1. FIELD OF APPLICATION
This Personal Data Privacy and Protection Policy applies to (i) Constellation’s employees; (ii) all third-parties, legal or natural persons, acting on behalf of Constellation in activities that involve personal data treatment; and (iii) holders of personal data, whose data are treated by Constellation. All abovementioned recipients are referred to jointly in this policy as “recipients”.
All operations related to personal data treatment are subject to this Privacy and Personal Data Protection Policy, LGPD, GDPR and other applicable laws related to personal data protection and privacy. The adherence to such regulations by all abovementioned recipients is mandatory.
2. TERMS, DEFINITIONS AND ACRONYMS
CONSTELLATION: Constellation Oil Services Holding S.A and all its directly or indirectly controlled companies.
PERSONAL DATA: Information related to the natural person identified or identifiable, which allows their individualization. It will also be considered personal data the data used for the formation of the behavioral profile of the natural person.
SENSITIVE PERSONAL DATA: Personal data related to racial or ethnic origin, religious belief, political opinion, affiliation to a union or organization of a religious, philosophical or political nature, data related to health or sexual life, genetic or biometric data when related to the natural person.
RECIPIENTS: defined as per item 1 of the Privacy and Personal Data Protection Policy.
NATIONAL DATA PROTECTION AUTHORITY or ANPD: public administration agency of the Federative Republic of Brazil responsible for protecting, implementing, and supervising compliance with the LGPD throughout the national territory.
GENERAL DATA PROTECTION LAW (“LGPD” - Law No. 13.709, from August 14th, 2018): provides for the treatment of personal data in digital or physical media performed by a natural or legal person, of public or private law, aiming to defend the holders of personal data and, at the same time, allows the use of the data for different purposes, balancing interests and harmonizing the protection of the human being with technological and economic development.
GENERAL DATA PROTECTION REGULATION (REGULATION EU 2016/679 – “GDPR”): European law regarding data protection.
AGENTS OF PERSONAL DATA TREATMENT: Personal data operator and controller.
PERSONAL DATA CONTROLLER: Legal or natural person, of public or private law, that is responsible for decisions regarding the processing of personal data.
PERSONAL DATA OPERATOR: Legal or natural person, of public or private law, that performs the treatment of personal data on behalf of the Controller.
TREATMENT OF PERSONAL DATA (“TREATMENT”): All operation performed with personal data, such as the ones related to the collection, production, reception, classification, use, access, reproduction, printing, transmission, distribution, processing, filing, storage, disposal, assessment, information control, modification, communication, transfer, dissemination or extraction.
ANONYMIZATION: Use of technical, reasonable, and available means when treating personal data, by means of which a data loses the possibility of association, directly or indirectly, with an individual. Anonymized data is not considered personal data for the purposes of the LGPD.
HOLDER OF PERSONAL DATA (“HOLDER”): Natural person to whom the personal data being treated refer to.
DATA PROTECTION OFFICER (“DPO”): Professional designated as data protection and privacy formal officer, as provided for in LGPD, GDPR and other applicable laws, and may be an employee from Constellation or an outsourced person.
SUPPLIERS: In the context of Constellation, suppliers are considered to be other contracted and subcontracted third parties, natural or legal persons, not classified as commercial partners.
THIRD PARTY: Any natural or legal person who has a relationship with Constellation to develop or assist in the development of its activities, both as suppliers of goods or services, as well as commercial partners.
COMMERCIAL PARTNERS: hired third parties, whether natural or legal persons, acting on their behalf as consultants, partners, brokers and commercial agents / customers (those who indicate activities in which Constellation may act as a contractor) shall be considered as commercial partners.
3. DESCRIPTION
3.1. PURPOSE
In order to execute the activities related to its business, Constellation performs operations of personal data treatment, in the best interest of the holders of personal data. This Privacy and Personal Data Protection Policy was specifically elaborated to regulate the treatment of activities of personal data by Constellation and shall be read and construed in the legal context applicable to its activities, such as LGPD and GPDR.
Therefore, the purposes of this Privacy and Personal Data Protection Policy are to:
- Define Constellation’s guidelines and responsibilities that ensure and reinforce the commitment with the compliance with laws related to the applicable personal data privacy and protection;
- Determine the rules to be followed in the performance of personal data activities and treatment operations performed by recipients, ensuring the compliance with the applicable privacy and protection laws for personal data and, specially, with LGPD and GDPR.
3.2. GUIDELINES AND RULES REGARDING PERSONAL DATA PROTECTION AND PRIVACY
All recipients shall provide care, attention, and adequate use of personal data, committing themselves to assist in the compliance with their obligations in the implementation of their privacy and protection strategy for personal data.
3.2.1. Privacy and Personal Data Protection Principles
Recipients shall observe the following principles during the collection, handling, storage, and treatment of personal data:
- Purpose and Adequacy: perform the treatment of personal data in a manner compatible with the purpose for which they were collected, being prohibited to collect for a certain purpose and use for a different one.
- Need: use personal data to the extent necessary to achieve the original purpose.
- Free Access: guarantee to personal data holders the consultation regarding the form and duration of the treatment, as well as the totality of their data.
- Transparency: guarantee to personal data holders, clear, accurate and easily accessible information regarding the performance of the treatment.
- Data Quality: keep personal data in an accurate and updated manner in relation to the purpose of its treatment.
- Safety: apply technical and administrative measures adequate to the protection of personal data regarding illegal or unauthorized treatments.
- Prevention: adopt measures to prevent the occurrence of damages resulting from the personal data treatment.
- Non-Discrimination: not treat personal data for discriminatory, illegal, or abusive purposes.
- Accountability: demonstrate the adoption of effective measures and in compliance with the rules of privacy and protection of personal data, as well as the effectiveness of such measures.
3.2.2. Rules for the Treatment of Personal Data
3.2.2.1. Treatment operations for personal data shall only be performed:
a) Upon consent by the personal data holder.
b) For the compliance of legal or regulatory obligation.
c) For the performance of studies by a research agency.
d) When necessary for the execution of contracts or preliminary procedures related to a contract in which the holder of personal data is part.
e) Regular exercise of rights, including in judicial, administrative and arbitration proceedings.
f) Protection of the life or physical security of the personal data holder or third parties.
g) For the protection of health, exclusively, in a procedure performed by health professionals, health services or health authority
h) When necessary to comply with the legitimate interests of Constellation.
3.2.2.2. Constellation shall keep records of all personal data treatment operations, which may be consulted by the personal data holders as well as by relevant public authorities, within the legal limits.
3.3. RULES FOR TREATMENT OF SENSITIVE PERSONAL DATA
3.3.1. Treatment operations for SENSITIVE PERSONAL DATA shall only be performed:
a) When the holder of personal data or its legal representative consents, in specific and prominent form, for specific purposes.
b) Without the consent from the personal data holder, in cases where the treatment is indispensable for:
(i) the compliance with a legal or regulatory obligation imposed to Constellation;
(ii) conducting studies when Constellation is in the position of research body, ensuring, whenever possible, the anonymization of sensitive personal data;
(iii) regular exercise of rights, including in contract and in judicial, administrative and arbitration proceedings;
(iv) protection of the life or physical security of the personal data holder or third parties;
(v) protection of health, exclusively, in a procedure performed by health professionals, health services or health authority.
(vi) ensuring the prevention of fraud and the security of the personal data holder, in the identification and authentication processes of registration in electronic systems.
3.3.2. Financial data shall have the same status as sensitive personal data listed in art. 5, item II of LGPD.
3.3.3. Personal data of children and adolescents shall be treated with the same standard of care offered to sensitive personal data and shall also be subject to the specific provisions established in Chapter II, Section III, of the LGPD, in addition to other specific applicable standards.
3.4. ACCESS AND AUTHORIZATIONS FOR PERSONAL DATA TREATMENT
3.4.1. The DPO may define, along with the management of each department, the access restriction and treatment of personal data for certain recipients, according to the function and activity.
3.4.2. The processing of personal data by a company from Constellation Group on behalf of another company of the Constellation Group is authorized, and the processor shall follow the guidance of the data controller according to any contract to be signed, observing the rules for the international transfer of personal data whenever applicable.
3.5. INTERNATIONAL TRANSFER OF PERSONAL DATA
Constellation may transfer personal data to other countries as long as, alternatively:
a) The country is classified as having an appropriate level of data privacy and protection attributed by ANPD or by the European Commission; or
b) International treatment agent of personal data offers to Constellation, at least one of the safeguards below:
(i) Procedures and policies issued at the same level as the ones from Constellation or approved by ANPD or by the European Commission;
(ii) Contractual terms acceptable by Constellation, ANPD or European Commission;
(iii) Seals and certificates of compliance or adequacy to privacy and protection of personal data granted by entities recognized by ANPD or by the European Commission; or
c) Obtain explicit and detached consent from the holders of personal data to perform international transfer operations of personal data.
3.6. RELATIONSHIP WITH THIRD PARTIES
All contracts and purchase orders must contain clauses referring to the privacy and protection of personal data, establishing duties and obligations regarding the subject, and attesting the third party's commitment to the applicable privacy and personal data protection laws.
3.7. RIGHTS AND DUTIES OF PERSONAL DATA HOLDERS
3.7.1. Rights of Personal Data Holders
The rights of personal data holders are:
- Confirmation of the treatment existence: the holder of the personal data may request from Constellation the confirmation of the existence of treatment operations related to their personal data.
- Access: the holder of personal data may request and receive a copy of all their personal data collected and stored.
- Correction: the holder of personal data may request the correction of personal data that are incomplete, inaccurate or outdated.
- Elimination: the holder of personal data may request the exclusion of their personal data from the database managed by Constellation, unless there is a legitimate reason for its maintenance. In the hypothesis of elimination, Constellation may choose the elimination procedure to be employed, by committing to use the mean that ensures the security and prevent the data recovery.
- Suspension of unlawful treatment of personal data: the holder of personal data may request from Constellation the anonymization, blocking or elimination of their personal data that has been recognized by the competent authority as unnecessary, excessive or treated in noncompliance with the provisions of the LGPD / GDPR.
- Opposition to the personal data treatment: in the hypothesis of personal data treatment not based on the acquisition of a consent, the holder of the personal data may present a refusal to Constellation, which shall be analyzed based on the criteria present in the LGPD / GDPR.
- Data Portability: the holder of personal data may request Constellation to have their personal data made available to another service or product supplier, subject to the security criteria of their activity.
- Revocation of Consent: the holder of personal data has the right to revoke their consent, but it shall not affect the legality of any treatment performed before the revocation. In cases where it is not possible to fully or partially comply with the consent revocation, Constellation shall inform it to the holder of personal data.
3.7.2. Duties of Personal Data Holders
Constellation’s “Privacy and Data Protection Portal”, accessed directly on Constellation’s website, is the main tool available for holders to demand the rights above. Alternatively, DPO’s e-mail is also available for contact (DPO@theconstellation.com).
3.8. SUSPECTED VIOLATIONS TO THIS POLICY
3.8.1. Any suspected violations with regard to this Policy or to LGPD or to GDPR can be informed to the DPO, including but not limited to:
a) Lack of legal basis justifying the personal data treatment operation;
b) Treatment of personal data without Constellation’s authorization in the scope of the activities it develops;
c) Treatment operation of personal data which is not performed in compliance with information security practices;
d) Unauthorized elimination or destruction of personal data, by Constellation itself, stored in digital platforms or physical files in all Constellation’s premises or those used by it.
e) Any other violation to this policy or any of the principles regarding the data protection and privacy provided for in this policy.
3.8.2. Reports regarding possible violations to this Policy shall be analyzed according to the Constellation Code of Ethics and Conduct and may subject the violator to the consequences defined in that document.
3.9. TREATMENT, COMMUNICATION AND CERTIFICATION
3.9.1. The recipients of this Policy shall be submitted to trainings in the form and periodicity to be defined by DPO.
3.9.2. The DPO shall be responsible for, along with Constellation’s Communication Department, the production of material intended to the dissemination of this Policy.
3.10. RISK ASSESSMENT AND REVISION
3.10.1. The DPO shall conduct a procedure for identification and deeper understanding of the risks related to personal data protection and privacy, and shall also, develop and implement action plans, policies and additional procedures to mitigate the identified risks.
3.10.2. This Policy must be reviewed every 12 months or in a shorter period, as necessary.
4. COMPLEMENTARY REFERENCE
Law No. 13.709/2018 (General Law of Personal Data Protection - “LGPD”)
Regulation EU 2016/679 (General Data Protection Regulation – “GDPR”
Constellation Code of Ethics and Conduct