Embraer works to build the unimaginable in the sectors of commercial and executive aviation, defense and security, at the same time ensuring the highest level of corporate integrity and ethics in all the activities it performs.
To achieve these goals, we need to process personal data in our activities, for example, to communicate with our customers and suppliers, to promote our products and to certify the compliance of our operations.
You can find further details on how Embraer processes personal data in our Privacy Policy below. In brief, our policy addresses the following points:
Principles | There are ten principles that govern our personal data processing activities:
1 Lawfulness, fairness and transparency |
Data processed | The data required to safely perform our activities, such as name, job title, documents, email, address, date of birth, nationality and computer IP. |
Purposes | In brief, we process personal data to communicate with the data subjects, to comply with our legal and contractual obligations, to ensure the compliance of our operations, to understand our customer’s profile and to promote our products, in addition to serving our customers. |
Data Subjects’ rights | Data Subjects have certain rights regarding their personal data: confirmation of the existence of Personal Data Processing and access; rectification; object; limiting personal data processing and revoking consent; denial of consent; anonymization, blockage or deletion; information on shared use; portability and review of automated decisions. |
Information security | Embraer employs cybersecurity mechanisms and procedures based on the best market practices (such as the NIST 800 Special Publication and ISO 27002 frameworks), which are submitted to periodic reviews to ensure the company’s ability to detect, control and respond to possible global technological threats. |
Contact | Any concerns and/or doubts must be immediately reported by clicking on Exercise Rights.
Data Subjects may also report violations related to the topic through the Helpline – Whistleblowing Channel, available at the website www.embraerhelpline.com. |
If you still have questions after reading our Privacy Policy below, you may contact us by clicking on Exercise Rights.
Data Protection Global Policy
1. Definitions:
“Affiliate”: an establishment, in Brazil or abroad, without an independent legal identity but which contains the same root CNPJ as Embraer.
“Controlled Companies”: any company, in Brazil or abroad, which Embraer, either directly or indirectly, is the controlling partner or shareholder, guaranteeing a preponderance in business deliberations and the power to elect a majority of administrators.
“Data Protection Office (DPO)”: group responsible for providing guidelines and inspections on the application of this Policy.
“Data Processing” or “Processing”: any type of activity conducted with Personal Data, including access, storage, cleaning, visualization, collection, deletion and sharing, among others.
“Data Subject”: individual to whom the Personal Data refers, who may be, but is not limited to, an Employee of the Embraer Group, a customer, a supplier representative or a candidate for a vacancy in the Embraer Group.
“Embraer Group”: Embraer together with its Controlled Companies and Joint Ventures of the group.
“Employee”: any person who works for Embraer, its Controlled Companies or Joint Ventures, including its directors, officers, managers, and employees, irrespective of the employment regimen (employment contract, service provision agreement or internship contract, among others).
“GDPR”: General Data Protection Regulation – European Union (EU) Regulation No. 679/2016, which provides for Personal Data protection.
“Guidebook”: Guidebook for Events Involving Breach of Personal Data – doc.emb No. 13771.
“Incident”: security breach or possible security breach that accidentally or intentionally causes unauthorized destruction, loss, blocking, change or disclosure of, or access to, personal data.
“Joint Venture”: all of the companies, in Brazil or abroad, in which the business deliberations and naming of administrators are performed conjointly by Embraer (directly or indirectly) and by one or more partners with significant relevance.
“Legal Bases”: the legal hypotheses that authorize someone to Process Personal Data. These could be, for instance, the data subject’s consent, the need to fulfill a contract, the fulfillment of a legal obligation or Embraer’s legitimate interest.
“Legal Department”: Embraer’s Compliance and Legal Executive Vice-Presidency, through the Corporate Legal Department.
“Lei Geral de Proteção de Dados” or “LGPD”: Brazilian Law No. 13,709/2018, as changed and regulated.
“Personal Data”: any type of data or information that may directly or indirectly make feasible the identification of an individual, even though this identification may depend on the association of such data with other elements.
“Procedure”: the Personal Data Protection Governance Corporate Procedure – doc.emb No. 15005 (Embraer Commercial Aviation) and No. 15096 (Embraer S.A.).
“Policy”: this document, the Embraer Group’s Global Personal Data Protection Policy, doc.emb No. 13,762.
“Sensitive Personal Data” or “Sensitive Data”: personal data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or union membership, as well as genetic data, biometric data to unequivocally identify individuals, genetic or health data or sexual orientation.
“Third Party” or “Data Processor”: any engaged individual, except Employees of the Embraer Group, or company and formal or informal business partners that may conduct any type of Data Processing activities on behalf of the Embraer Group.
2. The Policy
This Policy applies to the entire Embraer Group, including the Company’s international operations. This Policy provides for ethical business operations and ensures the right to the protection of Personal Data processed by the Group. This Policy shall also apply to Third Parties.
This Policy, and the examples herein, do not aim to be an exhaustive compendium related to Data Protection; rather, they are intended to help the reader understand the subject matter and the critical importance of compliance. Therefore, whenever there is any uncertainty about whether this Policy applies, or if you have any questions about the propriety of any conduct, you must promptly seek advice from the Legal Department and the DPO.
Embraer expects all Employees and Third Parties to: (i) know and follow this Policy; and (ii) recognize and report potential issues related to Data Protection with sufficient time to allow the Legal Department and the DPO to adequately address the potential issue.
This Policy must be read in conjunction with the Code of Ethics and related policies and procedures, especially those concerning information security rules. In the event of conflict between this Policy and other policies of the Embraer Group, the strictest policy or procedure related to the Data Protection shall prevail. In these circumstances, Employees or Third Parties must notify the Legal Department or the DPO to allow them to immediately handle the conflict, recommend the adequate measures to be taken, and review the relevant Policy or procedure, if required.
3. Objective
The purpose of this Policy is to discuss the principles and general rules regarding Data Processing that must guide the Embraer Group’s operations. The Embraer Group, in view of its global footprint, is required to comply with laws and regulations providing for the protection of Personal Data in all countries in which it operates, including the GDPR and LGPD.
4. Scope
This Policy applies to the Embraer Group, including the Company’s international transactions and any business activities managed or conducted on behalf of the Embraer Group by Third Parties.
The Legal Department and the DPO will assist the Controlled Companies and the Joint Ventures in the adoption of rules and procedures that promote the principles and objectives proposed by this Policy.
5. Guidelines
5.1 Principles – All Processing activities conducted by those who are required to comply with this Policy must follow the principles set forth below:
5.1.1 [LAWFULNESS, FAIRNESS AND TRANSPARENCY] Respect lawfulness, fairness and transparency in Data Processing activities, which means that Personal Data must be processed only whenever there is an applicable Legal Basis, with maximum transparency to Data Subjects and in accordance with the ethical principles that guide the activities of the Embraer Group;
5.1.2 [PURPOSE LIMITATION] To process with legitimate, specific, explicit and informed purposes to the Data Subject and achieving the purpose that justifies the collection of Personal Data, not using Personal Data for purposes other than those for which it was obtained;
5.1.3 [DATA MINIMISATION AND NECESSITY] To process the lowest volume of Personal Data required to achieve the purposes that justify its collection; keeping Personal Data for the shortest period of time possible;
5.1.4 [ACCURACY] To adopt reasonable technical and organizational measures to keep the Personal Data quality, which should always be accurate and current at all times, including the possibility of correction requests made by Data Subjects;
5.1.5 [PSEUDONYMIZATION AND STORAGE LIMITATION] To maintain the data only as long as necessary and to apply, whenever possible, pseudonymization techniques that make it impossible to identify Data Subjects, preventing association with other data or complementary information (which must be stored in a way to ensure that identification does not occur). Therefore, Processing activities must always try to disassociate information that allows the direct identification of Data Subjects;
5.1.6 [INTEGRITY, CONFIDENTIALITY AND INFORMATION SECURITY] To adopt all security measures required to ensure the confidentiality and integrity of Personal Data to prevent cyber security incidents, based on the technical specifications set forth by the Embraer Group;
5.1.7 [ACCOUNTABILITY] To implement measures to demonstrate compliance with this Policy and other rules applicable to Data Protection, including the preparation of written documents with all measures adopted to ensure data protection (from technical studies on security measures to impact assessments, as required pursuant to applicable law).
5.1.8 [NONDISCRIMINATION] To guarantee that Processing of Personal Data is not carried out for unlawful or abusive discriminatory purposes;
5.1.9 [FREE ACCESS] To guarantee to the Data Subjects facilitated and free of charge consultation about the form and duration of the Processing, as well as about the integrity of their personal data;
5.1.10 [PREVENTION] To adopt measures to prevent the occurrence of damages due to the Processing of Personal Data.
5.2 Data Processed
Due to its activities, the Embraer Group may Process Personal Data for several reasons, including those listed in the item below. Embraer may receive this Personal Data directly from the Data Subjects, its economic group, or from employers of customers, service providers, suppliers or partners.
Some examples of Personal Data that Embraer may process in the exercise of its functions:
A) Name and surname
B) Job title or function
C) Identification document details – including, but not limited to, ID number, Social Security number or Passport number
D) E-mail
E) Address
F) Date of birth
G) Nationality
H) Computer’s IP
5.3 Use of Personal Data
The purpose and type of Personal Data that the Embraer Group processes may vary according to the interaction and the relationship that the Data Subject has with the Company. Below, we have listed some Personal Data Processing activities carried out by the Embraer Group, within the limits of the law.
A) Communicate with the Data Subjects. We will Process Personal Data in order to communicate with Data Subjects, such as when we respond to a contact request sent through the forms available on our website, evaluate your application for an Embraer Group job opportunity or inform you about important maintenance on our aircraft.
B) Comply with legal and regulatory obligations. The Embraer Group Processes Personal Data in order to comply with the legal and regulatory obligations to which the Company is subject, from keeping records of your access to our website to preventing money laundering.
C) Comply with and enforce our contracts. We may Process Personal Data to negotiate and sign a contract and to carry out our obligations under a contract with the Data Subjects, such as making payments and collections, offering services or benefits and ensuring the performance of the object of a contract in general.
D) Ensure Compliance of our operations. We can Process Personal Data to ensure effectiveness of our Compliance Program, ensuring the correct management of business relationships, preventing conflicts of interest, dealing with donations and sponsorships, offering and receiving gifts and entertainment, as well as contracting and conducting business with third parties, with special attention to those who can act on behalf of Embraer.
E) To understand our customers and promote our products and activities. We can use Personal Data to better understand the profile of our customers and their interests and, eventually, inform them about our products, launches or other important news.
F) To serve customers. We can Process Personal Data to respond to demands of our customers, provide personalized service and provide quality maintenance and technical support services.
To carry out those activities, we may rely on different Legal Bases, analyzed on a case-by-case basis, notably (i) your consent; (ii) the necessity to comply with a legal obligation; (iii) the legitimate interest of the Embraer Group; (iv) the performance of a contract or, eventually, (v) the exercise of rights in judicial, arbitration or administrative proceedings.
5.4 Procedures
5.4.1 Enabling the Exercise of Rights – The Embraer Group shall ensure that Data Subjects are able to exercise their rights, as specified below, and those rights should be attended whenever possible:
5.4.1.1 Confirmation of the existence of Personal Data Processing and access: the request to confirm that Embraer Processes Personal Data about you and the request for a copy of your Personal Data that we may have;
5.4.1.2 Rectification: Correcting Personal Data that is processed by the Embraer Group or Third Parties to whom the Embraer Group transferred said Personal Data;
5.4.1.3 Deletion: upon the Data Subject’s request and when there is no legitimate reason for the Embraer Group to maintain the Personal Data, the Personal Data specified in the request will be deleted;
5.4.1.4 Object: the Data Subject has the right to object to the Processing of his or her own data, on grounds relating to his or her particular situation, including in cases where the Embraer Group Processes Personal Data based on legitimate interest, for instance to improve our communication with Data Subjects. This request will be granted when the Embraer Group has no proper reasons to continue the Data Processing activity;
5.4.1.5 Limiting Personal Data Processing and revoking consent: Data Subjects may request their data to be processed within certain limits, pursuant to applicable law and the Compliance guidelines of the Embraer Group, as well as revoke their consent to Processing activities;
5.4.1.6 Denial of consent: the Data Subject’s right not to provide consent when requested, being informed of the consequences of denying consent;
5.4.1.7 Anonymization, blockage or deletion: request from the Data Subject for (a) anonymization of the Data, so that it can no longer be related to the Data Subject and, therefore, is no longer Personal Data; (b) blockage of the Data, temporarily suspending the possibility of Processing the Data; (c) deletion of the Data, in which case the Data will be deleted, with no possibility of reversion, except in cases provided for by law;
5.4.1.8 Information on shared use: request from the Data Subject to obtain information on the Embraer Group’s shared uses of Personal Data. This Policy has a list of examples of purposes for which we may share Personal Data. In any case, if there are questions or if more details are needed, the Data Subject has the right to request more information;
5.4.1.9 Portability: upon the Data Subject’s request, the Company should submit the Personal Data to another company, irrespective of the company’s economic group, delivering to Data Subjects, or however they indicate, in a machine-readable format (i.e., in a structured format that is of common use and automated reading), the data they provided to the Embraer Group; and
5.4.1.10 Review: for decisions made exclusively by automated means, the Data Subject can request the review of such decision by an Embraer Group Employee.
5.4.2 Complying with Information Security Rules
All Processing activities must be based on technical and operating Information Security standards indicated by the Embraer Group to ensure the confidentiality and integrity of Personal Data.
5.4.3 Compliance with the Guidebook
In the event of any Incident which compromises the confidentiality of Personal Data, i.e., whenever unauthorized Third Parties have access to Personal Data kept by the Embraer Group, the procedures set forth in the relevant Guidebook must be immediately adopted. The relevant Guidebook must be read and interpreted in accordance with this Policy.
5.4.4 Following the Corporate Rules for International Transfers of Personal Data
All parties subject to this Policy operating under applicable law – such as LGPD and GDPR – must follow the corporate rules for International Transfer of Personal Data in any transfer of Personal Data to organizations of the same economic group or otherwise that are located outside Brazil. In these cases, the Legal Department and/or the DPO must be consulted prior to any International Transfer of Personal Data.
5.4.5 Maintaining an Active Communication Channel Accessible to Data Subjects
Data Subjects may send any inquiries or complaints related to their rights regarding Personal Data and/or Sensitive Personal Data to the Embraer Group via e-mail to: data.privacy@embraer.com.
5.4.6 Ensure compliance when sharing Personal Data with Third Parties
The Embraer Group has partners and suppliers that assist us in several activities and, for this reason, they may have access to Personal Data controlled by the Embraer Group. To sum up, the Embraer Group shares Personal Data with Third Parties when there is a Legal Basis for this, with appropriate contractual measures in place, and to achieve some specific purposes, as indicated below.
Technology Services. The Embraer Group has a number of suppliers that improve our technological infrastructure. For example, we use data hosting services to store part of our database and data intelligence services to improve our efficiency. Partners are only authorized to use Personal Data for the specific purposes for which they were contracted. This sharing is based on legitimate interests or on the need to comply with a contract with the Data Subject, on a case-by-case basis.
Suppliers. The Embraer Group is helped by suppliers who can Process Personal Data we collect. Those suppliers are carefully evaluated and should comply with contractual information security and Personal Data protection obligations. These suppliers include, for example, companies that operate in the following fields: (i) property security; (ii) advertising and marketing agencies and tools; (iii) health services and benefits offered to Employees; and (iv) consultancy and external audit companies that may help the Embraer Group to maintain compliance in its processes.
Embraer Group and related companies. Some Personal Data may be shared between Embraer Group companies. We share this data to (i) meet the legitimate interests of the Embraer Group and its interests; (ii) support and development of new products and businesses; (iii) experiences exchange and best practices; (iv) data analysis; (v) among others.
6. Miscellaneous
6.1 Penalties
The Embraer Group and/or its Employees may be investigated by government regulatory agencies in different jurisdictions and, depending on the circumstances, administrative, civil or criminal lawsuits may be filed against them. This may result in high fines and severe penalties, debarments and/or other penalties if the Company and/or its Employees violate the laws and/or regulations providing for protection of Personal Data.
Any Employee that is found in violation of this Policy is subject to disciplinary measures.
Third Parties found in violation of this Policy are subject to the termination of their business relationships and any other redress, without prejudice, and legal measures available to the Embraer Group pursuant to applicable law and relevant agreements.
6.2 Non-retaliation
The Embraer Group shall prohibit retaliation, reprisal or harassment, veiled or otherwise, by any Employee(s) against any individual, including an Employee or Third Party for making, or suggesting to make, any report or notification raising any good faith questions or concerns related to issues regarding: an actual or potential violation(s) of this Policy; and an actual or potential violation of any federal, state or local law or regulation which this Policy shall fall under. The Embraer Group shall take appropriate action, in accordance with this Policy along with the Code of Ethics and Conduct, and the Helpline Policy, as well as any relevant internal policy, against any Employee who violates this non-retaliation statement.
6.3 Training
Embraer Group’s training about protection of Personal Data shall occur in accordance with the schedule annually promulgated by the Legal Department.
6.4 Policy Review
This Policy and related procedures will be reviewed by the Legal Department every two years, without prejudice to changes required by applicable law.
6.5 Data Protection Office (DPO)
The Embraer Group created a work group to assist in the compliance with this Policy, mandatorily consisting of one Legal representative, one Information Technology representative, one Compliance representative, one Human Resources representative, one Internal Audit representative, one Corporate Risks and Internal Controls representative, one Communication and Marketing representative and innovation of strategy and digital transformation, in addition to representatives of other Departments based on specific needs. Representatives of other Departments within Embraer may also participate in the DPO, based on specific needs, as well as representatives of Controlled Companies and Joint Ventures, to coordinate the activities of the Embraer Group.
The DPO shall meet regularly, at least once a month, and extraordinarily as required.
The DPO activities, the duties of each area, reporting and other matters are specified in the Procedure, which must be read together with this Policy.
This group will be led by the Legal Department, namely by the Legal and Compliance Vice-Presidency of Embraer.
6.6 Communication
This Policy must be disclosed by the Legal Department to all parties who are required to comply with it.
6.7 Questions and Reports
Any concerns and/or reports of noncompliance with this Policy must be immediately reported via e-mail to: data.privacy@embraer.com
Data Subjects may also report violations through the Helpline – Whistleblowing Channel, available at www.embraerhelpline.com.
6.8 Effectiveness
This Policy takes effect as of the date of its disclosure, and may be amended at any time, at Embraer’s sole discretion.
6.9 Controlled Companies and Joint Ventures
The implementation of this policy must fulfill the requirements set forth in applicable law and local rules of Controlled Companies and Joint Ventures. No amendment may change the principles of this Policy.
6.10 Information Security
Embraer employs cybersecurity solutions and procedures to guarantee the most proper and applicable treatment, collection, availability, and destruction of personal information used by its corporate systems, business processes and products. These procedures and mechanisms are based on market best practices (such as the NIST 800 Special Publication and ISO 27002 frameworks) and undergo periodic reviews to guarantee their capability to detect, control and respond to possible global cyber threats.
It is important to state that no mechanism is infallible or perfect in preventing a cyber threat from materializing, but Embraer understands that the protections necessary to enable its business, with the right level of security for data owners and their personal information, are implemented and continually tested.
7. Responsible Department – Legal Department
The Legal and Compliance Vice-Presidency of Embraer, through the Corporate Legal Department, shall be responsible for this Policy, for maintaining it, for the leadership of activities set forth in and related to this Policy, as well as for the development of DPO activities.
This Policy may be amended as deemed required and appropriate, based on recommendations of the IT Department and Compliance Department and on changes in policies applicable to the Embraer Group or in the applicable laws and regulations.