Privacy Policy and Personal Data Protection

September 2023

Who We Are

We are Skaloup and our website address is: https://skaloup.com/

Introduction and Background

The Privacy and Personal Data Protection Policy presented here aims to guide the management, in a broad aspect, of the activities and operations of processing personal data existing in the Skaloup. This document integrates the compliance program of Skaloup to the General Law of Data Protection (Brazilian Law No. 13,709/2018) and other laws that deal with the topic.

Using the present document, the Skaloup intends to adapt its personal data processing operations to the legal regulations on the subject, and in particular, to the GLDP approved in Brazil in August 2018.

We emphasize that the GLDP is a comprehensive law that is aimed at different economic agents in Brazil, whether in the public, private, or third sector; it brings the legal prescriptions for personal data to be used in the activities of these agents.

In May 2018, the General Data Protection Regulation (Regulation EU 2016/679 – “GDPR”) came into force. Considering that this regulation has points of contact with the activities developed by Skaloup in the European Union, we consider it appropriate to also address this regulation, adjusting it to the conformities of the GLDP.

In performing some of the activities provided for in its charter, Skaloup performs personal data processing operations in line with the best interests and rights of the holders of personal data, and may be characterized as Controller of Personal Data, Operator of Personal Data, Controller and Operator of Personal Data or Co-Controller of Personal Data, by the definitions of the GLDP, reinforcing, in all the positions it occupies, its commitment to compliance with the applicable rules on privacy and protection of personal data.

The compliance adjustments related to the process of compliance with the GLDP include an interpretation of the Brazilian law to define legal obligations, a survey of relevant facts for its application, and the assessment of flows and processes that contribute or not to the adjustments to the legal standard.

Terms and Definitions

PERSONAL DATA: Information related to an identified or identifiable natural person. In addition, considered personal data are those used to form the behavioral profile of a given natural person.

SENSITIVE PERSONAL DATA: Personal data concerning the racial or ethnic origin, religious conviction,  political opinion, membership of a labor union or a religious, philosophical, or political organization, data concerning health or sex life, genetic or biometric data when linked to a natural person.

NATIONAL   DATA   PROTECTION   AUTHORITY   (“NDPA”):   Public Administration body responsible for ensuring, implementing, and enforcing compliance with the GLDP throughout the national territory. The NDPA was established by the GLDP as a federal public administration body with technical autonomy, an integral part of the Presidency of the Republic, its nature is defined as transitional and subject to transformation by the Executive Branch into an indirect federal public administration entity, subject to a special autarkic regime and linked to the Presidency of the Republic.

GENERAL DATA PROTECTION LAW (“GLDP”): A normative diploma (Brazilian Law No. 13,709, dated August 14, 2018) that provides for the processing of personal data in digital or physical media performed by a natural person or legal entity, of public or private law, aiming to defend the holders of personal data while allowing the use of data for various purposes, balancing interests and harmonizing the protection of the human person with technological and economic development.

PERSONAL DATA PROCESSING AGENTS: The controller and the operator of personal data.

PERSONAL DATA CONTROLLER: A natural or legal person, governed by public or private law, who is responsible for decisions regarding the processing of personal data.

PERSONAL DATA OPERATOR: A natural or legal person, under public or private law, who processes personal data on behalf of the Controller.

PROCESSING OF PERSONAL DATA (“PROCESSING”): Any operation performed with personal data, such as those concerning collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, deletion, evaluation, information control, modification, communication, transfer, dissemination or extraction.

ANONYMIZATION: Use of technical means, reasonable and available at the time of processing personal data, by which data loses the possibility of an association, directly or indirectly, with an individual.

Anonymized data is not considered personal data for the GLDP.

PERSONAL DATA SUBJECT (“DATA SUBJECT”): Natural person to whom the personal data that are subject to processing relate.

OFFICER OR DATA PROTECTION OFFICER (“DPO”): A natural or legal person appointed by the Treatment Agent to act as a communication channel between the Controller, the data subjects, and the National Data Protection Authority.

SUPPLIERS: In the context of Skaloup suppliers are considered to be other third-party contractors and subcontractors, natural or legal persons, not framed as business partners.

THIRD PARTY: Any individual or legal entity contracted by Skaloup to develop or assist in the development of its activities, both as suppliers of goods or services and as business partners.

COMMERCIAL PARTNERS: In the context of Skaloup, commercial partners are considered third-party contractors, whether individuals or legal entities, who act on its behalf: Consultants, Contractors, and Commercial Agents (those who indicate activities in which Skaloup may act as a contractor).

Guidelines

This Privacy and Personal Data Protection Policy sets out the guidelines of the Skaloup for the protection and use of personal data that are in any way part of its activities and is based on the General Law on Personal Data Protection, as well as other national and international standards that deal with the protection and privacy of personal data, particularly in compliance with therefore mentioned General Data Protection Regulation of the European Union.

Applicability and Recipients

This Privacy and Personal Data Protection Policy applies (i) to the employees of Skaloup; (ii) to all third parties, whether natural or legal persons acting for or on behalf of Skaloup in operations involving processing of personal data that are performed within the scope of the activities conducted by Skaloup; (iii) to personal data processing agents outside Skaloup that in any way deal with the Institution; and (iv) to the owners of personal data whose data are processed by Skaloup.

Adherence to this Po/icy is mandatory for all recipients listed above insofar as they relate to Skaloup. All operations involving the processing of personal data carried out in the course of the activities conducted by Skaloup shall be subject to the legal regulations and to those set out herein.

Concepts

This Policy establishes concepts, guidelines, and rules defined with the intention that its addressees understand and comply with the legal standards that address the protection of personal data, in a dynamic and comprehensive or future holder of personal data, third parties,  and personal data processing agents external to the Skaloup in the scope of its activities.

The information covered by this Po/icy includes all data held, used, or transmitted by or on behalf of Skaloup, in any form of media. This includes personal data recorded on paper, held on computer systems or portable devices, as well as personal data transmitted orally.

Objectives

The objectives of Skaloup’s Privacy and Personal Data Protection Policy are to

• Define guidelines and responsibilities of the Skaloup that ensure and reinforce the commitment to compliance with applicable personal data protection laws;
• Determine the rules to be followed in the conduct of personal data processing activities and operations performed by Skaloup and by the recipients of this Policy, within the scope of the activities of Skaloup, which ensure their compliance with the applicable personal data protection legislation and, in particular, with the GLDP.

This Policy must be analyzed together with the obligations outlined in the documents mentioned below, which contain information in general, complementing it when appropriate:

1. Privacy policies, information security standards, and terms and conditions of use addressing confidentiality, integrity, and availability of [?]
2. Employment contracts of employees of Skaloup and other similar documents, which contain confidentiality obligations regarding information held by the Institution;

• Any internal rules dealing with personal data protection that are current or will be periodically drawn up and updated.

Privacy and Personal Data Protection Principles

Under the GLDP, the Skaloup will comply with the following principles of personal data protection when processing personal data:

• PURPOSE: the Skaloup will process personal data only for legitimate, specific, explicit purposes informed to the data subject, without the possibility of further processing in a way incompatible with those purposes;
• ADEQUACY: the Skaloup will process personal data in a manner compatible with the purposes informed to the data subject, and according to the context of the processing;
• NECESSITY: the processing of personal data carried out by the Skaloup will be limited to the minimum necessary to achieve its purposes, with data scope that is relevant, proportional, and not excessive for the processing;
• FREEDOM OF ACCESS: the Skaloup shall ensure that the subjects of personal data can consult easily and free of charge the form and duration of the processing, and the completeness  of their data;
• DATA QUALITY: the Skaloup will guarantee to the owners of personal data the accuracy, clarity, relevance, and updating of the data, according to the need and for the fulfillment of the purpose of its processing;
• TRANSPARENCY: the Skaloup shall ensure that the personal data subjects are provided with clear, precise, and easily accessible, Information on the conduct of the processing and the respective personal data processing agents, subject to commercial and industrial secrecy;
• SECURITY: Skaloup shall use technical and administrative measures to protect personal data against unauthorized access and accidental or unlawful destruction, loss, alteration, communication, or disclosure;
• PREVENTION: the Skaloup shall adopt measures to prevent damage as a result of the processing of personal data;
• NON-DISCRIMINATION: the Skaloup will ensure that it is impossible to process personal data for unlawful or abusive discriminatory purposes;
• LIABILITY AND ACCOUNTABILITY: the Skaloup undertakes to demonstrate the adoption of effective measures capable of proving compliance with and enforcement of personal data protection regulations, and the effectiveness of such measures.

Institutional Commitment to Personal Data Processing

The Skaloup is committed to periodically evaluating the purposes of its processing operations, considering the context in which these operations take place, the risks and benefits that may be generated for the holder of personal data, and the legitimate interest of the Institution.

In this regard, there must be a legal basis and a defined purpose for all personal data processing operations within the scope of the activities conducted by the Skaloup.

Personal data processing operations by Skaloup may only be carried out:

• Upon provision of consent by the personal data subject;
• To fulfill a legal or regulatory obligation;
• For conducting studies by research organization;
• When necessary for the performance of a contract or preliminary proceedings related to a contract to which the data subject is a party;
• For the regular exercise of rights in judicial, administrative, or arbitration proceedings;
• For the protection of the life or physical safety of the data subject or a third party;
• For the protection of health, exclusively, in a procedure performed by health professionals, health services, or health authorities;
• Where necessary in the legitimate interests of Skaloup or third parties;
• For credit protection.

Records of personal data processing operations may be consulted by the personal data and by public authorities that are competent to access and retain data on his/her behalf, safeguarding the rights of the personal data owner.

Institutional Commitment to the Processing of Sensitive Personal Data

Is committed to special precautions and care in the processing of processing data and recognizes that these data present higher risks to the personal data subject.

In this sense, the sensitive personal data listed in Article 5, subsection II of the GLDP, as well as financial data, for this Policy, will have the same stares as sensitive personal data.

• The personal data of children and adolescents will be treated with the same level of care offered to sensitive personal data, and will also be subject to the specific provisions outlined in Chapter II, Section III, of the GLDP, in addition to other applicable specific rules.

Processing operations of sensitive personal data by Skaloup may only be carried out:

• When the data subject or his or her legal guardian consents, specifically and prominently, for specific purposes;
• Without  the provision of the consent of the personal data subject, in cases where the processing is indispensable for:

1. The fulfillment of a legal or regulatory obligation imposed on

2. The performance of studies when Skaloup is in the position of Research Body, guaranteed, whenever possible, the anonymization of sensitive personal data;
3. The regular exercise of rights, including in contract and judicial, administrative, and arbitration proceedings;

1. Protection of the life or physical safety of the data subject or third parties;
2. Health guardianship, exclusively, in a procedure performed by health professionals, health services, or, health authority; 
3. Guarantee of fraud prevention and personal data holder security, in the identification and authentication processes of registration in electronic systems.

Rights of the Personal Data Subjects

In the context of its personal data processing activies, the Skaloup reinforces its commitment to respect the rights of the holders of personal data, namely:

• RIGHT TO CONFIRMATION OF THE EXISTENCE OF PROCESSING: The data subject may seek confirmation from Skaloup of the existence of processing operations on his of her personal data;
• RIGHT OF ACCESS: The personal data subject may request and receive a copy of all personal data collected and stored; 
• RIGHT OF CORRECTION: The personal data subject may request the correction of personal data that are incomplete, inaccurate or out of date;
• RIGHT OF DELETION: The holder of personal data may request the deletion of his/her personal data from databases managed by the Skaloup, unless there is a legitimate reason for maintanining it, such as a possible legal obligation to retain the data. In the event of deletion, the Institution reserves the fight to choose the deletion procedure employed, undertaking to use means that ensure security and prevent recovery of the data;
• RIGHT TO REQUEST THE SUSPENSION OF ILLEGAL PROCESSING OF PERSONAL DATA: The holder of personal data may request at any time from Skaloup the anonymization, blocking or deletion of his/her personal data that has been recognized by the competent authority as unnecessary, excessive or processed in violation of the provisions of the LGPD.
• RIGHT TO OPPOSITION TO THE PROCESSING OF PERSONAL DATA: In the hypotheses of processing personal data not based on obtaining consent, the holder of personal data may submit to the Skaloup an opposition, which will be analyzed based on the criteria present in the GLDP.
• RIGHT TO THE PORTABILITY OF DATA: the holder of personal data may request that Skaloup make his/her personal data available to another service or product provider, respecting the commercial and industrial secrecy of the

Institution, as well as the technical limits of its infrastructure.

• RIGHT TO WITHDRAWAL OF CONSENT: The personal data subject has the right to withdraw his/her consent. However, please note that this will not affect the lawfulness of any processing carried out before the withdrawal. If consent is withdrawn, it may not be possible to provide certain services. Should this be the case, the personal data subject must be informed.

The Skaloup reiterates its commitment to the rights of personal data subjects to transparency and adequate information, highlighting the provision of:

• Information from public and private entities with which Skaloup has shared data use;
• Information about the possibility of not providing consent and the consequences of refusal.

Duties for the Proper use of Personal Data In the development of the work and activities of the Skaloup, all recipients of this Policy are extended the duties of care, attention, and appropriate use of personal data, undertaking to assist the situation to meet its obligations in implementing its strategy for privacy and protection of personal data.

• SPECIFIC DUTIES OF PERSONAL DATA SUBJECTS:

It is incumbent on the holders of personal data to inform Skaloup of any changes to their data in their relationship with the Institution (e.g. change of address); notifying it preferably in the following order:

• Through the platform provided by the Skaloup with which the holder has a relationship;

1. By e-mail addressed to the person in charge of Skaloup with whom the holder relates;

• SPECIFIC DUTIES OF THE EMPLOYEES OF Skaloup:

If its purpose and legal basis are respected, the sharing of personal data of holders of personal data among the Skaloup group is allowed, observing the principle of necessity, and the processing of personal data is always restricted to the purposes and related activities authorized by the Institution.

• DUTIES OF Skaloup EMPLOYEES, PERSONAL DATA PROCESSORS AND THIRD PARTIES:

• No personal data held by Skaloup will be made available or granted access to any person who is not authorized or competent according to the rules of the Institution.
• The necessary authorization for the data processing must be obtained, as well as the necessary documents demonstrating the designation of its competence to carry out the lawful data processing operation.
• Everyone must comply with the standards, recommendations, and guidelines for information security and information security incident prevention determined by the Institution.
• DUTIES OF ALL RECIPIENTS OF THIS POLICY:

Upon suspicion or the actual occurrence of the following actions, all recipients of this Policy must contact the Head of Skaloup:

• Absence of a legal basis justifying the processing of personal data;
• Processing personal data without authorization by Skaloup in the scope of its activities;
• Personal data processing operation that is performed in violation of the Information Security Policy of the Skaloup;
• Unauthorized deletion or destruction by Skaloup of personal data from digital platforms or physical collections on all premises of or used by the Institution;
• Any other violation of this Policy or any of the data protection principles outlined in section 7 above.

Relationship With Third Parties

The liability established by the GLDP, in case of property damage, moral, individual, or collective arising from violations of the legislation for the protection of personal data is joint and several. This means that all agents in the chain involving the processing of personal data can be held reliable for any damage caused.

For this reason, the possibility that Skaloup may be held liable for the actions of third parties implies that we must use our best efforts to verify, assess, and ensure that such third parties comply with the applicable data protection legislation.

• Thus, all contracts with third parties must contain clauses relating to the protection of personal data, establishing duties and obligations involving the topic, and attesting to the commitment of the third parties to the applicable personal data protection laws. It should also be noted that these contracts will be reviewed and submitted for approval by Skaloup and its technical team, by the regulatory framework in force.
• All third parties must sign the term of acceptance of this Policy, submitting the activities contracted in the scope of the relationship with Skaloup also to this regulation.

Compliance With Personal Data Protection Laws

Seeks compliance with the rules and guidelines of the  GLDP to ensure its commitment to ensuring the proper processing of personal data for legitimate purposes that may be subject to its activities and reinforces its commitment to good privacy and data protection practices with the following actions:

• Production and dissemination of information, regardless of format, that describes the individual responsibilities of the recipients of this Policy concerning the privacy and the protection of personal data;
• Provision of training, guidance, and advice to Skaloup employees and third parties, including, but not limited to, online courses, workshops, internal meetings, regular talks, and lectures, among other initiatives; communal content made available in digital and/or face-to-face format.
• Incorporation of concern and care in the treatment of personal data in all stages of its activities, including but not limited to administrative routines, and service provision, among others.
• Identifying and further evaluating the risks that may compromise the achievement of the objectives of Skaloup in the area of privacy and protection of personal data; defining, creating, and, implementing action plans and policies to mitigate the risks identified; as well as maintaining a continuous evaluation of the scenarios to assess whether the measures implemented do not require new guidelines and attitudes.

As of the entry into force of the GLDP, the Skaloup Officer – also referred to as Data Protection Officer (Skaloup DPO) assisted by his technical team, will have the following responsibilities:

• Monitor compliance with applicable personal data protection laws by Skaloup policies;
• Guide the recipients of this Policy on the privacy and personal data protection regime of the Skaloup;
• Ensure that data protection rules and guidelines are informed and incorporated into the routines and practices of

• Organize training on personal data protection in the Skaloup;
• To provide clarifications, offer information, and present reports on personal data processing operations and their impacts on the relevant public authorities (e.g. Public

Prosecutor’s Office, National Authority for the Protection of Personal Data, etc.);

• Respond to requests and complaints from personal data subjects whose data have been processed by a unit of the Skaloup.
• Assist in audits or any other evaluation and monitoring measures involving data protection;
• Prepare privacy and data protection impact reports, and technical opinions, and review documents about data protection.

Information Security

The information security and personal data incident prevention rules will be contained in the internal regulations of Skaloup and related documents.

Reinforces its commitment to employ appropriate technical and organizational measures in dealing with personal data, and to make efforts to protect the personal data of personal data subjects from unauthorized access, loss, destruction, and unauthorized sharing, among other things.

International Transfer of Personal Data

In cases where the Skaloup is permitted   to   process   personal   data regardless of data subject consent, the Skaloup may transfer personal data to other countries provided that, alternatively

• The country is classified as having an adequate level of data protection assigned by  the  NDPA, or the transfer is authorized by the NDPA;
• Until there is a list of adequate-level countries released by the NDPA, the country is classified by the European Commission, through an Adequacy Decision, as an adequate-level country to the GDPR criteria;
• The international personal data controller provides the Skaloup with at least one of the safeguards below:
• Regularly issued codes of conduct or binding corporate rules approved by the European Commission;

1. Standard Contractual Clauses issued by the NPA or the European Commission;
2. Seals and Certificates of compliance or adequacy to the protection of personal data granted by entities recognized by the NDPA or the European Commission.

• Obtain explicit and prominent consent from personal data subjects to conduct international transfer operations of personal data, with prior information on the international nature of the operation and highlighting that the country does not have an adequate level of data protection recognized or that there are no safeguards of the compliance of the processing agent, as the case may be.

May transfer personal data to other countries in those cases where it is authorized to process personal data based on consent, provided that it obtains the explicit and unambiguous consent of the data subjects to international transfers of personal data, with prior notice of the international nature of the operation.

• If the country does not have an adequate level of data protection recognized or if there are no safeguards for the compliance of the data controller, such information should be provided to the personal data subject beforehand to make him or her consent to the risks of the transaction.
• Through its digital platforms, the Skaloup undertakes to inform the holders of personal data of the occurrence of international transfer operations of personal data, designating the set of data forwarded, the purpose of the sending, and its destination.

Data Protection Culture and Training

For the expansion of the culture of personal data protection in the Institution, the recipients of this Policy undertake to participate in the training workshops, meetings, and capacity building offered by Skaloup.

To help them understand their duties and how to comply with them, the employees of the Skaloup whose functions require the regular processing of personal data, or those responsible for the implementation of this Policy, undertake to participate in additional training.

Commitment to Ongoing Monitoring

Is committed to ensuring the appropriate processing of personal data for legitimate purposes that may be the subject of its activities and reinforces its commitment to good privacy and data protection practices, undertaking to keep up to date with the standards and recommendations issued by the NDPA or other competent authorities.

To reinforce the Institution’s permanent commitment to privacy and the protection of personal data, the Skaloup undertakes to revisit this Policy periodically and, at its discretion, promote modifications that update its provisions, and all changes made will be communicated in due course through the Institution’s official channels.