Privacy Policy
1. Scope
This Privacy and Personal Data Protection Policy applies to (i) Constellation employees; (ii) all third parties, individuals or legal entities, who act for or on behalf of Constellation in activities involving the processing of personal data; and (iii) personal data subjects whose data is processed by Constellation. All recipients above are jointly referred to in this policy as “recipients”.
All personal data processing operations are subject to this Privacy and Personal Data Protection Policy, the LGPD, the GDPR, and other applicable laws regarding privacy and personal data protection. Adherence to these standards by all recipients referred to above is mandatory.
2. Terms, definitions, and acronyms
CONSTELLATION: Constellation Oil Services Holding S.A. and its subsidiaries, directly or indirectly.
PERSONAL DATA: Information related to an identified or identifiable natural person that enables their identification. Personal data also includes data used to build the behavioral profile of a given natural person.
SENSITIVE PERSONAL DATA: Personal data regarding racial or ethnic origin, religious belief, political opinion, membership in a union or an organization of religious, philosophical, or political nature, data concerning health or sex life, genetic or biometric data when linked to a natural person.
RECIPIENTS: as defined in item 1 of the Privacy and Personal Data Protection Policy.
NATIONAL DATA PROTECTION AUTHORITY or ANPD: public administration body of the Federative Republic of Brazil responsible for ensuring, implementing, and supervising compliance with the LGPD throughout the national territory.
GENERAL DATA PROTECTION LAW (“LGPD” – Law No. 13,709, of August 14, 2018): governs the processing of personal data in digital or physical means carried out by a natural person or a legal entity, under public or private law, with the objective of protecting personal data subjects and, at the same time, enabling the use of data for different purposes, balancing interests and harmonizing the protection of the human person with technological and economic development.
GENERAL DATA PROTECTION REGULATION (REGULATION EU 2016/679 – “GDPR”): European law on data protection.
PERSONAL DATA PROCESSING AGENTS: The controller and the processor of personal data.
PERSONAL DATA CONTROLLER: A natural person or legal entity, under public or private law, responsible for decisions regarding the processing of personal data.
PERSONAL DATA PROCESSOR: A natural person or legal entity, under public or private law, that processes personal data on behalf of the Controller.
PERSONAL DATA PROCESSING (“PROCESSING”): Any operation carried out with personal data, such as those related to collection, production, receipt, classification, use, access, reproduction, printing, transmission, distribution, processing, archiving, storage, deletion, evaluation, control of information, modification, communication, transfer, dissemination, or extraction.
ANONYMIZATION: Use of technical means that are reasonable and available at the time of processing personal data, by which data loses the possibility of association, directly or indirectly, with an individual. Anonymized data is not considered personal data for LGPD purposes.
DATA SUBJECT (“SUBJECT”): the natural person to whom the personal data that is processed refers.
DATA PROTECTION OFFICER (“DPO”): Professional appointed as the formal person in charge of privacy and data protection, as provided for in the LGPD, GDPR, and other applicable laws; this may be a Constellation employee or a third-party professional.
SUPPLIERS: In Constellation’s context, suppliers are the third parties, individuals or legal entities, hired or subcontracted by Constellation that are not classified as business partners.
THIRD PARTY: Any natural person or legal entity that maintains a relationship with Constellation to develop or help develop its activities, whether as a supplier of goods or services or as a business partner.
BUSINESS PARTNERS: third parties hired, whether individuals or legal entities, who act on Constellation’s behalf as consultants, accredited parties, customs brokers, and commercial agents / clients (those who indicate activities in which Constellation can act as a contractor).
3. Description
3.1. Objective
To carry out activities related to its business, Constellation performs personal data processing operations in the best interest of personal data subjects. This Privacy and Personal Data Protection Policy was prepared specifically to regulate Constellation’s personal data processing activities and should be read and interpreted within the legislative context applicable to its activities, such as the LGPD and the GDPR.
Therefore, the objectives of this Privacy and Personal Data Protection Policy are:
- Define Constellation’s guidelines and responsibilities that ensure and reinforce its commitment to compliance with applicable privacy and personal data protection laws;
- Determine the rules to be followed in conducting personal data processing activities and operations carried out by recipients, ensuring their compliance with applicable privacy and personal data protection laws and, in particular, with the LGPD and GDPR.
3.2. Guidelines and rules on privacy and personal data protection
All recipients have a duty of care, attention, and proper use of personal data, committing to assist and comply with their obligations in implementing privacy and personal data protection strategies.
3.2.1. Data Protection Principles
Recipients must observe the following principles when collecting, handling, storing, and processing personal data:
- Purpose and Adequacy: process personal data in a manner compatible with the purpose for which it was collected; collecting for one purpose and using it for a different purpose is prohibited.
- Necessity: use personal data only to the extent necessary to achieve the original purpose.
- Free Access: ensure personal data subjects can freely and easily consult the form and duration of processing, as well as the entirety of their personal data.
- Transparency: ensure personal data subjects have clear, accurate, and easily accessible information about the processing.
- Data Quality: keep personal data accurate and up to date in relation to the purpose of its processing.
- Security: apply appropriate technical and administrative measures to protect personal data from unauthorized or unlawful processing.
- Prevention: adopt measures to prevent damage from personal data processing.
- Non-Discrimination: do not process personal data for discriminatory, unlawful, or abusive purposes.
- Accountability: demonstrate the adoption of effective measures in compliance with privacy and personal data protection rules, as well as the effectiveness of such measures.
3.2.2. Rules for Personal Data Processing
3.2.2.1. Personal data processing operations may only be carried out:
- With consent provided by the personal data subject.
- To comply with a legal or regulatory obligation.
- To carry out studies by a research body.
- When necessary to perform a contract or preliminary procedures related to a contract to which the personal data subject is a party.
- For the regular exercise of rights in judicial, administrative, or arbitration proceedings.
- To protect the life or physical safety of the personal data subject or third parties.
- For health protection, exclusively, in a procedure carried out by health professionals, health services, or a health authority.
- When necessary to meet Constellation’s legitimate interests.
3.2.2.2. Constellation must keep records of all personal data processing operations, which may be consulted by the personal data subject as well as by competent public authorities, within legal limits.
3.3. Rules for Processing Sensitive Personal Data
3.3.1. Sensitive personal data processing operations may only be carried out:
- When the personal data subject or their legal representative consents, specifically and prominently, for specific purposes.
- Without the personal data subject’s consent, when processing is indispensable for:
  - compliance with a legal or regulatory obligation imposed on Constellation;
  - conducting studies when Constellation is in the position of a research body, ensuring, whenever possible, the anonymization of sensitive personal data;
  - the regular exercise of rights, including in contracts and in judicial, administrative, and arbitration proceedings;
  - protection of the life or physical safety of the personal data subject or third parties;
  - health protection, exclusively, in a procedure carried out by health professionals, health services, or a health authority; or
  - ensuring fraud prevention and the personal data subject’s security in identification and registration authentication processes in electronic systems.
3.3.2. Financial data will have the same status as sensitive personal data listed in art. 5, item II of LGPD.
3.3.3. The personal data of children and adolescents will be processed with the same standard of care offered to sensitive personal data and will also be subject to the specific provisions set out in Chapter II, Section III, of the LGPD, in addition to other applicable specific rules.
3.4. Access and Authorizations for Personal Data Processing
3.4.1. The DPO may define, together with each area’s management, restrictions on access to and processing of personal data for certain recipients according to their role and the activity performed.
3.4.2. The processing of personal data by a company belonging to the Constellation Group on behalf of another company in the Constellation Group is authorized, and the processor must follow the controller’s guidance as set out in any contract to be signed, observing international personal data transfer rules whenever applicable.
3.5. International Transfer of Personal Data
Constellation may transfer personal data to other countries provided that, alternatively:
- The country is classified as having an adequate level of privacy and data protection as determined by the ANPD or the European Commission;
- The international personal data processing agent provides Constellation with at least one of the safeguards below:
  - Procedures and policies issued at the same level as Constellation’s, or approved by the ANPD or the European Commission;
  - Contractual clauses acceptable to Constellation, the ANPD, or the European Commission;
  - Seals and compliance or adequacy certificates regarding privacy and personal data protection granted by entities recognized by the ANPD or the European Commission; or
- Constellation obtains explicit and prominent consent from personal data subjects for the international personal data transfer operations.
3.6. Relationships with Third Parties
All contracts and purchase orders must contain clauses regarding privacy and personal data protection, establishing duties and obligations on the subject and attesting to third parties’ commitment to applicable privacy and personal data protection laws.
3.7. Rights and Duties of Personal Data Subjects
3.7.1. Rights of Personal Data Subjects
Personal data subjects have the following rights:
- Confirmation of the existence of processing: the personal data subject can seek confirmation from Constellation of the existence of processing operations related to their personal data.
- Access: the personal data subject may request and receive a copy of all their personal data collected and stored.
- Correction: the personal data subject may request the correction of personal data that is incomplete, inaccurate, or out of date.
- Deletion: the personal data subject may request the deletion of their personal data from databases managed by Constellation, unless there is a legitimate reason to keep it. In the event of deletion, Constellation may choose the deletion procedure used, committing to use a method that ensures security and prevents data recovery.
- Suspension of unlawful processing of personal data: the personal data subject may request from Constellation the anonymization, blocking, or deletion of their personal data that has been recognized by a competent authority as unnecessary, excessive, or processed in non-compliance with the LGPD / GDPR.
- Objection to personal data processing: in cases where processing is not based on consent, the personal data subject may submit an objection to Constellation, which will be analyzed based on the criteria set out in the LGPD / GDPR.
- Data Portability: the personal data subject may request that Constellation make their personal data available to another service or product provider, subject to the security criteria of its activity.
- Withdrawal of Consent: the personal data subject has the right to withdraw their consent, but this will not affect the lawfulness of any processing carried out before the withdrawal. If full or partial compliance with the withdrawal of consent is impossible, Constellation must inform the personal data subject.
3.7.2. Duties of Personal Data Subjects
The Constellation Privacy and Personal Data Protection Portal is the main means by which subjects can exercise the rights listed above and can be accessed directly through the Constellation website. Alternatively, the DPO’s email is also available for contact.
3.8. Suspected Violations of This Policy
3.8.1. Any suspected violations of this Policy, the LGPD, or the GDPR may be reported to the DPO, including, but not limited to:
- Lack of a legal basis justifying the personal data processing operation;
- Processing of personal data without Constellation’s authorization within the scope of its activities;
- Personal data processing operations carried out in non-compliance with information security practices;
- Unauthorized deletion or destruction of personal data from digital platforms or physical collections at any Constellation facility or facility used by it;
- Any other violation of this Policy or of any of the privacy and data protection principles set out in this Policy.
3.8.2. Reports of possible violations of this Policy will be reviewed under the Code of Ethics and Conduct and may subject the offender to the consequences defined in that document.
3.9. Training, Communication and Certification
3.9.1. Recipients of this Policy must undergo training in the format and frequency to be defined by the DPO.
3.9.2. The DPO will be responsible, together with Constellation’s Communication area, for producing materials intended to disseminate this Policy.
3.10. Risk Assessment and Review
3.10.1. The DPO must conduct a procedure to identify and further assess risks related to privacy and personal data protection, and must define, develop, and implement action plans, policies, and additional procedures to mitigate the identified risks.
3.10.2. This Policy must be reviewed every 12 months or more frequently as needed.
4. Complementary Reference
Law No. 13,709/2018 (General Data Protection Law – “LGPD”)
Regulation EU 2016/679 (General Data Protection Regulation – “GDPR”)
Code of Ethics and Conduct