1. Data controller

The CBAA group is composed of four (4) companies: CBAA – ASFALTOS LTDA, a legal entity under private law, enrolled with the National Corporate Taxpayers’ Register (CNPJ) under No. 05.099.585/0001-62, with its principal place of business at Travessa Nove de Janeiro, No. 2155, Fátima, Zip Code 66060-585, Belém/PA; BEST, a legal entity under private law, enrolled with the National Corporate Taxpayers’ Register (CNPJ) under No. 83.332.908/0001-20, with its principal place of business in Ananindeua Industrial District, Sector C, Block 08, S/N, Lots 03 to 06, Zip Code 67.035-330 – Industrial District – Ananindeua/PA; GGFT, a legal entity under private law, enrolled with the National Corporate Taxpayers’ Register under No. 03.031.874/0001-02, with its principal place of business in Ananindeua Industrial District, Sector C, Block 08, S/N, Lots 03 to 06, Zip Code 67.035-330 – Industrial District – Ananindeua/PA; and CABOCLO, a legal entity under private law, enrolled with the National Corporate Taxpayers’ Register (CNPJ) under No. 01.512.723/0001-32, with its principal place of business at Rod. PA 320, S/N, Zip Code 68.748-000 – Rural Area – São Francisco do Pará/PA, so that all companies in the group primarily act as data controllers, collecting data from their employees, customers, suppliers, and service providers.

2. Basis for data protection

The protection of data within the company is a fundamental and foundational criterion in the development of work routines, adoption of new technologies, and establishment of internal conduct and policies, always based on the following principles:

  • Respect for privacy;
  • Informational self-determination;
  • Freedom of expression, information, communication and opinion;
  • Inviolability of privacy, honor and image;
  • Economic and technological development and innovation;
  • Free enterprise, free competition and consumer protection;
  • Human rights, free development of personality, dignity and exercise of citizenship by natural persons.

3. To whom does it apply?

This privacy policy applies to the following cases of collection and processing of personal data and the following individuals:

  • Processing of personal data, including in digital media, by a natural person or legal entity of public or private law, with the aim of protecting the fundamental rights of freedom and privacy, and the free development of the personality of the natural person.
  • Processing operation carried out within the national territory;
  • Processing activity aimed at offering or providing goods or services or processing data of individuals located within the national territory;
  • Personal data, the subject of the processing, that have been collected within the national territory.

4. Glossary and definitions

In order for this policy to be fully understood, it is important to present certain concepts and definitions.

Personal data: information related to an identified or identifiable natural person;
Sensitive personal data: personal data concerning racial or ethnic origin, religious beliefs, political opinions, membership in a trade union or religious, philosophical, or political organization, data concerning health or sex life, genetic or biometric data when linked to a natural person;
Anonymized data: data related to a data subject who cannot be identified, considering the use of reasonable technical means available at the time of its processing;
Database: a structured set of personal data established in one or several locations, in electronic or physical form;
Data Subject: the natural person to whom the personal data being processed refers;
Controller: the natural person or legal entity, public or private, who is responsible for making decisions regarding the processing of personal data;
Data Processor: the natural person or legal entity, public or private, who processes personal data on behalf of the controller;
Data Protection Officer: a person appointed by the controller and data processor to act as a communication channel between the controller, data subjects, and the National Data Protection Authority (ANPD);
Data Processing Agents: the controller and the data processor;
Processing: any operation performed on personal data, such as those referring to the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation or control of information, modification, communication, transfer, dissemination, or extraction;
Anonymization: the use of reasonable technical means available at the time of processing, through which data loses the possibility of direct or indirect association with an individual;
Consent: the freely given, informed, and unambiguous expression by which the data subject agrees to the processing of their personal data for a specific purpose;
Block: temporary suspension of any processing operation, with the personal data or database being kept;
Deletion: removal of a single data or set of data stored in a database, regardless of the procedure employed;
International Data Transfer: transfer of personal data to a foreign country or international organization of which the country is a member;
Shared use of data: communication, dissemination, international transfer, interconnection of personal data, or shared processing of personal databases by public bodies and entities in the fulfillment of their legal competencies, or between these and private entities, reciprocally, with specific authorization, for one or more permitted modes of processing by these public entities, or between private entities;
Personal Data Protection Impact Assessment: documentation by the data controller that contains the description of personal data processing activities that may pose risks to civil liberties and fundamental rights, as well as measures, safeguards, and risk mitigation mechanisms;
Research body: a body or entity of direct or indirect public administration, or a non-profit private legal entity duly organized under Brazilian law, with its principal place of business and jurisdiction in the Country, that includes in its institutional mission or statutory or corporate purpose the basic or applied research of a historical, scientific, technological, or statistical nature.
National authority: A government agency responsible for ensuring, implementing, and overseeing compliance with this Law throughout the national territory.

5. Guiding principles for data processing

The act of processing data by the company should always aim to respect the following principles.

Purpose: processing carried out for legitimate, specific, explicit, and informed purposes to the data subject, without the possibility of subsequent processing that is incompatible with those purposes;
Adequacy: processing compatible with the purposes informed to the data subject, in accordance with the context of the processing;
Necessity: processing limited to the minimum necessary for the fulfillment of its purposes, with the inclusion of relevant, proportionate, and not excessive data in relation to the purposes of data processing;
Free access: guarantee, to data subjects, of easy and free access to information about the way and duration of data processing, as well as the entirety of their personal data;
Data quality: guarantee, to data subjects, of accuracy, clarity, relevance, and currency of data to meet the needs and purposes for which they are processed;
Transparency: guarantee, to data subjects, of clear, accurate, and easily accessible information about the processing activities and the data processing agents involved, while respecting commercial and industrial secrets;
Security: use of technical and administrative measures capable of protecting personal data against unauthorized access, as well as accidental or unlawful situations of destruction, loss, alteration, communication, or disclosure;
Prevention: adoption of measures to prevent harm resulting from the processing of personal data;
Non-discrimination: impossibility of processing for illicit or abusive discriminatory purposes;
Responsibility and accountability: demonstration, by the data processing agent, of the adoption of effective measures capable of proving observance and compliance with personal data protection standards including the effectiveness of such measures.

Based on these guiding principles, all work routines are carried out through the integrated and computerized system present in the company, ensuring that each employee only has access to the data necessary for them to perform their duties.

6. What data is collected and processed?

The company restricts itself to collecting only personal data necessary for compliance with its legal and contractual obligations, mostly from adult individuals.
The type of personal data collected depends on the data subject, so employees, service providers, customers, and suppliers provide different types of data based on the specific needs of the company. Occasionally, the company may collect sensitive personal data; however, when it does so, it is for the purpose of protecting the life and physical integrity of individuals, as well as preventing fraud and ensuring their security. It is possible, in situations required by law, for the company to collect personal data from children and adolescents. However, this only occurs with the express consent granted by their legal guardian.

7. Reasons for data processing

As a general rule, the company processes personal data based on the following reasons:

  • Upon the provision of consent by the data subject;
  • For compliance with a legal or regulatory obligation by the data controller;
  • When necessary for the performance of an agreement or for the performance of preliminary procedures related to an agreement to which the data subject is a party, at the request of the data subject;
  • For the regular exercise of rights in judicial, administrative, or arbitral proceedings, the latter in accordance with Law No. 9.307, dated September 23, 1996 (Arbitration Law);
  • For the protection of the life or physical integrity of the data subject or third parties;
  • When necessary to fulfill the legitimate interests of the data controller or third parties, except when fundamental rights and freedoms of the data subject that require the protection of personal data prevail; or
  • For the protection of credit, including as provided in relevant legislation.

8. Sharing

The company shares the data collected by it to a greater or lesser extent, depending on the qualification of the data subject as a customer, employee, service provider, or supplier, in order to fulfill its legal obligations, especially in the areas of labor, tax, fiscal, and accounting.
Similarly, data may be shared, when required, by judicial order or by police authority, as well as for the protection of the company’s rights in administrative or judicial proceedings.
The acts of data sharing are always carried out with all possible technological precautions to prevent any leakage or unauthorized access.
In addition, the data processors who receive the shared data typically have their own portal for such sharing, which is equipped with the necessary safeguards. They also have a well-defined and implemented privacy policy.
The company does not engage in any form of international data sharing with the data it collects.

9. Data Maintenance

The personal data collected by the company is stored using well-defined procedures and state-of-the-art systems that aim to ensure a high level of control, organization, and protection.
In this way, access to personal data is always monitored by the system, protocols, employees, and security cameras, ensuring that any irregularities are easily identified and corrected.

10. Data retention and deletion

The personal data collected and processed by the company is retained in its database as long as the data subject has an active legal relationship with the company.
Once the legal relationship between them is terminated, depending on each case, the company applies its retention rules to only delete the data after the specified period.
This period is necessary for the company to fulfill any eventual legal or contractual obligations that may arise, even after the legal relationship with the data subject has ended, or to protect its rights in any judicial, extrajudicial, or administrative proceedings.
The deletion of such data is always accompanied by a record of the action, either through the log of the computer system used by the company, or through registration in the respective control book.

11. Rights of data subjects

The LGPD (Brazilian General Data Protection Law) establishes that data subjects have the following rights against data controllers and data processors:

  • Confirmation of the existence of processing;
  • Access to the data;
  • Correction of incomplete, inaccurate or outdated data;
  • Anonymization, blocking, or deletion of data that is unnecessary, excessive or processed in non-compliance with the provisions of this Law;
  • Portability of data to another service or product provider, upon express request, in accordance with the regulations of the national authority, observing commercial and industrial secrets;
  • Deletion of personal data processed with the consent of the data subject, except in the cases provided for in Article 16 of this Law;
  • Information about the public and private entities with which the controller has shared data;
  • Information about the possibility of not providing consent and about the consequences of refusal;
  • Revocation of consent, in accordance with § 5 of Article 8 of this Law.

These rights can be exercised by data subjects free of charge, under the terms below. Data subjects can exercise their rights, as provided by the LGPD and listed above, by submitting a physical request at the reception of the data
by sending an email directly to the data protection officer.
Address: encarregado.lgpd@localhost

GENERAL REQUEST FOR DATA SUBJECTS, UNDER THE TERMS OF THE LGPD (LAW No. 13,709)
The deadline for responding to the request is five (5) business days.
Any and all complaints regarding the violation or suspected violations of the terms of this policy should be reported directly to the Data Protection Officer, using the email address provided above.

12. Applicable law and jurisdiction

This Privacy and Data Protection Policy (PPDP) is governed by the LGPD and will be periodically updated, whenever necessary, either due to internal adjustments by the company or because the National Data Protection Authority (ANPD) has issued rules to enhance good practices and governance. The jurisdiction of the judicial district of Belém/PA is hereby elected to settle any matters related to this document: encarregado.lgpd@localhost