Privacy Policy

When you file a grievance/report through this Confidential Reporting Channel (via the website or 0800), you may provide us with personal data (information that identifies or may lead to the identification of a natural person) and sensitive personal data (racial or ethnic origin religious conviction, political opinion, membership in a union or organization of a religious philosophical or political organization, data concerning health or sex life, genetic or biometric data) about you biometric data about you; the protestor, reported victim or third party mentioned in the report or report. report.

This Privacy Notice is intended to clarify how DELOITTE treats your personal data and sensitive personal data (together referred to herein only as personal data) when you contact us to use the Whistleblower Channel services Confidential or when you are targeted or quoted in a report.

All personal data collected in this Confidential Reporting Channel will be treated by DELOITTE in accordance with the provisions of the General Law on Personal Data Protection (Law no. 13.709/2018 - "LGPD") and relevant regulations.

To learn more details about the measures we apply to the treatment of personal data, please access DELOITTE's Privacy Policy through the link.

1. What kind of personal data is collected?

Only personal data to be voluntarily provided by the Manifestant will be collected through the registration of the report in this Confidential Reporting Channel - via website or 0800.

Any personal information provided in the report that is considered excessive, unnecessary unnecessary or that have no relevance to the ascertainment of the occurrence will be will be disregarded and will only be stored for the purpose of maintaining the integrity of the original text the original text contained in the report/report/complaint, for the period necessary to achieve the purposes of treatment.

Whistleblower

The personal data of the Manifestant will be collected according to the identification profile profile, which may include name, gender (for statistical purposes), position, area, e-mail, telephone cell phone, type of audience and voice recording (reports via 0800).

In addition, any other personal data contained in the report/report/complaint and in files attached by the report/report/complaint and in files attached by the Manifestation, which may include images, voice recordings, and other types of personal data.

Denounced and third parties

The following personal data of reported persons and third parties may be collected from report/report/complaint voluntarily registered by the Manifestant:

i) First name, last name, job title, and workplace;
ii) Description of the suspected violation of the Code of Ethics, company policies, and/or relevant laws and regulations, including all relevant facts and details;
iii) Any other personal data that may be mentioned by the whistleblower during the description of the incident, which may include images, voice recordings, and other types of personal data.

This Confidential Reporting Channel is not designed or intended to collect personal data from children and adolescents. However, in those situations where the collection these types of personal data is necessary in the context of receiving and investigating investigation of a report/report/complaint, the processing will be in the best interest of the child and/or the adolescent and all the provisions of the LGPD and pertinent regulations will be respected.

2. What is the purpose of the collection of personal data?

Whistleblower:

The treatment of personal data has the objective of allowing the identification and contact between DELOITTE and/or the COMPANY and the Manifestant to clarify doubts, collect additional information information and progress of the investigations, respecting, in any case, the identification profile profile chosen by the Manifestant (identified, confidential or anonymous). Besides Furthermore, this data may be processed for the purpose of complying with legal or regulatory obligations regulatory obligations, regular exercise of rights, and statistical analysis (anonymized).

Denounced and third parties

The purpose of collecting this personal data is to investigate the facts reported and taking the appropriate measures, according to the applicable legislation. Such verification will be conducted by the COMPANY, being DELOITTE a mere intermediary, responsible only for sharing of personal data and reports registered in this Confidential Reporting Channel. Channel. In addition, such data may be treated for purposes of compliance with legal or regulatory legal or regulatory obligations, regular exercise of rights, and statistical analysis (anonymized). anonymized.

3. What is the legal basis justifying the processing of personal data?

All personal data collected will be treated based on legitimate interests of the COMPANY and sensitive personal data based on regular exercise of rights, since both in the context and scope of the services provided by DELOITTE, aim to assist the COMPANY in the investigation, prevention and mitigation of behaviors and deviations of conduct that violate the COMPANY's Code of Ethics, internal policies, pertinent laws and regulations.

It is also possible that the processing of personal data and sensitive personal data occurs for compliance with legal or regulatory obligations, depending on the alleged misconduct committed.

4. With whom do we share the personal data we collect?

The personal data of the Manifestant, reported and third parties may be shared with:

i) The COMPANY, for the purpose of awareness, investigation, and inquiry into the content of the report, always respecting the whistleblower's identification profile;
ii) Authorities, government bodies, and entities, for the fulfillment of legal or regulatory obligations and the regular exercise of rights;
iii) Technology companies that manage integrated systems or are responsible for the storage and security assurance in the processing of collected personal data;
iv) Third-party companies that may replace DELOITTE in providing Confidential Whistleblowing Channel services to the COMPANY.

For further details regarding the aforementioned sharing activities, please contact the Data Protection Officer (DPO) of DELOITTE through the link.

5. For how long is personal data stored?

Personal data will be kept only as long as necessary to fulfill the purposes described herein or as required to comply with legal obligations. purposes described herein or as necessary to comply with legal or regulatory obligations or regulatory obligations and the regular exercise of rights. When personal data is no longer necessary or relevant for the intended purposes, erasure will be arranged.

For statistical purposes, personal data will remain stored in anonymized form.

6. What are the rights concerning personal data?

According to the LGPD, data subjects have several rights over their personal data, among them: confirmation of processing, access to personal data, updating and correction of inaccurate, incomplete or incorrect, incomplete or inaccurate personal data; anonymization, blocking and deletion of unnecessary unnecessary, excessive personal data or data treated in non-compliance with the LGPD; opposition to the processing of personal data, when we no longer have a legitimate or legal need to to process them; information about sharing personal data with public and private entities. public and private entities.

These rights are not absolute and must be interpreted in light of the legislation and other regulations. Thus, DELOITTE will evaluate the right requests individually in order to confidentiality of the Confidential Reporting Channel and not to compromise the the progress of inquiries and investigations that may be underway with the COMPANY. THE COMPANY.

It is important to highlight that when the Manifestant chooses not to identify himself/herself when registering the report, DELOITTE will not be able to guarantee access to the rights set forth in the LGPD, since it will not have access to the will not have access to the identification data of the holder.

If you would like to access any of your rights under the LGPD for free, please contact DELOITTE's DPO at link.

7. Security

DELOITTE will adopt technical and organizational measures to protect the personal data from unauthorized access and from accidental or unlawful destruction, loss alteration, communication, or any form of inappropriate or illicit treatment.

Furthermore, access to personal data is restricted only to DELOITTE's professionals that need professionals who need to access them to develop activities related to the processing of the report.

Whenever possible and applicable, anonymization and encryption techniques will be adopted for security of personal data.

8. Changes

This document can be changed without prior notice, as in cases of legislation or any decision or direction of the National Authority for the Protection of Personal Data ("ANPD"). The Manifestant will be responsible for periodically reviewing the content periodically in order to have access to such modifications.

9. Doubts, requests and complaints

If you have any questions, requests or complaints, please contact our DPO through the link.