/Presentation


InternetLab was chosen by the Electronic Frontier Foundation – EFF (USA) to develop “Who Defends Your Data?” (“Quem Defende Seus Dados” – QDSD), the Brazilian version of “Who Has Your Back?”.

“Who Defends Your Data?” aims to promote transparency and best practices in privacy and data protection among companies providing Internet connections in Brazil. Every year, we review the methodology to incorporate legislative changes, innovations and controversies in case law, and updated best practices in the protection of privacy and personal data.

/About Us

InternetLab is an independent interdisciplinary research center that promotes academic debate and the production of knowledge in the areas of law and technology, especially in the field of the Internet. We are a non-profit entity that acts as a bridge between academics and representatives of the public, private and civil society sectors.

The Electronic Frontier Foundation – EFF is a non-governmental organization pioneering the defence of digital rights. The organization works with technologists, activists and lawyers to defend free speech online, fight illegal surveillance and advocate on behalf of users and innovation.

/Our Method

Companies evaluated

In its sixth edition, the project evaluated the following companies (regardless of whether they belong to the same economic group): Oi (broadband and mobile internet); Vivo (broadband and mobile internet); TIM (broadband and mobile internet); NET; Claro; Nextel; and Algar and Brisanet (broadband and mobile internet).

Applied methodology

Although inspired by the American project “Who Has Your Back?”, “Who Defends Your Data?” does not exactly reproduce its methodology. After all, the Brazilian legal and social reality is different from that of the USA.

Thus, we designed categories and evaluation parameters capable of measuring companies’ public commitment to the privacy of their users.

Each company was evaluated against the six categories set out below (and justified in the full report). The categories were drawn up taking into account the requirements of current legislation and international best practices in privacy protection.

For this assessment, we analyzed service provision contracts, sustainability reports, and the documents and information available on the companies’ websites up to June 21, 2021. We also searched for news that circulated in the press and in specialized media. With the preliminary results in hand, we contacted the companies and asked them to send us comments, criticisms or documents on the analysis method and the results obtained (August 2021). Finally, we spoke with the companies that replied and, based on their comments and input, adjusted their scores where applicable.

CATEGORY 1. Information on data protection policy

Does the company provide clear and complete information about its data protection practices? 

What were the evaluation parameters?

  • [Information on collection and purpose] The company provides clear and complete information on: (a) what data is collected; (b) in which situations the collection takes place; (c) the purpose for which and (d) the way in which it is used; and (e) what rights data subjects have over their data, together with suitable means (e.g. e-mail addresses or links) for exercising them.
  • [Information on storage, security and sharing] The company provides clear and complete information on how it protects personal data, i.e.: (a) how long and where it is stored; (b) when and whether it is deleted; (c) what security practices it observes; (d) who has access to the data; (e) with which third parties and (f) for what purposes the data is shared; (g) whether international data transfers may take place; and (h) the date on which the privacy policy was last updated.
  • [Responses to data access requests] The company processed and satisfied, within one month, data access requests made by data subjects who are members of InternetLab.
  • [Update of the privacy policy] The company promises to send notifications (e.g. by e-mail or SMS) to the user in the event of changes in its data processing practices.
  • [Accessibility] The company presents clear and complete information about privacy and data protection in an accessible way on its website (for example, in a “privacy portal” or similar), provided that such information is also available in the subscription contracts or applicable privacy policies.

Performance standards

The ISP meets 4 to 5 parameters.

The ISP meets 3 parameters.

The ISP meets 2 parameters.

The ISP meets only one of the parameters.

The ISP does not meet any of the parameters.

CATEGORY 2. Law enforcement guidelines

Does the company undertake to follow the interpretation of the law that is most protective of the right to privacy when personal data are requested by law enforcement agents, and does it have clear guidelines for these cases?

What were the evaluation parameters?

  • [Subscriber data: identified competent authorities] The company promises to provide subscriber data on request (without a court order) only to competent administrative authorities, and identifies those authorities. In all other cases, it requires a court order.
  • [Subscriber data: identified authorities and crimes] The company promises to provide subscriber data on request (without a court order) only to competent administrative authorities, identifying them, and only within the scope of investigations into the crimes referred to in Law 12,850/13, Law 9,613/98 and article 13-A of the Code of Criminal Procedure (CPP). In all other cases, it requires a court order.
  • [Geolocation data] The company (a) provides clear information on the circumstances in which it provides geolocation data, identifying whether it provides real-time or historical data; (b) promises to deliver the geolocation data of a victim or suspect only by court order, when necessary for the prevention and repression of crimes related to human trafficking; and (c) even in these cases, promises to deliver the data upon request from the competent authority only if there is no judicial decision within 12 (twelve) hours.
  • [Connection records] The company promises to provide connection records only by court order, strictly under the terms defined in the Marco Civil da Internet (art. 5, item VI).
  • [Specific guidelines] The company publishes a protocol for responding to requests from public authorities for the delivery of personal data.

Performance standards

The ISP meets 4 or 5 parameters.

The ISP meets 3 parameters.

The ISP meets 2 parameters.

The ISP meets only one parameter.

The ISP does not meet any of the parameters.

CATEGORY 3: Defence of users in the Judiciary

Has the company challenged administrative or judicial abusive requests for data, or legislation that it considers violating users’ privacy?

What were the evaluation parameters?

  • [Contestation of legislation] The company has legally challenged legislation, or an interpretation of legislation, that it considers to violate the privacy of Internet users, because it is disproportionate and/or because it does not establish, in a clear, precise and detailed way, the cases and circumstances in which data must be delivered or the appropriate safeguards against abuse.
  • [Contestation of abusive requests] The company contested, judicially or administratively, at least once within the analyzed period, abusive requests for access to user data that exceeded the legal prerogatives of the requesting authority and/or were disproportionate, because they lacked clarity and precision regarding the data requested and the grounds for the request, or for any other reason that compromises users’ right to privacy.

Performance standards

The ISP meets 2 parameters.

The ISP meets only one parameter.

The ISP does not meet any of the parameters.

CATEGORY 4: Public position in favor of privacy

Has the company publicly positioned itself in defense of privacy and data protection, strengthening the culture of protection of this right in Brazil? This category took into account the stance adopted by companies in relation to security incidents, as well as the measures the company advocated to mitigate cyber risks.

What were the evaluation parameters?

  • [Positioning in general] The company took a position in its own name, in public consultations, debates or in the media, specifically defending the approval of rules or the adoption of techniques that would increase the protection afforded to the users of its services.
  • [Positioning on security measures] The company took a stand in public consultations, debates or in the media (specialized or otherwise) in favor of techniques and practices that promote the security of its users’ data, providing concrete information on risk mitigation strategies and security incident prevention.

Performance standards

The ISP meets 2 parameters.

The ISP meets only one parameter.

The ISP does not meet any of the parameters.

CATEGORY 5: Transparency reports and Data Protection Impact Assessment

Does the company periodically publish transparency reports, in Portuguese and easily accessible, with basic information on data requests by public authorities? Does the company prepare and publish Data Protection Impact Assessments?

What were the evaluation parameters?

  • [Report publication] Publishes transparency reports in Portuguese on privacy and data protection.
  • [Report accessibility] It has a transparency report that is easily accessible to the general public.
  • [Periodicity of the report] Publishes a transparency report at least annually.
  • [Information on data access requests] Displays, in the transparency report, information on data access requests received, served and rejected.
  • [Data Protection Impact Assessment] Prepares and publishes Data Protection Impact Assessments.

Performance standards

The ISP meets all of the parameters.

The ISP meets 4 parameters.

The ISP meets 2 or 3 parameters.

The ISP meets only one parameter.

The ISP does not meet any of the parameters.

CATEGORY 6: User notification

Does the company notify users when it receives data requests?

What was the evaluation parameter?

  • [Notification] It promises to notify the user before the delivery of subscriber data and connection records, whenever the secrecy of the delivery is not imposed by law or determined in a court decision, or as soon as that notification is allowed.

Performance standards

The ISP meets the parameter.

The ISP does not meet the parameter.

/Our Sources

We consulted contracts and privacy policies available on the websites, press rooms and other official publications of the companies evaluated. Documents publicly accessible up to June 21, 2021 (the closing date of the preliminary phase) were considered.

Terms of use or privacy policies relating only to the use of the companies’ websites were not considered. In addition, because several lawsuits were reported to us by the companies with identifiers redacted, as they were processed under seal, it was not possible to list the case numbers of all lawsuits considered. Our receipt of such actions is, however, reported throughout the individual results of this report.


Claro/NET

Portal de Privacidade Claro

Código de Ética América Móvil

Sustainability Report 2020 América Móvil

Sumário e Termos e Condições de Uso do Plano de Serviço Claro Net Virtua e Oferta Promocional “Claro NET Virtua+”

Contrato de Prestação do Serviço Móvel Pessoal Pós-Pago

Contrato de Prestação do Serviço Móvel Pessoal Pré-Pago

Contrato de Prestação do Serviço de Comunicação Multimídia (SCM)

Vivo

Centro de Privacidade Vivo

Política Global de Privacidade Telefônica

Política Local de Privacidade Vivo

Política de Privacidade Telefônica

Relatório de Sustentabilidade 2020 Vivo

Informe de Transparencia en las Comunicaciones 2021 Telefônica

Informe Social 2020 Vivo

Contrato de adesão de prestação do serviço telefônico fixo comutado (STFC), do serviço de comunicação multimídia (SCM) e do serviço de acesso condicionado (tv por assinatura – SEAC)

TIM

Política de Privacidade, atualizada em 12/08/2020;

Contrato de Prestação de Serviços Live TIM (07/10/2020);

Contrato STCF Local – TIM FIXO RESIDENCIAL (28/08/2018);

Contrato de Prestação de Serviço SMP Corporativo LA (07/10/2020);

Contrato de prestação de serviço SMP Corporativo;

Contrato de Prestação do Serviço Móvel Pessoal Pós-Pago (07/10/2020);

Contrato de Prestação de Serviço Móvel Pessoal Pré-Pago (07/10/2020)

Portal de Privacidade;

Informativos de Privacidade;

Como é realizado o compartilhamento de dados pessoais em caso de investigação?

Relatório de Transparência 2020.

Oi

Cláusulas e Condições Contratuais Empresária. Empresarial Oi, versão 4.5.

Contrato de Serviço Móvel Pessoal (SMP), na modalidade pós-paga.

Contrato de prestação do Serviço Móvel Pessoal (SMP), pré-paga.

Contrato de Adesão ao Serviço de Acesso Banda Larga categoria não residencial;

Contrato de Adesão ao Serviço Velox Categoria Não residencial;

Contrato de Adesão Serviço IP Connect ;

Contrato de Adesão Serviço IP Connect Assimétrico;

Portal de Privacidade.

Aviso de privacidade. Atualizada em 15 de julho de 2021

Relatório de sustentabilidade 2020.

Programa Oi de Privacidade

Política de Privacidade. Atualizada em 20 de julho de 2020.

Algar

Termos de uso;

Segurança da Informação (17/05/2020);

Política de Privacidade (17/05/2020);

Governança de Dados (17/05/2020);

Relatório de Sustentabilidade de 2020;

Compartilhamento de Dados Pessoais com Autoridade;

Contrato de Prestação de Serviço Ultra Banda Larga;

Contrato de Prestação de Serviço Móvel Pessoal Pré-Pago;

Contrato de Prestação de Serviço Móvel Pessoal Pós-Pago;

Contrato de Prestação de Serviço Banda Larga Pré-pago;

Contrato de Prestação de Serviço Banda Larga Móvel; and

Contrato de Prestação de Serviço Banda Larga.

BRISANET

Política de Privacidade Brisanet

Centro de Privacidade da Brisanet

Contrato de Adesão ao Serviço Internet Móvel Pré-Pago

Cláusulas Gerais do Contrato de Prestação do Serviço Móvel Pessoal Pré-pago

Contrato de Adesão ao Serviço Internet Móvel Pré-Pago Brisanet

Cláusulas Gerais do Contrato de Prestação do Serviço Móvel Pessoal Pré-pago Brisanet

/Results


CLARO

CATEGORY 1: Information on data protection policy

Result:

In this category, Claro Móvel obtained a full star, having met parameters I, II, IV and V.

Claro complies with parameter I, providing clear and complete information on all sub-parameters.

Sub-parameter (a), referring to the collected data, was considered fulfilled. In its Privacy Portal, the company extensively lists the data collected (see excerpt below):

What personal data does Claro collect, and for what purposes are they used?

  • Registration data:
    – Which data: name, e-mail, address, telephone, CPF, RG, date of birth and gender.
    – Purposes: are important for some actions, such as filling out your service contract, issuing an invoice, and also communicating with you.
  • Navigation data and use of Claro products and services:
    – Which data: information about browsers and devices, including IP address, error reports, system activity, date, time and URL, data about calls and telephony including destination, duration and sending of SMS messages. In addition, information about calls made and received, sending SMS, data volume used and antennas that serve you.
    – Purposes: measure the quality of our services so that you can understand the bill, have your own control, and so that Claro can comply with the determinations provided for by our regulatory body and by law.

(…)

InternetLab also praises Claro’s practice of clarifying which data it collects from people who are not even its customers, as seen in its Privacy Portal:

If you contacted our Sales Center seeking to hire a product or service but interrupted the contract, your contact is registered and we can contact you to better understand how we can help.

Likewise, if you go to one of our sites and choose some products but leave the cart, we will remind you of that purchase intent to confirm that you are still interested.

We obtain information from companies with legitimate databases of adequate origin, in order to seek to bring new clients to Claro.

We have authorized agents, who sell Claro products and services and perform services as provided for in the regulations. They also prospect clients and are instructed to follow related good practices, including consulting the Do Not Disturb and Do Not Disturb me records.

Sub-parameter (b), referring to the situations in which collection takes place, was also considered fulfilled. Although there is no specific wording on this point, the sections cited above indirectly indicate the situations in which collection occurs (e.g. while browsing and using products, when filling out the service contract, etc.), and that information is enough to identify those situations.

Sub-parameter (c), referring to the purpose of data processing, was considered met. In the section indicated under sub-parameter (a) above, each type of data is followed by the purpose of its collection and processing. For example, registration data “are important for some actions, such as filling out your service contract, issuing an invoice and also for communicating with you”, payment data are “used only to charge for the services of telecommunications or other services that you have contracted through Claro”, and consumption profile data “are important for the formation of your credit profile by Claro and by partners that perform activities related to credit protection and fraud prevention”, among others.

Sub-parameter (d), referring to how the data is used, was considered fulfilled. In the excerpt quoted under sub-parameter (a) above, and by stating the purposes of collection as indicated under sub-parameter (c), Claro indirectly clarifies how the collected personal data is used. The company also states, at the beginning of its Privacy Portal:

Here, you can find out about the data treatments carried out by Claro at:

  • mobility services, such as prepaid, control and postpaid plans;
  • entertainment solutions such as NOW and TV (DTH and cable);
  • connectivity services, such as Vírtua broadband and Wi-Fi;
  • Claro Empresas and Embratel solutions.

Finally, sub-parameter (e), relating to information about data subjects’ rights and the means of exercising them, was also considered met. On the Privacy Portal, the section “What are your rights in relation to your personal data?” informs users of the data subject rights provided for in the General Data Protection Law (LGPD). The company also indicates, in each case, the means of exercising those rights, either through the Privacy Portal itself or by e-mail to Claro’s DPO.

Parameter II, referring to the provision of clear and complete information on the protection of personal data, was considered met on balance: sub-parameters (a), (c), (f) and (h) were met, sub-parameters (b), (e) and (g) were partially met, and sub-parameter (d) was not met.

Sub-parameter (a), referring to the time and place of data storage, was considered fulfilled. On its Privacy Portal, in the section “How long does Claro treat your data and where?”, Claro states the precise retention period for each type of data collected and the location of its storage. It is noteworthy that the company is categorical about the retention periods, presenting them as exact periods rather than maximums or minimums, and about the location, without resorting to vague claims of storage with third parties or on servers in undefined locations.

Claro treats your data for as long as the provision of its services lasts, but it also needs to keep your data after the end of your relationship with Claro to comply with the law, as in cases where it is necessary to provide data to public authorities or even defense in legal proceedings. Some examples of retention periods by Claro are:

  • three years – internet connection records, and it will not keep records of access to internet functionalities;
  • six months – records of access to internet functionalities in Claro’s own applications;
  • ten years – registration and billing data;
  • one year and three months – recording of the interaction between consumer and customer service agent;
  • six years – tax documents that include data on calls made and received, date and time, duration and value of the call.

Claro stores data securely and with strict access control. This data is stored on its servers in data centers located in the cities of São Paulo, Campinas and Rio de Janeiro. Claro also hires cloud storage, which is a common and secure market practice. This type of storage, by definition, can be carried out outside the national territory. Claro remains attentive to the ANPD guidelines, which will regulate this type of treatment in the future.

As for sub-parameter (b), referring to when and whether the data is deleted, it was considered partially met. From the excerpt quoted above it can be inferred that the data is deleted once the stated period has elapsed. However, it would be ideal if the company stated explicitly that the data is erased after these periods expire.

Sub-parameter (c), relating to the company’s security practices, was considered met. On the Privacy Portal, the company undertakes to follow security and control standards, without, however, specifying in that document which practices are adopted.

Claro uses:

technical security solutions and measures, aiming to preserve the inviolability of data compatible with international standards and good industry practices;

Appropriate security measures in countering the risk of accidental or illegal loss, alteration, disclosure or unauthorized access.

Despite the generic information on the Privacy Portal, the company gives more detail on the security practices adopted in the Sustainability Report 2020 (p. 92) of the América Móvil group. According to the report, the operation in Brazil runs a Security Operations Center certified under ISO 27001 (information security management systems).

Sub-parameter (d), referring to who has access to the data, was not considered met. We found no information about who has access to the data in any of the analyzed documents. The company limits itself to stating with whom the data is shared, a point evaluated under sub-parameter (e).

Sub-parameter (e), referring to the third parties with whom the data is shared, was considered partially fulfilled. The company states the following in the section “Who does Claro share data with?” of its Privacy Portal:

Claro is considered the controller of personal data, as well as each of the group’s companies. They are:

Claro S/A – provider of mobile telephony, fixed telephony, domestic long distance, cable pay television, fixed and mobile internet and value-added services;

Embratel TVSAT Telecomunicações – provider of pay television services using DTH technology;

Claro Nxt – provider of mobile telephony and national long-distance services.

In order to carry out all its activities, Claro needs to share your data with some third parties. After all, they are the ones who will provide services for you and must observe certain precautions, such as the security of your data. See who these third parties are:

Call Center Companies – Carrying out customer service and prospective customers.

Technical Service Companies – Installation and maintenance of Claro services, such as TV and Internet.

Companies that sell content via Claro – Marketing of third-party content on Claro’s sales channels and that need some information to activate content and subscriptions.

Credit and Collection Companies – Collection of outstanding invoices.

Credit Solutions Companies – Supply of inputs for the development of products aimed at analyzing and granting credit and anti-fraud solutions.

Authorized Agents – Sale of products and services with the Claro brand, which are often the gateway for customers.

Telesales Partners – Offering products and services to you, by calls or SMS, checking in advance if you asked not to be called.

Insurance Company – Propose mobile device insurance and share your data with the insurance company and the broker for insurance coverage purposes, and also with the third party for the purpose of collecting the premium on the invoice.

In addition, in its prepaid SMP Service Provision Agreement, it states:

15.6 All SUBSCRIBER registration information is confidential and can only be provided to: a) the SUBSCRIBER; b) the representative with a specific power of attorney; c) to the judicial authority; and d) to other Telecommunications Service Providers, for specific purposes to provide these services.

Even though the list is commendable, there is no detailed information about which companies, specifically, receive data from Claro, which is why the sub-parameter was considered partially met. In the engagement phase, the company clarified to us that such information can be requested by data subjects and provided directly to them; however, in the interest of maximum transparency, this report expects information on who receives data subjects’ data to be publicly available.

As for sub-parameter (f), relating to the purposes of sharing data with third parties, it was considered met, given that the purpose of each sharing is detailed in the excerpt from the Privacy Portal quoted above.

Sub-parameter (g), relating to international data transfer, was considered partially met. The company’s privacy policy states: “Claro also hires cloud storage, which is a common and secure market practice. This type of storage, by definition, can be carried out outside the national territory.” Even though it is commendable that Claro’s documents mention the possibility of international data transfer, the sub-parameter was considered only partially met, since there is no further specification as to which international entities receive such data.

Finally, sub-parameter (h), referring to the date of the last update of the privacy policy, was considered met. At the end of its Privacy Portal, the company indicates the date of its last update.

Parameter III, which assesses whether the company responded promptly to a data access request from an InternetLab member, was not considered met. On July 21, 2021, InternetLab tried, through Claro’s privacy portal, to obtain a copy of a data subject’s personal information. The data subject was informed by e-mail that an extract would be generated; however, the portal kept displaying an error message, which was still displayed approximately three months later, at the closing date of this report. We contacted the company asking for the problem to be corrected, without success. InternetLab praises the quality of Claro’s privacy rights portal, which is granular, simple and easy to access; however, the error messages prevented the parameter from being met.

Parameter IV, which assesses whether the company promises to send notifications to users when it updates its privacy policies, was considered met. Although the Privacy Portal does not provide information on this point, during the engagement phase Claro demonstrated that it communicates changes in its privacy policies to its customers through messages, notifications or e-mails. For clarity and greater transparency, InternetLab suggests that the company publicly commit to sending such notifications.

Finally, parameter V, referring to the accessibility of information about privacy and data protection, was considered met. At the bottom of the homepage of Claro’s website there is a link to the Privacy Policy. By following this link, the user is redirected to Claro’s Privacy Portal[1], which includes the “Privacy Policy”, the “Cookie Policy” and “Your Privacy Rights”. The information contained in the Privacy Portal is very clear and easily accessible to the customer.

In addition, the main information contained in the Privacy Policy is presented in Claro’s contracts, following changes made by the company during the engagement phase of this report. InternetLab praises the fact that the information is also contained in its contracts, an uncommon practice in the industry.

CATEGORY 2: Law enforcement guidelines

Result:

Claro obtained a full star in this category, having met parameters I to IV but not parameter V.

Parameter I, regarding the identification of the competent authorities that may request data, was considered fulfilled. In its Privacy Portal, the company describes the situations in which it shares data with the public sector:

Public Sector – Compliance with inspections by our regulatory agency — ANATEL — upon requests from competent administrative authorities, such as the Civil Police, Federal Police, Military Police, Legislative Police, in compliance with specific legislation*, State Public Ministry, Federal Public Ministry, Military Public Ministry.

In other situations, through compliance with court decisions.

*Law 12830 of June 20, 2013 (Law of Delegates); Law 12,850 of August 2, 2013 (Organized Crime Law); Law 12,683 of July 9, 2012 (Money Laundering); art. 269 of the Chamber’s Internal Regulations and Resolution 18 of the Chamber of Deputies of December 18, 2003.

On this point, it is also worth noting that the company’s contract for the provision of prepaid SMP services states:

“15.6 All SUBSCRIBER registration information is confidential and may only be provided to: a) the SUBSCRIBER; b) the representative with a specific power of attorney; c) to the judicial authority; and d) to other Telecommunications Service Providers, for specific purposes for the provision of these services.”

Parameter II, regarding the identification of the competent authorities and of the crimes under which a request may be made, was considered met. In the same excerpt from its Privacy Portal, the company points out the laws under which the listed authorities (Military Police, Legislative Police, etc.) may request data. In addition, it briefly mentions the crimes referred to in Article 13-A of the Code of Criminal Procedure in the excerpt relating to location data, transcribed below.

Parameter III, relating to information about geolocation data, was considered met. The company provides the information on its Privacy Portal, under “What personal data does Claro collect, and for what purposes are they used?”:

Location Data:

Which Data: geolocation data.

Purposes:

– creation of products and services not related to advertising, such as Claro Valida, explained below;

– measure and implement improvements in the quality of Claro services in your location and comply with the determinations provided for by the regulatory body and by legislation. When necessary for the prevention and repression of crimes related to human trafficking, we provide access to this data in response to court orders or, in the absence of a judicial manifestation within 12 (twelve) hours, upon request from the competent authorities.

Parameter IV, referring to the promise to provide connection records only by court order, strictly under the Marco Civil, was considered met. On Claro’s Privacy Portal, connection records are defined, and it is promised that they will only be delivered upon court order:

Internet Connection Records:

Which Data: information regarding the date and time of the start and end of an internet connection, its duration and the IP address used by the terminal to send and receive data packets.

Purposes: Compliance with regulatory obligations provided in Law 13.965/14, the Marco Civil da Internet (MCI). Requests for access to connection records are only granted under the Marco Civil da Internet (MCI) terms, always by court order.

Finally, parameter V, relating to the existence of specific protocols for delivering data to the state, was not considered met. No mention of the topic was found in the Claro documents analyzed for this report.

CATEGORY 3: Defense of users in the Judiciary

Result:

In this category, Claro Móvel got a full star, as it met both parameters.

Parameter I, related to defense against legislation, was considered met. In the engagement phase with companies, Claro presented some actions in this regard. For example, it cited a motion filed jointly with other telephone operators concerning State Law No. 20.089/2019 of Paraná, which established, for telephone operators, the obligation of unrestricted disclosure of users’ access codes on calls (Ordinary Action 0001787-36.2020.8.16.0004).

Finally, parameter II was also considered met. In the engagement phase with companies, Claro presented to InternetLab, with sensitive information redacted, some responses to administrative letters in which it refused to provide personal data to public authorities. For example, it refused to provide data to the Federal Comptroller General, claiming that “providing non-sensitive registration data of a person without prior judicial authorization would violate the Constitution and the infra-constitutional law, regardless of the various laws mentioned in the letter”.

Actions considered in previous editions of Who Defends Your Data, such as Public Civil Action No. 0005292-42.2003.4.03.6110, which questions, among other things, the delivery of logical port data to police authorities, and the Direct Action of Unconstitutionality (ADI) 5642[2], filed by ACEL, were not considered, as they showed no procedural activity in the period.

CATEGORY 4: Pro-privacy public stance

Result:

In this category, Claro Móvel got a full star, as it met both parameters.

The parameter I on the overall positioning of the company was considered met. On some occasions throughout the year, Internet access providers had the opportunity to express their opinion on public policies and bills that affect users’ privacy.

During the engagement phase, the company provided us with some situations in which it publicly took a position in privacy debates. In one of them, in its contribution to the National Data Protection Authority’s call for input on the regulation of data processing by micro-enterprises, it argued that the rights of data subjects should not be relaxed, seeking to “prevent potentially abusive practices and protect the rights of consumers”.

Even though the parameter was considered met given the statement above, two situations should be highlighted in which the company’s position was, in the view of InternetLab, harmful to data subjects’ privacy. First, in the public consultation on the Brazilian strategy for artificial intelligence, the company argued that the legislation would not need to be updated for artificial intelligence, understanding that the LGPD would already be enough to face the challenges of this technology. That position does not discuss how users’ privacy could be protected when personal data is processed by AI algorithms, which present specific challenges such as the possibility of inferring personal information from other information and the tendency to produce biased or discriminatory results, among others. Second, in its contribution to the call for input on regulating the duty to communicate security incidents, the company argued, through Brasscom, that only incidents with the potential to generate risks or damages to the data subject should be notified to the national authority, against expanding its duty of public transparency. One of the objectives of this report is to encourage transparency and the regulation of data processing practices (such as artificial intelligence) in a protective and specific manner. Thus, these positions of the company and of the sector, through Brasscom, must be publicly opposed here.

Parameter II, on the company’s position on security measures, was considered met. Throughout 2020 and early 2021, Internet access providers had the opportunity to express their views on policies and practices that promote the security of their users’ data, such as: Public Consultation No. 24 by Anatel, on the reassessment of the structure and internal regulations of the Brazilian Communications Commissions – CBC, whose art. 2, IV provides for the Commission’s actions on Political Aspects related to Cyber Security and Artificial Intelligence; the Cyber Security regulation for the Telecom sector, approved by Anatel in 2020; Anatel’s proposal to create a cyber security cooperation group; among others.

In Anatel’s Public Consultation to discuss the proposed minimum cyber security requirements, the company defended a “more incisive action by the Agency in the inspection of equipment sold in retail” to achieve “the desired security, since part of the incidents result from the low level of safety of the equipment”.

However, it is noteworthy that Claro suffered an alleged cyber attack in 2020, and it was even notified by Procon.

In general, however, the company gave generic responses to the case, stating, for example, that “it invests heavily in security policies and procedures and maintains constant monitoring, adopting measures, in accordance with best practices, to identify fraud and protect its customers”[7]. No more robust explanation of the case was given, nor were specific standards or techniques put forward that could address the allegations. The company’s response was considered overly generic. However, in this edition of the report, responses relating to such leaks were not considered for scoring purposes.

CATEGORY 5: Transparency and Data Protection Impact Reports

Result:

Claro obtained a quarter of a star in this category, as it partially met parameters I and IV.

On the publication of a transparency report on privacy and data protection, parameter I was considered partially met. During the engagement phase, the company showed us that its “Social Report”, published by Instituto Claro, presented, for the first time in 2021, statistics regarding requests for access to data made by the data subjects themselves. However, there is no more granular information on the subject, nor information on requests for access to data made by public authorities.

Parameters II and III, relating to the accessibility and frequency of the Transparency Report, were not met. América Móvil publishes a Sustainability Report every two years, in English and Spanish. The document presents some information about privacy and data protection, but it does not publish request statistics. In addition, the aforementioned Instituto Claro report is not easily accessible on the Claro website and only presented information on data protection in 2021.

Parameter IV, on information about requests for access to data, was considered partially met. Because there is information about access requests made by data subjects, the parameter was deemed partially met; information on requests made by public authorities, however, is not available.

Parameter V, on the publication of Data Protection Impact Reports, was also not considered met. No documents in this regard were found in our searches.

CATEGORY 6: User notification

Result:

Claro did not get a star, as there is no mention of the possibility of user notification in any of the analyzed documents.

NET

CATEGORY 1: Information on data protection policy

Result:

In this category, NET obtained a full star, having met parameters I, II, IV and V.

Claro complies with parameter I, providing clear and complete information on all sub-parameters.

Sub-parameter (a), referring to the collected data, was considered fulfilled. In its Privacy Portal, the company extensively lists the data collected (see excerpt below):

What personal data does Claro collect, and for what purposes are they used?

  • Registration data:
    – Which Data: name, e-mail, address, telephone, CPF, RG, date of birth and gender.
    – Purposes: are important for some actions, such as filling out your service contract, issuing an invoice, and also communicating with you.
  • Navigation Data and Use of Claro Products and Services:
    – What Data: information about browsers and devices, including IP address, error reports, system activity, date, time and URL, data about calls and telephony including destination, duration and sending of SMS messages. In addition, information about calls made and received, sending SMS, data volume used and antennas that serve you.
    – Purposes: measure the quality of our services so that you can understand the bill, have your own control, and so that Claro can comply with the determinations provided for by our regulatory body and by law.

(…)

InternetLab also praises Claro’s conduct of clarifying which data it collects from people who are not even its customers, as seen in its Privacy Portal:

If you contacted our Sales Center seeking to hire a product or service but interrupted the contract, your contact is registered and we can contact you to better understand how we can help.

Likewise, if you go to one of our sites and choose some products but leave the cart, we will remind you of that purchase intent to confirm that you are still interested.

We obtain information from companies with legitimate databases of adequate origin, in order to seek to bring new clients to Claro.

We have authorized agents, who sell Claro products and services and perform services as provided for in the regulations. They also prospect clients and are instructed to follow related good practices, including consulting the Do Not Disturb and Do Not Disturb me records.

The sub-parameter (b), referring to the situations in which the collection takes place, was also considered fulfilled. This is because, even if there is no specific wording in this regard, in the same sections mentioned above, the situations in which the collection takes place are indirectly informed (e.g., in navigation and use of products, in filling out the service contract, etc.). It should be noted that such information is capable of detailing the situations in which the collection takes place.

Sub-parameter (c), referring to the purpose of data processing, was considered met. In the same section indicated in sub-parameter (a) above, each type of data is followed by the purpose of its collection and processing. For example, registration data “are important for some actions, such as filling out your service contract, issuing an invoice and also for communicating with you”, payment data are “used only to charge for the services of telecommunications or other services that you have contracted through Claro”, and consumption profile data “are important for the formation of your credit profile by Claro and by partners that perform activities related to credit protection and fraud prevention”, among others.

Sub-parameter (d), referring to how the data is used, was considered fulfilled. In the same excerpt copied under sub-parameter (a) above, and by pointing out the purposes of collection as indicated in sub-parameter (c) above, Claro indirectly clarifies the use of the collected personal data. It also states, at the beginning of its Privacy Portal:

Here, you can find out about the data treatments carried out by Claro at:

  • mobility services, such as prepaid, control and postpaid plans;
  • entertainment solutions such as NOW and TV (DTH and cable);
  • connectivity services, such as Vírtua broadband and Wi-Fi;
  • Claro Empresas and Embratel solutions.

Finally, sub-parameter (e), relating to information about the rights of holders and means to exercise these rights, was also considered met. On the Privacy Portal, there is the section “What are your rights in relation to your personal data?”, in which the company informs about the existence of the holder’s rights provided for in the General Data Protection Law. The company also informs, in each case, the means for exercising these rights – either through the Privacy Portal itself or by email to Claro’s DPO.

Regarding parameter II, referring to the provision of clear and complete information on the protection of personal data, it was considered met on balance, as sub-parameters (a), (c), (f) and (h) were met, while sub-parameters (b), (e) and (g) were considered partially met.

Sub-parameter (a), referring to the time and place of data storage, was considered fulfilled. On its Privacy Portal, in the section “How long does Claro treat your data and where?”, Claro informs the precise storage terms for each type of data collected and the location of its storage. It is noteworthy that the company is categorical about the storage terms, presenting them as exact terms (neither maximum nor minimum), and also about the location, rather than claiming storage by third parties or on servers in undefined locations.

Claro treats your data for as long as the provision of its services lasts, but it also needs to keep your data after the end of your relationship with Claro to comply with the law, as in cases where it is necessary to provide data to public authorities or even defense in legal proceedings. Some examples of retention periods by Claro are:

  • three years – internet connection records, and it will not keep records of access to internet functionalities;
  • six months – records of access to internet functionalities in Claro’s own applications;
  • ten years – registration and billing data;
  • one year and three months – recording of the interaction between consumer and customer service agent;
  • six years – tax documents that include data on calls made and received, date and time, duration and value of the call.

Claro stores data securely and with strict access control. This data is stored on its servers in data centers located in the cities of São Paulo, Campinas and Rio de Janeiro. Claro also hires cloud storage, which is a common and secure market practice. This type of storage, by definition, can be carried out outside the national territory. Claro remains attentive to the ANPD guidelines, which will regulate this type of treatment in the future.

As for sub-parameter (b), referring to when/if the data are deleted, it was considered that it was partially met. This is because, in the same excerpt mentioned above, it is inferred that the data is deleted after the specified period has elapsed. However, it would be ideal if the company explicitly pointed out that the data is erased after these deadlines have elapsed.

Sub-parameter (c), relating to the company’s security practices, was considered met. On the Privacy Portal, the company undertakes to follow security and control standards, without specifying in this document, however, which practices are adopted.

Claro uses:

  • technical security solutions and measures, aiming to preserve the inviolability of data, compatible with international standards and good industry practices;
  • appropriate security measures in countering the risk of accidental or illegal loss, alteration, disclosure or unauthorized access.

Despite the generic information on the Privacy Portal, the company presents more details on the security practices adopted in the 2020 Sustainability Report (p. 92) of the América Móvil group. According to the report, the system adopted in Brazil is a Security Operation Center with ISO 27001 Security Management Systems certification.

Sub-parameter (d), referring to who has access to the data, was not considered met. We found no information about who has access to the data in any of the analyzed documents. The company limits itself to informing with whom the data is shared, a point that is evaluated under sub-parameter (e).

Sub-parameter (e), referring to the third parties with whom the data is shared, was considered partially fulfilled. The company informs the following in the section “Who does Claro share data with?” of its Privacy Portal:

Claro is considered the controller of personal data, as well as each of the group’s companies. They are:

Claro S/A – provider of mobile telephony, fixed telephony, domestic long distance, cable pay television, fixed and mobile internet and value-added services;

Embratel TVSAT Telecomunicações – provider of pay television services using DTH technology;

Claro Nxt – provider of mobile telephony and national long-distance services.

In order to carry out all its activities, Claro needs to share your data with some third parties. After all, they are the ones who will provide services for you and must observe certain precautions, such as the security of your data. See who these third parties are:

Call Center Companies – Carrying out customer service and prospective customers.

Technical Service Companies – Installation and maintenance of Claro services, such as TV and Internet.

Companies that sell content via Claro – Marketing of third-party content on Claro’s sales channels and that need some information to activate content and subscriptions.

Credit and Collection Companies – Collection of outstanding invoices.

Credit Solutions Companies – Supply of inputs for the development of products aimed at analyzing and granting credit and anti-fraud solutions.

Authorized Agents – Sale of products and services with the Claro brand, which are often the gateway for customers.

Telesales Partners – Offering products and services to you, by calls or SMS, checking in advance if you asked not to be called.

Insurance Company – Propose mobile device insurance and share your data with the insurance company and the broker for insurance coverage purposes, and also with the third party for the purpose of collecting the premium on the invoice.

In addition, in its prepaid SMP Service Provision Agreement, it states:

15.6 All SUBSCRIBER registration information is confidential and can only be provided to: a) the SUBSCRIBER; b) the representative with a specific power of attorney; c) to the judicial authority; and d) to other Telecommunications Service Providers, for specific purposes to provide these services.

Even though the list is commendable, there is no detailed information about which companies, specifically, receive data from Claro, which is why the sub-parameter was considered partially met. In the engagement phase, the company clarified to us that such information can be requested by data subjects and provided directly to them; however, in the interest of maximum transparency, this report expects information on who receives data subjects’ data to be publicly available.

As for sub-parameter (f), relating to the purposes of sharing data with third parties, it was considered that it was met, given the details of each sharing, according to an excerpt from the Privacy Portal mentioned above.

Sub-parameter (g), related to international data transfer, was considered partially met. The company’s privacy policy states: “Claro also hires cloud storage, which is a common and secure market practice. This type of storage, by definition, can be carried out outside the national territory.” Even though it is commendable that there is mention of the hypothesis of international data transfer in Claro’s documents, the parameter was considered partially met, since there is no further specification as to which international entities receive such data.

Finally, sub-parameter (h), referring to the date of the last update of the privacy policy, was considered met. At the end of its Privacy Portal, the company indicates the date of its last update.

Parameter III, which assesses whether the company responded promptly to a data access request made by an InternetLab member, was not considered met. On 07/21/2021, InternetLab tried, through Claro’s privacy portal, to obtain a copy of a data subject’s personal information. The data subject was informed by email that an extract would be generated; however, the portal continued to display an error message, which persisted for approximately three months, until the closing date of this report. Contact with the company was attempted, requesting correction of the situation, without success. InternetLab praises the quality of Claro’s privacy rights portal, which is granular, simple, and easy to access. However, the error messages prevented the parameter from being met.

Parameter IV, which assesses whether the company promises to notify users when it updates its privacy policies, was considered met. Even though its Privacy Portal provides no information in this regard, during the engagement phase Claro demonstrated that it communicates changes in its privacy policies to its customers through messages, notifications or emails. For greater clarity and transparency, InternetLab suggests that the company publicly promise to send such notifications.

Finally, parameter V, referring to the accessibility of information about privacy and data protection, was considered met. At the bottom of the homepage of Claro’s website, there is a link to the Privacy Policy. By accessing this link, the user is redirected to Claro’s Privacy Portal[1], which includes the “Privacy Policy”, the “Cookie Policy” and “Your Privacy Rights”. The information contained in the Privacy Portal is very clear and easily accessible to the customer.

In addition, the main information contained in the Privacy Policy is presented in Claro’s contracts, according to changes made by the company during the engagement phase of this report. InternetLab praises the fact that the information is also contained in its contracts, an uncommon practice in the industry.

CATEGORY 2: Data delivery protocols for investigations

Result:

Claro obtained a full star in this category, having fulfilled parameters I to IV and not fulfilling parameter V.

The parameter I, regarding the identification of competent authorities to request data, was considered fulfilled. In its Privacy Portal, the company informs about the situations in which it shares data with the Public Sector:

Public Sector – Compliance with inspections by our regulatory agency — ANATEL — upon requests from competent administrative authorities, such as the Civil Police, Federal Police, Military Police, Legislative Police, in compliance with specific legislation*, State Public Ministry, Federal Public Ministry, Military Public Ministry.

In other situations, through compliance with court decisions.

*Law 12,830 of June 20, 2013 (Law of Delegates); Law 12,850 of August 2, 2013 (Organized Crime Law); Law 12,683 of July 9, 2012 (Money Laundering); art. 269 of the Chamber’s Internal Regulations and Resolution 18 of the Chamber of Deputies of December 18, 2003.

Also, in this aspect, it is worth noting that the company clarifies:

Contract for the provision of prepaid SMP services:

“15.6 All SUBSCRIBER registration information is confidential and may only be provided to: a) the SUBSCRIBER; b) the representative with a specific power of attorney; c) to the judicial authority; and d) to other Telecommunications Service Providers, for specific purposes for the provision of these services.”

Regarding the identification of the competent authorities and of the crimes under which a request occurs, parameter II was considered met. In the same excerpt from its Privacy Portal above, the company points out the laws under which the listed authorities (Military Police, Legislative Police, etc.) may request data. In addition, in the excerpt relating to location data transcribed below, it briefly mentions the crimes listed in Article 13-A of the Code of Criminal Procedure.

Parameter III, related to offering information about geolocation data, was considered met. The company provides this information on its Privacy Portal, in the section “What personal data Claro collects and for what purposes they are used”:

Location Data:

Which Data: geolocation data.

Purposes:

– creation of products and services not related to advertising, such as Claro Valida, explained below;

– measure and implement improvements in the quality of Claro services in your location and comply with the determinations provided for by the regulatory body and by legislation. When necessary for the prevention and repression of crimes related to human trafficking, we provide access to this data in response to court orders or, in the absence of a judicial manifestation within 12 (twelve) hours, upon request from the competent authorities.

Parameter IV, referring to the promise to provide connection records only by court order, strictly under the Marco Civil, was considered met. On Claro’s Privacy Portal, connection records are defined, and it is promised that they will only be delivered upon court order:

Internet Connection Records:

Which Data: information regarding the date and time of the start and end of an internet connection, its duration and the IP address used by the terminal to send and receive data packets.

Purposes: Compliance with regulatory obligations provided in Law 13.965/14, the Marco Civil da Internet (MCI). Requests for access to connection records are only granted under the Marco Civil da Internet (MCI) terms, always by court order.

Finally, parameter V, relating to the existence of specific protocols for delivering data to the state, was not considered met. No mention of the topic was found in the Claro documents analyzed for this report.

CATEGORY 3: Defense of users in the Judiciary

Result:

In this category, Claro Móvel got a full star, as it met both parameters.

Parameter I, related to defense against legislation, was considered met. In the engagement phase with companies, Claro presented some actions in this regard. For example, it cited a motion filed jointly with other telephone operators concerning State Law No. 20.089/2019 of Paraná, which established, for telephone operators, the obligation of unrestricted disclosure of users’ access codes on calls (Ordinary Action 0001787-36.2020.8.16.0004).

Finally, parameter II was also considered met. In the engagement phase with companies, Claro presented to InternetLab, with sensitive information redacted, some responses to administrative letters in which it refused to provide personal data to public authorities. For example, it refused to provide data to the Federal Comptroller General, claiming that “providing non-sensitive registration data of a person without prior judicial authorization would violate the Constitution and the infra-constitutional law, regardless of the various laws mentioned in the letter”.

Actions considered in previous editions of Who Defends Your Data, such as Public Civil Action No. 0005292-42.2003.4.03.6110, which questions, among other things, the delivery of logical port data to police authorities, and the Direct Action of Unconstitutionality (ADI) 5642[2], filed by ACEL, were not considered, as they showed no procedural activity in the period.

CATEGORY 4: Pro-privacy public stance

Result:

In this category, Claro Móvel got a full star, as it met both parameters.

The parameter I on the overall positioning of the company was considered met. On some occasions throughout the year, Internet access providers had the opportunity to express their opinion on public policies and bills that affect users’ privacy.

During the engagement phase, the company provided us with some situations in which it publicly took a position in privacy debates. In one of them, in its contribution to the National Data Protection Authority’s call for input on the regulation of data processing by micro-enterprises, it argued that the rights of data subjects should not be relaxed, seeking to “prevent potentially abusive practices and protect the rights of consumers”.

Even though the parameter was considered met given the statement above, two situations should be highlighted in which the company’s position was, in the view of InternetLab, harmful to data subjects’ privacy. First, in the public consultation on the Brazilian strategy for artificial intelligence, the company argued that the legislation would not need to be updated for artificial intelligence, understanding that the LGPD would already be enough to face the challenges of this technology. That position does not discuss how users’ privacy could be protected when personal data is processed by AI algorithms, which present specific challenges such as the possibility of inferring personal information from other information and the tendency to produce biased or discriminatory results, among others. Second, in its contribution to the call for input on regulating the duty to communicate security incidents, the company argued, through Brasscom, that only incidents with the potential to generate risks or damages to the data subject should be notified to the national authority, against expanding its duty of public transparency. One of the objectives of this report is to encourage transparency and the regulation of data processing practices (such as artificial intelligence) in a protective and specific manner. Thus, these positions of the company and of the sector, through Brasscom, must be publicly opposed here.

Parameter II, on the company’s position on security measures, was considered met. Throughout 2020 and early 2021, Internet access providers had the opportunity to express their views on policies and practices that promote the security of their users’ data, such as: Public Consultation No. 24 by Anatel, on the reassessment of the structure and internal regulations of the Brazilian Communications Commissions – CBC, whose art. 2, IV provides for the Commission’s actions on Political Aspects related to Cyber Security and Artificial Intelligence[3]; the Cyber Security regulation for the Telecom sector, approved by Anatel in 2020[4]; Anatel’s proposal to create a cyber security cooperation group[5]; among others.

In Anatel’s Public Consultation to discuss the proposed minimum cyber security requirements, the company defended a “more incisive action by the Agency in the inspection of equipment sold in retail” to achieve “the desired security, since part of the incidents result from the low level of safety of the equipment”.

However, it is noteworthy that Claro suffered an alleged cyber attack in 2020, and it was even notified by Procon[6].

In general, however, the company gave generic responses to the case, stating, for example, that “it invests heavily in security policies and procedures and maintains constant monitoring, adopting measures, in accordance with best practices, to identify fraud and protect its customers”[7]. No more robust explanation of the case was given, nor were specific standards or techniques put forward that could address the allegations. The company’s response was considered overly generic. However, in this edition of the report, responses relating to such leaks were not considered for scoring purposes.

CATEGORY 5: Transparency and Data Protection Impact Reports

Result:

Claro obtained a quarter of a star in this category, as it partially met parameters I and IV.

On the publication of a transparency report on privacy and data protection, parameter I was considered partially met. During the engagement phase, the company showed us that its “Social Report”, published by Instituto Claro, presented, for the first time in 2021, statistics regarding requests for access to data made by the data subjects themselves. However, there is no more granular information on the subject, nor information on requests for access to data made by public authorities.

Parameters II and III, relating to the accessibility and frequency of the transparency report, were not met. América Móvil publishes a Sustainability Report every two years, in English and Spanish. The document presents some information about privacy and data protection, but it does not publish request statistics. In addition, the aforementioned Instituto Claro report is not easily accessible on the Claro website and only presented information on data protection in 2021.

Parameter IV, on information about requests for access to data, was considered partially met. Since information about access requests made by data subjects is available, the parameter could be considered partially met; information on requests made by public authorities, however, is not available.

Parameter V, on the publication of Data Protection Impact Reports, was also not considered met. No documents in this regard were found in our searches.

 

CATEGORY 6: User notification

Result:

Claro did not get a star, as there is no mention of the possibility of user notification in any of the analyzed documents.

 

OI (BROADBAND)

CATEGORY 1: Information on data protection policy

Result:

In this category, Oi Banda Larga obtained a full star, as it fully complied with parameters I, III and V and partially complied with parameter II.

We emphasize, however, that parameter III, relating to requests for access to data made by members of InternetLab to the company, has not yet been evaluated, as the aforementioned request has not yet been made. The results obtained with that request may improve the company’s final grade in this category.

Oi Broadband met parameter I, as it met all sub-parameters.

Sub-parameter (a), referring to the data collected, was considered fulfilled. In its Privacy Notice, the company informs:

HOW DOES OI COLLECT PERSONAL DATA?

Directly with you, for example, when purchasing services and products or during our selection processes;

Automatically when, for example, you browse our websites or applications.

Through a partner, if, for example, you already have a bond with the third party.

In its Privacy Notice, the company informs and exemplifies the categories of personal data collected:

PERSONAL DATA CATEGORY

REGISTRATION AND CONTRACT DATA: Name, CPF number, RG number, passport number, parentage, address (physical or e-mail), mobile and residential telephone number, ICCID number (SIM card), date of birth, nationality and profession.

FINANCIAL DATA: Invoice information, such as history, payment dates, outstanding amounts or payments received, credit or debit card information, bank account, among others.

LOCATION AND TRAFFIC DATA: Approximate location data, when you have activated the location functionality of the Global Positioning System (GPS) or collected by ERB antennas (Radio Base Stations), telephone number of outgoing or incoming calls, as well as their respective duration, telephone number related to sending and receiving SMS, use and quantity of packages or data connection, Wi-Fi browsing, consumption profile information.

NAVIGATION DATA ON OI SITES AND APPLICATIONS: Device and navigation data (model, date, time, IP) and cookies.

In its Privacy Policy, the company provides exhaustive information on registration and contract data, financial information, location data, data on the use of the website and applications, customer service, traffic and statistical data collected.

Sub-parameter (b), referring to the situations in which the collection takes place, was also considered fulfilled. This is because the “How does Oi collect personal data?” section of the Privacy Notice (see excerpt above) states that data is collected when services and products are purchased and in selection processes; automatically when the data subject browses the company’s websites or applications; or through partners. The Privacy Policy specifies the collection of data on the use of contracted products and services, call history, customer service data, recharge transactions, among others. It was considered that this information is capable of detailing the situations in which the collection takes place.

Sub-parameter (c), referring to the purpose of processing, was considered fulfilled. In the section “For what purposes does Oi collect personal data?”, the company lists four purposes:

Provision of Services : If you are one of our customers, as a subscriber to our fiber, we will need to collect your registration, location, financial data, among others, in order to formalize the service provision contract and process payments.

Selection Process : If you want to work with us, we will have to collect professional information, such as educational background, profession, among others, to assess whether your profile is compatible with the position.

Partners : Now, if you are one of our partners, we need to collect registration data from individuals who will work in our facilities, for access control, thus ensuring the security of everyone involved in the operation.

Cookies: In addition, as Oi seeks to increasingly improve its products and services, we may use navigation data and data from technological assets, such as cookies, on our websites to improve the performance of web pages.

In the Privacy Policy, this information is broken down in a table that specifies the purpose of the processing, which data is processed and the legal basis for it.

In the same document, the company also details the legal bases for the processing of data:

The legal bases for data processing

Oi may process your personal data based on the following legal bases:

– For the correct execution of the contract or provision of the contracted service, or even for any necessary preliminary procedures, and also to meet your eventual requests.

– To fulfill a legal or regulatory obligation.

– In meeting its legitimate interest or the interest of the Oi Group, including, but not limited to, the support and promotion of its activities and the protection, in relation to the holders, of the regular exercise of their rights or provision of services that benefit them somehow.

– By providing your consent, through a free, informed and unambiguous manifestation, for a specific purpose.

– For fraud prevention and security measures.

– For the regular exercise of rights in the context of judicial or administrative proceedings.

– For shared use of data with the Public Administration, for the processing necessary for the execution of public policies provided for in laws and regulations or supported by contracts, agreements or similar instruments.

The company details in an exhaustive way what data is processed, as well as its purposes and legal basis specifically for each type of data processing. We consider the way in which the company specifies such information to be positive and, therefore, the sub-parameter was considered met.

Sub-parameter (d), referring to how the data is used, was considered fulfilled. In the “Learn more” section of the Privacy Notice, the company explains how it uses personal data on Oi’s portals and applications:

At Minha Oi, you can view contracted products, monitor consumption, find out about your current offer, recharge and even have access to other Oi services. To make all this possible, we use personal data. For example:

  • In order to display information about your offer, we need to have access to your personal data, such as your phone number, as well as location and traffic data.
  • If you want to buy packages, change your offer or contract other services, we will need your registration data, location and traffic data, as well as financial data, to process payments.
  • Now, if you need technical support, we can use registration data, location and traffic data, as well as navigation data and technological assets, depending on your need.
  • In addition, we may use registration data, location and traffic data to offer new products and measure the quality of our services.

Virtual Technician

Through the Virtual Technician, we offer solutions to problems with broadband internet or fiber, satellite TV or landline. For this reason, we use personal data, such as registration data, location and traffic data, as well as navigation data and technological asset data, in order to enable the provision of the service.

Oi Play

It’s Oi’s streaming service for you to have access to movies, series and television channels in one place. On this platform, we can use personal data in different ways, such as:

In order to contract the service, we collect registration, location and financial data, among others, in order to formalize the service provision contract and process payments.

In order for you to access the content of channels and platforms, we may need to authenticate your identity, sharing some personal data, such as CPF, with the partner platform.

We may also use navigation data and data from technological assets, such as cookies, in order to improve the performance of our portal and correct any errors.

In the section “Legal bases for data processing” of the Privacy Policy (see excerpt above), the company details how the data is used, specifying that it is used “for the correct execution of the contract or provision of the contracted service”, “for the regular exercise of rights in the context of judicial or administrative proceedings”, “for the sharing of data with the Public Administration”, etc. It was considered that this information is capable of detailing the way in which personal data is used.

Finally, sub-parameter (e), relating to information about the rights of data subjects and the means to exercise those rights, was considered met. On its Privacy Portal, in the section “Rights of holders”, the company provides an e-mail address for exercising the rights provided for in the LGPD. Oi provides a specific channel for the data subject, for the representative of a data subject, and for employees or former employees.

Rights of holders

Now, if you want to exercise any of the rights provided for in the LGPD, download the XLSX file through one of the links below and send it to the e-mail

PP-PrivacidadeDireitoTitular@oi.net.br

In the section “What are my rights?” the company only states generically that “the General Law for the Protection of Personal Data establishes that you, as the owner of personal data (owner of your own information), have a series of rights, such as access to data that we have about you, correction of outdated information, among others”. In the forms for exercising the rights of the data subject, the company specifies and defines the rights listed in the law.

In its Privacy Policy, in the section “What are your rights?”, the company lists the rights over personal data provided for in the General Data Protection Law (right of access and confirmation of processing, correction, deletion, objection, portability, anonymization, request for information and the right to give or withdraw consent) and provides an e-mail address for exercising these rights. In addition, the company states that, in order to meet certain legal requirements, it cannot delete or anonymize data that “are inherent to the provision of the service by Oi”, unless there is a court order to do so.

Parameter II, on the supply of clear and comprehensive information on the protection of personal data, was considered partially met, because the company met sub-parameters (c), (e), (f) and (h) and partially met sub-parameter (g).

Sub-parameter (a), referring to the storage period and storage location of the data, was not considered fulfilled. As for the storage period, in the section “How long is my data stored by Oi?” of the Privacy Notice, the company states that it keeps the data for the period necessary to fulfill the purpose and that it stores the data in accordance with legal regulations. However, the company does not specify which data this refers to or which legislation applies. This information was considered insufficient, since the company does not establish minimum or maximum periods for which it stores its customers’ data.

HOW LONG IS MY DATA STORED BY OI?

Your data will only remain with us for the period necessary to fulfill some purpose, such as, for example, to provide our services, comply with a legal/regulatory obligation, or to help us improve our products. In any case, we will store your data in accordance with the law, in a secure and transparent manner and for a limited time.

In the “Retention and termination of the processing of personal data” section of the Privacy Policy, the company only states that the data may be kept after the termination of the contract, and generically informs that “the personal data used to provide a personalized experience to you will be kept exclusively for the time allowed, in accordance with current legislation” and that the data are kept for the time “strictly necessary for the fulfillment of legal and regulatory obligations after the performance of the contract”. Again, the company does not specify which data this refers to or which legislation applies, and this information was considered insufficient for the same reason: no minimum or maximum retention periods are established.

Retention and termination of the processing of personal data

– Oi may keep your personal data stored after the termination of the contract or the end of the service contracted by you, as strictly necessary for the fulfillment of legal or regulatory obligations to which we are subject. Or to exercise any Oi’s right in administrative, judicial or extrajudicial proceedings, without prejudice to the application of the hypotheses mentioned in art. 16 of the General Law for the Protection of Personal Data (LGPD).

– Personal data used to provide a personalized experience to you will be kept exclusively for the time allowed, in accordance with current legislation.

– Your personal data will only be processed during the period necessary to achieve the intended purposes, as established in item 3 of this Privacy Policy.

As for the data storage location, the Privacy Notice and the Privacy Policy do not provide any information about the data storage location. Such information was also not found in any of the company’s contracts.

Sub-parameter (b), referring to whether and when the data is deleted, was not considered fulfilled. The company only states that the data is stored in accordance with the law and for a limited time (see excerpt above), without specifying deadlines or which laws apply.

In the “Elimination and anonymization” section, the company provides that, due to legal requirements, certain data, such as registration data, billing data, location data and traffic data, cannot be deleted or even anonymized. This diverges from the legislation currently in force. The Marco Civil da Internet, for example, establishes the minimum periods for which the data must be kept, but does not prohibit its deletion. Furthermore, in the section “Retention and termination of the processing of personal data” of the Privacy Policy (see excerpt above), the company only states that it keeps the data stored “as strictly necessary for the fulfillment of legal or regulatory obligations”, without expressly providing for the deletion of the data.

Elimination and anonymization

– In order to meet certain legal requirements established by regulatory bodies, with the exception of a court order, data that are inherent to the provision of the service by Oi, such as registration data, billing data, location data and traffic data, cannot be eliminated or anonymized.

Sub-parameter (c), referring to the security practices it observes, was considered met. In its Privacy Notice, in the section “Is my data protected at Oi?”, the company informs:

At Oi, our purpose is to transform the digital environment, applying the best technologies available on the market to guarantee the security of the information we have and live up to the trust you place in us. When we talk about personal data, this concern is even greater and we make every effort to ensure your privacy, so we constantly apply and renew our security protocols, in addition to having internal rules that guide the storage of personal data in safe places, reducing the possibility of unauthorized access or leakage of information.

In its Privacy Policy, in the “Information Security” section, the company informs:

Information security

Oi undertakes to ensure the security and maintenance of the protection of your stored personal data by adopting technical and administrative measures capable of protecting exported personal data from unauthorized access and accidental or illegal situations, in accordance with applicable laws.

Oi’s employees are committed to ensuring the security of their personal data and to respecting this Privacy Policy, under penalty of being subject to disciplinary action in case of violation of these standards.

We hope that you will also contribute to security by keeping your personal data safe. When registering on Oi’s platforms, choose a password strong enough to prevent other people from guessing it.

Oi recommends that you never reveal or share your password with others. You are solely responsible for keeping the password confidential and for any action taken through your account on Grupo Oi’s websites and services.

The protections listed in this section do not apply to information you choose to share in public areas, such as forums and other companies’ social media.

Oi undertakes to disclose to you and to the competent bodies any security incident and the measures that will be applied in that case.

In its Sustainability Report, the company details the security practices it observes. It claims to hold ISO 27001 certification and to use an antivirus product called Endpoint Security EDR. This information was considered sufficient for the sub-parameter. (It is worth keeping in mind that ISO 27001 certifies an information security management system, that is, a set of processes and controls, and not the security of any particular product, network or customer data set, so the certification on its own says little about how customer data is actually protected.)

Oi has ISO 27001 certification, which ensures the quality and reliability of the Company’s Information Security management system, protecting customer data networks across the country against possible cyber attacks.

In 2020, to make public or private companies less vulnerable to cyber attacks, among other risks arising from the online environment, Oi started to offer these cyber security services as a high priority topic.

Amidst the increase in cyber attacks caused mainly by the home office regime adopted by most companies, due to the needs imposed by the pandemic, Oi developed an antivirus called Endpoint Security EDR, which combines artificial intelligence and machine learning to block threats in real time: while the antivirus runs, it identifies the new variants that appear and adapts to combat the threat.

Based on the Company’s experience in protecting its customers’ data and internal systems, Oi, through Oi Soluções, offers this service and intends to expand its offer of security projects in 2021.

Sub-parameter (d), relating to who has access to the data, was not considered fulfilled. In the section “Is my data protected at Oi?” (see excerpt above), the company only states that it adopts security protocols to protect data from “unauthorized access”, but offers no information about who has access to personal data.

Sub-parameter (e), referring to the third parties with whom the data is shared, was considered met. In its Privacy Notice, the company generically describes some data sharing situations:

DOES OI SHARE MY PERSONAL DATA WITH ANYONE?

To provide our services, Oi has business partners who may have access to some of your personal data. All our partners go through a pre-assessment process, so that only those who share our values ​​will participate in our activities.

We also adopt specific measures to guarantee the security and control of your personal data, even when shared. The commitment we make to you in this notice also extends to the people who work with us. In addition to our partners, we may share your data with government authorities, such as law enforcement authorities, the Public Ministry, Courts of Justice, consumer protection agencies, Anatel, among others, in order to comply with any legal, regulatory or court order.

Likewise, we may share personal data with credit protection institutions to reduce credit risk and fraudulent use of Oi services. Wherever you go, we will share your data in accordance with Brazilian law and we reaffirm our commitment to transparency with you.

In its Privacy Policy, the company informs which third parties it shares data with and for what purposes:

Data sharing

Oi does not share your personal data with companies, organizations or third parties, except in the cases below, and always in accordance with this Privacy Policy and other appropriate security and confidentiality measures:

– Between Oi Group companies for maintenance, promotion and improvement of services.

– For commercial partners in the development of promotions and joint commercial actions with Oi.

– For marketing service providers such as email marketing, SMS and online ad serving.

– For sales partners and franchised stores, in collaboration with the sales of products and services provided by Oi.

– For contracted or authorized third parties for care related to the execution or management of Oi services, such as, for example, service providers of technical support and service repair, data analysis, consulting, printing invoices, queries to the credit protection system and customer service centers.

– For government authorities, such as, for example, police authorities, Public Ministry, Courts of Justice, consumer protection agencies or Anatel, due to legal, regulatory, court order or other requests from authorities with powers to do so, to protect damage to the property or safety of the Oi Group or its customers, as requested or permitted by law.

– For credit protection institutions, to reduce credit risk and fraudulent use of Oi services.

– For third parties, not provided for here, with your specific consent.

– For debt collection agencies, in cases of default.

– For third parties, due to corporate restructuring at Grupo Oi.

Oi will ask you for specific consent to share any sensitive personal data.

In its Oi Privacy Program, the company presents a data flow in which it informs the paths that the data take within the company, with the holders and with third parties.

The flow is clear and facilitates communication with users. We congratulate the company for the initiative and transparency.

Sub-parameter (f), relating to the purposes of sharing data with third parties, was considered met. The Privacy Notice and the Privacy Policy state, in some cases, the purpose of sharing data with third parties (see excerpts above), for example, to comply with a legal obligation or to reduce credit risk and fraudulent use. This information was considered sufficient.

Sub-parameter (g), relating to the circumstances of international data transfer, was considered partially fulfilled. In its Privacy Notice, the company states that it transfers data to other countries for cloud storage or for the provision of services. The company does not specify, however, to which countries, nor under which circumstances. Since the Privacy Notice at least informs the data subject of the possibility of international data transfer, the sub-parameter was considered partially met.

DOES OI TRANSFER PERSONAL DATA TO OTHER COUNTRIES?

 

The internet made it possible to break geographical barriers and connect people around the world and, for this to happen, personal data often circulates between countries. As we seek to employ the best technologies available on the market, in some situations, personal data may be transferred outside Brazil, for example, to cloud storage or, if necessary, to provide a service. In any case, we always do this respecting Brazilian law.

Finally, sub-parameter (h), related to the date of the last update of the privacy policy, was considered fulfilled. The company’s Privacy Notice and Privacy Policy both show the date of the last update. It is noteworthy, however, that this information is not included in the company’s contracts. We recommend that the practice of stating the latest update date not be limited to the privacy policies and that it be applied to all company documents.

Parameter III, which assesses whether the company responded promptly to the data access request made by InternetLab members, was considered met. After the access request was made, the company responded to it in a timely manner.

Parameter IV, which assesses whether the company promises to send notifications to the user in the event that it updates its privacy policies, was not considered fulfilled. In its Privacy Notice, the company only states that the document may be changed and recommends that the data subject visit the website periodically, without committing to notify the user.

CAN THIS PRIVACY NOTICE CHANGE?

As Oi is always improving its services and products, this Privacy Notice may be updated. Therefore, we suggest your periodic visit to this page.

In its Privacy Policy, the company states that Oi has the right to change the policy without prior notice and only undertakes to publicize the change on the homepage and other communication channels, without, however, promising to send notifications to users.

Privacy Policy Changes

Oi has the right, when necessary, without prior notice and with immediate effect, to change, add or revoke, partially or totally, this Privacy Policy, provided that in accordance with current legislation. We recommend that you visit this page frequently, or whenever you have questions, to follow up on any updates or changes to our Privacy Policy. In the event of changes to our Privacy Policy, we will immediately disclose it through a prominent notice on the homepage of our website and in other communication channels and Oi’s relationship with its customers.

In clause 7.13 of the IP Connect Service Subscription Agreement, the company undertakes to notify the contracting party, but does not state how this notification would take place. In the Broadband Adhesion Contract, the company does not mention notifying the user in case the contract is updated.

IP Connect Service Subscription Agreement:

7.13 The CONTRACT may be amended at any time by virtue of changes arising from the applicable law and regulations. The CONTRACTING PARTY will be notified by Oi in advance, unless the established deadline does not include prior notice, in which case the change will be automatically applied to this CONTRACT.

Broadband Adhesion Contract :

13.3. This Agreement may be amended, at any time, unilaterally by Oi, upon registration at the Notary Office and publication on the website www.oi.com.br

Due to the broad wording of the contract clause and the lack of commitment to notify the customer in the Privacy Notice and in the Privacy Policy, the parameter was not considered met.

Finally, parameter V, referring to the accessibility of information on privacy and data protection, was considered fulfilled. This is because Oi has a Privacy Portal with clear information on the subject. The portal can be easily accessed at the bottom of Oi’s home page.

However, the company’s Privacy Policy, the most complete document and with more information about the data processing operations carried out by Oi, is not available on the Privacy Portal. To access the document, it is necessary to carry out an active search, through the “from A to Z” section, at the end of the company’s homepage. It is recommended that the Privacy Policy, due to its detail and importance, be made more accessible, preferably on the company’s own Portal.

CATEGORY 2: Data delivery protocols for investigations

Result:

In this category, Oi Banda Larga obtained ¼ of a star, as it partially met parameter I.

Parameter I, regarding the identification of the authorities competent to request data, was considered partially met. In its Privacy Notice and Privacy Policy, the company states in general terms that it shares data with government authorities, such as police authorities, the Public Ministry, Courts of Justice or Anatel, in order to comply with legal obligations. However, the company does not distinguish which of the aforementioned authorities receive data without a court order and which of them can only access the data with judicial authorization.

DOES OI SHARE MY PERSONAL DATA WITH ANYONE?:

(…) we may share your data with government authorities, such as, for example, police authorities, Public Ministry, Courts of Justice, consumer protection agencies, Anatel, among others, to comply with any legal, regulatory or court order.

In the IP Connect Service Subscription Contract, the company undertakes to respect the legal hypotheses of breach of confidentiality of telecommunications and in the Broadband Adhesion Contract, undertakes to provide registration data only to competent administrative authorities, without, however, identifying them.

IP Connect Service Subscription Agreement:

CLAUSE THREE – RIGHTS AND OBLIGATIONS OF THE CONTRACTING PARTY:

3.1.6 Inviolability and secrecy of its communication, respecting the legal hypotheses of breach of confidentiality of telecommunications.

3.1.7 Privacy in billing documents, in the use of your registration data by Oi and privacy of your personal data.

Broadband Adhesion Contract :

11.15. Provide registration data, without the need for a prior court order, only to administrative authorities that have legal competence for the request.

Despite the company identifying the authorities in its Privacy Notice and committing to provide registration data only to the competent administrative authorities, the wording of the two clauses was considered unsatisfactory and, therefore, the parameter was considered partially fulfilled.

It is noteworthy that the company does not clarify to the user the fact that registration data and connection records have different legal treatment. In this sense, it is important that the company clearly informs that connection records can only be delivered upon court order, according to the Marco Civil da Internet. With regard to registration data, this same law authorizes them to be requested without a court order by competent administrative authorities. Currently, however, in the face of controversy over what these “competent administrative authorities” are, it is imperative that the company be transparent about its own interpretations of the law it applies when it receives requests for breach of confidentiality.

Parameter II, regarding the identification of the competent authorities and the crimes in connection with which requests occur, was not considered fulfilled. No mention of the topic was found in the Oi Banda Larga documents analyzed.

Parameter III, related to offering information about geolocation data, was not considered fulfilled. No mention of the topic was found in the Oi Banda Larga documents analyzed.

Parameter IV, referring to the promise to provide connection records only by court order and strictly under the terms of the Marco Civil, was not considered fulfilled. Oi Banda Larga provides in its pre- and post-paid contracts that connection records are only made available upon a judge’s order. However, the clause is not strictly restricted to the terms of the Marco Civil da Internet (that is, it does not specify that only the date and time of the start and end of an internet connection, its duration and the IP address used will be shared).

Broadband Adhesion Agreement:

11.14. Make connection and access records to internet applications available, autonomously or associated with personal data or other information that may contribute to the identification of the user or the terminal, upon a court order

Finally, parameter V, relating to the existence of specific protocols for delivering data to the state, was not met. No such documents could be found in our searches.

CATEGORY 3: Defense of users in the Judiciary

Result:

In this category, Oi Banda Larga obtained a full star, having met both parameters.

As for parameter I, referring to the challenge of legislation, we carried out exploratory searches on the websites of the Federal Supreme Court and the Superior Court of Justice for proceedings in which the company was a party, and we did not find any actions in this regard.

In the phase of interaction with the companies, we had access to the challenge filed by Oi, together with other telephone companies, against State Law No. 20,089/2019 of the State of Paraná, which imposes on fixed and mobile telephone operators the obligation to ensure the identification of telephone calls, under penalty of the fine provided for in that law[14]. In the lawsuit, the companies argue that the law directly violates the constitutional right to data confidentiality, provided for in art. 5, X and XII of the CF/88.

The filing of the action against Law No. 20,089/2019 of the State of Paraná demonstrates a concern with the right to privacy and confidentiality of data and, therefore, the parameter was considered met.

Finally, parameter II, referring to the challenge of abusive requests, was considered met. We carried out exploratory searches in the database of the Court of Justice of the State of São Paulo and in the “Jusbrasil” portal, in both cases for the terms “Oi S/A”, “secrecy” and “breach” and for rulings published between 08/01/2020 and 21/06/2021, and one action was located in this regard: HC 2020.0000746961/TJSP, in the Court of Justice of São Paulo. In the action, the company questions an order from a police authority requesting that it provide, for a period of six months, access passwords to any telephone data the authority required. The company questions the generic nature of the request and asks that the users or telephone terminals targeted by the measure be identified, as well as that the criminal investigation to which such an order would be linked be indicated.

Actions considered in previous editions of Who Defends Your Data, such as Direct Action of Unconstitutionality (ADI) 5642[15], filed by ACEL, were not considered, as they showed no procedural activity in the period.

In this category, we invite companies, at this stage of submission and discussion of the preliminary results of the report, to share with us legal and administrative actions in which they have participated and that may be considered for this category. We also emphasize that proceedings that take place under judicial secrecy, or whose information could violate the privacy of the company’s users, may be shared with case numbers, names, requesting authorities and other potentially personal or sensitive data redacted, solely in order to demonstrate to us the company’s performance in the judicial or administrative defense of its clients during the period analyzed.

CATEGORY 4: Pro-privacy public stance

Result:

In this category, Oi Broadband obtained ½ star, as it met parameter II.

Parameter I, on the overall positioning of the company, was not considered met. On some occasions throughout the year, Internet access providers had the opportunity to express their opinion on public policies and bills that affect the privacy of users.

After searching official government websites, specialized and traditional press and corporate press rooms, we did not find any material in this regard.

In its Sustainability Report, the company claims (p. 51) to have participated in the discussion of several bills at the federal level, including PL 2630/2020, which deals with fake news, and PL 3477/2020, which deals with guaranteeing access to the Internet, for educational purposes, to students and teachers of public basic education. Although the inclusion of this information is positive, we did not find data, on official websites or in the media, confirming the company’s participation in its own name.

Parameter II, on the company’s position on security measures, was considered met. Throughout 2020 and early 2021, Internet access providers had the opportunity to express their views on policies and practices that promote the security of their users’ data, such as: Public Consultation No. 24 by Anatel, on the reassessment of the structure and internal regulations of the Brazilian Communications Commissions – CBC, whose art. 2, IV provides for the actions of the Commission with regard to Political Aspects related to Cyber Security and Artificial Intelligence[16]; the Cyber Security regulation for the Telecom sector, approved by Anatel in 2020[17]; Anatel’s proposal to create a cyber security cooperation group; among others.

The company participated in the Congress entitled LGPD – Challenges Faced since its Entry into Force, organized by IBRASPD, the Brazilian Institute for Data Security, Protection and Privacy. The company took part in the panel “CISO and DPO – Pandemic of mega-leakage, how to deal with this scenario and fulfill the right of the holder”, represented by Fernanda Vaqueiro, CISO of Oi, on September 1, 2021.

However, it is noteworthy that Oi was one of the companies notified by Procon in early 2021 over the alleged leak of data on more than 100 million customers. In response, the company stated only:

Oi understands that it is not the object of questioning in the episode, as there is no evidence of data leakage from its customers.

However, no more robust explanation of the case was given, nor did the company specifically defend any standards or techniques that could address the allegations. Therefore, the company’s response was considered overly generic.

CATEGORY 5: Transparency and Data Protection Impact Reports

Result:

In this category, Oi Broadband got an empty star, as it did not meet any of the parameters.

Parameters I to IV, regarding the publication of transparency reports in Portuguese, accessibility, reporting frequency and information on requests for access to data, were not considered met. The company publishes Sustainability Reports; however, the document does not contain significant information about privacy and data protection.

On page 49 of the 2020 Sustainability Report, there is information that in 2020, 2,438 complaints were received through Anatel’s channels about improper use of registration data. In 2019, this number was 1,220 and in 2018 it was 684. According to the company, this increase in numbers is due to “changes in the data registered by Anatel, which began to take effect in November 2019; but when these complaints were analyzed, a scenario was found in which 76% of the complaints had other reasons, such as restriction to telemarketing mailing, registration requests, invoice dispute, account reversal and product or service cancellation” (p. 49).

However, the company does not publish statistics on requests for data, nor does it identify the requesting authorities or the reasons they present, and, therefore, the parameter was not considered to have been met.

Finally, parameter V, relating to the publication of Data Protection Impact Reports, was not considered met. No documents in this regard were found in our searches.

CATEGORY 6: User notification

Result:

Oi Broadband got an empty star, as there is no mention of the possibility of user notification in any of the analyzed documents.

OI (MOBILE)

Result:

In this category, Oi Mobile obtained a full star, as it fully complied with parameters I, III and V, and partially complied with parameter II.

We emphasize, however, that parameter III, relating to requests for access to data made by members of InternetLab to the company, has not yet been evaluated, as the aforementioned request has not yet been made. The results obtained with such a request may improve the company’s final grade in this category.

Oi Mobile met parameter I, as it met all sub-parameters.

Sub-parameter (a), referring to the data collected, was considered fulfilled. In its Privacy Notice, the company informs:

HOW DOES OI COLLECT PERSONAL DATA?

Directly with you, for example, when purchasing services and products or during our selection processes;

Automatically when, for example, you browse our websites or applications.

Through a partner, if, for example, you already have a bond with the third party.

In its Privacy Notice, the company informs and exemplifies the categories of personal data collected:

PERSONAL DATA CATEGORY

REGISTRATION AND CONTRACT DATA: Name, CPF number, RG number, passport number, affiliation, address (physical or e-mail), mobile and residential telephone number, ICCID number (SIM card), date of birth, nationality and profession.

FINANCIAL DATA: Invoice information, such as history, payment dates, outstanding amounts or payments received, credit or debit card information, bank account, among others.

LOCATION AND TRAFFIC DATA: Approximate location data, when you have activated the location functionality of the Global Positioning System (GPS) or collected by ERB antennas (Radio Base Stations), telephone number of outgoing or incoming calls, as well as their respective duration, telephone number related to sending and receiving SMS, use and quantity of packages or data connection, Wi-Fi browsing, consumption profile information.

NAVIGATION DATA ON OI SITES AND APPLICATIONS: Device and navigation data (model, date, time, IP) and cookies.

In its Privacy Policy, the company provides exhaustive information on registration and contract data, financial information, location data, data on the use of the website and applications, customer service, traffic and statistical data collected.

Sub-parameter (b), referring to the situations in which the collection takes place, was also considered fulfilled. This is because the “How Oi Collects Personal Data” section of the Privacy Notice (see excerpt above) states that data is collected in the acquisition of services and products and in selection processes; automatically when the data subject browses the company’s websites or applications; or through partners. The Privacy Policy specifies the collection of data on the use of contracted products and services, call history, customer service data, recharge transactions, among others. It was considered that such information is capable of detailing the situations in which the collection takes place.

Sub-parameter (c), referring to the purpose of processing, was considered fulfilled. In the section “For what purposes does Oi collect personal data”, the company informs four categories of purpose:

Provision of Services : If you are one of our customers, as a subscriber to our fiber, we will need to collect your registration, location, financial data, among others, in order to formalize the service provision contract and process payments.

Selection Process : If you want to work with us, we will have to collect professional information, such as educational background, profession, among others, to assess whether your profile is compatible with the position.

Partners : Now, if you are one of our partners, we need to collect registration data from individuals who will work in our facilities, for access control, thus ensuring the security of everyone involved in the operation.

Cookies: In addition, as Oi seeks to increasingly improve its products and services, we may use navigation data and data from technological assets, such as cookies, on our websites to improve the performance of web pages.

In the Privacy Policy, this information is broken down in a table specifying the purpose of the processing, which data is processed and its legal basis.

In the same document, the company also details the legal bases for the processing of data:

The legal bases for data processing

Oi may process your personal data based on the following legal bases:

– For the correct execution of the contract or provision of the contracted service, or even for any necessary preliminary procedures, and also to meet your eventual requests.

– To fulfill a legal or regulatory obligation.

– In meeting its legitimate interest or the interest of the Oi Group, including, but not limited to, the support and promotion of its activities and the protection, in relation to the holders, of the regular exercise of their rights or provision of services that benefit them somehow.

– By providing your consent, through a free, informed and unambiguous manifestation, for a specific purpose.

– For fraud prevention and security measures.

– For the regular exercise of rights in the context of judicial or administrative proceedings.

– For shared use of data with the Public Administration, for the treatment necessary for the execution of public policies provided for in laws and regulations or supported by contracts, agreements or similar instruments

The company details in an exhaustive way what data is processed, as well as its purposes and legal basis specifically for each type of data processing. We consider the way in which the company specifies such information to be positive and, therefore, the sub-parameter was considered met.

Sub-parameter (d), referring to the way in which the data is used, was considered fulfilled. In the “Learn more” section of the Privacy Notice, the company informs how it uses personal data on Oi’s portals and applications:

At Minha Oi, you can view contracted products, monitor consumption, find out about your current offer, recharge and even have access to other Oi services. To make all this possible, we use personal data. For example:

  • In order to display information about your offer, we need to have access to your personal data, such as your phone number, as well as location and traffic data.
  • If you want to buy packages, change your offer or contract other services, we will need your registration data, location and traffic data, as well as financial data, to process payments.
  • Now, if you need technical support, we can use registration data, location and traffic data, as well as navigation data and technological assets, depending on your need.
  • In addition, we may use registration data, location and traffic data to offer new products and measure the quality of our services.

Virtual Technician

Through the Virtual Technician, we offer solutions to problems with broadband internet or fiber, satellite TV or landline. For this reason, we use personal data, such as registration data, location and traffic data, as well as navigation data and technological asset data, in order to enable the provision of the service.

Oi Play

It’s Oi’s streaming service for you to have access to movies, series and television channels in one place. On this platform, we can use personal data in different ways, such as:

In order to contract the service, we collect registration, location and financial data, among others, in order to formalize the service provision contract and process payments.

In order for you to access the content of channels and platforms, we may need to authenticate your identity, sharing some personal data, such as CPF, with the partner platform.

We may also use navigation data and data from technological assets, such as cookies, in order to improve the performance of our portal and correct any errors.

In the section “Legal bases for data processing” of the Privacy Policy (see excerpt above), the company details how the data is used, specifying that the data is used “for the correct execution of the contract or provision of the contracted service”, “for the regular exercise of rights in the context of judicial or administrative proceedings”, “for the sharing of data with the Public Administration”, etc. It was considered that such information is capable of detailing the way in which personal data is used.

Finally, sub-parameter (e), relating to information about the rights of data subjects and the means to exercise these rights, was considered met. On its Privacy Portal, in the section “Rights of holders”, the company provides an e-mail address for exercising the rights provided for in the LGPD. Oi provides a specific channel for the data subject, for the representative of a data subject, and for employees or former employees.

Rights of holders

Now, if you want to exercise any of the rights provided for in the LGPD, download the XLSX file through one of the links below and send it to the e-mail

PP-PrivacidadeDireitoTitular@oi.net.br

In the section “What are my rights” the company only informs generically that “the General Law for the Protection of Personal Data establishes that you, as the owner of personal data (owner of your own information), have a series of rights, such as access to data that we have about you, correction of outdated information, among others”. In the forms for exercising the rights of the holder, the company specifies and defines the rights listed by law.

In its Privacy Policy, in the section “What are your rights”, the company informs which rights over personal data are provided for in the General Data Protection Law (right of access and confirmation of processing, correction, deletion, objection, portability, anonymization, request for information and the right to provide or withdraw consent) and provides an e-mail address for exercising these rights. In addition, the company informs that, in order to meet certain legal requirements, it cannot delete or anonymize data that “are inherent to the provision of the service by Oi” unless there is a court order to do so.

Parameter II, on the supply of clear and comprehensive information on the protection of personal data, was considered partially met, because the company met sub-parameters (c), (e), (f) and (h) and partially met sub-parameter (g).

Sub-parameter (a), referring to the storage period and storage location of the data, was not considered fulfilled. As for the storage period, in the section “How long is my data stored by Oi?” of the Privacy Notice, the company informs that it keeps the data for the period necessary to fulfill the purpose and states that it stores the data in accordance with legal regulations. However, the company does not specify what these periods are or which legislation applies. Such information was considered insufficient, since the company does not establish minimum or maximum terms for which it stores its customers’ data.

HOW LONG IS MY DATA STORED BY OI?

Your data will only remain with us for the period necessary to fulfill some purpose, such as, for example, to provide our services, comply with a legal/regulatory obligation, or to help us improve our products. In any case, we will store your data in accordance with the law, securely, transparently and for a limited time.

In the “Retention and termination of the processing of personal data” section of the Privacy Policy, the company only informs that the data may be kept after the termination of the contract and generically states that “the personal data used to provide a personalized experience to you will be kept exclusively for the time allowed, in accordance with current legislation” and that the data are kept for the time “strictly necessary for the fulfillment of legal and regulatory obligations after the performance of the contract”. However, the company does not specify what these periods are or which legislation applies. Such information was considered insufficient, since the company does not establish minimum or maximum terms for which it stores its customers’ data.

Retention and termination of the processing of personal data

– Oi may keep your personal data stored after the termination of the contract or the end of the service contracted by you, as strictly necessary for the fulfillment of legal or regulatory obligations to which we are subject, or to exercise any of Oi’s rights in administrative, judicial or extrajudicial proceedings, without prejudice to the application of the hypotheses mentioned in art. 16 of the General Law for the Protection of Personal Data (LGPD).

– Personal data used to provide a personalized experience to you will be kept exclusively for the time allowed, in accordance with current legislation.

– Your personal data will only be processed during the period necessary to achieve the intended purposes, as established in item 3 of this Privacy Policy.

As for the data storage location, the Privacy Notice and the Privacy Policy do not provide any information about the data storage location. Such information was also not found in any of the company’s contracts.

As for sub-parameter (b), referring to when/if the data is deleted, it was not considered fulfilled. The company only informs that the data is stored in accordance with the law and for a limited time (see section above), without specifying deadlines or which are the applicable laws.

In the “Elimination and anonymization” section, the company provides that, due to compliance with legal requirements, certain data, such as registration data, billing data, location data and traffic data, cannot be deleted or even anonymized. Such information diverges from the legislation currently in force. The Marco Civil da Internet, for example, establishes minimum periods for which the data must be kept, but does not provide for a prohibition on its deletion. Furthermore, in the section “Retention and termination of the processing of personal data” of the Privacy Policy (see excerpt above), the company only informs that it keeps the data stored “as strictly necessary for the fulfillment of legal or regulatory obligations”, without expressly providing for the deletion of the data.

Elimination and anonymization

– In order to meet certain legal requirements established by regulatory bodies, with the exception of a court order, data that are inherent to the provision of the service by Oi, such as registration data, billing data, location data and traffic data, cannot be eliminated or anonymized.

Sub-parameter (c), referring to the security practices it observes, was considered met. In its Privacy Notice, in the section “Is my data protected at Oi?”, the company informs:

At Oi, our purpose is to transform the digital environment, applying the best technologies available on the market to guarantee the security of the information we have and live up to the trust you place in us. When we talk about personal data, this concern is even greater and we make every effort to ensure your privacy, so we constantly apply and renew our security protocols, in addition to having internal rules that guide the storage of personal data in safe places, reducing the possibility of unauthorized access or leakage of information.

In its Privacy Policy, in the “Information Security” section, the company informs:

Information security

Oi undertakes to ensure the security and maintenance of the protection of your stored personal data by adopting technical and administrative measures capable of protecting exported personal data from unauthorized access and accidental or illegal situations, in accordance with applicable laws .

Oi’s employees are committed to ensuring the security of their personal data and to respecting this Privacy Policy, under penalty of being subject to disciplinary action in case of violation of these standards.

We hope that you will also contribute to security by keeping your personal data safe. When registering on Oi’s platforms, choose a password strong enough to prevent other people from guessing it.

Oi recommends that you never reveal or share your password with others. You are solely responsible for keeping the password confidential and for any action taken through your account on Grupo Oi’s websites and services.

The protections listed in this section do not apply to information you choose to share in public areas, such as forums and other companies’ social media.

Oi undertakes to disclose to you and to the competent bodies any security incident and the measures that will be applied in that case.

In its Sustainability Report, the company details the security practices it observes. It claims to hold ISO 27001 certification and to have developed an antivirus product called Endpoint Security EDR. This information was considered sufficient for the sub-parameter. It should be noted, however, that an ISO 27001 certificate attests that an information security management system exists and is audited within a defined scope; the excerpt below states neither that scope nor which technical controls actually protect customer data.

Oi has ISO 27001 certification, which ensures the quality and reliability of the Company’s Information Security management system, protecting customer data networks across the country against possible cyber attacks.

In 2020, to make public or private companies less vulnerable to cyber attacks, among other risks arising from the online environment, Oi started to offer these cyber security services as a high priority topic.

Amidst the increase in cyber attacks caused mainly by the home office regime adopted by most companies, due to the needs imposed by the pandemic, Oi developed an antivirus called Endpoint Security EDR, which combines artificial intelligence and machine learning to block threats in real time: while the antivirus runs, it identifies the new variants that appear and adapts to combat the threat.

Based on the Company’s experience in protecting its customers’ data and internal systems, Oi, through Oi Soluções, offers this service and intends to expand its offer of security projects in 2021.

Sub-parameter (d), relating to who has access to the data, was not considered fulfilled. In the section “Is my data protected at Oi?” (see excerpt above), the company only informs that it adopts security protocols to protect data from “unauthorized access”, but does not offer any information about who has access to personal data.

Sub-parameter (e), referring to the third parties with whom the data is shared, was considered met. In its Privacy Notice, the company generically informs some data sharing hypotheses:

DOES OI SHARE MY PERSONAL DATA WITH ANYONE?

To provide our services, Oi has business partners who may have access to some of your personal data. All our partners go through a pre-assessment process, so that only those who share our values ​​will participate in our activities.

We also adopt specific measures to guarantee the security and control of your personal data, even when shared. The commitment we make to you in this notice also extends to the people who work with us. In addition to our partners, we may share your data with government authorities, such as law enforcement authorities, the Public Ministry, Courts of Justice, consumer protection agencies, Anatel, among others, in order to comply with any legal, regulatory or court order.

Likewise, we may share personal data with credit protection institutions to reduce credit risk and fraudulent use of Oi services. Wherever you go, we will share your data in accordance with Brazilian law and we reaffirm our commitment to transparency with you.

In its Privacy Policy, the company informs which third parties it shares data with and for what purposes:

Data sharing

Oi does not share your personal data with companies, organizations or third parties, except in the cases below, and always in accordance with this Privacy Policy and other appropriate security and confidentiality measures:

– Between Oi Group companies for maintenance, promotion and improvement of services.

– For commercial partners in the development of promotions and joint commercial actions with Oi.

– For marketing service providers such as email marketing, SMS and online ad serving.

– For sales partners and franchised stores, in collaboration with the sales of products and services provided by Oi.

– For contracted or authorized third parties for care related to the execution or management of Oi services, such as, for example, service providers of technical support and service repair, data analysis, consulting, printing invoices, queries to the credit protection system and customer service centers.

– For government authorities, such as, for example, police authorities, Public Ministry, Courts of Justice, consumer protection agencies or Anatel, due to legal, regulatory, court order or other requests from authorities with powers to do so, to protect against damage to the property or safety of the Oi Group or its customers, as requested or permitted by law.

– For credit protection institutions, to reduce credit risk and fraudulent use of Oi services.

– For third parties, not provided for here, with your specific consent.

– For debt collection agencies, in cases of default.

– For third parties, due to corporate restructuring at Grupo Oi.

Oi will ask you for specific consent to share any sensitive personal data.

In its Oi Privacy Program, the company presents a data flow in which it informs the paths that the data take within the company, with the holders and with third parties.

The flow is clear and facilitates communication with users. We congratulate the company for the initiative and transparency.

As for sub-parameter (f), relating to the purposes of sharing data with third parties, it was considered met. The Privacy Notice and the Privacy Policy inform, in some cases, the purpose of sharing data with third parties (see excerpts above), for example, by legal obligation, or to reduce credit risk and fraudulent use. Such information was considered sufficient.

As for sub-parameter (g), relating to the hypotheses of international data transfer, it was considered partially fulfilled. In its Privacy Notice, the company informs that it transfers data to other countries for cloud storage or for the provision of services. The company does not specify, however, to which countries, nor under which circumstances. However, as there was a concern to inform about the possibility of international data transfer in its Privacy Notice, the sub-parameter was considered partially met.

DOES OI TRANSFER PERSONAL DATA TO OTHER COUNTRIES?

The internet made it possible to break geographical barriers and connect people around the world and, for this to happen, personal data often circulates between countries. As we seek to employ the best technologies available on the market, in some situations, personal data may be transferred outside Brazil, for example, to cloud storage or, if necessary, to provide a service. In any case, we always do this respecting Brazilian law.

Finally, as for sub-parameter (h), related to the date of the last update of the privacy policy, it was considered fulfilled. The company’s Privacy Notice and Privacy Policy show the date of the last update, so the sub-parameter was considered met. However, it is noteworthy that such information is not included in the company’s contracts. We recommend that the practice of reporting the latest update not be limited to the privacy policies and that it be applied to all company documents.

Parameter III, which assesses whether the company responded promptly to the requests for access to data made by InternetLab members, was considered met. After the request for access to data was made, the company responded to it in a timely manner.

Parameter IV, which assesses whether the company promises to send notifications to the user in the event of an update to its privacy policies, was not considered fulfilled. In its Privacy Notice, the company only informs that the document may be changed and recommends that the data subject visit the website periodically, without committing to notify the user.

CAN THIS PRIVACY NOTICE CHANGE?

As Oi is always improving its services and products, this Privacy Notice may be updated. Therefore, we suggest your periodic visit to this page.

In its Privacy Policy, the company states that Oi has the right to change the policy without prior notice and undertakes only to publicize the change on its homepage and other communication channels, without promising to send notifications to users.

Privacy Policy Changes

Oi has the right, when necessary, without prior notice and with immediate effect, to change, add to or revoke this Privacy Policy, in whole or in part, provided that this is in accordance with current legislation. We recommend that you visit this page frequently, or whenever you have questions, to keep up with any updates or changes to our Privacy Policy. In the event of changes to our Privacy Policy, we will immediately disclose them through a prominent notice on the homepage of our website and in Oi's other channels of communication and relationship with its customers.

In clause 7.13 of the IP Connect Service Subscription Agreement, the company undertakes to notify the contracting party, but does not say how this notification would take place. The Broadband Adhesion Contract makes no mention of notifying the user when the contract is updated.

IP Connect Service Subscription Agreement:

7.13 The CONTRACT may be amended at any time by virtue of changes arising from the applicable law and regulations. The CONTRACTING PARTY will be notified by Oi in advance, unless the established deadline does not include prior notice, in which case the change will be automatically applied to this CONTRACT.

Broadband Adhesion Contract:

13.3. This Agreement may be amended, at any time, unilaterally by Oi, upon registration at the Notary Office and publication on the website www.oi.com.br

Due to the broad wording of the contract clause and the lack of commitment to notify the customer in the Privacy Notice and in the Privacy Policy, the parameter was not considered met.

Finally, parameter V, referring to the accessibility of information on privacy and data protection, was considered met, because Oi has a Privacy Portal with clear information on the subject, easily reached from a link at the bottom of Oi's homepage.

However, the company's Privacy Policy, the most complete document and the one with the most information about the data processing operations carried out by Oi, is not available on the Privacy Portal. To reach it, the user must search actively, through the "from A to Z" section at the foot of the company's homepage. Given its detail and importance, we recommend that the Privacy Policy be made more accessible, preferably on the Privacy Portal itself.

CATEGORY 2: Data delivery protocols for investigations

Result:

In this category, Oi Mobile obtained ¼ star, as it only partially met parameter I.

Parameter I, regarding the identification of the authorities competent to request data, was considered partially met. In its Privacy Notice and Privacy Policy, the company states in general terms that it shares data with government authorities, such as police authorities, the Public Prosecutor's Office (Ministério Público), Courts of Justice or Anatel, in order to comply with legal obligations. The company does not, however, distinguish which of these authorities receive data without a court order and which can only access data with judicial authorization.

DOES OI SHARE MY PERSONAL DATA WITH ANYONE?

(…) we may share your data with government authorities, such as, for example, police authorities, the Public Prosecutor's Office, Courts of Justice, consumer protection agencies, Anatel, among others, to comply with any legal, regulatory or court order.

In the IP Connect Service Subscription Agreement, the company undertakes to respect the legal grounds for breach of telecommunications secrecy, and in the Broadband Adhesion Contract it undertakes to provide registration data only to competent administrative authorities, without, however, identifying them.

IP Connect Service Subscription Agreement:

CLAUSE THREE – RIGHTS AND OBLIGATIONS OF THE CONTRACTING PARTY:

3.1.6 Inviolability and secrecy of its communication, respecting the legal hypotheses of breach of confidentiality of telecommunications.

3.1.7 Privacy in billing documents, in the use of your registration data by Oi and privacy of your personal data.

Broadband Adhesion Contract:

11.15. Provide registration data, without the need for a prior court order, only to administrative authorities that have legal competence for the request.

Although the company lists authorities in its Privacy Notice and commits, in the contract, to providing registration data only to competent administrative authorities, the wording of the two clauses was considered unsatisfactory, and the parameter was therefore considered only partially met.

It is worth noting that the company does not make clear to users that registration data and connection records receive different legal treatment. The company should state clearly that connection records can only be handed over under a court order, as provided by the Marco Civil da Internet, whereas the same law allows registration data to be requested, without a court order, by competent administrative authorities. Given the current controversy over which bodies qualify as "competent administrative authorities", it is essential that the company be transparent about the interpretation of the law it applies when it receives requests to breach confidentiality.

Parameter II, regarding the identification of the competent authorities and of the crimes for which requests are made, was not considered met. No mention of the topic was found in the Oi Banda Larga documents analyzed.

Parameter III, relating to the provision of information about geolocation data, was not considered met. No mention of the topic was found in the Oi Banda Larga documents analyzed.

Parameter IV, referring to a commitment to provide connection records only under a court order and strictly within the terms of the Marco Civil, was not considered met. Oi Banda Larga provides in its pre- and post-paid contracts that connection records are made available only upon a judicial order. However, the clause is not strictly confined to the terms of the Marco Civil da Internet (that is, it does not specify that only the date and time of the start and end of an internet connection, its duration and the IP address used will be shared).

Broadband Adhesion Contract:

11.14. Make connection records and access records for internet applications available, whether on their own or associated with personal data or other information that may contribute to identifying the user or the terminal, upon a court order.

Finally, parameter V, relating to the existence of specific protocols for delivering data to the State, was not considered met. No such documents were found in our searches.

CATEGORY 3: Defense of users in the Judiciary

Result:

In this category, Oi Mobile obtained a full star, having met both parameters.

As for parameter I, referring to challenges to legislation, we carried out exploratory searches on the websites of the Federal Supreme Court (STF) and the Superior Court of Justice (STJ) for proceedings to which the company was a party, and found no actions of this kind.

During the interaction phase with the companies, we were given access to the challenge filed by Oi, together with other telephone operators, against State Law No. 20,089/2019 of the State of Paraná, which requires fixed and mobile telephone operators to ensure the identification of telephone calls, under penalty of the fines provided for in that law[14]. In the lawsuit, the companies argue that the law directly violates the constitutional right to confidentiality of data, provided for in art. 5, X and XII, of the 1988 Federal Constitution (CF/88).

The filing of the action against Law No. 20,089/2019 of the State of Paraná demonstrates concern for the right to privacy and the confidentiality of data, and the parameter was therefore considered met.

Finally, parameter II, referring to the challenge of abusive requests, was considered met. We carried out exploratory searches in the database of the Court of Justice of the State of São Paulo (TJSP) and on the "Jusbrasil" portal, in both cases for the terms "Oi S/A", "secrecy" and "breach" and for decisions published between 8 January 2020 and 21 June 2021, and one action of this kind was found: HC 2020.0000746961/TJSP, before the Court of Justice of São Paulo. In that case, the company challenges an order from a police authority requesting, for a period of six months, the access passwords for any telephone data the authority might require. The company questions the generic nature of the request and asks that the users or telephone lines targeted by the measure be identified, and that the criminal investigation to which the order relates be indicated.

Actions considered in previous editions of Who Defends Your Data, such as Direct Action of Unconstitutionality (ADI) 5642[15], filed by ACEL, were not considered, as they recorded no new procedural activity.

In this category, at the stage of submission and discussion of the report's preliminary results, we invite companies to share with us judicial and administrative actions in which they have taken part and which could be considered for this category. We also stress that proceedings under judicial secrecy, or whose information might violate users' privacy, may be shared with case numbers, names, requesting authorities and other potentially personal or sensitive data redacted, solely to demonstrate to us the company's judicial or administrative defense of its customers during the period analyzed.

CATEGORY 4: Pro-privacy public stance

Result:

In this category, Oi Mobile obtained ½ star, as it met parameter II.

Parameter I, on the company's general public positioning, was not considered met. On several occasions during the year, Internet access providers had the opportunity to express their views on public policies and bills affecting users' privacy.

After searching official government websites, the specialized and mainstream press and corporate press rooms, we found no material to this effect.

In its Sustainability Report (p. 51), the company claims to have taken part in the discussion of several bills at the federal level, including PL 2630/2020, which deals with fake news, and PL 3477/2020, which deals with guaranteeing Internet access, for educational purposes, to students and teachers of public basic education. Although the inclusion of this information is positive, we found no data, on official websites or in the media, confirming the company's participation in its own name.

Parameter II, on the company's position on security measures, was considered met. Throughout 2020 and early 2021, Internet access providers had the opportunity to express their views on policies and practices that promote the security of their users' data, such as: Anatel's Public Consultation No. 24, on the reassessment of the structure and internal regulations of the Brazilian Communications Commissions (CBC), whose art. 2, IV provides for the Commission's action on policy aspects of Cyber Security and Artificial Intelligence[16]; the Cyber Security regulation for the telecom sector, approved by Anatel in 2020[17]; Anatel's proposal to create a cyber security cooperation group; among others.

The company took part in the congress "LGPD – Challenges Faced since its Entry into Force", organized by IBRASPD, the Brazilian Institute for Data Security, Protection and Privacy, where it was represented by Fernanda Vaqueiro, Oi's CISO, on the panel "CISO and DPO – Pandemic of mega-leaks: how to deal with this scenario and fulfil the data subject's rights", on September 1, 2021.

However, it is worth noting that Oi was one of the companies notified by Procon in early 2021 over the alleged leak of data of more than 100 million customers. In response, the company stated only:

Oi understands that it is not the object of questioning in the episode, as there is no evidence of data leakage from its customers.

No more substantial explanation of the case was given, nor did the company point to specific standards or technical measures that would answer the allegations. The company's response was therefore considered overly generic.

CATEGORY 5: Transparency and Data Protection Impact Reports

Result:

In this category, Oi Mobile got an empty star, as it did not meet any of the parameters.

Parameters I to IV, regarding the publication of transparency reports in Portuguese, their accessibility, the frequency of reporting and information on requests for access to data, were not considered met. The company publishes Sustainability Reports, but these contain no significant information about privacy and data protection.

Page 49 of the 2020 Sustainability Report states that in 2020 the company received 2,438 complaints through Anatel's channels about improper use of registration data; in 2019 the figure was 1,220 and in 2018 it was 684. According to the company, the increase is due to "changes in the data recorded by Anatel, which took effect in November 2019; but when these complaints were analyzed, it was found that 76% of them had other motivations, such as restriction of telemarketing mailings, registration requests, invoice disputes, account reversals and product or service cancellations" (p. 49).

However, the company does not publish statistics on requests for data, nor does it break them down by requesting authority or by the grounds put forward, and the parameters were therefore not considered met.

Finally, parameter V, relating to the publication of Data Protection Impact Reports, was not considered met. No documents of this kind were found in our searches.

CATEGORY 6: User notification

Result:

In this category, Oi Mobile got an empty star, as none of the documents analyzed mentions the possibility of notifying users.

 

TIM BROADBAND

CATEGORY 1: Information on data protection policy

Result:

In this category, TIM Banda Larga obtained a full star, having met all five parameters (I to V).

TIM Banda Larga meets parameter I, referring to information on data collection and its purpose, providing clear and complete information for all sub-parameters.

Sub-parameter (a), referring to which data is collected, was considered met. In its Privacy Policy, in the section "What type of data and what purpose does TIM handle", the company presents a table specifying the origin, the type of data collected, the purpose and the legal basis for processing for each category of data it processes.

Among others, the company informs, in the table, that it collects:

Browsing Data (IP, date and time) and Access Device Data (e.g. IMEI, device model, etc.);

Registration Data: e-mail, name, phone and mobile device model;

Browsing Data and Access Device Data;

Information on the use of the Services: volume of internet traffic;

Location data (country, city and state) from where the access occurred or where the call is taking place;

Telephony records and the sending of SMS and MMS;

Performance of the telecommunications network and infrastructure;

Payment data: credit card numbers and data, top-up transactions, bank information required to provide the services; credit information for the billing and collection systems;

Access Device Data (excluding pages visited).

Sub-parameter (b), referring to the situations in which collection takes place, was also considered met. In the same section mentioned above, the company specifies the origin of the data collected. It indicates, for example, which data is collected during "Browsing on the Site and in the Meu TIM application", in the "Site and Meu TIM application forms", in the "Use of the Services and of the Meu TIM application", in the "Use of the Services", in the "Point of Sale Registration Forms", among others.

Sub-parameter (c), regarding the purpose of data collection, was also considered met. In the same section mentioned above, the company specifies the purpose for collecting each category of data it lists. It gives, for example, the purposes of "Site Functioning: activating essential functionalities such as antivirus software, adapting the content to the screen format, among other functions", "Analytics: understanding your browsing behavior and how the Site and App are being used, to improve your experience as a user and meet the needs of our customers", and "Marketing: targeting content and advertising, ours and our partners', according to your profile and preferences", among others.

In addition, in the TIM LIVE Service Provision Agreement, the company, in clause 19, establishes:

“19.1 The Parties acknowledge that, by reason of this Agreement, TIM will carry out the processing of the CLIENT’s personal data to the extent necessary to ensure the adequate provision of the SERVICES and, in general, as provided for or in any way authorized in the applicable legislation.”

Sub-parameter (d), referring to how the data is used, was also considered met. In specifying the purposes for which it processes personal data, as described above, the company also gives examples of use. For instance, under the purpose of "marketing", it states that data will be used to target "content and advertising". Because usage situations are presented alongside the purposes, the sub-parameter was considered met.

Finally, sub-parameter (e), referring to the rights of data subjects and the means of exercising them, was also considered met. In its Privacy Policy, under "What are the rights of Data Subjects", the company presents a table listing the rights with an explanation of each, including, for example, the "right to confirm the existence of processing of their data and to access it", the "right of rectification", the "right to deletion", the "right of opposition", the "right to request anonymization, blocking or deletion" and the "right to portability", among others. It also provides e-mail addresses for TIM's Data Protection Officer (DPO) area through which these rights can be exercised.

In addition, in the TIM LIVE Service Provision Agreement, the company, in clause 4, establishes:

4.2. The CUSTOMER’s rights are:

(e) the inviolability and secrecy of its communication, respecting the constitutional and legal hypotheses and conditions of breach of telecommunications secrecy and the intermediation of communication activities of the disabled, under the terms of the regulation;

(j) respect for your privacy in billing documents and in the use of your personal data by the provider;

Parameter II, referring to the provision of clear and complete information on the protection of personal data, was considered met, as the company satisfies all of its sub-parameters.

Sub-parameter (a), referring to how long and where the data are stored, was considered met. In the document "Where and for how long does TIM store its data", the company details some of the legal periods for retaining personal data, as well as the criteria it adopts to determine the appropriate retention period.

Storage period

TIM will store and process your Personal Data only for as long as necessary to fulfil the purposes of collection, including to comply with any legal, regulatory, contractual or accountability obligation, a request from competent authorities, or any other purpose provided for in current legislation, such as guaranteeing the rights of data subjects and its own rights.

In general, for example:

Registration Personal Data may be kept for a period of 5 years from the end of the data subject's relationship with TIM, with reference to the Consumer Defense Code;

In addition, under an obligation in the Marco Civil da Internet, data on the IP address, date and time of your internet connections, when TIM is responsible for providing that access, will be kept for at least 12 months and, in the case of TIM's applications, for at least 6 months;

As a telecommunications provider, as established by ANATEL in Resolution No. 738 of 2020, TIM must keep a record of tax data, subscriber registration data, billing data and outgoing and incoming calls, as well as the date, time, duration and value of each call, for a period of 5 years.

After the deadlines expire, the Personal Data will be duly eliminated or anonymized by TIM .

To determine the appropriate retention period for Personal Data, in addition to the statutory period of limitation, we consider other criteria, such as the quantity, nature and sensitivity of this Data, the potential risk of damage from unauthorized use or disclosure of your Personal Data, the purpose of processing such data, and whether we can achieve the intended purposes by other means, and applicable legal requirements, among others.

Notwithstanding the above, TIM's general policy is that no personal data of TIM's customers should be stored for more than 5 (five) years from the end of the commercial relationship between a customer and TIM. The exception to this rule are situations of compliance with a competent court or administrative order (see our newsletter on "Sharing of Personal Data in Case of Investigation"). Note that this is the maximum period once the purpose is fulfilled, provided there is no legal obligation or legitimate interest justifying retention for a longer period.

As for the storage location, the company informs in its Privacy Policy, in the item “TIM may transfer your Data to other countries”:

TIM may transfer data to other countries for storage purposes, for example, on servers located abroad, with a level of data protection adequate to that provided for in current legislation. Please be advised that your Data may be subject to local legislation and the relevant rules of these countries. By interacting with us, You agree to such international transfer of Data, in cases where it is essential for the provision of services and execution of your contract with us, in accordance with data protection legislation.

In the document "Where and for how long does TIM store its data", the company details where personal data is stored:

Storage Location

Finally, data stored by TIM or by contracted suppliers is kept under strict and adequate levels of information security, consistent with market practices, always seeking to comply with the General Personal Data Protection Law and other applicable legislation in force. In general, personal data is stored:

(i) on servers owned by TIM, located in the states of São Paulo and Rio de Janeiro;

(ii) on third-party servers, contracted by TIM specifically for data storage services (hosting), following contractual controls to ensure compliance with the General Data Protection Law; or

(iii) on third-party servers, hired by TIM to perform some specific temporary service that includes some type of data processing (for example, a fraud check). In these cases, in addition to contractual controls, we limit the processing to the minimum necessary and for the shortest time possible (for example, in some situations the data is deleted after a few hours).

This information was considered sufficient to inform users about the company's personal data retention practices.

Sub-parameter (b), referring to when and whether the data is deleted, was considered met. In the document "Where and for how long does TIM store its data", in the Storage Period section (quoted above), the company expressly states that, once the periods authorizing retention have elapsed, TIM deletes or anonymizes the personal data.

Sub-parameter (c), relating to the security practices the company observes, was considered met. On p. 36 of its 2020 Sustainability Report, the company states:

TIM has also improved governance in this process, with new procedures, controls and investments in prevention, incident handling and monitoring teams. The Company conducts its activities based on ISO 27001, the international standard that describes best practices for information security management, and the NIST Cyber Security Framework, which supports the management and reduction of cyber security risk. In 2020, an assessment of the certification requirements was carried out, identifying a level of compliance above 90% of the requirements, and the adjustments necessary to obtain certification will be made by 2022.

Because the company identifies the security standards used to protect its systems and gives some information about the employees and suppliers who have access to data, the information provided was considered sufficient. It is worth noting that the statement describes alignment with ISO 27001 and the NIST Cyber Security Framework rather than a certification already obtained: by the company's own account, certification was still pending at the time of the report.

Sub-parameter (d), relating to who has access to the data, was also considered met, as the company states that only authorized personnel, and suppliers bound by confidentiality clauses, may access data. Although more detailed information about which employees can access the data could have been provided, the specific mention of registration information and communication data, together with the mention of suppliers, indicates the existence of clearer rules on such access, which is why the sub-parameter was considered met.

Sub-parameter (e), referring to the third parties with whom data is shared, was considered met. In its Privacy Policy, under "With whom TIM shares its Data", the company specifies the third parties with which it shares data, including, for example, "technology services", "performance analysis" and "market research" companies.

In the document "How does TIM use personal data to target third-party advertising materials?", available on its Transparency Portal, the company states that it does not reveal the user's identity to, or share the user's data with, its commercial partners when targeting advertising:

In some cases, TIM may use certain information related to your preferences and habits with TIM, to understand what kind of product or service from our commercial partners may be of most interest to you. When we do this, we seek to understand your tastes and your profile and, in doing so, we select products and services from some of our partners that we think may be of interest to you, to target certain advertising materials. By doing this, we do not need to reveal your identity to our partners, i.e. we do not share your data with them in these situations.

In the document "How does TIM share personal data with third parties?", TIM describes in general terms the procedures it adopts when sharing data:

TIM, like any large organization, operates in partnership with a number of other companies that provide support in offering TIM products and services. In some cases, in order for these companies to be able to serve us and provide the support we need, it may be necessary to share certain personal data of our customers with these companies. Our partners and suppliers are only authorized to use the personal data received for the specific purposes for which they were contracted, therefore, they will not use your personal data for any other purpose, besides the provision of services provided for in the contract. TIM performs preparatory procedures for hiring new partners and suppliers to ensure that, in the event that it is necessary to share personal data with such companies, contractual obligations of information security and protection of personal data are established to protect our customers’ data.

This information was considered sufficient to inform users about data sharing.

As for sub-parameter (f), relating to the purposes of sharing data with third parties, it was also considered met. In the same section of the Privacy Policy, "With whom TIM shares its Data", the company specifies the purposes of such sharing, including, among others:

Technology Services: We have a number of providers that we need to contract to operate the Products and provide the Services, and some of them may handle the Personal Data we collect on our behalf. For example, we use data hosting services to store our database, we also use payment method services in order to process billing data for our Services.

(…)

Performance analysis: Data stored by TIM may be collected by third-party technology and used for statistical purposes (analytics), so that TIM can understand who uses its Services, visits its Website and the Meu TIM application, or otherwise interacts with TIM.

(…)

Market surveys: If you respond to a market survey sent by TIM, it is possible that the results will be shared with our partner responsible for such survey.

As for sub-parameter (g), relating to the circumstances of international data transfer, it was considered met. In its Privacy Policy, the company states that TIM may transfer data to other countries:

TIM may transfer data to other countries for storage purposes, for example, on servers located abroad, with a level of data protection adequate to that provided for in current legislation. Please be advised that your Data may be subject to local legislation and the relevant rules of these countries. By interacting with us, You agree to such international transfer of Data, in cases where it is essential for the provision of services and execution of your contract with us, in accordance with data protection legislation.

In the document "Where and for how long does TIM store its data", the company gives detailed information on its international transfer practices and names the main countries in which data is stored:

International Transfers

When using TIM’s internet services, it is possible for the user to access third-party applications, whose servers are located in other countries, and can capture IP and access time information. This is part of the nature of internet connection services, and it is important that the user always adopt the best security practices when surfing the internet. In addition, TIM may actively carry out the international transfer of personal data that are under its control whenever we hire third-party servers, as per items (i) and (ii) above. As they are “cloud” services, these providers can at any time change the location of the hosting, but we seek to contractually limit these transfers to be made safely and to countries that have laws that adequately guarantee the protection and security of personal data. Nevertheless, the main third-party servers that store personal data under TIM’s control are located in the following countries, in addition to Brazil:

EEA (European Economic Area);

California (USA)

Also, when data is stored in another location, this is validated and approved beforehand by the responsible functions.

Such information was considered sufficient for the purposes of this assessment.

Finally, sub-parameter (h), on the date of the last update of the privacy policy, was considered met. Both the Privacy Policy and the contracts show the date of their last update (with the exception of the Corporate SMP Service Agreement, which shows no date).

Parameter III, which assesses whether the company responded promptly to data access requests made by InternetLab members, was considered met. InternetLab made a data access request on July 21, 2021. TIM replied:

TIM, in accordance with applicable legal provisions, must identify the applicant and verify the existence of the legitimacy requirements to meet the requests.

Therefore, we kindly ask you to send us your request again, this time accompanied by the necessary documentation (e.g. a copy of a valid identity document), so that we can provide you with feedback.

This request is also intended to protect holders from improperly communicating their personal data to unauthorized third parties.

Yours sincerely,

Data Protection Officer

After the requested documentation was sent, TIM informed the data subject by e-mail of the personal data it held about them, attaching a Word file with screenshots of the systems in which that data is stored. We consider it positive that the company requires proof of identity before granting access to data, since this prevents a data access request from being used to obtain someone else’s data. Therefore, the parameter was considered met.

Parameter IV, which assesses whether the company promises to notify users when it updates its privacy policy, was considered met. In its Privacy Policy, the company states:

How and when this Policy can be changed

As we are always looking to improve our Services and offer new features, this Privacy Policy may be updated. Rest assured, if relevant changes are made, we will inform you, without prejudice to You checking our Site for the most current version.

Finally, parameter V, referring to the accessibility of information about privacy and data protection, was considered met. The company has a Privacy Portal with the key privacy and data protection information. Furthermore, the company has made available Privacy Notices in which it provides detailed information on its privacy and data protection practices.

CATEGORY 2: Data delivery protocols for investigations

Result:

In this category, TIM Banda Larga got a full star, as it fulfilled all the parameters.

Parameter I, referring to the identification of the authorities competent to request data, was considered fulfilled. In the document “How does TIM share personal data with third parties?”, the company states:

In addition, TIM is subject to a number of legal and regulatory obligations that make certain data sharing with third parties, including authorities, necessary. In many cases, TIM is also required to comply with orders issued by authorities to provide certain data, especially in investigations. We will always protect your rights and will only provide data that is legally required on valid legal grounds.

In the document “How is the sharing of personal data carried out in case of investigation?”, available on the company’s Privacy Portal, it offers a non-exhaustive list of the administrative authorities that may request data, in addition to the cases based on court orders:

One of the possibilities of this sharing is to comply with a court order, an extrajudicial request (submitted by the judicial police or the Public Ministry) or a request from a competent administrative authority (for example, a police station or a government agency), directed to TIM, requesting the supply of a TIM customer’s personal data, in compliance with specific and current legislation.

(…)

Some examples of administrative authorities endowed with requisition powers include prosecutors from the Military, State and Federal Public Prosecutors’ Offices; Civil, Federal and Legislative Police Stations; and the presidency of a CPI (Parliamentary Commission of Inquiry), in addition to cases based on a court order.

The information in the documents cited above was considered sufficient to inform users of the cases in which data is shared with the State; therefore, the parameter was considered met.

Parameter II, regarding the identification of the competent authorities and of the offenses for which a request may be made, was considered met. In the document “How is the sharing of personal data carried out in case of investigation?”, the company describes the criteria it analyzes before meeting a data access request, the most common types of request, and a non-exhaustive list of the legal grounds on which a request may be based:

an analysis of the proportionality of that request is made, that is, whether the decision is within the criteria of proportionality and reasonableness required by Brazilian legislation, in particular the Code of Civil Procedure (art. 8) and the Federal Constitution.

(…)

It is not possible to present all the hypotheses that may support a court order, extrajudicial request or request, as well as the competent authorities, which may require such personal data, since such orders must be based on laws that establish this possibility.

Some of the most common examples we’ve seen here at the company include:

I. Request for telephone number data for criminal investigations and civil actions;

II. Request for registration data, by order of a court or administrative authority, or of the police authorities and the Public Ministry;

III. Request for connection records, by court order;

IV. Location of Radio Base Station (telephone antenna), by court order;

V. Content of private communications, upon court order.

We emphasize, however, that data sharing and the exemplified purposes are not an exhaustive list, with each specific request being analyzed, following the procedures mentioned in this Newsletter.

Also by way of example, we present some of these most common legal fundamentals:

Brazilian Federal Constitution, especially its article 5, X to XII.

Law No. 9296/1996 – Law that regulates legal interception

Law No. 9472/1997 – General Telecommunications Law

Resolution No. 477/2007 – Regulation of Personal Mobile Service – SMP

Law No. 12,830/2013 – On criminal investigation by police chief

Law No. 12,850/2013 – Criminal Organizations Law

Law No. 12,965/2014 – Internet Civil Rights Framework (Marco Civil da Internet)

Decree No. 8,771/2016 – Regulation of the Marco Civil da Internet

Law No. 12,683/2012 – Money Laundering Law

Law No. 13,344/2016 – Trafficking in Persons

Law No. 15,292/2014 – Law on the Search for Missing Persons

Such information was considered sufficient to inform data subjects.

In addition, in the TIM Live Service Provision Agreement, the company informs that, in cases of crimes against children and adolescents provided for in the ECA (Child and Adolescent Statute), TIM may provide all of the customer’s registration data to the judicial authorities, pursuant to the Marco Civil da Internet. The company therefore identifies both the offense and the competent authority. Such information was considered sufficient for evaluation purposes.

TIM Live Service Provision Agreement

14.1 (g) unilaterally by TIM, if the service is found to be used to commit criminal acts, notably crimes against children and adolescents provided for in the Child and Adolescent Statute and other applicable legislation, safeguarding TIM’s right to seek compensation for damages from the CLIENT if TIM is sued by aggrieved third parties in civil or criminal claims arising from liability for the practice of such offensive acts through TIM LIVE; TIM is also entitled to provide all of the CLIENT’s registration data to the judicial authorities, in accordance with Law 12,965/2014, for investigation of the offense and due liability of the offender.

Parameter III, related to offering information about geolocation data, was considered met. In the document “How is the sharing of personal data carried out in case of investigation?”, the company informs that, as a rule, geolocation data can only be requested by court order, and clarifies the limited cases in which the Public Ministry or the chief of police can request it directly:

Finally, we point out that data on the device’s geolocation is not shared with third parties for the purpose of conducting investigations. However, the location data of the base stations used by a device, in real time or historically, can be provided on the basis of a court order, except in cases of prevention and repression of crimes related to trafficking in persons, the case of article 13-B of the Criminal Procedure Code, in which the location data may be requested by a member of the Public Ministry or by the chief of police.

Parameter IV, referring to the commitment to provide connection records only under a court order, as strictly required by the Marco Civil, was considered met. The company informs, in the document “How is the sharing of personal data carried out in case of investigation?”, that connection records are provided only by court order (see the section above).

Finally, parameter V, relating to the existence of specific protocols for delivering data to the State, was considered met. This year, the company added to its Privacy Portal the document entitled “How is the sharing of personal data carried out in the event of an investigation?”, which describes the protocols, requirements and cases for delivering data for investigations.

 

CATEGORY 3: Defense of users in the Judiciary

Result:

In this category, TIM Banda Larga got a full star, as it met both parameters.

Parameter I, referring to challenges to legislation, was considered met. In the engagement phase with the companies, the company presented the action, filed together with other telephone operators, in which it contests Law No. 9,182/2021 of the State of Rio de Janeiro. That law makes it mandatory for mobile phone companies to send alerts about missing children and adolescents to their users, among other measures. Among other arguments, the companies claim that the law violates the constitutional right to privacy and the General Data Protection Law (LGPD).

Finally, to assess parameter II, referring to the contestation of abusive requests, we carried out exploratory searches in the case-law database of the Court of Justice of the State of São Paulo and in the “Jusbrasil” portal, in both cases using the terms “TIM S/A AND breach AND secrecy”, “TIM S/A AND personal data” and “TIM S/A AND privacy”, restricted to judgments published between 08/01/2019 and 07/31/2020. We chose Jusbrasil as a secondary source because it aggregates judgments from all Brazilian state courts, which avoids having to search each court individually.

In the searches, action No. 0830946-86.2014.8.06.0001 was found in the Court of Justice of Ceará, in which the company contests the jurisdiction of the civil court to order the breach of telephone secrecy. Therefore, the parameter was considered met.

Actions considered in previous editions of Who Defends Your Data, such as Public Civil Action No. 0005292-42.2003.4.03.6110, which questions, among other things, the delivery of logical port (source port) data to police authorities, and Direct Action of Unconstitutionality (ADI) 5642[2], filed by ACEL, were not considered, as they showed no procedural activity in the period.

In this category, we invite companies, at this stage of submission and discussion of the preliminary results of the report, to share with us legal and administrative actions in which they have participated and which may be considered for this category. We also emphasize that proceedings that run under judicial secrecy, or whose details could violate the privacy of users, may be shared with case numbers, names, requesting authorities and other potentially personal or sensitive data redacted, solely in order to prove to us the company’s performance in the judicial or administrative defense of its customers during the period analyzed.

 

CATEGORY 4: Public position in favor of privacy

Result:

In this category, TIM Banda Larga obtained a full star, as it fully complied with parameter I and partially with parameter II.

Parameter I, on the overall positioning of the company, was considered met. On several occasions throughout the year, Internet access providers had the opportunity to express their opinion on public policies and bills that affect the privacy of users.

During the engagement phase, the company sent InternetLab some of its contributions to public consultations. Here we highlight TIM’s individual contribution to the ANPD’s call for input on regulating the application of the LGPD to micro and small enterprises, in which TIM argues that “any relaxation measure in favor of small economic agents and/or startups must only reach the position of controller, as defined in article 5, item VI, of the LGPD, not reaching those cases in which the economic agent integrates the chain of processing of personal data as an operator (cf. article 5, item VII, of the LGPD)”.

Parameter II, on the company’s position on security measures, was considered met. Throughout 2020 and early 2021, Internet access providers had the opportunity to express their views on policies and practices that promote the security of their users’ data, such as: Public Consultation No. 24 by Anatel, on the reassessment of the structure and internal regulations of the Brazilian Communications Commissions (CBC), whose art. 2, IV provides for the Commission’s actions regarding political aspects of cyber security and artificial intelligence[3]; the cyber security regulation for the telecom sector, approved by Anatel in 2020[4]; Anatel’s proposal to create a cyber security cooperation group[5]; among others.

In February 2021, during the public hearing held in the Chamber of Deputies on the implementation of 5G in Brazil, the company, through its Vice President of Institutional Relations, defended the construction and financing of a Brazilian security center of excellence to ensure the security of networks[6]. Therefore, since the company took a public position, the parameter was considered met.

Also, in 2021, TIM added a new document to its Privacy Portal, entitled “Information Security and Cyber Security Policy”, in which, among other things, it provides a specific communication channel for security matters. We congratulate the company for making available a specific document detailing its security practices and the means of exercising rights.

However, it is noteworthy that TIM was one of the companies notified by Procon, in early 2021, over the alleged leak of data from more than 100 million customers. In response, the company stated only that:

“It did not identify the occurrence of an attack or leak that would make its customers’ data or its own data vulnerable”.

No more robust explanation of the case was given, nor did the company point to specific standards or techniques that could rebut the allegations. The company’s response was considered overly generic. In this edition of the report, however, responses related to the mega-leak were not considered for scoring purposes.

In this category, we invite companies, at this stage of sending and discussing the preliminary results of the report, to share with us other public events and relevant participations that could be considered for this category.

CATEGORY 5: Transparency and Data Protection Impact Reports

Result:

In this category, TIM Banda Larga obtained three quarters of a star, as it met parameters I, II, III and IV.

Parameter I, on the publication of transparency reports in Portuguese, was considered met, as TIM published this year, in Portuguese, a Sustainability Report on its activities in Brazil. Even though there is still room for improvement (see the items below), the report contains information on the number of official requests received from the judiciary and the number of lawsuits in which the company is involved, which is why the parameter was considered met.

Parameter II, on the accessibility of the transparency report, was considered met, as the Sustainability Report can be reached in two clicks from TIM’s homepage: “Sustainability”, then “Sustainability Report”.

Parameter III, on the availability of previous editions of the report, was considered met. Versions published in previous years are available on the report access page.

Parameter IV, on information about data access requests, was considered met. In its transparency report, the company informs (p. 54):

In 2020, 687 lawsuits related to data privacy were initiated and 5932 were closed, 293 with favorable decisions. In the 300 processes with unfavorable decisions to the Company, there was a payment of approximately R$ 2 million.

In the same period, TIM received 114 lawsuits related to breach of telephone or telematic secrecy, and 81 cases were closed. Requests to TIM from the Judiciary for breach of secrecy in 2020 totaled more than 1 million, as follows:

Telephone interceptions: 427 thousand

Registration data: 391 thousand

Telephone statements: 600

2) Number of customers whose information was requested (number)

(2) It is currently not possible to accurately gauge the number of customers affected by requests for information, as different authorities may request the same data at different times. [p. 93]

It is worth noting, however, that the wording above, even though it gives the number of requests received, states that “it is not possible to accurately gauge the number of customers affected by requests for information”, although other companies have already reported this figure.

Finally, parameter V , relating to the publication of Data Protection Impact Reports, was not considered met. No documents in this regard were found in our searches.

CATEGORY 6: User notification

Result:

TIM Banda Larga did not get a star, as there is no mention of the possibility of notifying users in any of the documents analyzed.

TIM MOBILE

CATEGORY 1: Information on data protection policy

Result:

In this category, TIM Mobile obtained a full star , having fully complied with parameters I, IV and V; and partially to parameter II.

TIM Mobile complies with parameter I, referring to information on collection and purpose, providing clear and complete information on all sub-parameters.

Sub-parameter (a), referring to which data is collected, was considered met. In its Privacy Policy, in the section “What type of data and what purpose does TIM handle”, the company presents a table specifying the origin, the type of data collected, the purpose and the legal basis for the processing of the various data it processes.

Among others, the company informs, in the table, that it collects:

Browsing Data (IP, date and time) and Access Device Data (e.g. IMEI, device model, etc.);

Registration Data: email, name, phone and mobile device model;

Browsing Data and Access Device Data;

Information on the use of the Services: volume of internet traffic; Location data (country, city and state) from where the access occurred or where the call is taking place; telephony records and sending of SMS and MMS; performance of the telecommunications network and infrastructure;

Payment data: credit card numbers and data, top-up transactions, bank information required to provide services; credit information for the billing and collection systems;

Access Device Data (excluding visited pages).

Sub-parameter (b), referring to the situations in which the collection takes place, was also considered met. In the same item mentioned above, the company specifies the origin of the collected data. It points out, for example, which data is collected in “Navigation on the Site and in the Meu TIM application”, in the “Site and Meu TIM application forms”, in the “Use of the Services and in the Meu TIM application”, in the “Use of the Services”, in the “Point of Sale Registration Forms”, among others.

Sub-parameter (c), regarding the purpose of the data collection, was also considered met. In the same item mentioned above, the company specifies the purpose for collecting each of the various data it lists. It specifies, for example, the purposes of “Site Functioning: activating essential functionalities such as antivirus software, adapting the content to the screen format, among other functions”, “Analytics: understanding your browsing behavior and how the Site and App are being used, to improve your experience as a user and meet the needs of our customers”, and “Marketing: targeting content and advertising, our own and our partners’, according to your profile and preferences”, among others.

In addition, in clause 19 of the TIM LIVE Service Provision Agreement, the company establishes:

“19.1 The Parties acknowledge that, by reason of this Agreement, TIM will carry out the processing of the CLIENT’s personal data to the extent necessary to ensure the adequate provision of the SERVICES and, in general, as provided for or in any way authorized in the applicable legislation.”

Sub-parameter (d), referring to the way in which the data is used, was also considered met. By specifying the purposes for which it processes personal data, as per the item above, the company also gives examples of its use. For example, under the purpose of “marketing”, it specifies that the data will be used to target “content and advertising”. Since usage situations are shown alongside the purposes, the sub-parameter was considered met.

Finally, sub-parameter (e), referring to the rights of data subjects and the means to exercise them, was also considered met. In its Privacy Policy, in the item “What are the rights of Data Subjects”, the company presents a table of rights with an explanation of each one, pointing out, for example, the “Right to confirm the existence of processing of their data and to access it”, the “right of rectification”, the “right of deletion”, the “right of opposition”, the “right to request anonymization, blocking or deletion”, and the “right to portability”, among others. In addition, it provides the e-mail addresses of TIM’s Data Protection Officer (DPO) area for exercising these rights.

In addition, in clause 4 of the TIM LIVE Service Provision Agreement, the company establishes:

4.2. The CUSTOMER’s rights are:

(e) the inviolability and secrecy of its communication, respecting the constitutional and legal hypotheses and conditions of breach of telecommunications secrecy and the intermediation of communication activities of the disabled, under the terms of the regulation;

(j) respect for your privacy in billing documents and in the use of your personal data by the provider;

Parameter II, referring to the provision of clear and complete information on the protection of personal data, was considered fulfilled, as the company meets all sub-parameters.

Sub-parameter (a), referring to how long and where the data is stored, was considered fulfilled. In the document “Where and for how long does TIM store its data”, the company details some of the legal periods for keeping personal data, as well as the criteria adopted to determine the appropriate retention period:

Storage period

TIM will store and process your Personal Data only for the time necessary to fulfill the purposes of collection, including for the purposes of complying with any legal, regulatory, contractual or accountability obligation, any request from competent authorities, or other obligations provided for in current legislation, as well as to guarantee the rights of data subjects and its own rights.

In general, by way of example:

Registration Personal Data can be kept for a period of 5 years, with reference to the Consumer Defense Code, from the end of the relationship of the holder with TIM;

In addition, by obligation contained in the Marco Civil da Internet, the Data related to IP, date and time of your internet connections, when TIM is responsible for providing this access, will be kept for at least 12 months and, as for the applications from TIM, for at least 6 months;

by acting as a communications provider, as established by ANATEL through Resolution No. 738 of 2020, TIM must keep records of tax data, subscriber registration data, billing data and outgoing and received calls, as well as the date, time, duration and value of each call, for a period of 5 years.

After the deadlines expire, the Personal Data will be duly eliminated or anonymized by TIM .

To determine the appropriate retention period for Personal Data, in addition to the statutory period of limitation, we consider other criteria, such as the quantity, nature and sensitivity of this Data, the potential risk of damage from unauthorized use or disclosure of your Personal Data, the purpose of processing such data, and whether we can achieve the intended purposes by other means, and applicable legal requirements, among others.

Notwithstanding the above, TIM’s general policy is that no personal data of TIM’s customers should be stored for more than 5 (five) years from the end of the commercial relationship between a customer and TIM. The exception to this rule are situations of compliance with a competent court or administrative order (see our newsletter on “Sharing of Personal Data in Case of Investigation”). Note that this is the maximum period, once the purpose is fulfilled and as long as there is no legal obligation or legitimate interest for retaining the data for a longer period.

As for the storage location, the company informs in its Privacy Policy, in the item “TIM may transfer your Data to other countries”:

TIM may transfer data to other countries for storage purposes, for example, on servers located abroad, with a level of data protection adequate to that provided for in current legislation. Please be advised that your Data may be subject to local legislation and the relevant rules of these countries. By interacting with us, You agree to such international transfer of Data, in cases where it is essential for the provision of services and execution of your contract with us, in accordance with data protection legislation.

In the document “Where and for how long does TIM store its data”, the company informs in detail where personal data is stored:

Storage Location

Finally, the data stored by TIM or by contracted suppliers follow strict and adequate levels of information security and consistent with market practices, always seeking to comply with the General Personal Data Protection Law and other applicable and current legislation. In general, personal data is stored:

(i) on servers owned by TIM, located in the states of São Paulo and Rio de Janeiro;

(ii) on third-party servers, contracted by TIM specifically for data storage services (hosting), following contractual controls to ensure compliance with the General Data Protection Law; or

(iii) on third-party servers contracted by TIM to perform some specific temporary service that includes some type of data processing (for example, a fraud check). In these cases, in addition to contractual controls, we limit the processing to the minimum necessary and for the shortest time possible (for example, in some situations the data is deleted after a few hours).

Such information was considered sufficient to clarify users about the practices adopted by the company for the retention of personal data.

As for sub-parameter (b ), referring to when/if the data is deleted, it was considered fulfilled. In the document “Where and for how long does TIM store its data”, in the Storage Period section (see section above), the company expressly informs that, after the deadlines that authorize the retention, TIM deletes or anonymizes the personal data.

Sub-parameter (c), relating to the security practices the company observes, was considered fulfilled. In its 2020 Sustainability Report, p. 36, the company clarifies:

TIM has also improved governance in this process, with new procedures, controls and investments in prevention, incident handling and monitoring teams. The Company conducts its activities based on ISO 27001, the international standard that describes best practices for information security management, and on the NIST Cyber Security Framework, which supports the management and reduction of cyber security risk. In 2020, an assessment of the certification requirements was carried out, identifying compliance with more than 90% of the requirements, and the adjustments necessary to obtain certification will be made by 2022.

By stating the security standards used to protect its systems, and by providing some information about the employees and suppliers who have access to the data, the company gave information we considered sufficient.

Sub-parameter (d), relating to who has access to the data, was also considered met, as the company states that only authorized personnel, and suppliers bound by confidentiality clauses, can access the data. Even though more detailed information about which employees can access the data could have been provided, the specific mention of registration information and communication data, and the mention of suppliers, indicate the existence of clearer standards for such access, which is why the sub-parameter was considered fulfilled.

Sub-parameter (e), referring to the third parties with whom the data is shared, was considered met. In its Privacy Policy, in the item “With whom TIM shares its Data”, the company specifies which third parties it shares data with, pointing out, for example, companies providing “technology services”, “performance analysis” and “market research”, among others.

In the document “How does TIM use personal data to target third-party advertising materials?”, available on its Transparency Portal, the company states that it does not share identifying information with its business partners:

In some cases, TIM may use certain information related to your preferences and habits with TIM, to understand what kind of product or service from our commercial partners may be of most interest to you. When we do this, we seek to understand your tastes and your profile and, in doing so, we select products and services from some of our partners that we think may be of interest to you, to target certain advertising materials. By doing this, we do not need to reveal your identity to our partners, ie we do not share your data with them in these situations.

Also, in the document “How does TIM share personal data with third parties?”, TIM describes, in general terms, the procedures it adopts when sharing data:

TIM, like any large organization, operates in partnership with a number of other companies that provide support in offering TIM products and services. In some cases, in order for these companies to be able to serve us and provide the support we need, it may be necessary to share certain personal data of our customers with these companies. Our partners and suppliers are only authorized to use the personal data received for the specific purposes for which they were contracted, therefore, they will not use your personal data for any other purpose, besides the provision of services provided for in the contract. TIM performs preparatory procedures for hiring new partners and suppliers to ensure that, in the event that it is necessary to share personal data with such companies, contractual obligations of information security and protection of personal data are established to protect our customers’ data.

Such information was considered sufficient to inform about data sharing.

As for sub-parameter (f), relating to the purposes of sharing data with third parties, it was also considered met. In the same excerpt of the Privacy Policy, under “With whom TIM shares its Data”, the company specifies the purposes of the sharing, pointing out, among others:

Technology Services: We have a number of providers that we need to contract to operate the Products and provide the Services, and some of them may handle the Personal Data we collect on our behalf. For example, we use data hosting services to store our database, we also use payment method services in order to process billing data for our Services.

(…)

Performance analysis: Data stored by TIM may be collected by third-party technology and used for statistical purposes (analytics), so that TIM can understand who the people are who use its Services, visit its Website and the Meu TIM application, or otherwise interact with TIM.

(…)

Market surveys: If you respond to a market survey sent by TIM, it is possible that the results will be shared with our partner responsible for such survey.

As for sub-parameter (g), referring to the cases of international data transfer, it was considered met. In its Privacy Policy, the company informs that TIM may transfer data to other countries:

TIM may transfer data to other countries for storage purposes , for example, on servers located abroad, with a level of data protection adequate to that provided for in current legislation. Please be advised that your Data may be subject to local legislation and the relevant rules of these countries. By interacting with us, You agree to such international transfer of Data, in cases where it is essential for the provision of services and execution of your contract with us, in accordance with data protection legislation.

In the document “Where and for how long does TIM store its data”, the company provides more detailed information on its international transfer practices and names the main countries in which the data is stored:

International Transfers

When using TIM’s internet services, it is possible for the user to access third-party applications, whose servers are located in other countries, and can capture IP and access time information. This is part of the nature of internet connection services, and it is important that the user always adopt the best security practices when surfing the internet. In addition, TIM may actively carry out the international transfer of personal data that are under its control whenever we hire third-party servers, as per items (i) and (ii) above. As they are “cloud” services, these providers can at any time change the location of the hosting, but we seek to contractually limit these transfers to be made safely and to countries that have laws that adequately guarantee the protection and security of personal data. Nevertheless, the main third-party servers that store personal data under TIM’s control are located in the following countries, in addition to Brazil:

EEA (European Economic Area);

California (USA)

Also, when stored in another location, it is previously validated and approved by the responsible functions.

Such information was considered sufficient for the purposes of this assessment.

Finally, as to sub-parameter (h), on the date of the last update of the privacy policy, it was considered met. Both the Privacy Policy and the contracts state the date of their last update (with the exception of the Corporate SMP Service Agreement, which carries no such date).

Parameter III, which assesses whether the company responded promptly to InternetLab members’ requests for access to their data, was considered met. InternetLab made a data access request on July 21, 2021. In response, TIM stated:

TIM, in accordance with applicable legal provisions, must identify the applicant and verify the existence of the legitimacy requirements to meet the requests.

Therefore, we kindly ask you to send us your request again, this time accompanied by the necessary documentation (eg a copy of a valid identity document), so that we can provide you with feedback.

This request is also intended to protect holders from improperly communicating their personal data to unauthorized third parties.

Yours sincerely,

Data Protection Officer

After the requested documentation was sent, TIM informed the data subject, by email, of the personal data it held about them, attaching a Word file with screenshots of the systems in which such data are stored. We consider the requirement of proof of identity before granting access to data to be a positive practice, since it prevents a data subject’s records from being disclosed to someone impersonating them. Therefore, the parameter was considered met.

Parameter IV, which assesses whether the company promises to notify users when its privacy policy is updated, was considered met. In its Privacy Policy, the company states:

How and when this Policy can be changed

As we are always looking to improve our Services and offer new features, this Privacy Policy may be updated. Rest assured, if relevant changes are made, we will inform you, without prejudice to You checking our Site for the most current version.

Finally, parameter V, referring to the accessibility of information about privacy and data protection, was considered met. The company has a Privacy Portal with the key privacy and data protection information. Furthermore, the company has made available Privacy Notices that provide detailed information on its privacy and data protection practices.

CATEGORY 2: Data delivery protocols for investigations

Result:

In this category, TIM Mobile obtained a full star, as it fulfilled all the parameters.

Regarding parameter I, referring to the identification of the authorities competent to request data, it was considered fulfilled. In the document “How does TIM share personal data with third parties?”, the company states:

In addition, TIM is subject to a number of legal and regulatory obligations that make certain data sharing with third parties, including authorities, necessary. In many cases, TIM is also required to comply with orders issued by authorities to provide certain data, especially in investigations. We will always protect your rights and will only provide data that is legally required on valid legal grounds.

In the document “How is the sharing of personal data carried out in case of investigation?”, available on the company’s Privacy Portal, the company offers an illustrative list of the administrative authorities that may request data, in addition to the cases based on court orders:

One of the possibilities of this sharing is to comply with a court order, comply with an extrajudicial request (submitted by the judicial police or the Public Ministry) and request from a competent administrative authority (for example, a police station or a government agency), directed to TIM, requesting the supply TIM customer’s personal data, in compliance with specific and current legislation.

(…)

Some examples of administrative authorities endowed with requisition competence include Prosecutors from the Military, State and Federal Public Prosecutors; Civil, Federal and Legislative Police Stations, presidency of the CPI (Parliamentary Commission of Inquiry), in addition to hypotheses based on a court order.

The information was considered sufficient to inform users of the cases in which data is shared with the State; therefore, the parameter was considered met.

Parameter II, regarding the identification of the competent authorities and of the crimes in connection with which a request may occur, was considered met. In the document “How is the sharing of personal data carried out in case of investigation?”, the company informs the criteria it analyzes when meeting a request for access to data, the most common cases of data requests, and an illustrative list of the legal grounds on which a request may be based:

an analysis of the proportionality of that request is made, that is, whether the decision is within the criteria of proportionality and reasonableness required by Brazilian legislation, in particular the Code of Civil Procedure (art. 8) and the Federal Constitution.

(…)

It is not possible to present all the hypotheses that may support a court order, extrajudicial request or request, as well as the competent authorities, which may require such personal data, since such orders must be based on laws that establish this possibility.

Some of the most common examples we’ve seen here at the company include:

I. Request for telephone number data for criminal investigations and civil actions;

II. Request for registration data, by order of a court or administrative authority, or of police authorities and the Public Ministry;

III. Request for connection records, by court order;

IV. Location of the Radio Base Station (telephone antenna), by court order;

V. Content of private communications, upon court order.

We emphasize, however, that data sharing and the exemplified purposes are not an exhaustive list, with each specific request being analyzed, following the procedures mentioned in this Newsletter.

Also by way of example, we present some of these most common legal fundamentals:

Brazilian Federal Constitution, especially its article 5, X to XII.

Law No. 9296/1996 – Law that regulates legal interception

Law No. 9472/1997 – General Telecommunications Law

Resolution No. 477/2007 – Regulation of Personal Mobile Service – SMP

Law No. 12,830/2013 – On criminal investigation by police chief

Law No. 12,850/2013 – Criminal Organizations Law

Law No. 12.965/2014 – Internet Civil Rights Framework

Decree No. 8.771/2016 – Regulator of the Civil Framework for the Internet

Law No. 12,683/2012 – Money Laundering Law

Law No. 13,344/2016 – Trafficking in Persons

Law No. 15,292/2014 – Law on the Search for Missing Persons

Such information was considered sufficient to inform data subjects.

Also, in the TIM Live Service Provision Agreement, the company informs that in cases of crimes against children and adolescents, as provided for in the Child and Adolescent Statute (ECA), TIM may provide all of the customer’s registration data to the judicial authorities, pursuant to the Marco Civil da Internet. The company thus identifies both the crime and the competent authority. Such information was considered sufficient for evaluation purposes.

Live Service Agreement

14.1 (g) unilaterally by TIM, if the use of the service is found to commit criminal acts, notably crimes against children and adolescents provided for in the Child and Adolescent Statute and other applicable legislation, safeguarding TIM’s right to seek eventual compensation for damages against the CLIENT if it has been sued by aggrieved third parties, in the scope of civil or criminal claims that give rise to responsibility for the practice of such offensive acts, through TIM LIVE, and TIM is even entitled to provide all the registration data of the CLIENT to the judicial authorities in accordance with Law 12,965/2014 for investigation of the offense and due liability of the offender.

Parameter III, related to the provision of information about geolocation data, was considered met. In the document “How is the sharing of personal data carried out in case of investigation?”, the company informs that, as a rule, geolocation data can only be requested by means of a court order, and clarifies the restricted cases in which the Public Ministry or the chief of police may make the request directly:

Finally, we indicate that data on the device’s geolocation is not shared with third parties for the purpose of conducting investigations. However, location data of the base stations used by a device, in real time or historical, can be provided based on a court order, except in cases of prevention and repression of crimes related to trafficking in persons, the hypothesis of article 13-B of the Criminal Procedure Code, in which the location data may be requested by a member of the Public Ministry or by the chief of police.

Parameter IV, referring to the promise to provide connection records only by court order, strictly under the Marco Civil, was considered met. The company informs, in the document “How is the sharing of personal data carried out in case of investigation?”, that connection records are provided only by court order (see the section above).

Finally, parameter V, relating to the existence of specific protocols for delivering data to the State, was considered met. This year, the company included in its Privacy Portal the document entitled “How is the sharing of personal data carried out in the event of an investigation?”, which provides information on the protocols, requirements and cases of data delivery for investigations.


CATEGORY 3: Defense of users in the Judiciary

Result:

In this category, TIM Mobile obtained a full star, as it met both parameters.

Regarding parameter I, referring to the challenging of legislation, it was considered met. In the engagement phase with the companies, the company presented the lawsuit, filed jointly with other telephone operators, in which it contests Law No. 9.182/2021 of the State of Rio de Janeiro. That law requires cell phone companies to send alerts about missing children and adolescents to their users, among other measures. Among other arguments, the companies claim that the law violates the constitutional right to privacy and the General Data Protection Law (LGPD).

Finally, to investigate parameter II, referring to the contestation of abusive requests, we carried out exploratory searches in the database of the Court of Justice of the State of São Paulo and in the “Jusbrasil” portal, in both cases using the terms “TIM S/A AND breach AND secrecy”, “TIM S/A AND personal data” and “TIM S/A AND privacy”, restricted to judgments published between 08/01/2019 and 07/31/2020. We emphasize that Jusbrasil was chosen as a secondary source because it aggregates judgments from all Brazilian state courts, sparing a search of each court individually.

In the searches, action No. 0830946-86.2014.8.06.0001 was found in the Court of Justice of Ceará, in which the company contests the jurisdiction of the Civil Court to order the breach of telephone secrecy. Therefore, the parameter was considered met.

Actions considered in previous editions of Who Defends Your Data, such as Public Civil Action No. 0005292-42.2003.4.03.6110, which questions, among other things, the delivery of logical port data to police authorities, and the Direct Action of Unconstitutionality (ADI) 5642[2], filed by ACEL, were not considered, as they recorded no procedural activity in the period.

In this category, we invite companies, at this stage of submission and discussion of the preliminary results of the report, to share with us legal and administrative proceedings in which they have taken part and that may be considered for this category. We also emphasize that proceedings under judicial secrecy, or whose details could violate the privacy of the company’s users, may be shared with case numbers, names, requesting authorities and other potentially personal or sensitive data redacted, solely to demonstrate to us the company’s performance in the judicial or administrative defense of its customers during the period analyzed.


CATEGORY 4: Public position in favor of privacy

Result:

In this category, TIM Mobile obtained a full star, as it fully complied with parameter I and partially with parameter II.

Parameter I, on the company’s overall public positioning, was considered met. On several occasions throughout the year, Internet access providers had the opportunity to express their opinion on public policies and bills affecting the privacy of users.

During the engagement phase, the company sent InternetLab some of its contributions to public consultations. Here we highlight TIM’s individual contribution to the ANPD’s call for contributions on the regulation of the application of the LGPD to micro and small enterprises, in which TIM argues that “any flexibilization measure in favor of small economic agents and/or startups must only reach the position of controller, as defined in article 5, item VI, of the LGPD, not extending to those cases in which the economic agent participates in the chain of processing of personal data as an operator (cf. article 5, item VII, of the LGPD)”.

Parameter II, on the company’s position on security measures, was considered met. Throughout 2020 and early 2021, Internet access providers had the opportunity to express their views on policies and practices that promote the security of their users’ data, such as: Anatel’s Public Consultation No. 24, on the reassessment of the structure and internal regulations of the Brazilian Communications Commissions – CBC, whose art. 2, IV provides for the Commission’s actions with regard to policy aspects related to cybersecurity and artificial intelligence[3]; the cybersecurity regulation for the telecom sector, approved by Anatel in 2020[4]; Anatel’s proposal to create a cybersecurity cooperation group[5]; among others.

In February 2021, during the public hearing held in the Chamber of Deputies on the implementation of 5G in Brazil, the company, through its Vice President of Institutional Relations, defended the construction and financing of a Brazilian center of excellence in security, in order to ensure the security of networks[6]. Therefore, since there was a public positioning by the company, the parameter was considered met.

Also, in 2021, TIM added a new document to its Privacy Portal, entitled “Information Security and Cybersecurity Policy”, in which, among other things, it provides a specific communication channel for security matters. We congratulate the company for making available a specific document detailing its security practices and the means of exercising rights.

However, it is noteworthy that TIM was one of the companies notified by Procon, in early 2021, regarding the alleged leak of data of more than 100 million customers. In response, the company stated only:

“It did not identify the occurrence of an attack or leak that would make its customers’ data or its own data vulnerable”.

No more robust explanation of the case was given, nor did the company point to specific standards or techniques that would address the allegations. The company’s response was considered overly generic. However, in this edition of the report, responses related to the mass leak were not considered for scoring purposes.

In this category, we invite companies, at this stage of submission and discussion of the preliminary results of the report, to share with us other public events and relevant participations that could be considered for this category.

CATEGORY 5: Transparency and Data Protection Impact Reports

Result:

In this category, TIM Mobile obtained three quarters of a star, as it met parameters I, II, III and IV but not parameter V.

Parameter I, on the publication of transparency reports in Portuguese, was considered met, as TIM published this year, in Portuguese, a Sustainability Report on its activities in Brazil. Even though there is still room for improvement (see the items below), the report contains information on the number of official letters received from the Judiciary and the number of lawsuits in which the company is involved, which is why the parameter was considered met.

Parameter II, on the accessibility of the transparency report, was considered met, since the Sustainability Report can be reached in two clicks from TIM’s homepage: “Sustainability” and then “Sustainability Report”.

Parameter III, on the availability of previous editions of the report, was considered met. Versions published in previous years are available on the reports page.

Parameter IV, on information about requests for access to data, was considered met. In its transparency report, the company informs (p. 54):

In 2020, 687 lawsuits related to data privacy were initiated and 5932 were closed, 293 with favorable decisions. In the 300 processes with unfavorable decisions to the Company, there was a payment of approximately R$ 2 million.

In the same period, TIM received 114 lawsuits related to breach of telephone or telematic confidentiality, and 81 cases were closed. Requests to TIM for breach of privacy from the Judiciary, in 2020, totaled more than 1 million, as follows:

Telephone interceptions: 427 thousand

Registration data: 391 thousand

Telephone statements: 600

2) Number of customers whose information was requested (number)

(2) It is currently not possible to accurately gauge the number of customers affected by requests for information, as different authorities may request the same data at different times. [for. 93]

It is worth noting, however, that the passage above, even though it gives the number of requests received, states that “it is not possible to accurately gauge the number of customers affected by requests for information”, although other companies have already done so.

Finally, parameter V, relating to the publication of Data Protection Impact Reports, was not considered met. No such documents were found in our searches.

CATEGORY 6: User notification

Result:

TIM Mobile did not get a star, as there is no mention of the possibility of user notification in any of the analyzed documents.

VIVO (BROADBAND)

CATEGORY 1: Information on data protection policy

Result:

In this category, Vivo Banda Larga obtained a full star, having complied with parameters I, II and III, and partially with parameter V.

Although the broadband contracts provide little information about the company’s data processing practices, we found that most of the information is available in the Sustainability Report, the Privacy Center and Vivo’s Privacy Policies. In the Privacy Center, users find visual and accessible sections on “Information Security”, “Exercise of Rights”, among others.

Vivo complies with parameter I, providing clear and complete information on all sub-parameters.

Sub-parameter (a), referring to the collected data, was considered fulfilled. In its Privacy Center, under “Data Processing”, the company informs the nature of the information collected.

The same information is repeated in Vivo’s Local Privacy Policy. Also, in the Agreement for the Provision of Switched Fixed Telephone Service, the company informs (clause 13) about the collection of connection records, names, among other data.

Sub-parameter (b), referring to the situations in which collection takes place, was also considered fulfilled. Even though there is no specific wording listing the cases in which data are collected, the sections “Nature of the collected information” (see above) and “For what and how we collect it” (see below) inform that the data collected are those provided when services are contracted, through interaction with service channels, among others. Such information was considered capable of detailing the situations in which collection takes place.

Sub-parameter (c), referring to the purpose of data processing, was also considered fulfilled. Under “What We Collect” in the Privacy Center, the company describes some of the purposes.

Furthermore, in clauses 5.3 and 13.1 of the Adhesion Agreement, the company explains data collection purposes, such as its use for sending emails, direct mail, providing services, or marketing purposes.

5.3 The CLIENT has the option of authorizing or not VIVO to send e-mails, direct mail, inserts or any other communication instrument offering services and/or products of VIVO or related companies or partners, as well as providing to these the registration/personal data provided for this contract, for the offer of their products and/or services. Such permissions can be revoked by the CUSTOMER, at any time, through a request made to the Customer Relationship Center.

13.1. The CUSTOMER’s personal data collected by VIVO under this Agreement will be treated under current legislation, and applicable regulations, exclusively to provide the telecommunication service(s) object of this Agreement, as well as for analysis of the CLIENT’s profile, or for marketing purposes, in order to (i) guarantee the adequacy of the best offers according to the CLIENT’s needs; and (ii) improve the performance of the services provided, which may also be handled by VIVO, its partners or by third parties hired by VIVO, in an anonymized manner in order to allow analysis and construction of patterns, behaviors, choices, and consumption for the purposes set forth herein.

Sub-parameter (d), referring to how the data is used, was considered fulfilled. Although there is no dedicated section, the sections mentioned above (describing the situations in which collection takes place and its purposes), together with the information on the time and place of storage, indirectly inform how the data is used.

Finally, sub-parameter (e), relating to information about the rights of data subjects and the means to exercise them, was also considered met. Under “Exercise of Rights” in the Privacy Center, the company lists some of the data subjects’ rights. Although other rights could have been mentioned, such as the right to portability and to review of automated decisions, the wording presented was considered satisfactory. In addition, the same page offers portals, e-mail addresses or telephone and SMS numbers through which these rights can be exercised, depending on the right in question.

It should be noted that, specifically regarding the right to deletion of personal data, the company merely states that it keeps “the data for the time necessary” as provided by law, referring the user to its Privacy Policy for the “storage periods”. The wording suggests that the right to deletion cannot be exercised. Ideally, the company should have specified which data can be deleted and which cannot, and the reason for this distinction.

The Adhesion Agreement also contains provisions regarding the rights of the holders. Clause 5.3, reproduced above, guarantees the customer the possibility to revoke, at any time, the permissions granted through a request in the Customer Service Center. Also, in clause 5.1.8., the company lists as a customer’s right the “efficient and timely response by VIVO to their complaints, service requests and requests for information”.

Regarding parameter II, referring to the provision of clear and complete information on the protection of personal data, it was considered met on balance, with sub-parameters (c) and (d) considered met, sub-parameters (a), (b), (e), (f) and (g) partially met, and sub-parameter (h) not met.

Sub-parameter (a), referring to the time and place of data storage, was considered partially fulfilled. Under “Data Processing” and “Data Storage” at the Privacy Center, the company informs the adopted practices.

Also, in the Adhesion Contract, the company informs that personal data is stored for 5 years and that the contracts are kept for 10 years.

13.2 The CLIENT’s personal data collected by VIVO under this Agreement will be stored by VIVO or by a third party subcontracted by VIVO for a period of 5 (five) years, and the Agreements will be stored for a period of 10 (ten) years, in order to guarantee compliance with the corresponding applicable legal obligations, and CUSTOMERS are guaranteed that the storage of their personal data by VIVO or by subcontracted third parties will be carried out through the adoption of security measures and physical and logical protection of the information.

The information on storage time was considered satisfactory, as detailed retention periods are presented for each type of data collected, including the maximum retention periods. As for the storage location, the company informs, in its Telefónica Privacy Policy:

– Information is preferably handled internally at Telefônica Vivo or at companies of the Telefônica Group, always respecting the legislation in force in Brazil. 

– In some cases, the information may be shared with partner companies, which require security controls to protect the information. 

The wording of the excerpt above was considered excessively broad and unsatisfactory. Even though the company informs that “the information is preferably handled internally”, it does not clarify the cases in which data are handled externally, in which countries they are stored, or which types of data are stored in each location, among other relevant information that could have been provided.

Sub-parameter (b), referring to when and whether the data is deleted, was considered partially met. This is because, from the same excerpt mentioned above, under “Data Storage” in the Privacy Center, it can be inferred that the data is erased after the aforementioned period has elapsed, but there is no clarification as to whether this actually occurs.

Sub-parameter (c), relating to the company’s security practices, was considered met. In its 2020 Sustainability Report (p. 41), the company names some of the security standards it uses to protect users, claiming to have developed an “extensive list of protocols to be followed”, “based on the company’s security requirements and market frameworks (ISO 27001 and ISO 22301, NIST, PCI/DSS etc.), especially related to secure systems and servers”. In addition, in the Privacy Center, under “Information Security”, the company describes some of the security measures it adopts, such as encryption of personal data in transit from users’ devices; it declares that access to data is granted only to authorized persons, following the ‘principle of least privilege’; and it claims to provide auditability of any activities carried out on the data, among others.

Sub-parameter (d), referring to who has access to the data, was also considered met, since the company, as noted in the paragraph above, states that only authorized persons, in accordance with the ‘principle of least privilege’, may access the data. Even though more detailed information could have been provided about which employees can access the data, the mention of the principle of least privilege indicates the existence of clearer standards governing such access, which is why the sub-parameter was considered fulfilled.

Sub-parameter (e), referring to the third parties with whom data is shared, was considered partially fulfilled. In the Privacy Center, under “Information Sharing”, in clauses 13.4, 13.5 and 13.7 of the Adhesion Agreement, and in Clause 5 of its Local Privacy Policy, the company lists some cases in which data is provided to third parties.

Adhesion Agreement:
13.7 Except as provided in the previous items, other personal data, including connection records, will not be provided to third parties, except by means of free, express and informed consent or in the cases provided for by law identified in clauses 13.4 and 13.5 of this Agreement.

The above information, even though it gives some guidance on which third parties have access to the data, is excessively broad. It does not specify which third parties may receive data, does not give examples of situations in which the user would have given express authorization (no such authorization was found in the documents analyzed), and does not specify which data is shared and in which situations. However, as there is a concern to provide information on the topic, with a minimum of detail, the sub-parameter was considered partially met.

Sub-parameter (f), relating to the purposes of sharing data with third parties, was also considered partially met. This is because the information provided on the subject, referenced in the analysis of sub-parameter (e) above, as well as the very similar wording in Clause 5 of its Local Privacy Policy, is unclear and only generically states that data can be shared “to guarantee, for example, the provision of the services contracted by you”. No clearer information is given about the cases of sharing and their purposes. However, as there is a concern to provide information on the topic, with a minimum of detail, the sub-parameter was considered partially met.

Sub-parameter (g), referring to the cases of international data transfer, was considered partially met. In its Privacy Center, as well as in very similar wording in Clause 6 of its Local Privacy Policy, the company informs about the sharing of data with the Telefónica Group, of which it is part.

The information above does not clarify, in a clear or exhaustive manner, the cases and situations in which data may be sent abroad. However, as there is a concern to provide information on the topic, with a minimum of detail, the sub-parameter was considered partially met.

Finally, sub-parameter (h), referring to the date of the last update of the privacy policy, was not considered met. There are no references to changes in Vivo’s Privacy Center, where most privacy information is presented. Furthermore, its own Local Privacy Policy states, in clause 17, that “this Privacy and Data Protection Policy may be revised at any time and without prior notice”.

Parameter III, which assesses whether the company responded promptly to InternetLab members’ requests for access to their data, was considered met. InternetLab made a data access request on July 21, 2021, through the company’s privacy portal, which returned an error message. After InternetLab contacted the company’s DPO, the error was corrected, and the data subject’s registration information could be accessed through the portal.

Parameter IV, which assesses whether the company promises to notify users when its privacy policy is updated, was not considered met. No Vivo document mentions such a possibility, and its Local Privacy Policy states, in clause 17, that “this Privacy and Data Protection Policy may be revised at any time and without prior notice.” In the engagement phase, the company informed that its local privacy policy would be updated to notify users in the event of changes. However, on the closing date of this report, the change had not yet been made, and the text quoted here was still present in clause 17.

Finally, parameter V, referring to the accessibility of privacy and data protection information, was considered partially met. This is because Vivo has a Privacy Center, mentioned several times above, with clear and, in general, complete information on the subject. In addition, the center can be easily accessed from the Vivo homepage.

However, most of this information is not presented in the company’s broadband internet contracts, which is the recommended practice, so that it can be accessed by all customers, expressly consented to by them, and detailed according to each type of contracted service.

CATEGORY 2: Data delivery protocols for investigations

Result:

In this category, Vivo Banda Larga obtained a full star, having complied with parameters I, II and V, partially with parameter IV and not meeting parameter III.

Parameter I, regarding the identification of the authorities competent to request data, was considered fulfilled. On page 22 of Telefônica’s Transparency Report 2021, there is a definition of which authorities are competent to intercept communications and request metadata under Brazilian legislation, in addition to a mention of the competence of “judges from any sphere”:

“Legal Intercept: From the agreement with the 3rd article of the Brazilian Federal Law n. 9.296/1996 (law of interceptaciones), only the Juez (of the criminal sphere) can determine the interceptions (telephonic and telematic), at the petition of the Fiscalía (Public Ministry) or the Comisario de Policía (Police Authority).”

“Metadata associated with communications: Competent Authorities » Fiscal, Police Commissioners and Jueces of any sphere, as well as Presidents of the Parliamentary Investigation Commissions: the name and direction of the registered user (dates of subscription), as well as the identity of the equipment of communication (including IMSI or IMEI).”

“Jueces of any sphere: the data to identify the origin and destination of a communication (for example, telephone numbers, usernames for Internet services), the closing date, time and duration of a communication and the location of the device.”

This means that Vivo delivers registration data upon request from representatives of the Public Ministry (“Fiscalía”), police authorities (“comisarios de policía”) and judges. Connection records and location data are only available upon the order of a judge. 

Parameter II, regarding the identification of the competent authorities and the crimes under which the request occurs, was considered met. In the Transparency Report (Informe de Transparencia en las Comunicaciones), Article 15 of Law 12,850/13 (Law on Criminal Organizations) is cited as the “Legal Context” for requests for “metadata associated with communications”. In addition, under “Data Delivery Protocol for Authorities” in its Privacy Center, the company lists the laws that support the delivery of data and the authorities competent to request confidential data.

InternetLab commends the list of laws that allow the delivery of data to competent authorities in Vivo’s privacy center, in an easily accessible form for its users.

Parameter III, related to offering information about geolocation data, was not considered fulfilled. Even though the Transparency Report mentioned above includes “device location” among the data that may be requested by court order, and the Data Delivery Protocol mentions the possibility of sharing “Radio Base Station Location” data, there is no detail about the circumstances in which the company shares geolocation data and why, so the information required by the sub-parameters of that item is not provided.

The parameter IV, referring to the promise of providing only connection records by court order strictly under Marco Civil, was considered partially fulfilled. On the one hand, the same excerpt mentioned above is clear in defining that only judges will have access to data on the origin and destination of a communication, from which it follows that such access will take place through a court order. However, the passage is not strictly restricted to the terms of the Marco Civil da Internet (that is, it does not specify that only the date and time of the start and end of an internet connection, its duration and the IP address used will be shared).

Finally, parameter V, relating to specific protocols for delivering data to the state, was considered met. This year, we located a specific section in Vivo’s Privacy Center dedicated to such requests, with the very title “Protocol for the Delivery of Data to Authorities”. InternetLab commends the creation of this new section, which, to our knowledge, is unusual in the industry.

InternetLab also commends Telefónica Global’s practice of making public, in its transparency report, different interpretations on the delivery of data, the competent authorities and the number of rejected and fulfilled requests, among other information. However, we emphasize that such information needs to be presented in Portuguese, whether in contracts, the Sustainability Report or other materials, for the company to be scored without reservations.

CATEGORY 3: Defense of users in the Judiciary

Result:

In this category, Vivo Banda Larga got a full star, as it met both parameters.

Parameter I, related to challenges to legislation, was considered met. In the engagement phase with companies, Vivo presented some actions in this regard. For example, it mentioned an action, filed jointly with other telephone operators, disputing amendments to the General Regulation of Consumer Rights of Telecommunications Services – RGC that would oblige companies to provide the personal data of the person who made a telephone call to any recipient of that call (Termination Action No. 0802518-50.2020.4.05.0000).

Finally, parameter II was also considered met. In the engagement phase with companies, Vivo presented to InternetLab, with sensitive information redacted, several responses to administrative letters in which it refused to provide personal data to public authorities. For example, there are situations in which it denied the delivery of call history and ERB (radio base station) location data to the Public Prosecutor’s Office and police authorities, on the grounds that the requests did not observe the principle of constitutional reserve of jurisdiction.

Actions considered in previous editions of Who Defends Your Data, such as Public Civil Action No. 0005292-42.2003.4.03.6110, which questions, among other things, the delivery of logical port data to police authorities, and the Direct Action of Unconstitutionality (ADI) 5642[15], filed by ACEL, were not considered, as they registered no procedural activity in the period.

CATEGORY 4: Pro-privacy public stance

Result:

In this category, Vivo Banda Larga obtained half a star, as it met parameter I.

Parameter I, on the overall positioning of the company, was considered met. On some occasions throughout the year, Internet access providers had the opportunity to express their opinion on public policies and bills that affect users’ privacy.

During the engagement phase with companies, Vivo provided us with examples of situations in this regard. For example, an opinion article published on the Poder 360 portal in September 2021 by Breno Oliveira, legal director of Telefônica Brasil, defends some privacy techniques and ways to implement the LGPD “successfully”.[16]

Parameter II, on the company’s position on security measures, was not considered met. Throughout 2020 and early 2021, Internet access providers had the opportunity to express their views on policies and practices that promote the security of their users’ data, such as: Public Consultation No. 24 by Anatel, on the reassessment of the structure and internal regulations of the Brazilian Communications Commissions – CBC, whose art. 2, IV provides for the Commission to act on political aspects related to Cyber Security and Artificial Intelligence[17]; the Cyber Security regulation for the Telecom sector, approved by Anatel in 2020[18]; Anatel’s proposal to create a cyber security cooperation group[19]; among others.

During the engagement phase, the company provided us with a copy of its contributions to Anatel’s Public Consultation No. 24, in which it defends, mainly, the expansion of dialogue and the participation of the private sector in the themes developed by the CBCs. However, this contribution makes no mention of security techniques.

It is noteworthy that in 2020 Vivo suffered an alleged cyberattack on its application, in which various customer data were leaked[20]. It was even sued by the Intervozes collective, which sought more information, and notified by Anatel and Procon[21]. In the engagement phase, the company presented us with the public responses it submitted to SENACON on the case, in which it claims to have assessed its internal systems and found no security incident. However, there is no mention of improvements in security techniques.

Finally, before the media in general, the company refused to comment on the alleged leak and stated that “the number of customers possibly impacted by this illicit action is considerably lower than that disclosed by some specialized press agencies”[22]. No more robust explanation was given for the case, nor did the company specifically defend standards or techniques that could address the allegations. The company’s response was considered overly generic. However, in this edition of the report, responses relating to such leaks were not evaluated for scoring purposes.

CATEGORY 5: Transparency and Data Protection Impact Reports

Result:

In this category, Vivo Banda Larga obtained ¾ star, as it met parameters I, II and III and partially met parameter IV.

Parameter I, on the publication of transparency reports in Portuguese, was considered met. For the fifth year in a row, we found the Informe de Transparencia en las Comunicaciones 2021, published by the Telefônica Group (a document in Spanish), which gives some detail on the regulatory framework of each country in which the group is present. In addition, Vivo’s 2020 Sustainability Report, in Portuguese, contains information on privacy and data protection, pointing out some of the security requirements used, the company’s principles on the subject and some relevant links, among other things. During the engagement phase, the company showed us that its Transparency Report had been translated into Portuguese and published in its Privacy Center, which is why the parameter was considered met.

The parameter II on the accessibility of the transparency report was considered met. This is because both the Sustainability Report and the Transparency Report in Portuguese can be found on the main page of Vivo’s privacy center. 

Parameter III, on the availability of previous editions of the report, was considered met. Versions published in previous years are available on the pages of both reports.

Parameter IV, on information about requests for access to data, was considered partially met. The Transparency Report (pp. 22 and 23) states that, in 2020, 363,125 interception requests and 2,550,060 requests for access to metadata were made. However, in both cases, it states that 0 (zero) requests were rejected. During the engagement phase, the company explained that a “rejected request” would be one where it did not respond to a given official letter sent by a public authority. The company considers that a letter requesting access to personal data that received a negative answer was not “rejected”, since it was answered. Thus, what the company effectively reports is that it has responded to all official letters. However, for greater transparency towards users, it would be necessary to report how many requests were denied, i.e., how many times the company considered that a given official letter was illegal, excessively generic, etc. For this reason, the parameter was considered partially met.

Finally, parameter V, relating to the publication of Data Protection Impact Reports, was not considered met. No documents in this regard were found in our searches.

CATEGORY 6: User notification

Result:

Vivo Banda Larga did not get a star, as there is no mention of the possibility of user notification in any of the analyzed documents.

VIVO (MOBILE)

CATEGORY 1: Information on data protection policy

Result:

In this category, Vivo Móvel obtained a full star, having complied with parameters I, II and III, and partially with parameter V.

Although we did not locate the company’s mobile internet service agreement on its website, most of the applicable information is available in the Sustainability Report, in the Privacy Center and in Vivo’s Privacy Policies. In the Privacy Center, users find clearly laid out, accessible sections on “Information Security”, “Exercise of Rights”, among others.

Vivo complies with parameter I, providing clear and complete information on all sub-parameters.

Sub-parameter (a), referring to the collected data, was considered fulfilled. In its Privacy Center, under “Data Processing”, the company informs the nature of the information collected.

The same information is repeated in Vivo’s Local Privacy Policy.

Sub-parameter (b), referring to the situations in which collection takes place, was also considered fulfilled. Even though there is no specific wording pointing out the situations in which data are collected, the sections “Nature of the collected information” (see the section above) and “For what and how we collect it” (see the section below) state that the data collected are those made available when the services are contracted, through interaction with information channels, among others. It was considered that this information is capable of detailing the situations in which collection takes place.

Sub-parameter (c), referring to the purpose of data processing, was also considered fulfilled. In the Privacy Center, under “What We Collect” the company describes some of the purposes.

Sub-parameter (d), referring to the way in which the data are used, was considered fulfilled. This is because the sections mentioned above indirectly provide information on how the data are used (by showing the situations in which collection takes place and its purpose), together with information about the time and place of storage, etc.

Finally, sub-parameter (e), relating to information about the rights of data subjects and the means to exercise these rights, was also considered met. In the Privacy Center, under “Exercise of Rights”, the company lists some of the rights of data subjects. Although other rights could have been mentioned, such as the right to portability and to review of automated decisions, the wording presented was considered satisfactory. In addition, the same page offers portals, e-mail addresses or telephone and SMS numbers through which these rights can be exercised, depending on the right in question.

It should be noted that, specifically regarding the right to delete personal data, the company simply states that it keeps the data “for the time necessary” provided for by law, referring users to its Privacy Policy if they want to know about the “storage periods”. The wording suggests that the right to deletion cannot be exercised. Ideally, the company should have specified which data can be deleted and which cannot, as well as the reason for this distinction.

Regarding parameter II, referring to the provision of clear and complete information on the protection of personal data, it was considered met on average, with sub-parameters (c) and (d) considered met, sub-parameters (b), (e), (f) and (g) partially met, and sub-parameters (a) and (h) not met.

Sub-parameter (a), referring to the time and place of data storage, was not considered met. At the Privacy Center, under “Data Processing” and “Data Storage”, the company informs some of the practices adopted.

The information on storage time was not considered satisfactory, as the storage periods for each type of data collected are not detailed, nor is there any indication of maximum storage periods. Unlike Vivo’s broadband internet service, which indicates the exact storage periods in the applicable subscription agreement, no such information was located for the mobile internet service. As for the storage location, the company states, in its Telefónica Privacy Policy:

– Information is preferably handled internally at Telefônica Vivo or at companies of the Telefônica Group, always respecting the legislation in force in Brazil. 

– In some cases, the information may be shared with partner companies, which require security controls to protect the information.

The wording of the excerpt above was considered excessively broad and unsatisfactory. Even though the company states that “the information is preferably treated internally”, it does not clarify the cases in which data are processed externally, in which countries they are stored, what types of data are stored in each location, or other relevant information that could have been provided.

Sub-parameter (b), referring to when and whether the data are deleted, was considered partially met. This is because, from the same excerpt mentioned above, under “Data Storage” in the Privacy Center, it can be inferred that the data are erased after the aforementioned period has elapsed, but there is no clarification on whether this actually occurs.

Sub-parameter (c), relating to the company’s security practices, was considered met. In its 2020 Sustainability Report (p. 41), the company informs some of the security standards it uses to ensure the protection of users, claiming to have developed, “based on the company’s security requirements and market frameworks (ISO 27001 and ISO 22301, NIST, PCI/DSS etc.), especially related to secure systems and servers”, an “extensive list of protocols to be followed”. In addition, in the Privacy Center, under “Information Security”, the company informs some of the security standards it uses, such as encryption when transferring personal data from users’ devices, declares that it allows access to data only to authorized persons, as per the ‘principle of least privilege’, and claims to provide auditability of any activities carried out with the data, among others.

Sub-parameter (d), referring to who has access to the data, was also considered met, since the company, as noted in the paragraph above, states that only authorized persons, according to the ‘principle of least privilege’, can have access to the data. Even though more detailed information about which employees can access the data could have been provided, the mention of the principle of least privilege indicates the existence of clearer standards regarding such access, which is why the sub-parameter was considered fulfilled.

Sub-parameter (e), referring to the third parties with whom the data are shared, was considered partially fulfilled. In its Privacy Center, and in Clause 5 of its Local Privacy Policy, the company lists some cases in which data are provided to third parties.

The above information, even though it gives some indication of which third parties have access to the data, is excessively broad. It does not determine which third parties can receive the data, does not give examples of situations in which the user may have given express authorization (and no case of such authorization was found in the analyzed documents), and does not determine which data are shared and in which situations. However, as there is a concern to provide information on the topic, with a minimum of detail, the sub-parameter was considered partially met.

Sub-parameter (f), relating to the purposes of sharing data with third parties, was also considered partially met. This is because the information provided on the subject, referenced in the analysis of sub-parameter (e) above, as well as the very similar wording in Clause 5 of its Local Privacy Policy, is unclear and only generically states that the data can be shared “to guarantee, for example, the provision of the services contracted by you”. No clearer information is given about the cases of sharing and their purposes. However, as there is a concern to provide information on the topic, with a minimum of detail, the sub-parameter was considered partially met.

Sub-parameter (g), referring to the situations in which international data transfers may occur, was considered partially met. In its Privacy Center, as well as in very similar wording in Clause 6 of its Local Privacy Policy, the company informs users about the possibility of sharing data with the Telefónica Group, of which the company is a part.

The information above does not clarify, in a clear or exhaustive manner, the situations in which data can be sent abroad. However, as there is a concern to provide information on the topic, with a minimum of detail, the sub-parameter was considered partially met.

Finally, the sub-parameter (h), referring to the date of the last update of the privacy policy, was not met. There are no references to changes in Vivo’s Privacy Center, where most privacy information is presented. Furthermore, its own Local Privacy Policy states, in clause 17, that “this Privacy and Data Protection Policy may be revised at any time and without prior notice”.

Parameter III, which assesses whether the company responded promptly to InternetLab members’ request for access to data, was considered met. InternetLab made a data access request on July 21, 2021, through the company’s privacy portal, which resulted in an error message. After contacting the company’s DPO, the error was corrected and the holder’s registration information could be accessed through the portal.

Parameter IV, which assesses whether the company promises to notify users when its privacy policies are updated, was not considered met. No Vivo document mentions such a possibility, and its own Local Privacy Policy states, in clause 17, that “this Privacy and Data Protection Policy may be revised at any time and without prior notice.” In the engagement phase, the company informed us that its Local Privacy Policy would be updated to provide for notifying users in the event of changes. However, as of the closing date of this report, the change had not yet been made, and the text quoted here is still included in clause 17.

Finally, parameter V, referring to the accessibility of information about privacy and data protection, was considered partially met. This is because Vivo has a Privacy Center, mentioned several times above, with clear and, in general, complete information on the subject. In addition, the center can be easily accessed from the Vivo homepage.

However, the contract for the provision of mobile internet services could not be located, and providing this information in the contract would be recommended, so that it can be accessed by all customers, expressly consented to by them, and detailed according to each type of contracted service.

CATEGORY 2: Data delivery protocols for investigations

Result:

In this category, Vivo Móvel obtained a full star, having complied with parameters I, II and V, partially with parameter IV and not meeting parameter III.

Parameter I, regarding the identification of the authorities competent to request data, was considered fulfilled. On page 22 of Telefônica’s Transparency Report 2021, there is a definition of which authorities are competent to intercept communications and request metadata in accordance with Brazilian legislation, in addition to a mention of the competence of “judges from any sphere”:

“Legal Intercept: From the agreement with the 3rd article of the Brazilian Federal Law n. 9.296/1996 (law of interceptaciones), only the Juez (of the criminal sphere) can determine the interceptions (telephonic and telematic), at the petition of the Fiscalía (Public Ministry) or the Comisario de Policía (Police Authority).”

“Metadata associated with communications: Competent Authorities » Fiscal, Police Commissioners and Jueces of any sphere, as well as Presidents of the Parliamentary Investigation Commissions: the name and direction of the registered user (dates of subscription), as well as the identity of the equipment of communication (including IMSI or IMEI).”

“Jueces of any sphere: the data to identify the origin and destination of a communication (for example, telephone numbers, user names for Internet services), the closing date, time and duration of a communication and the location of the device.”

This means that Vivo delivers registration data upon request from representatives of the Public Ministry (“Fiscalía”), police authorities (“comisarios de policía”) and judges. Connection records and location data are only available upon the order of a judge. 

Parameter II, regarding the identification of the competent authorities and the crimes under which the request occurs, was considered met. In the Transparency Report (Informe de Transparencia en las Comunicaciones), Article 15 of Law 12,850/13 (Law on Criminal Organizations) is cited as the “Legal Context” for requests for “metadata associated with communications”. In addition, in its Privacy Center, under “Data Delivery Protocol for Authorities”, the company lists the laws that support the delivery of data and the authorities competent to request confidential data.

InternetLab commends the list of laws that allow the delivery of data to competent authorities in Vivo’s privacy center, in an easily accessible form for its users.

Parameter III, related to offering information about geolocation data, was not considered fulfilled. Even though the Transparency Report mentioned above includes “device location” among the data that may be requested by court order, and the Data Delivery Protocol mentions the possibility of sharing “Radio Base Station Location” data, there is no detail about the circumstances in which the company shares geolocation data and why, so the information required by the sub-parameters of that item is not provided.

The parameter IV, referring to the promise of providing only connection records by court order strictly under Marco Civil, was considered partially fulfilled. On the one hand, the same excerpt mentioned above is clear in defining that only judges will have access to data on the origin and destination of a communication, from which it follows that such access will take place by means of a court order. However, the passage is not strictly restricted to the terms of the Marco Civil da Internet (that is, it does not specify that only the date and time of the start and end of an internet connection, its duration and the IP address used will be shared).

Finally, parameter V, relating to the existence of specific protocols for delivering data to the state, was considered met. This year, we located a specific section in Vivo’s Privacy Center dedicated to such requests, with the very title “Protocol for the Delivery of Data to Authorities”. InternetLab commends the creation of this new section, which, to our knowledge, is unusual in the industry.

InternetLab also commends Telefónica Global’s practice of making public, in its transparency report, different interpretations on the delivery of data, the competent authorities and the number of rejected and fulfilled requests, among other information. However, we emphasize that such information needs to be presented in Portuguese, whether in contracts, in the Sustainability Report or in other materials, for the company to be scored without reservations.

CATEGORY 3: Defense of users in the Judiciary

Result:

In this category, Vivo Móvel got a full star, as it met both parameters.

Parameter I, related to challenges to legislation, was considered met. In the engagement phase with companies, Vivo presented some actions in this regard. For example, it mentioned an action, filed jointly with other telephone operators, disputing amendments to the General Regulation of Consumer Rights of Telecommunications Services – RGC that would oblige companies to provide the personal data of the person who made a telephone call to any recipient of that call (Termination Action No. 0802518-50.2020.4.05.0000).

Finally, parameter II was also considered met. In the engagement phase with companies, Vivo presented to InternetLab, with sensitive information redacted, several responses to administrative letters in which it refused to provide personal data to public authorities. For example, there are situations in which it denied the delivery of call history and ERB (radio base station) location data to the Public Prosecutor’s Office and police authorities, on the grounds that the requests did not observe the principle of constitutional reserve of jurisdiction.

Actions considered in previous editions of Who Defends Your Data, such as Public Civil Action No. 0005292-42.2003.4.03.6110, which questions, among other things, the delivery of logical port data to police authorities, and the Direct Action of Unconstitutionality (ADI) 5642[23], filed by ACEL, were not considered, as they registered no procedural activity in the period.

CATEGORY 4: Pro-privacy public stance

Result:

In this category, Vivo Móvel obtained half a star, as it met parameter I.

Parameter I, on the overall positioning of the company, was considered met. On some occasions throughout the year, Internet access providers had the opportunity to express their opinion on public policies and bills that affect users’ privacy.

During the engagement phase with companies, Vivo provided us with examples of situations in this regard. For example, an opinion article published on the Poder 360 portal in September 2021 by Breno Oliveira, legal director of Telefônica Brasil, defends some privacy techniques and ways to implement the LGPD “successfully”.[24]

Parameter II, on the company’s position on security measures, was not considered met. Throughout 2020 and early 2021, Internet access providers had the opportunity to express their views on policies and practices that promote the security of their users’ data, such as: Public Consultation No. 24 by Anatel, on the reassessment of the structure and internal regulations of the Brazilian Communications Commissions – CBC, whose art. 2, IV provides for the Commission to act on political aspects related to Cyber Security and Artificial Intelligence[25]; the Cyber Security regulation for the Telecom sector, approved by Anatel in 2020[26]; Anatel’s proposal to create a cyber security cooperation group[27]; among others.

During the engagement phase, the company provided us with a copy of its contributions to Anatel’s Public Consultation No. 24, in which it defends, mainly, the expansion of dialogue and the participation of the private sector in the themes developed by the CBCs. However, this contribution makes no mention of security techniques.

It is noteworthy that in 2020 Vivo suffered an alleged cyberattack on its application, in which various customer data were leaked[28], and was even sued by the Intervozes collective, which sought more information, and notified by Anatel and Procon[29]. In the engagement phase, the company presented us with the public responses it submitted to SENACON regarding the case, in which it claims to have assessed its internal systems and found no security incident. However, there is no mention of improvements in security techniques.

Finally, before the media in general, the company refused to comment on the alleged leak and stated that “the number of customers possibly impacted by this illicit action is considerably lower than that disclosed by some specialized press agencies”[30]. No more robust explanation was given for the case, nor did the company specifically defend standards or techniques that could address the allegations. The company’s response was considered overly generic. However, in this edition of the report, responses relating to such leaks were not evaluated for scoring purposes.

CATEGORY 5: Transparency and Data Protection Impact Reports

Result:

In this category, Vivo Móvel obtained ¾ star, as it met parameters I, II and III and partially met parameter IV.

The parameter I on the publication of transparency reports in Portuguese was considered met. For the fifth year in a row, we found the publication of the Informe de Transparencia en las Comunicaciones 2021, by the Telefônica Group (document in Spanish), which gives some detail on the regulatory framework in each country in which the group is present. In addition, Vivo’s 2020 Sustainability Report, in Portuguese, contains information on privacy and data protection, pointing out some security requirements used, company principles on the subject, some relevant links, among others. During the engagement phase, the company showed us that its Transparency Report had been translated into Portuguese and published in its privacy center, which is why the parameter was considered met.

The parameter II, on the accessibility of the transparency report, was considered met. This is because both the Sustainability Report and the Transparency Report in Portuguese can be found on the main page of Vivo’s privacy center.

The parameter III, based on the report, was considered met. Versions published in previous years are available on the pages of both reports. 

The parameter IV, on information on requests for access to data, was considered partially met. In the Report on Transparency in Communications (pp. 22 and 23), it is reported that, in 2020, 363,125 requests for interception and 2,550,060 requests for access to metadata were made. However, in both cases, it is stated that 0 (zero) requests were rejected. During the engagement phase, the company explained to us that a “rejected request” would consist in not having responded to a certain letter sent by a public authority. The company considers that a letter requesting access to personal data whose answer was negative was not “rejected”, since it was answered. Thus, the company effectively informs, in its report, that it has responded to all official letters. However, for greater transparency towards users, information would be needed on how many requests were denied, i.e., how many times a certain official letter was considered illegal, excessively generic, etc. For this reason, the parameter was considered partially met.

Finally, parameter V, relating to the publication of Data Protection Impact Reports, was not considered met. No documents in this regard were found in our searches.

CATEGORY 6: User notification

Result:

Vivo Móvel did not get a star, as there is no mention of the possibility of user notification in any of the analyzed documents.

ALGAR

CATEGORY 1: Information on data protection policy

Result:

In this category, Algar obtained ¾ star, as it fully complied with parameters II and V and partially with parameter I.

Algar partially complies with parameter I. The company provides clear and complete information on sub-parameters (b), (d) and (e); and partially complies with sub-parameters (a) and (c).

Sub-parameter (a), referring to the data collected, was considered partially fulfilled. In the “Privacy of Personal Data” section of its Data Policy, the company informs in a table the type of data collected (registration), what the data are (name, date of birth, bank details etc.) and the purpose of the data usage.

Although it is positive that the company specifies which registration data is collected, we considered it insufficient for this edition because the description refers to only one type of data collected. The company does not inform other types of data, such as location data, traffic data (such as call duration, consumption profile), among others. Therefore, sub-parameter (a) was considered partially fulfilled.

Sub-parameter (b), referring to the situations in which the collection takes place, was considered fulfilled. In the section “Privacy of Personal Data”, the company informs in clause 4.1.3 some hypotheses of situations in which the collection occurs, such as, for example, when filling out the contract or when contracting other services. It was considered that such information is capable of detailing the situations in which the collection occurs.

“4.1.3 – Collection of personal data

4.1.3.1 – Data are collected from the completion of the service provision contract, the contracting of other services or from information inserted in terms, physical or digital forms or forms, when the processing is in accordance with our legitimate interests and does not underestimate their interests related to data protection or fundamental freedoms and rights;

4.1.3.2 – If necessary, Algar Telecom can receive your personal data or usage data from third parties. For example, if you are on another website and choose to be contacted by Algar Telecom, that website will transmit your email address and other personal data to us, so that we can contact you as requested.”

Sub-parameter (c), related to the purpose of data processing, was considered partially fulfilled. In its Personal Data Privacy Policy (see the table mentioned in sub-parameter (a)), the company informs four purposes of data processing: (i) identify the customer; (ii) comply with legal obligation; (iii) credit protection, procedures and collection; and (iv) guarantee the customer’s safety. Indirectly, clause 4.1.5.1 (see excerpt below) lists the purpose of processing data for commercial purposes. Such information was considered too general and not very clear. However, as there was a concern to list at least five different hypotheses, the parameter was considered partially fulfilled.

Sub-parameter (d), referring to how the data is used, was considered fulfilled. In the same “Personal Data Privacy” section of its Data Policy, the company reports nine hypotheses for using the data collected, for example, to communicate with the customer about his account or to provide access to certain areas and resources of the sites:

“4.1.5 – Data Type

4.1.5.1 – Algar Telecom uses the usage data collected through websites for commercial purposes, including:
– Answer your customer’s questions and requests;
– Provide access to certain areas and resources of the sites;
– Check the user’s identity;
– Communicate with the customer about their account and activities in the service channels;
– Adjust content, advertisements and offers provided;
– Process payments for products or services;
– Improve the website and other service channels;
– Develop new products and services;
– Process applications and transactions.”

Finally, sub-parameter (e), which relates to information regarding the rights of the data subjects and the means to exercise those rights, was considered fulfilled. In the Personal Data Privacy Policy, as well as in the Data Governance Policy, the company informs what the data subjects’ rights are (limitation or anonymization of the use of their personal data, revocation of consent, access to data etc.). The company also informs that the rights of the data subjects can be exercised by requesting the Person in Charge of Personal Data or through the Customer Service Channel. The company makes the e-mails and contacts available:

Privacy Policy
4.3.1 – Basic Rights

The customer/user may ask our Data Protection Officer to confirm the existence of the processing of Personal Data, in addition to the display or correction of their Personal Data, through our Service Channel.

4.3.2 – Data Limitation, Opposition and Deletion
Through the Service Channels, the customer/user may also request:
● The limitation or anonymity of the use of your Personal Data;
● Express your opposition and / or revoke consent regarding the use of your Personal Data;
● Request the deletion of your Personal Data that has been collected and registered by Algar Telecom, as long as the minimum legal term related to data storage has elapsed; or,
● Data portability to another telecommunications service provider, upon express request, in accordance with the regulations of the national authority;
● Cancel the marketing communications we send when you wish.

4.4.3 – Service Channels
In case of any doubt regarding the provisions of this Policy, the customer / user may contact us through the service channels:
Data Protection Officer (DPO):
○ Alexandre da Silva Simões e-mail: dpo@algartelecom.com.br

Data Governance
4.11 – Guidelines for Responding to Requests and Requests
4.11.1 – Response to the request of personal data holder
4.11.1.1 – The procedures for responding to requests by personal data holders will be governed by the procedure for responding to requests for personal data holders, available at Algar Telecom document library (https://book.algarnet.com.br);
4.11.1.2 – All associates, accredited persons or service providers have the duty to notify the person in charge of processing personal data, without undue delay, of any request received from the holder of the personal data, before responding to the request, seeking, whenever possible, guidance on best practices in communication to be established with the data subject;
4.11.1.3 – In cases of doubt and specific situations, the associate, accredited or service provider must forward the requisition to the person in charge for the processing of personal data, so that he / she can respond in the most appropriate way to the specific applicable legislation and the stipulated good practices, whether internally or observed in the market.

4.12 Access to personal data by the data subject
4.12.1 – The data subject may request access to his personal data at any time, and the associate, accredited or service provider of the area responsible for the treatment must ensure that the identity of the data subject is proven according to the procedure for replying to requests from the data subject;
4.12.2 – The requisition and subsequent access to personal data should preferably occur electronically, except when the holder of personal data expressly requires the sending of personal data in a physical way or disclosure in an oral way. Visual aids can be used to make information even more intelligible and easy to understand.

4.13 – Elimination and/or blocking of the processing of personal data at the request of the data subject
4.13.1 – The data subject can request at any time the elimination and / or blocking of the usage of his personal data, and the associate, accredited or service provider of the area responsible for the use of personal data must send the request for elimination / blocking to the person in charge for the processing of personal data so that the necessary measures can be taken as indicated in the procedure for responding to the request of the data subject;
4.13.2 – If it is impossible to delete, the data subject must be informed of this decision, explaining the reasons why this personal data cannot be deleted;
4.13.3 – The IT infrastructure area must establish mechanisms when restoring personal data that prevent the personal data of the subject who has requested its deletion from being restored to the virtual environment.

Parameter II, regarding the provision of clear and complete information on the protection of personal data, was considered partially met, as the company provides clear and complete information on sub-parameters (a), (b), (c), (d), (g) and (h); and partially complies with sub-parameters (e) and (f).

Sub-parameter (a), referring to the time and location of data storage, was considered fulfilled. Regarding the storage location, the company informs, in its Personal Data Privacy Policy and in the Data Governance Policy, that it stores data on Algar’s own servers in Brazil and also on servers in the cloud.

4.1.9 – Storage Servers
The collected data will be stored on Algar Telecom´s own servers located in Brazil, as well as in an environment of use of resources or servers in the cloud (cloud computing), which means, in the latter case, transfer or processing of data outside of Brazil, fulfilling international data transfer provisions, pursuant to article 33 of the General Data Protection Law or other applicable rules.

Data Governance:
4.5.1 – The storage of personal data can be done in a physical way (storing identity badges, cards, cards, papers with hand-written notes, forms, invoices, contracts and other paper documents, for example) or digital (in media such as CD, DVD, Blu-Ray, external HD, pen drive, SD memory card, on Algar Telecom´s digital platforms or on a service contracted for this purpose);
4.5.2 – In the case of storage outside Brazil, the data protection management must be attentive to the country where the hardware is located and, if located abroad, Algar Telecom´s legal area must be contacted to verify whether there is legal and contractual support for personal data to be stored in that country;
4.5.3 – The physical and digital means of storing personal data must ensure their quality, and must be kept accurate and updated, according to the need to fulfill the purpose of treatment;
4.5.4 – When the personal data subject requests the correction or updating of his personal data, the person in charge of processing personal data, after analyzing the request, must activate the responsible areas to ensure that the physical and digital media where these personal data are replicated and stored are also updated.

Such information about the storage of personal data was considered satisfactory.

As for the storage time, in the same document, the company informs that it maintains registration and identification data for up to 5 years after the end of the relationship. As for “other data”, the company claims to store them “while the relationship lasts and there is no request for deletion or revocation of consent”.

Sub-parameter (b), referring to when/if the data are deleted, was considered met. The company undertakes to delete the data “after the deadline and the legal need” and having fulfilled the purpose of the treatment:

Personal Data Privacy Policy
4.2.2 – Data Deletion
4.2.2.1 – The data may be deleted before this period, if requested by the client / user. However, it may happen that the data needs to be kept for a longer period, under the terms of article 16 of the General Data Protection Law, in order to comply with a legal or regulatory obligation, fulfillment of the contract, transfer to a third party (respecting the data processing requirements provided for in the same law);
4.2.2.2 – After the deadline and the legal necessity, the data will be deleted using safe disposal methods or used anonymously for statistical purposes.

Data Governance
Deletion of personal data

4.9.1 – Personal data must be stored for a limited period, taking into account the specific purpose of the treatment;
4.9.2 – After fulfilling the purpose of the treatment and after the storage period determined by the temporality table, the data can be safely deleted, whether recorded in physical or digital media;
4.9.3 – The elimination of personal data may also be carried out at the request of the data subject or the National Data Protection Authority;
4.9.4 – For data deletion, the definitions indicated in the secure data deletion procedure must be followed;
4.9.5 – The preservation of personal data after reaching its purpose will only be possible in the event of Algar Telecom´s compliance with a legal or regulatory obligation;
4.9.6 – The request for the elimination of personal data by the holder will not be possible when the data has already been anonymized;
4.9.7 – The request may also not be made in the event of compliance with a legal obligation regarding the storage of this data for regulatory purposes, as long as the temporality table is respected.

Sub-parameter (c), on the company’s security practices, was considered met. In its Privacy Policy, the company commits in general terms to applying security measures:

4.1.8 – Data Security
Algar Telecom will use its best efforts to protect information, especially personal data, applying the necessary administrative and technical protection measures available at the time, demanding the same acceptable level of Information Security from its suppliers, based on best market practices, through contractual clauses.

The efforts mentioned in the Privacy Policy are detailed in Algar’s Information Security Policy. In that document, the company states that it is committed to “guaranteeing the availability, integrity and confidentiality of personal data, throughout its entire life cycle” and establishes a structure for information security, with information on who may have access to Algar Telecom systems, the assets made available, and the procedures to be adopted in the company’s systems and applications.

PERSONAL DATA PROTECTION
9.1 – Algar Telecom respects privacy. Therefore, it must guarantee the availability, integrity and confidentiality of personal data, throughout its life cycle, in any format of storage or support, through:
a) Usage authorized under the terms of the personal data protection legislation in force;
b) Adoption of security measures to protect personal data from unauthorized access, accidental or unlawful situations of destruction, loss, alteration, communication or improper or unlawful usage;
c) Storage in a safe controlled and protected manner;
d) Processes of Anonymity and pseudo-anonymity, whenever necessary;
e) Cryptographic guidelines in transmission and storage, whenever necessary;
f) Computer record of operations where the data is used;
g) Safe disposal of personal data at the end of its purpose and its conservation in accordance with legal and regulatory hypotheses;
h) Transfer to third parties in a secure and contractually provided manner;
i) Impact assessment and systematic privacy of data subjects;
j) Management and appropriate handling of incidents involving personal data;
k) Tests, monitoring and periodic evaluations of its effectiveness.

In its Data Governance Policy, the company informs, in more detail, the adopted security practices:

4.17.1 – During the entire lifecycle of personal data, the security guidelines in the Algar Telecom Information Security Policy and Data Privacy Policy, available in the Algar Telecom document library and the Algar Telecom portal on the Internet, must be observed;
4.17.2 – The information security management area must ensure the confidentiality, integrity and availability of personal data in all means of storage and transmission of personal data, considering:
a) Technical safety controls involved, such as, but not limited to:
● Firewall;
● Encryption;
● Use of VPN to access data outside Algar Telecom’s premises;
● Physical and logical access controls;
● Two-factor authentication;
● Secure storage of physical documents;
● Password managers;
b) Ensure that only authorized persons and processing agents have access to personal data in compliance with the need and relevance of granting access;
c) Adoption of information security measures to ensure that personal data remain intact without undue changes, accurate, complete and up-to-date;
d) Guarantee that personal data are accessible and usable by authorized persons and entities whenever necessary;
e) Recording of logs and audit trails of the life cycle of personal data;
f) Encryption, pseudonymization and anonymization of personal data, when applicable;
g) Training in personal data protection and supervision of the adoption of the practices taught.

In its Sustainability Report, in the “Information Security” section, the company informs:

We have an ecosystem with systems that are exposed to cyber security risks. To mitigate these risks, we have protection solutions against intentional or accidental contamination, malware and antivirus; a framework for detecting anomalies in our internal and external network, cyber attacks and anomalous traffic; and confidential data access control tools. In compliance with Law 13.709 (General Law for the Protection of Personal Data), the Company’s processes and policies were adjusted, communication at all levels of the company was reinforced and a system to protect against data leakage was implemented, in order to comply with the law and enhance the cybersecurity environment. (p. 40)

The information contained in the documents was considered sufficient.

Sub-parameter (d), referring to who has access to the data, was considered met. In its Information Security Policy, the company informs some guidelines on access to data by Algar Telecom associates:

10.1.1 – Algar Telecom Associates
a) Every associate must have knowledge of all the policies in force in the company, in particular the Information Security Policy, Algar Code of Conduct, Information Security Awareness Training and be consistent with them;
b) All associates must sign the Term of Commitment and Responsibility and Confidentiality Agreement upon admission or whenever requested to by the company;
c) It is forbidden for any associate to misuse information about the company and / or its customers, transmit it to competitors, use it for their own benefit and / or store files and e-mails improperly;
d) Algar Telecom can automatically receive and store information about the activities of anyone using its resources, including IP address, user, applications, screen / page and conversations carried out within or through this company;
e) Any authentication ID (user and password) on the corporate network or in applications provided by Algar Telecom is for personal and non-transferable use and each user will be responsible for storing and using it;
f) At the end of the employment and / or contractual relationship with Algar Telecom associates, it will immediately deactivate the authentication IDs used during the connection or service provision.

10.1.2 – Suppliers, Third Parties and Visitors
a) It is forbidden for any service provider to use information about the company and its customers without authorization or improperly, transmit it to competitors, use it for their own benefit and / or store files and emails improperly;
b) Upon receiving access to any Algar Telecom resources, the service provider will be subject to the company´s internal policies and guidelines and to all criteria established by the “service provision contract” signed at the time of contracting and, if applicable, be penalized as provided for in this document;
c) Any authentication ID (user and password) on the corporate network or in applications provided by Algar Telecom is for personal and non-transferable use and each user will be responsible for storing and using it;
d) At the end of the contractual relationship, the person responsible for the contract of Algar Telecom service providers must ensure that the authentication IDs used during the work are deactivated.

In its Privacy Policy, the company informs that access to data is restricted to professionals authorized by Algar:

4.1.14 – Access to the Database
Access to the processed data is restricted only to professionals duly authorized by Algar Telecom, and its use, access and sharing, when necessary, will be in accordance with the purposes described in this policy.

Sub-parameter (e), referring to the third parties with whom the data is shared, was considered partially met. In its Data Privacy Policy and in its Governance Policy, the company informs that “it shares personal data with authorized partners and suppliers” and that, for the data to be shared, the parties must “have signed a contract with clauses referring to data protection and personal data”, but it does not specify which third parties may receive them. The information offered by the company was considered unsatisfactory. However, because the company took care to provide information on the topic, with a minimum of detail, the sub-parameter was considered partially met.

Privacy Policy
4.1.6 – Sharing
Algar Telecom only shares personal data with authorized partners and suppliers to meet the purposes stated in this policy, having to share it with third parties and authorities within the scope of compliance with a legal or regulatory obligation, public administration, compliance with the contract, carrying out studies by research bodies, credit protection or customer/user security. In these cases, Algar Telecom will share the minimum amount of information necessary to achieve its purpose, ensuring, whenever possible, the anonymity of personal data.

Data Governance
4.7.1 – The sharing of personal data or documents/files with personal data in national territory can be done to authorized processing agents, with the security measures indicated by the information security management area from the impact report to the protection of personal data (DPIA/RIPD), when applicable and only for the purposes of prior use or treatment and duly informed and legitimated by the holder of the personal data;
4.7.2 – The sharing of personal data with other processing agents, except for the sharing carried out to comply with legal obligations, can only occur if they have signed a contract with clauses relating to the protection of personal data, as provided for in item 4.21 of this document;
4.7.3 – In the event that it is impossible to enter into a contract or amendment with the party in question, a report on the impact of the protection of personal data (DPIA/RIPD) must be prepared and, from this report, mitigating controls must be adopted in relation to the security and protection of the processing of personal data;
4.7.4 – The sharing of personal data whose treatment has as a legal hypothesis consent can only occur with the consent of the holder of the personal data, with knowledge of this sharing, and this must be collected prior to the beginning of the processing of personal data;
4.7.5 – Anonymized personal data may be transferred to third parties, provided that the processing requirements provided for in the applicable legislation and in this document are respected;
4.7.6 – The sharing of personal data must only occur through channels with applied security measures.

As for sub-parameter (f), related to the purposes of data sharing with third parties, it was also considered partially met. This is because the information provided on the topic, referenced in the analysis of sub-parameter (e) above, is unclear and only states that sharing is carried out to “meet the purposes informed in this policy”. No clearer information is given about the possibilities of sharing and their purposes. However, because the company took care to provide information on the topic, with a minimum of detail, the sub-parameter was considered partially met.

Sub-parameter (g), relating to the hypothesis of international data transfer, was considered met. In its Data Governance Policy, the company informs, quite completely, about the conditions and purposes for the international transfer of data:

4.8.1 – If personal data are expected to be transferred to another country, the possibility of sharing with another controller must be submitted for analysis by the person in charge of processing personal data (DPO), by the information security management area and the legal area, so that they can assess whether the country of destination has a level of data protection that is adequate to the Brazilian legal system;

4.8.2 – If the receiving controller offers and proves guarantees of compliance with the rights of the holder, the international transfer of data may also be possible in the form of:
(i) specific contractual clauses for a given transfer;
(ii) standard contractual clauses;
(iii) global corporate standards; and
(iv) seals, certificates and codes of conduct issued by the National Data Protection Authority;

4.8.3 – The international transfer of personal data can also take place for the purposes listed below:
a) When the transfer is necessary to protect the life of the holder or third parties;
b) When the National Authority authorizes the transfer;
c) When the transfer results in a commitment assumed in an international cooperation agreement;
d) When the holder has provided its specific and highlighted consent for the transfer, with prior information on the international character of the transaction, clearly distinguishing it from other purposes;
e) To comply with a legal or regulatory obligation by Algar Telecom;
f) When necessary for the execution of a contract and preliminary procedures related to a contract to which the data subject is a party, at the request of the data subject.

Finally, regarding sub-parameter (h), related to the date of the last update of the privacy policy, it was considered fulfilled. The Information Security Policy, Privacy Policy and Data Governance Policy state the date of their last update (all three were updated on 05/17/2020). However, it is noteworthy that such information is not included in the company’s contracts. We recommend that the practice of reporting the latest update not be limited to the privacy policies and that it be applied to all company documents.

Parameter III, which assesses whether the company responded in a timely manner to requests for access to data by InternetLab members, was not considered met. When we requested access to data through the company’s portal on July 27, 2021[31], we did not receive any response.

Parameter IV, which assesses whether the company promises to send notifications to the user when updating its privacy policies, was not considered met. No Algar document mentioned such a possibility. In the Privacy Policy, the company recommends periodic consultation of the documents, as it reserves the right to change the policies at any time.

4.4.2 – Terms Update
Algar Telecom reserves the right to change the content of this Policy at any time, according to the purpose or need, such as for the adequacy and legal compliance of a provision of law or standard that has equivalent legal force, and the client/user is responsible for verifying it together with Algar Telecom through the website www.algartelecom.com.br.

Finally, parameter V, regarding the accessibility of information on privacy and data protection, was considered met. The company has a section entitled “Privacy and Information Security”, which can be accessed at the bottom of its website, and which contains the Data Privacy Policies, Service Management, Information Security, Personal Data Governance, Use of Cookies, Services, Term of Use and Site Terms of Use. The information in the documents is clear and easily accessible to the customer.

CATEGORY 2: Data delivery protocols for investigations

Result:

In this category, Algar obtained a full star, as it met parameters I, II, IV and V.

Parameter I, regarding the identification of the competent authorities to request data, was considered fulfilled. In the document Sharing Personal Data with Authorities, the company informs that it only provides registration data to administrative authorities by force of law or by court order. The competent authorities to which the company provides data are Public Prosecutors, Police Authorities, the Internal Revenue Service and the Presidency of Parliamentary Inquiry Commissions, in accordance with the applicable legal provisions that authorize the breach of confidentiality. Such information was considered sufficient for the purposes of this assessment.

Parameter II, regarding the identification of the competent authorities and the crimes under which the request occurs, was considered met. In addition to mentioning the competent authorities (see the parameter above), the company informs the legal cases in which it provides registration data to the legal authorities:

– 1988 Federal Constitution – Article 5, Item XII and article 58, para. 3;
– Law 9296/1996 – article 1, sole paragraph – Telephone Interception Law;
– Law 9472/1997 – article 3. – General Telecommunications Law;
– Law 12683/2012 – Article 7, “B” – Money Laundering
– Law 12830/2013 – Article 2. – Criminal Investigation conducted by Police Chief
– Law 12850/2012 – Article 15 – Criminal Organization
– Law 12,695/2014 – article 7. and 10 – Civil Law of the Internet
– Law 13.344/2016 – Article 13-B – Search for Missing Persons
– Anatel Resolution 632/2014 – article 3rd. V – General Regulation on Telecommunications Consumer Rights.

Parameter III, related to offering information about geolocation data, was not considered met. No mention of the topic was found in the Algar documents we analyzed.

Parameter IV, referring to the promise to provide connection records only by court order, strictly under the terms of the Marco Civil da Internet, was considered met. In the document "Sharing Personal Data with Authorities", the company distinguishes registration data from connection records and sets out the hypotheses under which it provides each:

With regard to the provision of registration data for the investigation of crimes, Algar Telecom provides registration data relating to personal qualification, affiliation and address by court order. Algar Telecom will make registration data relating to personal qualification, affiliation and address available to Police Chiefs or the Public Prosecutor's Office upon request, without a court order, in accordance with Article 15, Section IV, of Law 12,850/2013, Article 17-B, Chapter X, of Law 9,613/98 and Article 13-A of the Code of Criminal Procedure.

Connection records, understood as the set of information regarding the start and end date and time of an internet connection, its duration and the IP address used by the terminal to send and receive data packets, will be provided by Algar Telecom upon presentation of a court order or, upon request of Police Chiefs or the Public Prosecutor's Office, in accordance with Article 15, Section IV, of Law 12,850/2013, Article 17-B, Chapter X, of Law 9,613/98 and Article 13-A of the Code of Criminal Procedure.

Algar provides real-time or past information only upon court order.

Finally, parameter V, relating to the existence of specific protocols on data delivery to the State, was considered met. Within its Data Policy the company publishes a document called "Sharing of Personal Data with Authorities", in which it sets out the specific cases of data delivery to the State. This document was considered sufficient for the purposes of this evaluation.

CATEGORY 3: Defense of users in the Judiciary

Result:

In this category, Algar obtained an empty star, because it did not meet any of the parameters.

Regarding parameter I, referring to the challenge of legislation, we conducted exploratory searches on the websites of the Supreme Federal Court (STF) and the Superior Court of Justice (STJ) for cases in which the company was a party, and found no actions of this kind. Companies had the opportunity, during the engagement phase, to provide evidence of their activity in this regard.

Finally, to investigate parameter II, referring to the contestation of abusive requests, we carried out exploratory searches in the database of the Court of Justice of the State of São Paulo and in the "Jusbrasil" portal, in both cases using the terms "Algar Telecom AND secrecy AND breach" and filtering for judgments published between 01/08/2020 and 21/06/2021. No actions of this kind were found. We note that Jusbrasil was chosen as a secondary source because it aggregates judgments from all Brazilian state courts, avoiding the need to search each court individually.

Actions already considered in previous editions of Who Defends Your Data (ACEL's ADI 5642) were not counted again, since they registered no developments in the period.

In the engagement phase, the company informed us of two actions in which it was a party contesting abusive requests (Case No. 1009561-39.2019.4.01.3803, TRF-1, and Case No. 11901-75.2016.4.01.3803, 1st Federal Court of Uberlândia). However, the case before the 1st Federal Court of Uberlândia dates from 2016 and falls outside the temporal scope of this report. As for the other case (No. 1009561-39.2019.4.01.3803), a procedural search on the website of the Federal Regional Court of the 1st Region did not locate the action.

We appreciate the company's participation; however, as the action could not be found, the parameter was not considered met.

CATEGORY 4: Public position in favor of privacy

Result:

In this category, Algar obtained ½ star, as it met parameter II. 

Parameter I, relating to the company's general positioning, was not considered met. On several occasions throughout the year, Internet access providers had the opportunity to express their opinion on public policies and bills that affect users' privacy.

After searching official government websites, the specialized and mainstream press and corporate press rooms, we found no material of this kind. The journalistic articles about Algar concerned the company's adaptation to the LGPD.

Parameter II, regarding the company's position on security measures, was considered met. Throughout 2020 and early 2021, Internet access providers had the opportunity to express their views on policies and practices that promote the security of their users' data, such as: Anatel's Public Consultation No. 24, on the reassessment of the structure and internal regulations of the Brazilian Communications Commissions (CBC), whose Article 2, IV, provides for the Commission's actions on political aspects of cyber security and artificial intelligence; the cyber security regulation for the telecom sector, approved by Anatel in 2020; Anatel's proposal to create a cyber security cooperation group; among others, as well as several opportunities to discuss the topic in the press and in public debates.

Algar participated in the congress "LGPD – Challenges Faced Since Its Entry into Force", organized by IBRASPD, the Brazilian Institute for Data Security, Protection and Privacy. The company took part in the panel "CISO and DPO – Pandemic of mega-leaks: how to deal with this scenario and fulfil the rights of the data subject", represented by Alexandre Simões, on September 1, 2021. This participation was considered sufficient to meet the parameter.

CATEGORY 5: Transparency and Data Protection Impact Reports

Result:

In this category, Algar obtained an empty star, as it did not meet any parameter. 

Parameters I to IV of this category, relating to the publication of a transparency report, were not met. Although the company publishes a Sustainability Report annually, that document contains no information on data requests received, answered or rejected.

The only information on personal data in the 2019 Sustainability Report is in the "Information Security" section, which states that no data leakage was recorded in the previous year, and in a section that briefly describes the actions taken by the company to adapt to the LGPD. There, the company states that it received 92 requests (without specifying who made them), which were fulfilled in accordance with the legislation:

Since the legislation was in force, we have not recorded Information Security incidents involving personal data, nor have we received any substantiated complaints about breaches of privacy by data subjects. The 92 requests received in 2020 were met in accordance with legislation and within the deadline (p. 45).

Parameter V, in turn, relating to the publication of Data Protection Impact Assessments, was also not considered met. No such documents were found in our searches.

CATEGORY 6: User notification

Result:

Algar was not awarded a star, as there is no mention of the possibility of user notification in any of the analyzed documents.

BRISANET (MOBILE)

CATEGORY 1: Information on data protection policy

Result:

In this category, Brisanet Móvel obtained half a star, having met parameter III and partially met parameter V.

Brisanet does not meet parameter I, having met only sub-parameter (e) and partially met sub-parameter (b).

 Sub-parameter (a), referring to the collected data, was not considered met. In its Privacy Policy, the company informs:

Personal Data can be collected through a form filled out by You, when entering into a contract with Brisanet, in the application, in interactions on the website through cookies or in our stores, among others. In this case, Brisanet assumes the role of controller.
It is important to highlight that Brisanet does not handle Personal Data about your racial or ethnic origin, religious conviction, political opinion, union membership or religious, philosophical or political organization, data relating to your health or your sexual life. Biometric data, such as photos, may be collected solely for the purpose of preventing fraud in providing the service and increasing your own security.

In addition, in the Prepaid Personal Mobile Service contract, the company informs:

2.2. BRISANET will be responsible for asking the CLIENT, prior to activating the Pre-Paid Service, for his/her personal data: a) full name; b) full address; c) registration number in the Registry of Individuals of the Ministry of Finance (CPF/MF), in the National Registry of Legal Entities of the Ministry of Finance (CNPJ/MF) or number of the identity document.

The above information describes the situations in which collection takes place and gives some examples of personal data collected, but it is excessively generic and does not clarify what data the data subject actually provides. Therefore, the sub-parameter was not considered met.

Sub-parameter (b), referring to the situations in which collection takes place, was considered partially met. The same excerpt quoted above does indicate the situations in which collection can occur (through a form, when entering into a contract with Brisanet, etc.). However, the wording is excessively generic: it is not exhaustive as to what data is collected in each situation, how collection takes place during the provision of Brisanet's services, what hypotheses are covered by the "among others" in the policy's wording, etc.

Sub-parameter (c), referring to the purpose of data processing, was not considered met. In its documents, Brisanet does not state for what purposes it processes personal data, mentioning only, and generically (as assessed in more detail below), some purposes for sharing data with third parties.

Sub-parameter (d), referring to how the data is used, was not considered met. No details about the hypotheses for use of the data were found in Brisanet's documents.

 Finally, sub-parameter (e), relating to information about the rights of holders and the means to exercise these rights, was considered met. In the Privacy Policy, the company informs:

In accordance with the law, with respect to your Personal Data, You have the right to confirm the existence of processing, access, correct incomplete or outdated data, block or delete unnecessary data, carry or revoke consent for processing, when applicable.
If you wish to access, correct or update your Personal Data, You may do so at any time, through the channels and procedures informed in this Policy, on our website or “Brisacliente” application.
For Personal Data processed with your consent, You may also review it at any time. This action will not affect the legitimacy of the treatment carried out previously, nor will it affect the treatment carried out based on other legal bases.

In the Privacy Center, there is information about the means to exercise these rights.

 Even though some of the rights of the General Data Protection Law (such as the right to portability or to review automated decisions) were not mentioned, the information and the portal made available were considered sufficient to meet the parameter.

Parameter II, referring to the provision of clear and complete information on the protection of personal data, was not considered met. The company does not provide clear and complete information on any of the sub-parameters.

Sub-parameter (a), referring to the time and place of data storage, was not considered met. No information was found regarding the storage location, and the information regarding retention time was considered excessively generic, providing no minimum or maximum periods or any further detail:

Brisanet processes your Personal Data for as long as the provision of its services lasts, but it also needs to keep the data after the end of the contractual relationship to comply with the law, as in cases where it is necessary to provide data to public authorities or for its own defence in legal proceedings.

Sub-parameter (b), referring to when and whether the data is deleted, was also not considered met. This information was not found in Brisanet's documents.

Sub-parameter (c), relating to the company's security practices, was not considered met. This information was not found in Brisanet's documents; there are only generic mentions of "secure storage" of data subjects' information.

Sub-parameter (d), referring to who has access to the data, was not considered met. In none of the analyzed documents did we find information about who has access to the data; the company limits itself to generic information about data sharing with third parties, a point evaluated under sub-parameter (e).

Sub-parameter (e), referring to the third parties with whom the data is shared, was not met. The company states in its Privacy Policy:

Brisanet may share your Personal Data with partners and suppliers to the extent necessary to ensure the provision of the contracted service, to comply with regulatory or other obligations provided for in applicable legislation, or to fulfil any of the purposes provided for in this Policy. In this case, sharing will take place through the adoption of appropriate technical and business measures, aiming at data confidentiality and integrity.

Although there is some information on the subject, there is no detail about which "partners and suppliers" will receive the data, nor any specification of the types of partners, which regulatory obligations are meant, etc.

Sub-parameter (f), relating to the purposes of sharing data with third parties, was also not considered met, since the excerpt above is equally generic regarding the purposes of sharing.

Sub-parameter (g), relating to international data transfer, was not considered met. This information was not found in Brisanet’s documents.

Finally, sub-parameter (h), referring to the date of the last update of the privacy policy, was considered met. At the end of its Privacy Policy, the company indicates the date of its last update.

Parameter III, which assesses whether the company responded promptly to data access requests made by InternetLab members, was considered met. InternetLab submitted a data access request on July 21, 2021. In response, the company informed us that its databases held no data linked to the data subject who made the request.

Parameter IV, which assesses whether the company promises to notify users when its privacy policy is updated, was not considered met. In its Privacy Policy, the company explicitly states that it "reserves the right to change this Policy (…)", committing only "to disclose on its website any changes made…".

Finally, parameter V, referring to the accessibility of information about privacy and data protection, was considered partially met. At the bottom of the homepage of Brisanet's website there is a link to the company's Privacy Center. The information in the Privacy Center is very clear and easily accessible to the customer.

However, the information contained in the Privacy Policy is not reproduced in Brisanet's contracts, a practice that would be recommended so that it can be accessed by all customers, legally consented to by them, and detailed according to each type of service contracted.

CATEGORY 2: Data delivery protocols for investigations

Result:

In this category, Brisanet obtained an empty star, not having fulfilled any of the parameters.

Parameter I, regarding the identification of the authorities competent to request data, was not considered met. In its Privacy Policy, the company only generically mentions sharing "to comply with regulatory or other obligations provided for in applicable law":

Brisanet may share your Personal Data with partners and suppliers to the extent necessary to ensure the provision of the contracted service, to comply with regulatory or other obligations provided for in applicable legislation, or to fulfil any of the purposes provided for in this Policy. In this case, sharing will take place through the adoption of technical and business measures (…)

Parameter II, regarding the identification of the competent authorities and the crimes under which a request may occur, was also not considered met. We did not locate this information in Brisanet's contracts.

Parameter III, related to offering information about geolocation data, was also not considered met. We did not locate this information in Brisanet's contracts.

Parameter IV, referring to the promise to provide connection records only by court order, strictly in accordance with the Marco Civil da Internet, was also not considered met. We did not locate this information in Brisanet's contracts.

Finally, parameter V, relating to the existence of specific protocols for delivering data to the State, was not considered met. No mention of the subject was found in the Brisanet documents we analyzed.

CATEGORY 3: Defense of users in the Judiciary

Result:

In this category, Brisanet Móvel obtained an empty star, as it did not meet either parameter.

Regarding parameter I, referring to the challenge of legislation, we carried out exploratory searches on the websites of the Supreme Federal Court (STF) and the Superior Court of Justice (STJ) for cases in which the company was a party, and found no actions of this kind. We note that, for reasons of scope and time, our search did not cover actions of this type in state courts, that is, actions relating to state-level legislation or its interpretation.

Finally, to investigate parameter II, referring to the contestation of abusive requests, we carried out exploratory searches in the database of the Court of Justice of the State of São Paulo and in the "Jusbrasil" portal, in both cases using the terms "Brisanet S/A AND secrecy AND breach" and filtering for judgments published between 08/01/2020 and 06/31/2021. No actions of this kind were found. We note that Jusbrasil was chosen as a secondary source because it aggregates judgments from all Brazilian state courts, avoiding the need to search each court individually.

CATEGORY 4: Pro-privacy public stance

Result:

In this category, Brisanet obtained an empty star, as it did not meet either parameter.

Parameter I, on the company's general positioning, was not considered met. On several occasions throughout the year, Internet access providers had the opportunity to express their opinion on public policies and bills that affect users' privacy.

After searching official government websites, the specialized and mainstream press and corporate press rooms, we found no material of this kind.

Parameter II, on the company's position on security measures, was not considered met. Throughout 2020 and early 2021, Internet access providers had the opportunity to express their views on policies and practices that promote the security of their users' data, such as: Anatel's Public Consultation No. 24, on the reassessment of the structure and internal regulations of the Brazilian Communications Commissions (CBC), whose Article 2, IV, provides for the Commission's actions on political aspects of cyber security and artificial intelligence[38]; the cyber security regulation for the telecom sector, approved by Anatel in 2020[39]; Anatel's proposal to create a cyber security cooperation group[40]; among others.

On none of these occasions was a position by Brisanet found.

CATEGORY 5: Transparency and Data Protection Impact Reports

Result:

In this category, Brisanet got an empty star, as it did not meet any of the parameters. 

Parameters I to IV, relating to the publication of a transparency report, were not met. No document of this nature from Brisanet was found.

Parameter V, in turn, relating to the publication of Data Protection Impact Assessments, was also not considered met. No such documents were found in our searches.

CATEGORY 6: User notification

Result:

Brisanet did not get a star, as there is no mention of the possibility of user notification in any of the analyzed documents.

BRISANET (BROADBAND)

CATEGORY 1: Information on data protection policy

Result:

In this category, Brisanet Banda Larga obtained half a star, having met parameter III and partially met parameter V.

Brisanet does not meet parameter I, having met only sub-parameter (e) and partially met sub-parameter (b).

Sub-parameter (a), referring to the collected data, was not considered met. In its Privacy Policy, the company informs:

Personal Data can be collected through a form filled out by You, when entering into a contract with Brisanet, in the application, in interactions on the website through cookies or in our stores, among others. In this case, Brisanet assumes the role of controller.
It is important to highlight that Brisanet does not handle Personal Data about your racial or ethnic origin, religious conviction, political opinion, union membership or religious, philosophical or political organization, data relating to your health or your sexual life. Biometric data, such as photos, may be collected solely for the purpose of preventing fraud in providing the service and increasing your own security.

The above information describes the situations in which collection takes place and gives some examples of personal data collected, but it is excessively generic and does not clarify what data the data subject actually provides. Therefore, the sub-parameter was not considered met.

Sub-parameter (b), referring to the situations in which collection takes place, was considered partially met. The same excerpt quoted above does indicate the situations in which collection can occur (through a form, when entering into a contract with Brisanet, etc.). However, the wording is excessively generic: it is not exhaustive as to what data is collected in each situation, how collection takes place during the provision of Brisanet's services, what hypotheses are covered by the "among others" in the policy's wording, etc.

Sub-parameter (c), referring to the purpose of data processing, was not considered met. In its documents, Brisanet does not state for what purposes it processes personal data, mentioning only, and generically (as assessed in more detail below), some purposes for sharing data with third parties.

Sub-parameter (d), referring to how the data is used, was not considered met. No details about the hypotheses for use of the data were found in Brisanet's documents.

 Finally, sub-parameter (e), relating to information about the rights of holders and the means to exercise these rights, was considered met. In the Privacy Policy, the company informs:

In accordance with the law, with respect to your Personal Data, You have the right to confirm the existence of processing, access, correct incomplete or outdated data, block or delete unnecessary data, carry or revoke consent for processing, when applicable.
If you wish to access, correct or update your Personal Data, You may do so at any time, through the channels and procedures informed in this Policy, on our website or “Brisacliente” application.
For Personal Data processed with your consent, You may also review it at any time. This action will not affect the legitimacy of the treatment carried out previously, nor will it affect the treatment carried out based on other legal bases.

At the Privacy Center, there is information on the means to exercise these rights.

Even though some of the rights of the General Data Protection Law (such as the right to portability or to review automated decisions) were not mentioned, the information and the portal made available were considered sufficient to meet the parameter.

Parameter II, referring to the provision of clear and complete information on the protection of personal data, was not considered met. The company does not provide clear and complete information on any of the sub-parameters.

Sub-parameter (a), referring to the time and place of data storage, was not considered met. No information was found regarding the storage location, and the information regarding retention time was considered excessively generic, providing no minimum or maximum periods or any further detail:

Brisanet processes your Personal Data for as long as the provision of its services lasts, but it also needs to keep the data after the end of the contractual relationship to comply with the law, as in cases where it is necessary to provide data to public authorities or for its own defence in legal proceedings.

Sub-parameter (b), referring to when and whether the data is deleted, was also not considered met. This information was not found in Brisanet's documents.

Sub-parameter (c), relating to the company's security practices, was not considered met. This information was not found in Brisanet's documents; there are only generic mentions of "secure storage" of data subjects' information.

Sub-parameter (d), referring to who has access to the data, was not considered met. In none of the analyzed documents did we find information about who has access to the data; the company limits itself to generic information about data sharing with third parties, a point evaluated under sub-parameter (e).

Sub-parameter (e), referring to the third parties with whom the data is shared, was not met. The company states in its Privacy Policy:

Brisanet may share your Personal Data with partners and suppliers to the extent necessary to ensure the provision of the contracted service, to comply with regulatory or other obligations provided for in applicable legislation, or to fulfil any of the purposes provided for in this Policy. In this case, sharing will take place through the adoption of appropriate technical and business measures, aiming at data confidentiality and integrity.

Although there is some information on the subject, there is no detail about which "partners and suppliers" will receive the data, nor any specification of the types of partners, which regulatory obligations are meant, etc.

Sub-parameter (f), relating to the purposes of sharing data with third parties, was also not considered met, since the excerpt above is equally generic regarding the purposes of sharing.

Sub-parameter (g), relating to international data transfer, was not considered met. This information was not found in Brisanet’s documents.

Finally, sub-parameter (h), referring to the date of the last update of the privacy policy, was considered met. At the end of its Privacy Policy, the company indicates the date of its last update.

Parameter III, which assesses whether the company responded promptly to data access requests made by InternetLab members, was considered met. InternetLab submitted a data access request on July 21, 2021. In response, the company informed us that its databases held no data linked to the data subject who made the request.

Parameter IV, which assesses whether the company promises to notify users when its privacy policy is updated, was not considered met. In its Privacy Policy, the company explicitly states that it "reserves the right to change this Policy (…)", committing only "to disclose on its website any changes made…".

Finally, parameter V, referring to the accessibility of information about privacy and data protection, was considered partially met. At the bottom of the homepage of Brisanet's website there is a link to the company's Privacy Center. The information in the Privacy Center is very clear and easily accessible to the customer.

However, the contract for the provision of broadband internet services could not be located, and including this information in the contract would be recommended so that it can be accessed by all customers, legally consented to by them, and detailed according to each type of service contracted.

CATEGORY 2: Data delivery protocols for investigations

Result:

In this category, Brisanet obtained an empty star, not having fulfilled any of the parameters.

Parameter I, regarding the identification of the authorities competent to request data, was not considered met. In its Privacy Policy, the company only generically mentions sharing "to comply with regulatory or other obligations provided for in applicable law":

Brisanet may share your Personal Data with partners and suppliers to the extent necessary to ensure the provision of the contracted service, to comply with regulatory or other obligations provided for in applicable legislation, or to fulfil any of the purposes provided for in this Policy. In this case, sharing will take place through the adoption of technical and business measures (…)

Parameter II, regarding the identification of the competent authorities and the crimes under which a request may occur, was also not considered met. We did not locate this information in Brisanet's contracts.

Parameter III, related to offering information about geolocation data, was also not considered met. We did not locate this information in Brisanet's contracts.

Parameter IV, referring to the promise to provide connection records only by court order, strictly in accordance with the Marco Civil da Internet, was also not considered met. We did not locate this information in Brisanet's contracts.

Finally, parameter V, relating to the existence of specific protocols for delivering data to the State, was not considered met. No mention of the subject was found in the Brisanet documents we analyzed.

CATEGORY 3: Defense of users in the Judiciary

Result:

In this category, Brisanet Banda Larga obtained an empty star, as it did not meet either parameter.

Regarding parameter I, referring to the challenge of legislation, we carried out exploratory searches on the websites of the Supreme Federal Court (STF) and the Superior Court of Justice (STJ) for cases in which the company was a party, and found no actions of this kind. We note that, for reasons of scope and time, our search did not cover actions of this type in state courts, that is, actions relating to state-level legislation or its interpretation.

Finally, to investigate parameter II, referring to the contestation of abusive requests, we carried out exploratory searches in the database of the Court of Justice of the State of São Paulo and in the "Jusbrasil" portal, in both cases using the terms "Brisanet S/A AND secrecy AND breach" and filtering for judgments published between 08/01/2020 and 06/31/2021. No actions of this kind were found. We note that Jusbrasil was chosen as a secondary source because it aggregates judgments from all Brazilian state courts, avoiding the need to search each court individually.

CATEGORY 4: Pro-privacy public stance

Result:

In this category, Brisanet obtained an empty star, as it did not meet either parameter.

Parameter I, on the company's general positioning, was not considered met. On several occasions throughout the year, Internet access providers had the opportunity to express their opinion on public policies and bills that affect users' privacy.

After searching official government websites, the specialized and mainstream press and corporate press rooms, we found no material of this kind.

Parameter II, on the company's position on security measures, was not considered met. Throughout 2020 and early 2021, Internet access providers had the opportunity to express their views on policies and practices that promote the security of their users' data, such as: Anatel's Public Consultation No. 24, on the reassessment of the structure and internal regulations of the Brazilian Communications Commissions (CBC), whose Article 2, IV, provides for the Commission's actions on political aspects of cyber security and artificial intelligence[41]; the cyber security regulation for the telecom sector, approved by Anatel in 2020[42]; Anatel's proposal to create a cyber security cooperation group[43]; among others.

On none of these occasions was a position by Brisanet found.

CATEGORY 5: Transparency and Data Protection Impact Reports

Result:

In this category, Brisanet obtained an empty star, as it did not meet any of the parameters.

Parameters I to IV, relating to transparency reports, were not met. No documents of this nature from Brisanet were found.

Parameter V, concerning the publication of data protection impact reports, was also not considered met. No documents of this kind were found in our searches.

CATEGORY 6: User notification

Result:

Brisanet did not obtain a star, as none of the analyzed documents mentions the possibility of notifying users.

FAQ

How does InternetLab finance its activities?

InternetLab is a non-profit organization. We do not act as a consultancy or law firm, and we only provide services that are in line with our mission, i.e., producing research in the area of law and technology that has an impact on public policy. Our activities are therefore financed by foundations, third-sector organizations, companies and individuals. In all of these cases, two conditions apply: independence in the design and execution of projects, and the freedom to express any type of analysis and institutional position.

In 2019, 70.8% of our resources came from international foundations and third-sector organizations, 23.6% from the private sector and 5.6% from funding agencies.

How was the “QDSD” project financed?

The project was financed with funds donated by the Ford Foundation.

Who worked on “QDSD”?

This is the InternetLab team involved in the 2021 edition of the QDSD: Francisco Brito Cruz (director), Bárbara Simão (head of research), Enrico Roberto (researcher) and Clarice Tavares (researcher).

From EFF, Veridiana Alimonti (Latin American Senior Policy Analyst) and Katitza Rodríguez (Policy Director for Global Privacy) worked on the project.

The website's graphic design is by Maria Claudia Levy, from GOMA Oficina; development and design by Sergio and Bruno Berkenbrock, from MirrorLab.

Did the project end with the dissemination of results?

No. The QDSD proposes a periodic assessment, carried out annually. With each new edition, we review the methodology and submit the companies' practices and policies to a new evaluation, ensuring that they reflect the current

Recommendations for the next edition

InternetLab acknowledges, as a trend, the improvement of companies' data protection and privacy policies. However, we would like to emphasize the importance of ensuring that these policies are clear, precise, accessible and complete. Specifically regarding data sharing, the circumstances in which it occurs and the measures taken in those cases to prevent harm, such as verifying that the third party complies with the data subject's rights, must be made clear to the data subject.

In view of this year's results, InternetLab also encourages companies to improve their channels for data access requests, both to facilitate full access to the pertinent information and to verify the identity of the requester. It is also recommended that companies adopt proactive practices for notifying users in the face of changes to their privacy policies.

InternetLab encourages companies to draw up law enforcement guidelines that inform users of all the circumstances in which subscriber data, location data and connection records may be shared, and of how the company handles judicial orders and administrative requests for the delivery of data.

InternetLab also encourages companies to use the ‘press rooms’ on their websites to list their actions in defense of privacy and data protection, both in the Judiciary and in public debates. Particularly in crisis contexts and in the face of exceptional circumstances, such as the COVID-19 pandemic, it is essential that companies adopt an active transparency approach regarding any collaboration and data sharing with the State, ensuring that exceptional treatment is limited in time, proportional and genuinely compatible with public interest purposes.

Finally, it also encourages companies to publish comprehensive transparency reports and to adopt the practice of notifying users in the event of data requests by law enforcement.