Privacy Policy
Beontag is committed to following best practices in Corporate Governance Policies, based on principles of human rights, ethics, transparency and integrity towards employees, customers, suppliers and stakeholders overall.
1. INTRODUCTION AND OBJECTIVE
In the daily life of Beontag, or "Company", whether in the conduct of business, in the search for new products, services and opportunities, or in the organization of its internal structure, the processing of personal data is an indispensable part of this reality. Beontag understands that it must act with responsibility and transparency, taking care of such information and protecting it with technical and administrative security measures.
This Policy provides guidelines and establishes rules related to the privacy and protection of personal data of customers, employees and third parties during the processing of personal data by Beontag, and in the relationship with third parties, in which there is sharing or shared use of personal data.
With this document, Beontag aims to be in compliance with the applicable data protection regulations, promoting transparency and good faith towards the Data Subjects, by protecting their personal data and their civil rights and liberties, as well as the best practices within its reach.
Beontag adopts 8 pillars, to be demonstrated throughout this Policy, for the implementation of an effective Privacy and Personal Data Protection Program in the company:
• Commitment and support of the top management
• Group responsible for the Program
• Structuring of rules and instruments
• Communication and training
• Mapping and Internal Controls
• Communication channel with Data Subjects and Supervisory Authorities
• Crisis management plan
• Continuous monitoring of the program
2. SCOPE
The Policy applies to Beontag in full, including all Beontag Employees, interns, Senior Management and all its subsidiaries, mainly the business and operational areas that carry out international transfer of personal data, as well as to service providers, partners and third parties with whom Beontag shares personal data, who act as controllers and operators/processors of personal data within the scope of the relationship with Beontag, both in Brazil and abroad.
The guidelines provided herein are applicable to all internal Beontag processes in which there is, at some point, processing of personal data and/or sensitive personal data of any Data Subjects.
3. REFERENCES
• Beontag Consent Management Policy;
• Beontag Security Incident Crisis Management Procedure;
• Beontag Data Retention and Deletion Policy;
• Beontag International Data Transfer Policy;
• Beontag New Processing Activity Registration Policy;
• Procedure for requesting the Data Subject of personal data
4. TERMS AND DEFINITIONS
- Supervisory Authority: National authorities acting in the guidance, supervision and protection of personal data, such as ANPD (National Data Protection Authority – Brazil), ICO (Information Commissioner's Office – United Kingdom) or CNIL (Commission Nationale de l'Informatique et des Libertés – France), Commission de la protection de la vie privée – Belgium, Office of the Data Protection Ombudsman – Finland, Garante per la protezione dei dati personali – Italy, Commission Nationale pour la Protection des Données – Luxembourg, GIODO (The Bureau of the Inspector General for the Protection of Personal Data – Poland), Information Commissioner – Slovenia, Datainspektionen – Sweden, European Data Protection Supervisor – Europe, Agencia de Acceso a la Información Pública – Argentina, Unidad Reguladora y de Control de Datos Personales – Uruguay.
- Beontag: Beontag Group
- Controller or controllers: natural or legal person(s), of public or private law, who are responsible for decisions regarding the treatment of personal data.
- Anonymised data: data relating to a Data Subject that cannot be identified, considering the use of reasonable technical means available at the time of treatment.
- Personal data: information related to the individual identified or identifiable. That is, information(s) that identifies a natural person either directly (first and last name, document number, e-mail address, phone number, IP address) or indirectly, from associations and profiling (address, marital status, occupation, income, financial history, credit score).
- Sensitive Personal Data: personal data on racial or ethnic origin, religious conviction, political opinion, trade union membership or organization of a religious, philosophical or political nature, data on health or sexual life, genetic or biometric data, when linked to an individual.
- Data Protection Officer (DPO) or Person in Charge: this is the person responsible at Beontag who acts as the Company's representative before the Supervisory Authority, as a communication channel between the controller and the data subjects, and the person responsible for disseminating, guiding and monitoring about the Privacy and Data Protection Standards in the Company.
- Security Incident: any adverse event related to a breach of the security, technical or administrative, of personal data, leading to the loss of one or more basic principles of Information Security (Confidentiality, Integrity and Availability) and that may bring risks or damage to the Data Subjects. Examples of incidents are: unauthorized access, accidental or unlawful, resulting in data leakage, loss, destruction or alteration of personal data, among other forms of illicit or inappropriate data processing.
- Underages: refers to children (up to twelve years old) and teenagers (between twelve and eighteen).
- Privacy and Data Protection Standards: any and all national or international legislation that has been edited and promulgated to promote and protect the privacy and protection of personal data, such as: General Data Protection Regulation (“GDPR”) – Regulation (EU) 2016/679 - European Union; General Personal Data Protection Law (“LGPD”) – Law No. 13.709/2018 (Brazil); United Kingdom General Data Protection Regulation (“UK GDPR”) – United Kingdom; Legislative Decree No. 196/2003 and Legislative Decree No. 101/2018 – Italy; French Data Protection Act (“FDPA”) - Law No. 2018-493 and Decree No. 2018-687 (France); Ley de Protección de los Datos Personales – Law No. 25.326 (Argentina); Data Protection Law – HE 9/2018 – VP (Finland), Personal Data Protection Law and Habeas Action Law – Date No. 18.331/2008 – Uruguay.
- Program: refers to Beontag's Privacy and Personal Data Protection Program.
- Operator or operators: natural or legal person(s), public or private law, who performs the processing of personal data on behalf of the controller.
- Data processing Impact Report: personal data protection impact report is the controller's documentation that contains the specificities of certain data processing activities that may generate risks to the Data Subjects, providing measures, safeguards and risk mitigation mechanisms, whose purpose is to identify and mitigate the risks related to the protection of personal data in a given processing activity.
- Third Parties: suppliers, partners, consortium members, service providers, or subcontractors of the Company, including, for example, consultants, lawyers, expediters, as well as individuals and legal entities that are commercial representatives of Beontag.
- Legitimate Interest Evaluation Test: this is a test to be conducted in parallel to the Impact Report, whenever the hypothesis of processing is the legitimate interest of Beontag and the Data Subject, to demonstrate whether the legitimate interest is applicable in the specific context and for the intended purpose, with analysis of the need, legitimacy, balance and safeguards.
- Data Subject: natural person to whom the personal data that is the object of processing by Beontag refers, such as customers, employees, third parties, shareholders, candidates of the selection process, partners of a legal entity.
- International transfer: transfer of personal data to another country and/or international organization, at any time of processing, including for mere storage.
- Shared use of data: communication, dissemination, international transfer, interconnection of personal data or the shared treatment of personal databases by public agencies and entities, in compliance with their legal competencies, or between them and private entities, reciprocally, with specific authorization, for one or more treatment modalities permitted by those public entities, or between private entities.
5. ASSIGNMENTS AND RESPONSIBILITIES
It is the duty of everyone at Beontag and Third Parties with whom there is sharing or shared use of personal data, to carry out the processing of personal data in compliance with this Policy.
5.1. Upper Administration
The Upper Administration shall:
- Support the initiatives of the Person in Charge/DPO and Data Protection Committee by providing information and access to data, whenever necessary;
- Support the Person in Charge/DPO and the Data Protection Committee with financial resources and commitment to the Beontag Privacy and Data Protection Program;
- Encourage and apply good personal data processing practices on a daily basis at Beontag, ensuring that Beontag employees and their third parties adhere to the Company's internal policies and procedures;
- Formally approve the policies, goals and strategies related to Beontag's Privacy and Data Protection Program, as well as the necessary measures for its implementation and monitoring;
- Allow the Person in Charge/DPO to have access to all information, facilities and resources necessary for the execution of his/her duties at Beontag.
5.2. Data Protection Committee
The Data Protection Committee of Beontag is formed by the following areas:
- Compliance;
- Information Technology; and
- Legal.
As needed, the Beontag Data Protection Committee may request the participation of other areas.
The Committee's responsibilities are:
- To support the Person in Charge/DPO in the execution of his activities;
- To observe any regulatory, jurisprudential and good practice changes related to data protection;
- To execute the activities of the Privacy and Data Protection Policy before Beontag;
- To develop and to review the policies, procedures and other internal documents related to the Program;
- To propose goals and strategies related to the Privacy and Data Protection Program;
- To analyze the forms for recording new treatments of personal data, observing the legal, technical and administrative aspects, to approve or disapprove the treatment flow, with any adjustments and application of security measures;
- To prepare and review the data processing impact report and the legitimate interest assessment test, where applicable;
- To monitor the signs and resolve any security incidents, applying the appropriate remediation measures and recording the evidence;
- To monitor the guidelines of Supervisory Authorities and carry out any adjustments of the program to such guidelines;
- To assist the Person in Charge/DPO in communicating to the Data Subjects and the applicable Supervisory Authority in case of a security incident, in compliance with the Beontag Security Incident Crisis Management Procedure.
5.3. Data Protection Officer (DPO)/Person in Charge
- To receive requests, complaints and communications from the Data Subjects, as well as provide clarifications, adopt measures and address them internally when necessary, recording all appropriate evidence, according to the Request Procedure of the Data Subject of Beontag;
- To receive communications from the Supervisory Authority, as well as provide clarifications, adopt measures and address them internally when necessary;
- To guide Employees, interns and Senior Management regarding the practices to be taken;
- To monitor the adequacy of personal data protection standards, as well as internal policies elaborated on this topic;
- To conduct training related to the Program;
- To advise and monitor the preparation of an Impact Report on the Protection of Personal Data and a Legitimate Interest Assessment Test;
- To communicate with the agents responsible for data processing (controllers, co-controllers, operators/processors) with whom Beontag has a relationship and organize demands arising from such relationships;
- To perform the other duties determined by Beontag;
- To access and to ensure the information relevant to the processing of personal data at any time;
- To act actively in cases of security incidents involving personal data, in accordance with the Security Incident Crisis Management Procedure;
- To promote Beontag awareness and compliance measures to improve the Program;
- To manage and internally address any reports, requests and questions sent to the Beontag Privacy Channel.
5.4. Information Technology
- To perform continuous monitoring of Beontag's security standards, adjusting them whenever possible to security incident risks;
- To technically analyze the evidence of security incidents and apply the necessary measures;
- To propose measures and technical solutions for the protection of personal data at Beontag;
- To perform periodic tests on Beontag systems and environments to monitor and improve internal safety standards;
- To guide, together with the Person in Charge/DPO, on information security and technical protection of personal data within Beontag;
- To ensure security standards in line with the requirements of the applicable Privacy and Data Protection Standards, good market practices, as well as any new legal and regulatory requirements applicable to Beontag;
- To implement and improve internal tools and mechanisms that make it possible to guarantee the rights of the Data Subjects;
- To assist in security incidents involving personal data, in accordance with the Security Crisis Management Procedure;
- To present results and action plans related to security and information technology assessments to Senior Management for internal privacy and data protection improvement at Beontag.
5.5. Legal and Compliance
• To inform and instruct employees and Third Parties continuously of this Policy and other instruments that are part of Beontag's Privacy and Personal Data Protection Program;
• To monitor the effectiveness of the Beontag Program, proposing applicable adequacy measures;
• To ensure the adequacy of contracts with Third Parties, through appropriate clauses to the Privacy and Data Protection Rules applicable to the specific case;
• To monitor the guidelines of Supervisory Authorities and jurisprudence of courts regarding the application of privacy and data protection laws, communicating to the Data Protection Committee, whenever necessary, about relevant updates to Beontag;
• To assist in conducting internal investigations related to privacy and data protection violations and Beontag Program Policies and Procedures.
5.6. Managers responsible
• To know and apply the operational procedures so that Beontag complies with the applicable Privacy and Data Protection Standards, as well as in relation to the processing carried out in its area;
• To communicate with the Person in Charge/DPO to formally register, from the Form for Registration of New Processing of Personal Data, any new activities involving processing of personal data related to the processes of the area under their management and send to the Data Protection Committee, which will analyze and approve or disapprove, with or without adjustments to be implemented;
• To monitor and participate in the activities of the Data Protection Committee, when requested;
• To participate in training and implement adequacy measures as required by the Working Group.
5.7. Marketing
• To support the Data Protection Committee and the Person in Charge/DPO with actions to promote Beontag's culture of privacy and data protection;
• To assist, when necessary, in the analysis of risks to Beontag's image and reputation, with regard to privacy and data protection issues;
• To advise the Data Protection Committee and the Person in Charge/DPO with disclosure of preventive measures for security incidents and crisis management procedures.
5.8. Employees or Third Parties
• To exercise the functions established in this document respecting the duties of loyalty, diligence and good faith;
• To avoid situations of conflict that may affect the interests of Beontag;
• To keep Beontag information confidential;
• To act actively in the prevention and protection of personal data about any security incidents;
• To comply with data retention and proper deletion guidelines in accordance with this Policy and the Data Retention and Erasure Policy. To inform the Data Protection Committee about improper retention of data or improper deletion;
• To collect consent from Data Subjects in cases where this is necessary, as provided in the Beontag Consent Management Policy;
• To comply with the guidelines proposed in this Policy and in the other materials of Beontag's Privacy and Personal Data Protection Program;
• To inform the manager of the department responsible for personal data about treatment for communication to the Data Protection Committee of new projects involving personal data.
• In the case of third parties, whenever it is necessary to have access to personal data of which Beontag is the controller of personal data, enter into a confidentiality agreement (NDA) and/or sign a contract in which there is a confidentiality and privacy clause and protection of personal data.
6. GENERAL PROVISIONS
6.1. General Concepts
6.1.1. Processing of Personal Data
The processing of personal data is any operation carried out with the data, such as collection, production, reception, classification, adaptation, alteration, consultation, organization, structuring, dissemination, use, access, reproduction, transmission, distribution, processing, archiving, storage, disposal, evaluation or control of information, modification, communication, transfer, dissemination or extraction.
By the broad legal definition, any above action involving personal data constitutes a treatment activity. The mere visualization, from the access to personal data, already characterizes the processing and, therefore, will be covered by the Privacy and Data Protection Standards.
Beontag, concerned about the compliance of each processing carried out under its responsibility, seeks to raise awareness among its Employees and Third Parties to continuously adopt security measures.
Examples of processing carried out by Beontag:
• Collection, reception, use and storage of personal data for registration of new customers and maintenance of the existing customer base;
• Collection of personal data for access to Company facilities;
• Control of employee information and transmission to public bodies in compliance with current laws;
• Archiving of personal data of third parties, for the legal deadline;
• Deletion of personal data of terminated employees, after the mandatory period of custody has elapsed.
6.1.2. Agents Responsible for the Processing of Personal Data
Controllers are responsible for the decisions to be made regarding the processing of personal data, while operators/processors are responsible for conducting the processing activities as determined by the controller.
Also, there is the figure of the co-controller, which is the one who exercises joint controllership of personal data with other controllers, so that decision-making is collective competence and the attributions, responsibilities and burdens are determined in a formal agreement between the parties.
Beontag will act sometimes as controller, sometimes as co-controller, sometimes as operator/processor, depending on the processing and the specific relationship.
Whenever Beontag acts as a controller, co-controller or operator of personal data, it must:
• Handle personal data in accordance with the principles set forth in item 6.3 of this document and in accordance with applicable data protection laws;
• Conduct training and register the participation of senior leadership and key employees who deal with personal data;
• Ensure that individuals authorized to carry out any type of processing of personal data have committed to confidentiality or are under an appropriate obligation of confidentiality;
• Process personal data only in accordance with the instructions of the data controller or co-controller, unless otherwise required by the Supervisory Authority;
• Register all processing activities involving personal data and sensitive personal data, recording the department and the person responsible for each activity, the category of the Data Subject, its purpose, types of data processed, its sources, with whom the data is shared, existence of international transfer of data, its retention period, systems used during the processing activity, its proper legal basis, among other pertinent information;
• Prepare, record and file the personal data impact report (RIPD) whenever required by law or by legal, administrative or institutional obligation;
• Implement appropriate technical and organisational measures to ensure that data processing is proper and in accordance with the applicable principles of privacy and protection of personal data;
• In case of transfer of Personal Data outside Brazil, apply the protection measures;
• Formalize the relationship with controllers, co-controllers and operators/processors through a contract, agreement or other formal legal act containing the applicable clauses and provisions;
• Not appoint another operator/processor without specific prior authorization from the controller;
• Assist the controller in fulfilling its obligations to the Supervisory Authority and Data Subjects, such as responding to requests related to the rights of Data Subjects (item 6.4 of this document);
• Notify the controller or co-controller within a reasonable time in relation to any personal data breach or incident with personal data;
• After the end of the provision of services, delete existing copies of personal data, at the request of the controller, unless the legislation requires the conservation of the data or it is necessary for defense in judicial, administrative or arbitration proceedings;
• Make available to the data controller all information necessary to demonstrate compliance with its legal obligations and allow and cooperate with audits, including inspections, conducted by the controller or another auditor appointed by it;
• Carry out and register guarantees that the rights of the Data Subjects are fully fulfilled.
6.2. Relationship with Operators/Processors
Whenever Beontag establishes a relationship with an agent that acts as an operator/processor of its personal data, it must ensure that the operator has in place appropriate technical, security and organizational measures to ensure compliance with principles and good practices that concern the privacy of the Data Subjects and protection of the personal data that will be processed. In addition, a contract or agreement must be entered into with this Operator defining its qualification and delimiting its attributions and obligations in relation to data protection.
6.3. Principles and Legal Bases
Beontag only carries out processing operations that are in line with the requirements of the applicable Privacy and Protection Standards. There will be no data processing that does not have a specific purpose in accordance with the applicable legislation. Beontag respects the essential principles for the processing of personal data.
6.3.1. Legal Bases
All personal data is processed by Beontag for legitimate and lawful purposes. Depending on the personal data and the specific purpose, as well as the location of the processing, Beontag will assign an adequate legal basis to process the data after careful analysis of the characteristics of the processing flow. There will be no processing without adequate compliance with the appropriate legal basis, in accordance with the law of the specific data processing jurisdiction.
It is possible that the legal bases will change according to the course of the life cycle of the processing of personal data, resulting from the change in the purpose of the processing, which will consequently change the company's data mapping/inventory. Therefore, Beontag's mapping/inventory of personal data must be updated periodically, at least annually, and whenever necessary, to faithfully reflect the data processed by the Company and the proper purpose and corresponding legal basis. If, after updating, it is identified that there is no longer a legal basis for Beontag to continue the processing, it must be stopped immediately and the appropriate retention and disposal measures adopted.
6.3.2. Principles
The principles represent fundamental elements that must be strictly considered in all data processing to ensure compliance with the Privacy and Data Protection Standards and global good practices. Beontag shall always process data in accordance with the principles below:
(i) Legality and Justice
All processing of personal data must take place on a valid and applicable legal basis, never in disagreement with any applicable legislation, always in a fair and balanced manner in the relationship with the Data Subjects.
(ii) Transparency
Beontag shall be clear, precise and unambiguous with Data Subjects so that they know, in all contexts, how and for what purpose we process their personal data.
Transparency includes accessibility and ease of communications with the Data Subjects so that there is maximum understanding about the performance of processing and the respective agents.
(iii) Non-Discrimination
Under no circumstances may personal data and sensitive personal data be processed for unlawful or abusive discriminatory purposes.
(iv) Purpose
The processing of the data must take place for legitimate, specific, explicit and informed purposes to the Data Subject, without the possibility of further processing in a manner incompatible with these purposes.
(v) Adequacy
It refers to the compatibility of the processing with the purposes informed to the Data Subject, according to the context of the processing and in a manner consistent with one of the legal bases.
(vi) Necessity and Minimization
This is the limitation of the performance of the processing to the minimum necessary for the accomplishment of the intended purpose, covering only the relevant data, in a proportional and not excessive way.
(vii) Free Access, Quality and Accuracy of Data
To the Data Subjects, Beontag will guarantee the easy and free consultation on the form and duration of the processing, as well as accurate and clear information on the performance of the processing and the agents involved, provided that it does not violate commercial or industrial secrecy of Beontag or Third Party.
We also ensure the quality, accuracy, relevance and updating of personal data, according to the need and for the fulfillment of the purpose of its processing.
(viii) Security, Prevention and Limitation (Integrity and Confidentiality)
Beontag adopts security standards appropriate to its operations, especially when they involve processing personal data, using technical and administrative measures capable of protecting personal data from security incidents.
No personal data should be retained for longer than necessary, so Beontag periodically evaluates the retention periods of each data and adopts disposal measures, when necessary.
All security measures implemented by Beontag, as well as the actions taken in relation to personal data throughout its processing are duly documented internally.
(ix) Accountability and Responsibility
Beontag adopts the necessary measures to demonstrate and prove the adoption of effective measures capable of proving compliance with the rules for the protection of personal data, as well as the effectiveness of such measures.
We also assume that we are responsible for any form of processing of personal data that occurs within our organization, adopting a serious and respectful attitude towards the data and the respective Data Subjects.
6.4. Rights of Data Subjects
Beontag ensures compliance with the rights of the Data Subjects of the processing of personal data that it carries out, in accordance with the provisions mentioned below:
• Right to Transparency of Information: It is the right of the Data Subjects to be informed in a clear and accessible way about the collection and use of their data by Beontag, and all the specificities related to the processing activities that occur within the scope of the Company.
• Right of Processing Confirmation and Right of Access: Data Subjects have the right to obtain confirmation that Beontag processes their personal data and to have access to specific information about their processing.
• Right of Rectification: The Data Subject of personal data may request rectification on the registration of his personal data, such as inaccurate, incorrect or outdated data;
• Right of Deletion/Right to Erasure: The Data Subject has the right to delete his/her personal data and may request the deletion, blocking or anonymization of his/her personal data processed by Beontag in certain cases. This may include, but is not limited to, circumstances in which it is no longer necessary for Beontag to retain your personal data for the purposes for which it was collected.
• Right to Restriction of Processing: The Data Subject may request the restriction or suppression of the processing of their personal data. In these cases, Beontag may store the personal data, but may not use them in some specific cases according to the specific request of the Data Subject and provided that there is no hypothesis in which such processing is necessary, such as legal or regulatory obligation.
• Right of Opposition: The Data Subject may object to the processing of data when it is based on legitimate interest.
• Right to Portability: The Data Subject may request the portability of his/her personal data to another service or product provider, upon express request. This practice makes it possible to transfer, transmit or copy personal data to a Third Party, so that there is security and the usability of the data is not affected.
• Right Related to Automated Decisions: Data Subjects have the right not to be subject to a decision based only on an automated process, including the definition of profiles, which produces direct or indirect legal effects to the Data Subject. Automated decision processes are those made by automated means that have no involvement of humans.
In order to meet the requests of the Data Subjects, Beontag has tools and mechanisms that aim at speed and effectiveness in the response to or observance of these rights, as well as the proper filing of the measures that are adopted in relation to each request, as detailed in the Request Procedure of the Data Subject.
To this end, we make available a communication channel to Data Subjects, publicly accessible on our website, which can be accessed at: https://www.contatoseguro.com.br/beontag.
7. SPECIFIC GUIDELINES
7.1. Access to Personal Data
Beontag understands that improper access qualifies as a security incident. For this reason, access is limited to employees who justifiably need personal data to conduct their activities, in line with the previously mapped treatment flows.
7.2. Retention and Disposal
The personal data processed by Beontag shall be permanently deleted, through systemic deletion or destruction of physical documents, as soon as they achieve their purposes, at the request of the Data Subject when applicable, or at the request of the Supervisory Authority.
However, it is possible that Beontag retains the personal data when its conservation is authorized in specific cases provided for by law.
When personal data is retained after fulfilling its original purpose, it must be encrypted or anonymized to protect the identity of the data subject in the event of a personal data incident.
With regard to the retention of personal data in cases where the data is processed for the purpose of exercising rights, both of activation of parties and of defense in legal, administrative or arbitration proceedings, the period provided for in specific laws of prescription and limitation of actions shall be observed for the purposes of data retention.
During the period of any legal proceeding in which there may be a need for the use of data by the CCRR Group, such data may be stored following the CCRR Group's security measures, principles and internal guidelines regarding the processing of data for as long as the judicial discussion lasts.
As established in the Personal Data Retention and Elimination Policy, the standard period of retention of personal data by the CCRR Group is 5 years after the termination of the link that gave rise to the processing of such data. This period is due to the statute of limitations, decay and tax periods generally adopted in national legislation.
In exceptional cases where custody periods are not foreseen or clear in the current legislation or there is no settled understanding about the term, as well as where the feasibility of retention is under discussion, the Supervisor/DPO must analyze the situation and possibly call on the Data Protection Committee to decide on the retention period of a given document that contains personal and related data, always taking into account the guidelines of this policy and all other policies relating to privacy and data protection of the CCRR Group.
7.3. International Transfer
Beontag adopts restrictive conduct regarding the international transfer of personal data, understanding that it should not be carried out indiscriminately and only when strictly necessary for the conduct of its activities or when there is a security standard compatible with its guidelines, always in accordance with the provisions of the Privacy and Data Protection Standards, as established in the International Data Transfer Policy.
7.4. Processing of Personal Data of Minors
Beontag does not, as a rule, process personal data of minors (children and adolescents). However, there are times when it will be necessary to treat them. In these cases, the data will be processed in the best interest of the minor and in strict accordance with the legal hypotheses that allow such processing.
The personal data of children and teenagers, as well as sensitive data, must be subject to greater protection compared to other personal data.
7.5. Privacy by Design and Privacy by Default
In consideration of the principle of Privacy by Design, all products and services that are created by Beontag are subject to analysis to ensure the privacy and protection of personal data of the Data Subjects and compliance with all principles, guidelines and rules of the subject from the design phase to the launch/implementation of these products and services.
7.6. Disclosure of Personal Data to Third Parties
Beontag must ensure that the personal data in its possession are not disclosed to unauthorized third parties, including family members or friends of its employees, private entities and government agencies, without the company's authorization or a court order to do so.
All employees must exercise caution when requested to disclose personal data to third parties and must seek authorization from the Data Protection Committee or the Person in charge/DPO to do so, including in the case of a court order.
All requests to provide data to third parties must be supported by appropriate documentation and properly stored with the authorization of the Data Protection Committee or the Data Protection or Person in charge/DPO.
7.7. Data Protection Impact Assessment and Legitimate Interest Assessment
The Data Protection Committee shall prepare, with the assistance of the Person in Charge/DPO and the other business departments of Beontag, the report of the impact assessment of personal data protection for Beontag's data processing activities.
Such evaluation aims at an in-depth analysis of the risks involved with the processing carried out by Beontag, as well as technical, administrative and legal measures that should be implemented for greater security of personal data processed in specific flows.
The content of the report should include a description of the processing of “common” personal data and sensitive personal data that may present risks to civil liberties and fundamental rights, as well as the technical, administrative and legal measures that should be implemented to mitigate risks and provide greater security for personal data processed in specific flows.
In cases where the legal basis of legitimate interest is attributed, it will be necessary to prepare an assessment so that it is possible to consider whether this basis is appropriate for the treatment or not, and must be duly approved or disapproved by the Person in Charge/DPO.
This is documentation from the controller containing the Legitimate Interest Impact Assessment, where the processing of personal data is based on legitimate interest, assessing whether the processing may create risks to civil liberties and fundamental rights through its legitimacy, necessity, balancing, and safeguards.
7.8. Security Incidents
Any suspected violations and incidents related to the processing of personal data carried out by Beontag or by third parties on its behalf must be immediately reported to the Person in Charge/DPO, according to the internal communication channels and guidelines provided for in the Security Incident Crisis Management Procedure.
The Person in Charge/DPO will take all relevant information about the incident to the Data Protection Committee, so that they analyze the criticality and complexity of the occurrence and take the relevant measures and decisions.
The application aims to prevent and mitigate losses arising from information security incidents or service disruptions directly affecting your information assets, trust between stakeholders, damage to reputation or market value.
All possible measures should be provided in order to minimize all impacts caused, as well as recover the integrity of the data and its confidentiality.
8. TECHNICAL STANDARDS
Beontag will follow the technical, physical and digital standards for the protection of personal data, its integrity and confidentiality.
9. SAFETY MEASURES
9.1. Educational Actions
In order to train its employees, Beontag will conduct annual training on privacy and data protection, prepared by the Data Protection Committee and coordinated by the Person in Charge/DPO.
Employees who are hired will also receive training, in order to understand basic concepts and observe compliance with Beontag's Privacy and Personal Data Protection Program.
In addition, with the assistance of the Human Resources Department, other actions will be carried out to raise awareness and ensure compliance with the guidelines, such as:
• sending emails with newsletters/content pills on privacy and data protection topics, applicable standards and the Company Program.
9.2. Risk supervision and mitigation
Beontag's Privacy and Personal Data Protection Program will be overseen by the Data Protection Committee, through:
• The annual review of this Policy;
• Constant monitoring of signs of security incidents and documentation of implemented adequacy measures.
The Compliance, Information Technology and Legal areas will also contribute to the supervision and mitigation of risks, through:
• Continuous monitoring of Beontag's safety standards;
• Analysis of the technical aspects of evidence of security incidents;
• Constant review and implementation of tools and mechanisms that ensure the security of personal data processed by Beontag.
10. PRIVACY CHANNEL
The Channel is an easily accessible means of communication between the Data Protection Officer/Person in Charge of Beontag and the Data Subjects of personal data, so that they can exercise their rights in contact with the Company. Beontag makes efforts to comply with requests within legal limits and reasonable limitations, and is always committed to the transparency and protection of personal data.
In addition, the Privacy Channel may be used to report any violations related to privacy and protection of personal data, so that the Company can take the appropriate investigation, risk mitigation and action in relation to the specific case.
The Privacy Channel can be accessed via: lgpd@beontag.com.
Any questions, queries, clarifications, exceptions, requests regarding the application of this International Data Transfer Policy may also be sent directly to the Data Protection Committee through the email comitelgpd@beontag.com or to the Person in Charge by email lgpd@beontag.com.
11. INVESTIGATIONS AND SANCTIONS
Any complaints, even if suspected, of violations of this Policy will be forwarded to the Data Protection Committee and submitted to an internal investigation procedure by Beontag's Compliance Department. If it is found, after a robust investigation, that there has been a violation, sanctions may be applied by Beontag, proportional to the nature or severity of the infraction committed, according to resolution by the Data Protection Committee.
Any Employee or Third Party that violates any provision of this Policy will be subject to disciplinary sanctions and related consequences, such as: (i) verbal or written warning; (ii) suspension; (iii) dismissal without cause; (iv) dismissal with cause; (v) exclusion of the Third Party from the Company's list of suppliers; (vi) filing of a relevant lawsuit.
In addition, the person responsible for the practice of an unlawful act may suffer judicial and/or administrative punishments, in accordance with the legislation of the country in which there is jurisdiction.
If Beontag is ordered to indemnify damages of a moral or material nature, proven in any judicial or administrative action of any nature, the harasser will be called to participate in the process or will be notified to reimburse Beontag for the amounts spent, duly updated in accordance with current legislation.
Failure to report violations of privacy or the integrity of personal data that represent a violation of Beontag's internal rules and applicable legislation constitutes non-compliance with this Policy and may be duly punished. Recklessness, negligence and willful failure are also considered violations of this Policy and may be subject to disciplinary sanctions.
12. FINAL PROVISIONS
This document must be read and interpreted in conjunction with the other Policies and Procedures adopted by Beontag related to Data Protection, as well as with related laws and regulations.
This Policy, as well as the other documents that complement it, are available on the intranet or, in case of unavailability, may be requested from Beontag's Person in Charge/DPO.
Any questions regarding this Policy should be addressed to the Data Protection Committee by email comitelgpd@beontag.com or to the Person in Charge by email lgpd@beontag.com.
This Law enters into force on the date of its publication.
13. DATA CONTROLLER AND CONTACT DETAILS
The DPO of Beontag group, chosen as the focal point of communication with data subjects and ANPD, is Suzane Oliveira Silva, who can be contacted via email: lgpd@beontag.com.br and by telephone +55 (11) 99620-7865.
1. OBJECTIVE
To establish the guidelines, processes, responsibilities and controls for hiring Third Parties for the acquisition of items and services by Beontag, or "Company", preventing, identifying and mitigating material and reputational risks that can be imputed to Beontag due to the possible commission, by Third Parties, of acts of corruption, fraud, embezzlement and other related illegalities.
This document also establishes guidelines to ensure the transparency and security of transactions, so that the Third Parties contracted by the Company are aware of and act in strict compliance with applicable laws, codes, rules and regulations.
2. SCOPE
This Policy must be known and fully complied with by all Employees, service providers, interns, Senior Management of Beontag and all its subsidiaries, especially by those who participate, directly or indirectly, in the flow of hiring Third Parties by Beontag. In addition, this Policy shall be complied with by any Third Parties acting on behalf of, in the interest of or for the benefit of Beontag, as applicable.
3. ASSIGNMENTS
- Purchasing Department: It is the responsibility of the Purchasing Department to ensure that the criteria defined in this Policy are fully met.
- Employees: It is the responsibility of employees to follow the criteria defined in this policy.
- Compliance Department: It is the responsibility of the Compliance Department to conduct the Third Party Due Diligence procedure, and to review and monitor, in accordance with the guidelines and in the specific situations identified in this Policy, the hiring of Third Parties identified as Medium and High Risk. After evaluating the risks involved with the Third Parties, the Compliance Department may recommend the approval or disapproval of the contract, duly recording the reasons and evidence for each opinion.
The Compliance area may, in specific situations, adopt stricter procedures than those provided for in this policy for contracting Third Parties, when it deems them appropriate based on a risk assessment. In these situations, the Compliance Department will bring such procedures to the attention of the Employees involved in the hiring so that they are fully complied with.
- Financial Department: It is the responsibility of the financial area to request and analyze the financial documentation for contracting Third Parties, according to the value of the services that will be contracted.
4. RESPONSIBILITIES
a. Responsible for the execution of the Policy's attributions
Purchasing: ensuring the application of the policy in full, making purchases in accordance with this policy, approving, researching, developing and evaluating suppliers in accordance with the legal and ethical principles that govern the Company's activities, in addition to providing support for defining purchasing strategies;
Requester: Correctly specify the material/service to be purchased in accordance with the guidelines and procedures indicated in this policy;
Compliance Department: Conduct Third Party Due Diligence procedure in accordance with this Policy, review and evaluate situations in which warning signs are identified (according to item 7 below), as well as carry out approvals (or disapprovals, if applicable) of the hiring of a Third Party identified as “Medium Risk Third Party” and “High Risk Third Party”, guide the Requestors and the Purchasing Department when necessary and periodically monitor the compliance and effectiveness of this Policy. In case of doubt, guidance is the responsibility of the Compliance area.
b. Responsible for monitoring the execution of the Policy assignments
It is the responsibility of the Purchasing and Compliance area to ensure compliance with this policy's activities through periodic monitoring. The respective duties of the Purchasing and Compliance Departments in monitoring activities related to the hiring of Third Parties will comply with the classification criteria of the Third Parties established in item 7 of this Policy.
c. Responsible for maintaining the Policy
The Compliance area will be responsible for maintaining and updating this policy.
5. TERMS AND DEFINITIONS
The terms set out below will be used throughout the policy with the following meanings:
Government Official: anyone who exercises a public function, temporarily or permanently, with or without compensation, by election, appointment, designation, hiring or any form of investiture or bond, mandate, position, employment or public function at any level of government, department, agency or national and foreign body. The equivalent of a Government Official is anyone who works for a company providing a service contracted or associated with the execution of a typical activity of the Public Administration. Also considered Government Officials are: anyone occupying or running for public office; a political party or member of a political party; representatives of international public organizations; members of the royal family; and any person who carries out activities for or represents any of the aforementioned persons or organizations.
Due Diligence: methodical procedure for analyzing information and documents with a predetermined objective of knowing the organization and its managers with which the Company intends to relate and interact, identify any risks related to it and, potentially, adopt measures to mitigate these risks.
Anti-Corruption Standards: any and all national or international legislation that has been issued and promulgated to prevent and combat corruption and economic crime, such as: Foreign Corrupt Practices Act (FCPA) – Legislation on Corrupt Practices in the United States of America, with cross-border effect; Brazilian Anti-Corruption Law (Law No. 12.846/2013 and Decree 8.420/2015) – Comprising the Brazilian anti-corruption legislation; United Kingdom Bribery Act (UKBA) – Anti-corruption legislation of the United Kingdom, being the most restrictive law on the subject; French Anti-Corruption Law (Sapin II - Law No. 2016-1691) – Legislation with international coverage; Italian Anti-corruption Legal Framework (Laws 11/06/2012, No. 190, 05/27/2015 No. 69, 01/09/2019 No. 3, 2016 No. 229 and Decrees 12/31/2012, No. 235, 03/14/2013, No. 33, 04/16/2013, No. 62, 08/04/2013, No. 39); Argentina Anticorruption Law (No. 27.401).
Politically Exposed Persons: These are Government Officials, former Government Officials or their families who carry out relevant public activities, representing, directly or indirectly, national or international governments, such as:
- Holders of elective mandates of the Executive and Legislative Powers;
- The holders of offices in the Government Union:
- Minister of State or equivalent;
- President, vice-president and director, or equivalent, of indirect public administration entities; and
- The presidents and national treasurers, or equivalent, of political parties;
- Governors and Secretaries of State, State and District Deputies;
- Mayors, Councilors, Municipal Secretaries;
- Persons abroad who are (a) heads of state or government; (b) politicians of higher echelons; (c) occupants of governmental positions of higher echelons; (d) general officers and members of higher echelons of the Judiciary; (e) executives of higher echelons of public enterprises; or (f) leaders of political parties;
- Senior managers of public or private international law entities.
Third Parties: Third Parties are the Company's suppliers, partners, consortiums, service providers, or subcontractors, including, for example, consultants, lawyers, agents, as well as individuals and legal entities that are commercial representatives of the Company.
Undue Advantage: one that involves any type of illicit profit, gain, privilege or benefit, promised, given or offered for an individual to act contrary to morals, ethics or duties directly related to the exercise of their function. The concept should be understood broadly and not as the mere payment in cash. The advantage is anything that has any value to the Public or private Agent, even if it has no value to the grantor, such as money or goods, giveaways, gifts, job vacancies, lunches, dinners, expenses with travel or entertainment, provision of services, benefits and favors, donations, sponsorships.
6. GENERAL GUIDELINES
This Policy has as its main guideline to curb acts of corruption committed by Third Parties contracted by Beontag. Thus, all Company employees must ensure the execution of business, including the contracting of any Third Parties, seeking to safeguard the legal and ethical principles that govern the Company's activities, without granting privileges or benefits of any kind.
For this reason, Employees must conduct due diligence prior to hiring these Third Parties, strictly complying with the procedure and requirements established in item 8 of this Policy, according to the risk classification of the Third Party to be hired.
One of the items to be evaluated as a way to mitigate any risks involved with Third Parties that may relate to Beontag is to identify whether they have mechanisms, procedures and integrity controls implemented internally to prevent any irregularities, especially related to the prevention of acts of corruption and fraud, from occurring within the scope of the provision of services. All Third Parties must be aware of and agree to comply with Beontag's internal rules of ethics and integrity.
In addition, Beontag has strict rules provided for in its Anti-Corruption Policy regarding payments of any kind made by its employees to intermediaries, Third Parties and Government Officials. Any contracts or commercial relationships maintained with Third Parties must meet the following guidelines:
- Adoption of objective criteria for conducting business (technical, commercial, economic, reputational or legal);
- Legitimate Business Reason: there must be a real and legitimate business reason for engaging the Third Party;
- Quotation: the selection of the Third Party must have been preceded by a quotation process by at least 2 (two) Third Parties;
- Contract: the Third Party must sign a contract (when applicable) describing its attributions and obligations in a clear, specific and transparent manner;
- Compensation: the compensation of the Third Party must not be excessive in view of its functions and compatible with the market value, and payment must be made via transfer to the bank account held by the Third Party;
- Adequate records: the Third Party must present proof with the real value of the service provided and other information necessary for the proper registration of the transaction;
- Anti-Corruption Clause: contracts entered into with Third Parties must contain the Anti-Corruption Clause, by which they undertake to fulfil their obligations in compliance with the Anti-Corruption Standards and act in accordance with the Company's policies.
As a rule, the following hypotheses make the hiring of Third Parties or subcontracting unfeasible and not allowed by Beontag:
- Contracting a Third Party that does not have the technical capacity to meet Beontag's requirements and needs;
- Contracting a Third Party that refuses to observe anti-corruption laws and other applicable laws, rules and internal Policies of Beontag;
- Contracting a Third Party that refuses to adopt recommended mitigation measures after carrying out a Due Diligence procedure;
- Contracting a Third Party that has points of attention and refuses to assume the obligation in relation to promising, offering or giving an undue advantage to Public or Private Agents;
- Contracting a Third Party that has points of attention and refuses to assume the obligation not to commit acts of corruption, especially during performance on behalf, benefit or interest of Beontag;
- Contracting a Third Party that may have the objective of obtaining an undue advantage to the detriment of Beontag;
- Contracting a Third Party that provides incomplete, misleading or insufficient information that impairs the proper risk assessment of the Third Party;
- Contracting a Third Party or its partners/main shareholders/directors who have been tried and convicted in a judicial proceeding with res judicata for crimes of corruption, money laundering, fraud, illicit enrichment, environmental crime, use of forced labor, child labor or analogous to slavery, violence, or other crimes provided for in applicable local legislation.
Contracts that depart from the provisions of this Policy will be allowed only in cases of emergency purchases (material or service not planned and necessary to solve an emergency situation, which cannot be postponed), after due analysis as to the urgency and prior approval of the emergency contracting procedure by the Board of Directors of the Department responsible at Beontag, under penalty of immediate termination of the contract between the Company and the Third Party and the imposition of internal sanctions applicable to Employees.
In case of any doubt, situation that generates discomfort, potential warning signs or identified risks, the Compliance Department must be called immediately to assess the situation and provide appropriate guidance.
The renewal of the Due Diligence procedure must occur on a periodic basis of 1 (one) year for Third Parties that have a contract with a term of more than 1 (one) year with Beontag or when new risks or warning signs are identified. If the Requestor requests the Compliance Department, the renewal must be carried out on an exceptional basis.
7. INITIAL RISK CLASSIFICATION
Beontag Third Parties, in accordance with the guidelines of this Policy, will initially be classified into the categories “Low Risk Third Parties”, “Medium Risk Third Parties” and “High Risk Third Parties”, being:
(i) Low Risk Third Parties: any Third Parties contracted by Beontag for the acquisition of items or services (e.g., raw material suppliers, hiring of painters, etc.) up to the annual amount of R$ 100,000.00 (one hundred thousand Brazilian reais) or US$ 120,000.00 (one hundred and twenty thousand American dollars) and that do not involve any interaction with a Government Official on behalf of the Company or its commercial representatives;
(ii) Medium Risk Third Parties: any Third Parties hired by the Company that provide advisory or consulting services to the Company, including economic, financial, legal, marketing, and communication consulting services, as well as any Third Parties that in any way interact with Government Officials on behalf of the Company, such as its commercial representatives, whose hiring is limited to the annual amount of R$ 150,000.00 (one hundred and fifty thousand Brazilian Reais) or US$ 200,000.00 (two hundred thousand American dollars);
(iii) High Risk Third Parties: High Risk Third Parties are considered to be:
- Any Third Parties hired by the Company that provide advisory or consulting services (indicated above) to the Company in an annual amount greater than R$ 150,000.00 (one hundred and fifty thousand Brazilian reais) or greater than US$ 200,000.00 (two hundred thousand American dollars);
- Any Third Parties whose services to be provided involve interaction with Government Officials on behalf of the Company, such as commercial representatives, and the contracting is in an annual amount greater than R$ 250,000.00 (two hundred and fifty thousand Brazilian reais) or US$ 250,000.00 (two hundred and fifty thousand American dollars);
- Any Third Parties whose services to be provided involve obtaining licenses, permits, authorizations or approvals of any nature with approval before Agents or Government on behalf of Beontag;
- Any Third Parties or their partners/main shareholders/directors hired by the Company that, regardless of the type of service provided, fall within the definition of Government Official or Politically Exposed Persons defined in this Policy;
- Any Third Parties that are headquartered or operate in countries that are subject to international financial sanctions published by government agencies or international organizations, such as: OFAC List, United States Treasury, United States Financial Intelligence Unit List, List of the United Nations, List of the European Union, List of the United Nations Security Council, among others;
- Any Third Parties that list bank accounts for payment located in countries that are subject to international financial sanctions published by government agencies or international organizations;
- Any Third Parties or partners/main shareholders/directors who are being investigated, prosecuted or judged without final conviction for any crime;
- Any Third Parties recommended by Government Officials or Politically Exposed Persons; and
- Third parties or their partners/main shareholders/directors who notoriously have a questionable or disreputable reputation.
As a rule, Third Parties classified as High Risk are not allowed to subcontract under the contract with Beontag. If subcontracting is essential for the fulfilment of the object of the contract with Beontag, the subcontracting request must be approved by the Board of the requesting Department and, subsequently, the subcontractor must go through the Third Party contracting procedure provided for in this Policy, and the subcontractor may be disapproved.
8. DUE DILIGENCE
The objective of this mechanism is to minimize the Company's liability for the irregular conduct of Third Parties in conducting its business. The due diligence process involves collecting relevant information from the Third Party by sending a questionnaire to be completed by the Third Party after it has been selected by the Company (i.e., after the quotation process) and prior to signing the contract with the Company.
Beontag has two types of questionnaires, and the questionnaire corresponding to the initial risk classification of the Third Party must be sent in accordance with the guidelines of this Policy, after the Purchasing Department has approved, researched and evaluated the Third Party in accordance with the legal and ethical principles that govern Beontag's activities. If the answers presented by the Third Party indicate possible vulnerabilities, points of attention or irregularities related to corruption or fraud, integrity, ethics or reputation issues, the Purchasing Department, together with the Compliance Department, must evaluate (i) the adequacy of the risk classification of this Third Party; and (ii) the viability of the business, in order to identify any reputational and legal damages that the contracting may bring to Beontag.
If it is identified that the Third Party's classification is inadequate, the risk classification of this Third Party may be changed by the Purchasing area, after validation with the Compliance area. For example, if the Company sent the Third Party a questionnaire of "Low Risk Third Party" and the analysis of the responses presented revealed that the Third Party has a "High Risk Third Party" profile, the risk profile of this Third Party must be changed, and the documentation and information contained in the questionnaire for “High Risk Third Party” will be requested.
The identification of Compliance risks in Beontag's relationship with Third Parties does not necessarily mean that the contracting cannot proceed, but that it may be necessary to request additional information, to make the analysis of the Third Party more robust, or to implement measures so that the identified risks are duly mitigated, with specific precautions to prevent these risks from resulting in a violation of applicable legislation, internal rules of Beontag or the ethical and legal principles that govern Beontag's activities. Likewise, the absence of identification of risk factors after carrying out the Due Diligence procedure does not guarantee that the relationship with the Third Parties will be absolutely risk-free.
In the event that the responses presented by the Third Party lead to the conclusion that its hiring brings risks to Beontag, damages the Company's image or violates any of the legal and ethical principles that govern Beontag's activities, the Compliance Department may suggest that the hiring of this Third Party be prevented, in a justified and written manner.
a. Stages
The Due Diligence process will involve the following stages:
(i) Questionnaire: before contracting any Third Party, the Purchasing area must request the Third Party to complete a questionnaire, the answers of which will assist the Company in identifying and adapting the risk of corruption and reputation related to that Third Party. The Company has developed two questionnaires, namely (a) a questionnaire for Third Parties identified as “Medium Risk Third Parties” or “High Risk Third Parties”, according to the classification of this Policy; and (b) a questionnaire for Third Parties identified as “Low Risk Third Parties”.
(ii) Independent research: after analyzing the questionnaires corresponding to each Third Party, the Medium and High Risk Third Parties must be submitted to independent research by the Compliance Department in order to identify the history of the Third Party and its main officers/partners about any involvement with wrongdoing or irregularities, including presence in lists of international financial sanctions as well as verification of the reputation of the Third Party and confirmation of the information stated in the questionnaire. The information provided in the questionnaires will be used for consultations in media, government agencies, restrictive lists and other public databases relevant to such verification. It is possible to use corporate tools to collect information about the Third Party and its officers/partners.
(iii) Warning Signs/Red Flags: During the Due Diligence process, special attention should be paid to “warning signs” or “red flags”, that is, any facts or circumstances that may raise concern that the Third Party acts improperly. Warning signs may be identified at any time in the process of hiring Third Parties, even if they were not considered warning signs previously or in the previous analysis, and they must be immediately reported to the Compliance Department for evaluation.
Below are the main warning signs that should guide the analysis of the information sent by the Third Party in response to the questionnaire:
- Reputational risk: the Third Party has a history of public or private bribery practices, or has been the target of criminal or civil actions for any acts of corruption, bid fraud, acts of administrative improbity, money laundering, conflict of interest;
- Links with government or government representatives: the Third Party falls within the definition of a Government Official or Politically Exposed Person, or makes high value and frequent political contributions to candidates and political parties, or has been recommended by a government representative or Government Official;
- Insufficient skills: the Third Party does not have technical experience in the intended business or does not have adequate facilities and/or teams to carry out the work;
- Atypical compensation: the Third Party requests commission, success fees, or substantial anticipation of payments or other substantial payments above market value; or the Third Party requests that an additional amount be added to the price without reasonable justification; or the Third Party requests that payment be made in cash or by bearer check or to another person's account, individual or legal, or to an account outside the country; or the Third Party refuses to document expenses properly; or the Third Party requests donation to a certain philanthropic institution or sponsorship as a condition of the provision of the service.
- Atypical situations: the Third Party refuses to sign an anti-corruption clause in contracts, or refuses to answer the due diligence questionnaire or refuses/creates difficulties in making statements, among other situations provided for in the Company's Anti-Corruption Policy.
- Attempted interference or influence: the Third Party promises or acts to influence the hiring, such as offering meals of excessive value, travel, entertainment to the person responsible for hiring at Beontag and/or its relatives.
(iv) Evaluation: upon receipt of the information and documents requested in the questionnaire, the Purchasing Department will carry out, together with the Company's Compliance Department, an analysis of the information and documents sent to verify (a) that the documentation sent meets all the necessary requirements for the evaluation; (b) that the risk initially identified for that Third Party is adequate; and (c) whether there are warning signs that deserve additional diligence.
(v) Approval: the approval process may follow different rites, depending on the risk involved to that Third Party:
- If it is a Low Risk Third Party where no warning signs related to the reputation and integrity of that Third Party have been identified, the Procurement Department, after the previous steps indicated above have been completed, will store the file of the Third Party procurement process and approve the contracting.
- In the event that a warning sign related to the reputation and integrity of the Third Party has been identified, the Purchasing area, after completing the previous steps indicated above, will forward the Third Party's contracting process file to the Compliance area for evaluation and approval (or disapproval, if applicable). In all situations where there is a disapproval in the contracting of a Third Party, the Compliance area must justify the refusal in writing and inform the requester of the item / service about the refusal;
- In the case of a Medium Risk Third Party or High Risk Third Party, the Purchasing Department, after complying with the previous steps indicated above, will forward the file of the Third Party's hiring process to the Compliance Department to conduct independent research as additional risk mitigation diligence, followed by evaluation and approval (or disapproval, if applicable). In all situations in which there is a recommendation for disapproval in the hiring of a Medium Risk Third Party or High Risk Third Party, the Compliance Department must justify the refusal in writing and inform the Purchasing Department and the requester of the item / service about the refusal.
b. Financial Due Diligence:
The performance of Integrity Due Diligence does not exempt or replace the possibility of carrying out Financial Due Diligence, in order to identify financial health issues, history, books and records related to Third Parties with which Beontag seeks to contract or develop a relationship. The Purchasing Department will contact the Finance Department, which will request and analyze the Third Party's documentation, according to the values below:
• Up to R$ 50,000.00 (fifty thousand Brazilian reais) or up to US$ 25,000.00 (twenty-five thousand American dollars):
- Registration form;
- Articles of Incorporation and latest amendments or consolidated contract.
• From R$ 50,000.00 (fifty thousand Brazilian reais) – Up to R$ 500,000.00 (five hundred thousand Brazilian reais) or from US$ 25,000.00 (twenty-five thousand American dollars) – Up to US$ 250,000.00 (two hundred and fifty thousand American dollars):
- Registration form;
- Billing list for the last 12 months (Signed by the accountant);
- Articles of Incorporation and latest amendments or consolidated contract.
• Above R$ 500,000.00 (five hundred thousand Brazilian reais) or above US$ 250,000.00 (two hundred and fifty thousand US dollars):
- Registration form;
- Balance Sheet and Income Statement (DRE) for the last three years;
- Billing list for the last 12 months (Signed by the accountant);
- Articles of Incorporation and latest amendments or consolidated contract.
c. Privacy and Personal Data Protection
In the case of contracting Third Parties whose provision of services/supply of products to Beontag includes the processing of personal data or sensitive personal data, especially in cases involving the processing of data of children and adolescents, systematic analysis of holders with automated processing, processing of sensitive personal data or of personal data on a large scale, systematic monitoring on a large scale of publicly accessible areas and/or processing based on legitimate interest, a specific privacy and data protection Due Diligence must be carried out in order to identify possible risks and ensure that the Third Party's standards are in accordance with those of Beontag regarding the Data Protection Program.
This Due Diligence will aim to identify whether the Third Party has mechanisms in place to protect the personal data processed and the privacy of the holders involved and will be conducted by the Compliance Department.
9. RATIFICATION
This policy integrates the Company's mechanisms for preventing and combating corruption. The rules relating to the due diligence process prior to contracting a Third Party, provided for in this policy, will be conditions for the ratification of the supplier referred to in the Company's purchase policy.
This policy does not revoke or change the other provisions contained in the Company's policies and procedures.
10. RECORDS
All documentation related to the Third Party contracting process must be filed electronically in the exclusive network directory designated for the Purchasing and Compliance Departments, following the criterion defined internally (i.e., creation of specific folders, by diligence, in the internal network of Beontag), and there must be login and access control so that there is no undue access to confidential information about the Company's internal procedures.
11. EXCEPTIONS
Exceptions to this policy must be approved and signed in advance by the Compliance area.
The Requestor or the Purchasing Department, as applicable, will be responsible for the regularization and renewal of the process by sending the questionnaire, entering into a contract, amendment, and any pending documentation existing in relation to the Third Parties.
12. PAYMENT
Full compliance with the rules contained in this policy, in particular the submission, by the Third Party, of the completed questionnaire and other requested information, is a condition for the Company to make any payment to this Third Party.
13. ETHICS CHANNEL
In case of any suggestions or doubts about this Anti-Corruption Policy, access the Beontag Ethics Channel.
It is the responsibility of everyone at Beontag to immediately report any acts or suspicions of non-compliance with this Donation and Sponsorship Policy, as a way to promote ethics and integrity within Beontag, assisting in the detection, prevention and mitigation of any acts of corruption, fraud and other illicit acts, in order to preserve Beontag's image and brand before society, the market and its partners.
The Ethics Channel can be accessed through:
- Telephone 0800 512 7702;
- Web site: https://www.contatoseguro.com.br/beontag
This channel is managed by a specialized company, being an independent, secure, confidential and impartial tool, available 24 hours a day, 7 days a week and 365 days a year to the internal and external public of Beontag. It is possible to make anonymous reports when using the Channel, always maintaining responsibility, ethics and good faith when making reports, which must be consistent and true. There will be no retaliation for sending reports in good faith, and it will be guaranteed that no individual, including Beontag employees, will be exposed or punished for using the channel tool or for participating in investigation processes arising from the reports.
Any situations, doubts, questions, exceptions and/or clarifications on the application of this Policy should be directed to the Compliance Department, through the email: compliance@beontag.com.
14. INVESTIGATIONS AND SANCTIONS
Any complaints of violations of this Policy, even if only suspected, will be forwarded to the Data Protection Committee and submitted to an internal investigation procedure by Beontag's Compliance Department. If it is found, after a robust investigation, that there was misconduct, sanctions may be applied by Beontag, proportional to the nature or severity of the infraction committed.
Any employee, third party or partner who violates any provision of this Policy will be subject to disciplinary sanctions, such as:
- Verbal or written warning;
- Suspension;
- Dismissals without due cause;
- Dismissals with cause;
- Exclusion of the Third Party from Beontag's list of suppliers;
- Application of contractually provided sanction, termination of the contract or termination of the commercial relationship with the Third Party;
- Filing of appropriate lawsuit.
The act of not reporting acts of corruption, fraud or other misconduct that represent a violation of Beontag's internal rules and applicable legislation constitutes non-compliance with this Policy and may be duly punished. Recklessness, negligence and wilful failure are also considered violations of this Policy and may be subject to disciplinary sanctions.
15. ANNEXES
ANNEX I – Low Risk Third Party Questionnaire – Brazil
ANNEX II – Low Risk Third Party Questionnaire – Global
ANNEX III – Medium and High Risk Third Party Questionnaire – Brazil
ANNEX IV – Medium and High Risk Third Party Questionnaire – Global