CONFIDENTIALITY AND DATA PROTECTION POLICY
- POLICY
The senior management of GP Investments, Ltd. (“GP”) values the confidentiality and protection of the personal data of individuals and, in this regard, has developed this Policy to establish the guidelines, general rules, roles and responsibilities to be complied with by GP’s Executive Officers, employees, interns and certain service providers (“Employees”) with respect to confidentiality and personal data protection, specifically the personal data of GP’s Employees, clients, partners, and clients’ employees and partners, among others (“Data Subjects”).
Violation of the Brazilian legislation in force governing personal data protection (the General Personal Data Protection Law, or “LGPD”) may result in the application of penalties, including significant fines of up to 2% of the revenues accrued in Brazil by the company or group (limited to R$50,000,000.00 per violation), in addition to significant reputational damage and the potential filing of lawsuits by Data Subjects.
All exceptions to this Policy shall be considered and approved by the Compliance Area, which shall also analyze and respond to any doubts, claims or comments sent by email to compliancegp@gp-investments.com.
Definitions
Capitalized terms used in this Policy shall have the following meanings:
“Personal Data” means any information that could identify an individual (e.g.: name, identity card number, email address, telephone number).
“Sensitive Personal Data” means certain Personal Data deemed more sensitive (e.g.: racial or ethnic origin, religion, political opinion, membership of a trade union or of a religious, philosophical or political organization, health or sexual life, genetic or biometric data) and that, therefore, shall be processed differently. For the avoidance of doubt, Sensitive Personal Data is included in the definition of Personal Data for purposes of this Policy.
“Processing” means any operation carried out with Personal Data, including, but not limited to, the collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, exclusion, evaluation or control of information, modification, communication, transfer, disclosure or extraction.
- RELATED POLICIES
– Website Confidentiality Policy
– Incident Response Policy
- GUIDELINES
All Employees shall, in the performance of their activities, comply with the following:
- General Rules
- Limit the Personal Data Processing solely to the Personal Data deemed essentially necessary, always in conformity with the principles and purposes set forth in this Policy.
- Whenever necessary, obtain the Data Subject’s proper authorization, in accordance with the procedures established by GP. Only under extraordinary circumstances may an authorization granted on behalf of the Data Subject be relied upon, such as, for example, one given by an Employee on behalf of his/her family member.
- Comply with the physical, technical and administrative procedures established by GP to protect Personal Data (e.g., use of access cards, specific cabinets to safeguard documents containing personal data, login and password for access to systems and network directories, etc.).
- Access only the Personal Data necessary to perform the Employee’s activities at GP.
- Upon completion of the Personal Data Processing, or upon the Data Subject’s express and specific request to exclude the Personal Data (if applicable), the Personal Data shall be excluded or kept confidential in conformity with the procedures established by GP, except if the retention of such Personal Data is required or permitted by applicable legislation or regulation in effect.
- Always comply with the provisions of this document regarding the sharing of Personal Data with GP’s partners, which shall ensure that the LGPD and the guidelines set forth herein are always complied with (if possible, involve the Information Technology Area from the beginning of negotiations for the contracting of partners that may have access to and process Personal Data, so that the Information Technology Area is able to perform the necessary security verifications).
- Principles
- Purpose: perform the Processing for lawful, specific and express purposes, which shall be previously informed to Data Subjects (“Purposes”, listed below in item C), without any subsequent Processing incompatible with such purposes, except if authorized by Data Subjects;
- Adequacy: the Personal Data Processing shall be performed in accordance with the Purposes informed to Data Subjects;
- Necessity: limit the Processing to the minimum for performance of the Purposes (applicable, proportional and non-excessive Personal Data in relation to the Purposes);
- Free access: ensure to Data Subjects facilitated and free consultation in relation to the form and duration of the Processing, as well as all respective Personal Data;
- Quality: ensure to Data Subjects accurate, clear and relevant Personal Data, as provided by Data Subjects, as necessary, for performance of the Purposes;
- Transparency: ensure to Data Subjects clear, accurate and easily accessible information on the Processing and the respective Processing agents, subject to business and industrial secrets;
- Security: use technical and administrative measures established by GP to protect the Personal Data from unauthorized accesses and from accidental or unlawful situations of destruction, loss, change, communication or disclosure;
- Prevention: comply with the measures established by GP to prevent damages arising from the Processing;
- Non-discrimination: do not process the Personal Data for unlawful or abusive discrimination purposes;
- Responsibility and accountability: comply with the measures adopted by GP to ensure compliance with the Personal Data protection rules, including with respect to the effectiveness of such measures.
- Purposes
Employees shall use the Personal Data solely for the following purposes:
- operate the website gp-investments.com (“Website”);
- improve the use of and interaction in the Website;
- better understand Data Subjects’ needs and interests, as well as develop and improve the contents provided by GP through the Website or otherwise;
- identify and/or verify the identities and/or information;
- maintain updated records for identification/qualification of each Data Subject (Know your Client – KYC), as set forth in applicable legislation/regulation in force;
- ensure the communication to support, respond to requests/claims or obtain feedback from Data Subjects, providers of goods/services and/or other partners or clients;
- submit notices and/or additional information on GP or the Website;
- commence and/or conclude the transaction initiated by or involving a Data Subject;
- prepare statistical analyses on a confidential basis, in conformity with applicable legislation in force;
- conduct communication and/or marketing campaigns;
- perform financial and/or compliance analysis of the Data Subject, if and when necessary;
- manage GP’s facilities, as well as the Information Technology infrastructure and support;
- contact, select, contract and manage Employees, including payroll processing, benefit management and professional performance and/or development;
- investigate and/or undertake the necessary measures against suspected violation or violation of this Policy, the applicable legislation/regulation in force or the Terms and Conditions of the Website Confidentiality Policy, as well as prevent and investigate frauds, and manage risks;
- protect the GP’s assets or rights and/or comply/ensure the compliance with obligations;
- comply with other purposes permitted or requested by applicable legislation/regulation in force, as well as respond to the proper authorities or arbitration and administrative proceedings or lawsuits.
- Legal basis for processing
Personal Data
Personal Data shall be collected, used, transferred or otherwise handled based on one or more of the following legal bases: (i) Consent: upon the Data Subject’s authorization, given on a free, informed and unambiguous basis; (ii) Performance of an Agreement: the processing is necessary for the performance of an agreement to which the Data Subject is a party, or to take steps requested by the Data Subject prior to entering into an agreement; (iii) Legal Requirement: the processing is necessary for compliance with a legal obligation; (iv) Lawful Exercise of Rights: the processing is necessary to ensure the lawful exercise of rights in connection with any arbitration, administrative proceeding or lawsuit; and (v) Legitimate Interests: the processing is necessary for GP’s legitimate purposes, except where the Data Subject’s fundamental rights requiring the protection of Personal Data prevail.
Sensitive Personal Data
Sensitive Personal Data shall be collected, used, transferred or otherwise handled based on one or more of the following legal bases: (i) Consent: upon the Data Subject’s authorization, given on a free, informed and unambiguous basis; (ii) Legal Requirement: the processing is necessary for compliance with a legal obligation; (iii) Lawful Exercise of Rights: the processing is necessary to ensure the lawful exercise of rights in connection with any arbitration, administrative proceeding or lawsuit; (iv) Data Subject’s Security: the processing is necessary to ensure the Data Subject’s security in the processes of identification and registration.
- Sharing
GP does not share Personal Data, except under the terms set forth in this Policy, the Website Confidentiality Policy and/or the applicable legislation in force. GP may share Personal Data, if necessary, so that GP’s partners are able to perform activities on GP’s behalf, within the limits set forth in this Policy and the applicable legislation in force. Sharing may also be necessary to resolve disputes/claims or otherwise protect the rights of GP and its Employees, clients or partners. In addition, GP may also share personal information with other companies of the same economic group (including overseas) for the purposes set forth herein. In any event, GP shall always remain responsible for the Processing conducted by GP’s partners. In case of doubt, before sharing any Personal Data, please contact GP by email at compliancegp@gp-investments.com.
- Retention and Exclusion of Personal Data
Records including Personal Data shall be maintained for the period necessary to meet GP’s operational needs, in conformity with applicable legislation/regulation in force, specifically the LGPD. The Employee who created a record shall be responsible for ensuring that it is stored in a proper place, in accordance with applicable policies (both in physical form – cabinets or specific files – and in electronic form – specific directories or systems). In addition, the respective area, besides being jointly responsible for the proper storage of records, shall also be responsible for any Personal Data included in the tools and/or applications provided by GP for the performance of the Employees’ activities.
Retention
Personal Data shall be processed in accordance with applicable legislation, and its Processing shall cease in the following cases: (i) the purpose has been achieved and the Personal Data has ceased to be necessary or pertinent to achieving the specific purpose sought; (ii) the Processing period has elapsed; (iii) upon notification by the Data Subject, including when exercising the right to revoke consent as provided for by law, subject to the public interest; or (iv) upon determination by a Brazilian authority in case of violation of the provisions of the applicable legislation.
Employees who create records containing Personal Data shall be responsible for monitoring the occurrence of any of the situations above, as well as for adequately and timely excluding the records. However, Employees who in any way accessed or used such record(s), and the person responsible for the area, shall be jointly liable if such records are not adequately and timely excluded.
Records will be reviewed at least annually by the person responsible for the pertinent area in order to determine the adequate fulfillment of this Policy.
No record shall be destroyed or excluded if any request related to the protection, negotiation, claim, action or audit involving the Personal Data included in such record has commenced before the end of the Processing (or if such an event may potentially take place). In this case, such record shall be retained until the matter is resolved, even if one of the situations described herein takes place. However, the person responsible for the respective area shall ensure that such record is moved from the active environment to a safe file with restricted access, and that such record is used solely for that specific purpose. The same care shall be taken in the event of retention solely for legal/regulatory purposes.
Personal Data may also be retained for statistical analyses in order to improve GP’s products and services, on a confidential basis, in conformity with applicable legislation in force.
Periodically, GP may audit the internal processes and procedures related to the Personal Data Processing to verify the conformity with the provisions set forth in this Policy.
Each area shall be responsible for the Personal Data shared with third parties (including and especially the Employee who performed such sharing and, in his/her absence, his/her replacement or the person responsible for the area), in the sense that such areas shall ensure compliance by the third parties with the LGPD and the guidelines set forth herein, as well as that the respective agreements include the proper safeguards (if necessary, the Information Technology Area shall verify the security issues before the contracting and/or sharing of Personal Data). In addition, the responsible area shall monitor the Processing of the shared Personal Data and request confirmation that such Personal Data has been properly excluded.
Exclusion
As set forth above, records including Personal Data shall be timely excluded or destroyed so as to prevent any subsequent recovery. The safe exclusion or destruction methods (not subject to recovery) include the following:
- Electronic means: electronic records shall be excluded so that the Personal Data cannot be recovered. If the records have been stored on hard disks, removable media or similar means, the records shall be safely excluded before any disposal or reallocation of the equipment. Otherwise, the equipment shall be physically destroyed by a specialized and authorized company, which shall issue the respective certificate.
- Physical means: all physical media shall be destroyed using cross-cut shredders.
In the event the abovementioned options are not available, or in case of any doubt regarding the exclusion/destruction of any record, the Information Technology Area shall be contacted for specific guidance. Records may exceptionally be retained, provided that such records: (i) are necessary for GP to comply with any legal/regulatory requirement and/or exercise its rights and file the necessary appeals in lawsuits; or (ii) are difficult to access due to technical and/or operational issues (e.g., backup on tape), in which case GP shall use its best efforts to exclude/destroy the records on a proper and timely basis.
The person responsible for the respective area shall approve in advance the destruction or exclusion of records including Personal Data and shall keep a proper register of such event, including the date (and time, if applicable), the contents and the destruction or exclusion method.
In case of doubt, the responsible person shall contact GP by email at compliancegp@gp-investments.com.
- Support to Data Subjects’ Rights
At any time, Data Subjects may request GP to:
- confirm the Personal Data Processing;
- provide access to the Personal Data Processing;
- correct the incomplete, inaccurate or outdated Personal Data;
- make confidential, block or exclude unnecessary or excessive Personal Data, as well as the Personal Data not handled in conformity with the provisions set forth in applicable legislation or regulation in force;
- exclude the Personal Data that has been processed, as approved by the Data Subject, except for (i) the performance of the legal or regulatory obligation assumed by GP; (ii) the study conducted by any research body, subject to confidentiality whenever possible; (iii) the transfer to a third party, provided that in conformity with the Processing requirements set forth in applicable legislation in force; or (iv) the GP’s exclusive use, provided that such Personal Data is not accessed by a third party and is maintained confidential;
- inform the public and/or private entities with which GP has shared such Personal Data;
- inform of the possibility of not providing consent and of the consequences of refusal;
- authorize, by means of a free and easy procedure, the revocation of consent (if applicable), with the Processing previously carried out being ratified.
Any Data Subject requests received by any Employee shall be immediately and exclusively forwarded to compliancegp@gp-investments.com and shall mandatorily be responded to within fifteen (15) days, even if denied. However, before responding to any request, the following shall be considered: (i) confirm the Data Subject’s identity; and (ii) verify the request with the respective areas. The areas involved in such request shall submit their comments within forty-eight (48) hours from receipt of the e-mail.
Even if the Data Subject’s request cannot be met (e.g., the Data Subject’s data has not been processed, or is incomplete, inaccurate or outdated), a response to that effect shall be provided, and proper records shall be kept of the response submitted by GP and of the information and/or documents on which such response was based, together with the Data Subject’s request. Such records shall always be maintained for any future verification.
- Training
GP’s employees shall be informed of this Policy and shall be trained upon hiring and at least once per year. Through such training, GP’s employees become aware of the confidentiality and protection of Personal Data, including the employees’ respective roles and responsibilities.
- International Transfer of Personal Data amongst the Group Companies
In conformity with the specific requirements set forth in the LGPD, GP and its subsidiaries shall comply with the additional guidelines in the transfer of the Personal Data overseas, as referred to in “Exhibit A” hereto.
- Enforcement
In the event an Employee becomes aware of facts or circumstances that characterize (or would characterize) any violation of this Policy or any other policy, procedure or standard established by GP, the Employee shall immediately report such facts or circumstances to the Compliance Area, through GP’s channels or by email to compliancegp@gp-investments.com. The Compliance Area shall analyze any report and, after proper analysis, adopt any necessary measures. Any non-compliance with this Policy shall characterize a violation of the obligations assumed by the Employee before GP, which may result in disciplinary measures and, as the case may be, the termination of the employment relationship or agreement entered into with GP.
- Data Protection Officer
At GP, the Data Protection Officer, who is the person appointed to act as the communication channel between GP, the Data Subjects and the National Data Protection Authority, shall be Alexandre Manrubia Haddad Filho, who shall be responsible for any claims, doubts and/or comments on this Policy and/or on how GP handles Personal Data, through email compliancegp@gp-investments.com. In case of absence, inability to act or vacancy of the Data Protection Officer, the role shall be performed by Denilson Ishikawa.
Exhibit A
Global Corporate Standards (BCR)
This Exhibit sets forth guidelines, in addition to GP’s Confidentiality and Data Protection Policy, to be complied with so that GP is able to transfer Personal Data from Brazil to other countries, in conformity with the specific requirements set forth in the LGPD (Article 33, item II, letter “c”).
GP has developed a data protection program that defines the guidelines, rules, roles and responsibilities in relation to confidentiality and personal data protection, in order to ensure the confidentiality of GP’s transactions in all material respects. GP and its subsidiaries comply with the applicable confidentiality and data protection laws in force in all countries where GP and its subsidiaries operate, in conformity with the highest worldwide standards, including with respect to Data Subjects in jurisdictions that have not yet implemented personal data protection laws (or whose laws are less protective than the LGPD).
This Exhibit applies to all Personal Data collected and handled directly by GP and its subsidiaries, including cases in which GP’s subsidiaries handle Personal Data on behalf of other GP subsidiaries. The contents of this Exhibit, as well as the contents of the Confidentiality and Data Protection Policy, shall be communicated to all Employees of GP and its subsidiaries and shall be disclosed internally for consultation.
This Exhibit applies to the Processing of Personal Data of Employees, clients, partners, clients’ employees or partners, and candidates, among others.
- Audit
GP may request that the audit referred to herein be conducted by an external auditor. The applicable professional standards of independence, integrity and confidentiality shall be complied with during the performance of any audit. The Data Protection Officer shall be informed of the findings and shall report any violations to senior management. A copy of the audit findings may be provided to the National Data Protection Authority, upon request.
GP and its subsidiaries may accept any audit request from a data protection authority of the countries where GP and its subsidiaries operate, in compliance with any order issued by such authority in connection with the provisions of this Exhibit.
- Mutual Assistance and Cooperation
GP and its subsidiaries shall cooperate with and support each other, to the extent reasonable, in relation to the following, among others: (i) requests and/or claims submitted by a Data Subject; or (ii) investigations or inquiries involving the Processing of Personal Data covered by this Exhibit, carried out by a public authority, whether responsible for data protection or not.
The company that received the request, claim or notice of such investigation/inquiry shall be responsible for any communication deemed necessary, unless otherwise determined by the Data Protection Officer. The company responsible for the Processing that is the subject matter of such request, claim or investigation/inquiry shall directly bear the costs incurred and/or shall reimburse GP or its subsidiaries, as the case may be.
- Conflict and Precedence
In the event GP or any of its subsidiaries becomes aware of any conflict between the national legislation in force and the provisions of this Exhibit that would prevent GP from complying with this Exhibit, the Data Protection Officer shall be immediately informed of such conflict. The Data Protection Officer shall decide how to resolve the conflict and shall consult the proper data protection authority, if necessary. In any event, in countries where local legislation requires a higher level of personal data protection, such local legislation shall prevail over the provisions of this Exhibit.
- Contact
Any doubts, claims or comments shall be submitted by email to compliancegp@gp-investments.com.