Privacy Policy

Recruitment and Selection

1. SCOPE

1 - This Privacy Policy aims to ensure the right to information in relation to the processing of personal data, whenever you interact with us or send us, through this platform, your CV and associated personal information.

2 - With this Policy, we also seek to inform you how we ensure your privacy and protect your personal data.

3 - This commitment is a daily priority in the performance of our activities, and we fully comply with all laws applicable to the protection of personal data, in particular the General Data Protection Law (LGPD - Law 13,709/2018).

4 - In order for us to start, continue and complete a recruitment and selection process, we need to process your personal data. This Policy is intended to provide the legally required information.

5 - If you have any questions about this Policy, please contact us using the details set out in item 14.

2. GENERAL PRINCIPLES

1 - As part of your relationship with us, we follow certain principles of action whenever you access our recruitment platform and provide us with personal data, or interact in a way that allows its collection, especially through the forms provided and the use of cookies.

2 - This Policy is based on the following structuring principles, which we consider to be essential vectors of our action:

(i) Only duly authorised persons process personal data, and only to the extent strictly necessary for specific, legitimate and previously informed purposes;

(ii) Secure personal data processing is a constant priority for us and is reviewed periodically on the basis of technological developments and with ongoing investments;

(iii) We acknowledge that personal data belong to the data subjects and are processed in accordance with the legislation in force, thus respecting and guaranteeing their rights;

(iv) We internally promote and disseminate good practices related to Privacy, Data Protection and Information Security, and review them regularly, as we believe that our improvement process is continuous, recognising that it is always possible to do more and better.

3. DEFINITIONS AND INFORMATION FOR DATA SUBJECTS

1 - We adopt the following definitions within the scope and for the purposes of this Policy, without prejudice to others applicable in accordance with the legislation in force:

(i) Personal Data - any information related to an identified or identifiable natural person is considered personal data. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

(ii) Processing - refers to all operations performed with personal data, whether automated or otherwise, such as: collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, erasure, evaluation or control of information, modification, communication, transfer, dissemination or extraction.

(iii) Consent - a free, informed and unambiguous statement by which the data subject agrees to the processing of their personal data for a specific purpose, by means of a statement or clear affirmative action.

(iv) Controller - a natural or legal person, governed by public or private law, which is responsible for decisions relating to the processing of personal data. This is the term equivalent to the "controller" used in the GDPR.

(v) Operator - a natural or legal person, governed by public or private law, which processes personal data on behalf of the controller. This is the term equivalent to the "processor" in European legislation.

4. WHO IS THE DATA CONTROLLER

Nors Group S.A., together with its subsidiaries, defines the purposes and means of processing personal data. Each of these companies is individually considered as the personal data controller, under the terms of the General Data Protection Law (LGPD).

The contact details of these companies can be consulted at: www.nors.com

5. WHAT PERSONAL DATA DO WE PROCESS IN THE SELECTION AND RECRUITMENT PROCESS?

1 - Nors Group S.A. and its subsidiaries process the following categories and types of personal data as part of recruitment and selection processes:

(i) Identification data: such as name, nationality, identification document, date of birth, CPF and PIS/PASEP number or equivalent social security number;

(ii) Contact details: such as home address, telephone/mobile number and email address;

(iii) Personal situation data (where applicable): information on residence permit, work visa and data related to migration processes;

(iv) Professional data: information related to professional experience, data contained in the CV, including job history, academic training, professional and academic certificates, references and letters of recommendation;

(v) Geographic data;

(vi) Assessment data: results of evaluations performed by operators (processors), including language tests, leadership evaluations, logical reasoning tests, in addition to simulation exercises performed by Nors' internal teams;

(vii) Data on licences and driving licences: where necessary and applicable, we shall process information related to licences or the National Driving Licence (CNH).

2 - Only if permitted by law and provided that it is suitable for the role to be performed by the candidate, we may also collect personal data relating to criminal convictions or offences, such as, for example, submission of a copy of the criminal record.

3 - If personal data are sent by means other than the recruitment platform – such as email, mail or personal delivery – these data will be entered into the platform by persons authorised for this purpose, and the original media will be safely discarded.

6. PURPOSES OF PERSONAL DATA PROCESSING

As part of the recruitment and selection process, Nors Group S.A. and the companies it controls process personal data for the following purposes:

(i) Recruitment and selection, in accordance with advertised career opportunities;

(ii) Analysis of spontaneous applications sent to us;

(iii) Assessment of applications for internships, whether academic or professional;

(iv) Sending informative communications about career opportunities.

7. HOW LONG DO WE STORE PERSONAL DATA?

1 - Personal data is processed in strict compliance with applicable legislation and stored in specific databases created for that purpose.

2 - The period for which personal data are kept varies according to the purpose for which they were collected. Thus:

(i) We keep records of the recruitment and selection processes for a period of 5 (five) years, after which we safely delete this information;

(ii) We keep personal data concerning spontaneous applications for 1 (one) year, after which we safely delete them;

(iii) After the purpose is fulfilled, personal information will be deleted. If there are open vacancies, we request your consent to keep the data for a period of 1 (one) year so that, if you are not selected for the vacancy for which you applied, you can be considered for future opportunities. You may, at any time, exercise your right to withdraw such consent.

8. LEGAL BASIS FOR PROCESSING

1 - We process personal data within the recruitment and selection process, always in strict compliance with the principle of legality.

2 - According to the circumstances, the processing of personal data may be carried out on the following legal grounds:

(i) Pre-contractual checks, when you apply for an open position;

(ii) Legitimate interests of the company when we process your personal information in the context of spontaneous applications for future opportunities;

(iii) Consent of the data subject, where applicable.

9. DATA SHARING WITH OPERATORS

1 - To achieve the purposes mentioned in the previous items, Nors Group S.A. and its subsidiaries may share personal data, in certain recruitment and selection processes, with operators contracted for these purposes, such as consulting, professional training, building or access control administrators, companies responsible for the maintenance of information systems and IT platforms, as well as companies that carry out psychometric tests, language tests, leadership assessments and reasoning tests, as provided for in the contracts signed with such entities.

2 - When we use operators that process personal data on our behalf – which implies access to such data by these entities – we adopt appropriate contractual and technical measures to ensure that these operators provide sufficient and appropriate guarantees for the implementation of technical and organisational measures, that they will act strictly in accordance with our documented instructions, that they will process the data only for the intended purposes and that they will delete or return the data at the end of the service provision, among other obligations provided for by law.

3 - Nors Group S.A. and its subsidiaries undertake to adopt appropriate technical and organisational measures to ensure the security of personal data processing, ensuring the confidentiality, integrity and availability of such information, as required by the applicable legislation on personal data protection.

10. TRANSFERS TO THIRD COUNTRIES AND INTERNATIONAL ORGANISATIONS

If personal data are transmitted to third countries or international organisations, we shall strictly comply with the applicable legal provisions. We shall assess the adequacy of the recipient country or organisation in relation to the LGPD requirements for such transfers, or we shall adopt adequate safeguards that ensure data subjects are able to exercise their rights, and also have access to effective legal measures to protect those rights.

11. WHAT ARE YOUR RIGHTS AS A DATA SUBJECT?

1 - We guarantee, through internal organisational measures that we implement and periodically review, the exercise of your rights as a data subject, within the legal deadlines and in compliance with the obligations provided for in applicable legislation.

2 - Your rights as a data subject, among others provided for by law, are:

(i) Right of access - you have the right to request information about the processing of your personal data, including confirming whether we have carried out this processing, what data are being processed and for what purposes. You may request a copy of the personal data being processed, if you wish. The provision of additional copies may be subject to the charge of a reasonable administrative fee. If the request is made electronically, and unless otherwise indicated, the data will be provided in a common digital format;

(ii) Right to rectification - you have the right to request, without undue delay, the correction of incorrect personal data or the addition of incomplete data. Alternatively, you can directly edit your data through your platform profile;

(iii) Right to erasure - in certain situations, you may request the erasure of your personal data from our records without undue delay whenever any of the applicable legal grounds exist. It should be noted that you can also delete your profile directly on the platform;

(iv) Right to object - you may object to the processing of your personal data on the basis of reasons related to your particular situation. However, it is important to note that the processing of your data is essential for conducting the selection process and for potential hiring. Objecting to processing may make it impossible to continue the recruitment and selection process;

(v) Right to data portability - you have the right to request that your personal data be transferred to another organisation, or to receive them in a structured, commonly used and machine-readable format;

(vi) Right to restriction of processing - you may request the restriction of the processing of your personal data, for example, when you contest their accuracy (during the period in which we verify their accuracy), when the processing is unlawful, or if you have exercised the right to object;

(vii) Right to lodge a complaint with the supervisory authority - you can lodge a complaint with the National Data Protection Authority (ANPD) if you believe that there has been an infringement of the LGPD;

(viii) Right to review decisions taken solely on the basis of automated processing - you have the right to request a review of decisions which may be taken solely on the basis of automated processing of personal data, which significantly affect your interests;

(ix) Right to withdraw consent - you may simply withdraw the consent provided. Withdrawal will not compromise the legality of the processing carried out on the basis of prior consent, in accordance with the legislation.

3 - To exercise any of these rights, see item 14 of this Privacy Policy.

4 - After receiving your request by email or other means, we shall take the necessary steps and you will receive our reply immediately, if it is a simple request. This may take up to 15 (fifteen) days, if you request further steps, of which we shall duly inform you and justify.

5 - If a complete and complex response is required, this deadline shall be 15 (fifteen) days and may be extended up to 30 (thirty) days, if the deadline cannot be met, of which we shall duly inform you and justify.

12. WHAT SECURITY MEASURES HAVE WE IMPLEMENTED CONCERNING YOUR PERSONAL DATA?

1 - We adopt appropriate technical and organisational measures to ensure a level of security compatible with the risks involved in the processing of personal data. Such measures are reviewed and improved from time to time, with the aim of ensuring the protection of data as to their availability, authenticity, integrity and confidentiality, as well as preventing any loss, misuse, alteration, unauthorised access or processing, or any other form of unlawful processing.

2 - Our commitment to information security and personal data protection is ongoing and structured around actions aimed at mitigating the risks of breach, considering the context, the purpose of the processing and the level of risk. Among the main measures adopted, we highlight:

(i) Pseudonymisation and encryption of personal data;

(ii) The ability to ensure the continued confidentiality, integrity, availability and resilience of data processing systems and services;

(iii) The ability to promptly restore access to and availability of personal data in the event of physical or technical incidents;

(iv) Implementation of regular testing, evaluation and analysis processes for the effectiveness of technical and organisational measures, in order to ensure ongoing protection of the data processed.

3 - The level of security we adopt takes into account the risks associated with the processing of personal data, in particular the risks of accidental or unlawful destruction, loss, alteration, unauthorised disclosure or improper access to personal data that are transmitted, stored or otherwise processed.

13. DATA PROTECTION OFFICER

1 - Nors Group S.A. and its subsidiaries have appointed a Data Protection Officer (DPO), who is responsible for monitoring and ensuring compliance with internal policies and applicable legal rules on the protection of personal data, in accordance with the LGPD.

2 - If you have any questions or requests about how your personal data is collected and processed, you may contact the Data Protection Officer through the following channels:

Contacts of the Data Protection Officer
_________________________________________________
Name: Regina Ferroni
Email: lgpd@nors.com

14. PERSONAL DATA OF CHILDREN

We do not collect, through our recruitment platform, personal data of children (under 12 years old), as defined in Law 8,069/1990 (Statute for Children and Adolescents) and in the LGPD.

15. LINKS TO OTHER WEBSITES

1 - Our recruitment platform may contain links to other external websites.

2 - Nors Group S.A. and its subsidiaries are not responsible for the content, privacy policies or practices of these websites, including those that are referred to or linked to on our platform.

3 - For your security and clarity, we recommend that you carefully read the privacy policies of any other website to which you are redirected from our recruitment platform.

16. WHAT WILL WE DO IF A PERSONAL DATA BREACH OCCURS?

1 - In the event of a personal data breach – understood as any security incident that accidentally or unlawfully results in the destruction, loss, alteration, access or unauthorised disclosure of personal data transmitted, stored or otherwise processed – we shall take all the measures provided for in the applicable legislation and provide the necessary information to the competent authorities and, where applicable, to the data subject.

2 - If the personal data breach represents a significant risk or damage to your rights and freedoms, you will be informed in a clear, objective manner and without undue delay about what has happened. The communication will contain at least the following information:

(i) A general description of the nature of the personal data breach;
(ii) The likely consequences of the incident;
(iii) The measures taken or to be taken to mitigate the effects of the breach, including any corrective actions.

3 - If it is not possible to immediately provide all this information, it may be sent in stages, always as soon as possible, as provided for in the legislation.

17. USE OF COOKIES

1 - Our recruitment platform uses cookies, also called identification files or connection logs.

2 - Cookies are small text files that can be stored on your device (computer, tablet or smartphone) when you access our website. Their role is to ensure the platform functions properly, facilitate navigation, store preferences and allow statistical analysis of platform use, which contribute to a better user experience.

3 - To learn more about the types of cookies we use (e.g. essential, performance, functionality, and advertising cookies), the purpose of each, their duration, whether they are our own or third-party, and how you can manage your preferences directly in your browser, see our Cookies Policy.

18. EMPLOYEE TRAINING

1 - We recognise that the human factor is essential for effective compliance with the rules on personal data protection.

2 - For this reason, we provide regular training – initial and ongoing – for all our employees, to ensure that they know and correctly apply the principles, legal rules and good practices related to privacy and the protection of personal data entrusted to us.

19. PRIVACY POLICY UPDATE

This Privacy Policy may be updated at any time, without notice, to reflect relevant legal, operational or technological changes.

We recommend that you check this Policy periodically to stay informed about how we process and protect your personal data.

20. VERSIONS OF OUR POLICY

Version 1    |     September 2021

Version 2    |     July 2025