VLI’s Supplier Personal Data Protection Guideline
Dear business partner,
We are pleased to present VLI’s Supplier Personal Data Protection Guideline (“Guideline”). This document is intended to provide guidance on the key principles that apply to the processing of personal data within the relationship between VLI and its suppliers.
We believe that our principles, values, and practices related to personal data protection should be part of the daily routines of all partners involved in data processing. In this document, we outline the values, principles, and general directions that shape how this processing should be carried out.
The main objectives of this Guideline are to ensure compliance with privacy and data protection laws, safeguard the integrity, reliability, and confidentiality of personal data, and encourage all VLI partners to handle this data ethically and responsibly.
This Guideline supports partnerships that bring mutual value to VLI, its partners, and data subjects, reinforcing our commitment to ethical and transparent governance.
We’re always looking to improve. If you have suggestions, reach out to us at dpo@vli-logística.com.
Supply Management
Introduction
VLI is committed to creating value for its clients and partners through logistics solutions that integrate railways, ports, and terminals. We strive to build a sustainable business model and contribute to a fairer society—one that is environmentally balanced and economically prosperous. To achieve this, we must act and positively influence every partner and all stakeholders in our value chain.
This VLI Supplier Personal Data Protection Guideline aims to clarify what VLI expects from its suppliers whenever they carry out personal data processing activities as part of their relationship with VLI. This includes strict adherence to applicable legislation, the implementation of appropriate security measures, and ethical and responsible conduct in the handling of personal data—always respecting the fundamental rights to freedom and privacy of the data subjects.
Relevant Concepts
For the purposes of this Guideline, “Personal Data Protection Laws” refer to the laws, regulations, and other norms governing personal data processing activities that apply to the personal data processing carried out by VLI’s suppliers, including the Brazilian General Personal Data Protection Law – LGPD (Law No. 13.709/2018).
The terms used in this Guideline should always be interpreted in accordance with the Personal Data Protection Laws. Nevertheless, to facilitate understanding, we provide below examples of how these terms are commonly interpreted:
- Personal Data: Any information related to a natural person (an individual), whether that person is already identified or can be identified (for example, through the interpretation or combination of that information with other data). Examples of personal data include names, identification documents (such as CPF and RG), personal or professional email addresses, home or work addresses, browsing data (such as device identifiers, IP addresses, and other digital activity logs), bank details, financial information, behavioral profiles, among others.
- Processing: Any operation carried out with personal data, including collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation or control of information, modification, communication, transfer, dissemination, or extraction.
- Data Subject: The natural person (individual), identified or identifiable, to whom a personal data item or set of personal data refers.
- Controller: The party responsible for making decisions regarding the processing of personal data.
- Processor: The party that processes personal data on behalf of the controller.
Scope
This Guideline applies to all VLI suppliers who carry out personal data processing activities within the scope of their relationship with VLI.
The commitments required of the supplier regarding personal data processing must be observed not only by the supplier itself but also by any individuals or entities engaged by the supplier in the execution of a given personal data processing activity—such as employees, advisors, consultants, outsourced personnel, subcontractors, and service providers.
Compliance with Personal Data Protection Laws
VLI values and respects Personal Data Protection Laws and requires all of its business partners who may process personal data within the scope of their relationship with VLI to also comply with these laws.
Respect for Personal Data Protection Laws implies, among other principles, that all data processing activities must be carried out appropriately and strictly within the limits necessary to achieve the intended legitimate purposes.
Decisions on Data Processing and Responsibilities of the Parties
When acting as a controller, the supplier shall make the decisions related to the processing of personal data and shall be responsible for ensuring that such processing activities comply with the obligations assigned to the controller under Personal Data Protection Laws.
When acting as a processor, in addition to complying with the obligations assigned to processors under Personal Data Protection Laws, the supplier must only carry out data processing activities strictly within the limits of VLI’s instructions. In such cases, the supplier must not process personal data for its own benefit or the benefit of third parties, unless previously authorized by VLI or required by law, and must inform VLI about such processing situations whenever legally permitted.
The supplier must always act in a responsible and ethical manner when performing personal data processing activities, indemnifying VLI and data subjects and holding them harmless from any consequences arising from breaches of obligations by the supplier or any third parties involved by the supplier in the processing activities.
Upon request, the supplier shall provide documents, specifications, records, technical clarifications, and other information and evidence related to the processing of personal data by the supplier. The supplier agrees that in certain situations, VLI may request access to its facilities to verify compliance with the obligations undertaken by the supplier.
Data Subject Rights
The supplier and VLI must cooperate with each other to ensure the proper handling of requests made by data subjects whose personal data is processed by the supplier within the scope of its relationship with VLI.
In cases where the supplier acts as a data processor, it must promptly inform VLI if it receives any request or complaint from data subjects, so that VLI, with the supplier’s collaboration, can determine the necessary actions to ensure that the request or complaint is properly addressed.
Confidentiality and Security of Personal Data
VLI’s suppliers must commit to maintaining the confidentiality and security of personal data that is subject to processing activities within the scope of their relationship with VLI.
The supplier must implement appropriate technical and administrative measures to prevent unauthorized access and accidental or unlawful situations involving the destruction, loss, alteration, communication, or dissemination of personal data. These measures must ensure the confidentiality, availability, and reliability of the personal data processed by the supplier. VLI may require the supplier to comply with specific technical and administrative measures as outlined in the agreements signed between the parties.
Whenever acting as a data processor, the supplier must obtain VLI’s prior authorization before granting access to personal data or otherwise disclosing such data to third parties.
Incidents and Other Violations
The supplier must notify VLI within 24 hours of becoming aware of:
- Any incident or suspected incident involving personal data processed by the supplier in the context of their relationship with VLI, such as unauthorized access or accidental or unlawful situations of destruction, loss, alteration, communication, or dissemination. The supplier must investigate the incident and promptly provide VLI with all related information;
- Any breaches or irregularities in the processing of personal data by the supplier or by third parties engaged by the supplier in any processing activity, presenting VLI with all details of the event, even if such breaches do not result in an actual incident.
Involvement of Third Parties in the Processing of Personal Data
The supplier is responsible for ensuring that any third parties engaged by the supplier to carry out personal data processing activities comply with applicable Data Protection Laws. The supplier will be held accountable for any irregularities or breaches committed by such third parties in relation to personal data processing.
When acting as a data processor, the supplier must obtain VLI’s prior approval before engaging any third party in a personal data processing activity. VLI may request information from the supplier regarding the third parties involved, including details about the measures adopted by those third parties to ensure compliance with Data Protection Laws.
The supplier must require third parties involved in the processing of personal data (including through contractual obligations) to implement personal data protection standards that are at least as protective as those established in this Guideline, in the agreements signed with VLI, and in applicable Data Protection Laws.
International Transfers of Personal Data
The supplier agrees to comply with any restrictions imposed by Data Protection Laws regarding the transfer of personal data to other countries. Whenever personal data is subject to international transfer, the supplier must take the necessary measures to ensure that the data remains adequately protected.
When acting as a processor, the supplier may only transfer personal data outside Brazil after obtaining VLI’s express authorization. Before authorizing the transfer, VLI may require the supplier to implement specific measures to ensure compliance with Data Protection Laws.
Termination of Personal Data Processing
Upon the termination of a given relationship between the supplier and VLI that involves the processing of personal data by the supplier, the supplier must return the personal data to VLI and permanently delete the personal data processed. The deletions must be formally documented and confirmed to VLI. The supplier must also comply with any such requests made by VLI even prior to the end of the relationship.
If the supplier is required by law or regulation to retain personal data, it may retain only the specific data subject to that requirement. In such cases, the supplier must ensure the implementation of the necessary mechanisms to safeguard the data retained.
Complementary Terms
The supplier agrees that contracts entered into with VLI may include contractual provisions that are consistent with this Guideline and that define the supplier’s obligations regarding personal data processing.
Non-compliance with the principles and commitments set forth in this Guideline may result in disciplinary measures, including contract termination and the supplier’s removal from VLI’s vendor registry, in accordance with VLI’s internal policies.
This Guideline is subject to periodic review, conducted transparently and with the participation of relevant stakeholders.