I. OBJECT AND OBJECTIVE OF THE DOCUMENT


The LGPD establishes rules and principles for the processing of personal data, including in digital media, with the aim of protecting the fundamental rights of freedom and privacy and the free development of the personality of the natural person.


The LGPD defines that the protection of personal data in Brazil is based on: respect for privacy; informative self-determination; freedom of expression, information, communication and opinion; the inviolability of intimacy, honor and image; economic and technological development and innovation; free initiative, free competition and consumer protection; and human rights, the free development of personality, dignity and the exercise of citizenship by natural persons.


CONCILIG TELEMARKETING E COBRANÇA LTDA (hereinafter referred to as “CONCILIG” or simply “Controller”) recognizes the value of privacy and data protection as a common good and as good business practice, and systematically promotes their implementation in accordance with the LGPD and applicable regulations. This policy applies to CONCILIG with regard to its performance in accordance with the laws, regulations and governance rules applicable to the Protection of Personal Data.


II. SCOPE OF APPLICATION


With regard to the scope of application, art. 3 establishes that the LGPD applies to any processing operation carried out by a natural person or legal entity governed by public or private law, regardless of the medium, the country of its headquarters or where the data are located, provided that:


I) The treatment operation is carried out in the national territory;


II) The processing activity has as its objective the offer or supply of goods or services or the processing of data of individuals located in the national territory; or


III) The personal data object of the treatment has been collected in the national territory. Personal data whose holder is in the national territory at the time of collection are considered collected in the national territory.


This document applies to all CONCILIG operations that process personal data. This document also applies to CONCILIG operations carried out outside Brazilian territory that process personal data collected in Brazil, or whose processing activity has as its objective the offer or supply of goods or services or the processing of data of individuals located in Brazil.


III. REFERENCES


● Constitution of the Federative Republic of Brazil of 1988 – 5 X (“CRFB”);
● Law 8078/90 – Consumer Defense Code (“CDC”);
● Law 12.965/14 and its Regulatory Decree 8771/18 (“Marco Civil da Internet”);
● Law 13.709/18 (General Data Protection Law – “LGPD”).


IV. DEFINITIONS

Term / Definition

Consent

Consent must be provided through a clear statement establishing a free, informed and unequivocal statement by which the holder agrees with the processing of his personal data for a specific purpose, such as by written consent, including electronic means, or by verbal declaration, provided that the consent can be proven.

Controller

Natural or legal person responsible for decisions regarding the processing of personal data (Controller), alone or together with other Controllers (Co-Controllers).

International data transfer

There is an international transfer of data when there is a transfer of personal data to a foreign country or international organization of which the country is a member.

Data Security Incident

Data Security incident is a breach of security leading to accidental or unlawful access, unauthorized disclosure, alteration, loss or destruction of Personal Data transmitted, stored or otherwise processed.

Person in Charge or DPO (Data Protection Officer)

Natural person in charge of supervising and supporting the Controller or the Operator in all matters related to the processing of Personal Data. The DPO plays an advisory role, he/she oversees compliance with the LGPD, by the Controller and the Operator, and is the reference and point of contact with the National Authority and the Holders, in accordance with what is provided for in the LGPD and in this Policy.

Impact Report on the Protection of Personal Data or DPIA

Risk assessment aimed at:

● Describe the data processing project and its purposes;
● Evaluate the necessity and proportionality of the treatment;
● Evaluate the risks to the Holder's rights and freedoms resulting from the treatment;
● Determine the mitigation measures; and
● When deemed necessary by the DPO, compare the results of the DPIA with the National Authority.

National Council for the Protection of Personal Data and Privacy or Council (LGPD)

The National Council for Data Protection and Privacy is composed of representatives, alternate holders, of the bodies: Federal Executive Power, Federal Senate, Chamber of Deputies, National Council of Justice, National Council of the Public Prosecutor's Office, Internet Management Committee in Brazil, Civil Society entities with proven performance in the protection of personal data, scientific, technological and innovation institutions, and entities representing the business sector related to the area of processing of personal data. Pursuant to Art. 58-B of the LGPD, it is incumbent upon the Council to propose guidelines for the National Data Protection Policy; prepare annual reports evaluating the implementation of the actions of the National Policy for the Protection of Personal Data and Privacy; suggest actions to be taken by the ANPD; prepare studies and hold debates and public hearings on the protection of personal data and privacy; and disseminate knowledge about the protection of personal data and privacy to the general population.

General Data Protection Law or LGPD

Brazilian Law No. 13,709/18, which provides for the processing of personal data, including in digital media, by natural persons or legal entities governed by public or private law, with the aim of protecting the fundamental rights of freedom and privacy and the free development of the personality of the natural person.

Holder of Personal Data

Natural person to whom the personal data that are subject to treatment refer. He/she is understood as an identified or identifiable natural person.

Legitimate Interest

Legitimate interest is one of the legal bases for processing Personal Data and is defined by the special relationship between the Controller and the Holder.

Personal Data

Personal Data is any information related to an identified or identifiable natural person, such as name, identification number, location data, an online identifier or one or more of the characteristic elements of their physical, physiological, genetic, mental, economic, cultural or social identity (see also Special categories of personal data).

Privacy Notice

Instrument by which the Controller provides complete information on the essential characteristics of the treatment.

Treatment

Any operation carried out with personal data, such as those referring to the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, diffusion or extraction.

Operator

Natural or legal person, public or private, who processes personal data on behalf of the Controller.

Pseudonymization, anonymization and encryption

Pseudonymization constitutes the processing of personal data in such a way that they can no longer be attributed to a specific Holder unless additional information is used, and provided that this supplementary information is kept separately filed. Anonymization is the use of reasonable technical means available at the time of the treatment, through which data loses the possibility of association, direct or indirect, to an Individual.

Encryption is the process of transforming information using an algorithm in such a way as to make it impossible for anyone to read it except those with a unique identifier, often referred to as a key.


Security measures

Technical and administrative measures capable of protecting personal data from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication or any form of inappropriate or unlawful treatment, in accordance with Art. 46 of the LGPD and its respective regulations.

Sensitive Personal Data (including Biometrics and Health related ones)

In the context of data protection, the category of personal data on racial or ethnic origin, religious conviction, political opinion, membership of a union or organization of a religious, philosophical or political nature, data referring to health or sexual life, genetic or biometric data, when linked to a natural person. This data is defined by the LGPD as “Sensitive Personal Data”.

“Genetic data”: personal data relating to the genetic, hereditary or acquired characteristics of a natural person that provide unambiguous information about the physiology or health of such natural person, and which result in particular from the analysis of a biological sample of the natural person in question;

“Biometric data”: personal data resulting from a specific technical treatment relating to the physical, physiological or behavioral characteristics of a natural person that allow or confirm the unique identification of that person, such as photo, video, face images or fingerprint data;

“Health data”: personal data relating to the physical or mental health of an individual, including the provision of health services, which reveal information about their health status.


National Data Protection Authority (ANPD)

The National Authority for Data Protection is the public administration body responsible for ensuring, implementing and supervising compliance with the LGPD throughout the national territory.

V. GENERAL PRINCIPLES


The protection of Personal Data at CONCILIG will be based on the following fundamental principles, mostly provided for by the LGPD:


Principle of Purpose: Processing by CONCILIG must be carried out for legitimate, specific, explicit and informed purposes, with no possibility of further Processing in a manner incompatible with those purposes.


Principle of Adequacy: CONCILIG must guarantee the compatibility of the Treatment with the purposes informed to the holder, according to the context of the Treatment.


Principle of Necessity: The Processing carried out by CONCILIG must be limited to the minimum necessary for the fulfillment of its purposes, covering the relevant, proportional and not excessive data in relation to the purposes of data processing. Thus, the collection of Personal Data by CONCILIG must be limited to what is essential.


Principle of Free Access: CONCILIG must guarantee the Holders easy and free consultation on the form and duration of the Treatment, as well as on the completeness of their personal data.


Principle of Data Quality: CONCILIG must guarantee the Holders accuracy, clarity, relevance and updating of the data, according to the need and for the fulfillment of the purpose of its Treatment.


Principle of Transparency: CONCILIG must guarantee the Holders clear, precise and easily accessible information about the performance of the Processing and about the Controllers and Operators involved therein, observing commercial and industrial secrets. There must be a general policy of transparency regarding CONCILIG's development, practices and policies regarding Personal Data.


Principle of Security: Use by CONCILIG of Security Measures able to protect personal data from unauthorized access and accidental or illegal situations of destruction, loss, alteration, communication or dissemination of Personal Data.


Principle of Prevention: Adoption of measures by CONCILIG to prevent the occurrence of damages due to the processing of personal data.


Principle of Non-Discrimination: CONCILIG shall not carry out any Processing for unlawful or abusive discriminatory purposes.


Principle of Responsibility and Accountability: Demonstration, by CONCILIG, of the adoption of effective measures capable of proving observance of and compliance with personal data protection rules, as well as the effectiveness of these measures.


CONCILIG, through documentation and demonstration of internal processes, will render accounts to the Authorities and Collaborators, and to whoever else it deems relevant, regarding the observance of the measures that give effect to the principles indicated above. This implies a continuous update to the best data protection practices and a corresponding effort to incorporate them into CONCILIG's strategy, organization and business.


The principle of accountability also requires a broader use of risk assessment methodologies, such as the Personal Data Protection Impact Report (DPIA) as a decision-making process centered on the interests of the Data Subject. This implies a duty on the Controller and Operator to perform a DPIA not only on treatments already in progress, but also on the design of a new organization, process, digital platform and algorithm, and so on.


Privacy by design (from conception) and privacy by default


Principle not expressly provided for by the LGPD, but which is consolidated throughout the world, and according to which CONCILIG must put in place appropriate technical and organizational measures to guarantee, and be able to demonstrate, that any processing of Personal Data is carried out considering all requirements applicable to the protection of personal data, from the beginning of the project or operation.


These measures must be included in the projects from the beginning, considering the cost of implementation, the nature, scope, context and purpose of the treatment, as well as the probability and severity of the risk to the rights and freedoms of the Holder due to the treatment (“Privacy by Design”).


The Controller must ensure that, by default, only Personal Data that is necessary for each specific processing purpose is processed (“Privacy by Default”). This obligation applies to all Personal Data collected, the extent of its treatment, the period of its storage and its accessibility. These measures should be reviewed and updated if necessary, taking into account the evolution of best practices.


The hiring of third parties for data processing must be developed and implemented in such a way that this third party has an appropriate level of security equivalent to the standards of CONCILIG. Qualification of suppliers and contractual clauses aim to protect personal data.

 

VI. PROCESSING OF PERSONAL DATA


The areas of CONCILIG, with the support of the DPO, have the duty to follow the instructions issued by the National Authority for Data Protection, as well as the best practices to guarantee the privacy and Data Protection of the Holders. When processing data, it is necessary to pay attention to some specificities, such as:


Anonymization


Processing of Personal Data includes the following activities: research, collection through any instrument or sensor, listening and recording (photo, video, voice, etc.), identification, use, management, handling, organization, structuring, storage (including physical storage and management and maintenance of the server where Personal Data is stored, even temporarily), comparison, compilation, duplication, profiling, conservation, adaptation, modification, integration, correction, inspection, use, extraction, consultation, communication, transmission, dissemination, segregation of views, elimination, cancellation, destruction, pseudonymization, anonymization and encryption.


Personal Data, after being submitted to an effective anonymization process, lose the quality of Personal Data, except when such procedures are reversed or reversible.


Consent


Consent must be given by a clear affirmative act establishing a free, informed and unequivocal statement by which the holder agrees with the processing of his personal data for a specific purpose, which may occur by means of a written or oral statement, including by electronic means, always subject to verification by the Controller.


It may include the mark in a check box (opt-in) when visiting a CONCILIG website, or another statement or conduct that clearly indicates, in this context, the Holder's acceptance of the proposed treatment of their Personal Data. The Holder's silence and inertia in front of previously marked/selected check boxes do not constitute consent.


Consent must apply to all processing activities carried out for the same purpose. If processing has more than one purpose, consent must be provided for each of these purposes, for example in separate boxes. Pursuant to § 2 of Art. 9 of the LGPD, if there are changes in the purpose for processing personal data that are not compatible with the original consent, the controller must previously inform the holder about the changes in purpose, and the holder may revoke the consent if he/she disagrees with the changes.


If the Holder's consent is collected electronically, the request must be clear and concise. The Controller, together with the Operator, is responsible for legally collecting the consent of the Holder and has the obligation to demonstrate before the National Authority that the collection of consent was carried out legally and in full respect of privacy regulations and the LGPD.


For the duration of a Treatment activity based on the consent of the Holder, the obligation to demonstrate this consent exists. After the end of the Treatment activity, the proof of consent must be kept for the time strictly necessary for the fulfillment of a legal obligation or for the company to be able to exercise its rights or defend them in judicial, administrative or arbitration claims.


For Treatment activities based on the Holder's consent, the sharing of Personal Data with third parties can only be carried out with specific and highlighted consent, pursuant to § 5 of Art. 9 of the LGPD.


In order to obtain informed consent from children and adolescents, as well as from all vulnerable persons, the Controller must explain to children, in clear and simple language, how it intends to handle the data it collects. Parents or a legal representative of the child must consent, so a body of information will be needed to allow adults to make an informed decision.


As a general rule, if consent is revoked, all Processing operations that were based on it and took place before consent was withdrawn remain legal.


Privacy Notice


The privacy notice must have a concise, clear, simple text that is understandable by the various audiences (e.g. minors, people with special needs, etc.) and be provided to the Holder at the time of collection of Personal Data, containing:

● General information, identification and contact of the Controller;
● General and contact information of the Person in Charge - DPO;
● Object and modalities of the Processing;
● Purpose and legal basis of the Processing;
● Source of Personal Data;
● Recipients with whom the Personal Data will be shared;
● Transfer of Personal Data;
● Responsibilities of the Agents that carry out the treatment (Controller and the Operator);
● The period of storage of Personal Data;
● Any use of automated decision-making;
● The rights of the Holders and the means to exercise them.


The DPO is responsible for approving any Privacy Notice at CONCILIG and the document must be reviewed whenever there is any change in the processing of Personal Data.


VII. RECORDS OF DATA PROCESSING


The LGPD provides that the Controller and the Operator must keep records of the Processing operations they carry out (“Registration”), independently of each other. To ensure compliance with the LGPD obligation, it is essential that there be a dynamic mapping of the treatment and its life cycle. The minimum content of the Controller's record must present:


● The name and contact details of the Controller and, when applicable, of the Joint Controllers, the legal representative of the Controller and the Person in Charge - DPO;
● The purposes of the processing;
● Description of the categories of Holders and categories of Personal Data;
● The categories of recipients to which the Personal Data has been or will be disclosed, including recipients in third countries or international organizations;
● Where applicable, international transfers of personal data to another country or an international organization, including identification of that other country or organization;
● Wherever possible, the deadlines provided for the disposal of the different categories of Personal Data;
● Whenever possible, a general description of the security measures referred to in Art. 46.


VIII. PERSONAL DATA PROTECTION IMPACT REPORT (DPIA)


The Personal Data Protection Impact Report (“DPIA”) is the Controller's documentation that contains the description of the processes for processing personal data that may pose risks to the freedoms and fundamental rights of data subjects, as well as measures, safeguards and mechanisms of risk mitigation. Thus, DPIA is a process aimed at:


● Describe the Data Processing project or process and its purpose;
● Assess the need and proportionality of the Processing;
● Assess the risks to the Holder's rights and freedoms resulting from the Processing;
● Determine the mitigation measures; and
● When considered necessary, the DPO shall present the results of the DPIA to the National Authority.


The risk must be understood as a risk of negative impact on the Holder's rights and freedoms. The likelihood and severity of the risk to the Holder's rights and freedoms must be determined by reference to the nature, scope, context and purposes of the treatment. The risk must be assessed based on an objective assessment, through which it is established whether the data processing operations involve a risk or a high risk.


The LGPD does not establish hypotheses in which the elaboration of the DPIA is mandatory, defining only that the National Authority can determine its execution. It provides, however, in its Art. 37 that the Controller and the Operator must keep records of the Processing operations they carry out, especially when based on legitimate interest. Thus, the Controller and the Operator must register the Treatment in such a way that it is feasible to prepare the DPIA in all situations in which there is Treatment.


IX. PERSON IN CHARGE (DATA PROTECTION OFFICER)


The LGPD requires organizations that process Personal Data to appoint a person in charge of processing personal data (DPO) who must carry out the activities provided for in § 2 of Art. 41 of the law.


The DPO is selected considering its experience in privacy and data protection, its professional characteristics, its ability to fulfill the tasks assigned to it. Thus, in order to comply with the legislation, CONCILIG appointed Lee, Brock, Camargo Advogados as DPO, who can be contacted through the e-mail address dpo@concilig.com.br.


The Controller and Operator must involve the DPO in all matters relating to the protection of Personal Data and ensure its independence in the performance of its functions by:


● Guaranteeing the necessary resources to perform his/her duties;
● Ensuring that he/she does not receive instructions, nor is penalized for his/her decisions and opinions;
● Ensuring that the DPO does not act in situations of conflicts of interest.

The DPO must maintain its activity in secrecy and confidentiality, being responsible for:

● Ensure that the Holders' complaints and communications are properly addressed, that clarifications are provided and the necessary measures are taken;
● LGPD and rules issued by the Authority;
● Design compliance programs and monitor implementation, define data protection governance, standard privacy notices, contractual clauses and best practices;
● Support the Controller and Operator in negotiating data protection contracts, define the service flow of the Holders' rights;
● Define and implement training and awareness plans for employees;
● Provide, if necessary, an opinion on the assessment of the impact on data protection and monitor progress;
● Cooperate and act as a point of reference for the National Authority, receiving communications and adopting measures;
● Accept complaints and communications from holders, provide clarifications and adopt measures;
● Guide the entity's employees and contractors regarding the practices to be taken in relation to data protection.


X. PERSONAL DATA PROCESSING AGENTS


Controller


When acting as Controller, CONCILIG has the duty to consult the instructions issued by the National Authority and also the recognized guidelines and best practices in terms of protection of personal data. The Controller defines the purpose of processing Personal Data and must implement appropriate technical and organizational measures to ensure the protection of Personal Data in accordance with the LGPD. CONCILIG also has the burden of proving compliance with the LGPD and, with the support of the DPO, must:


● Plan and implement the appropriate security, privacy by design and by default measures, applying the best practices and the highest market standards;
● Ongoing training for its own employees and third parties;
● name;
● Cooperate with the National Authority in the course of its investigative initiatives.


The Controllers, when joint, must transparently determine, by agreement, their respective responsibilities in relation to compliance with the obligations arising from the LGPD, in particular with regard to the exercise of rights by the Holders.


Operator


CONCILIG, when acting as an Operator, has the duty to consult and comply with the provisions of the LGPD and those eventually issued by the National Authority regarding its responsibilities as an operator.


The following indications are non-exhaustive examples on the subject:


When Processing is carried out on behalf of a Controller, the Operator must not involve another operator (Sub-Operator) in those Processing activities without prior specific or general written authorization from the respective Controller.


When seeking an Operator to process Data on its behalf, CONCILIG must ensure that the Operator follows the instructions and that the nature, duration and purpose of the treatment, the type of Personal Data Processed, the categories of the Holders, the obligations and rights of the Controller.


When establishing an agreement, CONCILIG, as Controller, must establish that the Operator:


● Process Personal Data only on documented instructions from the Controller, including with reference to the transfer of Personal Data to a third country or international organization, unless required to do so by legislation to which the Operator is subject; in these cases, the Operator must inform the Controller of all legal requirements prior to Processing, unless the law prohibits such information;
● Ensure that persons authorized to process Personal Data have a contractual or legal obligation to maintain secrecy and confidentiality;
● security measures required under the terms of, as well as 46 of the LGPD;
● Respect the conditions established by the LGPD to subcontract another Operator, with the obligation to guarantee that the international transfer of data outside Brazil will be carried out only for countries considered adequate with the legislation of local privacy, and an adequate contractual document is previously signed between the Operator and the Sub-Operator to guarantee the rights of the Holders;
● Adopt, considering the nature of the treatment, appropriate technical and organizational measures, as far as possible, that allow the Controller to meet the requests of the Holders in the exercise of their rights, as provided for in Chapter III of the LGPD;
● Provide assistance to the Controller to ensure compliance with obligations related to Security measures (Chapter VII of the LGPD), Notification and Communication of Data Security Incidents (Art. 48 of the LGPD) and DPIA (Art. 38 of the LGPD);
● Delete or return, at the sole discretion of the Controller, all Personal Data at the end of the provision of the related services, deleting existing copies, unless expressly provided otherwise in the legislation applicable for the storage of the Personal Data object of the respective;
● Provide the Controller with all the information necessary to demonstrate compliance with the obligations established in the LGPD.


XI. SECURITY MEASURES


The Controller has a duty to consult and comply with the provisions contained in the LGPD and those that may be issued by the National Authority regarding the security measures applicable to the Processing activities.


Considering the existing conditions, the implementation costs, the nature, scope, context and purposes of the Treatment, as well as the risk and impact on the rights and freedoms of the Holders, the Controller and the Operator must implement technical and organizational measures aimed at guaranteeing an adequate level of security, including, but not limited to, privacy by design and privacy by default measures. The Controller and Operator must:


● Review and protect all systems, identification of applications and infrastructures and logical access;
● Review and securely manage Personal and Sensitive Data, with the aim of guaranteeing a high quality of data and so that the Processing is limited to what is necessary and appropriate;
● Segregate Personal Data and profile users who deal with Personal Data, limiting access and assignments in accordance with what is strictly necessary for execution;
● Pseudonymize, anonymize and encrypt Personal and Sensitive Data. The choice between the three options must be available to the Controller and the Operator;
● Permanently ensure the confidentiality, integrity, availability and resistance of the systems used in the Processing;
● Promptly restore access and availability of Personal Data in the event of security incidents;
● Test, regularly verify and evaluate the effectiveness of technical and organizational measures to ensure security.


When assessing the adequate level of security, the risks presented by the Processing must be considered, particularly in case of unlawful or accidental conduct that leads to the destruction, loss, alteration, unauthorized disclosure or access to Personal Data transmitted, stored or otherwise Treated.


Adherence to a code of conduct approved by the National Authority or an approved certification mechanism in line with LGPD data protection good practices can be used as elements to demonstrate compliance with the LGPD.


XII. DATA SECURITY INCIDENT AND AUDIT RIGHT


The implementation of security measures within the scope of Art. 46 of the LGPD, together with the measures provided for in the Information Security Policy and in the Security Incident Response Plan, must be appropriate instruments to prevent Data Security Incidents.


The Controller shall have the right, at any time during the term of the Agreement and/or during the entire period in which the Operator retains the Personal Data of the Controller, to carry out an internal assessment or audit to confirm that the Operator and/or Sub-Operator is acting in accordance with this Policy and the GDPR, upon notice by the Operator [insert number of days] working days in advance.


The Operator shall make available, at any time, all information necessary to demonstrate compliance with this Policy and the Contract, and shall allow and contribute to audits, including periodic checks and inspections, by the Controller or by an auditor sent by the Controller, in relation to the Processing of the Controller's Personal Data. In case of any security problems found during such audits, the Operator shall take, at its own expense, all necessary actions to resolve the mentioned problems.


The Controller shall have the right to notify the Operator and/or Sub-Operator of any possible risk of an eventual occurrence of a Security Incident or non-compliance with any Data Protection Laws and Regulations that it finds in its audit, and the Operator and/or Sub-Operator shall, within 30 (thirty) calendar days, take the necessary measures, informing the Controller that it may, at its discretion, carry out a new audit.


The Controller and the Operator have a duty to consult and comply with the detailed instructions in the LGPD and those that may be issued by the National Authority on the notification of incidents involving personal data.


XIII. THE RIGHTS OF THE HOLDERS


The right to Privacy and Personal Data Protection must be considered against other fundamental rights, in accordance with the principle of proportionality. The Controller must make its best efforts, without undue delay, to provide the Holder with an easy and practical interface for the full exercise of the data protection rights disciplined by the LGPD.


The deadline for a response to the Data Subject's request is, for all rights, immediate for answers in a simplified format, or within a period of up to 15 (fifteen) days, counted from the date of the holder's request, in the case of a clear and complete statement that indicates the origin of the data, the lack of registration, the criteria used and the purpose of the treatment, observing commercial and industrial secrets, provided in a free format of your choice. The response to the Holder's request must be in writing or by means of electronic tools, and must be clear, concise and transparent.


The Controller bears the burden of proving the request is manifestly excessive or unfounded. Furthermore, the exercise of rights is carried out free of charge to the Holder and it is the Controller's responsibility to adopt technical and organizational measures to process the exercise of the Holder's rights.


The Data Subjects have rights, in accordance with the LGPD:


    Confirmation of the existence of treatment;
    Access to data;
    Correction of incomplete, inaccurate or outdated data;
    Anonymization, blocking or deletion of data that is unnecessary, excessive or treated in non-compliance with the LGPD;
    Data portability;
    Elimination of personal data processed with consent;
    Information on public and private entities with which the shared use of data was carried out;
    Information on the possibility of not providing consent and on the consequences of denial;
    Revocation of consent; and
    Review of automated decisions made based on data processing.


Right of Confirmation and Right of Access


The Holder has the right to be informed that data processing relating to his own data is in progress and, in the event of an affirmative answer, to obtain access to his Personal Data and receive a copy of them.


Confirmation of the existence of, or access to, Personal Data will be provided in a simplified format, immediately, or within a period of up to 15 (fifteen) days, counted from the date of the holder's request, through a clear and complete statement which indicates the origin of the data and the purpose of the treatment, observing trade and industrial secrets.


Personal Data will be stored in a format that favors the exercise of the right of access. The information and Personal Data may be provided, at the Holder's discretion: by electronic means, safe and suitable for this purpose or in printed form. The copying of Personal Data is free of charge.


Right of Correction


The Holder has the right to obtain from the Controller the correction of Personal Data concerning him and which are incomplete, inaccurate or out of date.


Right to Withdraw Consent and Right to Delete Personal Data


The Holder has the right to revoke the previously expressed consent at any time by means of an express manifestation, through a free and facilitated procedure. The interested party also has the right to obtain the elimination of Personal Data processed with the consent of the Owner.


The Controller must eliminate them considering available technology and implementation costs by adopting appropriate measures. Any links, copies or reproductions of your Personal Data must be deleted. Exceptions can only be made to the extent that processing is necessary for:


    Compliance with a legal or regulatory obligation by the controller;
    Study by a research body, guaranteeing, whenever possible, the anonymization of personal data;
    Transfer to a third party, provided that the data processing requirements set forth in the LGPD are respected.


The Controller must inform other Controllers involved in the same data processing about the deletion request.


Right of Opposition


The Holder has the right to obtain from the Controller the anonymization, blocking or deletion of Personal Data:


    Unnecessary;
    Excessive; or
    Treated in violation of the provisions of the LGPD.


Right to data portability


The Holder has the right to receive Personal Data provided to a Controller in a structured way and has the right to transmit such data to another Controller, without interference from the Controller. When exercising the right to data portability, the Holder has the right to obtain the direct transmission of Personal Data, when technically feasible, from one controller to another.


Right to Information


The Holder always has the right to be fully informed about the Treatment to which his Personal Data is submitted. In particular, the Holder has the right to have information:


    About the public and private entities with which the Controller carried out shared use of data;
    About the possibility of not providing consent and the consequences of the refusal.


Right to Review Automated Decisions


The interested party has the right to request the review of decisions taken solely on the basis of automated processing of Personal Data that affect their interests, including decisions aimed at defining their personal, professional, consumer and credit profile or aspects of their personality.


The Controller must provide, whenever requested, clear and adequate information regarding the criteria and procedures used for the automated decision, observing commercial and industrial secrets.


In case of non-offering of this information based on the observance of commercial and industrial secrecy, the National Authority may carry out an audit to verify discriminatory aspects in automated processing of Personal Data.


XIV. RETENTION TIME


The period of data storage is established by law in most cases. If the Controller decides on a longer period of retention time, it must be recorded properly in the Data Register. Where the law does not provide for a minimum retention period, the Controller must be able to justify the retention period in accordance with the Principles of Responsibility and Accountability, Necessity and Adequacy.


XV. REVISIONS


This Policy is reviewed annually or as agreed by CONCILIG's Privacy Committee, with the participation of the DPO.
