Privacy and Data Protection

Updated October 2, 2023

INTRODUCTION
This Privacy and Personal Data Protection Policy ("Policy") is intended to disclose the principles and standards of conduct that will guide the actions of the law firm Barcellos Tucunduva Advogados ("BTLAW") in relation to all personal data under its control, including the personal data of its partners, employees, suppliers and service providers, public officials and any other persons, regardless of the means by which such personal data was obtained by BTLAW. Personal Data means, under applicable law, any and all information relating to an identified natural person, or which can be identified or individualized through BTLAW's reasonable efforts.

This Policy applies to BTLAW and all its partners, associates, consultants, employees and trainees and its standards of conduct are also required of third party service providers and workers who process personal data controlled by BTLAW.

BTLAW values the ethical and secure processing of information, without sacrificing respect for the law and the fundamental rights and freedoms of personal data subjects. With this in mind, BTLAW publishes this policy with the aim of informing personal data subjects how it works to establish and demonstrate the ways in which BTLAW manages and protects personal data.

DATA PROTECTION PRINCIPLES
The practices related to the collection, use, sharing, maintenance, deletion and, finally, processing of personal data by BTLAW, observe the following principles inscribed in the LGPD - General Data Protection Law (Law No. 13,709/2108), which must be followed by all its employees, partners, associates, partners, suppliers and service providers in their activities:

• Purpose: the processing of personal data will always be carried out for legitimate, specific, explicit and informed purposes, as well as compatible with BTLAW's corporate interests in accordance with its business objectives, without the possibility of further processing in a manner incompatible with these purposes.
• Adequacy:the processing of personal data will always be compatible with the purposes informed to the data subject, in accordance with the context of the processing.
  Necessity: the processing of personal data, including its collection and storage by BTLAW, will be limited to the minimum necessary for the fulfillment of its purposes, covering data that is relevant, proportionate and not excessive in relation to the purposes of the data processing.
• Free access: BTLAW will guarantee data subjects easy and free consultation on the form and duration of the processing of their respective personal data, as well as access to the entirety of their personal data processed by BTLAW, except in cases where it is legitimate to refuse them such access.
• Data quality: BTLAW will guarantee to data subjects that their personal data will be accurate, clear and up-to-date, as well as that only relevant personal data will be processed by BTLAW, according to necessity and for the fulfillment of the specific purposes of its processing.
• Transparency: as far as possible, BTLAW will provide clear, precise and easily accessible information on the processing of personal data to the respective data subjects, as well as the respective processing agents.
• Security and confidentiality: BTLAW will adopt technical and administrative measures to protect personal data from unauthorized access and accidental or unlawful destruction, loss, alteration, communication or dissemination, always applying security standards appropriate to the specific risks of each activity and observing the state of the art and best applicable market practices.
• Prevention and mitigation of damage:BTLAW will use its best efforts to prevent damage from occurring as a result of the processing of personal data and to mitigate or repair such damage if it does occur.
• Non-discrimination and ethical processing of personal data:no processing will ever be carried out for discriminatory, unethical, unlawful or abusive purposes.
• Responsibility and accountability: BTLAW will adopt mechanisms to confirm and demonstrate the effectiveness of its privacy and data protection governance program, including compliance with applicable legislation.

PERSONAL DATA COLLECTED BY THE BTLAW WEBSITE

The BTLAW website automatically collects some data about browsing behavior on the site through cookies (see below) for statistical purposes, for the duration of the respective cookie, and also the records of accesses to the website, for a period of 6 months of collection, in the form of the Marco Civil da Internet (Law No. 12.965/2014).

BTLAW also collects personally identifiable information and contact details from users of its website, such as name, e-mail address and telephone number if the user uses the "contact us" function, exclusively to establish contact with the user and any consequences of this contact. This data is kept with BTLAW for as long as necessary to fulfill this purpose.

PERSONAL DATA COLLECTED THROUGH COOKIES

BTLAW's website stores certain "cookies" in the user's browser, which are text files through which certain information can be stored and read by BTLAW's servers and certain companies with which it works.

The website uses the following cookies for analytical purposes:

The website also uses functional tools from the companies Nitropack and Weglot, which expire at the end of each session, to collect data from the user's device and system that is necessary for the website to be presented in the most appropriate and optimized way for viewing, perform automatic translation and improve navigation security.

Each user's browser can be configured in the options and tools available in the respective menu to refuse to receive cookies and to remove them at any time.

PERSONAL DATA USED BY BTLAW IN ITS ACTIVITIES
BTLAW possesses and processes various types of personal data in its legal activities:

• Identification and contact data and information relating to the cases of clients contracting BTLAW's legal services, relating to the clients and other persons involved in these cases.
• Data on people related to the cases addressed by BTLAW, which can be collected from public sources such as courts, public administration bodies, registry offices and private information services.
• Data of its employees, partners, associates and service providers related to the fulfillment of their employment contracts, provision of services and expert advice, respective payment and direction of the work performed.
• Data on its partners relating to the making and recording of management and administrative decisions at BTLAW, as well as changes to its articles of association and regulatory documents.
• Data from suppliers of goods and services, also related to contracts signed with BTLAW.
• Profile data, messages and publications from users of LinkedIn and other social networks who connect or contact BTLAW directly through the respective platforms.
• Data of third party participants in webinars, events and lectures, as necessary for their conduct and other purposes arising therefrom.

The personal data collected and used by BTLAW are kept in a protected electronic environment for as long as necessary to fulfill their specific purposes and, thereafter, for as long as necessary to exhaust the legal obligations and prescriptions of rights related to their initial use.

SHARING PERSONAL DATA WITH THIRD PARTIES
BTLAW only shares personal data with public and private companies and entities involved in the provision of its legal services, such as correspondent offices, experts, technical assistants and legal advisors, courts and public administration bodies, and companies responsible for the infrastructure, technology and services used in the hosting of systems and files, management and administration of BTLAW.

Personal data is only shared, transferred or disclosed by BTLAW to third parties as strictly necessary for the fulfillment of the legitimate purposes expressed and informed by BTLAW in this Policy and through the use of legal instruments that bind the third party to comply with the laws, regulations and good practices for the protection of personal data. In addition, BTLAW adopts procedures to ensure that it only shares personal data with third parties that adopt sufficient technical and administrative measures to ensure the adequate security and protection of personal data, in accordance with the risks to which they are exposed.

The sharing, transfer and disclosure of personal data to public authorities and government entities, except in proceedings and other cases in which such sharing is a prerequisite of the activity of advocacy, is always limited to what is necessary for compliance with legal and regulatory obligations, compliance with court orders and requests from competent authorities, and the defense or legal exercise of rights of BTLAW or third parties.

GUIDELINES FOR PROCESSING PERSONAL DATA
Any and all personal data collected, received, obtained or generated by BTLAW will be linked to one or more purposes, validated, recorded and, as best as possible, communicated to the respective owners. No personal data will be collected, received, obtained or generated by BTLAW unless it is necessary for a lawful, certain and specific purpose. All personal data has its life cycle monitored and recorded from the moment BTLAW takes control of the personal data until the moment it is finally disposed of.

BTLAW's personal data processing activities are always based on legal authorization to do so, and are duly recorded in order to control the risks of processing, safeguard measures and the internal and external circulation of personal data. Any processing of personal data in which BTLAW identifies probable harm to the fundamental rights and freedoms of data subjects will be subject to a personal data protection impact assessment in which the risks and possible measures for their mitigation, prevention or elimination will be evaluated.

Only people who need access to certain categories of personal data have access to them, taking into account the role they play in relation to the use of this information, under the terms established in the Information Security Policy and guaranteed through appropriate technical and organizational measures.

Personal documents and databases are stored in digital format for as long as their processing purposes remain and are deleted in a secure and irretrievable manner immediately after all their purposes have been exhausted, when the safeguard period for complying with legal obligations or exercising rights is reached, or in the event of a request from the respective data subject that obliges BTLAW to delete such personal data.

BTLAW maintains a Data Protection Officer and Privacy and Information Security Committees for the development of standards and the application of good practices for the proper processing of personal data in the above terms.

INFORMATION SECURITY
BTLAW adopts technical and organizational information security measures compatible with the level of risk of the activity to guarantee the confidentiality, integrity, availability of data and information, as well as the resilience of its computer systems, databases, physical files and other information repositories, in order to prevent unauthorized access and accidental or illicit situations of destruction, loss, alteration, communication or dissemination of personal data, in the form of its Information Security Policy.

BTLAW maintains a security incident response plan for the rapid assessment, interruption, remediation and, where necessary, mitigation and repair of any damage caused by incidents, and BTLAW undertakes to assist, in good faith and to a reasonable extent, all relevant parties in mitigating or repairing any damage actually suffered.

RIGHTS OF PERSONAL DATA SUBJECTS
BTLAW undertakes to adopt effective measures to guarantee the rights of personal data subjects as specified by the LGPD, and other Brazilian laws and regulations applicable to the protection of personal data, in particular the following:

• easy access to clear information about the processing of personal data by BTLAW, including the specific purposes of the processing, form and duration of the processing, identification and contact details of BTLAW and any other controllers, information about the shared use of data by BTLAW and the respective purpose of its sharing.
• confirmation of existence and information on the processing of your personal data by BTLAW.
• access to personal data held by BTLAW.
• the correction of any incomplete, inaccurate or outdated personal data.
• the blocking, deletion or anonymization of personal data that is held by BTLAW unnecessarily, excessive for the purposes stated by BTLAW or processed in breach of the law and this Policy, as well as the opposition to the use of your personal data in these same situations.
• portability of your personal data to other entities, in interoperable format, upon express request and in accordance with the official regulations on the subject.
• information from public and private entities with which their data has been shared.
• information about the possibility of not giving consent and the consequences of refusing to do so, in cases where your data is collected and processed with consent.
• the revocation of their consent to the collection and processing of data in these same cases.
• the deletion, when required, of personal data collected with your consent, in accordance with the applicable legislation.
• the possibility of reviewing automated decisions that BTLAW may adopt in processes that may affect the rights and interests of data subjects.

BTLAW maintains rules, controls, processes and notices to guarantee the presentation of information to the respective data subjects with due transparency of its personal data processing practices, under the terms of current legislation. However, as BTLAW is a law firm subject to legal and ethical obligations of confidentiality, certain information may be omitted, including in responses to requests for access to data subjects' personal data, as necessary to comply with such obligations.

COMMUNICATION
BTLAW maintains controls and processes that guarantee a prompt response to the rights of data subjects and requests from the competent authorities regarding the protection of personal data, providing direct contact channels with the Data Controller so that data subjects can exercise their rights, make complaints and requests, as well as send suggestions.

PERSONAL DATA CONTROLLER
The associate lawyer below has been appointed by the partners as BTLAW's Data Controller:

Luiz Fernando Plastino Andrade (CIPP/E, CIPM)
Avenida Presidente Juscelino Kubitschek, 1726, 4th floor, São Paulo - SP
ZIP CODE 04543-000
E-mail: [email protected]
Telephone: +55 (11) 3069-9080

These are the duties and responsibilities of the Foreman, always acting with independence, impartiality, decorum and good faith:

• Clarifying queries from data subjects regarding BTLAW's practices with regard to their personal data, as well as receiving, giving internal referral and responding to requests and complaints from data subjects.
• BTLAW's response to requests and complaints from personal data subjects (after approval by the competent decision-making bodies).
• Acting as a communication channel between the ANPD and BTLAW in administrative procedures, including receiving, internally forwarding and submitting BTLAW's response to communications, requests and subpoenas from the ANPD - National Data Protection Authority.
• Report security incidents to the ANPD and data subjects on behalf of BTLAW after assessing the risks and potential for damage to data subjects and approval by the competent decision-making bodies.
• Convening and participating in Privacy Committee meetings to discuss privacy and data protection issues, including the need for risk assessments, the implementation of new practices or the revision of standards, processes and policies, as well as submitting conclusions, requests and the results of the Privacy Committee's work to BTLAW's competent decision-making bodies.
• Participate in the Information Security Committee and other relevant committees relating to privacy and data protection
• Provide guidance to BTLAW's lawyers, employees, contractors and subcontractors on BTLAW's current policies and practices relating to privacy and the protection of personal data.

The partners and management of BTLAW undertake to guarantee the independence of the Person in Charge in the performance of his/her duties and direct access to the necessary management and executive decision-making bodies in relation to issues impacting the privacy and protection of personal data under the control of BTLAW. The person in charge will also be guaranteed access to all information on BTLAW's activities and processes that have the potential to pose a relevant risk to the privacy and protection of personal data and other information relevant to their duties, regardless of their confidentiality classification.

RESPONSIBILITY
Each BTLAW partner, associate, consultant, trainee, employee and service provider is responsible for complying with this Policy and other applicable rules, as well as for enabling the Personal Data Processing Officer and the Privacy Committee to carry out their work properly.

The person in charge and the Privacy Committee shall report on their specific duties directly to the members in charge, and shall only be liable for their actions with intent or fault in their duties and shall be protected from personal liability for the acts and decisions of BTLAW.

__PRESENT

__PRESENT