BUSINESS PRIVACY AND DATA PROTECTION POLICY - TATOH
1. OBJECTIVE
To establish the guidelines and orientations necessary for the protection of Personal Data at "TATOH", aiming to:
- Be compliant with the General Data Protection Law (Federal Law No. 13,709/2018);
- Protect the rights of data subjects, involving customers, employees, partners, or suppliers against the risks of Personal Data violations;
- Act in accordance with Legitimate Interest and the Principle of Purpose;
- Observe Confidentiality, Availability, and Integrity in its processes and treatments;
- Ensure transparency regarding the company's procedures in the processing of personal data; and
- Promote awareness among employees regarding the protection of Personal Data and privacy issues.
2. SCOPE
This policy applies, regardless of their attributions and responsibilities, to all employees of the Company and its affiliates, understood as the companies controlled by it, under common control and/or affiliates, hereinafter jointly referred to simply as "TATOH".
3. COMPLEMENTARY DOCUMENTATION
- Federal Law No. 13,709/2018
- Code of Conduct and Ethics
- Internal Audit Policy
- Information Security Policy
- Confidentiality and Non-Disclosure Agreement - NDA
- Normative Management Policy (Regulation)
- Clean Desk and Screen Procedure
- Personal Data Handling Policy
- Consent Use and Management Policy
- Procedure for Sharing Personal Data with Third Parties
- Procedure for Responding to Personal Data Breach Incidents
4. CONCEPTS AND ACRONYMS
- ANPD: National Data Protection Authority;
- Legal Basis: Legal hypotheses for the processing of personal data according to the LGPD;
- Master: Employees responsible for disseminating the privacy culture;
- Personal Data: Information relating to an identified or identifiable natural person;
- Sensitive Data: Personal data related to racial origin, health, sexual life, among others;
- LGPD: General Data Protection Law;
- Security Measures: Technical or organizational measures to protect personal data;
- Third Party: Natural or legal person who uses personal data for economic purposes;
- Processing: Operations performed with personal data, such as collection, storage, deletion, etc.
5. GENERAL PROVISIONS
The employees of "TATOH" are responsible for knowing, understanding, and applying this policy, as well as all guiding documents related to data protection and privacy.
All areas are responsible for adapting their normatives (policies, standards, procedures, and confidential procedures) in compliance with the topic related to data protection and privacy, so that personal data processing activities occur correctly and in the terms intended by "TATOH".
Violation of any of the Company's data protection and privacy policies may result in serious consequences for "TATOH" and the employees involved. Therefore, failure to comply with this Policy or to report knowledge of a violation of this Policy may result in disciplinary action for any employee involved.
5.1. Roles and Responsibilities
5.1.1. Information Security
- Analyze violations and leaks of Personal Data as well as collect technical evidence;
- Report to the Privacy Committee, the DPO, and the Board Committee events related to Personal Data leakage;
- Implement and monitor security measures to ensure compliance with applicable legislation and regulations;
- Review and keep updated policies, standards, and procedures related to Information Security;
- Provide support and analyze new tools and systems focusing on Personal Data exposure;
- Ensure the application of information security measures proportional to the risk generated by the Processing of Personal Data and in line with the Personal Data Subject's expectation of protection, ensuring the CIA (confidentiality, integrity, and availability) of this information.
5.1.2. Privacy, Information Security, and Data Protection Committee - CPSIPD
- Propose to the Executive Committee the creation of new internal policies that prove necessary, whenever related to the topic of privacy and data protection, or that prove essential for compliance on the topic;
- Discuss and propose decision-making to the Executive Committee on the level of risk related to the protection of personal data that the Company may accept in activities involving the processing of personal data;
- Evaluate, when requested, the personal data protection impact reports and suggest the changes necessary to bring the risk to a level acceptable to the Company;
- Discuss and express an opinion on the contracting of third parties who will have access to personal data held by the Company, based on due diligence reports;
- Discuss and address situations related to meeting the rights of data subjects.
5.1.3. Data Protection Officer (DPO)
- Be responsible for the proper use of Personal Data in their activities;
- Accept complaints and communications from data subjects (when applicable), provide clarifications and take action;
- Cooperate and relate to the National Data Protection Authority (ANPD);
- Propose the review and update of this Policy;
- Prepare and keep updated policies, standards, and procedures related to privacy that are within their competence;
- Carry out the data privacy impact analysis ("Data Privacy Impact Report");
- Define, review, and update privacy notices;
- Periodically conduct maturity assessments of the Company in relation to privacy initiatives, identifying improvements as well as their evolution;
- Monitor and support the implementation of action plans to correct gaps in privacy initiatives;
- Report to the Privacy Committee, Information Security, and the Board Committee events related to Personal Data leakage;
- Participate and guide from a privacy perspective the projects that involve the Processing of Personal Data in order to validate adherence to the requirements of applicable legislation and regulations;
- Follow up on exceptions regarding the handling of Personal Data.
- As provided in article 41 of the General Data Protection Law, the identity of the person in charge of personal data processing at TATOH is hereby published, for the execution of the activities provided for in the LGPD:
- Fabricio Barbi, DPO – dpo@barbiadvogados.com.br
5.1.4. Masters
- Provide support to areas regarding personal data privacy through training and awareness work;
- Facilitate the collection of evidence on the application of internal privacy and Personal Data protection rules;
- Disseminate the culture of privacy and Personal Data protection in the respective areas.
5.1.5. Legal
- Ensure that contracts that include the transfer or Processing of Personal Data contain privacy clauses appropriate to applicable legislation and regulations;
- Provide legal support in the event of Personal Data leaks;
- Provide legal support in the interpretation of legislation and regulations related to Personal Data protection;
- Support the renegotiation of contracts/amendments with suppliers and customers who perform Personal Data Processing;
- Support the interface with National Data Protection Authorities.
5.1.6. Employees
- Be responsible for the proper use of Personal Data in their activities;
- Comply with applicable legislation and regulations, as well as policies, standards, and procedures related to Personal Data protection and the application of appropriate Information Security measures;
- Report to the Data Protection Officer and Information Security the occurrence of any Personal Data or data security incidents, as well as any identified deficiencies or possible privacy risks;
- Participate in data protection training activities as directed.
5.2. Personal Data Protection Principles
This section describes the principles that must be observed in the collection, handling, storage, disclosure, and processing of Personal Data of "TATOH" employees to meet data protection standards at the corporate level and be in compliance with applicable legislation and regulations.
5.3. Legality and Transparency
The Company processes Personal Data fairly, transparently, and in compliance with applicable legislation and regulations. Personal Data is only processed when the purpose/finality of the processing falls under one of the permitted legal hypotheses, listed below:
- Necessity for the execution of a contract;
- Requirement arising from law or regulation to which the company is subject;
- Legitimate interest in the processing, in which case such legitimate interest will be communicated in advance; and
- Need to provide the Data Subject with the regular exercise of rights in judicial, administrative, or arbitration proceedings.
As "TATOH" acts as a Personal Data Processor in its operations, it is up to the Health Operators, as the main managers of the information, to obtain and manage consent from the data subjects.
When, in specific cases, the "COMPANY" is responsible for collecting personal data and is therefore the Data Controller, and the data processing does not fall under the items listed above, the company must obtain the Consent of the Data Subjects for the processing and ensure that this consent is specific, free, unambiguous, and informed. Those responsible for the areas that perform personal data processing must collect, store, and manage all Consent responses in an organized and accessible manner, in accordance with the Consent Use and Management Policy, so that proof of Consent can be provided when necessary.
5.4. Personal Data Handling
The Company provides the Personal Data Handling Policy which assists employees in identifying and documenting the specific purpose (finality) for which personal data will be used and collected.
5.5. Purpose Limitation and Adequacy
The Processing of Personal Data must be carried out in a manner compatible with the original purpose for which the Personal Data was collected, and cannot be collected for one purpose and used for another. Any other purposes must be compatible with the original reason for which the information was collected.
5.6. Principle of Necessity (Data Minimization)
The Company and all its employees may only process Personal Data to the extent that it is necessary to achieve a specific purpose; this is the principle of data minimization according to article 6. The sharing of Personal Data with other areas, companies, and third parties must consider this principle, and may only be shared when they have adequate legal support.
5.7. Accuracy
The Company and all its employees must take reasonable measures to ensure that any Personal Data in their possession is kept accurate and up to date in relation to the purposes for which it was collected, and it must be possible for the Personal Data Subject to request the deletion or correction of inaccurate or outdated data in accordance with article 18 of the LGPD.
5.8. Data Retention and Storage Limitation
The Company and all its employees must be aware of their Processing activities, established retention periods, and periodic review processes, and may not keep Personal Data for longer than necessary to meet the intended purposes.
5.9. Accountability and Reporting
The Company and all its employees are responsible for and must demonstrate compliance with this Policy, ensuring the implementation of various measures that include, but are not limited to:
- Guarantee that personal data subjects can exercise their rights as described in Section 5.5 of this Document;
- Personal Data Registry, including:
  - Records of Personal Data Processing activities, with a description of the purposes/finalities of such Processing, the recipients of Personal Data sharing, and the periods for which the Company must retain them;
  - Record of Personal Data incidents and Personal Data breaches;
- Guarantee that Third Parties who are Personal Data Operators are also acting in accordance with this Policy and with applicable legislation and regulations;
- Guarantee that the Company, when required, registers with the ANPD a Data Protection Officer; and
- Guarantee that the Company is complying with all requirements and requests from the ANPD.
5.10. Personal Data Security
The Company is committed to implementing Information Security standards and protecting Personal Data in order to guarantee the fundamental right of the individual to information self-determination.
Confidentiality, integrity, and availability, as well as authenticity, responsibility, and non-repudiation are objectives to be pursued for the security of Personal Data.
5.10.1. Integrity and Confidentiality
The Company must ensure that appropriate technical and administrative measures are applied to Personal Data to protect it against unauthorized or illegal processing, as well as against accidental loss, destruction, or damage. The Processing of Personal Data must also ensure due confidentiality.
Among the most common technical measures, the following can be described:
- Anonymization means that Personal Data is made anonymous in such a way that the data no longer refers to a directly or indirectly identifiable person. Anonymity must be irreversible;
- Pseudonymization is a process by which Personal Data no longer directly relates to an identifiable person (for example, by no longer mentioning their name), but is not anonymous, because it is still possible to identify the person with additional information that is kept separately.
5.10.2. Personal Data Confidentiality
All employees with access to Personal Data are bound by confidentiality duties regarding Personal Data through consent to TATOH's Information Security Policy.
5.10.3. Personal Data Privacy by Design and by Default
When implementing new processes, procedures, or systems involving the Processing of Personal Data, measures must be adopted to ensure that Privacy and Data Protection rules are adopted from the design phase to the launch/implementation of these projects.
For new projects involving the Processing of Personal Data, the DPO and the Privacy Committee must be consulted at the beginning of the project, so that appropriate measures are taken for Data Protection and Privacy.
5.11. Sharing Personal Data With Third Parties
Third-party service providers who process Personal Data under TATOH's instructions are subject to the obligations imposed on Operators in accordance with applicable Personal Data protection legislation and regulations. The Company must ensure that the service contract includes privacy clauses that require the third-party Data Operator to implement security measures, as well as appropriate technical and administrative controls to ensure the confidentiality and security of Personal Data and specify that the Operator is authorized to process Personal Data only when formally requested by "TATOH" to do so, with the DPO and the Privacy Committee being consulted.
As a rule, for the sharing of Personal Data, the Procedure for Sharing Personal Data with Third Parties must be followed.
In cases where the service provider is located outside the national territory, standard contractual clauses must be included in the Personal Data protection contract as an Annex to ensure that the due safeguards required by applicable Personal Data protection legislation and regulations are implemented.
5.12. International Data Transfer
TATOH performs international data transfers, within the limits of necessity and appropriate to the purpose. Details about this transfer are shown below.
- Country: Japan
- Organization: Toyota Tsusho Corporation
- Transferred Data:
5.13. Rights of Personal Data Subjects
The Company is committed to the rights of Personal Data Subjects, which include:
- Information, at the time Personal Data is provided, about how their Personal Data will be processed;
- Information about the Processing of their Personal Data and access to the Personal Data that the Company holds about them;
- Correction of their Personal Data if it is inaccurate, incorrect, or incomplete;
- Deletion, blocking, and/or anonymization of their Personal Data in certain circumstances. This may include, but is not limited to, circumstances where it is no longer necessary for "TATOH" to retain the Personal Data for the purposes for which they were collected;
- Restriction of the Processing of their Personal Data in certain circumstances;
- Objection to the Processing, if the Processing is based on legitimate interest;
- Withdrawal of Consent at any time, if the Processing of Personal Data is based on the individual's Consent for a specific purpose;
- Review of decisions made solely based on automated Processing of Personal Data;
- Filing a complaint with the Company or the National Authority, if the Personal Data Subject has reason to suppose that any of their Personal Data protection rights has been violated.
5.14. Data Breach Management
All incidents and potential data breaches must be reported to the CSIRT channel and to the Data Privacy Officer, as described in the Personal Data Breach Incident Response Procedure. All employees must be aware of their personal responsibility to forward and escalate potential problems, as well as to report breaches or suspected Personal Data breaches as soon as they identify them. At the time an incident or actual breach is discovered, it is essential that incidents are reported and formalized in a timely manner.
Data Breaches include, but are not limited to, any loss, deletion, theft, or unauthorized access to Personal Data controlled or processed by "TATOH".
5.15. Internal Audit
The Company must ensure that periodic reviews exist to confirm that Privacy initiatives, their system, measures, processes, precautions, and other activities including Personal Data protection management are effectively implemented and maintained and are in compliance with applicable legislation and regulations.
Additionally, and as provided in the Internal Audit policy, the topic must be evaluated with due periodicity and according to existing risks.
6. GENERAL DATA PROTECTION LAW
Federal Law No. 13,709/2018, known as the General Data Protection Law ("LGPD"), applies to all employees of the Company, regardless of their attributions and responsibilities, with regard to the data processing performed by "TATOH", as well as by third parties who do so on its behalf.
For the purposes of this notice, the definitions set forth in article 5 of the LGPD apply. If you have any questions about the terms used in this normative, we suggest consulting the table below:
| Term | Definition |
|------|------------|
| Personal data | Any information related to a natural person, directly or indirectly, identified or identifiable. |
| Sensitive personal data | Special category of personal data referring to racial or ethnic origin, religious conviction, political opinion, membership in a union or religious, philosophical or political organization, health or sex life, genetic or biometric data relating to a natural person. |
| Data subject | Natural person to whom personal data refers, such as former, present, or potential customers, employees, contractors, business partners, and third parties. |
| Processing | Any operation performed with personal data, such as those relating to: collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation or control of information, modification, communication, transfer, dissemination, or extraction. |
| Anonymization | Process by which data loses the possibility of association, directly or indirectly, with an individual, considering the reasonable and available technical means at the time of processing. |
Employees are obligated to respect all TATOH Normatives whenever they use personal data accessed due to the employment relationship, refraining from extracting, copying, sharing, transmitting, or publishing any data relating to natural persons, including personal data related to other employees, suppliers, customers, etc.
This privacy clause applies in conjunction with other policies applicable to the relationship between the parties. Any changes may be made at any time and will be duly communicated to employees in order to ensure maximum transparency.
7. REVISION HISTORY
| PAGE | VERSION | ISSUE DATE | REASON FOR CHANGES | REQUESTED BY |
|------|---------|------------|--------------------|--------------|
| All | 01 | 07/20/2022 | Document creation | CPSIPD |