Privacy Policy

RESTOQUE’S PRIVACY GOVERNANCE AND PERSONAL DATA PROTECTION POLICY

This Privacy Governance and Personal Data Protection Policy (“Policy”) comprises the principles and standards of conduct that will guide the work of RESTOQUE COMÉRCIO E CONFECÇÕES DE ROUPAS S.A. (“Restoque”) in relation to all pieces of personal data under its control, regardless of the means through which said personal data was collected, received, obtained, or generated by Restoque. For this purpose, this Policy imposes and demonstrates that the management of personal data by Restoque complies with the principles that govern the personal data protection legislation, in addition to establishing a structure of responsibility focused on the implementation and maintenance of the privacy governance practices.

SCOPE
The personal data subject to this policy under the applicable legislation is any and all information related to a natural individual identified or that may be identified through Restoque’s reasonable efforts, or who may be individualized through the processing of this information by Restoque, even if not identified. This includes information about customers, associates, suppliers, and service providers, in addition to other individuals related to Restoque.

APPLICATION
The Policy applies to all associates, officers, managers, directors, partners, suppliers, and service providers involved in the operations to process personal data controlled by Restoque.

PURPOSES
Restoque respects the privacy and informational self-determination of the individuals whose personal data is under its control, always governed by good faith and ethical use of this data. Restoque will never engage in any unlawful trade of personal data and will always act to protect the rights and freedoms of the citizens affected by the processing of personal data by Restoque. In order to achieve these purposes, this Policy also establishes the responsibilities of the Data Protection Officer (the “DPO”) and provides for the creation of a Privacy Committee to implement and uphold the company’s governance practices in privacy and personal data protection.

PRINCIPLES
The practices related to the collection, use, sharing, maintenance, erasure, and processing of personal data by Restoque will observe the principles below, which shall be observed by all its associates, officers, managers, directors, partners, suppliers, and service providers in their activities:

Purpose: the personal data will always be processed for the lawful, specific, and explicit purposes informed to the data subject, as well as compatible with Restoque’s corporate interests and activities, in accordance with the purpose of its business, without the possibility of a later processing that is incompatible with such purposes.

Appropriateness: the processing shall always be compatible with the purposes informed to the data subject, according to the context of the processing.

Need: the processing of personal data, including its collection and storage by Restoque, will be limited to the minimum necessary to achieve its purposes, with the use of pertinent and proportional data that is not excessive in relation to the purposes of the processing.

Free access: Restoque will ensure to the data subjects the facilitated and free consultation regarding the form and duration of the processing of their respective personal data, as well as access to the entirety of their personal data processed by Restoque, except in cases it is lawful to deny this access due to the purposes and circumstances of the use of this personal data.

Data quality: Restoque will ensure to the data subjects that their personal data will be accurate, clear, and up to date, and it will also ensure that only relevant personal data will be processed by Restoque, on an as-needed basis and for the achievement of the specific purposes of the processing.

Transparency: as much as possible, Restoque will provide clear, accurate, and easy-to-access information about the processing of personal data to the respective data subjects, as well as respective processing agents.

Security and confidentiality: Restoque will take technical and administrative measures able to protect the personal data from unauthorized access and accidental or illicit situations of destruction, loss, alteration, communication or disclosure, always enforcing the safety standards that are adequate for the specific risks of each activity and in accordance with the state of the art and best market practices applicable.

Damage prevention and mitigation: Restoque will make the best efforts to prevent damage due to the processing of personal data and to mitigate or redress such damage if it happens.

Non-discrimination and ethical processing of personal data: there will be no processing for discriminatory, unethical, unlawful, or abusive purposes.

Accountability and rendering of accounts: Restoque will take measures to confirm and demonstrate the effectiveness of its governance program in privacy and data protection, including in the enforcement of the applicable legislation.

PERSONAL DATA PROCESSING GUIDELINES
Any and all personal data collected, received, obtained, or generated by Restoque must be linked to one or more purposes, which must be validated, registered, and reported to the respective data subjects in the best possible way. No personal data will be collected, received, obtained, or generated by Restoque if it is not necessary for one or more certain and specific purposes. Any and all personal data will have its life cycle controlled and recorded from the moment Restoque gains control over the personal data until the moment of its final disposal.

Restoque processes several types of personal data, with the following general purposes:

Data of its officers, managers, and directors, to make and record management and legal decisions of the company, as well as to amend the company’s incorporation documents.
Data of its shareholders for institutional relations, to call meetings, register votes, distribute dividends, and realize corporate rights and obligations.

Data of all of its associates and service providers for purposes related to the performance of their employment agreements or service agreements, to the respective payment, to internal communication, and to the coordination of the tasks performed, as well as the data required to report the performance of the agreement to the relevant inspection entities and authorities, as per the law, and for the exercise of the corresponding rights.

Data of associates and dependents are also necessary to manage contractual and social security benefits granted to these individuals.

Data of suppliers of goods and services for purposes related to the performance of agreements executed with Restoque and exercise of the corresponding rights.
Data of customers, with the purpose of hiring, delivering, and managing the supply of Restoque products, which implies the collection, access, processing, and custody, including not only registration data but also financial data and customers’ location data required to provide the products, due to their very nature.

Customers’ registration and financial data will also be shared with the relevant authorities in relation to the supply of products by Restoque, in accordance with the applicable legislation.

User data from Restoque’s websites for specific purposes, in the form of their respective privacy warnings and policies.

Personal data processing activities performed by Restoque will always be supported by a legal authorization and recorded in specific documents or systems to control the processing risks, adopt measures to mitigate these risks, and limit the internal and external circulation of the personal data.

Only people who strictly need access to certain categories of personal data will have access to them, considering the position they hold at Restoque in relation to the task requiring certain personal data, and reducing the information accessed to the minimum required, through the proper technical and organizational measures.

Hard and digital documents containing personal data will be stored for as long as their specific purposes subsist. Personal data, on any media, will be erased in a safe and irrecoverable way immediately after the exhaustion of all of its lawful and legitimate purposes, when the term of custody for performance of statutory obligations or exercise of rights has expired, or in the case of a request from the respective data subject forcing Restoque to erase such personal data.

Any and all processing of personal data where Restoque identifies a likely damage to the fundamental rights and freedoms of the data subjects, as well as the processing of sensitive personal data, under the Law, will be subject to an analysis of the impact on the protection of personal data, surveying the expected risks and appropriate measures to mitigate, prevent, or eliminate such risks.

Restoque, through its DPO and Privacy Committee, will work on the development and implementation of policies and good practices rules to ensure the proper processing of personal data, as per above, which will be the subject of a resolution of the Executive Board or of the Board of Directors of the Company, in the scope of the respective responsibilities, the Board of Directors being tasked with the adoption, implementation, and monitoring of general policies and decisions that may affect the company in the long term or its share value, and the Executive Board being tasked with the adoption, implementation, and monitoring of corporate rules on specific processes and policies of the business area, as well as the daily decisions about privacy and personal data protection.

SHARING OF PERSONAL DATA
Personal data may only be shared with, transferred to, or disclosed to any persons, companies, and public or private entities by Restoque as strictly necessary to achieve the lawful, specific and express purposes registered by Restoque and through agreements or other instruments and mechanisms that provide for the compliance with the provisions of this Policy and of the personal data protection laws and regulations applicable by the other party, and which allow the inspection and audit of the performance by Restoque.

Restoque will adopt procedures to make sure that it will only share personal data with companies and private entities that adopt sufficient technical and administrative measures to ensure the proper safety and protection of the personal data, in accordance with the risks to which it is exposed, the protection of the fundamental rights and freedoms of the respective data subjects, and the accountability of the third party before Restoque for its actions and omissions.

The sharing, transfer, and disclosure of personal data to public authorities and government entities will be limited to the minimum required for the performance of statutory and regulatory obligations, for the compliance with court orders and requests made by relevant authorities, and for the protection or exercise of Restoque or third parties’ rights. In these conditions, the lawfulness and legitimacy of the order or obligation, the authority of the requesting party, the extent of the duty, and the respective consequences will always be assessed before granting the authorities or public bodies the access to the personal data in question.

INFORMATION SECURITY
Restoque will always adopt technical and administrative information security measures that are compatible with the state of the art and level of risk assessed to ensure the confidentiality, integrity, availability, and resilience of its informational systems, databases, hard files, and other repositories of information in order to prevent unauthorized access and accidental or illicit situations of destruction, loss, alteration, communication, or disclosure of personal data. The risks and the measures and protocols adopted will be registered in other normative documents that are mandatory for the individuals under Restoque’s responsibility, and they must be reviewed and updated at a reasonable frequency and when relevant events happen.

Restoque will also keep a response plan for safety incidents that ensures the quick assessment, interruption, and remediation and, whenever necessary, the mitigation and redress of the damage that may have been caused by the incidents. Records will be kept on the safety incidents, identifying the categories and personal data subjects affected, in order to enable the immediate report of these incidents to the relevant authorities and respective data subjects, as per the law, and Restoque undertakes to help them in good faith in the mitigation or redress of the actual damage.

RIGHTS OF PERSONAL DATA SUBJECTS
Restoque undertakes to adopt effective measures to protect the rights of all controlled data subjects, as specified by the Brazilian General Data Protection Law (LGPD – Law No. 13,709 of August 14, 2018), and other Brazilian laws and regulations applicable to the privacy and protection of personal data. Especially, the following are legal rights of personal data subjects:

  • Confirmation of the existence of processing of their personal data by Restoque and access to the data;
  • Rectification of incomplete, inaccurate, or outdated personal data under Restoque’s control;
  • Anonymization, blocking, or erasure of personal data that is unnecessary, excessive or processed in violation of the provisions of this Law, as well as in opposition to the processing of personal data by Restoque under the same circumstances;
  • Portability of data to another legal entity similar to Restoque, by means of an express request and respecting the business secrets of Restoque, as this right may be regulated by the government;
  • Information of the public and private entities with which Restoque may share the use of the personal data;
  • Information about the possibility of not granting consent for the processing of personal data by Restoque and about the consequences of withholding consent, as well as the right to withdraw that consent at any time and to the erasure of the personal data processed based on it, it being certain that this data may be kept by Restoque for the exclusive use in other lawful purposes that do not require the consent or anonymization;
  • Possibility of reviewing decisions that affect their interests and which have been made by Restoque solely based on the automated processing of personal data.

Restoque will adopt updated rules, controls, and processes that ensure the presentation of the proper information to the respective personal data subjects, preferably at the moment or in the context of the collection of this data or on the first opportunity after receiving or obtaining it, limited to the situations where it is not possible or there is cause not to deliver certain information to the data subjects. Restoque will also adopt updated rules, controls, and processes that ensure the quick response to the rights of the data subjects, within the terms provided by the applicable laws or regulations for this response, without charges and upon prior and proper confirmation of the identity of the requesting data subject.

There will be direct contact channels with the DPO for the Processing of Personal Data so that the data subjects may exercise their rights, make complaints and requests, and send suggestions in relation to Restoque’s practices. Facilitated channels will also be created for the several categories of personal data subjects with greater data circulation in Restoque’s activities, as much as possible.

DATA PROTECTION OFFICER AND PRIVACY COMMITTEE
Restoque will appoint and keep as DPO an associate or external consultant with theoretical and practical knowledge about personal data protection and information security, tasked with:

  • Acting with independence, impartiality, decorum, and good faith;
  • Advising the Board of Directors, the Executive Board, and other decision-making bodies of the company in relation to communications, requests, and notices issued by the Brazilian Data Protection Authority (ANPD), the Brazilian Securities and Exchange Commission (CVM), and other authorities in relation to privacy and protection of personal data, requests and complaints made by data subjects, and safety incidents, as well as other decisions that may have an impact on the privacy or protection of personal data of any individual;
  • Receiving and internally escalating the communications, requests, and notices issued by ANPD, the Central Bank of Brazil (BACEN), and other authorities, in relation to the privacy and personal data protection, as well as presenting a response to the authority after the approval by the Board of Directors;
  • Receiving and internally escalating the requests and complaints made by personal data subjects, as well as presenting the company’s response to the data subjects after approval by the Executive Board;
  • Answering questions made by personal data subjects about the company’s practices related to their personal data;
  • Instructing the associates, contractors, and outsourced workers of Restoque in relation to the company’s policies and practices in force in relation to the privacy and protection of personal data;
  • Participating in teams of response to safety incidents and reporting them to ANPD and the data subjects affected on behalf of Restoque, whenever necessary, after the approval by the Board of Directors;
  • Participating, as a consultant, in the review and establishment of processes of the company that may pose a relevant risk to the privacy or protection of personal data of any individual (e.g., leaks, deviation from purpose, and unlawful processing of personal data);
  • Participating in the drafting and review of clauses, drafts, and documents related to the sharing and transfer of personal data and of the privacy policies and warnings of the company for associates, consumers, intranet, website users etc.;
  • Controlling the periodicity and coordinating the reviews of the records of the processing of personal data and of the internal rules on privacy, personal data protection, and information security;
  • Monitoring the evolution of laws, regulations, and good practices regarding privacy, personal data protection, and information security;
  • Coordinating implementation projects and auditing processes and practices related to privacy, personal data protection, and information security, submitting the findings to the Board of Directors, Executive Board, and other decision-making bodies of the company;
  • Participating in the selection of and auditing service providers with a potentially relevant risk to the privacy and personal data protection;
  • Recommending and running assessments of lawful interest, assessments of the impact on privacy, and other risk assessments related to the protection of personal data, discussing its results with the leaders of the affected projects, and, if necessary, submitting the findings to the relevant decision-making bodies;
  • Recommending and running reports of impacts on the personal data protection and sending them to ANPD after they are approved by the Internal Governance Committee;
  • Participating in the establishment and review of processes and guidelines to minimize personal data, erase personal data, “privacy by design” (i.e., ensuring the personal data protection from the conception of a project/activity), and “privacy by default” (i.e., ensuring the greatest level of privacy possible whenever there are alternatives or choices);
  • Being informed of all new activities and processes of the company that have a potentially relevant risk for the privacy and protection of personal data;
  • Forming and participating in work groups related to the improvement of the privacy management and mitigation of risks to the privacy and protection of personal data.

All matters related to privacy and protection of personal data will be submitted by the DPO for discussion and approval by the relevant decision-making body, including the need for assessment, implementation, or review of new rules, processes, policies, responses to communications and notices, addressing of incidents, and responses to the requests for the exercise of rights. Urgent matters related to privacy and personal data protection that should be resolved by the Executive Board may be resolved upon and approved by any Restoque Officer when, at the DPO’s discretion, this resolution cannot wait for the discussion at a meeting of the Executive Board, and they shall be ratified.

Restoque’s Board of Directors undertakes to ensure the DPO’s independence in the performance of their roles and the direct access to the Board of Directors, the Executive Board, and the other executive bodies of Restoque, so that the necessary decisions can be made in relation to the matters affecting the privacy and personal data protection under Restoque’s control. The DPO will also be ensured access to all information about new activities and processes of Restoque with a potentially relevant risk for the privacy, personal data protection, and other information relevant to their tasks, regardless of its classification as confidential, provided the applicable corporate policies and rules to ensure its confidentiality and security are observed.

To support the DPO’s work and provide information about the several processes and activities of the Company, Restoque will maintain a permanent Privacy Committee formed by any number of associates from several areas of the company suggested by the DPO.

The duties of the members of the Privacy Committee are as follows:

  • Acting as ambassadors of the culture of privacy and protection of personal data controlled by Restoque and as allies in the governance of privacy and personal data protection;
  • Analyzing matters related to privacy and personal data protection brought by the DPO and gathering information from the several areas of the company that are necessary for their work;
  • Meeting to discuss and resolve on matters, calling the DPO immediately and even out of the usual working hours in case of an emergency involving safety incidents;
  • Discussing and participating in the development of rules, policies, reports, and documents under the DPO’s coordination;
  • Helping the DPO in all of their roles.

The Privacy Committee will strictly protect the confidentiality of matters related to the discussions in the scope of its roles.

RESPONSIBILITIES
Each associate, officer, service provider, and contractor of Restoque is responsible for their own actions in relation to the personal data processing activities, for the compliance with this Policy and other applicable rules, as well as for allowing the DPO and the Privacy Committee’s good work. The officers, managers, and directors are also responsible for ensuring the good practices in the processing of personal data by the associates and third parties under their responsibility, in accordance with their roles.

The DPO will only be held liable for works performed with intent, in bad faith, or with negligence regarding their roles, being protected against personal liability for executive acts and decisions of Restoque. All associates, service providers, and contractors of Restoque have the duty to help the DPO in their roles and to observe the governance and good practices of Restoque regarding the privacy and personal data protection.

COMMUNICATION
Restoque will maintain controls and processes that ensure the immediate response to the rights of the data subjects and requests made by relevant authorities regarding the protection of personal data, making the following channels for direct contact with the DPO available so that the data subjects may exercise their rights, make complaints and requests, and send suggestions:

RESTOQUE COMÉRCIO E CONFECÇÕES DE ROUPAS S.A.
Attn.: DPO
Rodrigo Prates do Nascimento
Email: privacidade.dados@restoque.com.br