PRIVACY POLICY AND PERSONAL DATA PROTECTION
OBJECTIVE
This Privacy and Personal Data Protection Policy aims to provide guidance on how to manage various activities and operations involving the processing of personal data within Vibra Agroindustrial S/A. It establishes principles, concepts, and guidelines regarding privacy and personal data protection, regardless of the medium or country where the data is located. It is noteworthy that this instrument complies with Federal Law No. 12,965 of April 23, 2014 (Brazilian Civil Rights Framework for the Internet), Federal Law No. 13,709 of August 14, 2018 (General Data Protection Law), and European Regulation No. 2016/679 of April 27, 2016 (General Data Protection Regulation – GDPR).
APPLICATION
This Policy applies to:
• Employees of Vibra;
• Statutory Directors;
• Members of the Board of Directors;
• Third parties/suppliers, whether individuals or legal entities, acting for or on behalf of Vibra;
• External data processing agents unrelated to Vibra who, in any way, relate to the company; and
• Data subjects whose data is processed by Vibra.
All the aforementioned recipients must comply with and adhere to this policy and interpret it in conjunction with relevant current legislation and other company policies and guidelines.
RESPONSIBILITIES
Area | Responsible Position | Responsibility(ies)
All areas | Area/Process Owner | Review processes to align with this policy.
All areas | Area/Process Owner | Comply with and observe the provisions of this policy.
All policy recipients | Comply with and observe the provisions of this policy.
REVIEW FREQUENCY
The Policy will be reviewed at the company’s discretion.
DEFINITIONS AND CONCEPTS
For the purposes of interpreting this policy, the following are considered:
• DATA PROCESSING AGENTS: The controller and the processor of personal data.
• ANONYMIZATION: The use of technical means, reasonable and available at the time of personal data processing, through which data loses the possibility of direct or indirect association with an individual. Anonymized data is not considered personal data for the purposes of the LGPD.
• NATIONAL DATA PROTECTION AUTHORITY (“ANPD”): A public administration body that is part of the Presidency of the Republic and is responsible for the protection of personal data and privacy.
• CONTROLLER OF PERSONAL DATA: Natural or legal person, public or private, responsible for decisions regarding the processing of personal data.
• PERSONAL DATA: Information related to an identified or identifiable natural person. Personal data also includes data used to form the behavioral profile of a particular natural person.
• SENSITIVE PERSONAL DATA: Personal data about racial or ethnic origin, religious belief, political opinion, union membership, or membership in religious, philosophical, or political organizations, data related to health or sexual life, genetic data, or biometric data when linked to a natural person.
• DATA PROTECTION OFFICER (“DPO”): Natural or legal person appointed by the Data Processing Agent to act as a communication channel between the Controller, data subjects, and the National Data Protection Authority. Responsible for the implementation and conduct of the Personal Data Protection Compliance Program.
• GENERAL DATA PROTECTION LAW (“LGPD”): Law No. 13,709 of August 14, 2018, which regulates the processing of personal data, whether digital or physical, carried out by natural or legal persons, public or private, aiming to defend the rights of data subjects while allowing the use of data for various purposes, balancing interests and harmonizing the protection of the human person with technological and economic development.
• PERSONAL DATA PROCESSOR: Natural or legal person, public or private, who processes personal data on behalf of the Controller.
• DATA SUBJECT: Natural person to whom the processed personal data refers.
• PROCESSING OF PERSONAL DATA (“PROCESSING”): Any operation performed with personal data, including collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, elimination, assessment, information control, modification, communication, transfer, dissemination, or extraction.
FUNDAMENTALS AND PRINCIPLES OF THE GENERAL DATA PROTECTION LAW
The General Data Protection Law has the following fundamentals and principles:
Fundamentals:
• Respect for privacy;
• Informational self-determination;
• Freedom of expression, information, communication, and opinion;
• Inviolability of intimacy, honor, and image;
• Economic and technological development and innovation;
• Free enterprise, free competition, and consumer protection;
• Human rights, free personal development, dignity, and the exercise of citizenship by natural persons.
Activities involving the processing of personal data must observe good faith and the following principles:
• Purpose: processing for legitimate, specific, and explicit purposes of which the data subject has been informed, with no possibility of subsequent processing incompatible with those purposes;
• Adequacy: compatibility of the processing with the purposes informed to the data subject, according to the context of the processing;
• Necessity: limitation of the processing to the minimum necessary for the accomplishment of its purposes, covering only data that is relevant, proportional, and not excessive in relation to the purposes of data processing;
• Free access: guarantee to data subjects of facilitated and free consultation on the form and duration of processing, as well as the entirety of their personal data;
• Data quality: guarantee to data subjects of accuracy, clarity, relevance, and updating of data, as needed and for the purpose of processing;
• Transparency: guarantee to data subjects of clear, accurate, and easily accessible information about the processing and the respective data processing agents, respecting commercial and industrial secrets;
• Security: use of technical and administrative measures capable of protecting personal data from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication, or dissemination;
• Prevention: adoption of measures to prevent damage due to the processing of personal data;
• Non-discrimination: impossibility of processing for illicit or abusive discriminatory purposes;
• Responsibility and accountability: demonstration, by the agent, of the adoption of effective measures capable of proving compliance with personal data protection rules and the effectiveness of these measures.
DATA USED
Vibra may collect information actively entered by the Data Subject at the time of contact or registration, as well as information collected automatically when using its products and services, such as IP identification, connection date and time, etc.
Therefore, two types of personal data are processed: those provided by the Data Subject and those collected automatically.
a) Personal data provided by the Data Subject: Vibra collects all data actively entered or submitted by the Data Subject, including but not limited to: Name, Date of Birth, Email Address, Postal Address, Phone Number, CPF (Brazilian Individual Taxpayer Registry) Number, among others.
b) Automatically collected data: Vibra may collect information automatically, including but not limited to: characteristics of the access device, browser, IP (with date and time), IP origin, click information, accessed pages, duration, search terms, among others. For this collection, Vibra may use standard technologies such as cookies, used to improve the browsing experience of the Data Subject according to their habits and preferences. It is noteworthy that it is possible to disable the automatic collection of information through internet browser settings; however, the Data Subject is hereby advised that disabling these technologies may cause certain features that depend on the processing of such data to not function correctly.
LEGAL BASES FOR THE PROCESSING OF PERSONAL DATA
All personal data processing operations within the activities conducted by Vibra will have a legal basis legitimizing their execution, specifying the purpose and designating those responsible for processing.
Vibra commits institutionally to periodically evaluate the purposes of its processing operations, considering the context in which these operations are inserted, the risks and benefits that may be generated to the data subject, and the legitimate interest of the company.
LEGAL BASES FOR THE PROCESSING OF SENSITIVE PERSONAL DATA
Vibra acknowledges that the processing of sensitive personal data represents high risks to the data subject and, for this reason, the company undertakes to safeguard and take special care in the processing of sensitive personal data.
This commitment includes sensitive personal data listed in art. 5, item II of the LGPD, as well as financial data, which, for the purposes of this Policy and Vibra’s LGPD Compliance Program, will have the same status as sensitive personal data.
Processing operations of sensitive personal data by Vibra can only be carried out:
(i) When the data subject or their legal representative specifically and separately consents for specific purposes;
(ii) Without the consent of the data subject, in cases where processing is indispensable for:
a. Compliance with legal or regulatory obligations by Vibra;
b. Conducting studies when Vibra acts as a Research Body, guaranteeing, whenever possible, the anonymization of sensitive personal data;
c. The regular exercise of rights, including in contracts and in judicial, administrative, and arbitral proceedings;
d. Protection of life or physical integrity of the data subject or third parties;
e. Protection of health, exclusively, in procedures carried out by health professionals, health services, or health authorities; or
f. Ensuring fraud prevention and the security of the data subject in the identification and authentication processes for registration in electronic systems.
RIGHTS OF DATA SUBJECTS
Vibra reinforces its commitment to respecting the rights of data subjects, as provided for in the LGPD, including:
• RIGHT TO CONFIRMATION OF THE EXISTENCE OF PROCESSING: the data subject may inquire with Vibra whether processing operations related to their personal data are being carried out;
• RIGHT OF ACCESS: the data subject may request and receive a copy of all personal data collected and stored by Vibra;
• RIGHT TO CORRECTION: the data subject may request the correction of incomplete, inaccurate, or outdated personal data;
• RIGHT TO ERASURE: the data subject may request the deletion of their personal data from databases managed by Vibra, unless there is a legitimate reason for their maintenance. In the event of deletion, the company reserves the right to choose the deletion procedure, committing to use a method that ensures security and prevents data recovery;
• RIGHT TO REQUEST THE SUSPENSION OF ILLEGAL PROCESSING OF PERSONAL DATA: at any time, the data subject may request from Vibra the anonymization, blocking, or deletion of their personal data that has been recognized by a competent authority as unnecessary, excessive, or processed in violation of the LGPD.
• RIGHT TO OBJECT TO PROCESSING OF PERSONAL DATA: in cases of processing of personal data not based on obtaining consent, the data subject may object to Vibra, and the objection will be analyzed based on the criteria present in the LGPD.
• RIGHT TO DATA PORTABILITY: the data subject may request from Vibra that their personal data be made available to another service or product provider, respecting the company’s commercial and industrial secrets, as well as the technical limits of its infrastructure.
• RIGHT TO WITHDRAW CONSENT: the data subject has the right to withdraw their consent. However, it is emphasized that this will not affect the legality of any processing carried out before withdrawal. In the event of withdrawal of consent, it may not be possible to provide certain services. If this is the case, the data subject will be informed.
The rights described above can be exercised by sending a request to the DPO via email at dpo@vibra.com.br.
DUTIES FOR APPROPRIATE USE OF PERSONAL DATA
The duties of care, attention, and proper use of personal data extend to all recipients of this Policy in the development of their work and activities at Vibra, committing to assist the company in fulfilling its obligations in implementing its privacy and personal data protection strategy.
a) SPECIFIC DUTIES OF PERSONAL DATA SUBJECTS:
It is the responsibility of personal data subjects to inform Vibra of any changes to their personal data in their relationship with the company (e.g., change of address).
b) SPECIFIC DUTIES OF VIBRA EMPLOYEES:
The sharing of personal data of subjects among Vibra Units is allowed, provided its purpose and legal basis are respected, observing the principle of necessity. The processing of personal data is always limited to the development of activities authorized by the company.
c) DUTIES OF VIBRA EMPLOYEES, PERSONAL DATA PROCESSORS, AND THIRD PARTIES:
(i) Do not provide or guarantee access to personal data held by Vibra to any persons who are not authorized or competent according to the company’s standards;
(ii) Obtain the necessary authorization for data processing;
(iii) Comply with the information security norms, recommendations, guidelines, and prevention of information security incidents published by the company (e.g., Information Security Policy, Security Incident Management Plan, password management guidelines, among others);
(iv) Comply with and observe the General Data Protection Law.
d) DUTIES OF ALL RECIPIENTS OF THIS POLICY:
All recipients of this Policy have a duty to contact Vibra’s DPO in case of suspicion or actual occurrence of the following actions:
(i) Processing of personal data without a legal basis or in violation of the LGPD;
(ii) Processing of personal data without Vibra’s authorization within the scope of its activities;
(iii) Processing of personal data that is not in accordance with Vibra’s Information Security Policy;
(iv) Elimination or destruction, not authorized by Vibra, of personal data from digital platforms or physical archives in all facilities belonging to or used by the company;
(v) Any other violation of this Policy.
DATA AND INFORMATION SECURITY
The information security and prevention standards against personal data incidents are contained in this Policy, Vibra’s Information Security Policy, Incident Management Plan, and internal regulations and related documents. Vibra reinforces its commitment, as stated in its Information Security Policy, to employ appropriate technical and organizational measures in handling personal data and make efforts to protect personal data of subjects against unauthorized access, loss, destruction, unauthorized sharing, among other scenarios. To request the blocking of information to a specific device or for any other security issues, as well as for questions regarding the interpretation and compliance with this Policy, please contact the Data Protection Officer (DPO) of Vibra Agroindustrial S/A at dpo@vibra.com.br.
DATA SHARING
Vibra may share personal data of subjects with operators, service providers, for the purpose of storing data, developing or improving their solutions and services, all duly committed to complying with current and applicable data protection laws and the rules contained in this policy. Vibra may share personal data with service providers contracted by the subjects, all duly committed to complying with current and applicable data protection laws. Additionally, there may be sharing of personal data with data processors outside Brazil, and Vibra commits to doing so only with countries that provide protection to personal data.
INFORMATION STORAGE
Information and data may be stored for as long as necessary to comply with legal or regulatory obligations and for the exercise of rights in judicial, administrative, or arbitration processes. Data will be retained for each of its purposes and/or according to current legal deadlines. In case of pending litigation, data will be retained until the final decision.
DPO (Data Protection Officer)
Maria Cecília Michetti Nonato is the Data Protection Officer of Vibra Agroindustrial S/A. If you have any doubts or requests regarding the processing of your personal data, please contact her via email at dpo@vibra.com.br.