1. SCOPE

1.1. This document (“Policy”) covers rules applicable to the storage and deletion of personal data controlled by CÂMARA DE MEDIÇÃO E ARBITRAAGEM EMPRESARIAL – BRASIL (CAMARB) (“CAMARB”), third parties contracted by it and any subcontractors in order to ensure the appropriate and timely disposal and elimination of information and documents containing personal data.

1.2. Personal data subject to this Policy, in accordance with applicable legislation, is any and all information related to an identified natural person or that can be identified through reasonable efforts by CAMARB, or that can be individualized through the processing given to such information by CAMARB, even without being identified.

 

2. APPLICATION

2.1. The Policy applies to all employees, directors, advisors, partners, suppliers and service providers involved in the processing of personal data controlled by CAMARB and/or its head office. 

 

3. OBJECTIVES

3.1. The objectives of this Policy are:

a) Ensure that CAMARB does not maintain control of more personal data than necessary for their respective purposes nor for a longer period than is appropriate or authorized by applicable legislation or by the holders of such personal data, in order to comply with the General Personal Data Protection Law – LGPD (Law No. 13.709, of August 14, 2018) and other applicable laws and regulations;

b) Regulate the management of the inventory of personal data controlled by CAMARB by designating deadlines or triggers for deleting, anonymizing or blocking the processing of personal data according to their retention purposes and characteristics of the processing activity;

c) Instruct CAMARB employees, directors, partners, suppliers and service providers regarding the need and importance of controlling the storage and secure deletion of personal data; and

d) Define the attributions, authorities and responsibilities in the information sharing process.

 

4. PERSONAL DATA INVENTORY CONTROL

4.1. Employees, directors, partners, suppliers and service providers involved in personal data processing operations, controlled by CAMARB, are responsible for the registration, access control, storage, blocking and deletion of personal data in accordance with the procedures established by this Policy.

4.2. CAMARB maintains a Record of Personal Data Processing Operations indicating each category of personal data controlled by CAMARB, the respective purposes, legal bases for processing, processing operations to which the data will be subject, sharing of data with other companies in the economic group and with third parties, as well as their respective life cycle.

4.3. Employees responsible for CAMARB's activities involving the processing of personal data must register them in the Personal Data Processing Operations Registry with the CAMARB Personal Data Processing Officer, and must also ensure that they are updated as there is a change in the activity or process. If the activity or process involves third parties, the person responsible for the contract must ensure that the sharing with the third party and their respective role in the life cycle of the personal data is recorded in the Personal Data Processing Operations Registry.

 

5. STORAGE OF PERSONAL DATA

5.1. Physical and digital documents and other information containing personal data will be stored under the control of CAMARB as long as their lawful and determined purposes subsist, as recorded in the Personal Data Operations Processing Register.

5.2. It is the responsibility of the employees responsible for activities involving the processing of personal data, with the assistance of the Personal Data Processing Officer, to prepare timelines recording the specific safeguarding periods for information and documents containing personal data, taking into account their processing purposes, statute of limitations, contractual periods and legal or regulatory periods for mandatory storage.

5.3. The Personal Data Processing Operations Record corresponding to each set of reported activities will be updated whenever it is necessary to adjust the temporality tables for a given set of personal data.

5.4. Documents containing personal data stored for different purposes will be physically or logically segregated so that only the persons involved in their processing activities can access them and have knowledge of their content.

5.5. In the event that personal data required for more than one purpose needs to be deleted in relation to any of the purposes in accordance with this Policy, all processing of the personal data will be blocked for the purpose in question, but will continue to be stored and used for the other purposes that remain.

 

6. DELETION OF PERSONAL DATA

6.1. Personal data, in any medium, will be deleted in cases where CAMARB’s responsible employees or the Person in Charge of Personal Data Processing verify that there is no longer any processing purpose that justifies its maintenance due to (i) review of inventory or Record of Personal Data Processing Operations; (ii) exercise of the right of the holder of personal data that obliges CAMARB to discard them; (iii) revocation of the holder’s consent for the processing of personal data, in cases where CAMARB processes such data based on their consent; (iv) instruction from a third party controller of personal data as regulated in a data sharing agreement or similar instrument signed with CAMARB; or (v) by order of the Judiciary or competent authorities.

6.2. Once the possible need to delete personal data is known, the following should be consulted: (i) the business areas identified in the Personal Data Processing Operations Registry as users of such data; and (ii) the Privacy and Data Protection Committee, represented by the CAMARB Personal Data Processing Officer, so that they can give their opinion on the disposal or partial safeguarding of personal data if they are necessary to comply with legal or regulatory duties, for contracts, due to a statute of limitations or due to an ongoing administrative or judicial process.  

6.2.1. If the decision is made to delete personal data, it must be disposed of securely and irretrievably by the employees responsible for the activity, for example, by shredding or incinerating documents and overwriting media. In addition, CAMARB must ensure that: (i) personal data is deleted from backups and legacy systems, or its processing is blocked if its deletion is not technically feasible considering the resources and available technologies to CAMARB; (ii) that other business areas that may have copies of the data proceed with its secure disposal; and (iii) that other companies in the economic group and third parties that have personal data under CAMARB's control proceed with the secure disposal of personal data in accordance with the respective contracts signed with CAMARB.

6.2.2. If a decision is made to partially safeguard personal data, CAMARB will block its processing and access for the purposes that led to its deletion, keeping only the necessary and segregated data for the remaining purposes.

6.3. CAMARB may anonymize personal data when it decides to delete or block it as described in this Policy, as well as when one or more of CAMARB's business areas consider that such data has some use for some activity or process without anyone being identified or identified individually. In this case, reasonable technical means available at the time will be used, which ensure that it is impossible to associate, directly or indirectly, such personal data with an individual, so that the respective holders can no longer be identified also by the use of reasonable and available technical means. Once anonymized, such information will no longer be considered personal data for all purposes.

 

7. RESPONSIBILITIES

7.1. Each employee, director, advisor, partner, service provider and supplier of CAMARB is responsible for observing the rules of this Policy regarding the protection of personal data that they access, receive from others and share with others, as well as for assisting the CAMARB Personal Data Processing Officer to carry out their duties and tasks.

7.2. Failure to comply with the rules of this Policy will result in the application of disciplinary or contractual sanctions to the person responsible for non-compliance in accordance with the CAMARB Code of Conduct, without prejudice to CAMARB's compensation for losses and damages suffered.

 

8. CAMARB'S PRIVACY GOVERNANCE

8.1. CAMARB has a global personal data protection program based on a contract between the companies, which establishes a minimum basis for the protection of personal data. In addition, CAMARB maintains a local privacy and personal data governance program based on policies and rules relating to data protection under the constant supervision of its Personal Data Protection Officer and its managers.

8.2. CAMARB's storage practices and deletion of personal data must be updated and changed whenever it is identified that they are inadequate to the minimum level required by the General Personal Data Protection Law - LGPD, other applicable laws and regulations, seeking to rise to at least the most rigorous level among them.

8.3. An annual review meeting is hereby established.