Privacy Policy

Publication Date: 08/04/2021 03:00

1. PURPOSE

This policy describes the practices adopted with respect to personal data collected by Norte Energia S.A.'s systems, maintained by contracted companies or directly transferred by them, for operation and management of actions and services.

Its purpose is to ensure that personal and sensitive data for anyone who has any relationship, commercial or otherwise, with Norte Energia S.A., is protected and that established rights are respected, in line with current data protection legislation.

2. SCOPE

This policy applies when personal and sensitive data are subject to processing for the execution of Norte Energia S.A.'s business processes, including: collection, recording, organization, structuring, storage, adaptation, alteration, recovery, consultation, transmission, disclosure or provision, alignment or combination, restriction, deletion or destruction.

3. RESPONSIBILITIES

3.1. EXECUTIVE BOARD

  • Encourage the establishment of a data privacy compliance culture at Norte Energia;
  • Monitor the evolution of the privacy program within Norte Energia in a timely manner;
  • Discuss major issues identified related to data privacy matters at Norte Energia;
  • Ensure the relevance of the corporate processes of Norte Energia's privacy program.

3.2. SUPERINTENDENT OF RISKS, INTERNAL CONTROLS AND COMPLIANCE

  • Discuss and define the strategy and oversight of the privacy program, executive privacy advocate and the main point of contact for Senior Management/Shareholders;
  • Manage budgets related to privacy, initiatives and investments;
  • Ensure support to the Privacy Committee for the formalization/execution of initiatives related to privacy;
  • Ensure that the issue of Privacy is on the agenda of Senior Management/Shareholders and is relevant in Reports and Targets;
  • Be responsible for validating the Data Privacy Impact Reports (RIPDs) that are prepared;
  • Be the focal point of contact with data subjects, regulatory bodies and the National Data Protection Authority – ANPD;
  • Periodically report to senior management/shareholders; 
  • Oversee/execute the implementation of the Roadmap and Privacy Strategies;
  • Update Norte Energia's understanding on Privacy through the preparation and validation of policies, documents, internal regulations, e-books, workshops and e-learning;
  • Create a matrix of privacy risks and mitigation measures;
  • Formalize the Incident Response process within Norte Energia, including its definition in a RACI matrix;
  • Establish the procedure to respond to Data Subject rights requests (SARs);
  • Oversee the actions/work plan of the privacy leaders and Privacy Officer;
  • Support people, business processes and technology related to the Privacy Committee;
  • Manage the Privacy Impact Assessment or a new process at the corporate level; 
  • Manage the personal data inventory and update it when necessary;
  • Engage when new internal Privacy Program workflows are added, such as privacy impact assessments and third-party oversight, to ensure a reasonable workload;
  • Coordinate activities relevant to the mapping of new processes for the processing of personal data;
  • Manage the actions relevant to the privacy GAPs identified during process mapping.

3.3. LEGAL SUPERINTENDENT

  • Provide legal and strategic guidance for business processes and for the Privacy Committee; 
  • On an ongoing basis, identify and communicate existing requirements, new laws and regulations applicable to Norte Energia and possible adjustments based on legislative changes; 
  • Coordinate the review and implementation of privacy compliance with the Privacy Committee, including policies, procedures, tools, among others;
  • Support the preparation of Impact Reports for processing personal data configured as high risk, especially those classified as Legitimate Interest; 
  • Indicate and validate legal bases for the processing of personal data; 
  • Classify new projects based on the Law; 
  • Define legal safeguards for the processing of personal data; 
  • Develop, analyze and review contracts.

3.4. TECHNOLOGICAL RESOURCE MANAGEMENT

  • Define the Information Security Policy and standards that support the Privacy Program and the mapping of new privacy-related risks; 
  • Work with the Privacy Committee to coordinate the controls and processes used to ensure the secure management, storage, transfer and disposal of personal data; 
  • Establish alignment with Norte Energia's operating modes regarding information security policies and standards that refer to data privacy; 
  • Design the improvement plan for existing controls; 
  • Implement data anonymization actions;  
  • Manage the cookie management process;  
  • Evaluate third-party IT companies on privacy and data protection matters; 
  • Develop and maintain data protection and privacy TAGs; 
  • Create and maintain data labeling (Data Classification); 
  • Handle incidents of personal data breaches; 
  • Assist in crisis management during personal data breaches.

4.  METHODOLOGY 

4.1. TERMS AND DEFINITIONS

Legal basis: These are the 10 LGPD hypotheses that authorize the processing of personal data;

Employees: All directors, board and team members who have an employment agreement and are included on the payroll of any company that maintains legal relationships with Norte Energia S.A. This includes those working full-time, part-time, temporary workers and interns;

Consent: Free manifestation provided by the Data Subject, authorizing the processing of personal data for a specific defined purpose;

Controller: individual or legal entity, under public or private law, who is responsible for decisions regarding the processing of personal data;

Encryption: a process that seeks to eliminate the chances of third parties gaining unauthorized access to data. When data is encrypted, an algorithm is applied to encode it such that it no longer has the original format and therefore cannot be read. Data can only be decoded to the original format using a specific decryption key;

Sensitive Personal Data: Personal data on racial or ethnic origin, religious conviction, public opinion, membership in a union or organization of a religious, philosophical or political nature, data relating to health or sex life, genetic or biometric data when linked to an individual;

Personal Data: Any information that identifies or can identify a person, such as names, phone numbers, identification codes, document numbers, addresses, email etc.;

Data Protection Officer (DPO): Individual or legal entity appointed by Norte Energia S.A. to monitor data protection compliance and act as a communication channel between the controller, the data subjects and the National Data Protection Authority;

Operator: individual or legal entity, of public or private law, that performs the processing of personal data on behalf of the controller;

Privacy by Design: Any action taken involving the processing of personal data must be conducted with data protection and privacy in mind throughout the process. Initial development of processes, systems and products must seek to mitigate concerns about privacy and data collection, ensuring compliance and its protection, with the desired result being the incorporation of privacy into the design of new products, services or processes;

Privacy Program: set of policies, standards and practices that are part of the entire legal and technical framework in relation to the processing of personal data;

Data Subject: Individual to whom the personal data being processed refers;

Processing: All operations conducted in relation to personal data. For example: collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, assessment, information control, communication, transfer, dissemination or extraction;

Data breach: Any security incident involving data integrity, in an internal or external environment, regardless of nature or cause, that in any way causes accidental or illegal destruction, loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed by a company that maintains legal relations with Norte Energia S.A. or by any third party hired on behalf of Norte Energia S.A.

4.2. CONTEXT AND CONCEPTUALIZATION

Norte Energia S.A., a legal entity governed by private law, concessionaire for the use of a public asset for electricity generation, headquartered at SEPS EQ 702/902, Conjunto B, Bloco B, 3º Andar, Edifício General Alencastro, Brasília, DF, ZIP Code (CEP) 70.390-025, registered under the Corporate Taxpayer Registry (CNPJ) No. 12.300.288/0001-07 ("Norte Energia") recognizes the importance of personal data privacy and security for employees, suppliers, service providers, communities, indigenous peoples and other partners, obtained as a result of business and social and economic relationships. Therefore, it presents the procedures adopted in the use of stakeholder personal data, internal and external, including users and visitors of websites under the domain of Norte Energia S.A.
In a general context, the Brazilian General Personal Data Protection Law ("LGPD") aims to ensure the protection and privacy of personal and sensitive data, as well as to preserve data subjects residing in Brazil, in addition to creating guidelines for the collection, storing and sharing of this information. 

According to the Law, the processing of personal and sensitive data can only be conducted in the following cases:

I.    Upon express and unambiguous consent of the Data Subject;
II.    For compliance with a legal or regulatory obligation by the controller;
III.    By the public administration, for the processing of data necessary for the execution of public policies;
IV.    To conduct studies by a research body;
V.    For the execution of agreements or related items;
VI.    For exercising rights in proceedings;
VII.    For protection of life and physical integrity;
VIII.    For health protection;
IX.    To serve the controller's legitimate interests;
X.    For credit protection.

It is noteworthy that the LGPD encompasses all information related to personal and sensitive data that are processed in Brazil, in addition to all data in transit through the country. As such, it will only be possible to transfer personal data to other countries when they have national or regional laws equivalent to the rules for data protection defined for Brazil.

The LGPD, among other requirements, guarantees data subjects a series of new rights related to the control and protection of their personal information, which are detailed in item 4.7 Data Subject Rights.

The LGPD also creates the National Data Protection Authority (ANPD), a government agency aimed at regulating and supervising the enforcement of the law.

Norte Energia S.A. understands one of its fundamental values to be the protection of the regular exercise of rights by the Personal Data Subject, as well as the provision of services that benefit them, respecting their legitimate expectations and fundamental rights and freedoms, under the terms of current legislation.

We hereby inform that the personal data collected can only be processed for the specific purpose informed and only for the period necessary to achieve the purpose that justified its collection and/or processing, being held for the fulfillment of a legal obligation or other hypotheses provided for by law.

Norte Energia S.A. clarifies that it adopts specific technical standards and organizational and governance procedures to protect the integrity, confidentiality and provision of personal data, always seeking to prevent incidents during use, as well as unauthorized access.

4.3. GUIDELINES

4.3.1. Processing of personal and sensitive data 

Norte Energia S.A. seeks to ensure that the data in its possession are:

a) Processed legally, fairly and transparently;
b) Collected for specific, explicit and legitimate purposes and will not be processed further in a manner incompatible with those purposes; 
c) Appropriate, relevant, and limited to the necessary extent, according to the purposes for which they are processed, within the concept of collection minimization;
d) Accurate and, where applicable, up to date;
e) Kept in order to allow the identification of data subjects for a defined period of time for processing, and deleted or anonymized when such period is over;
f) Securely kept and protected against unauthorized or unlawful access and/or processing, and against accidental loss, destruction or damage, using appropriate techniques and measures to ensure its integrity and confidentiality.

4.3.2. Personal and Sensitive Data Security

Following the concepts of this Policy and Privacy by Design, Norte Energia S.A. adopts technical and organizational measures that support the security and confidentiality of the Personal Data and Sensitive Personal Data it processes.

Security measures and protocols are adopted to avoid loss, damage or improper processing of Personal Data, whether carried out deliberately or accidentally.

The data shall be accessed only by duly authorized professionals, respecting the principles of proportionality, necessity, purpose, security and fitness for purpose, in addition to the commitment to confidentiality and preservation of privacy under this policy.
Personal Data security is incorporated by default in systems, agreements and services provided by Norte Energia S.A., throughout the collection, processing and storage operations of personal and sensitive data.

Norte Energia S.A. is aware of the relevant legislation and seeks to employ the best practices to support the security of the personal information it uses and thus ensure the privacy of the public, including its partners, stakeholders and other interested parties.

4.3.3. Breach and Leakage of Personal Data

Norte Energia S.A. has procedures for managing and responding to incidents of breach and leakage of Personal Data that include:
a) Notification to the National Data Protection Authority (ANPD) of any personal data breaches between 24 and 72 hours after the Officer becomes aware of the incident;
b) Notification to Norte Energia S.A. of any personal data breaches or leakage within 24 hours after becoming aware of the incident from partners and suppliers (Operators);
c) Informing, when necessary, the Data Subject when the personal data breach is likely to result in a high risk to the rights and freedoms of data subjects.

4.4.  WHAT DATA IS OBTAINED FROM THE DATA SUBJECT

Due to the fact that Norte Energia S.A. is responsible for the construction and management of the Belo Monte hydroelectric complex, which includes the Belo Monte and Pimental Hydroelectric Power Plants, the Data Subject's personal data is collected when provided by them through the service channels, i.e. full name, personal documents, phone, electronic address (e-mail), gender, date of birth, city, state, among others. It is noteworthy that regardless of the data provided by the Data Subject, Norte Energia S.A. processes relevant and necessary data in order to fulfill the purposes declared to the Data Subject. Data is also collected from affected subjects during the implementation of the Basic Environmental Plan, Protection of Indigenous Villages, Employees and Third-Party Service Providers when operating at the Belo Monte HPP and to ensure the Dam Safety Plan (PAE).

It is the Data Subject's duty to provide correct and updated information. Norte Energia S.A. is not responsible for the accuracy or veracity of the information provided by the Data Subject as it is collected.

4.5 PURPOSES FOR WHICH THE DATA SUBJECT'S PERSONAL DATA IS USED

Norte Energia S.A. processes Personal Data for the provision of its services, as well as for contracting services and supplies from third parties and also for processing the labor, social security and tax routines of its employees, and does so in order to comply with legal and regulatory obligations in force, agreements entered into between the parties and for the Company's legitimate interest or other purpose provided by law. Most of the personal data processed is intended to comply with legal or regulatory obligations and to establish a contractual relationship with the Data Subject, which includes the management, administration, provision, expansion and improvement of services provided by Norte Energia S.A.

Norte Energia S.A. may also process personal data based on its legitimate interest or upon the consent of the Data Subject for specific purposes.

4.6. COOKIES

Cookies are pieces of information stored directly on devices at the time of access to websites, blogs or applications. When accessing any of the websites or applications, the Data Subject is asked to accept which information will be used.
Cookies help Norte Energia S.A. to better understand the behavior and preferences of users of its websites or application to provide a better user experience.
Thus, Norte Energia S.A. employs two categories of cookies on its websites, namely:

Essential Cookies: essential cookies are for the functioning of the website and cannot be disabled. They are divided into authentication cookies, which help systems identify who the user is; and technical cookies, which enable the website's functionalities. Some cookies are essential to access specific areas of the website. They allow navigation on the website and the use of its applications. Without these cookies, services that require them cannot be provided.
Analytical Cookies: Analytical cookies are used to better understand the behavior of users during usability and to analyze data on actions taken on the website, in order to verify the performance of systems, and do not collect personal data.
It should be noted that Norte Energia S.A. uses third-party cookies to also assess the navigability of its websites, but does not collect data to offer products and services.

4.7. DATA AND RECORD STORAGE

Data shall be stored in databases, when in logical format, and in a specific location, when physical, for the period necessary to achieve the intended purposes, in a safe and controlled environment, observing the data protection requirements provided for in Brazilian legislation.

The processing of the subject's Personal Data will cease and its elimination will occur when:

a)    The purpose for which consent was obtained is achieved or when the personal data collected is no longer necessary or pertinent to the attainment of the specific purpose;
b)    The end of the legal treatment period is reached;
c)    The Data Subject may request the revocation of consent by sending an email to privacidade@norteenergiasa.com.br; and
d)    There is a legal determination.
However, due to law, regulation or court order, the Subject's data may be kept for a longer period, after which it shall be deleted using safe disposal methods, namely:
a)    Direct deletion from the database;
b)    Anonymization of information;
c)    Data masking; and
d)    Destruction in case of physical information.

4.8. DATA SUBJECT RIGHTS

Norte Energia S.A. acknowledges and respects the rights of the Data Subjects, as specifically provided for in articles 18 and 19 of the Brazilian General Personal Data Protection Law (LGPD). Norte Energia S.A. provides the necessary means for the Personal Data Subjects to exercise their rights mentioned below, free of charge, clearly and with easy access, considering the applicable and current legislation and regulations. When Norte Energia S.A. is the Data Controller, Data Subjects may request:

Right to the criteria of decisions based on personal data, carried out in an automated manner: Norte Energia S.A. enables Data Subjects to request information regarding the processing of data performed in machine-readable mode, based on personal and sensitive data;
Right of access: the Data Subject may have easy and free-of-charge access to personal data being processed, both in the physical and electronic formats, as well as information on the form and duration of processing, and on the entire set of personal data being processed;
Right to rectify: the Subject may request to rectify, update and/or supplement their personal data stored by Norte Energia S.A.;
Right to erase: the Data Subject may request that their personal data be erased, unless another legal assumption for the continuity of the processing or laws supporting the processing apply;
Right to data portability: Data Subjects may seek to receive their personal data in a structured manner so that they can be transmitted to another service provider, upon express request.
Data Subjects may exercise the aforementioned rights through the privacidade@norteenergiasa.com.br channel or through the website https://www.norteenergiasa.com.br/pt-br/.

4.9. INTERNATIONAL TRANSFER OF PERSONAL DATA 

The data collected and stored by Norte Energia S.A. are kept on servers in Brazil, in a format that favors the exercise of the pertinent rights. In specific cases, the data may be processed by a provider with infrastructure outside the Brazilian geographic territory, always respecting Brazilian legislation.

To better provide its services, Norte Energia S.A. may, under certain circumstances and when necessary, transmit personal data with partners and suppliers headquartered in other countries, always in accordance with the applicable legislation and the relevant contractual clauses.

4.10. SHARING PERSONAL DATA WITH THIRD PARTIES

Personal data may eventually be processed by legitimate third parties, provided such processing is authorized by Norte Energia S.A., and exclusively for the purpose of achieving the intended purpose.

Norte Energia S.A., as the party responsible for the processing of personal data, contractually requires that our carefully chosen suppliers and partners act in a secure manner and adopt all technical security measures to comply with applicable legislation regarding the protection and privacy of Personal Data and, additionally, this Policy.

Data may be shared with competent judicial, administrative or governmental authorities, whenever there is a request, request or court order

4.11. GENERAL PROVISIONS

The content of this policy may be changed at any time, according to a purpose or need, such as to adjust to and/or comply with a provision of law or standard that has equivalent legal force, not requiring prior or subsequent communication from Norte Energia S.A., and it is up to the Data Subject to verify whenever accessing our websites and services.

Should there be any questions about the conditions set forth in this policy, please contact our customer service channel by email: privacidade@norteenergiasa.com.br or the company website: https://www.norteenergiasa.com.br/pt-br/contato.