Privacy and Data Protection Policy

SUMMARY

NUERNBERMESSE BRASIL – FEIRAS E CONGRESSOS LTDA., registered under CNPJ/MF No. 00.627.805/0001-60 (“Company” or “NMB”), is committed to the security, privacy, and confidentiality of the Personal Data of its employees, clients, suppliers, and all its stakeholders. Furthermore, NMB values the protection of Personal Data of visitors to its website and events.

By recognizing and respecting the legitimate Processing of Personal Data in accordance with current legislation and other applicable regulations, the Company has developed this Privacy and Data Protection Policy (hereinafter, the “Policy”), which must be observed by all employees, contractors, and partners.

The Company undertakes to take all measures to preserve privacy and ensure the protection of each data subject’s Personal Data; and, when collecting, processing, and using Personal Data, we comply with all applicable legislation. NMB is also committed to adopting technical and administrative measures capable of protecting personal data from unauthorized or unlawful access, destruction, loss, alteration, communication, or disclosure, as well as to prevent harm resulting from the processing of personal data.

Only authorized employees may access the Company’s database. Access to personal information is restricted and ensured by best practices and strict compliance standards. The Company undertakes not to sell, rent, or pass on your information to third parties without the prior consent of the data subject.

***

  1. INTRODUCTION

Applicable Laws and Regulations: This Policy is governed by the parameters defined by the General Data Protection Law, No. 13.709/2018 (hereinafter “LGPD”), in accordance with the legal provisions of the Constitution of the Federative Republic of Brazil, in its Article 5, item LXXII; the Habeas Data Law (hereinafter “Habeas Data”), No. 9.507/1997; and finally, the Brazilian Internet Bill of Rights, Law No. 12.965/2014 (hereinafter and collectively referred to as “Applicable Regulations”).

Scope of application: This Policy applies to the Personal Data managed by the Company and which are subject to Personal Data Processing operations.

Purpose: The purpose of this Policy is to demonstrate compliance with the duties provided by the LGPD, as well as to regulate the procedures for Processing Personal Data including the collection, access, retention, and deletion of said data by the Company.

1.1. DEFINITIONS:

For the purposes of this Privacy Policy, in accordance with the LGPD, the following definitions apply:

ANPD: National Data Protection Authority at the federal level responsible for overseeing, penalizing, and regulating matters related to the protection of Personal Data.

Database: Organized set of Personal Data subject to Processing.

Controller of Personal Data Processing: Natural or legal person, public or private, who alone or in association with others, decides on the Processing of Personal Data and the Database (hereinafter, the “Controller”).

Consent or Authorization: Free, informed, and unequivocal expression by which the data subject agrees to the processing of their Personal Data for a specific purpose.

Personal Data: Any information linked to or that may be associated with one or more specific or identifiable natural persons. Some examples of Personal Data include: name, citizenship card, address, email, phone number, marital status, health data, fingerprint, salary, assets, among others.

Data Protection Officer (DPO): Natural or legal person appointed by the Controller (hereinafter, the “DPO”) to act as a communication channel between the Company, the data subjects, and the National Data Protection Authority (hereinafter, the “ANPD”).

Processor of Personal Data: Natural or legal person, public or private, who alone or in association with others, carries out the Processing of Personal Data on behalf of the Controller (hereinafter, the “Processor”).

Complaint: Request by the Data Subject or individuals authorized by them or by Law to correct, update, or delete their Personal Data or revoke the authorization in cases provided by Law.

Data Subject: Natural person whose Personal Data is subject to Processing (hereinafter, the “Data Subject”).

Processing of Personal Data: Any operation or set of operations and technical procedures, whether automated or non-automated, on Personal Data, such as collection, access, storage, recording, retention, use, sharing, modification, or deletion, among others (hereinafter, “Processing”).

1.2. PRINCIPLES APPLICABLE TO THE PROCESSING OF PERSONAL DATA:

The Company will apply the principles mentioned below, which must guide and inspire the Processing of Personal Data.

Purpose: Collected Personal Data must be used for a lawful, legitimate, specific, and explicit purpose, which must be previously informed to the Data Subject, clearly and sufficiently (Article 6, item I of the LGPD).

Adequacy: Processing of Personal Data compatible with the purpose informed to the Data Subject (Article 6, item II of the LGPD).

Necessity: Limiting the processing to the minimum necessary for achieving its purposes, covering only relevant, proportionate, and non-excessive data in relation to the processing purposes (Article 6, item III of the LGPD).

Free access: Guarantee to data subjects of easy and free consultation about the form and duration of the processing, as well as the completeness of their personal data (Article 6, item IV of the LGPD).

Data quality: Guarantee to data subjects of the accuracy, clarity, relevance, and updating of data, according to the necessity and for fulfilling the processing purpose (Article 6, item V of the LGPD).

Transparency: Guarantee to data subjects of clear, precise, and easily accessible information about the processing and the respective agents, observing commercial and industrial secrets (Article 6, item VI of the LGPD).

Security: Use of technical and administrative measures able to protect personal data from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, communication, or dissemination (Article 6, item VII of the LGPD).

Prevention: Adoption of measures to prevent the occurrence of damage due to the processing of personal data (Article 6, item VIII of the LGPD).

Non-discrimination: Guarantee of impossibility of processing personal data for discriminatory, unlawful, or abusive purposes (Article 6, item IX of the LGPD).

Accountability: Demonstration by the controller of the adoption of effective measures capable of proving compliance with the rules of personal data protection, including the effectiveness of such measures (Article 6, item X of the LGPD).

Accountability and Rendering of Accounts: demonstration, by the agent, of the adoption of effective measures capable of proving observance and compliance with Personal Data protection standards and, including, the effectiveness of these measures (article 6, item X of the LGPD).

  1. RIGHTS AND DUTIES

Data Subject Rights: In accordance with Article 18 of the LGPD and other provisions of the applicable data protection regulations, the Data Subject has the following rights:

  • Confirmation of the existence of data processing;
  • Free access to their Personal Data that has been processed, based on Article 9 and Item I of Article 18 of the LGPD;
  • Correction of incomplete, inaccurate, or outdated Personal Data;
  • Anonymization, blocking, or deletion of unnecessary, excessive, or non-compliant data according to the LGPD;
  • Portability of Personal Data to another service or product provider, upon express request, in accordance with ANPD regulations, subject to commercial and industrial secrets;
  • Deletion of Personal Data processed with the consent of the data subject, except in cases provided for in Article 16 of the LGPD;
  • Information on public and private entities with which the Controller has shared Personal Data;
  • Information on the possibility of not providing consent and the consequences of such refusal.

Rights Request Form: The Company has trained professionals available to answer your questions and requests and to support you in exercising your rights. You may fill out our Rights Request Form (“Form”). It is important to highlight that parents or legal guardians may exercise these rights on behalf of children or adolescents, as per applicable legislation.

Analysis of the Rights Request Form: When we receive your request, our privacy team will review it and respond in one of two ways: (i) your request is lawful and legitimate and will therefore be granted; or (ii) your request is denied due to certain reasons and cannot be fulfilled. Don’t worry — even in case of denial, we will inform you of the reasons your request was not approved. All our responses will always be sent via the same channel through which you contacted us, either email or postal mail.

  • We may need to request specific information from you to confirm your identity and ensure that you are entitled to exercise your rights. This is a security measure to ensure that data is not disclosed to anyone without proper authorization. This measure is particularly necessary given our concern with information processed about children and adolescents;
  • If your request is accepted, we will make every effort to contact our suppliers and business partners who may have access to your Personal Data to ensure appropriate correction, deletion, or other requested actions;
  • The Company may store and maintain a record of rights requests in order to demonstrate to the relevant authorities that responses were provided in a timely and appropriate manner, if necessary.

Response Timeframe: Once your request is received, our team will respond to you within a period of up to fifteen (15) days. If clarification or further information is needed, we may send you follow-up questions to respond to your request satisfactorily, in which case the deadline will be suspended from the date our questions are sent until your response is received.

Non-Compliance with Request: If a request cannot be fulfilled, the Company is committed to clarifying the reasons behind the denial, including:

  • protection of trade secrets and intellectual property of the Company;
  • violation of third-party rights and freedoms;
  • anonymized information, which is therefore not considered Personal Data;
  • obstruction of law and justice;
  • the legitimate interests of the Company;
  • repetitive, recurring, or excessive requests.

Duties of the Company: As the Controller, the Company is obliged to fulfill the following duties:

  • Request and retain a copy of the authorization granted by the Data Subject;
  • Maintain Personal Data under secure conditions to prevent its tampering, loss, consultation, unauthorized or fraudulent use or access;
  • Ensure that the information regarding Personal Data provided to the Processor is true, complete, accurate, up-to-date, verifiable, and understandable, correcting it when it is incorrect and communicating the necessary updates to the Processor;
  • Update the information and promptly communicate any changes in the previously provided Personal Data to the Processor, taking the necessary steps to keep the data accurate and up to date;
  • Provide the Processor only with the Personal Data necessary to fulfill its purpose;
  • Require the Processor to respect data security and privacy conditions during Data Processing at all times;
  • Process inquiries and complaints made by Data Subjects and respond in a timely manner as per the Applicable Regulations;
  • Inform the ANPD and the Data Subject of any security incidents resulting from the irregular processing of Personal Data;
  • Maintain a record of all Personal Data Processing operations, including the legal basis for each specific processing activity.

  1. PERSONAL DATA PROCESSING

Authorization for Personal Data Processing: Physical, electronic or any format document presented to the Data Subject for their knowledge, before or at the moment of Data collection, being the means by which all the contents of this Policy are communicated, notably about the process of Processing the Personal Data that will be collected, the ways to access them and, in general, the purposes for which they were obtained.

Personal Data Processing: The Personal Data managed by the Company will be collected, used, stored, updated, transmitted and/or transferred for the following purposes:

Regarding the Personal Data of our customers:

  • To provide the necessary and desired services and products;
  • Inform about new products or services related or not to those contracted or acquired by the Data Subject, always offering opt-in and opt-out options and aiming at compatibility with the consumption profile of the Data Subject;
  • Fulfill contractual obligations made with the Data Subject;
  • Report changes in products or services for transparency purposes;
  • Evaluate product and service quality, conduct market studies and statistical analyses for internal uses and improvement of offered products and services;
  • Allow Data Subjects to participate in marketing and promotional actions (including participation in contests, raffles and sweepstakes), and their execution on social networks;
  • Facilitate the design and implementation of loyalty programs;
  • Send via physical, electronic, mobile or portable device, by text messages (SMS and/or MMS), commercial, advertising or promotional information about products and/or services, events and/or promotions of a commercial or non-commercial nature, aiming to promote, invite, execute, inform and, in general, carry out campaigns, promotions or contests of commercial or advertising nature – again, always providing opt-in and opt-out options and personalizing the approach according to the Data Subject’s consumption profile;
  • Sharing, including Transfer and Transmission of Personal Data to third parties strictly for purposes related to the Company’s business operations, both internal functioning and core activities;
  • Conduct internal studies on compliance with commercial relationships and market studies at all levels;
  • Conduct optional general surveys and polls aiming at the evaluation of a good or service;
  • Perform internal or external audits typical of the commercial activity the Company develops;
  • Allow affiliated Companies of the Company, with which contracts have been signed committed to the security and proper Processing of the Personal Data processed, to contact the Data Subject with the purpose of offering goods or services of interest – this possibility will be duly included in the Privacy Notice and contractual instruments with clients;
  • Control access to the Company’s offices and facilities, including implementation of areas monitored by video cameras for security reasons;
  • Respond to questions, requests and complaints made by Data Subjects and regulatory and oversight bodies, such as the ANPD, as well as transmit Personal Data to other authorities that, by force of applicable law, must receive Personal Data;
  • Transfer the collected information to different areas of the Company and its affiliated Companies in Brazil and abroad, when necessary for the development of their operations – provided that, according to item II of article 33 of the LGPD, this is expressly foreseen by means of specific or standard contractual clauses, global corporate norms or even certifications, demonstrating compliance with principles and rights introduced by the LGPD;
  • Use various services related to websites, including content downloads and formatting;
  • Register your Personal Data in the Company’s internal information systems and in its commercial and operational databases;
  • Any other activity of similar and/or complementary nature to those described above necessary for the development of the Company’s corporate purpose, duly registered in the Articles of Incorporation.

Regarding the Personal Data of our employees and suppliers:

  • Manage and operate, directly or through third parties, personnel selection and hiring processes, including evaluation and qualification of participants, reference checks, and security studies;
  • Develop human resources management activities for the operation, such as payroll, affiliations to social security entities, occupational health and social security activities, exercise of employer’s sanctioning power, among others;
  • Make necessary payments arising from the employment contract and/or its termination, and other social benefits applicable under the applicable legislation;
  • Contract labor benefits with third parties, such as life insurance, medical expenses, among others;
  • Notify authorized contacts in case of emergencies during working hours or its development;
  • Coordinate the professional development of employees, access to the Company’s IT resources, and assist in their use;
  • Plan business activities;
  • Control access to the Company’s offices and establish security measures;
  • Transfer the collected information to the various areas of the Company and its affiliated Companies in Brazil and abroad, when necessary for the development of their operations and payroll management (portfolio billing and administrative billing, treasury, accounting, among others), observing the provisions of article 33, item II of the LGPD;
  • Register contractors and suppliers in the Company’s systems and process their payments;
  • Conduct trainings;
  • Register your Personal Data in the Company’s information systems and in its commercial and operational databases;
  • Any other activity of similar and/or complementary nature to those previously described necessary for the development of the Company’s corporate purpose.

Data Transfer to Operator. When the Company wishes to send or transmit Data to one or more Operators located in the Country’s territory, contractual clauses must be established or a Personal Data Processing Agreement must be executed, in which, among other things, the following is agreed regarding the scope and purposes of the Processing:

  • The activities the Operator will perform on behalf of the Company;
  • The obligations the Operator must comply with regarding the Data Subject of the Company’s Data;
  • The Operator’s duty to process the Data according to the authorized purpose and observing the principles established in the Applicable Regulations and in systematic integration with Brazilian legal framework, as well as with this Policy. The Operator’s obligation to properly protect the Personal Data and Databases, as well as to maintain confidentiality regarding the Processing of transmitted Data;
  • A description of the specific security measures to be adopted both by the Company and by the Data Manager at its destination.

Validity Period of the Database: The Personal Data under the Company’s control will be kept for the necessary time according to the purpose of the Processing and/or for the time necessary to comply with a legal or contractual obligation, under the terms of article 15 of the LGPD.

Retention and Deletion Period of Personal Data: The Company has a Personal Data retention policy aligned with applicable law. Personal Data are stored only for the time necessary to fulfill the purposes for which they were collected, unless there is any other reason for their maintenance such as compliance with any legal, regulatory, contractual obligations, among others permitted by law.

We always perform a technical analysis to determine the appropriate retention period for each type of Personal Data collected, considering its nature, need for collection and purpose for which it will be processed, as well as any retention needs to comply with obligations or protect rights.

  1. SECURITY MEASURES AND COOKIE POLICY

Web Analysis and Provider Sources: In order to offer the best possible service and continuously improve our website for the benefit of our visitors, we use web analysis software provided by Google Inc. (“Google”), Google Analytics.

This is an analysis service that also uses cookies. The information generated by the cookie regarding the use of this website (including your IP address) is transferred to a Google server in the USA and stored there for 26 months. Google uses this information to evaluate your use of the website, compile reports on website activity for website operators, and provide additional services related to the website and internet usage. Furthermore, Google may transfer this information to third parties if required by law or if third parties process the data on behalf of Google. Under no circumstances will Google link your IP address with other data held by Google.

In any case, this website uses Google Analytics with the extension “anonymizeIP()” to ensure that IP addresses are processed only in abbreviated form and thus to prevent data from being linked to individual persons. However, we would like to point out that in this case you may not be able to use all or part of the functions offered by this website. By choosing to use it, you agree that the data about you collected by Google may be processed in the manner described above and for the purposes stated above.

You may revoke your consent for Google Analytics to collect and use your IP address at any time. Furthermore, this website uses fonts that are loaded directly from a legitimate and trusted provider. As a result, the provider technically obtains your IP address. We do not provide any information about you to the provider and we do not have access to the data collected by the provider. Without further data, i.e., through anonymization techniques, your IP address does not allow any conclusion to be drawn about your identity.

Work With Us on our Website: Regarding online applications submitted through our website, we will process only the Personal Data provided therein for the purpose of processing the application and conducting the selection process for that specific position, or to do so in relation to other positions beyond the one specified in the advertisement, which we may consider suitable to the applicant’s profile according to their declared qualifications.

Cookies/Similar Technologies

A cookie is a small file added to your device or computer by websites you visit. They are widely used to make websites work or work more efficiently, as well as to provide a personalized access experience and to provide information to the website owners. The Company uses cookies to tailor its website according to the use by its visitors to better understand how customers and visitors generally use it. The Company also uses other similar technologies for its websites, including IP addresses, log files, and web beacons, which also help us tailor our website to visitors’ needs.

The Company (or a third party on our behalf) may collect information in the form of Log Files that store website activity and collect statistics about users’ browsing habits, which are generated anonymously and help the Company collect the following data: (i) user browser type and system; (ii) information about the user session (such as source URL, date, time, pages visited, and time spent); and (iii) other browsing or click count data.

Users may manage and disable Cookies in their browser settings, including to be notified before accepting Cookies or simply refuse them. However, it is important to note that some types of cookies are necessary to enable the use of the Company’s website.

  1. INTERNATIONAL DATA TRANSFER

The transfer of any type of Personal Data to countries that do not offer adequate levels of Data protection is prohibited, in accordance with Article 33, item I of the LGPD and ANPD Resolution No. 19/2024. A country is considered to offer an adequate level of Data protection when it meets the standards established by the ANPD, which in no case may be lower than those required by Applicable Regulations, especially Article 34 of the LGPD.

This prohibition does not apply in the following cases:

  • Information for which the Data Subject has granted express and unequivocal authorization for the transfer, with prior information about the international nature of the operation, highlighted among other purposes;
  • Bank or securities transfers, under applicable legislation;
  • Transfers strictly necessary for the execution of the contract between the Data Subject and the Data Controller, or for the execution of pre-contractual measures.

 FINAL CONSIDERATIONS 

  • Considering that the Company conducts business globally, our employees are subject to the laws and regulations of different countries. However, this Privacy Policy is specifically applicable within Brazilian territory and is subject to applicable laws and regulations and potential updates, following legislative changes or internal process modifications, so we recommend that you read its terms regularly;
  • This Policy may contain errors and inaccuracies and may undergo updates or changes in the future. Therefore, we recommend that you periodically visit this page to stay informed about any modifications. Before using information for purposes other than those defined in this Policy, we will request your authorization;
  • If you have any questions, comments, or suggestions related to this Policy, you can contact the Company’s privacy team through the following means:

Data Protection Officer: Michael Johannes Harald Hans Karl Lob

Contact email: lgpd@nm-brasil.com.br

Facebook Instagram Youtube Linkedin

NürnbergMesse Brasil is a subsidiary of the NürnbergMesse Group and one of the largest promoters of business meetings in the country. With a portfolio of more than 10 events, all leaders in their markets, the company moves various segments of the national economy with a high level of professionalism and competence.

NürnbergMesse: The NürnbergMesse Group is among the 15 largest organizers of business meetings in the world. Its portfolio includes more than 120 international trade shows and congresses. Every year, around 30,000 exhibitors and more than 1.5 million visitors take part in the events organized by the multinational, which is present through its subsidiaries in China, North America, Brazil, Greece, Italy and India. The group also has a network of around 50 representatives operating in more than 116 countries.

© 2025 NMB - All rights reserved
Facebook Instagram Youtube Linkedin