This Internal Privacy and Data Protection Policy contains information about the collection, use, storage, processing and protection of personal data of all our employees, third parties, partners and customers of Sócrates, and was prepared in accordance with the General Data Protection Law (Law 13.709/18) and the Internet Civil Rights Framework (Law 12.965/14).

We understand that all of our employees, third parties and partners at SÓCRATES value and care about your privacy and the protection of your personal data. Therefore, we have developed this Internal Privacy Policy, the main purpose of which is to inform you about the collection, use, sharing and general processing of your personal data, whether in digital or physical format, with the aim of offering greater transparency about how and for what purposes the company uses your data.

Our goal is to adopt security and privacy measures, in a transparent manner in the processing and protection of personal data, seeking to comply with the General Personal Data Protection Law and giving visibility to our employees and collaborators about the processing of their data, protecting them and complying with the principles of current legislation.

Therefore, to ensure the privacy and protection of your personal data, it is very important that you know and respect the guidelines of Sócrates' Internal Privacy and Personal Data Protection Policy.

The guiding principles of this internal policy, aligned with the General Data Protection Law:

Adequacy: Data processing must be compatible with the purpose informed to the holder.
Necessity: Processing must be limited to the minimum necessary to achieve the proposed purpose.
Free access: Holders have the right to access information about the processing of their data at any time.
Data quality: Data processing must keep them accurate, clear, relevant and up to date, without discrepancies or distortions.
Transparency: Data processing must be explained to interested parties in a transparent and accessible manner, respecting the necessary commercial and industrial confidentiality.
Security: Personal data must be protected by the controller, so that they are not lost, altered, destroyed or accessed inappropriately.
Prevention: It is the responsibility of the controller to adopt measures to prevent damage resulting from the processing of personal data.
No discrimination: The processing of personal data must not be carried out for discriminatory, illegal or abusive purposes.
Responsibility and accountability: Demonstration, to the holders, of the measures used to ensure compliance with the General Personal Data Protection Law.

Information relating to individuals should only be collected to the extent necessary to provide the services and, in all applicable cases, consent for the processing of data must be obtained, in accordance with the General Data Protection Law.

Within the limits established by applicable law, the categories and types of personal data collected by Sócrates may include, subject to the guiding principles mentioned above: (1) your contact details, such as name, title, company name, email address, telephone number or postal address, among others, used to communicate with you, (2) account information, such as username, user ID, data about your registration or participation in trainings, webinars or other events; (3) professional or employment-related information, such as work history, resume, cover letter.

Sócrates may also collect personal data directly through interactions and through its products and services, and personal data collected online may also be combined with personal data provided through offline channels, such as during a meeting, interviews, employment, events held and also automatically, related to the use of our websites and response to our emails through the use of various technologies.

Personal data.
Sócrates will never use the personal data entrusted to it in any other way to obtain them, except with the prior authorization and consent of the holder.

The processing of personal data is based on consent. Consent is the free, informed and unequivocal declaration by which the data subject authorizes Sócrates to process his/her data.

Therefore, in accordance with the General Data Protection Law, data will only be collected, processed and stored with prior and express consent. Consent is required when data is requested from customers, partners and employees who are natural persons, when necessary, by accepting them in the corresponding field of the system, or by accepting the response email with which the service request is completed, in the commercial phase. Prior consent is required when requesting the signature of an appropriate term when hiring new employees, interns and service providers.

Consent will be specific to each purpose described, demonstrating Sócrates' commitment to transparency and good faith towards its users, customers, employees, partners and collaborators, and may be revoked at any time.

Responsibility for the correct processing of personal data within the company is shared among all those who act as operators, and everyone's collaboration is essential to ensure that the company is always in compliance with the law, offering security to all holders of personal data under its control.

Sócrates may disclose personal data to business partners and service providers to support our operations. These business partners and service providers are contractually obliged to maintain the confidentiality and security of the information received on Sócrates’ behalf and not to use it for any purpose other than that for which it was provided.

The sharing of personal data with individuals or entities outside of Sócrates must be restricted to the minimum necessary for the execution of contracts and the provision of services in which the data subjects are involved, or for compliance with any legal obligation. Even when the processing directly involves the provision of services, consent for such processing and sharing must have been obtained in advance.

Sócrates may also disclose personal data that is required by law or legal proceedings, and that is essential for compliance with judicial and administrative determinations and/or for exercising the right of defense in judicial and administrative proceedings, and such data will be maintained, although other data will be excluded.

The external sharing of personal data of customers or company members is prohibited – by any means, telephone, digital or written – without their authorization, and the holder will be duly informed every time the data is shared in a new context not provided for in the consent obtained.

Violation of trade secrets, a concept that includes personal data under your control, may be grounds for dismissal of employees for just cause or termination of contracts with service providers involved in the violation, without prejudice to applicable legal measures.

The processing of personal data at Sócrates must follow the principles defined in this policy, and must be strictly focused on the purposes for which the data was collected, respecting the principles of this policy, the security and information exchange criteria and the corresponding legislation.

Personal data should only be handled by people who need to handle it. This reduces the risk of human error leading to leaks or inappropriate use of information. The best way to ensure this is to divide data into sectors and specific responsibilities within each sector. This way, we will know, in each situation, who the data operators are and will greatly reduce the risks of an information security incident.

To ensure this processing of sectoral data, access by each Sócrates employee or service provider to the company's database is individual and protected by a non-transferable password. Thus, only persons authorized to process personal identification data of employees and service providers, for example, will be able to access it.

The only permitted processing of personal data contained in electronic waste received and managed by Sócrates is its deletion. To ensure that no data stored on the devices that Sócrates receives for management is misused, all data is destroyed during the processing of the materials, with prior certification to the customers from where such data originates. Access by Sócrates employees and service providers to the materials and information about them contained in Sócrates' computer system is restricted to the execution of the Service Order and the role determined for each employee.

Mere access and/or improper use of any personal data stored in technological waste processed by the company is strictly prohibited, under penalty of dismissal for just cause (or termination of the service provision contract), without prejudice to civil and criminal liability.

The personal data collected by Sócrates will be used and stored for the time necessary to provide the service or achieve the purposes listed in this Privacy Policy, taking into account the rights of the data subjects and the data controller. Thus, the data will be kept for the duration of the contractual relationship between the data subject and Sócrates and, after the personal data retention period, they will be deleted from our databases or anonymized, except in the cases legally provided for in art. 16 LGPD, as follows:

I – compliance with legal or regulatory obligations by the controller;
II – study by a research body, ensuring, whenever possible, the anonymization of personal data;
III – transfer to a third party, whenever the data processing requirements provided for in this Law are respected;
IV – exclusive use by the controller, with access by third parties being prohibited, provided that the data is anonymized.

Therefore, when the purpose of processing personal data is achieved, and it is no longer necessary to keep them to comply with legal requirements, the data must, with the exception of the cases mentioned in the previous paragraph, be duly deleted physically and digitally, with communication of this deletion to the data subject in cases where it occurs in a manner other than that provided for in the applicable consent form.

Therefore, Sócrates is committed to the security and privacy of the personal data collected, through the use of technical protection measures and solutions capable of guaranteeing the confidentiality, integrity and inviolability of the data, in addition to security measures appropriate to the risks, with access control to the stored information.

To keep your personal information secure, we use physical, electronic and management tools designed to protect your privacy. We apply these tools taking into account the nature of the personal data collected, the context and purpose of the processing, as well as the risks that could be generated by possible violations of the rights and freedoms of the data subject of the collected and processed data.

Sócrates is committed to adopting best practices to avoid security incidents.

Among the measures adopted, we highlight the following:

Only authorized persons have access to personal data;
Access to personal data is only granted upon commitment to confidentiality;
Personal data stored physically will be kept in a locked location, out of reach of persons who are not expressly authorized to access them.
When stored digitally, they must be kept in a folder protected by encryption and with restricted access via a personal password.

Only copies of personal data should be made when necessary to fulfill the proposed purpose of the processing, and all copies made must be recorded in a separate spreadsheet, which must be stored digitally with the same security criteria.

This Privacy Policy may be updated. Therefore, we recommend that you review this page periodically to detect any changes. However, Sócrates will request your consent before using your information for purposes other than those set out in this Privacy Policy.

Sócrates’ personal data operators must provide all information requested by data subjects in relation to the processing of their personal data, respecting the company’s right to commercial secrecy, when necessary. The purpose of the processing must always be clear and transparent.

Whenever there is a request for the provision of information about personal data by the interested party, operators must inform the Personal Data Protection Officer of the request and then provide the requested information to the interested party.

The person responsible for protecting personal data will be responsible —under the terms of the LGPD— for communication between interested parties, Sócrates and the National Data Protection Authority (ANDP). The person responsible is responsible for verifying existing risks, indicating corrective measures and periodically assessing the security of personal data within the company, and must also carry out the necessary communications with data subjects or public authorities.

Any questions that arise in the company's day-to-day activities regarding the protection of personal data must be forwarded to the person responsible, so that he/she can provide immediate guidance to the operator or seek appropriate guidance from ANDP and other entities specialized in the subject.

The Personal Data Protection Officer will maintain a report assessing risks and impacts related to the protection of personal data, through which the necessary measures to guarantee the security of personal data information will be structured, implemented and evaluated.

Sócrates ONE has appointed Sócrates Baquedano as its Personal Data Protection Delegate, offering the following means of contact for the exercise of property rights:

E-mail: info@socrates.la