Privacy Policy

INTERNAL PRIVACY AND PERSONAL DATA PROCESSING POLICY

The Board of Directors of Iguá Saneamento S.A. (“Iguá”) holds the legal responsibility for setting the overall direction of the company’s business. In exercising these responsibilities, and with the purpose of establishing the general principles that shall govern the processing of personal data across all entities within the group controlled by Iguá (“Iguá Group”), the Board of Directors hereby approves this Internal Privacy and Personal Data Processing Policy (“Policy”).

1. Introduction

Iguá is committed to the processing of personal data in accordance with Law No. 13,709 of August 14, 2018, known as the General Data Protection Law (“LGPD”).

This Policy serves as the foundational pillar for all internal practices and procedures of the Iguá Group related to personal data processing, which must always be guided by the terms set forth herein and by the provisions established in other internal policies and regulations to be developed, which will establish specific rules applicable to the Iguá Group.

2. Basic Concepts and Definitions

The definitions below are essential for understanding the terms used throughout this Policy.

National Data Protection Authority (ANPD)

Public administration body responsible for overseeing, implementing, and supervising the LGPD. It has the authority to impose sanctions, such as fines, for violations of the LGPD.

Controller

The natural or legal person, under public or private law, responsible for decisions regarding the processing of personal data, defining the means and purposes of such processing. (E.g., Iguá is the Controller of its employees’ personal data in relation to the processing activities necessary to execute their employment contracts).

Personal Data

Any information related to an identified or identifiable natural person. (E.g., name, phone number, address, ID, CPF are all personal data.)

Sensitive Personal Data

Data revealing racial or ethnic origin, religious beliefs, political opinions, union membership, or affiliation with religious, philosophical, or political organizations, as well as data concerning health, sex life, genetic, or biometric data. (E.g., blood type, as a genetic data point, is considered sensitive personal data.)

Data Protection Officer (DPO)

The natural or legal person appointed by the Controller to act as the communication channel between the Controller, data subjects, and the National Data Protection Authority.

Data Subject

Any natural person to whom the personal data refers. (E.g., Iguá employees are all data subjects.)

Processing

Any operation carried out with personal data, including but not limited to collection, sharing, communication, access, reproduction, processing, storage, deletion, and modification.

3. Scope of Application

This Policy applies to the officers, directors, and employees of the Iguá Group. In those entities or investments in which the Iguá Group does not hold control, their representatives shall strive to observe the provisions of this Policy and promote, to the extent possible, the application of its principles.

4. Principles of Personal Data Processing

The entities of the Iguá Group shall strictly comply with the LGPD, ensuring that the principles set forth in this Policy are considered: (i) in the design and implementation of all procedures involving the processing of personal data; (ii) in the products and services offered by the Iguá Group; (iii) in all contracts and obligations executed; and (iv) in the implementation of systems and platforms that allow employees or third parties to access and/or process personal data.

Personal data processing activities must be conducted in good faith and in accordance with the following principles. If any processing activity does not comply with these principles, it must not be performed and should be immediately reviewed.

(i) Purpose. Personal data shall only be processed for a specific, legitimate, explicit, and informed purpose. Subsequent processing that is incompatible with the stated purposes is not allowed.

(ii) Adequacy. Processing must be compatible with the purposes informed to the data subject, in the context of the processing.

(iii) Necessity. Processing must be limited to the minimum data necessary to fulfill its purposes, including only relevant, proportionate, and non-excessive data.

(iv) Free Access. Data subjects shall be guaranteed easy and free access to information about the form and duration of processing, as well as the entirety of their personal data.

(v) Data Quality. Personal data must be accurate, clear, relevant, and up to date, according to the purpose for which it is processed. Outdated or irrelevant data should not be processed.

(vi) Transparency. The Iguá Group shall provide clear, accurate, and easily accessible information to data subjects regarding the processing and the relevant data processing agents, especially the method and duration of processing, respecting commercial and industrial confidentiality.

(vii) Security. The Iguá Group shall implement technical and administrative security measures to protect personal data from unauthorized access, and from accidental or unlawful situations of destruction, loss, alteration, communication, or dissemination.

(viii) Prevention. The Iguá Group shall adopt measures to prevent the occurrence of damage due to personal data processing.

(ix) Non-Discrimination. The Iguá Group shall never process data for illicit or abusive discriminatory purposes.

(x) Accountability and Demonstration. The Iguá Group shall adopt effective measures capable of proving compliance with personal data protection rules and the effectiveness of these measures.

5. Legal Bases for Personal Data Processing

The Iguá Group shall only process personal data in accordance with the legal bases authorized by the LGPD, including but not limited to:

(i) with the data subject’s explicit consent;

(ii) for compliance with legal or regulatory obligations;

(iii) for the execution of contracts or preliminary procedures related to contracts involving the data subject;

(iv) for the regular exercise of rights in judicial, administrative, or arbitral proceedings;

(v) to protect the life or physical safety of the data subject or third parties;

(vi) to serve legitimate interests of the Iguá Group or third parties, except when overridden by the fundamental rights and freedoms of the data subject;

(vii) for credit protection purposes.

6. Data Subjects’ Rights

In accordance with Article 18 of the LGPD, data subjects have the right to obtain from the Iguá Group, at any time and upon request:

(i) confirmation of the existence of processing;

(ii) access to their data;

(iii) correction of incomplete, inaccurate, or outdated data;

(iv) anonymization, blocking, or deletion of unnecessary, excessive, or unlawfully processed data;

(v) portability of data to another service or product provider, upon express request, pursuant to ANPD regulations, respecting commercial and industrial secrecy;

(vi) deletion of data processed with consent, except where retention is legally permitted;

(vii) information on public and private entities with which the controller has shared data;

(viii) information about the possibility of withholding consent and consequences of such refusal;

(ix) withdrawal of consent.

7. Implementation

The Compliance and Internal Audit department, together with the Legal department of the Iguá Group, shall be responsible for developing and updating internal policies and standards on global data protection management, which shall be mandatory for all Iguá Group officers, directors, and employees.

The Legal department shall report to Compliance and Internal Audit any regulatory developments in this area, including specific rules regarding the processing of employees’ personal data and the handling of data subject requests.

The Information Technology (IT) department, or any department that assumes its functions, shall implement appropriate controls and technological developments in the Iguá Group’s information systems to ensure compliance with internal data protection policies and to keep such developments up to date.

The Iguá Group shall appoint a Data Protection Officer, in accordance with Article 41 of the LGPD, who shall be responsible for ensuring compliance with legal requirements and internal and external policies, and shall support personal data management, taking into account the particularities of the Iguá Group entities.

8. Training

With the support of the Privacy and Data Protection Committee, the Iguá Group shall develop a specific training program to ensure that all employees are aware of this Policy and other internal policies and standards approved by the Committee.

9. Disciplinary Sanctions

All employees must fully comply with this Policy and the internal policies and standards approved by the Privacy and Data Protection Committee. In case of violations, the following disciplinary sanctions may be applied: (i) written warning; (ii) suspension; (iii) termination of employment for cause; (iv) filing of civil or criminal lawsuits, in cases where violations cause harm to the Iguá Group or constitute criminal offenses.

10. Policy Updates

This Policy may be revised and updated from time to time to reflect improvements in personal data processing practices and to enhance the security and transparency of the Iguá Group’s operations.

11. Internal Use Only

This Policy and the internal policies and standards approved by the Privacy and Data Protection Committee are for internal use only and may not be shared externally without prior authorization from the Board of Directors or the Committee. Unauthorized disclosure of these materials may result in the disciplinary sanctions set forth in Section 9 above.