Protection in the use of personal data
We maintain strict security controls to protect the data of our employees, partners, and clients in accordance with the Brazilian General Data Protection Law (LGPD – Law No. 13,709/2018) and the European General Data Protection Regulation (GDPR EU 2016/679).
This Policy aims to establish internal and procedural regulations to ensure that Casa dos Ventos Energias Renováveis ("CVER") complies with the following norms: (i) privacy and data protection for individual and corporate clients, employees, suppliers, service providers, business partners, lessors, and all holders of personal data and sensitive personal data to which CVER has access in the regular exercise of its business activities; (ii) application to the processing of personal data, including collection, registration, storage, processing, use, sharing, enrichment, and elimination of data; (iii) the General Data Protection Law ("LGPD").
It is recommended that this Policy be read and interpreted in conjunction with Casa dos Ventos' Code of Conduct and other company norms, including those issued by the Data Protection Officer ("DPO").
Casa dos Ventos' Data Privacy and LGPD Compliance Policy applies to its employees, collaborators, administrators, partners, third parties, suppliers, and service providers, regardless of activity location or function. Furthermore, it applies to employees, partners, third parties, suppliers, and service providers of companies affiliated with Casa dos Ventos, including, but not limited to, Special Purpose Entities ("SPEs") holding wind and solar energy projects under development or in the implementation phase.
Brazilian Federal Constitution
Brazilian Civil Rights Framework for the Internet – Law 12.965/14
General Data Protection Law – Law 13.709/18
Processing agents – the controller and the operator.
Internet applications – the set of functionalities that can be accessed via a terminal connected to the internet.
National authority – public administration body responsible for overseeing, implementing, and enforcing compliance with this Law throughout the national territory.
Database – a structured set of personal data, established in one or several locations, in electronic or physical support.
Internet connection – the enablement of a terminal for sending and receiving data packets over the internet, through the assignment or authentication of an IP address.
Controller – natural or legal person, public or private, who is responsible for decisions regarding the processing of personal data.
Personal data – information related to an identified or identifiable natural person. It may include name, surname, nickname, age, residential or electronic address, location data, car license plates, shopping profile, Internet Protocol (IP) number, academic data, purchase history, among others.
Sensitive personal data – personal data concerning racial or ethnic origin, religious conviction, political opinion, trade union membership or membership of a religious, philosophical or political organization, data relating to health or sexual life, genetic or biometric data, when linked to a natural person.
Deletion – exclusion of data or a set of data stored in a database, regardless of the procedure employed.
Data Protection Officer (DPO) – person appointed by the controller and operator to act as a communication channel between the controller, data subjects, and the National Data Protection Authority (ANPD).
Internet – the system consisting of a set of logical protocols, structured on a global scale for public and unrestricted use, with the purpose of enabling data communication between terminals through different networks.
Processor – natural or legal person, public or private, who processes personal data on behalf of the controller.
Data subject – natural person to whom the personal data being processed refers.
Data processing – any operation performed with personal data, such as those related to collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation or control of information, modification, communication, transfer, dissemination or extraction.
Shared use of data – communication, dissemination, international transfer, interconnection of personal data or shared processing of personal data databases by public bodies and entities in the exercise of their legal competencies, or between these and private entities, reciprocally, with specific authorization, for one or more types of processing permitted by these public entities, or between private entities.
a) All employees, collaborators, administrators, partners, third parties, and service providers
i. Comply with the guidelines imposed by current legislation, Casa dos Ventos' Code of Conduct, and internal Policies.
ii. Safeguard the assets, data, and information owned by Casa dos Ventos.
iii. Ensure the privacy of data collected and processed by Casa dos Ventos.
iv. Make best efforts to protect the security of data, especially personal and sensitive personal data, under the custody of Casa dos Ventos.
b) Information Technology Area
i. Determine all information security rules to be adopted by Casa dos Ventos and its collaborators.
ii. Determine the rules for processing data legitimately collected by Casa dos Ventos.
iii. Carry out, under the coordination of the DPO and whenever requested by the data subject, the exclusion of all information from Casa dos Ventos' database.
c) Data Protection Officer (DPO)
i. Represent Casa dos Ventos before the National Authority and data subjects.
ii. Determine internal rules for Casa dos Ventos' compliance with the terms of the General Data Protection Law.
iii. Determine data collection, processing, and deletion procedures.
iv. Maintain records of data processing carried out by Data Processors contracted by Casa dos Ventos.
This Policy is governed by the following principles and obligations:
– Every natural person is assured of the ownership of their personal data and the guarantee of their fundamental rights to freedom;
– The General Data Protection Law applies regardless of the means and/or forms of processing collected or received data;
– The data subject has the right to access information about the processing of their data, in order to determine which data has been processed, which is being shared, and the purpose of the processing.
– Casa dos Ventos will maintain records demonstrating the adoption of processing measures in accordance with the principles established in the LGPD;
– The General Data Protection Law mandates that data subjects' data may only be processed if based on the following principles:
Purpose – the processing of personal data must be carried out for legitimate, specific, explicit, and informed purposes to the data subject, observing the original purposes;
Adequacy – the processing of personal data must be compatible with the purposes informed to the data subject, according to the context of the processing;
Necessity – the processing of personal data must be limited to the minimum necessary for the achievement of its purposes, covering pertinent, proportionate, and non-excessive data in relation to the purposes of data processing;
Free access – data subjects are guaranteed easy and free consultation regarding the form and duration of processing, as well as the integrity of their personal data;
Data quality – data subjects are guaranteed that their data is accurate, clear, relevant, and updated, according to the need and for the fulfillment of the purpose of its processing;
Transparency – data subjects are guaranteed the right to clear, precise, and easily accessible information about the processing and the respective processing agents, observing commercial and industrial secrets;
Security – technical and administrative measures capable of protecting personal data from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication, or dissemination must be used;
Prevention – measures must be adopted to prevent the occurrence of damages due to personal data processing;
Non-discrimination – impossibility of carrying out processing for illicit or abusive discriminatory purposes; and
Accountability and demonstrating compliance – demonstration, by the agent, of the adoption of effective measures capable of proving compliance with personal data protection rules, including the effectiveness of these measures.
Aiming at the security of information provided by data subjects, Casa dos Ventos will adopt physical, logical, technical, and administrative security procedures compatible with the sensitivity of the collected information. Whenever necessary, Casa dos Ventos will implement new procedures and technological improvements with the purpose of protecting the data collected from various data subjects.
Personal data is collected when a relationship occurs and/or a contract is signed between the data subject and Casa dos Ventos. The Personal Data collected varies according to the purposes of use and the activities carried out. This Personal Data includes registration data, financial data, and transactional data. Data may be provided directly by its subject, collected as a result of the provision of services or supply of products by Casa dos Ventos, or may be provided by other affiliated companies of Casa dos Ventos or by legitimate external sources.
Casa dos Ventos processes personal data in accordance with the legal bases provided for in the General Data Protection Law (LGPD). Data processing is carried out only by authorized personnel, for the purpose for which it was collected and as consented to by the data subject. Data processing occurs, for example, in the following scenarios:
– Comply with contractual obligations with the data subject or with the company to which they belong.
– Notify the data subject of changes to the terms of signed contracts.
– Perform internal operations, including support and problem-solving.
– Reinforce data security and protection procedures.
– As necessary, to establish, exercise and defend rights in judicial, administrative or arbitration proceedings.
– Comply with legal or regulatory obligations, or as required in judicial proceedings, by any law enforcement or government agency with jurisdiction over Casa dos Ventos.
– Use the data subject's personal data to prove business viability with potential partners.
Casa dos Ventos shares personal data when necessary or relevant, for the purposes provided for in contracts with its clients, within strict security standards, always aiming at the confidentiality of information and following data protection and privacy regulations. The sharing of personal information may, for example, occur in the following situations:
– Service providers: personal data may be shared with service providers, that is, companies that offer services such as authentication systems, digital document signature systems, security services, etc. For these providers, there are terms of protection and proper use of the shared information;
– Affiliates: personal data may be shared between affiliates and/or companies of the same group.
– Public or governmental authorities: data may be shared with public authorities whenever legislation requires or to respond to judicial determinations;
– Commercial operations: data may be shared during a corporate operation, such as an asset sale. In these cases, the data subject will be promptly informed of any change regarding data control.
The international transfer of data occurs between Casa dos Ventos' commercial partners, only in cases of proven necessity, limited to the personal data essential for the negotiation and with the explicit consent of the data subject.
The termination of personal data processing will occur in the following hypotheses:
– When the proposed objective is achieved or when there is no longer a need for personal data;
– When the data subject requests the deletion of the data;
– In case of a legal determination to do so.
After the termination of data processing, with the exception of cases provided for by law, personal data will be promptly erased and Casa dos Ventos' responsibility for them will cease.
The Casa dos Ventos website may collect cookies and, for this purpose, will request express consent from its users. Cookies have different functions, in particular, they allow easier navigation through pages, remember your preferences, and optimize the user experience for visitors. These cookies may be stored on Casa dos Ventos' computer, allowing future accesses by the same user to be identified. Before the website activates any cookie on a visitor's computer, clear and explicit authorization will be requested for the purpose for which the cookie is intended.
Through the Casa dos Ventos website, or by contacting the Casa dos Ventos Data Protection Officer, any data subject of personal data or sensitive personal data may request:
– Confirmation and access to data
– Rectification of data that is incomplete, incorrect, or outdated
– Restriction of processing of part of their data, indicating which data may be retained by CVER.
– Cancellation or deletion of data
– Portability and transfer of data from Casa dos Ventos to another controller
– Revocation of their unequivocal consent provided to Casa dos Ventos
– Opposition to any data that is not in compliance with the law
– Explanation about the data processed by Casa dos Ventos
– Information about all data transfers or sharing by the Casa dos Ventos Controller
The Board of Casa dos Ventos determines, through this policy, that the Data Protection Officer will always be the Technology Director. The main functions of the Officer are:
– To inform and guide the controller, operator, and other contractors about the obligations and good practices to be adopted regarding the General Data Protection Law.
– To monitor the implementation of the compliance program and adherence to regulations in all data processing activities carried out by Casa dos Ventos, proposing improvements whenever necessary.
– To document all information security measures adopted by Casa dos Ventos, so that, in the event of a data processing incident, there are elements to demonstrate Casa dos Ventos' good faith and commitment.
– To report any data processing incidents to the National Data Protection Authority ("ANPD"), cooperating in any inspections and due diligence.
– To implement the recommendations received from the ANPD regarding appropriate data processing.
– To facilitate communication between the company and data subjects, receiving requests, complaints, and personal data deletion requests.
This policy must be adopted immediately after its approval by the Board of Casa dos Ventos and must be adopted by all employees, collaborators, administrators, partners, and third parties. Any violation of the terms of this Policy must be immediately reported to Casa dos Ventos' Ethical Channel, the Compliance area, or the Ethics Committee for proper investigation and mitigation.
According to current legislation, the data subject's rights are:
– Confirmation of the existence of data processing;
– Access to personal data;
– Correction and updating of data;
– Data portability;
– Deletion of data, when it is excessive, unnecessary, or processed in non-compliance with its intended purpose;
– Request for information regarding data sharing;
– Minimization and limitation of use;
– Revocation of Consent, when applicable.
It is important to note that any request made by the data subject will only be fulfilled upon proof of the applicant's identity. Thus, additional information may be requested from the data applicant.
This policy may be altered according to changes in current legislation, technological advancements, or changes in the services provided by the company. The use of information is linked to the version of the Privacy Policy in force during the period of information use.
Requests and/or questions regarding consent or personal data management can be sent to dpo@casadosventos.com.br or through Casa dos Ventos' institutional website.