PRIVACY AND PERSONAL DATA PROTECTION POLICY
1. Purpose:
1.1. This Privacy and Personal Data Protection Policy ("POLICY") is intended to standardize how personal data is handled by CNAGA, in line with Federal Law 13709 of August 14, 2018, the Personal Data Protection Act ("LGPD"), including guidelines on (i) LGPD and its basic principles; (ii) rights of personal data subjects and how to exercise them; (iii) types of personal data that are handled in the organization; and (iv) consent management.
2. Definitions:
2.1. For all purposes and rights provided for in this POLICY, the following definitions shall apply:
LGPD: Law 13709/2018, also known as the General Data Protection Law, responsible for regulating the processing of personal data in Brazil.
Data Subject: Natural person to whom the personal data that is subject to processing refers (as per definition of data subject, inserted in the LGPD).
Personal Data: Information relating to an identified or identifiable natural person. They can be (i) identification (e.g. first name, last name, marital status, autographed and electronic signature, place and date of birth, nationality, photograph, age etc.); (ii) contact (e.g. address, e-mail, landline or cell phone etc.); (iii) professional (e.g. position, place of work, e-mail and institutional phone, date of entry and exit from employment, salary etc.); (iv) physical characteristics (e.g. iris color, hair color, private passwords, blood type etc.); (v) academic (academic path, diplomas, certificates, recognitions etc.); (vi) patrimonial (properties, movable and immovable assets, credit history, income and expenses, bank accounts, insurance, credit card number etc.); and (vii) sensitive, as subsequently defined.
Sensitive Personal Data: Personal data about racial or ethnic origin, religious conviction, political opinion, membership of a trade union or organization of a religious, philosophical or political nature, data concerning health or sex life, genetic or biometric data, when linked to a natural person. They can be (i) ideological (e.g. ideological, philosophical, religious or moral stances. Party political stances or union membership etc.); (ii) health (e.g. appreciation, preservation, care, improvement and recovery about physical or mental health status, genetic information etc.); (iii) about sexual life (e.g. behavior, preferences, sexual practices or habits etc.); (iv) ethnic origin (e.g. ethnicity or region with social, cultural and economic conditions and identity. Customs, traditions and beliefs); and (v) biometric (e.g. iris shape, fingerprints, palm shape, voice pattern or other unique characteristics).
Database: a structured set of personal data, established in one or more locations, in electronic or physical support (as defined in the LGPD definition of anonymization).
Anonymization: use of reasonable technical means available at the time of treatment, through which data loses the possibility of association, directly or indirectly, with an individual (according to the definition of anonymization, included in the LGPD).
Pseudo-anonymization: treatment by which data loses the possibility of association, directly or indirectly, with an individual, except through the use of additional information kept separately by the controller in a controlled and secure environment (as defined in the LGPD definition of anonymization).
Controller: Person in charge of decisions concerning processing of personal data.
Operator: Person who performs the processing of personal data on behalf of the controller.
ANPD: National Data Protection Authority, which is the federal government body responsible for the protection, regulation and supervision of personal data treatment processes in Brazil, involving mainly, but not only, the areas of protection and privacy.
Officer or DPO: Person in charge of personal data processing, assigned by the controller and operator to act as a communication channel between the controller, data subjects and ANPD.
Data Processing: Any operation carried out with personal data, such as those related to collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction.
3. Principles:
3.1. CNAGA's Privacy Policy is based on the following principles:
- Confidentiality: restriction of access to information and resources only by authorized persons.
- Integrity: accuracy of the information and the processing methods to which the information is submitted, keeping it accurate, complete and up-to-date.
- Availability: ensuring that authorized users have access to information and information assets when needed.
- Purpose: CNAGA will process your data exclusively for legitimate, specific, explicit purposes and in the manner informed, without the possibility of further processing in a manner incompatible with the purposes provided by law.
- Appropriateness: CNAGA undertakes to process data in a manner compatible with processing purposes informed and in accordance with the context of processing.
- Necessity: CNAGA processes only data that is strictly necessary to achieve its purposes, with data scope that is pertinent, proportionate and not excessive in relation to the purposes of data processing.
- Free Access: CNAGA grants free and easy consultation on the form and duration of the processing of your personal data.
- Data quality: CNAGA guarantees it will take proper care to keep its data always accurate, clear and up-to-date, according to the need and for the fulfillment of the purpose of its treatment.
- Transparency: CNAGA will maintain a clear, precise and accessible relationship to better understand the processing of data and respective processing agents, observing commercial and industrial secrets.
- Security: CNAGA will use technical and administrative measures suitable to protect personal data from unauthorized access and accidental or illicit situations of destruction, loss, alteration, communication or dissemination.
- Prevention: CNAGA will take all measures required to prevent damage from occurring as a result of the processing of your personal data.
- Non-Discrimination: CNAGA guarantees it will not use your personal data for unlawful or abusive discriminatory purposes.
- Accountability and Responsibility: When necessary, CNAGA will demonstrate the effectiveness of the measures adopted, to prove the observance of and compliance with personal data protection standards.
4.1. This POLICY applies to CNAGA as a data controller and data operator. For situations in which CNAGA collects data for its own purposes, it is acting as controller. In situations where the collection occurs as a function of the supply of a product or service contracted and defined by its clients, CNAGA is acting as the operator.
5. Liability:
5.1. Liability for the management of CNAGA's Data Governance and enforcement of this POLICY belongs to the entire organization, but primarily to its administrators, who are assisted by an appointed DPO.
5.2. Managers, assisted by the DPO, shall be responsible for updating this POLICY.
6. Rights of Holders:
6.1. Data holders' rights that may be requested from CNAGA, by holders of legal prerogatives, at any time, include:
- Confirmation of the existence of personal data processing;
- Access to information regarding the personal data processed;
- Correction of incomplete, inaccurate or outdated data;
- Arrangements for anonymization, blocking or deletion of unnecessary, excessive personal data or data treated in non-compliance with the LGPD;
- Portability of personal data to another service or product provider, upon express request, in accordance with the ANPD regulations, subject to commercial and industrial secrets;
- Deletion of personal data processed with the consent of the data subject, subject to exceptions (art. 16, LGPD);
- Receipt of information from public and private entities with which the controller has shared data;
- Receipt of information about the possibility of not giving consent and the consequences of refusing to do so; and
- Revocation of consent, pursuant to paragraph 5 of art. 8 of LGPD.
7.1. The holder of personal data may exercise their rights through written communication to be sent to CNAGA, by mail or email, with the subject "LGPD", informing and/or attaching to the document:
- Full name, CPF (Individual Taxpayer’s ID) number and e-mail address of the holder, and if applicable, of his/her legal representative;
- The right they wish to exercise with CNAGA;
- The date of the request and signature of the holder or his/her legal representative; and
- Any document that can demonstrate or justify the exercise of rights.
7.3. The response to the data subject's request will be made within the legal timeframe, and will be written in a clear, accessible and justified manner.
7.4. Any third parties who are not data subjects that have demands related to the LGPD and need to contact the company should follow the same procedures described here for data subjects.
8. Types of Data Collected:
8.1. CNAGA basically collects the following personal data:
- As Controller: personal data concerning its employees and eventual natural person customers.
- As Operator: no processing as an operator.
8.3. All personal data collected are treated in a strictly confidential manner and based on the principles set forth in this POLICY, so as to preserve the rights of the data subjects.
9. Purpose:
9.1. CNAGA collects and processes personal data based on the following legal purposes:
- Consent;
- Regular exercise of rights in legal proceedings;
- Compliance with legal or regulatory obligations;
- When necessary for the execution of a contract;
- Protection of health, in procedures performed by health professionals; and
- When necessary to meet its legitimate interests, except in the event that fundamental rights and freedoms of the data subject prevail and require protection of personal data.
10.1. For situations where it is necessary to obtain consent, CNAGA informs the data subject regarding:
- Specific purpose of the processing;
- Form and duration of the processing;
- Contact details for the company and its DPO;
11.1. Personal data will be retained as long as necessary to provide our products and services and as needed to comply with our legal obligations, resolve disputes, and enforce our policies.
11.2. Retention periods will be determined taking into account the type of information collected and the purpose for such collection, taking into account the requirements applicable to the situation and the need to destroy outdated, unused information in the nearest reasonable time.
12. Policy Update:
12.1. We reserve the right to modify this POLICY at any time, especially to adapt it to any changes made to our website, either by providing new features or by deleting or modifying existing ones.
12.2. Whenever there is a change, our users will be notified via the website itself.