ACT DIGITAL, aware of the importance and need to adapt its personal data processing operations to a new and comprehensive regulation on the subject, in this case, the Data Protection General Law (Law No. 13,709/2018 – “LGPD”), passed in August 2018, started in 2019 its process of compliance with the new Law.

This Personal Data Privacy and Protection Policy, which will be referred to as “POLICY” aims to instruct the management of individuals’ data processed by the company, aiming at the protection of personal data and the several activities and operations of personal data processing existing in ACT DIGITAL.

This document is part of ACT DIGITAL’s LGPD compliance program.

In carrying out the activities provided for in its bylaws, ACT DIGITAL performs personal data processing operations in the best interests of the personal data subjects, and respecting their rights, and may be characterized as Personal Data Controller, Personal Data Operator, Controller and Personal Data Operator, in accordance with the definitions in the LGPD, reinforcing, in any position it holds, its commitment to compliance with the applicable rules of privacy and protection of personal data.

1. DEFINITIONS

PERSONAL DATA PROCESSING AGENTS: The personal data controller and operator.

ANONYMIZATION: Use of technical means, reasonable and available at the time of processing personal data, by which a data loses the possibility of direct or indirect association with an individual. Anonymized data are not considered personal data for the purposes of the LGPD.

NATIONAL AUTHORITY ON DATA PROTECTION (“ANPD”): Public administration authority responsible for watching over, implementing and enforcing compliance with the LGPD all over the national territory. The LGPD established the ANPD as a body of the federal public administration with technical autonomy, integral part of the Presidency of the Republic, defining its nature as transitory and subject to be conversed by the Executive Branch into an entity of the indirect federal public administration, subject to a special autonomous entity regime and reporting to the Presidency of the Republic.

PERSONAL DATA CONTROLLER: Natural person or legal entity, of public or private law, in charge of making decisions concerning the personal data processing.

PERSONAL DATA: Information related to an identified or identifiable natural person. Likewise, data used to form the behavioral profile of a certain natural person are considered personal data.

SENSITIVE PERSONAL DATA: Personal Data about racial or ethnic origin, religious belief, political opinion, union membership or organization of religious, philosophical or political nature, data related to health or sexual life, genetic or biometric data when linked to a natural person.

DATA PROTECTION OFFICER (“DPO”): Natural person or legal entity appointed by the Processing Agent to act as a communication channel between the Controller, data subjects and the National Authority on Data Protection.

DATA PROTECTION GENERAL LAW (“LGPD”): A normative diploma (Law No. 13,709, dated August 14, 2018) that provides for the processing of personal data in digital or physical media performed by natural person or legal entity, of public or private law, aiming to defend the holders of personal data and at the same time allow the use of data for different purposes, balancing interests and harmonizing the human person protection with technological and economic development.

PERSONAL DATA OPERATOR: A natural person or legal entity, of public or private law, who performs the personal data processing on behalf of the Controller.

PERSONAL DATA SUBJECT (“DATA SUBJECT”): Natural person to whom the personal data subject to processing relate.

PROCESSING OF PERSONAL DATA (“PROCESSING”): Any operation performed with personal data, such as those concerning collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation, information control, modification, communication, transfer, dissemination or extraction.

2. PURPOSE

The current Policy establishes the guidelines of ACT DIGITAL for the protection and use of personal data that may be processed in its activities, grounded in the LGPD, among other national and international regulations concerning the privacy and protection of personal data.

3. ADDRESSEES

This Policy applies to:

a) Employees of ACT DIGITAL;

b) Any third parties, whether natural persons or legal entities acting for or on behalf of ACT DIGITAL in operations involving the processing of personal data carried out within the scope of the activities conducted by ACT DIGITAL;

c) Personal data processing agents external to ACT DIGITAL who are in any way related to ACT DIGITAL; and,

d) subjects of personal data whose data are processed by ACT DIGITAL.

Adherence to ACT DIGITAL’s program of compliance with personal data protection laws and the regulations arising therefrom, including this Policy, is compulsory to all the addressees indicated above insofar as they relate to ACT DIGITAL. All operations involving the processing of personal data carried out within the scope of the activities conducted by ACT DIGITAL are subject to such regulations.

4. APPLICABILITY

This Policy establishes guidelines and rules to ensure that its addressees understand and comply with the legislation on personal data protection in all interactions with current and future personal data holders, third-parties and personal data processing agents external to ACT DIGITAL.

In addition to the concepts defined by the regulations on personal data privacy and protection, the information comprised in this Policy includes all data held, used or transmitted by or on behalf of ACT DIGITAL in any form of media. This includes personal data recorded on paper, kept on computer systems or portable devices, as well as personal data orally transmitted.

5. MAIN OBJECTIVES

The main objectives of this Privacy and Personal Data Protection Policy are to deal with ACT DIGITAL’s responsibilities, and the required guidelines to ensure and reinforce the Company’s commitment to comply with the applicable personal data protection legislation, and to describe the rules to be followed in the conduct of personal data processing activities and operations carried out by ACT DIGITAL and the addressees of this Policy, within the scope of ACT DIGITAL’s activities, which guarantee its compliance with applicable personal data protection legislation and, in particular, with the LGPD.

This Policy is established to be considered in conjunction with the obligations set out in the documents described below, which deal with information in general, and complement it whenever applicable:

i. ACT DIGITAL employees’ service contracts and other equivalent documents, which provide for confidentiality obligations regarding information held by the Company;

ii. Information security policies and procedures, as well as terms and conditions of use, dealing with confidentiality, integrity and availability of ACT DIGITAL information;

iii. All internal rules regarding personal data protection that may be drafted and updated from time to time.

6. PRINCIPLES OF PERSONAL DATA PRIVACY AND PROTECTION

ACT DIGITAL will comply with the following personal data protection principles when processing personal data:

a) PURPOSE: ACT DIGITAL will carry out the processing of personal data only for legitimate, specific, explicit and informed purposes to the personal data subject, with no possibility of further processing in any way incompatible with these purposes;

b) ADEQUACY: ACT DIGITAL will process personal data in a manner compatible with the purposes informed to the data subject, and according to the context of the processing;

c) NECESSITY: the processing of personal data carried out by ACT DIGITAL will be limited to the minimum necessary for the accomplishment of its purposes, reaching pertinent, proportional and non-excessive data in relation to the purposes of processing;

d) FREEDOM OF ACCESS: ACT DIGITAL will guarantee to personal data subjects easy and free of charge consultation on the form and duration of processing, as well as on the completeness of their data;

e) DATA QUALITY: ACT DIGITAL will guarantee to the personal data subjects the accuracy, clarity, relevance and updating of the data, according to the need and for the fulfillment of the purpose of their processing;

f) TRANSPARENCY: ACT DIGITAL will guarantee to the personal data subjects clear, accurate and easily accessible information about the processing and the personal data processing agents involved in the processing of personal data, in compliance with commercial and industrial secrets;

g) SECURITY: ACT DIGITAL will use technical and administrative measures to protect personal data against unauthorized access and accidental or illicit destruction, loss, alteration, communication or disclosure;

h) PREVENTION: ACT DIGITAL will adopt measures to prevent damages arising from the processing of personal data;

i) NON-DISCRIMINATION: ACT DIGITAL will ensure the impossibility of processing personal data for unlawful or abusive discriminatory purposes;

j) LIABILITY AND ACCOUNTABILITY: ACT DIGITAL undertakes to demonstrate the adoption of effective measures capable of evidencing the observance and compliance with personal data protection regulations, and the effectiveness of such measures.

7. LEGAL GROUNDS FOR PERSONAL DATA PROCESSING

All personal data processing operations in the scope of the activities carried out by ACT DIGITAL will have a legal basis that legitimates their execution, setting forth the purpose and designation of those responsible for processing.

ACT DIGITAL is institutionally committed to periodically evaluate the purposes of its processing operations, considering the context in which these operations are carried out, the risks and benefits that may be generated for the personal data subject, and the legitimate interest of the Company.

ACT DIGITAL may carry out personal data processing operations:

a) Upon consent by the personal data subject;

b) For the fulfillment of a legal or regulatory obligation;

c) When necessary for the execution of a contract or preliminary procedures related to a contract to which the personal data subject is a party;

d) For the regular exercise of rights in judicial, administrative or arbitral proceedings;

e) For the protection of the life or physical safety of the data subject or third-parties;

f) Whenever required to meet the legitimate interests of ACT DIGITAL or third-parties;

g) For the protection of credit.

ACT DIGITAL will record its processing operations based on categories of processing, each of them described accordingly to their purpose(s), serving as an aid and support for its periodic evaluation of compliance with the regulatory framework for personal data protection.

Records of personal data processing operations may be consulted by the personal data subject, as well as by public authorities competent to access and retain data on their behalf, safeguarding the rights of the personal data subject.

8. LEGAL GROUNDS FOR SENSITIVE PERSONAL DATA PROCESSING

ACT DIGITAL recognizes that the processing of sensitive personal data poses greater risks to the data subject, and for this reason the Company is committed to the safeguarding and special care in the processing of sensitive personal data.

This commitment includes the sensitive personal data listed in art. 5, section II of the LGPD, as well as financial data that, for the purposes of this Policy and the LGPD Compliance Program of ACT DIGITAL, will have the same status as sensitive personal data.

The personal data of children and adolescents will be processed with the same level of care required and offered to sensitive personal data, but will also be subject to the proper provisions set out in Chapter II, Section III, of the LGPD, and other applicable specific regulations.

The processing of sensitive personal data by ACT DIGITAL may only be carried out:

a) When the personal data subject or their legal guardian consents, in a specific and outstanding manner, for specific purposes;

b) With no consent of the personal data subject, in cases where the processing is indispensable for:

i. The fulfillment of a legal or regulatory obligation by ACT DIGITAL;

ii. The development of studies when ACT DIGITAL is in the position of Research Body, guaranteeing, whenever possible, the anonymization of sensitive personal data;

iii. For the regular exercise of rights including in judicial, administrative or arbitral proceedings and agreements;

iv. For the protection of the life or physical safety of the data subject or third-parties;

v. Guarantee of fraud prevention and personal data subject security, in the processes of identification and authentication of registration in electronic systems.

9. RIGHTS OF THE PERSONAL DATA SUBJECTS

ACT DIGITAL, in the context of its personal data processing activities, strengthens its commitment to respect the rights of the personal data subjects, namely:

a) RIGHT TO CONFIRMATION OF THE EXISTENCE OF THE PROCESSING: the personal data subject may question, with ACT DIGITAL, whether their personal data are being effectively processed;

b) RIGHT OF ACCESS: the personal data subject may request and receive a copy of all personal data collected and stored;

c) RIGHT OF CORRECTION: the personal data subject may request the correction of personal data that are incomplete, inaccurate or outdated;

d) RIGHT OF DELETION: the personal data subject may request the deletion of their personal data from databases managed by ACT DIGITAL, unless there is a legitimate reason for maintaining them, such as an eventual legal obligation to retain data or study by a research body. In the event of deletion, the Company reserves the right to choose the deletion procedure to be employed, undertaking to use means that guarantee security and avoid data recovery;

e) RIGHT TO REQUEST THE SUSPENSION OF UNLAWFUL PERSONAL DATA PROCESSING: at any time, the personal data subject may request ACT DIGITAL to anonymize, block or delete their personal data that have been recognized by a competent authority as unnecessary, excessive or processed in violation of the LGPD.

f) RIGHT TO OPPOSITION TO THE PROCESSING OF PERSONAL DATA: in the event that processing of personal data is not subject to obtaining consent, the personal data subject may present ACT DIGITAL with an opposition, which will be analyzed in accordance with the criteria disclosed in the LGPD.

g) RIGHT TO DATA PORTABILITY: the personal data subject may request ACT DIGITAL to make their personal data available to another service or product provider, respecting the company’s commercial and industrial secrecy, as well as the technical limits of its infrastructure.

h) RIGHT TO WITHDRAW THE CONSENT: the personal data subject has the right to withdraw their consent. However, it should be noted that this will not affect the legality of any processing carried out prior to the withdrawal. In the event that consent is withdrawn, it may not be possible to provide certain services. Should this be the case, the personal data subject will be informed.

ACT DIGITAL reaffirms its commitment to the rights of the personal data subjects to transparency and adequate information, highlighting the provision of:

i. Information of the public and private entities with which ACT DIGITAL shared the use of data;

ii. Information about the possibility of not providing consent and the consequences of refusal.

10. DUTIES FOR THE PROPER USE OF PERSONAL DATA

The duties of care, attention and appropriate use of personal data extend to all addressees of this Policy in the development of their work and activities in ACT DIGITAL, undertaking to assist the company to comply with its obligations in the implementation of its personal data privacy and protection strategy.

10.1. SPECIFIC DUTIES OF THE PERSONAL DATA SUBJECTS:

It is incumbent on personal data subjects to notify ACT DIGITAL of any modifications to their personal data in their relationship with the company, notifying it preferably in the following order:

a) By e-mail addressed to the person in charge of Human Resources at ACT DIGITAL;

b) By e-mail directly to the EPD of ACT DIGITAL; and

c) By physical means directly addressed to the EPD of ACT DIGITAL.

10.2 SPECIFIC DUTIES OF ACT DIGITAL’S EMPLOYEES

The sharing of personal data of personal data subjects between ACT DIGITAL Units is permitted, provided that its purpose and legal basis are respected, observing the principle of necessity, and the processing of personal data is always restricted to the development of activities authorized by ACT DIGITAL.

10.3. DUTIES OF ACT DIGITAL’S EMPLOYEES, PERSONAL DATA PROCESSING AGENTS AND THIRD-PARTIES

a) Do not make available or grant access to personal data held by ACT DIGITAL to any unauthorized or competent persons in accordance with the company regulations.

b) Obtain the necessary authorization for data processing, and have the necessary documents proving the designation of its competence for carrying out the lawful data processing operation.

c) Comply with the standards, recommendations, guidelines for information security, and prevention of security incident regarding information published by the company (e.g., Information Security Policy, Information Security Incident Response Plan, password management guidelines, among others).

10.4. DUTIES OF ALL ADDRESSEES OF THIS POLICY:

All addressees of this Policy have the duty to contact the Data Protection Officer of ACT DIGITAL upon suspicion or actual occurrence of the following actions:

a) Personal data processing operation carried out with no reasonable legal grounds;

b) Personal data processing without the authorization of ACT DIGITAL in the scope of its activities;

c) Personal data processing in breach of the Information Security Policy of ACT DIGITAL;

d) Unauthorized deletion or destruction by ACT DIGITAL of personal data from digital platforms or physical archives in all the premises owned or used by the Company;

e) Any other breach of this Policy or of any of the data protection principles set out in section 7 above.

11. DUTIES FOR THE PROPER USE OF PERSONAL DATA

The LGPD establishes that the responsibility in case of patrimonial, moral, individual or collective damages deriving from violations to the personal data protection legislation is joint and several, and that all the agents of the chain involving the processing of personal data may be held responsible for eventual damages caused.

In this sense, the possibility of ACT DIGITAL being held responsible for the actions of third-parties implies the need to employ the best efforts to verify, evaluate and ensure that such third-parties comply with the applicable data protection legislation.

In this way, all contracts with third parties will contain clauses relating to the protection of personal data, establishing duties and obligations in this field, and certifying the commitment of third-parties to comply with applicable personal data protection legislation.

It should also be noted that these contracts will be reviewed and submitted for approval to the EPD of ACT DIGITAL and its technical team, in accordance with the regulatory framework in force.

All third-parties must sign the term of acceptance of this Policy, the Information Security Policy and the Security Incident Response Plan, submitting the activities contracted in the relationship with ACT DIGITAL also these regulations as well.

12. PERSONAL DATA PROTECTION LAW COMPLIANCE PROGRAM

The LGPD Compliance Program aims to guarantee ACT DIGITAL‘s commitment to ensure the proper processing of personal data for lawful purposes that may be subject to its activities, and reinforces its commitment to good privacy and data protection practices with the following actions:

a) Producing and disseminating information, regardless of format, describing the individual responsibilities of the addressees of this Policy in the field of personal data privacy and protection;

b) Providing training, guidance and advice to ACT DIGITAL’s employees and third-parties, including, but not limited to, online courses, workshops, internal meetings, regular talks, lectures, among other initiatives; sharing content available in digital and face-to-face format.

c) Incorporating concerns and care in personal data processing in all stages of its activities, including, but not limited to administrative routines, research activities, service provision, academic activities, among others.

d) Identification and further evaluation of the risks that may compromise the achievement of ACT DIGITAL‘s objectives in the field of personal data privacy and protection; defining, creating and implementing action plans and policies to mitigate the risks identified; in addition to maintaining continuous evaluation of scenarios in order to assess whether the measures implemented require new guidelines and attitudes.

From the entry into force of the LGPD, ACT DIGITAL‘s Data Protection Officer, assisted by their technical team, will have the following responsibilities:

a) Conduct the LGPD Compliance Program at ACT DIGITAL, ensuring its enforcement;

b) Monitor compliance with applicable personal data protection legislation, in accordance with ACT DIGITAL‘s policies;

c) Instruct the addressees of this Policy regarding ACT DIGITAL’s regime of personal data privacy and protection;

d) Ensure that data protection rules and guidelines are informed/incorporated into ACT DIGITAL‘s routines and practices;

e) Organize training on personal data protection at ACT DIGITAL;

f) Provide clarifications, offer information and present reports on personal data processing operations and their impacts to the relevant public authorities (e.g., Office of the Public Prosecutor, Brazilian National Authority on Personal Data Protection, etc.);

g) Respond to requests and complaints from personal data subjects whose data have been processed by a unit of ACT DIGITAL.

h) Assist in audits or any other evaluation and monitoring measure involving data protection;

i) Draw up the impact reports on data privacy and protection, technical opinions, and revision of documents with regard to data protection.

13. INFORMATION SECURITY

The standards of information security and prevention against personal data incidents are contained in ACT DIGITAL‘s Information Security Policy, and in the internal regulations and documents related to the subject.

ACT DIGITAL reinforces the commitment stated in its Information Security Policy to employ adequate technical and organizational measures when dealing with personal data, and to make efforts to protect personal data of personal data subjects against unauthorized access, loss, destruction, unauthorized sharing, among other hypotheses.

14. INTERNATIONAL TRANSFER OF PERSONAL DATA

In the hypotheses in which ACT DIGITAL is authorized to process personal data regardless of the data subject’s consent, ACT DIGITAL may transfer personal data to other countries provided that, alternatively:

a) The country is ranked by the ANPD as having an adequate level of data protection, or the transfer is authorized by the ANPD;

b) While there is no list of adequate-level countries released by the ANPD, the country is classified by the European Commission, through an Adequacy Decision, as an adequate level country to the GDPR criteria;

c) The international personal data processing agent provides ACT DIGITAL with at least one of the safeguards below:

i. Regularly issued Codes of Conduct or binding corporate rules approved by the European Commission;

ii. Standard Contractual Clauses issued by the ANPD or the European Commission;

iii. Seals and Certificates of compliance or adequacy to the personal data protection granted by entities recognized by the ANPD or the European Commission.

d) Obtain explicit and outstanding consent from the personal data subjects to perform international transfer of personal data, with prior information on the international character of the operation, and highlighting that the country does not have an adequate level of data protection recognized or that there are no safeguards of compliance by the processing agent, as the case may be.

In cases where ACT DIGITAL is authorized to process personal data on the basis of consent, ACT DIGITAL may transfer personal data to other countries provided that it obtains the explicit and outstanding consent of the personal data subjects to perform international transfer of personal data, with prior information on the international character of the operation.

In case the country does not have an adequate level of data protection recognized or there are no safeguards of compliance of the processing agent, such information should be provided to the personal data subject in advance in order for them to consent to the risks of the operation.

15. TRAINING

The addressees of this Policy undertake to participate in the trainings, workshops, meetings and capacity building proposed by the Data Protection Officer of ACT DIGITAL to expand the personal data protection culture in the Company.

ACT DIGITAL employees whose duties require the regular processing of personal data, or those responsible for the implementation of this Policy, undertake to participate in additional training to help them understand their duties and how to comply with them.

 16. MONITORING

It is reiterated that ACT DIGITAL recognizes its commitment to the adequate processing of personal data for legitimate purposes that may be the object of its activities, and reinforces its commitment to good data privacy and protection practices, committing itself to keeping its LGPD Compliance Program up to date with the standards and recommendations issued by the ANPD or other competent authorities.

ACT DIGITAL is committed to revisiting this Policy regularly and, at its discretion, promoting modifications that update its provisions in order to reinforce the Company’s continuous commitment to personal data privacy and protection. All modifications will be communicated in a timely manner through the Company’s official channels.