1 PRESENTATION
This general policy on privacy and protection of personal data (“LGPD Policy” or “Policy”) aims to establish guidelines and orientations for the head office and branches of RAÍX BIOSOLUÇÕES S.A. (“RAÍX”), CNPJ 10.928.920/0001-28, in accordance with and complementing the applicable Personal Data protection legislation, regarding principles, governance, processing of Personal Data, cookies and incident management.
2 PERSONAL DATA
“Personal Data” is any information related to an identified or identifiable natural person. Personal Data can be either direct or indirect, as follows:
- “direct” Personal Data, which can be attributed to a specific data subject without the use of additional information (e.g., full name, Tax ID, photo, biometrics and DNA); and
- “indirect” Personal Data, which requires additional information before it can be attributed to a specific data subject (e.g., incomplete name, gender, country of residence, operating system).
Certain Personal Data may also be sensitive. “Sensitive Personal Data” is information related to racial or ethnic origin, religious belief, political opinion, membership in a trade union or organization of a religious, philosophical or political nature, data relating to health or sexual life, among others.
3 PRINCIPLES
When dealing with Personal Data, RAÍX and its Employees undertake to observe the following principles:
(i) Confidentiality: restricting access to information and resources to authorized persons only.
(ii) Integrity: accuracy of the information and processing methods to which the information is submitted, keeping it accurate, complete and up-to-date.
(iii) Availability: guarantee that authorized users have access to information and information assets when necessary.
(iv) Purpose: processing of Personal Data of data subjects exclusively for legitimate, specific, explicit purposes and in the manner provided, without the possibility of subsequent processing in a manner incompatible with the purposes provided for by law.
(v) Adequacy: commitment to processing the Personal Data of the respective data subjects in a manner compatible with the processing purposes provided for and in accordance with the context of the processing.
(vi) Necessity: processing of Personal Data only strictly necessary to achieve RAÍX's purposes, covering pertinent, proportional and non-excessive data.
(vii) Free access: easy and free consultation by data subjects on the form and duration of the processing of their Personal Data.
(viii) Data quality: taking the necessary precautions to keep the Personal Data of the data subjects accurate, clear and up-to-date, in accordance with the need and to fulfill the purpose of its processing.
(ix) Transparency: clear, precise and accessible dialogue with the data subject, especially when the data subject needs to better understand the processing of his/her data and the respective processing agents, observing commercial and industrial secrets.
(x) Security: adopting technical and administrative measures capable of protecting Personal Data from unauthorized access and accidental or unlawful destruction, loss, alteration, communication or dissemination.
(xi) Prevention: adopting the necessary measures to prevent the occurrence of damages due to the processing of the Personal Data of the respective data subjects.
(xii) Non-discrimination: not using the data subjects' Personal Data for unlawful or abusive discriminatory purposes.
(xiii) Responsibility and accountability: proof, as required, of compliance with applicable Personal Data protection legislation and of the effectiveness of that compliance.
4 PERSONAL DATA GOVERNANCE
Personal Data Governance is a set of practices that aim to optimize the management of the Personal Data flows circulating in a given organization, in order to guarantee the privacy and protection of such data by assigning responsibilities to an organizational structure created specifically to mitigate risks to civil liberties and protect the fundamental rights of the respective data subjects.
4.1 Application
RAÍX practices data governance daily in its internal and external processes and flows. To this end, it lists and organizes existing Personal Data, including the processes and operations for processing such data, and adopts the following measures:
(i) Culture and awareness. RAÍX promotes awareness among its Employees regarding good privacy and data protection practices.
(ii) Implementation of the rules of the LGPD Policy. This Policy includes principles, governance, processing of Personal Data, cookies, incident management and information security.
(iii) Incorporation of privacy into operations. RAÍX uses the prin