Enkel | Data privacy

COMPLIANCE MANAGEMENT IN PERSONAL DATA PROTECTION

Enkel values and promotes a solid and continuous culture of awareness regarding privacy and data protection in the corporate environment.

With this purpose, it offers all Enkelians mandatory compliance modules on the principles and concepts of the General Data Protection Law (Law No. 13.709/2018) and Information Security.

These modules aim to certify Enkelians for the responsible and secure handling of personal data to which they have access, reinforcing the company's commitment to the integrity and confidentiality of information.

Access compliance procedures are made available via e-Learning, online. Several courses are offered, and at the end of each module, as a compliance requirement and contractual guarantee, the Enkelian must achieve a minimum score on the content (80%).

Should the Enkelian not reach the required minimum standard of compliance, they must re-enroll to repeat the module until certification is achieved; Enkel may condition/suspend access.

Additionally, Enkel continuously promotes awareness actions, sending all Enkelians institutional videos, informative materials, and bite-sized knowledge content regarding data protection and privacy.

Enkel also maintains strict control in contractual management, verifying if they are in compliance with current legislation and if they remain updated regarding best practices in privacy and information security.

PROCESSING OF ENKELIANS' PERSONAL DATA

Enkel carries out the processing of Enkelians' personal data for the purpose of complying with the contract, as well as meeting legal and/or regulatory requirements.

Among the main types of personal data processed, the following stand out:

DATA TYPES	DATA
LE (Legal Entity) Identification Data	Corporate Name, Tax ID (CNPJ), address, corporate email and professional contact phone, identification of the legal representative (name and role).
Data of LE representatives/agents	Full name, position/role, email and phone, address, date of birth, marital status, nationality, passport, ID and Tax ID (CPF).
Complementary data	Certifications, registrations, and licenses for contractual execution and access accreditation, identification of any successors or assignees to the contract, numbering of PPEs for access to Enkel premises.
Banking data	Bank, branch, account or Pix key linked to the CNPJ, for payment processing.

Other data necessary for contract management, fulfillment of contractual duties, union obligations, legal obligations, and determinations by supervisory bodies.

Enkel, in compliance with the guidelines of the General Personal Data Protection Law (Law No. 13.709/2018) and the guidance of the National Data Protection Authority (ANPD), processes personal data exclusively for the informed and legitimate purposes, ensuring transparency, security, and confidentiality throughout the data lifecycle.

CARE IN PERSONAL DATA PROCESSING

The processing of personal data by Enkel and its Enkelians must fully observe the guidelines of the Personal Data Management Policy and other corporate policies and procedures related to the topic.

In summary, Enkel establishes the following guidelines:

Access to personal data

Access to personal data will be permitted only to duly authorized persons, observing technical and administrative measures that restrict access exclusively to those involved in activities related to the specific purposes of the processing.

To ensure information security, only access strictly necessary for the execution of the contract will be provided. Unauthorized access to personal data is expressly prohibited.

Collection of personal data

The collection of personal data will be carried out strictly within the limits necessary for the execution of the scope of the contracted object.

When the processing of personal data requires the consent of the data subject, this must be obtained in a free, informed, and unequivocal manner, through formal acceptance, whether in writing, electronically, or by other means that allow proof by Enkel.

Consent will be requested specifically for each processing purpose. If there are multiple purposes, the data subject must consent separately for each one.

Enkel does not process the personal data of children or adolescents. Therefore, personal information of minors is not collected, stored, or shared. Under no circumstances may such data be processed or shared with third parties by Enkel.

Retention and Disposal of personal data

The storage of physical documents containing personal data must be carried out in locked cabinets, with access restricted to authorized persons.

Data stored digitally must be protected by personal passwords and appropriate access controls, in accordance with Enkel's information security policies.

The retention period for personal data must follow what is determined by law or specific regulation.

In cases where there is no defined legal term, Enkel adopts criteria based on the principles of accountability, transparency, necessity, and adequacy, justifying the retention period according to the purpose of the processing.

Personal data will be eliminated when the purpose for which it was collected is achieved and there is no legal basis justifying its maintenance, for example, compliance with legal or regulatory obligations or the need for defense in administrative or judicial proceedings.

Should Enkel choose to keep the data for a period longer than required, such decision must be formally recorded in internal controls and in the records of personal data processing operations.

WHO ENKEL SHARES YOUR PERSONAL DATA WITH

Enkel may share personal data with clients, suppliers, third parties, business partners, and government agencies, always responsibly, transparently, and in compliance with current legislation, especially the General Personal Data Protection Law (Law No. 13.709/2018).

Sharing occurs only when necessary and legitimate, observing specific purposes and appropriate security measures.

Clients and business partners

Enkel shares personal data with clients and business partners when necessary for the provision of cloud services, to enable contract management, administration of benefits, or compliance with legal and regulatory obligations.

Examples of sharing include:

DATA TYPES	WITH WHOM IT IS SHARED
Data of Enkel technicians	Shared with clients for the execution of contracted services.
Information related to partnership programs	Language courses, wellness plans, other facilities offered to Enkelians, which may involve our partners and/or suppliers.

All suppliers, clients, and partners who receive personal data process this information exclusively according to Enkel's instructions, being contractually obliged to comply with the company's Information Security policies and procedures, as well as all applicable legal requirements.

Government agencies and public authorities

Enkel may also share personal data with government agencies, regulatory or judicial authorities, when necessary to:

Comply with investigations, audits, administrative or judicial proceedings;
Fulfill legal, tax obligations, safeguard the company's or third parties' rights, as provided by law.

In all cases, sharing will be carried out within legal limits and in a manner that preserves the privacy and security of the information.

HOW LONG ENKEL STORES PERSONAL DATA

Personal data collected and activity records will be stored in a secure environment and for the time strictly necessary to fulfill the specific purposes for which they were collected and/or according to current legal and regulatory deadlines.

Data processing and retention may also occur for purposes of auditing, information security, fraud prevention, credit protection, and preservation of rights, as permitted by legislation.

In these cases, Enkel may keep the history of records for a longer period when there is a legal, regulatory requirement or legitimate need for legal protection.

After the retention period ends and the legal or contractual necessity ceases, personal data will be safely deleted or anonymized, allowing its use only for statistical purposes or internal studies, without the possibility of identification.

HOW ENKEL PROTECTS YOUR PERSONAL DATA

Enkel adopts technical, physical, and organizational measures to protect information and personal data under its responsibility.

Data is stored in secure operating environments, with restricted and controlled access, not accessible to the general public.

Enkel dedicates continuous efforts to protect the privacy and integrity of sensitive data. However, no system is completely infallible.

Unauthorized use of accounts, hardware or software failures, and other unforeseen factors may eventually compromise information security. For this reason, should Enkelians identify or become aware of any situation that may compromise the security of personal data, they must immediately contact the Data Protection Officer (DPO), using the email address provided at the end of this Policy.

YOUR RIGHTS AS A PERSONAL DATA SUBJECT

Enkel, as a personal data controller, in compliance with current Privacy and Personal Data Protection legislation, especially the General Data Protection Law (Law No. 13.709/2018), respects and guarantees all Enkelians the possibility to exercise the following rights:

Confirmation of the existence of processing of their personal data;
Access to the data being processed;
Correction of incomplete, inaccurate, or outdated data;
Anonymization, blocking, or elimination of unnecessary, excessive data or data processed in non-compliance with the law;
Data portability to another service or product provider, upon express request;
Elimination of personal data processed based on consent;
Information about public and private entities with which their data has been shared;
Information about the possibility of not providing consent and its consequences;
Revocation of consent, at any time;
Review of automated decisions taken solely based on automated processing of personal data;

Opposition to processing carried out without consent, in case of non-compliance with the provisions of the LGPD.

To exercise any of these rights, the data subject must contact Enkel's Data Protection Officer (DPO), using the email address provided at the end of this Policy.

Responses to requests will be provided in writing, preferably electronically, in clear, concise, and transparent language, and addressed within 15 (fifteen) days from the date of the request, free of charge.

PERSONAL DATA PROTECTION OFFICER (DPO)

According to the General Personal Data Protection Law (Law No. 13.709/2018 – LGPD), organizations that process personal data must appoint a Personal Data Processing Officer (DPO), responsible for performing the activities provided for in §2 of Art. 41 of the law.

Enkel's DPO is selected based on their experience in privacy and data protection, professional qualifications, and ability to fulfill assigned tasks, and must perform their duties with secrecy and confidentiality.

The main responsibilities of the DPO include:

Ensuring response to complaints and communications from data subjects, providing clarifications and taking necessary measures;
Designing compliance programs, monitoring their implementation, defining data protection governance, standard privacy notices, contractual clauses, and best practices;
Supporting the negotiation of contracts related to data protection, defining flows for attending to data subjects' rights, and implementing training and awareness plans for Enkelians;
Providing opinions on data protection impact assessments and monitoring their progress;
Acting as a point of contact for the ANPD, receiving communications and taking appropriate measures;
Guiding Enkelians on appropriate personal data protection practices;
Maintaining records of processing operations, mapping the personal data lifecycle, and preparing risk and impact assessment reports, indicating necessary measures to ensure information security.

Enkel's DPO (Personal Data Protection Officer) can be contacted via email: dpo@enkel.cloud.