Internal Policy on

Data Protection Governance

This INTERNAL POLICY ON DATA PROTECTION GOVERNANCE - IKATEC (”Policy”) has been developed in respect and compliance with Law No. 13,709/2018 - General Data Protection Law (”LGPD”).

In this sense, IKATEC makes every effort to handle personal data, whether from its employees, clients, suppliers, partners, or third parties, with the highest level of security, caution, confidentiality, and compliance with LGPD and other applicable laws.

As an integral part of IKATEC, our employees must always ensure, in the performance of their activities, that the personal data they have access to is treated in accordance with LGPD, other applicable laws, and this Policy.

If you have any questions regarding your rights and responsibilities concerning the processing of personal data, or about this Policy, please contact IKATEC's Data Protection Officer at encarregado@ikatec.com.br

Chat interno

2. DEFINITIONS

In order to assist in the interpretation and application of this Policy, the following words, whether in the singular or plural form, should be understood as follows, for the comprehension of the terms used throughout this document:

Policy: Policy Internal Policy on Data Protection Governance

LGPD: Law No. 13,709/18 - General Data Protection Law

Personal Data :Any information relating to an identified or identifiable natural person (”Data Subject”). An identifiable natural person is one who can be directly or indirectly identified, especially by reference to an identifier (e.g., location data). Art. 5, I, of Law No. 13,709/2018.

Sensitive Personal Data: Any personal data concerning racial or ethnic origin, religious belief, political opinion, union membership, as well as health or sexual life data, genetic or biometric data, when linked to a natural person. Art. 5, II, of Law No. 13,709/2018.

Anonymization :Process by which data loses the possibility of direct or indirect association with a Data Subject, considering reasonable and available technical means at the time of processing. Art. 5, XI, of Law No. 13,709/2018.

Due Diligence: o exame detalhado de informações e documentos de uma pessoa física ou jurídica, com objetivos determinados (contratos em geral etc.).

Data Protection Officer: Person responsible for the protection of personal data at IKATEC and for communication with the National Data Protection Authority (ANPD) and data subjects.

Data Subject: Natural person to whom personal data refers. Art. 5, V, of Law No. 13,709/2018.

Processing: Any operation performed with personal data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation, or control of information, modification, communication, transfer, dissemination, or extraction. Art. 5, X, of Law No. 13,709/2018.

Controller: Natural or legal person with decision-making power over the processing of personal data. Art. 5, VI, of Law No. 13,709/2018.

Processor: Natural or legal person who processes personal data on behalf of the controller. Art. 5, VII, of Law No. 13,709/2018.

ANPD: National Data Protection Authority.

Partner: Any individual or legal entity linked to Ikatec through a contract.

Chat interno

3 - POLICY OBJECTIVE

IKATEC, in the course of its business activities, processes personal data of individuals related to its internal structure, as well as third parties directly or indirectly related to its business.

Therefore, this Policy aims to serve as a fundamental pillar for all internal practices and processes of IKATEC regarding the processing of personal data. It also demonstrates the commitment to protect the rights of employees, customers, suppliers, partners, and third parties. This policy ensures compliance with regulations, transparency in data processing, and the mitigation of information security incidents, based on the following principles:

Ícone transfer

Purpose: Personal data will only be processed for specific and legitimate purposes, with explicit and informed consent from the data subject. Any subsequent processing must be compatible with the initially identified purposes.

Ícone transfer

Adequacy: The processing of personal data must be compatible with the purposes informed to the data subject, in line with the context of the processing.

Ícone transfer

Necessity: Personal data processing should be limited to the minimum necessary for achieving the specified purposes, ensuring the relevance, proportionality, and non-excessiveness of the data collected.

Ícone transfer

Free Access: Data subjects will have facilitated and free access to information regarding the processing, duration, and entirety of their personal data.

Ícone transfer

Data Quality: Processed personal data must be clear, accurate, relevant, and up-to-date, based on their necessity and intended purposes. Outdated or irrelevant data should not be processed for the specified purposes.

Ícone transfer

Transparency: IKATEC will provide data subjects with clear, precise, and easily accessible information about the processing, including details about data controllers and processors, while respecting trade secrets and industrial information.

Ícone transfer

Security: IKATEC will implement security measures, both technical and administrative, to protect personal data from unauthorized access and accidental or unlawful destruction, loss, alteration, communication, or dissemination.

Ícone transfer

Prevention: IKATEC will adopt measures to prevent harm resulting from the processing of personal data.

Ícone transfer

Non-Discrimination: IKATEC will never process data for illicit or abusive discriminatory purposes.

Ícone transfer

Accountability and Compliance: IKATEC will take effective measures to demonstrate compliance with data protection regulations and the effectiveness of these measures.

Furthermore, IKATEC believes that ensuring the legitimate, correct, and transparent processing of personal data is essential for the success of its activities and business, as well as for maintaining its image and credibility with stakeholders, employees, customers, suppliers, partners, third parties, the general public, society, and the ANPD. In case of conflicts between the provisions of this Policy and applicable data protection laws, the latter will prevail.

4. SCOPE OF THE POLICY

This Policy applies to all employees who, in the course of their activities, may come into contact with personal data processed by IKATEC or on its behalf.

Additional policies may be created in specific cases, especially when required by law or regulations.

5. HYPOTHESES OF PROCESSING PERSONAL DATA

5.1. COMMON PERSONAL DATA

Regarding the processing of non-sensitive personal data, IKATEC will only process data under the hypotheses authorized by the LGPD. The following are some applicable provisions:

· When necessary for compliance with a legal or regulatory obligation of the controller (Art. 7, II, Law No. 13,709/2018);· When necessary for the execution of a contract or related preliminary procedures in which the data subject is a party (Art. 7, V, Law No. 13,709/2018);· When necessary for the regular exercise of rights in a judicial, administrative, or arbitration process (Art. 7, VI, Law No. 13,709/2018);· When necessary to meet the legitimate interests of IKATEC or third parties, except when the data subject's fundamental rights and freedoms prevail (Art. 7, IX, Law No. 13,709/2018);· For credit protection purposes (Art. 7, X, Law No. 13,709/2018).

In exceptional cases, IKATEC will seek the data subject's consent, which must be freely given, specific, informed, and unambiguous, for designated purposes. This legal basis will only be used as a last resort when no other legal basis justifies the processing of personal data (Art. 5, XII, and Art. 7, I, Law No. 13,709/2018).

5.2. SENSITIVE PERSONAL DATA

IKATEC may also process sensitive personal data based on the hypotheses provided by Article 11 of the LGPD, provided that potential risks are evaluated in conjunction with the Data Protection Officer or the Privacy Working Group, according to the criticality of the data involved.

6. PRIVACY AND PERSONAL DATA TREATMENT PROGRAM

For IKATEC's privacy and personal data treatment program to be effective and yield positive results, it is essential that employees observe the following procedures and consistently apply them during the processing of personal data. Let's take a look:

6.1. Governance

Through its Data Privacy Governance, IKATEC has adopted the hybrid operational structure described below to ensure that the processing of personal data adheres to all aspects of this Policy and complies with all legal obligations. Additionally, all privacy-related actions are well defined, documented, and registered.

The Data Privacy Governance aims to organize and implement policies, procedures, structures, and the company's culture, as well as roles and responsibilities for each data processing agent to address current and future privacy-related issues.

6.2. Responsible Parties for the Privacy Program

The management and implementation of the privacy and personal data protection program should be led, managed, and controlled by the Privacy Working Group and the Data Protection Officer. This facilitates content control, publication dates, review deadlines, and other measures and procedures involving this Policy.

6.3. Privacy Working Group

The Privacy Working Group's main objectives, but not limited to, are to manage and ensure the application of the privacy and personal data protection program. The group should meet monthly/quarterly or whenever necessary to present and monitor IKATEC's privacy and personal data protection program. It should be composed of a hybrid model, including key members from different areas of the company capable of deliberating and deciding on privacy and data protection matters, as follows:

· Data Protection Officer;· Leaders from each major team (HR, DP, Sales, Marketing, Legal Department, etc.);· Information Technology Department.

The Privacy Working Group may autonomously deliberate and make decisions regarding low and medium-risk processing activities. However, for those assessed as high or very high risk, the decision must be escalated to the responsible director at IKATEC.

6.4. Training

All IKATEC employees involved in personal data processing activities should receive periodic training, determined by the Privacy Working Group, specifically covering:

• General Privacy and Data Protection concepts, including the presentation of this Policy and study materials on LGPD principles;• Specific Privacy and Data Protection concepts applied to each area's activities;• Atualizações envolvendo a ANPD e a LGPD;• How to use security controls for IT systems related to daily work;• How to avoid falling victim to common security incidents, such as virus contamination or phishing attacks, for example, by clicking on links received in the form of pop-up promotional offers or unknown emails;• Keeping physical documents containing personal data in drawers and not on desks.

6.5. Data Processing Operations Record

IKATEC must maintain the Personal Data Processing Operations Record (”ROPA”) and update it quarterly or whenever there is a change in the flow of processing activities.

Chat interno

7 - Transparency

All activities of IKATEC involving the processing of personal data of external data subjects (third parties, partners, customers, etc.) must comply with the Privacy Policies available on the website (ikatec.com.br) and this Policy. All operations involving the processing of personal data of internal data subjects (employees) must comply with this Policy, the contract between the parties, and internal data protection communications.

8. Security

To ensure the security of the personal data processed in the course of its activities and to prevent unauthorized or non-authorized access, loss, destruction, or any other action that compromises the integrity, availability, or confidentiality of such information, IKATEC implements all measures suggested by the National Data Protection Authority (ANPD) in its Orientative Guide for Small-Scale Data Controllers. This includes a variety of technologies and security procedures to help protect personal data. The Working Group, the Data Protection Officer, and the Information Technology Department of IKATEC shall work together to keep all processed personal data secure at all times, mitigating the risks associated with any information security incidents.

9. Data Collection, Use, Storage, and Deletion

All activities involving the processing of personal data by IKATEC must comply with all the principles outlined in this Policy and must always be attributed to a specific legal basis.

9.1 Data Collection of Personal Data

The procedure for collecting personal data should be limited to the essential data necessary for fulfilling the specific purpose informed to the data subject, always considering the need to keep the collected data updated.

Direct Data Collection: This type of data collection occurs when the data subject provides their personal data directly, for example, when entering into a contract with the company. In such cases, data subjects must be informed, before the collection, about all the details related to the data processing activity.

Indirect Data Collection: This type of data collection occurs when the data subject does not consciously provide their data, for example, through cookies.

Data Collection by Third Parties: This type of data collection occurs when the data subject provides their data to a particular company, and due to the nature of the business activity, it becomes necessary to share the personal data with a third party not directly connected to the company's business. In such cases, data subjects must be informed in advance, for example, in the Privacy Policies, Terms of Use, and Contracts that include the clause on privacy and protection of personal data, as per the guidance from the legal department and the Data Protection Officer, who must ensure the integrity of all third parties involved.

9.2 USE OF PERSONAL DATA

The use of personal data must be limited to the expectations that the data subject has when providing the information (including cases where the data collection was done indirectly or by third parties). In the event that there is a need to change the purpose previously informed to the data subject, they must be informed again about the intentions and assess the need for any adjustments.

9.3 STORAGE AND DELETION OF PERSONAL DATA

The storage of personal data should be done for the minimum time necessary to meet the intended purpose and comply with any legal obligations that regulate the specific data processing activity, following the Data Retention Policy. Once the purpose has been fulfilled and the legal retention periods have been observed, the data should be deleted through appropriate means.

10. PROCESSING OF SENSITIVE PERSONAL DATA

Data protection legislation classifies certain types of personal data as sensitive due to their potential to generate discrimination against the data subject. The LGPD classifies the following information as sensitive personal data: racial or ethnic origin, religious beliefs, political opinions, membership in a union or religious, philosophical, or political organization, health or sexual life data, genetic or biometric data related to an individual.

In order for the processing of sensitive personal data to be considered lawful and legitimate, these activities must be based on one of the legal grounds provided by the LGPD. They should also receive the highest priority in terms of security, as per the company's policies and applicable legislation.

11. PROCESSING OF PERSONAL DATA OF CHILDREN AND ADOLESCENTS

The processing of personal data of ”children” and ”adolescents” will be treated exceptionally. For these cases, it can only be carried out after obtaining specific and prominent consent from at least one of the parents or the legal guardian. Information about the type of data collected, its use, and the guarantees of other rights of the data subjects protected by the law must be made public.

12. IMPACT REPORT ON PERSONAL DATA PROTECTION

The LGPD defines in Article 5, XVII, that the Impact Report on Personal Data Protection (RIPD) is a ”controller's documentation that contains the description of the processes of personal data processing that may generate risks to civil liberties and fundamental rights, as well as measures, safeguards, and risk mitigation mechanisms.” In other words, when a data processing process is found to potentially pose risks to civil liberties and fundamental rights of data subjects, an RIPD must be prepared to mitigate these risks.

Although required by law, the ANPD has not yet issued regulations or guidelines on the RIPD, which sometimes leads to its indiscriminate use, deviating its purpose as a privacy risk management tool.

According to the ANPD's regulatory agenda, the RIPD is currently in its first phase of the regulatory process, with completion scheduled for the second half of 2022.

Therefore, until the ANPD provides the necessary regulations, the RIPD is not mandatory, as we can observe in the LGPD. However, it may become mandatory according to future regulations and determinations by the ANPD, which may identify activities that require the preparation of this instrument.

Nevertheless, as described in Article 10, § 3 of the LGPD, the ”national authority may request the controller to provide a report on the impact on personal data protection when the processing is based on the legitimate interest of the controller, taking into account trade and industrial secrets.” In this case, the preparation of the RIPD becomes mandatory.

Therefore, it is essential to assess each specific case through a mapping of personal data to determine whether the preparation of the RIPD is necessary, particularly in cases involving high-risk processing or whether continuous monitoring of the processing can be conducted within the Register of Processing Operations (ROPA).

13 - DATA SUBJECT RIGHTS

In every data processing activity, IKATEC must seek to guarantee the rights of data subjects as listed below. In all cases, the identity of the requesting data subjects must be verified, and the process should be conducted under the guidance of the Data Protection Officer (Encarregado).

Regarding the receipt of requests to exercise data subject rights, IKATEC has a communication channel available through the email address: encarregado@ikatec.com.br

Such requests can be made by employees, customers, suppliers, partners, and third parties who have personal data under IKATEC's processing scope. The data subject requests must always be validated by the Data Protection Officer and the Legal Department.

Chat interno

• Right of access: You have the right to access any personal data we hold about you (subject to certain restrictions). In exceptional circumstances, we may charge a reasonable fee for providing such access, but only when permitted by law (e.g., when your request is manifestly unfounded or excessive);

• Right to rectification: You have the right to request the rectification of information you believe is inaccurate. You also have the right to ask us to complete information you believe is incomplete;

• Right to erasure: In some cases, you have the right to have your personal data erased or deleted. Note that this is not an absolute right, as we may have legal or legitimate reasons to retain your personal data;

• Right to restriction of processing: You have the right to ask us to restrict the processing of your information in certain circumstances;

• Right to object to processing: You have the right to object to processing if we are able to process your information on the basis of legitimate interests pursued or for purposes other than those for which the personal data was collected;

• Right to data portability: This applies only to information you have provided to us. You have the right to request the transfer of information you have given us to another organization, or to have it provided to you. The right applies only if we are processing information based on your consent or under, or in talks about entering into a contract, and the processing is automated;

• Right to withdraw consent at any time for processing personal data based on consent: You can withdraw your consent to our processing of your personal data where such processing is based on consent. When you withdraw your consent, it does not affect the lawfulness of our processing prior to your withdrawal.

14. COMMUNICATION CHANNEL

As mentioned in the previous item, IKATEC has a communication channel available through the email address: encarregado@ikatec.com.br, provided to data subjects for submitting requests related to their rights, according to articles 17 to 22 of Law 13.709/2018 - General Data Protection Law. The Data Protection Officer is responsible for accepting complaints and communications, providing clarifications or taking actions of interest to data subjects, as well as receiving communications from the National Data Protection Authority (ANPD), in addition to other duties established by law or by the ANPD.

14.1. RESPONSE PROTOCOL

Data subjects (employees, third parties, partners, customers, etc.) must submit requests for their rights by email to the above-mentioned email address. After receiving requests to exercise data subject rights, the Data Protection Officer will analyze them with the Legal Department, and in the case of a straightforward response, will provide a reply within 24 (twenty-four) business hours to the data subject. In cases where a more comprehensive response is required, the response will be provided within 15 (fifteen) days from the date of the data subject's request. The service will be provided free of charge, electronically, and with confirmation that the requester is the data subject or their legally appointed representative. IKATEC may request additional documentation to verify the requester's identity or representation, always ensuring data subject privacy.

15. INTERNATIONAL TRANSFER OF PERSONAL DATA

The LGPD does not prohibit the international transfer of data and allows it in the following cases:

Article 33. The international transfer of personal data is only allowed in the following cases:

I - to countries or international organizations that provide a level of personal data protection equivalent to that established in this Law;

II - when the data controller offers and proves compliance guarantees with the principles, rights of data subjects, and data protection rules provided in this Law, in the form of:

a) specific contractual clauses for a particular transfer;b) standard contractual clauses;c) global corporate rules;d) seals, certificates, and regularly issued codes of conduct.

III - when the transfer is necessary for international legal cooperation between public intelligence, investigation, and prosecution agencies, in accordance with international law instruments;

IV - when the transfer is necessary for the protection of the life or physical integrity of the data subject or a third party;

V - when authorized by the national authority;

VI - when the transfer results from a commitment undertaken in an international cooperation agreement;

VII - when the transfer is necessary for the execution of public policy or legal attribution of public service, with publicity as provided for in item I of the caput of article 23 of this Law;

VIII - when the data subject has provided their specific and prominent consent for the transfer, with prior information about the international nature of the operation, clearly distinguishing it from other purposes; or

IX - when necessary to meet the hypotheses provided for in items II, V, and VI of article 7 of this Law.

The level of data protection in the foreign country will be evaluated by the ANPD, but at the moment, we do not have any regulations on the subject. Additionally, in the future, the ANPD may define the content of standard contractual clauses, global corporate rules, seals, certificates, and codes of conduct to better guide us on this transfer.

In this regard, in the event of an international transfer of personal data, IKATEC must adopt technical and administrative measures capable of protecting personal data from unauthorized access and accidental or unlawful destruction, loss, alteration, communication, or dissemination, and necessary to ensure the integrity, availability, and confidentiality of personal data, in accordance with ANPD regulations.

16. VALIDITY

This Policy was reviewed and approved on 11/06/2023 by the Board, so that this document remains in force, and will be revised within a maximum period of one (01) year or, if necessary, in a shorter period, so that the document always remains up to date.

Cookie Consent

This website uses cookies to help the website function and to track how you interact with it so that we can provide you with an improved and personalized user experience. We will only use cookies if you agree to it by clicking Accept.

View cookiesAccept