Privacy Policy
1. GROUNDS AND GENERAL PROVISIONS
1.1 Framework
This privacy policy, hereinafter referred to as "Policy", is based on the establishment of a set of rules, standards and principles aimed at regulating the manner of processing, retention and security of personal data collected by Lobito Atlantic Railway S.A "LAR" in the course of its activities, aligned with and appropriate to the current regime on personal data protection, namely, the Constitution of the Republic of Angola, the Personal Data Protection Law - Law No. 22/11, of 17 June, the General Labour Law - Law No. 12/23, of 27 December, the Video Surveillance Law - Law No. 2/20, of 22 January, the Regulation of the Video Surveillance Law, approved by Presidential Decree No. 308/21, of 21 December and other special legislation on data protection that, in each circumstance, may and should be applied.
1.2 Purpose
This Policy aims at disclosing how the personal data of all employees, suppliers, customers and other Stakeholders are collected and processed by LAR.
1.3 Scope of the Policy
This Policy covers the collection and processing of personal data, automated or not, carried out by LAR in the context of its relationship with its employees, suppliers of goods and/or services, customers and other stakeholders, both nationally and internationally.
1.4 Approval and Review of the Policy
a. This Policy and any of its future amendments shall be approved by the Board of Directors of LAR, hereinafter referred to as "BoD", upon proposal discussed by the LAR Compliance Committee "ComCo". The Legal and Compliance Department, hereinafter referred to as "LCD", is the department responsible for coordinating the regular review of this Policy, the Chairman of the ComCo being responsible for proposing any of its amendments to said Committee, and the Secretary of the BoD being responsible for presenting the recommendations to the BoD for discussion and approval.
b. The Policy should be reviewed whenever necessary to ensure its updating in light of any changes, whether legal or resulting from the evolution of LAR's business.
2. PROCESSING AND PROTECTION OF PERSONAL DATA
An effective risk management process is therefore a key element of LAR internal control system and is based on the principles, rules and processes outlined in this policy, which ensures value creation, the protection of employees and assets, the promotion of a culture of risk awareness, the optimisation of decision-making, fostering continuous improvement, compliance with laws and regulations, as well as establishing a controlled environment for compliance with LAR's ethical principles, business goals and strategic objectives.
2.1 Personal Data Processed by LAR
a. The personal data collected and processed by LAR correspond to any information, including image and sound, about a natural person, which may include personal identification, details of private life, address, profession, any union affiliation or health, but not limited to these.
b. LAR collects and processes the aforementioned data in the following situations:
i. At the Human Resources Department level:
- In the recruitment and hiring processes of employees (data on health, address, affiliation, household, remuneration, qualifications, professional experience, among others);
- In the management processes of the employment contract (data on performance, payroll, holidays, attendance, among others);
- In any disciplinary proceedings.
ii. At the Commercial Department level:
- In the relationship with customers;
- For the preparation of commercial proposals;
- In the processing of personal data obtained through the scheduling of meetings;
- In negotiations with a view to establishing commercial engagements;
- In the customer registration process.
iii. At the Purchasing Department level:
- In the relationship with suppliers in negotiation processes;
- With commercial proposals received;
- In the processing of parties' data inserted in contracts to be signed; and
- In the processing of all confidential information that they have access to within the scope of their specific functions.
iv. At the Finance Department level:
- In commercial relationships established with customers and suppliers such as contacts, bank details and all financial information;
- In the relationship with third parties in the context of financial information reporting;
- In the relationship with workers in the context of advances and/or salary payments, access to bank details and private address contacts.
v. At the Legal and Compliance Department level:
- In all third-party investigation processes;
- In the preparation of contracts and official letters;
- In the management of the whistleblowing channel;
- In disciplinary proceedings, where it may issue an opinion;
- In relation to shareholders’ information and any communication exchanged with public and private entities that is not public knowledge or should not be public knowledge.
vi. At the Asset Security Department level:
- In the processes of physical access to LAR facilities;
- In the monitoring by security cameras and respective recordings;
- In the processing of data recordings obtained via GPS, installed on vehicles owned and used by LAR employees.
vii. At the Environment and Social Department level:
- In the management of the community complaints and reports mechanism, in the collection of identification data, contacts and information provided by complainants or affected parties;
- In relations with communities and non-governmental organisations, where it accesses data such as the names of individuals, their roles, contact details and records of interactions;
- In the registration and management of social, environmental and awareness-raising events, programmes or actions, including access to images and identification data of participants;
- In the monitoring of environmental and social studies, whenever these include personal data of identifiable individuals or groups.
2.2 Data Controller
The entity responsible for data processing is LAR, as a legal entity, which determines the purpose and means of processing to be used.
To fulfil its obligation to protect the data it may obtain, LAR fully complies with the provisions set out in the applicable general regime, in particular, in the Constitution of the Republic of Angola, in the Personal Data Protection Law, Law No. 22/11, of 17 June, in the General Labour Law, Law No. 12/23, of 27 December, in the Video Surveillance Law, Law No. 2/20, of 22 January, and in the Regulation of the Video Surveillance Law, approved by Presidential Decree No. 308/21, of 21 December.
2.3 Data Protection Officer
The LCD, and its head, is the Protection Officer responsible for communications between LAR and the National Data Protection Agency "APD", which shall include the following tasks:
a. Receive complaints and communications from data subjects, provide clarifications and adopt necessary measures in accordance with this policy and the law or regulations in force.
b. Guide employees regarding the procedure or procedures to be observed in relation to personal data protection.
c. Coordinate the actions aimed at the implementation of the Policy, namely, the preparation and execution of a training plan to be delivered to the main areas of LAR that deal with personal data.
d. The APD and data subjects can contact LAR through the LCD, via the following email address: compliance@lobitoatlantic.co.ao
2.4 Form or Means of Processing Personal Data
a. Employees' and business partners' data collected by LAR is processed in accordance with the applicable laws, in a confidential, transparent, lawful and fair manner; it shall only be collected for the purpose for which it is intended, that purpose being explicit and legitimate, and shall not be processed for any reason other than the one for which it was intended.
b. In the case of data processing in video surveillance systems and/or other electronic control means, the general rule for the collection and processing of sensitive data is in accordance with the Data Protection Law, that shall make available, where the system is installed, any information in addition to the name, address, telephone number and e-mail of the data controller.
c. In the case of data processing by means of call recording, LAR will only do so for the purpose of transaction evidence, provided that there is:
(i) Prior, express and unequivocal consent of the data subject; and
(ii) Prior authorisation from the APD, except for recordings involving public services and relating to emergency situations, with prior notification to the APD being required.
d. The data is limited and adequate to the need and reason for which it was requested, and appropriate measures must be taken to ensure that inaccurate, unintelligible or incomplete data is deleted or rectified, and that it is retained in a way that allows the identification of its holders.
e. Failure to safeguard the provisions of the above paragraph may lead to an internal investigation and consequent disciplinary proceedings, if an express, clear and evident violation of its content is found by those who should have known or acted in accordance, particularly regarding the implied terms of confidentiality of the data obtained.
2.5 Purposes and Processing
Personal data is collected by LAR for the following purposes:
a. Recruitment and management of LAR's human capital;
b. Management of commercial, pre-contractual and contractual relationships between individuals, private and/or public legal entities and LAR, namely, the conclusion and execution of contracts.
c. Compliance with regulatory obligations, related, in particular, to fraud prevention and control, combating money laundering and terrorist financing or obligations in tax matters.
d. The adoption of security means and procedures for people and property that imply, in certain cases, the collection of images in the context of video surveillance.
e. Regarding the data of company representatives, they are collected for the purposes of representing their principals.
f. Management of complaints.
g. Presentation of commercial proposals to potential customers.
h. Processing and provision of mandatory information and response to requests from external auditors, within the scope of compliance with legal obligations in force, as well as in response to requests from public authorities such as the Courts, the Attorney General's Office, or any police bodies, provided it is within the scope of an identified process.
i. Recording of calls for evidence purposes, when consented to by their holder or authorised by the APD, and any other communications regarding the commercial relationship or for the purpose of complying with legal obligations.
2.6 Communication of Data to Institutions
a. As a rule, the communication of personal data can only be made by LAR to public and/or private institutions with the unequivocal and express consent of holders or with prior notification to the APD. However, the prior consent of the holder is or can be waived in the following situations:
i. Legal determination or judicial decision.
ii. Collection of data through public sources;
iii. Execution of a contract to which the holder is a party or the formation of a contract or business declaration;
iv. Compliance with legal obligations; and
v. Pursuit of public interest defined by law.
b. Furthermore, the communication of data between institutions and judicial and criminal investigation authorities only requires prior authorisation from the APD.
c. In cases where LAR shares the data with a processor, in addition to ensuring compliance with the requirements, formal commitment of the latter to follow its instructions and notification to the APD, it must ensure compliance with the processor's obligations, namely, not to communicate personal data to other recipients, comply with security measures and levels and destroy or return the data to LAR, as per the contract.
2.7 Data Retention and Security Measures
a. The processing of data by LAR will be kept to the extent necessary for compliance with applicable legal and contractual provisions, namely, those arising from the establishment of relationships with its employees and business partners.
b. Notwithstanding the fact that the law does not determine a minimum period for data retention, LAR must take all necessary security measures to protect it, namely from unauthorised access, loss or misplacement, unlawful alteration or destruction, even after the termination of relationships with the data subjects.
2.8 Rights of Data Subjects
1. Under the applicable law, data subjects have the following rights:
a. Right to Information, which consists of the right of data subjects to be informed by LAR, among other aspects, about the purpose of data processing, to whom they may be communicated, what rights they have and under what conditions they can exercise them, as well as which data they must provide mandatorily.
b. Right of Access, which consists of the right of data subjects to access their personal data that has been provided by them, without restrictions, without excessive delays or costs, as well as to know any available information about the origin of such data.
c. Right of Rectification, which consists of the right of data subjects to demand that their data be accurate and current and may request their rectification from LAR.
d. Right to Erasure, which consists of the right of data subjects to demand the deletion of their personal data from LAR records when they are no longer used for the purpose for which they were collected.
e. Right to Object, which consists of the right of data subjects to object, at their request and free of charge, to the processing by LAR of personal data for a specific purpose, when the reasons for the claim are legitimated and acceptable.
f. Right to Complain to the DPA, which consists of the right to lodge, without prejudice to any other administrative or judicial remedy, a complaint with the supervisory authority.
2. To exercise any of their rights, including accessing their data or requesting rectification, deletion or objecting to its processing under the terms of the law, data subjects may address LAR or contact the LCD through the available channels.
2.9 LAR Events and Social Responsibility
a. The personal data collected by LAR within the scope of Social Responsibility correspond to identification data and, when consented to, image and voice data, and are collected for the purpose of promotion and dissemination of LAR events and social responsibility, which includes the capture and processing of images of participants in the respective events.
b. In the event that LAR receives an express request, in writing, requesting the non-disclosure of particular data, under the terms of this clause, it will use all means to ensure that such data are not shared, regardless of paragraph a) above.
2.10 Measures to be Taken in Case of Non-Compliance
a. Cases of non-compliance with the rules established by this Policy should be immediately communicated to the Human Resources Department "HRD" and to the LCD, and may result in disciplinary proceedings, including dismissal and civil and criminal liability of the parties involved.
b. Cases that represent breaches of the established internal control system will be discussed within the ComCo and subsequently referred to the decision of the Board of Directors of LAR, for the execution of any necessary measures.
3. REGULATORY FRAMEWORK
- Constitution of the Republic of Angola;
- Personal Data Protection Law, Law No. 22/11, of 17 June;
- General Labour Law, Law No. 12/23, of 27 December;
- Video Surveillance Law, Law No. 2/20, of 22 January; and
- Regulation of the Video Surveillance Law, approved by Presidential Decree No. 308/21, of 21 December.
4. ENTRY INTO FORCE
This policy enters into force on the date of its publication in the Service Order.