This policy applies to the processing of Personal Data (any information that identifies or may identify an individual) directly or indirectly collected by CARBONEXT TECNOLOGIA EM SOLUÇÕES AMBIENTAIS LTDA (“CARBONEXT”), from all individuals, including but not limited to current, future or potential job applicants, collaborators, professionals, customers, suppliers, business partners, partners, subcontractors or any third parties.
Personal Data is any information that identifies or can identify an individual, such as names, ID numbers, identification codes, and addresses, among others.
This document defines the rules, principles and values that must guide the attitudes, behaviors and decision-making of all Collaborators, members of the Board of Directors, the Executive Board, as well as the occupants of managerial functions, employees and interns, customers, suppliers, business partners, partners, subcontractors or any third parties respecting the Personal Data Protection legislation, including, but not limited to Law No. 13.709/2018 and Law No. 13.853/2019 or the General Data Protection Law, in addition to the best practices adopted in international standards, such as the General Data Protection Regulation (GDPR) in force in the European Union.
Any operation with data carried out by an individual or by a legal entity governed by public or private law, such as those relating to the collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, disposal, evaluation or control of the information, modification, communication, transfer, dissemination or extraction.
Personal Data shall be used only for the legitimate and specific purposes for which it was collected and duly informed to the subjects. Any type of processing incompatible with the specific purpose, as well as for discriminatory, not provided for by law or abusive purposes, is prohibited.
Examples of the purpose of Personal Data Processing by Carbonext include recruitment management, human resources management, accounting and financial management, finance, treasury and tax management, risk management, provision of IT tools or internal websites and any other digital solutions or collaborative platforms, IT support management, occupational health and safety management, information security management, customer/partner relationship management, sales and marketing management, supply management, internal and external communication, event management, compliance with obligations against corruption practices or any other legal determinations, data analysis operations, legal corporate management, and the implementation of compliance processes, among others.
The Processing of Personal Data can only be carried out if it is in accordance with the specific purpose and in accordance with one of the legal bases provided for in Law No. 13.709/2018, namely:
Only the minimum Personal Data necessary to achieve the specific purpose defined by Law must be collected.
Personal Data will be maintained by Carbonext accurately and, when necessary, will be updated according to the need and for the fulfillment of the purpose of its processing.
Personal Data shall be deleted, to the extent possible, from the CARBONEXT database after the specific purpose has been achieved.
CARBONEXT implements appropriate technical and administrative measures to protect Personal Data against accidental or illegal alteration or loss, as well as from unauthorized use, disclosure or access.
Collaborators will receive access passwords to several work instruments, such as: access to e-mail, intranet, payment control systems, systems with job information, salaries and collaborator benefits, among many others, according to the activity performed.
Every password received is personal and not transferable. Access passwords are granted to the person, in a demonstration of trust, and cannot under any circumstances be transferred or assigned for others to use and have access to Personal Data, among other information of a confidential nature. In the same way, it is strictly forbidden to:
In the normal course of its business, Carbonext may share Personal Data with duly authorized Collaborators and Third Parties to maximize the quality and efficiency of its services and commercial operations.
CARBONEXT may also be required to disclose Personal Data to Governmental Authorities, courts and government agencies when required by law, regulation or legal process, or defend the interests, rights or property of CARBONEXT or related third parties.
Carbonext will not share Personal Data with other individuals or legal entities, unless the respective subject requests or has given prior approval for such sharing.
CARBONEXT is a company committed to preserving the privacy, privacy and image of the subject of Personal Data. Thus, whenever possible Personal Data should be converted into Anonymized Data.
As one of the legal bases for the processing of Personal Data, consent must be obtained by the free, informed and unequivocal statement of the subject, who must agree to the Processing for a certain and specific purpose.
CARBONEXT will not perform processing other than that informed and, if the initial purposes are changed, a new consent must be obtained from the subject.
The Processing of Personal Data relating to children and adolescents shall be carried out by Carbonext solely and exclusively for the provision of services or benefits directly to a child or adolescent, provided that the specific, prior, express and prominent consent of at least one of the parents or the legal guardian is obtained, in accordance with applicable law.
Sensitive Data may only be subjected to Processing with the specific and prominent consent of the subject, for specific purposes.
Unless necessary to comply with legal or regulatory obligation; regular exercise of rights, including administrative, judicial or arbitration, or guarantee of protection against fraud and security of the subject, Carbonext will not treat any type of Sensitive Data.
CARBONEXT is committed to ensuring the protection of Personal Data in accordance with applicable laws. The following are the rights of the personal data subjects:
CARBONEXT may share your personal data internationally with third parties and business partners, which are relevant for the purpose of enabling the provision of services to Users, in accordance with applicable law, for the specific purpose of providing services to CARBONEXT.
In all cases where there is an international transfer of your data, Carbonext undertakes to take all necessary measures for the security and protection of your personal data.
CARBONEXT will appoint a Collaborator or a Third Party as Data Protection Officer, who will have the attributions defined in Law No. 13.709/2018 and in this Policy.
Any Data Breach or possibility of violation must be urgently and immediately informed to the Personal Data Protection Officer at the e-mail [email protected], which will be responsible for proceeding with the initial analysis and the adoption of immediate prevention and correction measures, necessary for the preservation of data and information security.
The Personal Data Protection Officer shall prepare an occurrence report, detailing the facts and the protective and corrective measures adopted on an emergency basis. Based on this report, the internal investigation procedure will be established to identify potential violations of information security rules, as well as the evaluation of the effectiveness of the measures adopted on an emergency basis and the necessary measures to be adopted with internal and external bodies.
Third Parties who may store or process Personal Data on behalf of Carbonext shall immediately notify Carbonext in case of Data Breach or possibility of Data Breach, identifying Personal Data that has been or may have been compromised, and following Carbonext's guidelines on the procedures to be taken.
In the event of a Data Breach involving Personal Data, the Personal Data Protection Officer shall assess the need to notify the Data Breach to the competent Governmental Authorities, as the case may be, especially the possibility of the breach causing damage or risks to the rights and freedoms of individuals.
It will be the responsibility of the Personal Data Protection Officer to keep a record with information of any Personal Data Breaches, including their effects and the actions taken by Carbonext in relation to them. Such registration shall always be available for verification by Governmental Authorities, in accordance with the legislation.
Any Data Breach or possibility of violation must be urgently and immediately informed to the Personal Data Protection Officer, through the mailto:[email protected] email [email protected] which will be responsible for proceeding with the initial analysis and the adoption of immediate prevention and correction measures, necessary for the preservation of data and information security.
Violation of any determinations described in this Policy may result in disciplinary actions described in the other rules and policies of Carbonext, as well as in sanctions in accordance with current legislation. For the application of any disciplinary actions and/or sanctions, Carbonext will take into account the severity of the violation, the damage and/or loss actually caused, and the degree of guilt or bad faith of the Collaborator or Third Party responsible.
This Policy shall enter into force from the date of its publication and shall continue to be valid until it is revoked, or new determinations are included.
This Policy must be read and interpreted in conjunction with the Carbonext Code of Ethics and Organizational Conduct and must be used as a consultation mechanism in case of doubt regarding internal, commercial conduct and contacts with its competitors, partners, third parties and government authorities.
In case of questions, doubts or requests, please contact the Carbonext DPO, Ms. Franciele Salvador, through the email [email protected] or via mail, at the address: Rua Tabapuã, no. 1123, Conj. 107, Itaim Bibi, CEP 04.533-014, City of São Paulo, State of São Paulo, Brazil.
Policy approved by Carbonext's Partners at a meeting held on August 02, 2021.
Last update: August 02, 2021.