SNOG PRIVACY POLICY

This policy aims to establish data protection guidelines and standards, based on respect for privacy, human rights, freedom of expression, the inviolability of privacy and image; that allow employees to adopt standards of behavior appropriate to the company's goals and needs, best market practice standards and current applicable legislation; highlighting the General Data Protection Law – Law No. 13,709/18, as amended by Law No. 13,853/19.


COVERAGES

Applicable to all Snog employees, collaborators, customers and partners in all its locations and Business Units, who process or have access to personal data.

DEFINITIONS

    Personal Data: information related to an identified or identifiable natural person;
    Sensitive Personal Data: personal data on racial or ethnic origin, religious conviction, political opinion, membership of a trade union or organization of a religious, philosophical or political nature, data relating to health or sexual life, genetic or biometric data, when linked to a natural person;
    Anonymized Data: data relating to the holder who cannot be identified, considering the use of reasonable technical means available at the time of its processing;
    Consent: free, informed and unequivocal agreement by which the holder agrees to the processing of their personal data for a specific purpose, and which may be removed at any time by the holder;
    Holder: natural person to whom the personal data that is subject to processing refers;
    Processing: any operation carried out with personal data, such as those relating to collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction;
    Person in charge: person appointed by the Controller and Operator to act as a communication channel between the Controller, the Data Holders and the National Data Protection Authority (ANPD);
    Controller: natural or legal person, under public or private law, who is responsible for decisions regarding the Processing of Personal Data;
    Operator: natural person or legal entity, under public or private law, which carries out the Processing of Personal Data on behalf of the Controller.


GUIDELINES

Snog establishes its PP – Privacy Policy, as an integral part of its SGSI – Information Security Management System and best Corporate Governance practices, in accordance with current legislation, with the adoption of measures to protect the privacy of Personal Data Holders.

The Presidency, its executives and Corporate Governance are committed to effective privacy protection. Therefore, they adopt all appropriate measures to ensure that this Policy is adequately communicated, understood and followed at all levels of the organization. Periodic reviews will be carried out to ensure its continued relevance and suitability to Snog's needs.

All Personal Data is classified appropriately to define its Processing throughout its life cycle.

Any form of transmission, disclosure, transfer or any other Processing of Personal Data without following the guidelines established by this Policy and additional rules is expressly prohibited under penalty of civil and/or criminal proceedings, in addition to the application of labor laws, which may result in termination of the employment contract.

PRINCIPLES OF PROCESSING PERSONAL DATA

All Personal Data Processing must follow the following principles:

Purpose: carrying out the Processing for legitimate, specific, explicit and informed purposes to the Holder, without the possibility of subsequent Processing in a manner incompatible with these purposes;

Adequacy: compatibility of the Processing with the purposes informed to the Holder, according to the context of the Processing;

Necessity: limitation of Processing to the minimum necessary to achieve its purposes, with the scope of relevant Data, proportional and not excessive in relation to the purposes of Data Processing;

Free Access: guarantee, to the Holders, easy and free consultation on the form and duration of the Processing, as well as on the completeness of their Personal Data;

Data Quality: guarantee, to the Holders, of accuracy, clarity, relevance and updating of the Data, according to the need and to fulfill the purpose of its Processing;

Transparency: guarantee, to the Holders, of clear, precise and easily accessible information about the carrying out of the Processing and the respective Processing agents, observing commercial and industrial secrets;

Security: use of technical and administrative measures capable of protecting Personal Data from unauthorized access and accidental or illicit situations of destruction, loss, alteration, communication or dissemination;

Prevention: adoption of measures to prevent the occurrence of damage due to the Processing of Personal Data;

Non-Discrimination: impossibility of carrying out the Processing for illicit or abusive discriminatory purposes; and

Responsibility and Accountability: demonstration, by the agent, of the adoption of effective measures capable of proving compliance with Personal Data protection standards and, including, the effectiveness of these measures.


PERSONAL DATA PROCESSING HYPOTHESES

Personal Data Processing may only be carried out in the following cases:

    By providing Consent by the Holder;
    To comply with a legal or regulatory obligation by the Controller;
    To carry out studies by a research body, guaranteeing, whenever possible, the anonymization of Personal Data;
    When necessary for the execution of a contract or preliminary procedures related to a contract to which the Holder is a party, at the request of the Data Holder;
    For the regular exercise of rights in judicial, administrative or arbitration proceedings;
    For the protection of the life or physical safety of the Holder or a third party;
    When necessary to meet the legitimate interests of the Controller or a third party, except in the case where fundamental rights and freedoms of the Holder prevail that require the protection of Personal Data;

    it can only be carried out in the following cases:

    When the Holder or his legal guardian Consents, in a specific and prominent way, for specific purposes; and
    Without providing Consent from the Holder, in cases where it is essential for:
        Fulfillment of legal or regulatory obligations by the Controller;
        Carrying out studies by a research body, guaranteeing, whenever possible, the anonymization of Sensitive Personal Data;
        Regular exercise of rights, including in contracts and in judicial, administrative and arbitration proceedings;
        Protection of the life or physical safety of the Holder or third parties;
        Guarantee of prevention of fraud and the safety of the Holder, in the processes of identification and authentication of registration in electronic systems, safeguarding the rights mentioned in art. 9 of the LGPD and except in the event that the fundamental rights and freedoms of the Holder that require the protection of Personal Data prevail.

The processing of personal data of children and adolescents must be carried out in their best interests:

    The processing of children's personal data must be carried out with the specific and prominent consent given by at least one of the parents or legal guardian.
    Controllers must not condition holders' participation in games, internet applications or other activities on the provision of personal information beyond that strictly necessary for the activity.
    The controller must make all reasonable efforts to verify that consent was given by the person responsible for the child, taking into account the available technologies.

All Personal Data Processing must establish a deadline for its completion, when the Data must be removed, unless there is some legal basis for its preservation, such as:

    Compliance with a legal or regulatory obligation by the Controller;
    Study by a research organization, ensuring the anonymization of Personal Data;
    Transfer to third parties, as permitted by the LGPD, as in the case of data portability to third parties, when requested by the Data Holder; or
    Exclusive use by the Controller, if the data is Anonymized.

It should be noted that Anonymized Data are not considered Personal Data under the LGPD, except when the process used for anonymization can be reversed using exclusive means, or when, with reasonable effort, it can be reversed.


RIGHTS OF PERSONAL DATA SUBJECT

Every Personal Data Holder has the right to obtain from Snog – as Controller, in relation to the Data processed by it, at any time and upon request:

    Confirmation of the existence of Processing;
    Access to processed Data;
    Correction of incomplete, inaccurate or outdated Data;
    Anonymization, blocking or deletion of unnecessary, excessive Data or processed in non-compliance with the LGPD;
    Data Portability to another service or product provider, upon express request and in compliance with commercial and industrial secrets;
    The elimination of Personal Data processed with the Holder's Consent;
    Information of public and private entities with which the Controller shared the use of data;
    Be informed in a clear and transparent manner at the moment of granting your Consent, and of the possibility of withdrawing such Consent at any time and with the same ease and using the same means used for granting;
    Be informed if any type of incident/leakage of your Data occurs.


PRIVACY BY DESIGN

Under the LGPD, Controllers and Operators must adopt technical and administrative security measures capable of protecting Personal Data from unauthorized access, destruction, loss, modification, communication or other types of unauthorized or illegal Processing. Therefore, to guarantee the privacy of the Holders whose Personal Data is processed by the company, every system involving Processing of Personal Data must follow these guidelines:

    Every system must be developed taking into account the concept of Privacy by Design. In other words, information security measures must be observed from the systems design phase to their implementation. Therefore, the impact on privacy must be analyzed even before its development begins, making the necessary adjustments to ensure that the Privacy of the Holders is preserved;
    In the design process, the “Privacy Impact Analysis” questionnaire must be completed, and development can only begin after approval from Legal and the InfoSec area;
    Unless it is technically unfeasible, the development, testing and approval processes must use Anonymized Data.


RESPONSIBILITIES

All employees of Snog companies are responsible for ensuring compliance with the rules established in current legislation, especially the LGPD. However, some specific areas will have a greater role in guaranteeing the privacy of Data Subjects, according to the responsibilities established below:

RESPONSIBILITIES OF THE PERSON IN CHARGE:

    Define privacy standards that meet legal and business demands, in alignment with Corporate Governance and LGPD guidelines, as well as guide all areas of Snog on such standards and demand their compliance;
    Write and update the Policy, as well as ensure that it is reviewed, according to the frequency defined by Corporate Governance;
    Receive and evaluate the “Privacy Impact Analysis” questionnaires, recommending adjustments when necessary;
    Support the company's areas in maintaining compliance with this Policy;
    Define and maintain the process of responding to the legal demands of Holders regarding their Personal Data;
    Receive and direct to the Information Technology area and the Legal Department the legal demands of Personal Data Holders;
    Meet the demands of the ANPD and other government bodies;
    Coordinate response actions to incidents related to privacy.


CGSI RESPONSIBILITY – INFORMATION SECURITY MANAGEMENT COMMITTEE

Assess information security issues with a focus on protecting Personal Data processed by Snog.


CORPORATE GOVERNANCE RESPONSIBILITIES:

    Determine overall privacy management responsibilities, as well as establish guidelines and support privacy initiatives;
    Review and ensure approval of privacy-related policies;
    Identify and map all relevant legislation and regulations that Snog companies need to comply with.

IT RESPONSIBILITIES – INFORMATION TECHNOLOGY

    Ensure that logs are generated, stored and processed in accordance with business demands, legal requirements and customer requests;
        These logs must be protected against improper access/change; and
        Activities carried out by users with “administrator” or similar credentials must be recorded in logs and reviewed regularly.
    Implement and manage an access control process for Personal Data based on the concepts of “least privilege” and “access need”, which define granting access to the smallest amount of Personal Data and with the least privilege possible to carry out its functions and meet business demands;
    Ensure that all Personal Data is safely removed from equipment that is discarded; and
    Develop and maintain a continuous process for identifying Personal Data;
    Meet the demands of the Data Controller in compliance with the legal demands of the Holders in relation to their Personal Data.


LEGAL RESPONSIBILITY

    Insert contractual clauses that cover the responsibility of suppliers in complying with this Policy, in addition to current internal standards and procedures;
    Develop and apply, when necessary, a “confidentiality agreement” between the company and third parties involved (customers and suppliers), which covers the privacy issue;
    Meet the demands of the Data Controller in compliance with the legal demands of the Holders in relation to their Personal Data.

HUMAN RESOURCES RESPONSIBILITY

    Ensure that all employees are formally aware of this Policy, ensuring recycling of this knowledge;
    Ensure that the Processing of Personal Data carried out by the Human Resources area is in compliance with this Policy and the LGPD.

RESPONSIBILITY OF SUPPLIER MANAGEMENT

    Maintain an updated list of service providers;
    Ensure that suppliers meet the company's privacy demands, using the self-assessment questionnaire (Vendor Risk Assessment).

LEADERSHIP RESPONSIBILITY

    Manage compliance with this Policy, by its employees and service providers;
    Ensure adequate management of changes that may impact privacy;
    Immediately communicate to the person in charge, in the event of an incident involving Personal Data identified in their respective areas;
    Submit any new project involving Personal Data to the Person in Charge and InfoSec, still in its design phase, thus aiming to guarantee the concept of Privacy by Design;
    Ensure that no project is developed and/or implemented without the approval of the Person in Charge and InfoSec.

RESPONSIBILITY OF ALL EMPLOYEES

    Observe and enforce all of Snog's general privacy guidelines;
    Participate in privacy training to which you are invited;
    Be aware of and sign this Policy;
    Immediately report to the person in charge, in the event of an incident involving Personal Data.

Employees who do not comply with the rules established in the PP, PSI – Information Security Policy, the Code of Conduct and other Snog policies are subject to disciplinary sanctions that may result in their dismissal.
