Privacy and Personal Data Processing Policy

1. Intro

In keeping with its commitment to privacy and social responsibility, ARION makes available its Privacy and Personal Data Protection Policy (“Policy”). The purpose of this Policy is to serve as a minimum standard to which ARION, its employees, and its suppliers must adhere. It explains in a simple, objective and transparent way how Personal Data is processed, in compliance with current legislation, with special attention to Law No. 13,709/2018 (General Personal Data Protection Law - LGPD).

All Data Users are required to comply with this Policy when processing Personal Data on behalf of ARION. Any violation of this Policy may result in disciplinary action, up to and including dismissal, and/or breach of contract with ARION.

ARION, as a market research and public opinion firm, collects and analyzes information about individuals (Personal Data) in order to carry out its work, as well as for commercial and business purposes. This may include current, past, or future employees, suppliers, and customers, as well as other people it may communicate with. In addition, ARION may occasionally be required by law to process certain types of Personal Data in order to comply with certain legal obligations. Information can be obtained from any type of individual or organization.

The minimum standards for how Personal Data must be treated, collected, processed, and stored in order to comply with ARION's data protection standards are described below.

2. Scope

This Policy applies to ARION, including its employees, with the support of suppliers and customers, because ARION understands that it is everyone's responsibility to have Personal Data processed and treated in accordance with this Policy and its data protection principles.

Therefore, anyone who works for ARION has some degree of responsibility to ensure that Personal Data is collected, stored, and treated in an appropriate manner.

ARION encourages and expects all its suppliers to comply with the principles presented here.

3. About National Laws, including the LGPD

This Data Protection Policy is governed by the General Personal Data Protection Law (LGPD) and is based on transparency, respect for privacy, informational self-determination, and the maintenance of best practices related to the management and security of personal data. It applies subsidiarily to and complements any applicable national legislation. In the event of a conflict, the relevant national laws will prevail over this Policy. Any registration, notification, or reporting requirements for data processing under national laws must be observed.

4. About the Processing of Personal Data

ARION considers the legitimate and correct treatment of Personal Data and the maintenance of the trust of those with whom it deals a vital component of its business operations, committing itself to acting ethically and responsibly with regard to this Personal Data, as well as to always offer a degree of confidentiality and security.

All Personal Data must be treated appropriately, regardless of how it is collected, recorded, and processed - whether on paper, in a computer file or database, or recorded in other materials - and there are commonly accepted principles for safeguarding it.

ARION follows the principles relating to Personal Data, explained in more detail below, which require that such data be treated in accordance with the rights of the Data Subjects, that is, in a fair, legitimate, appropriate and relevant (not excessive) manner, for a specific and precise purpose, and kept securely for only as long as that purpose requires.

4.1. Treatment Specification

Personal Data must be collected only for specific, explicit and legitimate purposes and must not be treated in a manner that is incompatible with or exceeds such purposes. The competent DPO (Person in charge) must be consulted as to whether a Personal Data Protection Impact Report (RIPD) should be conducted. Personal Data must be collected and treated in a legal, fair and transparent manner in relation to the Data Subject, and Data Subjects must be informed about how their data is being treated. In general, Personal Data must be collected directly from the individual in question. When this is not the case, the legal basis on which the treatment is justified must be documented.

Personal Data must be treated in such a way as to ensure adequate security, so that it is not revealed, disseminated, accessed, or manipulated without authorization. Therefore, where methodologically possible and where the expenses are not disproportionate to the risks to the Data Subject.

General Measures and Considerations

In its market research business, ARION also follows the ABEP National Code and the ESOMAR International Code.

4.2. Data Minimization

Personal Data must be adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed. It must be determined whether and to what extent the processing of Personal Data is necessary to fulfill the purpose for which the processing is undertaken. Where the purpose allows it and where the expense involved is proportional to the intended purpose, anonymized data must be used instead of Personal Data.

4.3. Accuracy

Personal Data must be accurate and, where necessary, kept up to date; all reasonable steps must be taken to ensure that Personal Data that is inaccurate, taking into account the purpose for which it is processed, is erased or corrected without delay.

4.4. Storage Period

Personal Data should not be kept in a manner that allows the identification of Data Subjects for longer than necessary to achieve the purpose for which the Personal Data is processed. ARION will not keep Personal Data longer than necessary for the purpose or purposes for which they were collected. ARION will take all reasonable steps to destroy or delete from its systems any Personal Data that is no longer necessary.

5. Legal Bases for Data Processing

ARION will collect, process and use Personal Data only on the following legal bases, provided that such legal basis exists under applicable national legislation. One of these legal bases is also required if the purpose of collecting, processing and using Personal Data changes from the original purpose, unless there is a clear compatibility between the original purpose and the new purpose.

5.1. Respondent Data

Respondents are the most common Data Subjects in ARION's business. Consequently, the correct processing of their Personal Data is at the core of ARION's business.

5.1.1. Consent to Data Processing

Personal Data may be processed after the Data Subject's consent. The declaration of consent must be obtained in writing or electronically for documentation purposes. In some circumstances, such as telephone interviews, consent may be given verbally. In all cases, the granting of consent must be documented.

Any consent will be valid only if it constitutes an express, free, specific, informed and unambiguous indication of the wishes of the Data Subject who, by making a statement or by means of an affirmative action, indicates agreement with the processing of Personal Data.

5.1.2. Data Processing in the Contractual Relationship

Personal Data may be processed when necessary in the context of a contract to which such Data Subjects are parties, in order to comply with applicable obligations and duties. This also applies when such treatment is necessary to enter into or terminate a contract. This especially applies to respondents (including mystery customers) when signing up for ARION panels.

5.1.3. Data Processing as a Legal Obligation

The processing of Personal Data is also permitted if national legislation requires or allows it. The type and extent of data processing must be limited to what is necessary for the legally authorized data processing activity and must comply with applicable legal provisions.

5.1.4. Processing of Sensitive Personal Data

Sensitive Personal Data is all personal data about ethnic origin, religious conviction, political opinion, membership in a trade union or in an organization of a religious, philosophical or political nature, health or sexual life, and genetic or biometric data, when linked to a natural person. It can be processed only if required by law or if the Data Subject has granted explicit consent. Sensitive Personal Data may also be processed if it is necessary to assert, exercise, or defend legal claims. Before relying on these provisions, the DPO and the applicable national legislation must be consulted.

5.1.5. User Data and Internet

If Personal Data is collected, processed and used on websites or applications, the Data Subject must be informed about this in a privacy statement including, if applicable, information about cookies. The privacy statement and any information about cookies must be integrated in such a way that they are easy to identify, directly accessible, easy to understand and continuously available by and to the Data Subject.

5.2. Personal Data Provided by Customers

The transmission of Personal Data to ARION by its customers is a common occurrence. It usually happens in order to provide a sample or to enhance an existing sample. In relation to any Personal Data received in this way, ARION will be the Operator and may only process this Personal Data in accordance with the instructions agreed with or received from the customer. These instructions may include restrictions on transfers to other parties or to other countries, as well as specific security requirements. Any such restrictions must be complied with. Regardless of any customer requirements, any Personal Data provided by a customer may only be:

  • Treated for the purpose for which it was provided;
  • Kept for the time required for that purpose, without exceeding it;
  • Subject to the same security requirements as ARION's own Personal Data.

5.3. Employee Data

5.3.1. Data Processing in the Employment Relationship

In employment relationships, Personal Data may be processed if necessary to initiate, execute or terminate the employment contract. When starting an employment relationship, the candidate's Personal Data may be processed. If the candidate is rejected, their data must be deleted in accordance with the applicable retention period, unless the candidate has agreed to remain on file for a future selection process.

In an existing employment relationship, data processing must always be related to the purpose of the employment contract, unless one of the following circumstances for authorized data processing applies. There must be a legal basis for processing Personal Data that relates to the employment relationship but was not originally part of the execution of the employment contract. This may include legal obligations, collective agreements with employee representatives, employee consent, or the legitimate interest of the company.

5.3.2. Consent to Data Processing

Employee data may be processed with their consent. Statements of consent must be submitted voluntarily.

5.3.3. Data Processing According to Legitimate Interest

Personal Data may also be processed to fulfill a legitimate interest of ARION, when applicable law allows the processing of Personal Data based on a legitimate interest. Within the work context, legitimate interests are generally legal or financial in nature.

Control or supervisory measures that require the processing of employee data may be taken only if there is a legal obligation to do so or if there is a legitimate reason. Even where there is a legitimate reason, the proportionality of the control measures must also be examined before they are applied. The company's justified interest in executing the control measure (e.g. compliance with internal company rules or security interests) must be weighed against any employee interest that deserves protection and that may preclude the application of the measure; the measure will be executed only if considered appropriate.

5.3.4. Processing of Sensitive Personal Data

Sensitive Personal Data (Special Categories of Data) may be processed only if required by law or if Data Subjects have granted their explicit consent. This data may also be processed if it is mandatory to claim, exercise or defend legal actions.

6. Transfer of Personal Data

To carry out activities supported by cloud computing services, ARION uses servers that may be located in other countries. In any case of hosting on cloud servers, ARION contractually establishes, with providers of such service, data protection and information security clauses compatible with Brazilian legislation.

The transfer of Personal Data to recipients outside or within ARION is subject to the authorization requirements for the processing of Personal Data. The data recipient (including any subcontractor) must be required to use the data only for the defined purposes. For external transfers, the requirements of this paragraph and those of section 7 (Data Processing Performed by Subcontractors or Third Parties) apply cumulatively.

When Personal Data is sent by a third party (such as a sample supplier) to ARION, it must be ensured that the Personal Data can be used for the intended purpose.

7. Data Processing Performed by Subcontractors or Third Parties

In many cases, ARION uses external suppliers to process Personal Data. In these cases, a data processing agreement on behalf of ARION must be concluded with that provider. This can be done either by including appropriate provisions in the contract governing the general relationship with the supplier or in a separate, specific document. With regard to processing on behalf of ARION, the provider may only process Personal Data in accordance with ARION's instructions. When instructing a supplier, the following requirements must be met:

  • Where the Personal Data in question falls under paragraph 5.2 (customer data), any relevant customer requirements must be passed on to the supplier.
  • The supplier must be chosen based on their ability to meet the required technical and organizational protection measures and in line with the ARION supplier approval process.
  • The provider must not subcontract the treatment without the prior written consent of ARION.
  • Instructions must be submitted in writing by means of an appropriate contract. The instructions regarding data processing and the responsibilities of ARION and the supplier must be documented.
  • Before data processing begins, ARION must be satisfied that the provider will comply with its obligations. A supplier can document its compliance with data security requirements, in particular, by presenting appropriate certification. Depending on the risk of the data processing, these reviews must be repeated regularly during the term of the contract. ARION must retain the right to audit supplier compliance.

8. Rights of Data Subjects

Even when ARION processes Personal Data, that data remains the Data Subjects', who have the rights provided for here; these rights may be exercised upon request to our Person in charge (DPO) through the service channel presented in this Policy.

The rights are:

Confirmation and Access: Data Subjects may request information regarding which Personal Data relating to them is stored, how the data was collected and for what purpose. If Personal Data is transferred to third parties, information regarding the identity of the recipient, or regarding the categories of recipients, must be provided.

Correction: If Personal Data is incomplete, inaccurate, or out of date, Data Subjects may require that they be corrected or amended.

Anonymization: The Data Subject may request the anonymization of their Personal Data, so that it can no longer be linked to them. Once anonymized, the Personal Data cannot be associated with any individual.

Opposition: Data Subjects who do not agree with any purpose can object to the treatment at any time. The Personal Data in question must be blocked for the treatment to which they have objected.

Revocation of Consent: The Data Subject may choose to withdraw consent for any purpose that they have consented to. This revocation will not affect the legality of any Treatment carried out previously.

Elimination: The Data Subject may request that their data be deleted if the processing of such data has no legal basis or if the legal basis is no longer applicable. This applies if the purpose for the data processing has lapsed or ceases to apply for other reasons. Retention periods must be observed in relation to conflicting interests that deserve protection.

Objection: Data subjects generally have the right to object to the processing of their data and this must be taken into account if the protection of their interests prevails over the interests of the data controller due to their particular personal situation. This does not apply if a legal obligation requires the processing of such Personal Data.

Portability: The Data Subject has the right to request that the Personal Data provided by him/her be made available in an easy-to-read format, such as a Word or Excel document.

NOTE: The applicable contract with the customer must be consulted regarding any process to be followed and the customer must be informed of such request immediately.

9. Confidentiality of Personal Data - Treatment

Personal Data is subject to the confidentiality of the information. Employees may have access to Personal Data to the extent appropriate to the type and scope of the task they will perform. This requires carefully delimited and distributed roles and responsibilities, including limitations. Any unauthorized collection, treatment, or use of such data by employees is prohibited. Therefore, data processing carried out by an employee without having received the assignment to carry out such processing as part of their legitimate functions is not authorized. In addition, employees are prohibited from using Personal Data for their own personal or business purposes, from disclosing it to unauthorized persons, or from making it available in any other way.

This obligation will remain in effect even after the employment relationship is terminated. ARION employees' employment contracts must contain appropriate confidentiality obligations.

10. Personal Data Security - Treatment

ARION will process all Personal Data it holds in accordance with its Information Security Policy and will take appropriate security measures against illegal or unauthorized processing of Personal Data and against the accidental loss of, or accidental damage to, Personal Data. Personal Data must be protected from unauthorized access or disclosure, illegal processing, and accidental loss, modification, or destruction. This applies regardless of whether the data is processed electronically or on paper. Technical and organizational measures to protect Personal Data are part of the Information Security Policy and must be continuously adapted to technical developments and advances.

11. Data Protection Incidents

It is the duty of all employees to inform the DPO immediately of any violation of this Data Protection Policy or of other Personal Data protection regulations. Any failure to address serious violations under this Policy will be subject to sanctions.

Below are some examples of violations:

  • Improper transfer of Personal Data to third parties;
  • Improper transfer of Personal Data abroad, without proper authorization (International Transfer);
  • Improper access to Personal Data;
  • Failure to report the loss of Personal Data, even if it occurs internally.

In the event of a data protection violation, a notification must be issued immediately to ensure that:

  • Any accountability obligation under the LGPD can be fulfilled;
  • The customer can be informed if they are affected; and
  • All communication to interested parties can be managed.

12. Responsibilities and Sanctions

12.1. Management

The person responsible for ensuring that measures are in place so that any data processing is carried out in accordance with these data protection requirements will be the DPO together with the company's administration. It is also the responsibility of all competent employees to ensure that the requirements of this Policy are met.

In the event that the ANPD conducts a data protection audit, the DPO must be informed immediately.

Judicial prosecution may take place regarding the improper processing of Personal Data or other violations of the Data Protection Act, resulting in claims for compensation. In addition, violations for which individual employees are responsible may lead to sanctions under labor law.

12.2. Data Protection Officers

The Person in charge for data protection is the Data Protection Officer (“DPO”). Among their functions, they must carry out checks and give instructions to employees regarding this Data Protection Policy and the LGPD. In the case of ARION, the Person in charge is outsourced: the company DPONET, under a signed contract, is responsible for the role of DPO (Person in charge).

Below we will highlight some of the main activities of the DPO:

  • Be the first point of contact for the ANPD and for individuals whose data is being processed (employees, clients, etc.).
  • Instruct the organization and its employees regarding applicable data protection laws using this Policy. Such instruction can be delivered through training or workshops.
  • Monitor compliance with data protection law, advise on data protection impact reports, train staff, and assist with internal audits.
  • Carry out their activity independently of professional orders, without being dismissed or penalized for carrying out their task.
  • Have access to adequate resources that allow the DPO to fulfill its obligations in accordance with applicable data protection law and this Data Protection Policy.

The Data Protection Officer must promptly report any data protection risks.

13. Definitions

For a better understanding of this document, this Policy considers:

Anonymization: Use of reasonable technical means available at the time of treatment, by means of which data loses the possibility of being associated, directly or indirectly, with an individual.

ANPD: National Data Protection Authority - Public administration body responsible for overseeing, implementing, and supervising compliance with the LGPD throughout the national territory.

Consent: Free, informed and unambiguous statement by which the holder agrees to the processing of their personal data for a specific purpose.

Controller (Treatment Agent): Natural or legal person, governed by public or private law, who is responsible for decisions regarding the processing of personal data. It is responsible for establishing practices and policies aligned with applicable legal requirements.

Personal Data: Information related to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Sensitive Personal Data: Personal data about racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data related to health, or data relating to sexual life or sexual orientation, when linked to a natural person.

Person in charge: Person appointed by the controller and operator to act as a communication channel between the controller, the data subjects and the National Data Protection Authority (ANPD).

Operator (Treatment Agent): Natural or legal person, governed by public or private law, who processes personal data on behalf of the controller.

Data Users: These are the employees of ARION whose work involves the processing of Personal Data. Data users must protect the data and Personal Data they handle, in accordance with this Policy and any applicable data security procedures, at all times.

Data Subject: Natural person to whom the personal data being processed refers, that is, all living persons about whom ARION holds Personal Data. All Data Subjects have legal rights in relation to their personal information.

International Data Transfer: Transfer of personal data to a foreign country or international organization of which the country is a member.

Treatment: Any operation carried out with personal data, such as those related to the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction. The processing also includes the transfer of Personal Data.

14. Approval and Term

This document was approved on 10/01/2020 by the Executive Board and the Security Steering Committee and is valid as of the date of its publication. The validity of this document is for an indefinite period.

15. Revision History

Version: 1.0
Date: 10/01/2020
Item or Page: All
History: Issuance of document

Privacy Seal