried out after obtaining specific and prominent consent from at least one of the parents or the legal guardian. Information about the type of data collected, its use, and the guarantees of other rights of the data subjects protected by the law must be made public.

12. IMPACT REPORT ON PERSONAL DATA PROTECTION

The LGPD defines in Article 5, XVII, that the Impact Report on Personal Data Protection (RIPD) is a ”controller's documentation that contains the description of the processes of personal data processing that may generate risks to civil liberties and fundamental rights, as well as measures, safeguards, and risk mitigation mechanisms.” In other words, when a data processing process is found to potentially pose risks to civil liberties and fundamental rights of data subjects, an RIPD must be prepared to mitigate these risks.

Although required by law, the ANPD has not yet issued regulations or guidelines on the RIPD, which sometimes leads to its indiscriminate use, deviating its purpose as a privacy risk management tool.

According to the ANPD's regulatory agenda, the RIPD is currently in its first phase of the regulatory process, with completion scheduled for the second half of 2022.

Therefore, until the ANPD provides the necessary regulations, the RIPD is not mandatory, as we can observe in the LGPD. However, it may become mandatory according to future regulations and determinations by the ANPD, which may identify activities that require the preparation of this instrument.

Nevertheless, as described in Article 10, § 3 of the LGPD, the ”national authority may request the controller to provide a report on the impact on personal data protection when the processing is based on the legitimate interest of the controller, taking into account trade and industrial secrets.” In this case, the preparation of the RIPD becomes mandatory.

Therefore, it is essential to assess each specific case through a mapping of personal data to determine whether the preparation of the RIPD is necessary, particularly in cases involving high-risk processing or whether continuous monitoring of the processing can be conducted within the Register of Processing Operations (ROPA).

• Right of access: You have the right to access any personal data we hold about you (subject to certain restrictions). In exceptional circumstances, we may charge a reasonable fee for providing such access, but only when permitted by law (e.g., when your request is manifestly unfounded or excessive);

• Right to rectification: You have the right to request the rectification of information you believe is inaccurate. You also have the right to ask us to complete information you believe is incomplete;

• Right to erasure: In some cases, you have the right to have your personal data erased or deleted. Note that this is not an absolute right, as we may have legal or legitimate reasons to retain your personal data;

• Right to restriction of processing: You have the right to ask us to restrict the processing of your information in certain circumstances;

• Right to object to processing: You have the right to object to processing if we are able to process your information on the basis of legitimate interests pursued or for purposes other than those for which the personal data was collected;

• Right to data portability: This applies only to information you have provided to us. You have the right to request the transfer of information you have given us to another organization, or to have it provided to you. The right applies only if we are processing information based on your consent or under, or in talks about entering into a contract, and the processing is automated;

• Right to withdraw consent at any time for processing personal data based on consent: You can withdraw your consent to our processing of your personal data where such processing is based on consent. When you withdraw your consent, it does not affect the lawfulness of our processing prior to your withdrawal.

14. COMMUNICATION CHANNEL

As mentioned in the previous item, IKATEC has a communication channel available through the email address: encarregado@ikatec.com.br, provided to data subjects for submitting requests related to their rights, according to articles 17 to 22 of Law 13.709/2018 - General Data Protection Law. The Data Protection Officer is responsible for accepting complaints and communications, providing clarifications or taking actions of interest to data subjects, as well as receiving communications from the National Data Protection Authority (ANPD), in addition to other duties established by law or by the ANPD.

14.1. RESPONSE PROTOCOL

Data subjects (employees, third parties, partners, customers, etc.) must submit requests for their rights by email to the above-mentioned email address. After receiving requests to exercise data subject rights, the Data Protection Officer will analyze them with the Legal Department, and in the case of a straightforward response, will provide a reply within 24 (twenty-four) business hours to the data subject. In cases where a more comprehensive response is required, the response will be provided within 15 (fifteen) days from the date of the data subject's request. The service will be provided free of charge, electronically, and with confirmation that the requester is the data subject or their legally appointed representative. IKATEC may request additional documentation to verify the requester's identity or representation, always ensuring data subject privacy.

15. INTERNATIONAL TRANSFER OF PERSONAL DATA

The LGPD does not prohibit the international transfer of data and allows it in the following cases:

The level of data protection in the foreign country will be evaluated by the ANPD, but at the moment, we do not have any regulations on the subject. Additionally, in the future, the ANPD may define the content of standard contractual clauses, global corporate rules, seals, certificates, and codes of conduct to better guide us on this transfer.

In this regard, in the event of an international transfer of personal data, IKATEC must adopt technical and administrative measures capable of protecting personal data from unauthorized access and accidental or unlawful destruction, loss, alteration, communication, or dissemination, and necessary to ensure the integrity, availability, and confidentiality of personal data, in accordance with ANPD regulations.

16. VALIDITY

This Policy was reviewed and approved on 11/06/2023 by the Board, so that this document remains in force, and will be revised within a maximum period of one (01) year or, if necessary, in a shorter period, so that the document always remains up to date.