Corporate IT Disposal and PNRS Compliance Plan

1. Purpose

This Corporate IT Disposal and PNRS Compliance Plan defines the governance structure, technical controls, legal obligations, responsibilities and operational procedures required to ensure that the company performs environmentally compliant, secure and traceable disposal of Information Technology (IT) equipment within Brazil.

The plan ensures alignment with the Brazilian National Solid Waste Policy (PNRS – Law 12.305/2010), its regulatory decree (Decree 10.936/2022), the General Data Protection Law (LGPD – Law 13.709/2018), state and municipal environmental requirements, corporate compliance policies, and applicable IT security standards.

It guarantees: (i) full environmental compliance in the treatment of electronic waste; (ii) secure and irreversible elimination of data stored on corporate devices; (iii) complete traceability from decommissioning to final destination; and (iv) availability of evidence for internal audits, external audits, ESG reporting and regulatory assessments.

2. Scope

This plan applies to all Brazilian business units, subsidiaries, branches, corporate offices, plants, administrative centers, warehouses, operational areas and any location where the company stores, uses, decommissions or disposes of IT assets.

The scope includes, but is not limited to:

• Laptops, desktops, workstations and thin clients;
• Monitors and general peripherals;
• Servers, storage systems, data-center components;
• Network equipment: switches, routers, firewalls, access points;
• Security appliances and telecommunications devices;
• Printers, scanners and multifunction machines;
• UPS units, stabilizers and electrical support equipment;
• Any data-bearing media (HDD, SSD, tapes, modules).

3. Legal and Regulatory Basis

This plan integrates the following mandatory Brazilian laws and corporate compliance requirements:

• PNRS – National Solid Waste Policy (Law 12.305/2010);
• Decree 10.936/2022 regulating the PNRS;
• Environmental regulations of states and municipalities where the company operates;
• LGPD – General Data Protection Law (Law 13.709/2018);
• Applicable transportation, occupational and hazardous-waste regulations;
• Corporate policies around compliance, internal controls and ESG;
• International standards referenced by corporate requirements (ISO 14001, ISO/IEC 27001, etc.).

4. General Principles

The disposal of IT equipment within Brazilian operations shall follow these principles:

• Legal Compliance: adherence to all applicable environmental and data-protection requirements;
• Data Security: elimination of corporate data through irreversible destruction or approved sanitization;
• Environmental Responsibility: routing IT waste to licensed processes and facilities;
• Traceability: documented and auditable custody from decommissioning to final destination;
• Transparency: availability of documentation to auditors, regulatory bodies and ESG reports;
• Operational Integrity: standardized processes managed by qualified teams and certified partners;
• Continuous Improvement: annual review of procedures, metrics and controls.

5. Roles and Responsibilities

5.1 Executive Management

• Approve the plan and ensure resources for implementation;
• Oversee compliance performance at corporate level.

5.2 Information Technology (IT)

• Execute logical decommissioning of IT assets;
• Identify sensitive data and classify hardware accordingly;
• Authorize and document releases for collection.

5.3 ESG / Environmental Management

• Manage environmental indicators related to electronic waste;
• Validate environmental documentation issued by Ecobraz.

5.4 Information Security

• Define minimum data-destruction requirements per device category;
• Review destruction certificates and evaluate risk mitigation.

5.5 Compliance & Legal

• Ensure adherence to PNRS, LGPD, contracts and corporate governance;
• Support responses to audits, clients, and regulatory demands.

5.6 Ecobraz – Specialized Technical Partner

• Perform on-site collection of obsolete IT assets;
• Ensure secure transport, receiving and custody registration;
• Carry out certified data destruction (physical or logical);
• Process equipment for recycling using licensed channels;
• Issue CDF (Final Destination Certificates) and destruction certificates;
• Provide complete inventories and quarterly consolidated reports;
• Maintain full PNRS and LGPD compliance throughout the process.

6. Standard Operating Flow

6.1 Inventory and Classification

• Identify assets eligible for disposal;
• Classify them by type, condition and data-sensitivity level;
• Register items in corporate asset-management systems.

6.2 Logical Decommissioning

• Remove credentials, agents, monitoring tools and production links;
• Document final system shutdown and retirement.

6.3 Release and Collection

• The business unit opens a formal pickup request;
• Ecobraz executes on-site collection, weighing, sealing and photography;
• A collection receipt is issued for corporate records.

6.4 Data Destruction

Performed according to data-sensitivity classification:

• Physical destruction of HDDs, SSDs, tapes and modules;
• Sanitization using approved secure-erasure methods when applicable;
• Ecobraz issues destruction certificates per batch.

6.5 Treatment and Recycling

• Disassembly of equipment into material categories;
• Segregation of recyclable fractions;
• Processing through environmentally licensed recyclers.

6.6 Final Documentation

Ecobraz shall provide:

• Final Destination Certificate (CDF) per batch or project;
• Certificates of data destruction for all data-bearing devices;
• Complete inventory of processed equipment;
• Quarterly consolidated reports for corporate governance and ESG.

7. Indicators and Metrics

• Total volume (kg/tonnes) of processed electronic waste;
• Recycling rate versus non-recyclable fractions;
• Number of destroyed data-bearing devices;
• CO₂-equivalent avoidance (when available);
• Average processing and clearance time per batch.

8. Audits and Governance

This plan shall undergo annual audits conducted by Internal Audit, Information Security, Compliance and ESG teams. Ecobraz must support audits by providing all required documentation, certificates, operational evidence and chain-of-custody information.

9. Document Storage Requirements

All documentation must be retained for a minimum of 5 years:

• Final Destination Certificates (CDF);
• Data-destruction certificates;
• Collection receipts and photographic evidence;
• Inventories and quarterly reports;
• Any regulatory or audit-related documentation.

10. Plan Review

This plan shall be reviewed annually or whenever:

• Relevant legal changes occur;
• Operational or technological changes require updates;
• New audit requirements emerge;
• Corporate governance demands revisions.

11. Conclusion

This Corporate IT Disposal and PNRS Compliance Plan provides a complete, legally aligned and audit-ready framework for end-of-life IT disposal within Brazil. With Ecobraz as the company’s specialized technical partner, the organization ensures environmental compliance, secure data destruction, operational traceability and strong governance in accordance with PNRS, LGPD and corporate standards.

More information: https://ecobraz.org