Data Protection Policy
1. Introduction
1.1. Presentation and Objectives
This document defines the guidelines and strategies for the protection of personal data within the scope of the processes and activities of the companies Horizon Serviços Técnicos de Seguros Ltda (CNPJ 29.234.610/0001-31) and Servitas Serviços Auxiliar de Seguros Ltda (CNPJ 83.618.009/0001-98), hereinafter referred to as Horizon Servitas.
This document also defines the information life cycle along with Horizon Servitas' processes and activities, as well as the treatment to be carried out at each stage of this life cycle.
This Data Protection Policy observes the data protection requirements defined in LAW No. 13,709, OF AUGUST 14, 2018 – General Data Protection Law.
1.2. Related Documents
This Data Protection Policy is related to other internal standards and procedures of Horizon Servitas, such as:
- Code of Conduct and Ethics;
- Information Security Policy;
- Information Classification Policy;
1.3. Definitions
In this Data Protection Policy, the concepts defined in Article 5 of LAW No. 13,709, OF AUGUST 14, 2018 – General Data Protection Law apply, in addition to the concepts below:
- DPO (Data Protection Officer): equivalent to the concept of Data Protection Officer cited in the General Data Protection Law;
- ROPA (Record of Processing Activities): equivalent to the Record of Personal Data Processing Operations cited in the General Data Protection Law; in this document it is referred to as "Record of Operations" or, in short, as ROPA;
- DPIA (Data Protection Impact Assessment): equivalent to the Personal Data Protection Impact Report cited in the General Data Protection Law.
1.4. Authors
This Data Protection Policy is authored by the Information Security and Data Protection Committee under the advice of Tracker Segurança da Informação.
The application of this policy, its review and maintenance are the responsibility of the Information Security and Data Protection Committee, whose list of members is available at the end of the Information Security Policy currently in force.
Questions about the application of this policy or suggestions for changes and improvements can be directed to the email laureano@horizonsts.com.br.
1.5. Version and Revision
This Data Protection Policy is in version 1.1, approved on December 4, 2025.
This document must be reviewed and a new version must be prepared, approved, disseminated and distributed according to the requirements defined in the Information Security Policy.
1.6. Relationship with the Information Security Policy
In order to ensure the information security of personal data, the guidelines and definitions of this Data Protection Policy are subject to all the definitions of the Information Security Policy, such as:
- Logical information security management;
- Physical information security management;
- Commitment of senior management;
- Scope of application;
- Training and periodic evaluation;
- Awareness and dissemination of culture;
- Review and update;
- Periodic internal and external audit;
- Incidents and disciplinary measures;
1.7. Physical and Logical Information Life Cycle
Within the scope of this Data Protection Policy, physical and logical data are organized according to the following life cycle:
- Data Collection: consists of obtaining information from the holder or third parties on behalf of the holder. Within the scope of LAW No. 13,709, it covers the following treatment situations: collection, production and reception;
- Data Storage: consists of the physical or logical archiving of information in the horizonsts.com.br environment, or in a third-party environment on behalf of horizonsts.com.br. Within the scope of LAW No. 13,709, it covers the following processing situations: archiving and storage;
- Access to Data: consists of the use of data for data processing. Within the scope of LAW No. 13,709, it covers the following processing situations: use, access, processing, evaluation or control of information, modification and extraction;
- Data Sharing: consists of making data available to operators on behalf of horizonsts.com.br. Within the scope of LAW No. 13,709, it covers the following processing situations: transmission, distribution, communication, transfer and dissemination;
- Elimination: consists of the definitive deletion of the data or its anonymization, so that the data can no longer be used to identify an individual. Within the scope of LAW No. 13,709, it covers the following processing situation: elimination.
1.8. Principles of Data Protection and Information Security
The following data protection and information security principles must be observed by Horizon Servitas throughout the lifecycle of personal data:
- Purpose: the processing of personal data can only occur after a clear purpose has been defined, duly registered in the purpose map and with a defined legal basis.
- Adequacy: the processing must be restricted to the defined purpose and must not occur in a way that is incompatible with such purpose.
- Necessity: the information obtained must be restricted to the minimum necessary for the achievement of the previously defined purpose, covering only the data relevant to it.
- Free Access: the holders of personal data must have a service channel that allows them to consult about the form, treatment and security of their personal data.
- Data Quality: the data processed must be clear, accurate, relevant and up-to-date, in relation to their respective specific purposes.
- Transparency: the holders of personal data must have a service channel that allows them to obtain clear and accurate information about the processing carried out with their data, including in relation to the processing agents involved.
- Security: Horizon Servitas shall plan, implement, maintain, critically analyze, and continuously improve technical and administrative information security management measures.
- Prevention: the technical and administrative measures of information security management must also act to prevent the occurrence of incidents.
- Non-Discrimination: under no circumstances will the processing of personal data be used in discriminatory, unlawful or abusive situations.
- Responsibility and Accountability: Horizon Servitas must have controls and mechanisms in place to demonstrate the effectiveness of its information security and data protection measures.
2. DATA PROTECTION ORGANIZATION
2.1. Data Protection Responsibilities
- The person in charge of personal data protection.
  - The Data Officer of Horizon Servitas is Mrs. Laureano Dalla Costa, holding the position of Director.
- The activities of the person in charge consist of:
  - Accepting complaints and communications from data subjects, providing clarifications and adopting measures;
  - Receiving communications from the national authority and taking action;
  - Guiding employees and contracted companies on the practices to be adopted in relation to the protection of personal data;
  - Tracking data protection compliance through the implementation of administrative and technical data protection controls;
  - Monitoring all resolutions issued by the ANPD and applying them to the organization.
- The information security and personal data protection committee.
  - Horizon Servitas must maintain an information security and personal data protection committee.
  - The information security and personal data protection committee is responsible for defining and enforcing the company's personal data protection policies.
  - The data officer will be supported in his or her duties by the Information Security and Data Protection Committee.
- The working group on personal data protection.
  - Horizon Servitas must maintain a working group on personal data protection with direct representatives from all sectors that process personal data.
  - The personal data protection working group is responsible for maintaining the Register of Personal Data Processing Operations (ROPA).
  - The Data Officer will be supported in his or her duties by the Data Protection Working Group.
- Register of Personal Data Processing Operations (ROPA).
  - Horizon Servitas must maintain a Register of Personal Data Processing Operations (ROPA).
  - The Register of Personal Data Processing Operations (ROPA) must contain, together with the purposes by sector, the types of data processed, the resources involved and the associated legal basis.
  - Horizon Servitas' responsibility for the processing of personal data, whether as controller or operator, must be included in the Register of Personal Data Processing Operations (ROPA).
  - The Register of Personal Data Processing Operations (ROPA) must contain a list of the other data processing agents (operators and controllers) with whom Horizon Servitas shares personal data, including whether an international transfer takes place.
2.2. Privacy Management Controls
- Information Security and Privacy Governance Program.
  - Horizon Servitas must maintain an ongoing and up-to-date Information Security and Data Privacy Governance program.
  - Action Plans in Information Security and Data Privacy;
  - Information Security and Data Protection Committee;
  - ROPA - Register of Personal Data Processing Operations;
  - Risk Management in Information Security and Privacy;
  - Information Security Policy;
  - Data Protection Policy;
  - Information Classification Policy;
  - Information Security Incident Response Plans;
  - Security Policy for Suppliers and Service Providers;
  - Internal and external audits of information security and privacy;
  - The above elements must be properly defined in Horizon Servitas' Information Security Policy or related documents.
2.3. Technical Privacy Controls
- Technical/technological controls for information security.
  - Horizon Servitas must maintain an information technology policy that includes technological controls for information security.
  - Technical/technological controls must be described throughout the data life cycle in the Information Technology Policy or related documents.
  - The encryption controls used by the company must be formalized in the Information Technology Policy or related documents.
- Privacy by design and privacy by default controls.
  - In all Horizon Servitas projects, systems and resources, privacy must always be set and configured by default.
  - Horizon Servitas' business projects, products or services must be evaluated against a checklist of privacy requirements before being put into effect within the organization's structure.
  - Information systems and information technology infrastructure tools must be evaluated against a checklist of privacy requirements before being incorporated into the Horizon Servitas environment.
2.4. Fulfillment of Privacy Requests
- Privacy Reporting.
  - In order to comply with the right to Confirmation of Data Processing, Horizon Servitas must prepare and maintain a standard personal data processing report, which demonstrates the processing carried out during the life cycle of the data subjects' data.
  - Horizon Servitas must prepare and maintain a standard data protection impact report (DPIA), which will be extracted from the information security and privacy risk analysis.
- Data Privacy Portal.
  - Horizon Servitas shall maintain a portal of publications on data privacy information.
  - Information about the data officer and his or her duties must be included in the data privacy portal.
  - The processing of data of children and adolescents must be published and kept up to date on the privacy publication portal.
  - The possibility for the data subject to request a list of the legitimate-interest purposes applied to the processing of their personal data must be published on the portal.
  - The communication channels for handling requests related to data privacy must be published on the data privacy portal.
- Data Subject Service.
  - Employees who serve customers and the general public directly should be trained on how to route privacy requests to the appropriate service channel.
  - Requests for personal data processing reports must be duly registered and prioritized for immediate response, according to the company's technical and human availability.
  - Requests for adequacy/correction of data must be duly registered and prioritized for immediate response, according to the company's technical and human availability.
  - Requests for deletion of data, and the corresponding deletion, must be duly registered and prioritized for immediate response, according to the company's technical and human availability.
3. DATA LIFECYCLE PROTECTION
3.1. Data Protection in the Collection Phase
- General guidelines for data collection.
  - No collection of personal data may be carried out at Horizon Servitas without the respective purpose being duly registered in the Register of Personal Data Processing Operations (ROPA).
  - Horizon Servitas must collect strictly the data necessary for the fulfillment of the registered purposes.
  - For traceability purposes, physical and logical data collection must generate entry records (logs) of the data into the company.
  - The collection of sensitive digital data must be done through means protected by encryption or password.
  - All data collection from children and adolescents must be carried out together with obtaining specific consent from legal guardians.
- Data collection in the capacity of controller.
  - All data collection in the capacity of controller should be carried out only when formally associated with a legal basis provided for by law.
  - In the case of data collection for the fulfillment of a contract, the specific purpose of processing must be clearly stated in the contract.
  - In the case of data collection by consent, the specific purpose of processing must be clearly stated in the consent, along with the information on how to revoke it.
- Data collection in the capacity of operator.
  - In collection situations where Horizon Servitas is the operator of the personal data, a contract must be established with the controller of the personal data.
  - In case Horizon Servitas is the operator of the personal data, the respective controller must be informed of all recorded sharing operations (ROPA) involving its data.
  - The responsibility of the parties, as controller and operator, must be clearly defined in the contract or in a complementary document.
  - The contract with the data controller shall define the processing purposes permitted to Horizon Servitas.
3.2. Data Protection in the Storage Phase
- General guidelines for data storage.
  - All of Horizon Servitas' personal data storage resources must be properly registered in the Register of Personal Data Processing Operations (ROPA).
  - Personal data in Horizon Servitas' possession must be stored only in physical and/or logical environments managed by the company or by duly contracted service providers.
  - Storage environments supported by encryption controls must be properly documented.
  - The physical and logical storage of sensitive data must have extra security controls, e.g. encryption.
  - Only the data strictly necessary for the fulfillment of the registered purposes may be stored.
  - The data must be stored only for the period of time strictly necessary for the fulfillment of the registered purposes.
- Storage of personal data abroad.
  - If personal data is stored abroad in the company's own environment, all the requirements of this policy must also be observed in that environment.
- Anonymized data storage.
  - Situations of anonymized processing must be duly registered in the Register of Personal Data Processing Operations (ROPA).
  - In situations of anonymized processing, there must be a technical report from the information technology sector that proves the irreversibility of the anonymized data.
- Personal Data Retention Time.
  - In cases of contract fulfillment and consent, the retention time is the duration of the respective contracts and consents.
  - In cases of compliance with a legal obligation, the retention time is the respective duration of the legal obligation.
  - In cases of regular exercise of rights, the retention period is the respective duration of the exercise of the right.
  - For the other legal bases not mentioned in this section, the retention time of personal data must be defined in the Register of Personal Data Processing Operations (ROPA).
3.3. Data Protection in the Access Phase
- General guidelines for data access.
  - No access to personal data may be made at Horizon Servitas without the respective purpose being duly registered in the Register of Personal Data Processing Operations (ROPA).
  - All access to personal data must be supported by authentication controls and access controls, duly defined in the Information Security Policy.
  - Data access supported by encryption controls (secure channel) must be properly documented.
  - For traceability purposes, access to physical and logical personal data must generate access records (logs) according to the criticality of the information accessed, especially in the case of sensitive data.
  - Data export options in information systems, such as exporting spreadsheets and files, must have specific logs.
- Access for purposes of legitimate interest.
  - All purposes involving legitimate interest will be subject to a Legitimate Interest Assessment (LIA). LIA evaluations will subsequently be forwarded for review and deliberation by the Information Security and Privacy Committee.
  - The approval by the Information Security and Data Protection Committee must contain the justification for the purpose of legitimate interest.
- Specific access for the health area.
  - Operators of private health care plans are prohibited from processing health data for the practice of risk selection in the contracting of any modality, as well as in the contracting and exclusion of beneficiaries.
3.4. Data Protection in the Sharing Phase
- General guidelines for data sharing.
  - No sharing of personal data may be carried out in Horizon Servitas without it being duly registered in the Register of Personal Data Processing Operations (ROPA).
  - The sharing of personal data will only occur with duly contracted processing agents.
  - Only the personal data strictly necessary for the fulfillment of the contract established with the operator will be shared.
  - Corrections made to data held internally by Horizon Servitas must be passed on to all entities with which the data is shared, in a registered and formal manner.
  - Deletions of data held internally by Horizon Servitas must be passed on to all entities with which the data is shared, in a registered and formal manner.
  - For traceability purposes, personal data sharing operations must generate sharing records (logs).
- Data protection instructions to the operator.
  - For all sharing operations carried out, Horizon Servitas will formally notify the operator of the data protection instructions.
  - Every 12 months, Horizon Servitas will request data protection evidence from data processors.
  - The data protection evidence of operators will be analyzed by the Information Security and Data Protection Committee, which will issue an opinion regarding the privacy practices of each operator.
  - New supplier contracts should only be entered into after evaluating compliance with privacy and data protection requirements.
- Sharing in the health area.
  - Communication or shared use between controllers of sensitive personal data related to health with the objective of obtaining economic advantage is prohibited, except in the cases provided for by law.
- International Data Transfer.
  - In cases of international transfer identified in the Register of Operations (ROPA), evidence of legislation compatible with data protection, or specific clauses that address the protection of personal data, must be attached to the operator's contract.
  - For cases in which there is no international transfer, the contract with the operator must have a clause stating that the data is processed within the national territory.
3.5. Data Protection in the Elimination Phase
- General guidelines for data deletion.
  - At the end of a purpose, when the legal basis is no longer applicable, the personal data involved must be deleted, anonymized or associated with a new purpose.
  - If the deletion is motivated by an explicit request from the data subject, formal evidence of such request must be recorded before the deletion of the data.
  - In situations of data anonymization, evidence of its irreversibility must be recorded.
  - For traceability purposes, personal data deletion operations, whether physical or logical, must generate deletion records (logs).
4. DATA PROTECTION INCIDENTS
4.1. Data Protection Incident Log
- General incident logging guidelines.
  - The handling of data protection incidents follows the definitions of the Information Security Policy.
  - The communication of a data protection incident to the ANPD and to the data subject must be carried out as soon as possible from the moment of analysis and verification of the incident, not exceeding a maximum period of two business days.
  - In cases where Horizon Servitas is the operator of the personal data, the communication must be made to the respective Controller as soon as possible, with a maximum period of 72 hours.