Privacy Policy and Data Protection

I - SCOPE AND OBJECTIVE

The present policy defines the procedures through which the firm collects, processes, and stores personal data, applying to all services offered in its portfolio, considering safeguarding data protection rights as part of its social responsibility. This policy applies to individuals who interact with Dannemann Siemsen as clients and employees.

The objectives of the Privacy and Data Protection Policy are:

• To ensure that the data titleholders understand, in a transparent manner, how the firm collects and uses their data, as well as the ways they are shared.
• To explain to the data titleholders their rights and choices related to data which are collected and processed, and how the firm preserves the data titleholders' privacy.

II - DEFINITIONS

The terms adopted in this document follow the definitions set forth in Article 5 of Law 13,709 of 08/14/2018 and subsequent amendments.

III - PROCESSING OF PERSONAL DATA

The dissemination of any information concerning the firm or its clients may only be made by authorized persons, respecting their classification and only after the necessary precautions have been taken in order that such information reaches exclusively to those entitled and with authentic and complete information.

According to the limits applicable by law, Dannemann Siemsen may process the personal data described below.

Personal information collected and processed by the office:

• Identification data, qualification and contact: full name, e-mail, telephone, tax identification number (CPF, Tax Id, Social Security Number, or other similar document), civil identification number (ID, passport, etc.), professional identification number (OAB, CREA, or similar document), international identification numbers (visas, international wallet, or similar document), health identification number (health insurance card, dental card, INSS, life insurance, or similar document), bank account numbers, as well as date of birth.
• Sensitive data: the firm collects, processes and stores the following sensitive data linked to natural persons, such as those related to the race and physical disability of its employees. The collection and processing of this type of data is done exclusively for the purposes of Law No. 8,213/1991. The collection, processing, and storage of data related to race, on the other hand, is done for the exclusive purposes of Law 12,288 of June 20, 2010. Other sensitive data handled includes union membership for union contribution purposes; health-related data, in compliance with Occupational Health Regulatory Standards or in situations such as, for example, when the Human Resources sector is informed about health problems of its employees; fingerprinting for building access; and data related to psychological profiles in the recruitment and selection process.
• Academic and professional data: specifically for the selection processes conducted by the office, information may also be collected, such as schooling, work portfolio, profession, certificates, information related to technical and personal skills, and other similar information voluntarily reported to the Human Resource;
• Information produced in telephone conversations, personal meetings, or in events involving the participation of members of company’s professional staff when they act on behalf of the company;
• Technical data, such as information related to interactions between devices used to access the firm's website, including IP addresses, geographic location, browser type, number of visits to the site, as well as hardware model, searches performed on the firm's website and network information that may be collected by third-party analytical tools working for Dannemann Siemsen that use cookies or similar technologies.

Dannemann Siemsen may collect this information in different ways and, regardless of the source of the data, its processing will be governed by this Privacy Policy. Any doubts may be clarified through our e-mail privacidade@dannemann.com.br.

Forms of data collection

The office collects data through the following sources:

• Instructions received by telephone, post office, courier, e-mail, fax or through the office's website;
• Via surveys, through feedback given to the office by phone, fax, e-mail, through the website, or personally;
• Via cookies when you browse our websites;
• By accessing third-party websites or those of our service providers whose purpose is directly related to Dannemann Siemsen's professional activities;
• During visits at the office;
• Via newsletter subscriptions, articles, news, or other forms of mailing lists;
• At events provided by the office;
• At events organized by the firm's clients or other entities;
• In interactions with suppliers of goods or service providers;
• In the reception of resumes destined for the office and in interviews held during the selection process;
• Through our payment partners for sending invoices and processing payments.

In certain situations, the office may receive personal data from other sources, as per examples below:

• Recruitment agencies, employers and contact references, which may provide information about an individual in a selection process;
• Service providers, for cases in which the firm will use solutions that hold a direct connection with its professional activities (e.g., Google Analytics to monitor visits to the firm's website, among other services that the firm may contract);
• Security partners: the office receives data from the Security Information and Event Management (SIEM) service that is able to gather data from different sources, identify non-standard activities, and block suspicious activities while ensuring security;
• From third parties, in situations where obtaining contact data is essential to the firm's professional activities, such as in cases of violations that clearly threaten the intellectual property rights of the firm's clients;
• Public sources such as, for example, the websites of the National Institute of Intellectual Property (INPI), the World Intellectual Property Organization (WIPO), the Ministry of Economy, the Ministry of Health, the National Library, and the Federal University of Rio de Janeiro, among others, that may support the office's professional activities.

IV - PURPOSE OF THE PROCESSING OF PERSONAL DATA

Reasons for collecting, processing and storing information

The firm will always use personal data based on legal permissives, including:

• Consent by the owner of the personal data;
• By virtue of a contract for services rendered by the firm;
• To comply with legal and regulatory obligations;
• To defend the legitimate interests of the firm, considering the impacts of the use of the information and provided that the interests of the firm do not override the interests of the data subject.

Purpose for which the information is used

We use personal data for purposes related to the provision of our services, so such information will be useful for:

• Registration update, user identity identification and authentication, and any other information that helps us increase security and prevent fraud;
• Effectively offering and providing services, and to guarantee the fulfillment of the contractual obligations undertaken;
• Communication with data titleholders for purposes related to services provided;
• Responding to the requests or comply with the instructions of its clients, or for the performance of contracts to which the data titleholders is a party, at the data data titleholders’ own request, or for the regular exercise of rights in legal, administrative or arbitration proceedings, or based on the legitimate interests for conducting the business of Dannemann Siemsen;
• Conducting the recruitment and selection process, whereby the holder of the personal data has the guarantee that his data will not be used for other purposes;
• Maintaining relationships with data titleholders when sending information related to intellectual property, as well as changes in laws or updates in regulations in certain sectors that are of interest to the subscribers of the circulars and newsletters issued by the office;
• Ensuring the safety of your employees;
• Processing or receiving payments.

Important Considerations about Web Beacons and Navigation Cookies

With respect to the navigation of Dannemann Siemsen's web site, we point out that web beacons are used, but only to obtain statistics on the use of the site, not for selling services, inviting to events, marketing or forwarding to third parties. A web beacon is a technique used in web pages and in e-mails that allows verifying if a user has accessed a specific content.

Regarding the use of cookies, we inform you that these are used to simplify the use of the office website, improving navigation and increasing, for example, the efficiency of the searches performed by users. In this sense, the user must allow cookies (a data package sent to the user's browser whenever the site is visited) to be installed in his or her device. However, if the user is uncomfortable with such an installation, he can change the settings in his own browser to reject cookies. This option can be consulted in the "help" section of the browser. However, if the user chooses to reject the installation of cookies in their browser, they may not be able to access all of the functionality available on the website. A non-exhaustive list of the cookies used by the website www.dannemann.com.br as well as their purposes of use are listed below:

Dannemann Siemsen's website may contain material and links to third-party websites, which also use cookies. However, the office is not responsible for controlling such links, nor for the content uploaded by these third parties, that is, this privacy notice does not apply to such sites. In this case, the user should consult the cookies policies of each of websites responsible to learn how they collect and use personal information, as well as the purposes for using cookies.

V - SHARING PERSONAL DATA

Dannemann Siemsen may share personal data with:

• Providers of software and other information technology for the purpose of managing registration, documentation and other arrangements necessary for the operation of Dannemann Siemsen;
• Correspondents, experts, business partners, partner firms (national and international), auditors, accountants, translators, and financial institutions to assist in the provision of legal services, depending on demand;
• Non-governmental organizations, including Dannemann Siemsen Institute, so that the holder can receive eventual contents and communications that may be of his interest, in the field of Intellectual Property and related areas;
• National or international legal publications;
• Governmental agencies and other authorities, such as the National Institute of Industrial Property (INPI);
• World Intellectual Property Organization (WIPO), Ministry of Economy, Ministry of Health, National Library, Federal University of Rio de Janeiro, among others.

International information transfers

Dannemann Siemsen may transfer personal data outside Brazilian territory, provided that this is done in order to comply with legal or contractual obligations, or when the data titleholder gives his/her consent, or to provide its services in a foreign country, in which situation it will only transfer the minimum data necessary for the provision of the service, ensuring that data protection measures are applied during the transfer process.

Information Security

The firm follows procedures that guide all personal data handling, adopting physical, technical, and organizational security measures to protect its tangible and intangible information assets.

VI - PERSONAL DATA RETENTION

The office keeps personal data only as necessary to:

• Comply with legal obligations, to enforce contracts to which the data subject is a party (at the data subject's own request), or for the regular exercise of rights;
• Resolve problems in the dice holder's account;
• Comply with tax, audit and accounting source obligations, retaining the necessary personal data for the period required by applicable law;
• Ensure the security of data titleholders to prevent fraud;
• Defend the legitimate interests of the firm, without these superseding the rights guaranteed to the data titleholders.

Termination of personal data processing by Dannemann Siemsen will occur in the following cases:

• When the purpose for which the Personal Data Titleholder’s personal data were collected is achieved and/or the personal data collected are no longer necessary or relevant to the achievement of such purpose;
• When the Data Titleholder has in his or her right to request the termination of the processing and the deletion of his or her personal data and he does it;
• When there is a legal determination to do so.

In such cases of termination of personal data processing, except in the cases established by applicable law or by this Privacy Policy, the personal data will be deleted.

The office adopts, for the disposal of physical files, safe ways that guarantee the impossibility of recovering any data, upon evidence or report that ensures the total disposal of the files.

The disposal of electronic media and IT and telecommunication equipment is done by third-party companies that use methods that guarantee the impossibility of data recovery and thus, these are not available for access by unauthorized people, avoiding the leak of sensitive data.

VII - RIGHTS OF THE HOLDERS

Rights to use personal information

In order to preserve the freedom, intimacy and privacy of data titleholders, they may, at any time, request the office to copy their data, in part or fully, provided they request it in advance at privacidade@dannemann.com.br. Additionally, any holder has the following rights over their data stored at the office:

• Right not to authorize the use of personal data for marketing purposes;
• Right to request any kind of update, data correction, deletion or anonymization of his personal data;
• Right to be informed in the ways in which the firm is using and/or sharing its data subjects' data, whether with public or private companies;
• Right to revoke consent previously provided for data processing by the office;
• Right to receive a copy of any of your information that is held by the office, as well as the right to request the transfer of the data to another service provider, provided that you have been previously informed through one of the available communication channels and within the appropriate timeframe;
• Right to request, limit or stop the processing of your information.

Data Confirmation

The firm may request specific data for its clients in order to confirm identities, differentiate homonyms and to allow the client due and safe access to portals and other communication systems at the service of the firm. The purpose of this request is to ensure that security measures are followed, as well as to prevent personal data from being mistakenly passed on to third parties.

VIII - THIRD PARTIES'/CONTROLLERS' RIGHTS AND OBLIGATIONS

In cases where we receive personal data from third parties/controllers to be processed in our activities, it is up to the third parties/controllers that forward the data to us to:

• Prove that the personal data was obtained in accordance with one of the legal bases provided for in the LGPD;
• Keep a record of the personal data processing operations it carries out;
• Prepare data protection impact report, upon request of the national data protection authority,
• Inform the data titleholder if there is any change in the purpose for which the data was collected;
• Be jointly and severally liable if it causes third parties harm due to a violation of the LGPD.

The controller is allowed to formulate good practice and governance rules that stipulate organizational conditions, procedures, security standards, technical standards, specific obligations, internal mechanisms for supervision and risk mitigation, as well as other aspects related to the processing of personal data, provided its competencies are respected.

The controller is permitted to retain data when the processing period has ended to be able to comply with legal and regulatory obligations. The controller may also make exclusive use of such data, provided it is anonymized, and access to it by third parties is expressly prohibited by law.

Data Exclusion Exceptions

Termination of personal data processing will occur in the following cases:

• On the revocation of consent by the data titleholder, where the processing is carried out only on that basis;
• When all the objectives have been met and the obligations arising from services rendered by the office have been extinguished;
• When all the objectives have been met and the legal and regulatory obligations applicable to the treatment have been extinguished;
• When there are no longer situations of legitimate interest to the office that require continued treatment.

Please note that personal data that may have been provided to one or more government agencies (such as the INPI, the Judiciary, etc.), or international entities (such as WIPO) in the course of data processing will NOT be excluded automatically. The firm will only process requests for exclusion, and will eventually exclude, only those personal data that are in its possession at the time the exclusion is requested.

Any requests for exclusion of data before government agencies, national and/or international, should be requested by the owner directly before these agencies.

The principles of prevention and security will also be observed in the deletion of data.

The following exceptions are provided for cases of anonymization, blocking or deletion of unnecessary, excessive or non-compliant data, and/or deletion of personal data processed with the consent of the data subject:

• Compliance with a legal or regulatory obligation;
• Study by research organization, guaranteed, whenever possible, anonymization;
• Transfer to third parties;
• Exclusive use of the Controller (anonymized).

The data retention policy should be amended to define the legal and regulatory reasons for retaining categories of personal data for specified periods of time. This policy needs to be implemented in new and existing systems.

Audit

The Data Controller shall have the right, at its discretion and bearing all associated costs, to (i) appoint an independent expert, or (ii) send an expert or internal auditor, who shall have access to the firm's Data Processing facilities and receive the information necessary to be able to audit the firm's effective compliance with its Data Processing obligations.

The Controller may perform, under the same conditions, ad hoc audits, upon simple written notice of at least twenty-four (24) hours in advance in case of:

• security incident notified by the Operator to the Controller;
• incident of data leakage notified by the Operator to the Controller;
• news or report by a third party or discovered by the Controller about a security incident or data leak whose responsibility can be reasonably attributed to the Operator or which involves personal data under the care of the Operator;
• facts of public knowledge, news or subpoena from competent authorities or any other reliable news that may imply risk to the Personal Data in the Operator's custody or imply risk to the Controller in relation to the Data Processing conducted by the Operator.

In the event of an audit request, if the audit verifies that all processing is being done in accordance with this policy, the firm may seek reimbursement of the Man-Hour amounts corresponding to the time spent by its personnel to comply with the audit requests.

Sanctions

In addition to the responsibility to indemnify the data subject, the LGPD provides for administrative sanctions in the event of non-compliance. Data processing agents are subject to the following penalties as result of violations of the LGPD rules:

• Warning, with indication of deadline for the adoption of corrective measures;
• A fine of up to 2% of the company's or group's revenues limited, in total, to R$50 million per violation;
• Publicizing the infraction after it has been duly ascertained and confirmed;
• Blocking of the personal data corresponding to the violation until it is regularized;
• Deletion of the personal data corresponding to the infringement;

All sanctions will be preceded by an administrative procedure that guarantees the violator's ample defense. The sanctions may be applied cumulatively, by day and infraction, but always based on the gravity and extension of the violation.

Except in those cases where the firm is responsible for collecting the data directly from the data titleholder, the third party/controllers of the personal data sent to the firm will be liable for all fines and penalties imposed on the firm as a result of processing data for which they did not have proper authorization from the data titleholders.

IX - CHANGES TO THE PRIVACY POLICY

The firm is empowered to change this privacy policy from time to time and to post such updates on its website or by e-mail to those who voluntarily opt to receive marketing communications from the firm. However, in order to clients or interested parties receive such notifications, it is essential that their registration data be duly updated. The firm will always request to be informed of any registration changes while the client relationship is active.

This Privacy and Data Protection Policy will be critically reviewed annually, or upon significant changes, to ensure its relevance, adequacy, and effectiveness. Dannemann Siemsen's Privacy and Data Protection Policy should be known and followed by all partners, employees, and service providers. Whenever possible, an independent critical review may be performed to ensure that information security, data privacy, and its internal systems are implemented and operated in compliance with the firm's policies and procedures.

Users who wish to obtain information, clarify doubts or exercise the rights provided by law should send an e-mail to privacidade@dannemann.com.br. The request will be analyzed and answered within the legal timeframe or, in its absence, within a reasonable timeframe, unless there are factual or legal reasons that prevent it from being answered.

Foreman/DPO: Eduardo C. A. de Mello e Souza

Rodolfo Amoedo, nº 300, Barra da Tijuca

Rio de Janeiro, RJ, Brazil, CEP 22.620-350

Date Updated: 09/02/2021

Revision: 07/02/2025