This Privacy and Data Protection Policy (‘Policy’) establishes rules and guidelines for the processing of personal data by Colégio Visconde de Porto Seguro (‘CVPS’) in accordance with the provisions of Law No. 13709/18 (Brazilian General Data Protection Law – ‘LGPD’).

To meet the legal requirements related to the processing of personal data in order to ensure the legality of CVPS’s internal procedures. This Policy establishes parameters for the processing of personal data carried out by CVPS as a result of its activities.

This Policy is intended for the entire CVPS school community, including students, parents or legal guardians, employees, third parties or service providers, among others.

In this Policy, the following definitions will be used:

• personal data: information relating to an identified or identifiable natural person.
• sensitive personal data: personal data concerning racial or ethnic origin, religious beliefs, political opinions, membership in a trade union or religious, philosophical or political organisation, data concerning health or sex life, genetic or biometric data, when linked to a natural person.
• data subject: natural person to whom the personal data refers.
• controller: person responsible for decisions regarding the processing of personal data. In this case, CVPS.
• operator: person who processes personal data on behalf of the controller.
• liaison: a person designated by the controller and operator to act as a communication channel between the controller, data subjects, and the Brazilian Data Protection Authority (ANPD).
• processing: any operation performed with personal data (such as collection, receipt, use, access, reproduction, storage, and deletion, among others).
• blocking: temporary suspension of data processing operations, provided that the personal data or database is stored.
• elimination: deletion of personal data stored in a database.
• Brazilian Data Protection Authority (ANPD): a public administration body responsible for ensuring, implementing, and overseeing compliance with the LGPD.

Each member of the school community is essential to ensuring the protection of everyone’s personal data. However, to ensure a chain of responsibility and governance regarding the processing of personal data conducted within the scope of CVPS activities, a Personal Data Protection System (‘System’) was created, composed of the liaison and other CVPS managers.

The liaison will be responsible for the proper functioning of the System, ensuring that the school community works together to protect the personal data of students, parents, guardians, staff, and third parties. This function is provided for in the LGPD itself and also includes interfacing with data subjects and competent authorities.

The CVPS managers designated to be part of this System will be responsible, within their areas of expertise, for creating and maintaining a culture of personal data protection.

Initially, managers were appointed to represent the following departments of CVPS: Pedagogical and Educational, Financial, Operations and Facilities, Legal and Compliance, Information Technology, and Human Resources. Other managers may be appointed in the future at the discretion of the liaison.

CVPS collects personal data in various ways, as explained in the table below:

Data category	Collection method	Category description
Student data	Information provided by the data subject	These are the personal data provided by the data owner and/or their legal guardian. This data is necessary to establish a contractual relationship between the data subject and CVPS. The category includes, among other things, the legal name, parentage, information about the legal guardian, postal and e-mail address, telephone number, date of birth, gender, country, official document numbers, and school transcript.
Candidate and/or employee data	Information provided by the data subject	These are personal data provided by the data subject or collected by CVPS during the selection process or at the time of hiring. This data is necessary to establish a contractual relationship between the data subject and CVPS. The category includes, among other things, legal name, parentage, information about professional and academic history, postal and e-mail address, telephone number, date of birth, gender, country, and official document numbers.
Data relating to student performance	Information produced within the scope of the Educational Services Agreement.	These are personal data generated by CVPS and the student regarding their performance. This category includes, among other things, attendance records, assessments, written and spoken assignments, tests, results and grades, warnings, and the student’s entire school transcript in CVPS.
Data relating to employee performance	Information produced within the scope of the Employment Agreement.	These are personal data generated by CVPS and the employee regarding their performance. This category includes, among other things, attendance control, assessments, holidays, benefits, labour and social security incidents, promotions, warnings, and the employee’s entire history in CVPS.
Financial data of legal guardians	Information produced within the scope of the Educational Services Agreement.	These are personal data generated by CVPS in relation to the legal guardian’s fulfilment of financial contractual obligations, as well as personal data provided by the legal guardian. This category includes, among other things, payment history, delinquency or late payment rate, annual school fee amount, and documents required for the analysis of full scholarships and other benefits under Law No. 12101/09.
Employee financial data	Information produced within the scope of the Employment Agreement.	These are personal data generated by CVPS in fulfilling its financial contractual obligations to its employees. This category includes, among other things, the compensation history, the form of compensation, and the nature and components of the compensation.
Student health data	Information provided by the data subject, supplemented by CVPS.	These are personal data provided by the data subject and/or their legal guardian and generated by CVPS in relation to the student’s health. The category includes, among other things, blood type, vaccination history, reports from healthcare professionals, detected allergies, nutritional information, visits to the infirmary, and even the perception, by CVPS professionals, of any health issues that affect the student’s school development, such as visual or hearing impairment.
Employee health data	Information provided by the data subject, supplemented by CVPS.	These are personal data provided by the data subject and supplemented by CVPS with regard to the employee’s health. This category includes, among other things, pre-employment, periodic and termination medical examinations, visits to the infirmary, blood type, vaccination history, detected allergies, nutritional information, absences and leaves justified for health reasons.

CVPS processes personal data in various ways, as exemplified in the tables below, in accordance with the LGPD, always aiming for a balance between the proper provision of services and compliance with its legal obligations regarding the personal data it controls.

DATA OF STUDENTS, PARENTS, AND LEGAL GUARDIANS
Legal basis	Examples of processing
CVPS will process personal data of students, parents, and legal guardians within the scope of the Educational Services Agreement.	Drafting a work proposal • Payroll processing • Payroll compensation • Inclusion of employees and beneficiaries in benefits, such as health insurance • Continued enforcement of contractual employment benefits • Attendance control • Career progression assessment • Access control • Creating user accounts • Among others	Preparation of an Educational Services Agreement • Charge of an annual fee • Issuance and delivery of various payment slips • Socioeconomic profile analysis for granting scholarships in accordance with the requirements of applicable legislation (CEBAS). • Formation of student groups • Student attendance control • Assessment of student performance • Development of educational activities • Access to the Educational Portal • Indication of special educational needs • Transfer of students to a different curriculum, period, class, or school • Control of student exit authorisations • Among others
CVPS will process personal data of students, parents, and legal guardians to fulfil its legal and regulatory obligations	Registration of students’ personal data and school transcripts in government systems, such as the Digital School Registry (SED) and the Educacenso System of the ‘Anísio Teixeira’ Institute of Educational Studies and Research (INEP) of the Ministry of Education. • Preparation and delivery of documents, such as report cards, school transcripts, and graduation certificates. • Among others
CVPS will process students’ personal data, including sensitive personal data, to protect the health of the data subjects	Student’s medical record • Medical care follow-up • Follow-up for students with allergies • Conducting nutritional assessments • Among others
CVPS will process personal data of students, parents, and legal guardians in its legitimate interest, respecting the legitimate expectations, rights, and fundamental freedoms of the data subjects.	Access control • Creating user accounts • System integrations • Among others

EMPLOYEE AND BENEFICIARY DATA
Legal basis	Examples of processing
CVPS will process the personal data of employees and beneficiaries within the scope of the Employment Agreement.	Drafting a work proposal • Payroll processing • Payroll compensation • Inclusion of employees and beneficiaries in benefits, such as health insurance • Continued enforcement of contractual employment benefits • Attendance control • Career progression assessment • Access control • Creating user accounts • Among others
CVPS will process personal data of employees and beneficiaries to fulfil its legal and regulatory obligations.	Compliance with legal obligations expressly stipulated in laws and regulations, especially those of the Ministry of Labour, the Federal Revenue Service, and the Ministry of Education. • Continued enforcement of legal employment benefits • Periodic maintenance and updating of personal data in the employee registration database, as required by law • Measures relating to social security leave • Among others
CVPS will process employees’ and beneficiaries’ personal data, including sensitive personal data, to protect the health of the data subjects	Maintaining contact for emergencies via telephone, e-mail, or address, whether with the employee or the beneficiary • Emergency healthcare services provided on-site at CVPS • Among others
CVPS will process personal data of employees and beneficiaries in its legitimate interest, respecting the legitimate expectations, rights, and fundamental freedoms of the data subjects.	Creating accounts to access internal systems • Confirmation of the identity of our employees and beneficiaries • Controlling access to physical and digital corporate environments • Active and informed monitoring of employee activities on CVPS-owned electronic devices • Among others
CVPS will process personal data of employees and beneficiaries, including sensitive personal data, in the regular exercise of contractual rights and in compliance with legal or regulatory obligations	Granting of medical and dental care benefits • Granting benefits of other kinds • Conducting occupational health examinations for hiring, termination, periodic checkups, and return-to-work assessments in cases of leave • Referral to the Brazilian Social Security Institute (INSS) of employees absent due to medical reasons for periods exceeding 15 days • Among others

DATA ON SERVICE PROVIDERS and/or SUPPLIERS and their AGENTS
Legal basis	Examples of processing
CVPS will process personal data of service providers and/or suppliers and their agents to execute Service Provision Agreements and/or Partnerships	Drafting Agreements or Proposals • Measurement of contracted services • Assessment of contracted services • Making payments • Among others
CVPS will process personal data of service providers and/or suppliers and their agents to fulfil its legal and regulatory obligations	Compliance with legal obligations expressly stipulated in laws and regulations • Among others
CVPS will process personal data of service providers and/or suppliers and their agents in their legitimate interest, respecting the legitimate expectations, rights, and fundamental freedoms of the data subjects	Control access to physical and digital corporate environments • Among others
CVPS will process personal data of service providers and/or suppliers and their agents, including sensitive personal data, for the protection of the health of the data subjects	Emergency healthcare services provided on-site at CVPS • Among others

CVPS guarantees the exercise of the rights conferred by the LGPD to the data subjects of all personal data it controls. All requests made to CVPS will be handled with care, but, in order to ensure the security of personal data, CVPS may verify the applicant’s identity before replying to their request. It should be noted that the rights of the data subjects described below may be subject to legal limitations.

During the period in which the LGPD is in effect, the data subject or their legally appointed representative may contact CVPS at any time to obtain:

The data subject or their legally appointed representative may exercise these and other rights by completing the form in Appendix I of this Policy and submitting it to CVPS, as described in the ‘Contact Us’ section below, or by contacting the ANPD. When submitting a request to CVPS, it is necessary to provide your full name, e-mail address, city and state of residence, and the nature of the request (for example, to obtain information on how CVPS handles personal data, to correct or delete it).

As a rule, CVPS does not intentionally transfer personal data it controls to any foreign country. It is possible, however, that some servers hosting the CVPS databases and those of service providers are located outside the national territory. CVPS actively collaborates with these providers to ensure that the personal data in question will enjoy the same level of security and protection in those territories as it does in Brazil.

Exceptions to this rule relate to the expatriation of teachers and student exchanges, situations in which international transfers may occur with the consent of the data subject and/or their legal guardian to specifically designated entities.

CPVS maintains security controls designed to protect the data subject’s personal data. It should be noted, however, that no security measure is neither effective to perfection, nor fully capable of guaranteeing the absolute security of personal data. CVPS strongly recommends that the entire school community take steps to protect themselves, for example, by not sharing login credentials for their accounts, not sending confidential information using insecure methods (e.g., via unencrypted email), and protecting their electronic devices (e.g., with passwords).

CVPS retains personal data for as long as necessary for the purpose for which it was collected, unless a longer period is required to comply with applicable laws. The retention periods for personal data vary depending on the purposes for which it was collected. Some of the criteria used by CVPS to assess appropriate retention periods include: (i) the nature of the personal data and the activities involved, (ii) when and for how long the data subject interacts with CVPS, and (iii) CVPS’s legal obligations. To provide security and business continuity, CVPS backs up certain data, which it can retain for longer than the original data.

Given the nature of its activities, CVPS processes personal data of minors under 18 years of age (‘Minors’) with the consent of their parents or legal guardians and/or in the provision of their services. CVPS, in accordance with applicable legal requirements, will take reasonable steps to delete personal data of minors that has been improperly collected as soon as it becomes aware of it. To report any misuse of minors’ personal data, please contact CVPS as described in the ‘Contact Us’ section below.

Given the nature of its activities, CVPS processes personal data of minors under 18 years of age (‘Minors’) with the consent of their parents or legal guardians and/or in the provision of their services. CVPS, in accordance with applicable legal requirements, will take reasonable steps to delete personal data of minors that has been improperly collected as soon as it becomes aware of it. To report any misuse of minors’ personal data, please contact CVPS as described in the ‘Contact Us’ section below.

CVPS is the controller of the personal data referred to in this Policy and can be contacted using the methods below. The exercise of data subjects’ rights must be requested from CVPS by completing the Data Subject Rights Exercise Form, which is included in Appendix I of this Policy.

Colégio Visconde de Porto Seguro
Data Protection Liaison
Rua Floriano Peixoto dos Santos, 55 – Gate C – São Paulo/SP
E-mail: privacidade@portoseguro.org.br

APPENDIX I
DATA SUBJECT RIGHTS EXERCISE FORM

In accordance with Law No. 13709/18 (Brazilian General Data Protection Law – ‘LGPD’), the personal data subject may exercise their rights by submitting a request to Colégio Visconde de Porto Seguro (‘CVPS’), which must be done by filling out the information indicated below and presenting documents that prove the applicant’s identity.

Please state your reasons below, if applicable:

To exercise the right(s) claimed above, the applicant must print, complete, scan, and send this Form to privacidade@portoseguro.org.br, attaching a copy of an identification document to allow verification of your identity.

The rights claimed above may only be exercised by the data subject or their legal guardian.

By submitting this Form, the applicant declares that the information provided herein is true, under penalty of law. CVPS may request additional documents, clarifications, and information to continue service.

São Paulo/Valinhos, SP, ______ (day) _________________________ (month) 202___.