Privacy Policy

circle-vector-rightarrow-green

PERSONAL DATA PROTECTION POLICY OBJECTIVE

This policy applies to the processing of Personal Data (any information that identifies or may identify an individual) directly or indirectly collected by CARBONEXT TECNOLOGIA EM SOLUÇÕES AMBIENTAIS LTDA (“CARBONEXT”), from all individuals, including but not limited to current, future or potential job applicants, collaborators, professionals, customers, suppliers, business partners, partners, subcontractors or any third parties.

Personal Data is any information that identifies or can identify an individual, such as names, ID numbers, identification codes, and addresses, among others.

This document defines the rules, principles and values that must guide the attitudes, behaviors and decision-making of all Collaborators, members of the Board of Directors, the Executive Board, as well as the occupants of managerial functions, employees and interns, customers, suppliers, business partners, partners, subcontractors or any third parties respecting the Personal Data Protection legislation, including, but not limited to Law No. 13.709/2018 and Law No. 13.853/2019 or the General Data Protection Law, in addition to the best practices adopted in international standards, such as the General Data Protection Regulation (GDPR) in force in the European Union.

PROCESSING

Any operation with data carried out by an individual or by a legal entity governed by public or private law, such as those relating to the collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, disposal, evaluation or control of the information, modification, communication, transfer, dissemination or extraction.

PURPOSE

Personal Data shall be used only for the legitimate and specific purposes for which it was collected and duly informed to the subjects. Any type of processing incompatible with the specific purpose, as well as for discriminatory, not provided for by law or abusive purposes, is prohibited.

Examples of the purpose of Personal Data Processing by Carbonext include recruitment management, human resources management, accounting and financial management, finance, treasury and tax management, risk management, provision of IT tools or internal websites and any other digital solutions or collaborative platforms, IT support management, occupational health and safety management, information security management, customer/partner relationship management, sales and marketing management, supply management, internal and external communication, event management, compliance with obligations against corruption practices or any other legal determinations, data analysis operations, legal corporate management, and the implementation of compliance processes, among others.

ADEQUACY

The Processing of Personal Data can only be carried out if it is in accordance with the specific purpose and in accordance with one of the legal bases provided for in Law No. 13.709/2018, namely:

  • upon consent being given by the subject;
  • for compliance with legal or regulatory obligation by the controller;
  • for the implementation of public policies;
  • for studies carried out by research bodies;
  • for the execution of a contract or preliminary procedures related to a contract to which the subject is a party;
  • for the regular exercise of law in judicial, administrative or judicial proceedings;
  • for the protection of the life or physical safety of the subject or third parties;
  • for the protection of health;
  • to meet the legitimate interests of the controller or third parties;
  • for the protection of credit, including the provisions of the relevant legislation.

MINIMIZATION

Only the minimum Personal Data necessary to achieve the specific purpose defined by Law must be collected.

ACCURACY

Personal Data will be maintained by Carbonext accurately and, when necessary, will be updated according to the need and for the fulfillment of the purpose of its processing.

MINIMUM RETENTION

Personal Data shall be deleted, to the extent possible, from the CARBONEXT database after the specific purpose has been achieved.

SECURITY

CARBONEXT implements appropriate technical and administrative measures to protect Personal Data against accidental or illegal alteration or loss, as well as from unauthorized use, disclosure or access.

Collaborators will receive access passwords to several work instruments, such as: access to e-mail, intranet, payment control systems, systems with job information, salaries and collaborator benefits, among many others, according to the activity performed.

Every password received is personal and not transferable. Access passwords are granted to the person, in a demonstration of trust, and cannot under any circumstances be transferred or assigned for others to use and have access to Personal Data, among other information of a confidential nature. In the same way, it is strictly forbidden to:

  • copy Personal Data to devices for personal use, send or forward Personal Data or emails containing any type of Personal Data to any person who has not been previously and expressly authorized by Carbonext to receive such Personal Data;
  • disclose or publish any Personal Data of Collaborators or Third Parties through the Computing and Communication Resources;
  • search for, view or save on computing resources, such as computers, telephone, email, video conferencing, systems and any type of document containing Personal Data, voice or text messages or emails containing Personal Data, without a legitimate purpose according to their scope of work;
  • providing or using personal passwords of third parties or another Collaborator.

DISCLOSURE

In the normal course of its business, Carbonext may share Personal Data with duly authorized Collaborators and Third Parties to maximize the quality and efficiency of its services and commercial operations.

CARBONEXT may also be required to disclose Personal Data to Governmental Authorities, courts and government agencies when required by law, regulation or legal process, or defend the interests, rights or property of CARBONEXT or related third parties.

Carbonext will not share Personal Data with other individuals or legal entities, unless the respective subject requests or has given prior approval for such sharing.

ANONYMIZATION

CARBONEXT is a company committed to preserving the privacy, privacy and image of the subject of Personal Data. Thus, whenever possible Personal Data should be converted into Anonymized Data.

CONSENT

As one of the legal bases for the processing of Personal Data, consent must be obtained by the free, informed and unequivocal statement of the subject, who must agree to the Processing for a certain and specific purpose.

CARBONEXT will not perform processing other than that informed and, if the initial purposes are changed, a new consent must be obtained from the subject.

DATA OF CHILDREN AND ADOLESCENTS

The Processing of Personal Data relating to children and adolescents shall be carried out by Carbonext solely and exclusively for the provision of services or benefits directly to a child or adolescent, provided that the specific, prior, express and prominent consent of at least one of the parents or the legal guardian is obtained, in accordance with applicable law.

SENSITIVE DATA

Sensitive Data may only be subjected to Processing with the specific and prominent consent of the subject, for specific purposes.

Unless necessary to comply with legal or regulatory obligation; regular exercise of rights, including administrative, judicial or arbitration, or guarantee of protection against fraud and security of the subject, Carbonext will not treat any type of Sensitive Data.

SUBJECT RIGHTS

CARBONEXT is committed to ensuring the protection of Personal Data in accordance with applicable laws. The following are the rights of the personal data subjects:

  • Confirmation of the existence of processing of personal data. Upon request of the Customer, Carbonext will grant confirmation of the existence of processing of personal data, in accordance with applicable law;
  • Access to personal data. You can request access to your personal data collected and stored by Carbonext;
  • Correction of incomplete, inaccurate or outdated data. You may change and edit your personal data, at any time, by sending an email;
  • Information on shared use of data: You may have access to information about the possible sharing of your personal data, in accordance with the provisions of this Policy;
  • Withdrawal of consent. You may revoke the consent that may have given Carbonext for the processing of your personal data, at any time, by express declaration. It is important to inform that the request for revocation will not imply the deletion of personal data previously processed or that are maintained by Carbonext based on other legal grounds;
  • Right to file a complaint with the responsible person: If the subject has a privacy-related complaint against CARBONEXT, they must contact the CARBONEXT Personal Data Protection Officer.

INTERNATIONAL TRANSFER OF PERSONAL DATA

CARBONEXT may share your personal data internationally with third parties and business partners, which are relevant for the purpose of enabling the provision of services to Users, in accordance with applicable law, for the specific purpose of providing services to CARBONEXT.

In all cases where there is an international transfer of your data, Carbonext undertakes to take all necessary measures for the security and protection of your personal data.

DATA PROTECTION OFFICER

CARBONEXT will appoint a Collaborator or a Third Party as Data Protection Officer, who will have the attributions defined in Law No. 13.709/2018 and in this Policy.

PROCEDURES IN CASE OF PERSONAL DATA BREACH

Any Data Breach or possibility of violation must be urgently and immediately informed to the Personal Data Protection Officer at the e-mail ouvidoria@carbonext.com.br, which will be responsible for proceeding with the initial analysis and the adoption of immediate prevention and correction measures, necessary for the preservation of data and information security.

The Personal Data Protection Officer shall prepare an occurrence report, detailing the facts and the protective and corrective measures adopted on an emergency basis. Based on this report, the internal investigation procedure will be established to identify potential violations of information security rules, as well as the evaluation of the effectiveness of the measures adopted on an emergency basis and the necessary measures to be adopted with internal and external bodies.

Third Parties who may store or process Personal Data on behalf of Carbonext shall immediately notify Carbonext in case of Data Breach or possibility of Data Breach, identifying Personal Data that has been or may have been compromised, and following Carbonext's guidelines on the procedures to be taken.

In the event of a Data Breach involving Personal Data, the Personal Data Protection Officer shall assess the need to notify the Data Breach to the competent Governmental Authorities, as the case may be, especially the possibility of the breach causing damage or risks to the rights and freedoms of individuals.

It will be the responsibility of the Personal Data Protection Officer to keep a record with information of any Personal Data Breaches, including their effects and the actions taken by Carbonext in relation to them. Such registration shall always be available for verification by Governmental Authorities, in accordance with the legislation.

Any Data Breach or possibility of violation must be urgently and immediately informed to the Personal Data Protection Officer, through the mailto:ouvidoria@carbonext.com.br email ouvidoria@carbonext.com.br which will be responsible for proceeding with the initial analysis and the adoption of immediate prevention and correction measures, necessary for the preservation of data and information security.

NON-COMPLIANCE

Violation of any determinations described in this Policy may result in disciplinary actions described in the other rules and policies of Carbonext, as well as in sanctions in accordance with current legislation. For the application of any disciplinary actions and/or sanctions, Carbonext will take into account the severity of the violation, the damage and/or loss actually caused, and the degree of guilt or bad faith of the Collaborator or Third Party responsible.

VALIDITY

This Policy shall enter into force from the date of its publication and shall continue to be valid until it is revoked, or new determinations are included.

APPLICATION AND AMENDMENTS

This Privacy Policy applies to all our services. This Personal Data Protection Policy may be subject to updates. Therefore, we recommend visiting this page periodically so that you know about the changes.

QUESTIONS AND COMPLAINTS

This Policy must be read and interpreted in conjunction with the Carbonext Code of Ethics and Organizational Conduct and must be used as a consultation mechanism in case of doubt regarding internal, commercial conduct and contacts with its competitors, partners, third parties and government authorities.

In case of questions, doubts or requests, please contact the Carbonext DPO through the email ouvidoria@carbonext.com.br or via mail, at the address: Rua Gomes de Carvalho, 1510 - 19° andar, Vila Olímpia, CEP 04547-005, City of São Paulo, State of São Paulo, Brazil.

Policy approved by Carbonext's Partners at a meeting held on August 02, 2021.

Last update: August 02, 2021.