PERSONAL DATA PROTECTION POLICY
1. INTRODUCTION
This Policy was prepared to establish rules regarding the Protection of Personal Data considering the reality and scope of Vista’s activities.
In compliance with Law No. 13,709/2018, the General Data Protection Law (“LGPD”), as well as in adherence to best market practices, Vista, through this Policy, defines the guidelines for the protection of personal data in our internal processes, aiming to explain and reaffirm our commitment to privacy, data protection and transparency in the access and processing of personal data collected, accessed or handled.
We recommend that this Policy be periodically consulted in order to ensure that any decision is based on the provisions of this document.
2. SCOPE
This Policy applies to all employees (shareholders, directors, employees, interns), related parties and third parties that have any relationship with us.
3. PURPOSE
To establish the rules, parameters, concepts, criteria and guidelines related to the protection of personal data of all individuals, including, but not limited to, current, future or potential candidates for job or internship vacancies, employees, customers, suppliers, investors, business partners or service providers.
4. MAIN REGULATORY AND INTERNAL REFERENCES
This Policy establishes Vista’s guidelines for the protection and use of personal data that may be processed in its activities, with reference to, but not limited to:
• Law No. 13,709/2018 (General Data Protection Law or LGPD) – Provides for the processing of personal data in digital or physical media carried out by a natural person or legal entity, under public or private law.
• Law No. 12,965/2014 (Civil Rights Framework for the Internet) – Establishes principles, guarantees, rights and duties for the use of the Internet in Brazil.
• Code of Ethics and Conduct.
5. MAIN DEFINITIONS
Data protection and privacy take different approaches to achieving the same main objective. Below, we define these terms for the purposes of the scope of this Policy:
5.1. PRIVACY
Right to privacy of personal information and one’s own personal life. It is the control that an individual exercises over the flow of information about oneself.
5.2. DATA PROTECTION
Knowing that privacy is the right to be protected from interference in personal matters, data protection represents the way to implement this protection.
We have adopted a set of internal processes that aim to guarantee the protection of this information against internal and external threats.
In addition, Vista complies with the established rights of data subjects, keeping records that evidence all actions involving personal data for possible audits, inspections by the ANPD (National Data Protection Authority) or legal proceedings.
• National Data Protection Authority (“ANPD”): indirect public administration body responsible for overseeing, implementing and monitoring compliance with the General Data Protection Law (LGPD);
• Controller: natural or legal person responsible for decisions regarding the processing of personal data;
• Operator: natural or legal person who processes personal data on behalf of the controller;
• Data Subject: the natural person to whom the personal data that are subject to processing refer. Individual who can be identified directly or indirectly, from a name, an identification or registration number, location data or by one or more specific physical, psychological, genetic, mental, economic, cultural or social identity factors;
• Information: Consists of any personal data in any medium, including but not limited to databases, documents (physical, electronic, magnetic or digital) completed or in development, computer resources, information technology security (domains, media, processes, policies, procedures, measures, security resources), commercial, financial, statistical, legal and/or technical information, related to Vista’s business or employees and, in general, any knowledge or communication transmitted in any form (verbal, written, audiovisual, etc.);
• Personal Data: any information related to an identified or identifiable holder. Such data may include, among many others, name, address, telephone number, CPF, driver’s license number and details of personal business transactions;
• Sensitive Personal Data: information about racial or ethnic origin, religious belief, political position, membership of a union or organization of a religious, philosophical or political nature, data relating to health or sexual life, genetic or biometric data, when linked to a natural person, as well as Information that, even if disseminated within the company, is classified as being for internal use;
• Data Protection Officer (DPO): natural person, appointed by Vista, based on their expertise and knowledge of the subject, responsible for supervising the strategy and coordinating the implementation of personal data protection, as well as acting as a communication channel between Vista, data subjects and the national authority, ensuring compliance with the LGPD;
• Processing: any operation performed with personal data, such as those related to viewing, accessing, collecting, recording, organizing, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, blocking, deleting, discarding or destroying;
• Consent: free, informed and unequivocal manifestation by which the holder agrees to the processing of his/her personal data for a specific purpose;
• Anonymization: use of reasonable technical means available at the time of processing, through which data loses the possibility of association, directly or indirectly, with an individual;
• Incident: a security violation that accidentally causes the destruction, loss, alteration, disclosure of, or unauthorized access to, personal data transmitted, stored or subject to any other type of processing; and
• Data leak: refers to the intentional exposure of personal data and/or sensitive data to unauthorized persons. It should be noted that the deliberate use of data for a purpose other than that for which it was collected may also be classified as a data leak.
6. DATA COLLECTION AND CONSENT
We use the personal data collected mainly to provide our services, carry out an internal activity or a transaction, in accordance with our internal procedures.
We will always inform data subjects about any legal demands that result in the disclosure of personal data, unless such disclosure is prohibited by law or by court order, or the request is urgent. Vista undertakes to contest requests it deems excessive, unfounded or issued by authorities lacking jurisdiction.
As for the data subject’s consent, this will be granted through acceptance of our Privacy Policy on Vista websites and platforms, as well as through contractual clauses with related third parties and collaborators.
7. DATA SUBJECT RIGHTS
The data subject has the right to obtain from Vista, as controller, in relation to his/her own data processed by it, at any time and upon request:
• Confirmation of the existence of processing;
• Access to data in an easy, free and transparent manner regarding the form and duration of processing, as well as the completeness of his/her personal data, observing commercial and industrial secrets;
• Correction of incomplete, inaccurate or outdated data;
• Anonymization, blocking or deletion of unnecessary or excessive data, or of data processed in non-compliance with the provisions of the Law;
• Deletion of personal data processed with the consent of the holder, except in the cases provided for by law;
• Information on the public and private entities with which Vista shared data;
• Information on the possibility of not providing consent and on the consequences of refusal;
• Revocation of consent, in accordance with the Law.
8. DATA PROCESSING GUIDELINES
Below, we address the basic guidelines that will regulate data processing.
8.1. CONFIDENTIALITY
All information, whether sensitive or not, must be kept in the strictest and most absolute secrecy, including after the end of the relationship between the parties where it is necessary to retain the data within the legal deadlines, counted from the end of the contractual relationship.
No information, whether sensitive or not, may be extracted or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, etc.) from Vista’s facilities without express authorization, so that the duty of confidentiality and the obligations related to the processing of the information are observed.
8.2. PURPOSE AND ADEQUACY
All information, whether sensitive or not, must be processed exclusively for the purpose informed and consented to by the data subject, which must be legitimate, specific, explicit and compatible with the purposes informed to the subject, according to the context of the processing, with no possibility of subsequent processing, except in the case of a legal exception or new consent.
8.3. NECESSITY
All information, whether sensitive or not, must be limited to the minimum necessary to achieve its purposes, covering pertinent, proportional and non-excessive data in relation to the purposes of data processing.
8.4. DATA QUALITY
All information, whether sensitive or not, must be accurate, clear, relevant and current, in accordance with the need and to fulfill the purpose of its processing.
8.5. NON-DISCRIMINATION
All information, whether sensitive or not, must not be used for discriminatory, illicit or abusive purposes.
8.6. SECURITY MEASURES
All technical and organizational security standards and procedures for the processing of information, whether sensitive or not, must be complied with.
8.7. CLOSURE
When services are terminated and/or in the cases provided for by law, information, whether sensitive or not, must be destroyed immediately and irreversibly, except where retention is required by law.
In the event of disposal of any technological support, it must be destroyed or erased using all appropriate measures to prevent subsequent recovery of the information.
9. CASES FOR DATA SHARING OR DISCLOSURE
As a rule, data sharing and/or disclosure may only be carried out with the specific consent of the holder. However, in some cases, Vista may disclose personal data collected in order to comply with current legislation or with a judicial or administrative order or subpoena, in the following scenarios:
• Investigate, prevent or take measures related to cooperation with public bodies or to protect national security;
• Execution of contracts;
• Investigation and defense of third-party claims;
• Protection of the security or integrity of services;
• Compliance with a legal or regulatory obligation by the controller;
• Study by a research body, ensuring, whenever possible, the anonymization of personal data;
• Transfer to a third party, provided that the data processing requirements set out in the Law are respected;
• When the data is made manifestly public by the holder, safeguarding the rights of the holder.
The cases described above do not exclude others that may exist or that may be created by the authorities.
The international transfer of data will only be made based on the purposes previously established in the legislation or in the Privacy Policy, and provided that the countries or international organizations receiving the data provide a level of personal data protection adequate to that provided for in the LGPD, which will be guaranteed, at least, by means of contractual clauses, global corporate standards or regularly issued seals, certificates and codes of conduct.
10. STORAGE AND DELETION
We keep personal data strictly for the time necessary for the purposes for which they are processed to carry out our business and/or to comply with legal or regulatory obligations.
Such data will be deleted after the end of their processing, within the scope and technical limits of the activities, except where retention is authorized for the following purposes:
• Compliance with a legal or regulatory obligation by the data controller;
• Transfer to a third party, provided that the data processing requirements are met; or
• Exclusive use by the Controller, with access by third parties prohibited and, where such access becomes necessary, only after the data have been anonymized.
11. RECORD OF ACTIVITIES AND ASSESSMENT OF IMPACT ON PERSONAL DATA PROTECTION
The DPO must prepare the RIPD – Personal Data Protection Impact Report, understood as the documentation containing the description of the personal data processing processes that may generate risks to civil liberties and fundamental rights, as well as measures, safeguards and risk mitigation mechanisms.
There must also be collaboration between the parties when the preparation of the impact report is necessary, as well as mutual collaboration in any consultation with the National Authority, when appropriate.
12. FUNCTIONS AND RESPONSIBILITIES
12.1. PERSONAL DATA CONTROLLER – DPO
• Accept complaints and communications from data subjects, provide clarifications and take action;
• Receive communications from the ANPD and take action;
• Report to the National Authority and the data subject the occurrence of a security incident that may result in significant risk or damage to data subjects;
• Provide guidance on practices to be adopted in relation to the protection of personal data;
• Perform other duties determined internally at Vista, whether as controller or operator.
12.2. COMPLIANCE ADVISORY
• Perform regulatory compliance verification tests related to the topic;
• Analyze internal processes and identify risks or opportunities for improvements in internal controls related to the protection of personal data;
• Record occurrences or notes identified regarding specific failures or incidents; and
• Perform periodic review of this Policy.
12.3. LEGAL ADVICE
• Validate contracts signed between Vista and its related parties regarding the protection of personal data;
• Ensure that contracts or agreements signed contain specific clauses committing to the protection of personal data, when applicable;
• Coordinate the preparation, signing and filing of NDAs (non-disclosure agreements), when applicable;
• Coordinate the handling of any legal demands that may arise due to security incidents related to the protection of personal data; and
• Ensure the proper storage of physical files and media containing personal data.
12.4. HUMAN RESOURCES DIVISION (“HR”)
• Process the personal data of employees, as well as potential candidates or talent pool;
• Coordinate training programs/awareness campaigns on personal data protection; and
• Ensure the proper storage of physical files and media containing employees’ personal data.
12.5. TECHNOLOGY (“IT”)
• Take emergency preventive and/or corrective actions in cases of threats to the integrity of personal data;
• Maintain efficient and up-to-date cybersecurity controls;
• Suggest improvements in procedures related to the storage and processing of personal data;
• Assist the DPO in conducting any incident responses, together with the assistance of other areas necessary to resolve the problem;
• Correct and mitigate detected vulnerabilities;
• Provide, when necessary, the anonymization of personal and sensitive data; and
• Ensure the proper storage of digital files and media containing personal data.
12.6. COLLABORATORS IN GENERAL
• Faithfully comply with the rules established by this policy, as well as notify any security incidents to the DPO;
• Respect the existing controls and mechanisms for protecting personal data;
• Do not use, copy, store or share personal data to which they have access without the prior authorization of the DPO; and
• Ensure the proper storage of physical files and media containing personal data.
13. SERVICE CHANNELS
Vista must indicate the name and contact details of the Data Protection Officer (DPO).
This officer or his/her representative/attorney must assist Vista in fulfilling the rights of data subjects in the manner described by law.
Data subjects may make communications, requests, complaints and ask questions by sending an email to the Personal Data Officer – DPO via the address dpo@vista.eco.br, or another suitable means made available by Vista for the same purpose, provided that his/her identity is proven.
14. INCIDENT RESPONSE
A process must be implemented for reporting and managing incidents that affect sensitive or non-sensitive information, one that identifies and records the type of incident, date, means of detection, who reported it, the resulting effects, date of resolution, description of the resolution, etc.
This record must also cover any recovery of information performed, indicating who performed it, which data were restored and, when applicable, which data had to be re-entered manually during the recovery process.
In the event of an incident, the person who becomes aware of this situation must immediately notify the DPO, who will take the appropriate measures with the ANPD and deal with the resolution of the case.
Security incidents related to personal data, as defined, must be classified according to their relevance and in accordance with (i) the classification of the personal data and information involved; and (ii) the impact on the continuity of our business.
The DPO must notify the ANPD and the data subject of any security incident that may result in significant risk or damage, together with the measures Vista will take, in a timely manner.
The notification will be made within a reasonable period of time, as defined by the National Authority, and must mention, at least¹:
• a description of the nature of the personal data affected;
• information about the data subjects involved;
• an indication of the technical and security measures used to protect the data, taking into account commercial and industrial secrets;
• the risks related to the incident;
• the reasons for the delay, in the event that the notification was not immediate; and
• the measures that have been or will be adopted to reverse or mitigate the effects of the loss.
If it is not possible to provide the information described above simultaneously, it must be provided gradually, without undue delay.
15. AUDIT
Vista reserves the right to verify, at any time, compliance with the security procedures, measures and controls required in this document, including through security audits and tests in relation to information systems, communications, files, legal regulations for the protection of personal data, etc., as well as the procedures that support the execution of this policy.
¹ Regulatory reference: Art. 48 of Law No. 13,709/2018 (LGPD).
16. DISCIPLINARY PROCEDURES AND PENALTIES
In the event of a violation of this policy, the following levels of disciplinary sanctions may occur with respect to the offending employee, in accordance with the provisions of our Code of Ethics and Conduct:
- Warning;
- Fine of up to 10% (ten percent) of annual revenue;
- Publication of the violation;
- Blocking and deletion of personal data to which the violation refers;
- Temporary suspension or prohibition of the processing of personal data.
Therefore, when non-compliance with the rules is detected, disciplinary procedures will be carried out resulting in the application of administrative measures, of an educational and/or punitive nature, and the professional may be warned, preventively removed from his/her duties or, in more serious cases, dismissed from his/her institutional duties, as well as the communication, by Vista, of any violations to the competent authorities for civil and criminal liability, when applicable.
17. FINAL CONSIDERATIONS
All employees, without any distinction, must attest to having read and fully understood this document and its subsequent amendments.
This policy will be reviewed by the Compliance Department when requested or, at least, every 2 (two) years. The review will not necessarily result in a new version of the document.
Situations not covered by, or in any way in conflict with, this Policy must be submitted to the DPO, who will analyze the circumstances and grounds and submit them for deliberation by Vista’s General Management.