CNAGA, seeking to reflect the support of its senior management to its privacy and personal data protection guidelines, has created this Personal Data Governance Policy (the “POLICY”), which will be governed by the terms and conditions below:

1. What is personal data governance?
Personal data governance is a set of practices that aim to optimize the management of personal data flows within an organization, to ensure the privacy and protection of personal data by assigning responsibilities to an organizational structure, created especially to mitigate the risks to civil liberties and protect the fundamental rights of the data subjects.

For purposes of the Brazilian legislation, personal data is any information related to an identified or identifiable natural person. Such data can be direct, i.e., attributable to a specific data subject without any additional information (e.g., full name, Individual Taxpayer’s ID (CPF), photo, biometrics, DNA); or indirect, i.e., requiring additional information before the data subject can be determined (e.g., incomplete name, gender, country of residence, operating system).

The law also defines so-called sensitive personal data, which is data concerning racial or ethnic origin, religious conviction, political opinion, membership of a union or of a religious, philosophical or political organization, data concerning health or sex life, among others. Also for the purposes of the legislation, the controller is the natural or legal person responsible for decisions concerning the processing of personal data, while the operator is the natural or legal person who carries out the processing of personal data on behalf of the controller.

According to Article 50 of the General Data Protection Law (“LGPD”), “controllers and operators, within the scope of their competencies, for the processing of personal data, individually or through associations, may formulate good practice and governance rules that establish the organizational conditions, the operating regime, the procedures, including complaints and petitions by data subjects, security norms, technical standards, specific obligations for the various parties involved in the processing, educational actions, internal oversight and risk mitigation mechanisms, and other aspects related to the processing of personal data.”

2. How does CNAGA apply Data Governance in its actions?
CNAGA practices data governance daily in its processes and flows, both internal and external. To this end, it lists and organizes all personal data existing in the company, including all processes and operations for processing this data. It also exercises governance through the following procedures:

  • Culture and awareness: CNAGA encourages awareness among its administrators, employees, partners and suppliers of good privacy and data protection practices. In line with best market practices, awareness programs and regular training on this topic are also carried out.
  • Implementation of various Privacy and Personal Data Protection Policies: CNAGA has five (5) policies applicable to Privacy and Personal Data Protection, in accordance with the LGPD:
    • This POLICY, which encompasses guidelines on (i) the practices adopted for personal data management in the organization; (ii) the policies applicable to the topic; and (iii) the composition and attributions of CNAGA’s personal data governance structure, also bringing information on the DPO, on its respective support structure and on the Personal Data Privacy and Protection Committee;
    • The General Policy on Privacy and Protection of Personal Data, which includes guidelines on (i) the LGPD and its basic principles; (ii) the rights of data subjects and how to exercise them; (iii) the types of personal data that are processed at CNAGA; and (iv) the consent management process;
    • The Cookie Policy, which comprises guidelines on (i) what cookies are, what types exist and what their respective functions are; (ii) what types of cookies are used on the CNAGA website; and (iii) how to disable these cookies and what the consequences of doing so are;
    • The Incident Handling Policy, which includes guidelines on (i) the principles and concepts relating to the management of incidents and leaks of personal data; (ii) the culture of prevention; and (iii) the procedures to be taken in the event of incidents and leaks of personal data; and
    • The Information Security Policy, which sets out how CNAGA should proceed with the security management of the information in its custody and covers general guidelines on (i) attributions and responsibilities; (ii) penalties; (iii) use of technological resources, internet, corporate email and social networks; (iv) physical access; (v) media disposal; among others.
  • Creation of a structure responsible for data governance: CNAGA has developed a structure to manage data governance, including the appointment of a Data Officer responsible for the process (DPO) and the creation of a Privacy Committee, as detailed in item 3 of this POLICY below.
  • Incorporating privacy into operations: CNAGA applies the principle of “Privacy by Design” to all its new projects and operations, and the principle of “Privacy by Default” to all its processes and operations under development or already implemented.

3. Pillars of Data Governance:
The structuring of data governance cannot do without the full support of top management for issues related to this topic, nor without the representation of the Data Protection Officer (DPO), who is appointed by the company.

Thus, the two main pillars of data governance at CNAGA are the full commitment and support of Senior Management and the creation of a structure responsible for managing this governance.

Accordingly, the Top Management of CNAGA, represented by its managing partners, hereby declares its full commitment and support to the following fundamental points:

 
  • Company's data governance plan and guiding principles;
  • Privacy and personal data protection policies of the company;
  • The various personal data protection laws, especially Law 13709/2018, also known as the General Data Protection Law (LGPD), which is the Brazilian law responsible for regulating the processing of personal data;
  • Supervision and follow-up of all actions necessary for compliance with the legislation and best practices in privacy and protection of personal data;
  • Encouragement and practice of engagement actions, with the corresponding availability of time and dedication, to promote and keep effective the process of compliance with the legislation and best practices in privacy and protection of personal data; and
  • Practice of support actions, with the corresponding availability of structure and resources, to promote and keep effective the process of compliance with the legislation and best practices in privacy and protection of personal data.

To this end, the following resources were instituted to compose CNAGA's Data Governance structure:
  • DPO or Data Protection Officer: The DPO is accountable to the organization and has the role of bringing together areas such as IT, legal, and business development around the privacy and data protection policies. It is a key role that requires multidisciplinary skills and has the following responsibilities:
    • Manage the organization's processes for LGPD compliance;
    • Act as a communication channel between the organization and data subjects, accepting complaints and communications, providing clarifications and taking action;
    • Act as a communication channel between the organization and the National Data Protection Authority (ANPD), providing clarifications and adopting measures;
    • Guide the organization's employees and contractors as to the practices to be adopted in relation to the privacy and protection of personal data;
    • Define and review the rules that have a direct impact on personal data privacy and protection initiatives;
    • Respond in a timely manner, when called upon, to identify privacy and personal data protection risks that may violate the legislation or impact the rights of the respective data subjects;
    • Monitor the implementation of initiatives associated with the fulfillment of legal demands or privacy legislation;
    • Deliberate on remediation actions and document security incidents that are related to personal data; and
    • Foster the organization's culture of privacy and data protection.
    • CNAGA's Data Officer (DPO) has been duly appointed, is formally indicated on the company’s website and can be contacted at any time with questions regarding privacy and protection of personal data by email at dpo@cnaga.com.br.
  • Privacy Committee: To assist the organization in decisions on privacy and data protection issues, as well as in the event of a data leakage episode, CNAGA has created an ethics committee, composed of its Administrative Manager, its Financial Manager and the DPO, which will be convened in serious cases or in cases requiring further investigation specific to this subject.