PERSONAL DATA PROCESSING POLICY FOR SUPPLIERS/PARTNERS

Last updated on April 06, 2021

This Personal Data Processing Policy for Suppliers/Partners (“Policy”) is aimed at all product suppliers, service providers and partners in general of the 2TM Group, that is, 2TM Participações S.A. and all companies controlled by it and related thereto (“Suppliers/Partners” or “You”) and is intended to inform You on how You should process the personal data received on behalf of the 2TM Group or to which You have had access as a result of the services provided. It is essential for us that all our Suppliers/Partners are in compliance with Laws no. 13,709/2018 ("LGPD") and no. 12,965/2014 ("MCI"), in order to ensure the protection of personal data of all individuals whose data are processed by the Suppliers/Partners, either on behalf of the 2TM Group, or by decision of the Supplier/Partner by virtue of the nature of the services.

1. DEFINITIONS

1.1. Personal Data means any data that identifies or may directly or indirectly identify an individual and/or is shared by the 2TM Group with You or processed by You on behalf of the 2TM Group for the purpose of performing the agreement (“Personal Data”);

1.2. Personal Data Breach consists of an incident or failure of technical or organizational information security measures that may imply destruction, loss, alteration, modification or unauthorized access to Personal Data or compromise of confidentiality, with the unauthorized disclosure of Personal Data processed under this Agreement (“Personal Data Breach”).

2. PROCESSING OF PERSONAL DATA.

2.1. You undertake to process Personal Data exclusively for the purposes set out and described in the agreement entered into with the 2TM Group, and You may not do so for any other purposes whatsoever. It is incumbent on 2TM Group to establish, change or amend the purposes of the processing of Personal Data. Whenever You, the Supplier/Partner, identify the need for further processing or for other purposes, You must inform the 2TM Group in advance, for its approval.

2.2. You must comply with this Policy throughout the term of the agreement entered into with the 2TM Group until the complete deletion of all Personal Data and other information to which You have had access by virtue of the contractual relationship, ensuring that You will not maintain any copies of hard or electronic documents of Personal Data, on any pretext whatsoever. In the event of processing Personal Data for database enrichment in order to improve the technology of the Supplier/Partner, You must, after processing, anonymize the data.

3. OBLIGATIONS OF THE SUPPLIER/PARTNER.

3.1. When processing Personal Data transferred by the 2TM Group, You must be in compliance with the following guidelines:

4. INTERNATIONAL TRANSFER OF PERSONAL DATA.

4.1. Except when strictly necessary for the performance of our agreement, such as, without limitation, the storage of Personal Data under the responsibility of technological service providers with servers outside the country, You hereby undertake not to transfer the Personal Data outside the country, especially to countries where there is no law to safeguard the protection of personal data or that do not have adequate protection, without the prior and express authorization of the 2TM Group. In this case, You hereby undertake to observe the same level of protection as under Brazilian law.

5. THIRD-PARTY REQUESTS.

5.1. In case of requests from data subjects related to the exercise of their rights, whether or not related to legal actions; or from public bodies formalized by official letter in inspection processes brought against the 2TM Group, and for which the 2TM Group needs some action on your part, You undertake to cooperate and assist within a maximum period of 5 (five) days so that the 2TM Group is able to answer them in up to 15 (fifteen) days, in case of a simple request, or within the period established by the 2TM Group in the communication addressed to You in this regard, in case of another specific period to answer the request. If such requests are addressed directly to You, You must immediately inform the 2TM Group and act according to the instructions given to You.

5.2. You must also cooperate with the 2TM Group for the preparation of any Reports on Impacts on the processing of Personal Data and/or a Report of Legitimate Interest that may be necessary.

6. PERSONAL DATA BREACH

6.1. You hereby undertake to register and inform the 2TM Group immediately, and always within a period of less than 24 (twenty-four) hours, of any incident of any nature, physical or technical, concerning information security that may imply the compromise of confidentiality, integrity and availability of Personal Data, with exposure of the reputation of the 2TM Group (or any of its individual companies) or be harmful to its activities. You hereby undertake to actively collaborate with the 2TM Group to implement corrective actions concerning any non-conformity that might have caused the incident and to prevent similar situations from occurring.

6.2. The notification must contain at least the following information:

7. PERSONAL DATA SECURITY.

7.1. You hereby undertake to adopt all organizational and technical security measures provided for by the ISO Standards of the 27000 family and ISO 15408 in order to maintain the confidentiality, integrity and availability of Personal Data, the resilience of technological infrastructure systems, as well as for the regular assessment of the levels of information security maturity and the risks involved in the processing of Personal Data.

7.2. If at any time You fail to take the organizational and technical measures concerning information security, in accordance with this Policy, You must notify the 2TM Group immediately, always within a maximum period of two (2) business days, and the 2TM Group may take the measures it might deem appropriate, pursuant to the agreement entered into with You and this Policy.

8. POLICY REVIEWS

8.1. 2TM Group reserves the right to review and, if necessary, amend the terms of this Policy at any time, so as to ensure its compliance with the legislation, as well as to adjust it to the guidelines of the National Data Protection Authority (ANPD). Whenever there is any material change, the 2TM Group will send You the new version of the Policy, as amended, which will be deemed immediately applicable, effective and binding on the parties.

9. OTHER INFORMATION

9.1. This Policy is governed, construed and regulated by Brazilian law and must be read in addition to the respective agreement entered into with the Supplier/Partner. The District Court of São Paulo, where the party responsible for the Personal Data processing is based, is hereby appointed, if no other has been appointed in the agreement, since it is the place from which the contractual relations are established with the 2TM Group.