POLICY FOR HANDLING SECURITY INCIDENTS RELATING TO PERSONAL DATA

1. PURPOSE: 
1.1. The Incident Handling Policy (the “POLICY”) of CNAGA is intended to establish principles, concepts, guidelines and responsibilities for managing any leak of personal data processed within the organization. Its further purpose is to prescribe actions to: 

  • Comply with the procedures established by Law No. 13,709/2018, also known as the Brazilian General Data Protection Law (LGPD);
  • Mitigate the impacts on the data subjects whose personal data may have been leaked; and
  • Mitigate the impacts on the organization. 
1.2. This POLICY has been drafted with a focus on the relevant legislation and the principles of transparency, security and broad disclosure.

2. PREVENTION CULTURE: 
2.1. CNAGA fosters among its administrators, employees and partners a culture of data leakage prevention and incident handling. To this end, it has defined the following responsibilities in this regard:
 
2.1.1. Regarding the organization's administrators: 
  • Make every effort to disseminate, within the organization and to its employees and partners, best practices for preventing and handling data leakage incidents.
  • Provide the support needed so that any suspicion, investigation or report of a personal data leak is duly investigated and handled, pursuant to the legislation in force.
  • Ensure that the organization's employees and business partners have the autonomy and independence to report any personal data leak without suffering any kind of retaliation.
  • Provide the means for any incident to be properly handled and reported to the competent authorities.
2.1.2. Regarding the organization's employees: 
  • Immediately inform the organization's DPO or administrators of any incident that may have occurred or that they have become aware of.
  • Make every effort to disseminate, within the organization and to colleagues and partners, best practices for preventing and handling data leakage incidents. 
2.1.3. Regarding the organization's DPO: 
  • Upon becoming aware of a personal data leak occurring in the organization, take all steps necessary to inform the data subjects and the authorities within the legal deadlines.
  • Make every effort to disseminate, within the organization and to its administrators, employees and business partners, best practices for preventing and handling data leakage incidents. 
3. PERSONAL DATA SECURITY INCIDENT PROCEDURES:
3.1. Security incidents concerning personal data are any confirmed or suspected security weaknesses or adverse events that lead, or may lead, to the compromise of one or more of the basic principles of confidentiality, integrity, availability and compliance applicable to the personal data processed by the organization.
 
3.2. For purposes of this POLICY, examples of security incidents relating to personal data are considered to include, but are not limited to: 
  • Unavailability of the technological environment due to an internal or external malicious attack;
  • Leakage of confidential information (customer information, strategic information, others);
  • Internal or external attempts to gain unauthorized access to systems or data, or otherwise compromise the IT environment;
  • Violation of a security policy, whether explicit or implicit;
  • Unauthorized use of, or access to, a system;
  • Modification of a system without the system owner's prior knowledge, instruction or consent. 
3.3. For the purposes of this POLICY, the following are not considered examples of security incidents related to personal data: 
  • Accidental hardware or system failures, provided they do not result in the loss of, or unauthorized access to or alteration of, personal data;
  • Non-malicious events (human error or carelessness) that do not infringe the privacy and data protection rules. 
3.4. All incidents must be registered with the necessary information to quickly and correctly identify the problem and the necessary action to mitigate it.
 
3.5. Incident events must be categorized and classified using a severity matrix, so that their management has adequate visibility, treatment and prioritization.
 
3.6. All incident events must be recorded in the controls and/or specific tools prepared by the organization for this purpose, with the aim of proper triage and treatment.
 
3.7. The organization must actively manage security incidents concerning personal data, using the following procedures: 
  • Detection: identification of incidents through monitoring, reports, complaints, information received from other business areas, or any other analysis of adverse events;
  • Registration and analysis: recording of the incident, analysis, and classification by type, severity and priority;
  • Communication: notification of the incident to the parties involved and, where necessary, to external authorities;
  • Response: incident containment, forensic analysis, custody of evidence, and treatment of the incident and its root cause; and
  • Finalization: formal closure and case analysis to identify possible improvements in processes, controls and in the incident management procedure itself. 
3.8. The investigation of security incidents related to personal data must be carried out exclusively by the organization's DPO, with the support of whichever areas the DPO deems necessary, so as to guarantee the privacy and confidentiality of the information obtained.
 
3.9. Security incidents concerning personal data that may entail relevant risk or harm to data subjects must be reported by the organization to the National Data Protection Authority (ANPD - Autoridade Nacional de Proteção de Dados).
 
3.10. The communication must be made within the period required by law, and must mention, at least:
  • A description of the nature of the personal data affected;
  • Information about the data subjects involved;
  • An indication of the technical and security measures used to protect the data, observing commercial and industrial secrecy;
  • The risks related to the incident;
  • The reasons for the delay, in case the communication was not immediate; and
  • The measures that have been or will be adopted to reverse or mitigate the effects of the damage.