General Personal Data Protection Policy

Introduction

EGATI ENGENHARIA, TECNOLOGIA E NEGÓCIOS LTDA has the mission of providing services with excellence, always seeking the trust and satisfaction of our customers.

EGATI ENGENHARIA, TECNOLOGIA E NEGÓCIOS LTDA understands that privacy is a fundamental right of the natural person.

EGATI ENGENHARIA, TECNOLOGIA E NEGÓCIOS LTDA understands that, in its business processes where personal data is processed, this information goes through different means of support, storage and communication, which are vulnerable to external and internal factors that may impair the protection of personal data and negatively affect the data subjects’ privacy.

Therefore, EGATI ENGENHARIA, TECNOLOGIA E NEGÓCIOS LTDA establishes its GENERAL PERSONAL DATA PROTECTION POLICY (PGPDP), as an integral part of its corporate management system, compatible with the requirements of the Brazilian legislation, in addition to good practices and internationally accepted standards, with the objective of ensuring adequate levels of protection for the personal data processed by the organization.

Purpose

This policy aims to establish Data Protection guidelines that allow EGATI ENGENHARIA, TECNOLOGIA E NEGÓCIOS LTDA to carry out personal data processing in compliance with Brazilian legislation;

Guide the adoption of technical and administrative controls to meet the requirements for the personal data protection according to current legislation;

Safeguard the data subjects of the data processed by EGATI ENGENHARIA, TECNOLOGIA E NEGÓCIOS LTDA, ensuring their fundamental rights of freedom and privacy and the free development of the natural person's personality;

Prevent possible causes of personal data breaches and information security incidents related to the personal data processing;

Minimize the risks of financial, market share or customer trust losses, or any other negative impact on the business of EGATI ENGENHARIA, TECNOLOGIA E NEGÓCIOS LTDA as a result of data breaches.

Scope

This policy applies to all personal data processing operations carried out by EGATI ENGENHARIA, TECNOLOGIA E NEGÓCIOS LTDA, regardless of the medium or country where the data is located, provided that:

  • The processing operation is carried out in the national territory;
  • The processing activity aims at offering or supplying goods or services, or at processing the data of individuals located in the national territory;
  • The personal data subject to processing was collected in the national territory.

Guidelines

The objective of Data Protection at EGATI ENGENHARIA, TECNOLOGIA E NEGÓCIOS LTDA is to ensure the systematic and effective management of all aspects related to the protection of personal data and the rights of its subjects, providing support to the critical operations of the business and minimizing identified risks and their possible impacts on the organization.

The Board of Directors and the Management Committee for the Personal Data Protection are committed to the effective management of the Personal Data Protection at EGATI ENGENHARIA, TECNOLOGIA E NEGÓCIOS LTDA. Therefore, they take all appropriate measures to ensure that this policy is properly communicated, understood and adhered to at all levels of the organization. Periodic revisions will be conducted to ensure its continuous relevance and adequacy to the needs of EGATI ENGENHARIA, TECNOLOGIA E NEGÓCIOS LTDA.

It is the policy of EGATI ENGENHARIA, TECNOLOGIA E NEGÓCIOS LTDA to:

Ensure that data subjects have the choice of allowing or refusing the processing of their personal data, except in cases where the applicable law specifically allows personal data processing without the data subject's consent;

Ensure that the personal data processing purpose complies with current legislation and with the applicable legal basis;

Clearly and adequately communicate the personal data processing to the data subject before the data is collected or used for the first time for a new purpose;

Where necessary, provide the data subject with sufficient explanations about his/her personal data processing, as provided for in current legislation;

Limit the personal data collection strictly to what is allowed according to current legislation and to the objectives specified in the data subject's consent for the personal data collection, minimizing, whenever possible, the collection of said personal data;

Limit the use, storage, disclosure and transfer of personal data to what is strictly necessary to meet specific, explicit and legitimate objectives;

Store personal data only for as long as necessary to fulfill the stated purposes and subsequently delete, block or anonymize them safely;

Block access to personal data and further processing when the stated purposes expire, except when personal data storage is required by current law.

Ensure the accuracy and quality of processed personal data, except in cases where there is a legal basis for keeping data out of date.

Provide the data subjects whose data is processed with clear and easily accessible information about the policies, procedures and practices regarding the personal data processing carried out by the organization, including what data is actually processed, the purpose of such processing, and information on how to contact us for further details.

Notify data subjects when significant changes occur in the processing of their personal data.

Ensure that data subjects have the possibility to access and review their personal data, provided that their identity is authenticated with an appropriate level of guarantee, and that there is no legal restriction to such access or review of personal data.

Ensure traceability and accountability throughout the personal data processing, including when personal data is shared with third parties.

Fully address data breaches, ensuring that they are properly recorded, classified, investigated, remedied and documented.

Ensure that, in the event of a data breach, all interested parties are notified according to the requirements and deadlines provided for in the legislation in force.

Document and communicate, as appropriate, all policies, procedures and practices related to privacy and data protection.

Ensure the existence of a person responsible for documenting, implementing and communicating policies, procedures and practices related to privacy and data protection;

Adopt information security controls, both technical and administrative, sufficient to ensure adequate levels of protection for Personal Data.

Provide policies, standards and procedures for the personal data protection to all interested and authorized parties, such as: employees, contracted third parties and, when applicable, customers.

Ensure the education and awareness of employees, contracted third parties and, when applicable, partners and customers, about the personal data protection practices adopted by EGATI ENGENHARIA, TECNOLOGIA E NEGÓCIOS LTDA.

Continuously improve Personal Data Protection Management by systematically defining and reviewing privacy and personal data protection objectives at all levels of the organization.

Ensure non-discrimination in the personal data processing, preventing its use for discriminatory, unlawful or abusive purposes.

Ensure the full compliance with personal data protection laws and regulations.

Roles and Responsibilities

MANAGEMENT COMMITTEE FOR THE PERSONAL DATA PROTECTION – CGPDP

The MANAGEMENT COMMITTEE FOR THE PERSONAL DATA PROTECTION (CGPDP) is constituted with the participation of at least one representative of the board and a senior member of the following areas: Information Technology, Information Security, Human Resources, Legal and Compliance.

The CGPDP shall:

Analyze, review and approve policies and standards related to the personal data protection;

Ensure the availability of the necessary resources for the effective Personal Data Protection Management;

Ensure that the Personal Data processing is carried out according to the GENERAL PERSONAL DATA PROTECTION POLICY (PGPDP) and the legislation in force;

Disclose the PGPDP and take the necessary actions to disseminate a culture of Personal Data protection in the corporate environment of EGATI ENGENHARIA, TECNOLOGIA E NEGÓCIOS LTDA.

RESPONSIBLE FOR THE PERSONAL DATA PROCESSING

The Person responsible for the Personal Data Processing must:

Receive complaints and communications from the data subjects of personal data, provide clarifications and take the necessary measures;

Receive communications from the national data protection authority and take the necessary steps;

Guide employees, contracted third parties and other parties of EGATI ENGENHARIA, TECNOLOGIA E NEGÓCIOS LTDA on the practices to be adopted regarding the personal data protection;

Fulfill the other duties set by the guidelines of the National Data Protection Authority, as defined in complementary standards published by that body;

Support the CGPDP in its deliberations;

Work with the Information Security team in the adjustment of information security standards and procedures necessary to comply with the PGPDP;

Identify and assess key threats to data protection, and also propose and, when approved, support the implementation of corrective measures to reduce risk;

Take appropriate actions to enforce the terms of this policy;

Support the management of personal data breaches by ensuring appropriate handling and by notifying, within a reasonable time, the national authority and the data subjects affected by the breach where it represents a significant risk or damage to the data subjects.

INFORMATION SECURITY TEAM

The responsibility of the Information Security team is to:

Ensure that Information Security policies, standards and procedures are adjusted to meet the requirements of the General Personal Data Protection Policy;

Take security measures, both technical and administrative, able to protect personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication or any other form of improper or unlawful processing, according to the minimum standards recommended by the national authority for the personal data protection;

Take the measures required for information security incidents involving the personal data processing, ensuring their detection, containment, elimination and recovery within a reasonable time;

Support the Person Responsible for the personal data processing in the communication to the national authority and to the data subjects in cases of security incidents that may cause significant risk or damage to the data subjects.

INFORMATION USERS

The responsibility of the Information Users is to:

Read, understand and fully comply with the terms of the General Personal Data Protection Policy, and also the other applicable personal data protection rules and procedures;

Forward any questions and/or requests for clarification regarding the General Personal Data Protection Policy, its rules and procedures to the Person Responsible for the Personal Data Processing or, when applicable, to the Management Committee for the Personal Data Protection;

Report to the Person Responsible for the Personal Data Processing any event that violates this Policy or which may endanger the Personal Data processed by EGATI ENGENHARIA, TECNOLOGIA E NEGÓCIOS LTDA;

Sign the Information Systems Use Statement of EGATI ENGENHARIA, TECNOLOGIA E NEGÓCIOS LTDA, formalizing awareness and full acceptance of the provisions of the General Personal Data Protection Policy and of the other security standards and procedures, assuming responsibility for compliance with them;

Be held responsible for non-compliance with the General Personal Data Protection Policy and with the rules and procedures related to the Personal Data processing, as defined in the Sanctions and Penalties section.

Sanctions and Penalties

Violations of this policy, and of the other rules and procedures for the personal data protection, even by mere omission or unconsummated attempt, shall be liable to penalties that include verbal warning, written warning, unpaid suspension and even dismissal for just cause;

The application of sanctions and punishments will be carried out according to the analysis of the Management Committee for the Personal Data Protection, considering the severity of the infringement, including the effect achieved, recurrence and the hypotheses provided for in Article 482 of the Consolidation of Labor Laws. The CGPDP, in the use of the disciplinary power assigned to it, shall apply the penalty it deems appropriate when serious misconduct is typified;

In the case of contracted third parties or service providers, the CGPDP shall analyze the occurrence and deliberate on the effect of sanctions and punishments as provided for in the contract;

In the case of violations involving illegal activities or that may incur risks to the data subjects of personal data, or damage to EGATI ENGENHARIA, TECNOLOGIA E NEGÓCIOS LTDA, the infringer shall be liable for the losses, and the relevant judicial measures shall be applicable without prejudice to the terms described in items 6.1, 6.2 and 6.3 of this policy.

Omitted Cases

The omitted cases shall be evaluated by the Management Committee for the Personal Data Protection for further resolution.

The guidelines established in this policy and in the other rules and procedures for the personal data protection are not exhaustive, given continuous technological developments, changes in current legislation and the constant emergence of new threats and requirements. Therefore, this is not an exhaustive list, and it is the obligation of every information user of EGATI ENGENHARIA, TECNOLOGIA E NEGÓCIOS LTDA to adopt, whenever possible, other security measures beyond those herein provided, with the objective of ensuring the protection of the personal data processed by EGATI ENGENHARIA, TECNOLOGIA E NEGÓCIOS LTDA.

Glossary

Anonymization: use of reasonable technical means available at the time of processing, through which data loses the possibility of being associated, directly or indirectly, with an individual;

National Personal Data Protection Authority: public administration body responsible for ensuring, implementing and supervising compliance with the General Law on the Personal Data Protection (LAW No. 13,709, AUGUST 14, 2018) in the entire Brazilian national territory;

Blocking: temporary suspension of any processing operation, by custody of the personal data or database;

MANAGEMENT COMMITTEE FOR THE PERSONAL DATA PROTECTION – CGPDP: permanent multidisciplinary working group created by the board of directors of EGATI ENGENHARIA, TECNOLOGIA E NEGÓCIOS LTDA, whose purpose is to deal with issues related to the Personal Data Protection;

Consent: free, informed and unambiguous manifestation by which the data subject agrees to the processing of his/her personal data for a specific purpose;

Controller: natural person or legal entity, under public or private law, responsible for decisions concerning the personal data processing;

Anonymized Data: data relating to a data subject who cannot be identified, considering the use of reasonable technical means available at the time of processing;

Sensitive Personal Data: personal data on racial or ethnic origin, religious conviction, political opinion, membership of a trade union or the organization of a religious, philosophical or political nature, and data regarding health or sexual life, genetic or biometric data, when linked to a natural person;

Personal Data: information related to an identified or identifiable natural person;

Deletion: removal of data or of a data set stored in a database, regardless of the procedure employed;

Operator: natural person or legal entity, under public or private law, which conducts the personal data processing on behalf of the controller;

Information Security: the preservation of the confidentiality, integrity and availability of EGATI ENGENHARIA, TECNOLOGIA E NEGÓCIOS LTDA information.

Data Subject: natural person to whom the processed personal data refers;

Personal data processing: every operation carried out with personal data, such as those related to collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation or control of the information, modification, communication, transfer, dissemination or extraction;

Information Users: employees working in any area of the companies that make up EGATI ENGENHARIA, TECNOLOGIA E NEGÓCIOS LTDA or third parties assigned to the provision of services to EGATI ENGENHARIA, TECNOLOGIA E NEGÓCIOS LTDA, regardless of the legal regime to which they are subject, and also other individuals or organizations properly authorized to use or handle any information asset of EGATI ENGENHARIA, TECNOLOGIA E NEGÓCIOS LTDA for the performance of their professional activities;

Personal data violation: situation in which personal data is processed in violation of one or more relevant privacy protection requirements.

Revisions

This policy is revised annually or according to the understanding of the Management Committee for the Personal Data Protection.

Policy Management

The General Personal Data Protection Policy is approved by the Management Committee for the Personal Data Protection, together with the Board of Directors of EGATI ENGENHARIA, TECNOLOGIA E NEGÓCIOS LTDA.

This policy was approved on 04/12/2021.