Through its internal governance and management that encompasses privacy and data protection issues, CONCREMAT ENGENHARIA E TECNOLOGIA S.A. (“CONCREMAT” or “Company”), establishes this Policy of Service to the Rights of The Holders (“Policy”).

This Policy aims to establish the procedure for the receipt and processing of requests from Holders, the National Data Protection Authority (ANPD) and other authorities that hold legitimacy, such as the Public Prosecutor’s Office and Procons.

This Policy applies to all processing of Personal Data performed by CONCREMAT. With this, the application of this Policy extends to all employees of the Company, be they: interns, apprentices and trainees, employees, managers, directors, service providers, suppliers, business partners, consultants and third parties, as well as to public agencies and entities with which there may be interaction, and to any other party that maintains a relationship with CONCREMAT, individuals or legal entities, for or without profit.

The exercise of the rights of data subjects consists of the request made by a personal data subject, or by his legal representative, in order to obtain accurate information on the processing of personal data by CONCREMAT. This right will be named ACCESS REQUEST FROM THE DATA SUBJECT (“SATD”).

In view of this request, that is, from SATD, it will be up to the Officer, with the support of the High Administration, and other necessary areas, the registration and measures aimed at meeting the requests of holders.

In order for the owner to exercise his rights and contact CONCREMAT, the Company must disclose its communication channel, preferably through its digital media (websites, social networks, etc.), in a prominent manner and with understandable language.

For the formalization of the Service Procedure, it is appropriate to obtain from the Holder its identification or by its legally constituted representative.

In this way, the applications will be accepted provided that the Personal Data Holder, duly identified by you or your attorney, provided that the power of attorney with specific powers is presented. In order to respect privacy and data protection, SATD will not be able to handle data from persons other than the applicant.

Only after the certification of the identity of the representative can be adopted measures of analysis and fulfillment of the claims. In relation to requests that deal with data from minors, only requests from parents or guardians will be accepted. These must be identified by any valid legal means.

Requests from holders received through e-mails, Customer Service, mail, etc. must be forwarded by the recipient to the Person in charge within a maximum of 24 (twenty-four) hours after receipt.

In cases of receipt of requests by means that do not automatically record the date of receipt (personally by the holder, mail, etc.), the recipient must ensure the registration of the date of receipt for the purpose of counting the service term

Received the SATD and confirmed the identity and/or legitimacy of the applicant, the process must ensure the identification of the category of the holder in attendance, identifying the nature of his relationship with CONCREMAT, as below:

(I) Clients: Any individuals who are part of CONCREMAT’s client companies;

(II) Employees: Employees, former employees, dependents of employees, directors, directors or shareholders of CONCREMAT;

(III) Partners: Individuals related to distributors, suppliers, etc. who have a partnership relationship with CONCREMAT;

(IV) Third Parties: Individuals who do not fall under any of the above.

A) If CONCREMAT is identified only as the Operator of the processing of data objects of the request, the Person responsible will communicate to the requester about the impossibility of service for such reason, as well as indicate the contact details of the Data Controller for the Holder to make the request to him;

B) If it is identified that CONCREMAT is not the agent of processing the data objects of the request, the Data Officer will communicate to the requester of the impossibility of service for such reason and, if possible, indicate the correct processing agent;

C) If the information provided by the Holder is sufficient and CONCREMAT is the Controller of the data, the Person responsible must acknowledge the receipt of the Application to the applicant and inform the estimated period for service.

Personal Data holders may, at any time, request and exercise the rights listed below.

1. Confirmation of the existence of treatment;
2. Access to data;
3. Correction (incomplete, inaccurate, outdated, etc.);
4. Anonymisation, blocking or deletion of unnecessary, excessive or processed data in non-compliance with the provisions of the LGPD;
5. Portability of data to another service provider or product, in the dark of trade and industrial secrets;
6. Deletion of Personal Data processed with your consent;
7. Information of public and private entities with which CONCREMAT made the shared use of data;
8. Withdrawal of consent;
9. Request for review of decisions made exclusively on the basis of automated processing of Personal Data that affects your interests, including decisions designed to define your personal, professional, consumer and credit profile or aspects of your personality.

It is necessary to emphasize that the Data Protection Law (LGPD) does not confer on the holders the absolute exercise of the right, so that each case will be analyzed in its peculiarities, and may even have the request or service denied or partially accepted, upon clarification to the holders of the relevant reasons. If you have doubts about the fulfillment of requests, the Person in charge should request support from the Senior Management.

After the above analysis has been overcome, The SATD shall be evaluated by the Person in charge who may contact internally the relevant department(s) through e-mail messages, calls or meetings for the evaluation and attendance of SATD. The activated department must return with the necessary information within the deadline set by the Person in charge. When necessary, the Person in charge will contact the Card Holder in order to collect further clarifications that are necessary to meet SATD. If necessary, the Person in charge will contact the Card Holder in order to obtain additional information. It is the Responsibility of the Person responsible for ensuring that the information is reviewed and/or received within the internally defined period, so that the deadline with the Holder is met, as well as to assess whether there is any information in which the consent of third parties is necessary or whose service cannot be performed by CONCREMAT.

Confirmation of the existence or access to Personal Data will be granted to the

1. in simplified format, immediately, in which case the Person in charge will be limited to informing whether OR not CONCREMAT controls the applicant’s data; or
2. by means of a clear and complete statement, indicating the origin of the data, the lack of registration, the criteria used and the purpose of the processing, in the absence of commercial and industrial secrets;

The Data Officer will respond to the request for access to the data by providing in full the transcription of the data that CONCREMAT controls of the holder (e.g. Name: transcription of the name; CPF: transcription of the number; Address: address transcript).

To grant access to the data, the Data Officer will only provide physical or digital copies of registration screens or other documents in situations where it is impossible to fulfill the request with the mere transcription of the data.

The Data Subject is entitled to information about the processing of his data, being able to access, among others, depending on future regulation, (a) the specific purpose of the processing; (b) the form and duration of treatment, in the form and business and industrial secrets; (c) the identification of the controller; (d) controller contact information; (e) information about the controller’s shared use of data and purpose; (f) responsibilities of the agents who will carry out the treatment; and (g) what your rights are.

This information and others that assist in the understanding of the Holder about the Processing of his/her data should be included in the Privacy Policy to be made available on all CONCREMAT platforms, in a prominent place and in accessible language.

In circumstances involving incomplete, inaccurate or outdated data or any other cases that require correction, the Applicant must inform in detail in The SATD what data is required to be rectification and the reason (if they are incomplete, inaccurate, outdated), together informing the data already corrected.

The Person in charge will evaluate with the competent areas whether the data can be updated, completed, confirming the accuracy or update. If confirmed, the Data Officer will ask the competent areas to proceed with the correction of the data and, shortly thereafter, respond to the Requester closing and registering the SATD.

Data portability will be regulated by the ANPD. Once such a regulation is made available, it will be up to the Person in charge to update this section.

Portability will not be performed to provide Personal Data that has already been anonymized prior to receipt of SATD.

request anonymization, blocking or deletion of unnecessary, excessive or processed data in non-compliance with the provisions of the LGPD, the Applicant shall inform in detail, in the SATD, what data it intends to anonymize, block or delete and what reasons make it unnecessary, excessive or treated in legal non-conformity.

Once the SATD is received, the identity and legitimacy of the applicant is confirmed, the Person in charge will assess with the competent areas whether the data in question are really unnecessary, excessive or treated in non-compliance with the LGPD. If any of the hypotheses are confirmed, the Data Officer shall request the competent areas to proceed with the anonymization, blocking or deletion of the data, and, next, will respond to the Requester closing and registering the SATD.

If you do not find that the data are unnecessary, excessive or processed in non-compliance with the LGPD, the Person in charge will deny the SATD by detailing the reasons to the holder.

For the deletion or anonymization of Personal Data, the Data Officer shall, except in the legal hypotheses that allow the retention of the data, take the measures for anonymization or definitive deletion of the information in all systems and directories of CONCREMAT, whether in physical or digital environment.

The Data Controller shall also ensure that any joint controllers or operators with whom he has shared the data are communicated so that they proceed in the same way, eliminating or anonymizing the data.

If deemed necessary, in order to guarantee compliance with the request for deletion or anonymization, the Person responsible shall ask the joint controllers or operators with whom CONCREMAT has shared the data, to prove compliance with the deletion.

The request for disposal may be denied when there is concrete evidence that the data can be stored by CONCREMAT for compliance with legal or regulatory obligation, upon documented justification of what the obligations are; and/or exclusive use of CONCREMAT, with the protection of access by a third party, and provided that the data are anonymized.

Anonymization should be performed by omitting part of the data, using reasonable technical means or defined in ANPD regulations, so that it is impossible to associate the data, directly or indirectly, with an individual.

At any time the holder may revoke the consent given for the processing of his/her data.

The Person responsible shall evaluate together with the competent areas what the purpose of the processing is and, if it identifies injury to the performance of contracts and obligations signed with the holder, shall inform the consequences of the revocation.

If the holder chooses to maintain his SATD even after the information of the above item, the Data Controller must arrange to interrupt the processing of the data in question, making arrangements for joint controllers or operators to proceed in the same manner.

The holder may request information about any entities with whom CONCREMAT has shared his/her data.

After the SATD, confirmed the identity and legitimacy of the Applicant, the Person in charge will evaluate with the competent areas any sharing of the data with entities, and, soon after, will respond to the Applicant, informing, at least, what data was shared, when there was the sharing, with which entities and for what purposes.

In the processes of processing Personal Data that imply automated decisions, that is, carried out by computer programs without human interference, for purposes such as the definition of your personal, professional, consumer and credit profile or aspects of your personality, the Holder may request the review of decisions.

In this case, the Person responsible shall ask the competent department to provide a new decision for the Holder concerned by means of the same system used previously or by human decision, at the discretion of the department concerned.

When requested by the Holder, the Person responsible will provide clear and appropriate information regarding the criteria and procedures used in the automated decision, subject to trade and industrial secrets.

All applications made by the holders will be met within 15 (fifteen) calendar days of receipt of the application, unless another period provided for in specific regulations. All procedures and requests must be archived.

If the fulfillment of the application involves complex procedure and requires a longer period, the need must be justified by the Person in charge and communicated to the holder before the end of the 15-day period, indicating the reasons for the delay and the deadline for service.

For the cases of application, the Person in charge must necessarily ensure that the received has actually been issued by the ANPD or by another body or authority competent for this.

In the case of fraudulent application or suspected fraud or illegitimately formulated application, the Person responsible must communicate to the competent sectors and contact directly the ANPD or the body/authority for clarification.

The Person responsible should be incautious of the measures necessary for only legitimate and competent bodies to have access to the information. In requests arising from a body or authority other than the ANPD, these will be handled by the Person in charge together with the Senior Management, with the support of the Legal Department.

The fulfillment of requests from the ANPD or another body must be carried out within the period indicated in the communication or, in the absence of an informed deadline, within fifteen (15) days, unless another period provided for in specific regulations.

Responses to requests from holders, ANPD and competent bodies should always be documented by the Person in charge via his own report containing as many details as possible, such as: identification of the requester, nature of the request, information provided, date of request and service, any communications exchanged.

Inadequate, untimely service or non-compliance with requests from Data Subjects, anpd and other public authorities will imply the application of the sanctions provided for in the Code of Conduct and the General Data Protection Policy, without prejudice to other civil and labor measures.