Privacy and Data Protection Program
I- INTRODUCTION
Premiumbravo is committed to complying with all applicable legal and regulatory requirements related to privacy and personal data protection. In doing so, we consider the lawful and proper treatment of Personal Data (as defined below) as an integral part of our operations. This document describes Premiumbravo’s Personal Data Privacy and Protection Program (“Program”) to ensure compliance with applicable legislation, particularly the California Consumer Privacy Act (CCPA). This Program applies to Premiumbravo, including its branches and any affiliated or subsidiary companies under its administration.
II- GLOSSARY
Without prejudice to the definitions assigned within the scope of the CCPA, for the purposes of this Program, the terms defined below shall have the following meanings:
a) Personal Data – information related to an identified or identifiable natural person, such as a name, identification number, location data, electronic identifiers, or one or more specific elements of the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
b) Employee – refers to any administrator, director, or other employee of the Company.
c) Data Protection Officer – a person appointed by the controller and processor to act as the channel of communication between the controller, data subjects, and the National Data Protection Authority (CNPD).
d) Government – any entity belonging to the direct or indirect public administration, including the State, districts and autonomous regions, as well as their bodies, ministries, secretariats, departments, sub-secretariats, municipalities, companies, institutions, agencies, and government-owned or controlled entities and other public entities.
e) Third Party – refers to any service provider, supplier, consultant, customer, business partner, contractor or subcontractor, tenant, lessee of commercial space, whether a natural person or legal entity, regardless of whether there is a formal contract, who uses the Company’s name for any purpose or provides services, supplies materials, interacts with the Government, or others on behalf of the Company.
f) Data Subject – an individual to whom the Personal Data being processed relates.
g) Processing – any operation or set of operations performed on Personal Data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, erasure, evaluation, or control of information, modification, communication, transfer, dissemination, or extraction.
III- IMPORTANCE OF PRIVACY AND DATA PROTECTION
Personal Data is considered a valuable asset and should be subject to effective processing in order to fulfill business objectives, meet investors’ and employees’ expectations regarding accuracy and security, and comply with the CCPA and other applicable data protection laws. The CCPA aims, among other things, to ensure good practices in the use of personal data, hold responsible parties accountable for the processing of personal data, and safeguard the rights of data subjects. In the event of non-compliance with the CCPA, Premiumbravo may be subject to legal action and administrative sanctions, including the imposition of fines. Moreover, non-compliance with the CCPA can harm Premiumbravo in its dealings with third parties, resulting in reputational harm, loss of investor trust, negative publicity, loss of business, operational disruptions, sanctions, and litigation.
FOR WHAT PURPOSE IS THE PROGRAM USED?
A well-designed and comprehensive personal data privacy and protection program is an effective risk management tool. The CCPA requires all Employees to be aware of and comply with its requirements. It is important that Personal Data is treated in a manner consistent with the CCPA and this Program.
BINDING TO THE PREMIUMBRAVO PROGRAM
This Program has been designed to encompass the Premiumbravo company, as well as its branches and any companies that may be under its administration, acting as an economic group. Therefore, we must:
- conduct privacy and personal data protection risk assessments, considering applicable laws;
- have policies and processes in place to comply with applicable legal requirements;
- include privacy and personal data protection in our reports; and
- have an incident response process.
DOCUMENTS OF THIS PROGRAM
‘Annex 1’ includes a brief description of the documents included in this Program. Several of these documents are internal and serve as a guide for Premiumbravo and its employees.
GOVERNANCE AND LEADERSHIP BY EXAMPLE
The company’s management is committed to complying with all applicable legal and regulatory requirements, including those related to the protection and privacy of Personal Data. It is responsible for setting an example, providing leadership, and overseeing the development, implementation, and operation of the Program. The company has a Personal Data Privacy Committee (Committee), composed of representatives from the Human Resources, Administrative, and Marketing departments, which is responsible for ensuring compliance with this Program, the CCPA, and applicable legal and regulatory requirements related to the privacy and protection of Personal Data. The Data Protection Officer is the designated person who will represent the company to the Government and will be responsible for monitoring and developing this Program, reporting to the Committee. The governance functions and responsibilities within the scope of this Program are described in ‘Annex B’.
COMPLIANCE MONITORING
The DPO (Data Protection Officer) must assess the compliance of this Program, related documents, and all company practices with the CCPA and other applicable Personal Data protection laws through periodic assessments.
COMMUNICATION AND TRAINING
The objective of this Program is to ensure that privacy and personal data protection policies and procedures are incorporated and understood through internal and external communication, including training. The philosophy and guidelines of this Program should be communicated to employees and third parties with whom we do business, when appropriate.
KEY CONTACTS
If you have any questions related to this Program or the documents mentioned herein, please contact the Administrative department (Clara Cardoso – clara.cardoso@premiumbravo.pt).
Annex A
Documents of the Personal Data Privacy and Protection Program
1. Personal Data Protection Policy
The Policy is an internal document that describes how Personal Data should be handled by employees to comply with data protection standards and ensure compliance with applicable law, including the CCPA and this Program.
2. Third parties
a. Personal Data Protection Clause: When a Third Party (e.g., an IT supplier) processes, retains, accesses, or uses Personal Data for or on behalf of Premiumbravo (and not for its own purposes), it is recommended to have a written contract in place containing specific clauses for the protection and privacy of Personal Data. These clauses are established to ensure that the processing carried out by Third Parties complies with all applicable legal requirements.
b. Privacy and Data Protection Due Diligence Checklist: The checklist sets out the relevant issues to be considered when conducting due diligence in relation to acquisitions, joint ventures, or other corporate transactions. This checklist is not intended to be exhaustive, and the necessary diligence will depend on the specifics of each transaction.
c. Confidentiality Clauses (when Premiumbravo is the discloser of Personal Data): When Premiumbravo discloses Personal Data (e.g., directors’ passports/employee information) to Third Parties, specific contractual provisions should be included to ensure that the Third Party recipient of the Personal Data is contractually obligated to comply with applicable law, including the CCPA. Please note that if the Third Party is a supplier who will only process Personal Data on behalf of Premiumbravo, the provisions in ‘item 2a’ above shall prevail.
d. Confidentiality Clauses (when Premiumbravo is the recipient of Personal Data): When Personal Data (e.g., directors’ passports/employee information) of Third Parties is disclosed to Premiumbravo, those Third Parties may require privacy clauses to be included in the confidentiality agreement or other applicable documents.
3. Information Security Policy
It describes the process of protecting the confidentiality, availability, and integrity of information. This policy has been established to protect all assets that contain information, including, among others, documents, computers, mobile devices, and network infrastructure components owned, leased, or maintained, controlled and/or used by the company, as applicable.
4. Information Security Incident Response Plan
It defines the structure and processes developed to (i) detect and respond to information security incidents, (ii) determine their scope, risks, and appropriate response, (iii) communicate the findings and risks to all relevant stakeholders, and (iv) reduce the likelihood of recurrence. This plan should be read in conjunction with other policies and procedures, including the Information Security Policy (see item 3 above) and the Privacy and Personal Data Protection Policy (see item 1 above).
5. Employee Privacy and Data Protection Notice
It summarizes the ways in which Premiumbravo collects, uses, discloses, and manages Personal Data of its employees and their respective dependents (if applicable), as well as specifies their rights regarding their Personal Data. This notice should be provided to the employee at the time of their onboarding and should be updated whenever necessary.
6. Notice on Privacy and Data Protection for Applicants
It summarizes the ways in which the Company collects, uses, discloses, and manages Personal Data of individuals applying for employment with the Company, as well as specifies the rights of data subjects regarding their Personal Data. This notice should be provided to the applicant when their Personal Data is collected.
7. Policies and Website Notices
a. Website Data Protection Policy and Privacy Notice – describes the ways in which the Company collects, uses, discloses, and manages Personal Data of website users, as well as specifies the rights of data subjects regarding their Personal Data.
b. Website Terms of Use – are the terms that govern the use of the Company’s website by users.
c. Cookie Policy – informs users of the Company’s website how cookies are used and how users can block cookies. Cookies are small text files that store information about the user’s interaction with a website temporarily or permanently on the user’s hard drive.
ANNEX B
Roles and Responsibilities
1. The management of Premiumbravo
The management of Premiumbravo is responsible for ensuring that the company fulfills its legal obligations regarding privacy and data protection. Premiumbravo has appointed a Data Protection Officer to handle issues related to these areas. If you have any questions or concerns regarding the processing of personal data or about this Policy, please contact the relevant person using the contact information provided: clara.cardoso@premiumbravo.pt.
2. Company Committee
The Company Committee is responsible for ensuring compliance with legal obligations related to privacy and data protection, including the CCPA. It is also responsible for appointing and dismissing the Data Protection Officer, who is responsible for monitoring compliance with this Program, periodically reviewing and approving data protection procedures and related policies, handling data protection inquiries from Employees, dealing with data subject requests related to Personal Data, organizing data protection training and consultancy for Employees, and keeping the Committee informed about changes in data processing activities.
3. Legal Department (outsourced)
a) To review and approve contracts or agreements with third parties, including entering into personal data protection agreements and any transfer terms if applicable.
b) To keep the committee informed about any legal requirements regarding data protection, privacy, and cybersecurity, including their updates.
4. IT Department (outsourced)
a) ensure that the systems, services, and equipment used to store Personal Data comply with acceptable security standards;
b) perform regular checks to ensure that the hardware and software are functioning properly; and
c) evaluate the services of Third Parties that the Company is considering using to store or process Personal Data.
5. Each Employee
Responsible for conducting their activities in accordance with applicable legislation, including the CCPA, and ensuring the proper handling of Personal Data under their responsibility.