Privacy

Personal Data Subject: This is the natural person to whom personal data refers.
Personal Data: It is any information relating to an identified or identifiable natural person. Name, ID number such as "RG", CPF, address and date of birth are some examples. Information relating to a legal entity is not Personal Data, but information relating to the contact person or representative of a legal entity counts as Personal Data.
Sensitive Personal Data: Personal data on racial or ethnic origin, religious conviction, political opinion, membership in a trade union or organization of a religious, philosophical, or political nature, data relating to health or sex life, genetic or biometric data, when linked to a natural person. The law brings additional requirements and imposes some restrictions on the processing of sensitive data.
Processing: It is any operation carried out with Personal Data – from collection to disposal. Law No. 13,709, of August 14, 2018, the General Data Protection Law ("LGPD") expressly mentions several examples: collection, production, reception, classification, use, access, reproduction, transmission, distribution, treatment, filing, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination, or extraction.

We process Personal Data if we have, want to have, or have had a business relationship with you, or if we have had contact with you and/or your representatives. The holders of the Personal Data we process include, but are not necessarily limited to:

a) People who show interest in Rabobank or our products and services.
b) People who are otherwise connected to a company or organization with which we have, want to have, or have had a business relationship (e.g., employees, executive directors or representatives of any company, ultimate beneficiaries (UBOs), among others).
c) Security providers and guarantors.

If your company or organization transfers any Personal Data relating to employees, chief executive officers or ultimate beneficial owners (UBOs) to us, we assume that they have been informed of this and that you are duly authorized to do so and on a legal basis to do so.

From time to time, we may also collect Personal Data from employees or executive directors that is not being provided directly by your company or organization, but in any case, you can make this Privacy Statement available to them so that they can learn how We Treat Personal Data.

This Privacy Statement addresses how Rabobank manages the Processing of Personal Data.

Personal Data may be shared within Rabobank to the extent permitted by law. When sharing data within Rabobank, we comply with the rules we have agreed upon within Rabobank, including the Rabobank Privacy Codes.

The Processing of Personal Data is carried out by Rabobank Brasil and, eventually, by the other companies of the Rabobank Group or related parties, as applicable, in the context of their business activities, in accordance with internal regulations and applicable legislation, including the General Data Protection Law – Law 13.709/2018 ("LGPD") and, also as applicable and non-conflicting, the European General Data Protection Rule – (EU) 2016/679 ("GDPR").

Rabobank Group includes Rabobank Brazil and several global affiliates. To identify which division of Rabobank is responsible for managing your Personal Data, please contact us through the Relationship Manager.

Rabobank Brasil processes Personal Data of data subjects with whom it has, wishes to have, or used to have a direct or indirect relationship, including by legal and regulatory requirement, for example of Know Your Customer (KYC) and Know Your Partner (KYP) procedures. This may include:

a) Data of Clients and their related parties or potential clients, such as legal representatives.
b) People who show interest in Rabobank's products and services.
c) Persons who are associated with a business or legal entities with which Rabobank has, or has, or has had a business relationship.
d) Personal Data of customers or third parties, to protect the National Financial System.

We receive your Personal Data because you provide yourself, for example, when you enter into an agreement with us, data that you enter on our website so that we can contact you, and data arising from the services we provide in areas such as payments.

In addition, we may, for example, receive your Personal Data from:

a) Business units within Rabobank Brazil, for example:
I. In the context of combating fraud, money laundering or terrorism
II. Internal Administrative Business Processes
III. To create and run risk models.
IV. To improve our services
V. In the context of our duty of care.

b) Other parties, in the context, for example, of combating fraud, money laundering or terrorism, such as:
I. Suppliers or other parties we work with
II. Public sources such as newspapers, public records, websites, and open sources from social media.
III. Fraud data sharing systems, as required and provided for by regulation of the National Financial System, notably CMN/BCB Joint Resolution No. 06/2023.

We may collect information online, for example, through:

a) Cookies. Our web server may place a "cookie" on your hard drive. We may use cookies to improve your online experience, make it easier for you to use the Site, and collect site access or performance statistics. Certain services rely on cookies, and you can disable these services by declining cookies, as applicable, if they are not cookies that are "essential" to the maintenance of the Site.
b) Tracking Technologies. Tracking technologies may also be used by the Bank or its service providers. For example, we may use trackers to determine whether you have seen certain advertisements or received or opened emails from Rabobank.

Rabobank processes Personal Data for specific purposes and always based on the principle of "minimum necessary", always based on applicable laws and regulations, processing Personal Data with permission only when it does not prejudice individual rights and only when, as controller, Rabobank has a legal basis for the processing.

According to the LGPD, we must keep a record of the Personal Data Processing operations they conduct, especially when based on legitimate interests, of the controller or third parties, except in the case of the fundamental rights and freedoms of the data subject that require the protection of Personal Data.

The LGPD brings hypotheses, known as legal bases, on which the possibility of processing Personal Data is based (in the case of sensitive Personal Data, not all legal bases are available). This means that, for a processing of Personal Data to be lawful, it must be justified by one of these legal bases. Among them, it is worth highlighting some that will be more recurrent for financial and capital markets in the context of data sharing.

i. Consent: the data subject must agree to the processing of their Personal Data for a specific purpose. For consent to be considered valid, it must be free, informed, unambiguous, and related to a specific purpose. In addition, consent can be revoked at any time by the Personal Data Subject.

ii. Compliance with a legal or regulatory obligation: whether a law or regulation requires a certain Data Processing activity. This is the case of various Personal Data processing processes that are conducted to comply with CVM and BACEN regulations, such as the processing conducted for AML/CFT purposes.

iii. Legitimate interest: to meet the legitimate interests of the data controller (acting as controller), as well as of third parties or the data subject itself, provided that the data processing does not pose a material risk to the fundamental rights and freedoms of the data subjects.

We can only provide our best service when we know you well. For this, we need your Personal Data, and we must process it. We do this because we must make a deal with you, but also because we are required by law to do so. Within the legitimate interest intrinsic to its activity, Rabobank Brasil may process Personal Data collected interchangeably within systems, online applications and manually, to develop and provide products and services in addition to improving their means of availability, including its own online applications.

In addition, Rabobank Brasil may process Personal Data to generate indexes or rankings about the relationship of customers with us. These rankings may be shared with customers, but we emphasize that in these situations customers will only receive information with their own Personal Data and that third party Personal Data, including ranking, will be anonymized.

We weigh our interests or the interests of others against your interests and your right to privacy. For example, we analyze whether we cannot achieve the same goal in another way. And if we really need all the data.

Do we want to use sensitive data? Or Personal Data of vulnerable people such as children? Sometimes it is not clear from the applicable law on what legal bases we may process your Personal Data. Either the obligation is not in a law, or the law does not apply directly to us.

As we have an interest in keeping the financial sector healthy, we use this data based on legitimate interest, to seek the motivation for use within a proportionality, which is often not objectively provided for in law or regulation. Examples of this are email, phone, and image recordings to combat fraud and improve the quality of our service. This also helps us train and evaluate employees correctly to serve you better. And also to provide any necessary evidence.

We do not keep your data for longer than is necessary to fulfill the purposes for which we collected the Personal Data or the purposes for which the data is reused. We have a data retention policy. A data retention policy specifies how long we keep the data. Data is sometimes kept for longer, for example if the regulator asks us to keep specific data longer in the context of risk models. In some cases, we use shorter retention periods. In specific situations, we may also keep the data for longer than we are required by the retention period set by us. We will do this if, for example, the judicial authorities request camera footage, in which case we will keep the footage for longer than usual, or if you have lodged a complaint, in which case the underlying data should be kept for longer. Once we no longer require the data for the purposes described in sections 6a to 6i, we may still retain the data for archival purposes, for use in case of legal proceedings, or for historical or scientific research purposes or statistical purposes.

Sensitive Personal Data is defined in section 2 of this Statement, in accordance with the LGPD. We may use biometric data, such as your fingerprint or a facial scan, for identification and authentication purposes, for example.

We participate in incident registries and alert systems for the financial sector and may process information that may contain sensitive data. The purpose of these incident logs and alert systems is to protect our interests and those of financial institutions and their customers, for example, by detecting and recording cases of fraud.

In addition, we process Sensitive Personal Data when this is permitted by law, i.e., when such information has been made public by you or if you give us your permission. If you give us consent to record Sensitive Personal Data relating to you, or you have made that information public yourself, we will only process the information if this is necessary.

If you have given us consent to process Sensitive Personal Data, as with any other consent, you can withdraw it at any time. To do so, please contact your own Rabobank Brazil Relationship Manager or directly as the Data Protection Officer (DPO), see section 18. However, please be aware that by revoking or withdrawing your consent, you may compromise or make it impossible to provide a particular service or product.

Automated individual decisions are decisions that are made in relation to you by computers and not by humans. In this case, you have the right to obtain human intervention and express your point of view and contest the decision. In the following situations, we may use automated decision-making that may affect you:

1. If necessary, we will calculate a credit score from you. We are required to use these credit scores in deciding whether we can provide you with a credit. Authorized employees then use this score to determine whether you can get credit. The decision to provide you with a credit is not fully automated. Although credit decisions can assess an individual's financial condition and aspects, Rabobank's assessment, credit modeling, risk appetite profile and process, for example, are confidential business information and therefore not subject to disclosure, whether in the public or private sphere.

2. When a payment has been made that is not in line with your usual pattern of spending, we may use automated decision-making and stop the payment (temporarily). We do this to prevent fraud on your account. If we stop the payment, we will let you know as soon as possible.

Within Rabobank Brazil, your Personal Data can only be accessed by individuals who need to have access due to their position. All these persons are bound by a duty of confidentiality.

If we want to use information for any purpose other than the purpose for which it was obtained, we may do so if the two purposes are closely related.

If there is not a sufficiently strong connection between the purpose for which we obtained the data and the new purpose, we will ask you to give your consent if we still want to process that data. You can always withdraw your consent. You can contact Rabobank Brazil's relationship manager for this. However, please be aware that by revoking or withdrawing your consent, you may compromise or make it impossible to provide a particular service or product.

The international transfer of Personal Data may be required as below, but only in compliance with the requirements of the LGPD.

a. Inside the Rabobank Group

Your Personal Data may be shared within Rabobank Group, of which Rabobank Brasil is a part, such as because you ask us to do so. Information that has been used to establish your identity may also be used by another division of Rabobank Brazil with which you wish to do business, for example. We may, for example, exchange your data to combat fraud, to prevent money laundering, risk management, internal administration, to improve services for you and in the context of duty of care.

These Rabobank related parties may also be in countries outside the European Union that apply less stringent data protection rules. We share your data with divisions of the Rabobank Brazil Group, in which Rabobank Brazil holds a majority stake, only if the divisions comply with Rabobank Brazil's rules, as set forth in the Rabobank Brazil Privacy Code. Rabobank's Privacy Code outlines the rules that all such divisions of the Rabobank Group must abide by. The Rabobank Brazil Privacy Code ensures adequate protection of your Personal Data.

b. Outside Rabobank Brazil

We may disclose the information we collect to third parties that are not members of the Rabobank Group but acting on our behalf or as required or permitted by law. These third parties may include:
(i) Support service providers to help us manage your financial relationship. This may include check printing companies, data processing companies, companies that provide services on online applications, companies that prepare account statements, or companies that help us market our products to you. These companies are legally required to maintain the confidentiality of the information we provide to them and may not use this information for any purpose other than the provision of services specified on our behalf.
(ii) Companies that work with us under agreements to provide you with financial services that we do not offer but that we believe may be of interest to you. In such cases, we may share information collected by us as described above, but only as necessary to provide these services to you. These companies are legally required to maintain the confidentiality of the information we provide to them and may not use this information for any purpose other than as specified in the contract, and these companies may be held liable for the misuse of your Personal Data.
(iii) Service Providers hired for the purpose of complying with legal or regulatory obligations, such as those related to the sharing of evidence of fraud, under the scope of CMN/BCB Joint Resolution No. 06/2023.
(iv) Other parties, to the extent permitted or required by applicable law, for example, government agencies in response to subpoena and other legal process, or those with whom you have authorized us to share information.

Your Personal Data is also transferred to other parties outside of Rabobank if we are required to do so by law, because we must enter into an agreement with you or because we have engaged another service provider. We transfer your Personal Data to third parties if we are required to do so. Examples of such third parties include national and European supervisors/regulators.

We also transfer Personal Data if this is necessary to perform our agreements with you. For example, we may transfer your data to third parties to enable you to make payments. These third parties and other banks are subject to the supervision of their local regulators. This may mean that your payment and transaction data is transferred to other parties in countries that do not enjoy the same level of Personal Data protection as those in Brazil and the European Union.

If we act as an intermediary, we may share your Personal Data. We also provide your data to other parties that we need to involve in the context of providing services, such as bailiffs, accountants, debt collectors, managing directors, consultants, and lawyers.

If we provide you with credit or loan, we must also transfer data to third parties; For example, regarding your credit level or loan size, or if you do not make a payment on time.

You have the right to obtain from Rabobank Brazil, in relation to the Personal Data processed, upon request to the DPO (see section 18):
I. Confirmation of the existence of the treatment.
II. Access to data;
III. Correction of incomplete, inaccurate, or outdated data.
IV. Anonymization, blocking or deletion of data that is unnecessary, excessive, or processed not in accordance with applicable law.
V. Portability of data to another service or product provider, upon express request, in accordance with the rules of the national authority, observing commercial and industrial secrets and technological restrictions.
VI. Deletion of Personal Data processed with the consent of the data subject, except in the cases specified by Law.
VII. Information from public and private entities with which the controller has shared data.
VIII. Information on the possibility of not providing consent and on the consequences of refusal. IX. Revocation of consent to the processing of Personal Data previously granted.

a. Right to information
This Privacy Statement describes what Rabobank does with your Personal Data. In certain cases, we provide additional or different information. For example, if Rabobank Brazil records your Personal Data in its incident logs, it will inform you about this separately (as far asit is permitted to do so). We will also do this if there are other reasons to provide information in addition to the Privacy Statement. We may do this through a letter, leaving a message in your secure inbox, or in another manner to be determined by us.

b. Right of access and rectification of Personal Data
You can ask us whether we process Personal Data relating to you, and if so, what data this relates to. In this case, we may provide you with access to the data processed by us that relates to you. If you believe that your Personal Data has been managed incorrectly or incompletely, you may request that we amend or supplement the data (rectification).

c. Right to erasure ('right to be forgotten')
You can request that we delete data about yourself that we have recorded, for example, if you object to the processing of your Personal Data. However, be aware that we do not always have to do this or sometimes we cannot do it either. For example, if we still must store your data due to legal obligations.
d. Right to restriction of processing
You may request that we temporarily restrict the Personal Data relating to you that we process. This means that we will temporarily process less Personal Data relating to you.

e. Right to data portability
You have the right to request that we provide you with Personal Data that you have previously provided to Rabobank in the context of a contract with us or with your consent, in a structured, machine-readable format, or that we transfer such data to another party. If you ask us to transfer data directly to another party, we can only do so if this is technically feasible. In some cases, you do not need to submit a request to obtain the data you have provided to us. For example, you can view your transaction data using our online services.

f. Right to object to processing If we process your Personal Data because we have a legitimate interest in doing so, for example if we make recordings of telephone calls but this is not required by law, you can object to this. In this case, we will re-evaluate whether it is in fact the case that your data can no longer be used for this purpose. We will stop processing your data if your interest outweighs our interest. We will inform you of our decision, stating the reason.

g. Right to object to direct marketing
You have the right to request that we stop processing your Personal Data for direct marketing purposes. It may be the case that your objection only relates to being approached through a specific channel, for example, if you no longer wish to be contacted by phone but still want to receive our offers by email. We will then take steps to ensure that you are no longer contacted through the relevant channel.

If you make a request as described above, we will respond within 15 days of receiving your request. In certain cases, we may not be able to comply with your request, for example, because doing so would violate the rights of others, be against the law, or is not permitted by the police, the prosecutor's office or other public authority, or because we have weighed the relevant interests and determined that the interests of Rabobank or others in the Processing of the data take precedence. In that case, we'll let you know about it.

Have you placed an order on us? Then we will reply, at first, within 15 days after we receive the request. We may ask you to further specify your access request. For example, if you ask us to have access to call recordings. We may ask for search keys, such as time and the phone number from which the call was made. In highly specific cases, we may extend the period in which we respond to a maximum of 90 days. In the meantime, we will keep you informed of the progress of your request.

We may ask you to come to the bank to identify yourself when you make a request with us. We want to make sure we give your information to the right person. For example, we will ask you to go to the bank to validate your identity. Sometimes we may be in doubt whether we can send the data to you securely.

We may not comply with your request. For example, because the rights of others would be violated, or because this is not allowed by law or by the police, the prosecutor's office, or another government body. Or because we have made an exchange in which the interests of Rabobank or others to process the data take precedence. In this case, we'll let you know.

Let us know what your question or complaint is and let us look for a solution together. For questions and requests regarding the Processing of Personal Data, you may contact the Data Officer. Our address details are:

1. Name: Banco Rabobank International Brasil S/A
2. Address: Av. Doutor Chucri Zaidan, Edifício Morumbi Corporate – Diamond Tower, nº 1240, 15º Andar, Vila São Francisco, São Paulo, SP, Brazil
3. Zip Code: 04711130

You can contact Rabobank Brazil's Data Protection Officer from 9 a.m. to 6 p.m. local time via email privacidadebrasil@rabobank.com. In addition, you can contact your Relationship Manager for general questions or if you are still unsure that it is a demand directly related to the Processing of your Personal Data or through the support link Contact Us – Rabobank.

Yes, our Privacy Statement may change from time to time. This is possible if there are new activities involving the Processing of Personal Data and these changes are important to you. You can always find the most current version of our Privacy Statement here.