/RESULTS

VIEW BY:

	Information on data protection policy	Law enforcement guidelines	Defence of users in the Judiciary	Public position in favor of privacy	Transparency reports and Data Protection Impact Assessments	User notification

	Informs about data processing	Informs about terms of compliance with data requests from the government	Fights for user privacy in the courts	Fights for user privacy in public debates	Publishes transparency reports about data requests	Tells user about data requests

Show previous research

CLARO

CATEGORY 1. Information on data protection policy

Result:

In this category, CLARO obtained a full star, having met parameters I, II, IV and V.

Claro complies with parameter I, providing clear and complete information on all sub-parameters.

Sub-parameter (a), referring to the collected data, was considered fulfilled. In its Privacy Policy, the company informs:

Subscriber Information
A good part of our services requires that you have a unique registration with a user account, thus allowing you to access all Claro services.
When you register, we ask for: your name, your CPF (Brazilian Tax Code), your ID, your date of birth, gender information and your contact details, such as phone and email.

Consumption profile (DC):
In order to improve your experience at Claro, we are continually making improvements to the network, expanding and customizing product and service offerings, sending alerts or notifications. For these purposes, Claro may collect information from its consumption profile, such as: location, resources, devices used, navigation, contracted or researched offers, information provided while using the services, as well as the duration and frequency of its activities ”.

Sub-parameter (b), referring to the situations in which the collection takes place, was also considered fulfilled. This is because, even if there is no specific wording to point out situations where data are collected, in the sections “Subscriber Information” and “Consumer Profile” (see excerpt above), it is informed that the company collects information at the time of registration and “while using the services”.

It was considered that such information is capable of detailing the situations in which the collection occurs.

Sub-parameter (c), referring to the purpose of data processing, was considered met. In the “Consumer Profile” section of Claro’s Privacy Policy (see excerpt above), the company informs that the data collection aims to “improve your experience at Claro”, personalizing offers, making improvements to the network and sending alerts and notifications. Also, in the section “About the processing of personal data”, the company provides detailed information on the purposes of the data processing:

“Claro may carry out the processing of personal data collected for the following purposes:
In order to guarantee your security in the identification, authentication and authorization of access to our products and services;
For the best attendance of your requests and resolution of your doubts;
To keep your data up to date so that we can contact you whenever necessary, whether by phone, e-mail, SMS, direct mail or other means of communication;
To improve your browsing experience on our websites, applications and services;
For use in statistics, studies, research and surveys about your activities and behaviors when using our websites, applications and services;

To publicize our services and those of our partners, and communicate news, features and other information that may be relevant to improve our relationship;
In order for us to preserve our rights and obligations regarding the use of our sites, applications and services;
So that we can provide you with relevant content and send, for example, information about your invoice, consumption, package and promotions, in addition to other facilities;
For sending communications that you have agreed to receive.
Claro, as owner, is responsible for its own database, and can use the information within the limit and purpose of its field of activity. Claro may also use information anonymously, with the objective of continuously improving and personalizing the services we provide to you. ”

Sub-parameter (d), referring to how it is used, was considered fulfilled. In the section “What data does Claro collect and how does it use it?” of its Privacy Policy, Claro details, for example, that subscriber data “are important for some actions, such as filling out your service contract, issuing invoices and also for communicating with you” and further, that traffic data “are fundamental to measure the quality of our services, so that you can understand the invoice and also for your own control “, that bank data is used” only to charge for telecommunications services or other services that you have contracted through Claro “, among others.

Finally, the sub-parameter (e), relating to information regarding the rights of data subjects and the means to exercise those rights, was also considered met. In the Privacy Policy, there is a section “About the rights to access, correct, cancel and contest personal information”, in which the company informs about the existence of these four rights, even if it does not mention all those provided for in the current legislation. The company also informs customers of the means for exercising these rights: through call centers and Claro’s “Talk to Us”.

“About the rights to access, correct, cancel and dispute personal information
We are committed, in every case, to the standards (“models” not to repeat “standards”) of control and security, respecting the required standards. You, Claro customer, have the following rights with respect to your personal data:
Correction of data that may be incomplete, incorrect or outdated;
You can cancel the consent given to Claro at any time. To do this, just contact the call center or the channel we provide, the Fale Conosco Claro (Contact Us);
Claro will keep your information stored for the period required by existing laws. ”

In addition, in its Prepaid Internet Access Service Provision Agreement, it states:

“8.1 In addition to the rights already provided for in this Agreement, the subSCRIBER is guaranteed the rights established in the SMP Regulation and Law no. 12.965 / 2014, such as: a) Free receipt, upon request, of the detailed report of the data traffic used, relative to the maximum period of 6 (six) months prior to your request, provided that your registration is duly updated with CLARO; h) inviolability and confidentiality of the flow of your communications over the internet, except by court order, as provided by law; i) inviolability and confidentiality of your stored private communications, except by court order; m) definitive deletion of your personal data that you have provided to a particular internet application; n) publicity and clarity of any eventual policies for the use of internet connection providers and internet applications. ”

Regarding parameter II, referring to the provision of clear and complete information on the protection of personal data, it was considered that it was, on average, met, since sub-parameters (b), (e) and (f) were met, while sub-parameter (a) was considered only partially met.

Sub-parameter (a), referring to the time and location of data storage, was considered partially fulfilled. In its Privacy Policy, in the section “How long does Claro handle your data?” The company informs the detailed storage terms for each type of data collected. However, regarding registration and billing data, Claro informs only the minimum period for which it stores them. Although it is positive that the company establishes a minimum period, the absence of information on the maximum period for which the company stores its customer data ends up making this period of time too imprecise.

“How long does Claro handle your data?
Claro treats your data for the duration of the provision of its services, but it also needs to keep your data after the end of your relationship with Claro to comply with the law, as in cases where it is necessary to provide data to public authorities or even to the defence in legal proceedings. Some of the deadlines we observe are as follows:

Internet connection: Claro will store connection records for a period of one year, and will not keep records of access to internet functionalities;
Internet functionalities: in Claro’s own applications, the access records to functionalities will be stored for six months;
Registration and billing data will be stored for at least five years. ”

As for the storage location, the company informs in the sections “How long does Claro process your data?” and “On the rights to access, correct, cancel and contest personal information” that the data is processed in Claro’s data centers, on contracted third-party servers or in “clouds”. Such information was considered overly generic, providing little consistent information about the storage location.

“About the rights to access, correct, cancel and dispute personal information
We store your personal data in a safe place. This is often on our own servers, with contracted third parties or in the “cloud”, always with the aim of improving our processes.

As for sub-parameter (b), referring to when / if the data is erased, it was not considered attended to. This is because the company reports only the minimum data storage time.

Sub-parameter (c), related to the company’s security practices, was considered complied with. In the Privacy Policy, the company is committed to following security and control standards, without specifying in this document, however, which are the practices adopted.

“About the rights to access, correct, cancel and dispute personal information?
We are committed, in every case, to the standards (“models” not to repeat “standards”) of control and security, respecting the required standards.

Despite the general information in the Privacy Policy, the company presents more information about the security practices adopted in the Sustainability Report 2018 of the América Móvil group. According to the report, the system adopted in Brazil is the Security Operation Center with ISO 27001 Safety Management Systems certificate. About the system, América Móvil states:

“This is a system that manages information security within a company to efficiently safeguard important data, both financial and confidential, minimizing the risk of illegal or non-permitted access by third parties.”

Sub-parameter (d), referring to who has access to the data, was not considered met. In none of the analyzed documents do we find information about who has access to the data, the company limits itself to informing the client only of with whom the data is shared, a point that will be evaluated in sub-parameter (e).

Sub-parameter (e), referring to the third parties with whom the data is shared, was considered met. The company informs, in the section “With whom does Claro share data?” of its Privacy Policy, the following:

“With whom does Claro share data?
To carry out all its activities, Claro needs to share its data with some third parties. After all, they are the ones who will provide services for you and who must observe certain precautions, such as the security of your data. See who these third parties are:

Call Center companies – so that we can provide assistance.
Technical Service Companies – so that TV customers have their services installed or maintained.
Companies that have content packages sold through Claro’s sales channels and that need some information to activate the content and subscriptions.
Credit and Collection Companies – so that they can collect outstanding invoices.
Authorized Agents – companies that sell products and services under the Claro brand, which are often the gateway for customers.
Telesales Partners – to make offers of products and services to you, by calls or SMS, consulting beforehand if case you have opted not to be called.
Insurance Companies – Claro receives insurance proposals for cell phones and shares its data with the insurance company and the broker for insurance coverage purposes and with a third party for the collection of the premium on the invoice.
Companies that operate top-up platforms and applications.
Public sector, in compliance with inspections by our regulatory body and upon requests from police authorities or judicial decisions.
Partners who handle data collected from NET-Claro-Wi-Fi, My Claro and Claro Banca applications, as described above. ”

In addition, in its prepaid SMP Service Agreement, it states:

15.6 All information on the subSCRIBER’s register is confidential and can only be provided: a) to the subSCRIBER; b) to a representative with a specific power of attorney; c) the judicial authority; and d) to other Telecommunications Service Providers, for specific purposes to provide these services.

Finally, as for sub-parameter (f), related to the purposes of data sharing with third parties, it was also considered met, in view of the details of each sharing as shown above.

Parameter III, which assesses whether the company responded in a timely manner to requests for access to data by InternetLab members, was not considered met. This is because, approximately one month after the request for access to data was made, using the provided email dpo@claroatendimento.com.br, only a generic response was received:

“We advise that Claro’s privacy policy can be consulted on the Privacy Portal available on our website, at the bottom of the page and we clarify that through our website, the customer can automatically consult and receive information about Data Privacy Rights, as well as exercise the rights of consent / revocation of use of their data whenever they want.

Therefore, we ask that you access the Claro website www.claro.com.br, access the Privacy Portal at the bottom of the page (logged in area) and choose the options you want for your privacy rights.

For non-Claro customers, the request can also be made directly on our website.

Finally, we inform you that Claro already acts in compliance with data protection for its customers, working only with the data it needs and dedicating itself to protect them. ”

Our attempts to access the data through the aforementioned portal, however, have not been fruitful, and further attempts to contact the company through the email mentioned above have not been answered.

Parameter IV, which assesses whether the company promises to send notifications to the user when updating its privacy policies, was considered met. In its Privacy Policy, the company undertakes to inform the user of any modifications to the document, including providing for the cancellation of consent for the processing of personal data, in case the customer disagrees with the changes.

“Changes to the privacy policy
Claro reserves the right to modify this Privacy Policy at any time and always to keep it updated and available on the website. In such cases, you, our customer, will be informed about the changes made, and you will be authorized, if you disagree with the changes, to cancel your consent for the processing of personal data. ”

Finally, parameter V, referring to the accessibility of information on privacy and data protection, was considered partially met. At the bottom of the homepage of the Claro website, there is a link to the Privacy Policy. When accessing this link, the user is redirected to Claro’s Privacy Portal, which contains the “Privacy Policy”, “Cookies Policy” and “Your privacy rights”. The information on the Privacy Portal is very clear and easily accessible to the customer.

However, the information contained in the Privacy Policy is not presented in Claro’s contracts, a practice that would be recommended so that it could be accessed by all customers, legally consented to by them, and detailed according to each type of service contracted.

CATEGORY 2. Law enforcement guidelines

Result:

In this category, Claro obtained ¼ of a star, having only partially complied with parameter I.

Parameter I, referring to the identification of the competent authorities to request data, was considered partially fulfilled, since the company only informs that it undertakes to provide subscriber data to competent authorities, without, however, identifying them. In its Privacy Policy, the company informs that “in case of legal requests, Claro can share your personal data with the legal authorities, while always obeying the laws existing at the time of the request”, without mentioning which authorities they would be. The company only states that it will be able to share data with Credit Protection institutions:

Privacy Policy
“About sharing personal data
In the event of a court order, Claro may share your personal data with legal authorities, always in compliance with the laws existing at the time of the request;
We can send specific information about our clients to Credit Protection Institutions in order to reduce credit risk and protect people and companies from possible deceptive and fraudulent situations;”

Similarly, in its Code of Ethics, the company states that data transmissions are only carried out following “legal requests from the competent authorities”, without, however, identifying them.

Code of Ethics
“It is strictly forbidden to interfere with communications or transmissions carried out by our customers, such as listening, handling or monitoring conversations, interfering with data transmissions or revealing the existence or content of the customer’s communications, except in cases required by law and / or following orders from competent authorities.
Any request or demand for confidential information by a government authority must be referred to our Legal Department, so that all appropriate measures are taken to protect it and ensure that all applicable requirements are met. ”

Still, in this respect, it is worth noting that the company clarifies:

Prepaid SMP service agreement:
15.6 All information on the subSCRIBER’s register is confidential and can only be provided: a) to the subSCRIBER; b) to a representative with a specific power of attorney; c) the judicial authority; and d) to other Telecommunications Service Providers, for the specific purposes to provide these services.

However, no matter how much the company claims to provide data only in the cases provided for by law and following requests from legal authorities, it does not identify who these authorities are or the legal hypotheses involved. The provision for sharing with Credit Protection institutions is restricted, since it does not expressly mention other circumstances in which the company provides data from its customers.

In addition, the company does not explain to the user the fact that subscriber data and connection records are treated differently under the law. In this sense, it is important that the company clearly state that connection records can only be furnished by court order, according to the Internet Legal Framework (Marco Civil da Internet). With regard to subscriber data, that same law authorizes them to be requested without a court order by competent administrative authorities. Currently, however, in the face of controversy as to what such “competent administrative authorities” are, it is imperative that the company is transparent about its own interpretations of the law it applies when receiving requests for breaches of confidentiality. We recommend that the company distinguish between subscriber data and connection records and identify the competent authorities. Therefore, the parameter was considered only as partially met.

Parameter II, referring to the identification of the competent authorities and the crimes within which the requisition occurs, was not considered met. As mentioned in the previous parameter, the company mentions in its Code of Ethics only that it does not interfere in communications or data transmissions, except “in the cases required by law and / or following legal requests from the competent authorities”, without discriminating which would be the legal provisions applicable or what the competent authorities would be. Due to this lack of information, the parameter was not considered met.

Parameter III, referring to the provision of information on geolocation data, was also not considered met. There was no mention of the theme in the documents analyzed by Claro.

Parameter IV, referring to the promise to provide connection records only by court order strictly under the terms of the legal regulatory use of the internet, was also not considered as complied with. There was no mention of the theme in the documents analyzed by Claro.
Finally, parameter V, relating to the existence of specific guidelines on data delivery to the state, was also not considered met. There was no mention of the theme in the documents analyzed by Claro.

CATEGORY 3: Defence of users in the Judiciary

Result:

In this category, Claro got half a star, because it met parameter I.

Regarding parameter I, referring to the challenge of legislation, we conducted exploratory searches on the websites of the Supreme Federal Court and the Superior Court of Justice for cases in which the company was a party, and we did not find any actions in this regard.

However, in the engagement phase, InternetLab became aware of a rescission action nº 0802518-50.2020.4.05.0000, before the Regional Federal Court of the fifth region (TRF5). In it, the companies Claro, Vivo, TIM and Oil, through an action by Sinditelebrasil (National Union of Telephone and Cellular and Personal Mobile Service Companies), questioned Anatel’s (National Telecommunications Agency) attempt to change the General Consumer Rights Regulation, to that it would be possible to provide, to any recipient of telephone calls, the personal information of the owner of the line originating the call. As they defended the non-alteration of the said regulation, based, among other things, on privacy and data protection arguments, the parameter was considered complied with. As much as InternetLab, exceptionally, recognized the action referred to above in view of its normative importance, we emphasize that, in line with the investigation of the public commitment of the companies under their brand, actions initiated in its own name by the telephone company, and not through associations or equivalents, are preferable for checking compliance with this parameter.

Actions considered in previous versions of Who Defends Your Data, such as Public Civil Action No. 0005292-42.2003.4.03.6110, which questions, among others, the delivery of data from a logic gate to police authorities, and the Direct Action of Unconstitutionality (ADI) 5642, from ACEL, were not considered, since they did not register changes.

Finally, to investigate parameter II, referring to the contestation of abusive requests, we conducted exploratory searches in the database of the Court of Justice of the State of São Paulo and on the “Jusbrasil” portal, in both cases using the terms “claro AND secrecy AND breaches “and “claro S/A AND secrecy AND breaches“ and by judgments published between August 1st 2019 and July 31st 2020. In these searches, no lawsuits were found in this regard. We emphasize that the choice of Jusbrasil as a secondary source is because it gathers judgments from all Brazilian state courts, instead of requiring a search in all individual courts.

CATEGORY 4: Public position in favor of privacy

Result:

In this category, Claro got half a star, because it met parameter II.

Parameter I, relating to the company’s general positioning, was not considered met. There were opportunities throughout the year, where companies providing Internet access had the opportunity to express their views on public policies and bills that affect users’ privacy. The postponement of the entry into force of the General Data Protection Law (LGPD) is an example in this regard.

After searching official government websites, specialized and traditional press and corporate pressrooms, we found no material in this regard. During the discussions in the National Congress, regarding the postponement of the LGPD, in addition, no participation by Claro in the discussions at the Congress etc. was found in its press releases.

In our searches, we discovered an article published by the Olhar Digital portal, which stated that in November 2019, there was a security breach in the “Minha Claro Residencial” service portal that exposed personal data (full name, address, date of birth, CPF, e-mail and telephone numbers) of the operator’s customers. According to the report, more than 8 million customers had their data exposed.

In a note sent the the portal, Claro stated:

“Claro informs that it constantly invests in security policies and procedures, adopting strict measures to avoid undue actions against its customers. Regarding the reported fact, the company clarifies that it quickly identified and corrected, on November 14, any vulnerability in the Minha Claro Residencial application and no damage was identified to customers. Claro follows strict standards, with security mechanisms, which are periodically reviewed, in order to always guarantee the privacy of its customers. ” The wording was considered too general and unsatisfactory for the purposes of this report.

Parameter II, relating to the company’s position in the context of COVID-19, was considered met. In its Privacy Policy, in the item “Claro, its data and COVID-19”, the company informs:

“Claro, its data and COVID-19
Claro, in order to contribute with solutions that could alleviate the impact of the pandemic a little, is participating in two initiatives:
The “heat maps”:
First the important information: Claro does not identify you and does not monitor your movements. Claro simply counts the number of lines connected to each antenna at night and during the day, both to confirm if there is isolation and if there is agglomeration at some points.
Push do Bem: Claro made it possible for several small businesses to register on this link. Claro advertises these offers, if you authorize the geolocation sharing in the NET-Claro Wi-Fi, Minha Claro and Claro Banca apps. With that, Claro gives you the opportunity to buy from a local commercial establishment and encourages business for these entrepreneurs”.

CATEGORY 5: Transparency reports and Data Protection Impact Assessment

Result:

In this category, Claro obtained an empty star, as it did not meet any of the parameters.

Parameters I to IV, relating to the Transparency Report, were not met. América Móvil publishes a Sustainability Report every two years, in English and Spanish. The document provides some information on privacy and data protection; however, it does not publish statistics for requests.

Parameter V, in turn, related to the publication of Data Protection Impact Assessments, was also not considered met. No such documents were found in our searches.

CATEGORY 6: User notification

Result:

Claro was not awarded a star, as there is no mention of the possibility of user notification in any of the analyzed documents.

NET

CATEGORY 1. Information on data protection policy

Result:

In this category, NET obtained a full star, having met parameters I, II, IV and V.

Although Net Vírtua’s contracts do not provide substantial information about the company’s data processing practices, we found that some information is available in the company’s Code of Ethics and Privacy Policy.

NET complies with parameter I, providing clear and complete information on all sub-parameters.

Sub-parameter (a), referring to the collected data, was considered fulfilled. In its Privacy Policy, which, according to the website where it is located, applies to both mobile and broadband internet services (Claro e NET, consequently), the company informs:

REGISTRATION INFORMATION
A good part of our services requires that you have a unique registration with a user account, thus allowing you to access all NET services.
When you complete your registration, we ask for your name, your CPF, your ID, your date of birth, gender information and your contact details, such as phone and email.

Consumption profile:
In order to improve your experience at Claro, we are continually making improvements to the network, expanding and customizing product and service offerings, sending alerts or notifications. For these purposes, Claro may collect information from its consumption profile, such as: location, resources, devices used, navigation, contracted or researched offers, information provided while using the services, as well as the duration and frequency of its activities.

“Claro may carry out the processing of personal data collected for the following purposes:
In order to guarantee your security in the identification, authentication and authorization of access to our products and services;
For the best attendance of your requests and resolution of your doubts;
To keep your data up to date so that we can contact you whenever necessary, whether by phone, e-mail, SMS, direct mail or other means of communication;
To improve your browsing experience on our websites, applications and services;
For use in statistics, studies, research and surveys about your activities and behaviors when using our websites, applications and services;

To publicize our services and those of our partners, and communicate news, features and other information that may be relevant to improve our relationship;
In order for us to preserve our rights and obligations regarding the use of our sites, applications and services;
So that we can provide you with relevant content and send, for example, information about your invoice, consumption, package and promotions, in addition to other facilities;
For sending communications that you have agreed to receive.
Claro, as owner, is responsible for its own database, and can use the information within the limit and purpose of its field of activity. Claro may also use information anonymously, with the objective of continuously improving and personalizing the services we provide to you. ”

Sub-parameter (d), referring to how it is used, was considered fulfilled. In the section “What data does Claro collect and how does it use it?” in its Privacy Policy, Claro/NET details, for example, that subscriber data “are important for some actions, such as filling out your service contract, issuing invoices and also for communicating with you”, that traffic data “are fundamental to measure the quality of our services, so that you can understand the invoice and also for your own control “, that bank data is used” only to charge for telecommunications services or other services that you have contracted through Claro”, among others.

Finally, the sub-parameter (e), relating to information regarding the rights of holders and the means to exercise those rights, was also considered met. In the Privacy Policy, there is the section “About the rights to access, correct, cancel and contest personal information”, in which the company informs about the existence of these four rights, even if it does not mention all those provided for in the current legislation. The company also informs customers of the means for exercising these rights: the call center and Claro’s “Talk to Us”.

“About the rights to access, correct, cancel and dispute personal information
We are committed, in every case, to the standards (“models” not to repeat “standards”) of control and security, respecting the required standards. You, Claro customer, have the following rights with respect to your personal data:
Correction of data that may be incomplete, incorrect or outdated;
You can cancel the consent given to Claro at any time. To do this, just contact the call center or the channel we provide, the “Contact Us” Claro.
Claro will keep your information stored for the period required by existing laws. ”

With reference to parameter II, referring to the supply of clear and complete information on the protection of personal data, it is considered to have been generally met because sub-parameters (c), (d) and (e) were addressed while sub-parameter (a) was considered only partially met.

Sub-parameter (a), referring to the time and location of data storage, was considered partially fulfilled. In its Privacy Policy, in the section “How long does Claro handle your data?” The company informs the detailed storage terms for each type of data collected. However, regarding registration and billing data, the company only informs the minimum period for which the data is stored. Although it is considered as positive that the company establishes a minimum period, the absence of information on the maximum period for which the company stores its customer data ends up making this period of time too imprecise.

“How long does Claro handle your data?
Claro maintains your data for the duration of the provision of its services, but it also needs to keep your data after the end of your relationship with Claro to comply with the law, as in cases where it is necessary to provide data to public authorities or even to the defence in legal proceedings. Some of the deadlines we observe are as follows:

Internet connection: Claro will store connection records for a period of one year, and will not keep records of access to internet functionalities;

Internet functionalities: in Claro’s own applications, the access records to functionalities will be stored for six months;

Registration and billing data will be stored for at least five years.”

As for the storage location, the company informs customers of this in the sections “How long does Claro process your data?” and “On the rights to access, correct, cancel and contest personal information” that the data is processed in Claro’s data centers, on contracted third-party servers or in “clouds”. Such information was considered overly generic, providing little consistent information about the storage location.

“About the rights to access, correct, cancel and dispute personal information
We store your personal data in a safe place. Often on our own servers, contracted third parties or in the “cloud”, always with the aim of improving our processes.

As for sub-parameter (b), referring to when / if the data is erased, it was not considered attended to. This is because the company reports only the minimum data storage time.

Sub-parameter (c), relating to the company’s security practices, was considered complied with. In the Privacy Policy, the company is committed to following security and control standards, without specifying in this document, however, which are the practices adopted.

“About the rights to access, correct, cancel and dispute personal information
We are committed, in every case, to the standards (“models” not to repeat “standards”) of control and security, respecting the required standards.

“This is a system that manages information security within a company to efficiently safeguard important data, both financial and confidential, minimizing the risk of illegal or non-permitted access by third parties.”

Sub-parameter (d), referring to who has access to the data, was not considered as having been attended to. In none of the analyzed documents do we find information about who has access to the data; the company limits itself to informing whom the data is shared with, a point that will be evaluated in sub-parameter (e).

“With whom does Claro share data?
To carry out all its activities, Claro needs to share its data with some third parties. After all, they are the ones who will provide services for you and who must observe certain precautions, such as the security of your data. See who these third parties are:

Call Center companies – so that we can provide assistance.

Technical Service Companies – so that TV customers have their services installed or maintained.

Companies that have content packages sold through Claro’s sales channels and that need some information to activate the content and subscriptions.

Credit and Collection Companies – so that they can collect outstanding invoices.

Authorized Agents – companies that sell products and services under the Claro brand, which are often the gateway for customers.

Telesales Partners – to make offers of products and services to you, by calls or SMS, consulting beforehand if case you have opted not to be called.

Insurance Companies – Claro receives insurance proposals for cell phones and shares its data with insurance companies and brokers for insurance coverage purposes and with a third party for the collection of the premium on the invoice.

Companies that operate top-up platforms and applications.

Public sector, in compliance with inspections by our regulatory body and upon requests from police authorities or judicial decisions.

Partners who handle data collected from NET-Claro-Wi-Fi, Minha Claro and Claro Banca applications, as described above.”

Finally, regarding sub-parameter (f), relating to the purposes of data sharing with third parties, it was also considered met.

Parameter III, which assesses whether the company responded in a timely manner to requests for access to data by InternetLab members, was not considered met. This is because, approximately one month after the request for access to data was made, through the email dpo@claroatendimento.com.br, only a generic response was received:

“We advise that Claro’s privacy policy can be consulted on the Privacy Portal available on our website, at the bottom of the page and we clarify that through our website, the customer can automatically consult and receive information about Data Privacy Rights, as well as exercise the rights of consent / revocation of use of their data whenever they want.

Therefore, we ask that you access the Claro website www.claro.com.br, access the Privacy Portal at the bottom of the page (logged in area) and choose the options you want for your privacy rights.

For non-Claro customers, the request can also be made directly on our website.

Finally, we inform you that Claro already acts in compliance with data protection for its customers, working only with the data it needs and dedicating itself to protect them. ”

Parameter IV, which assesses whether the company promises to send notifications to the user when updating its privacy policies, was considered met. In its Privacy Policy, the company undertakes to inform the user of any modifications to the document, including providing for the cancellation of consent for the processing of personal data, in case the customer disagrees with the changes.

“Changes to the privacy policy
Claro reserves the right to modify this Privacy Policy at any time and to always keep it updated and available on the website. In such cases, you, our customer, will be informed about the changes made, and you will be authorized, if you disagree with the changes, to cancel your consent for the processing of personal data.”

Finally, parameter V, referring to the accessibility of information on privacy and data protection, was considered partially met. At the bottom of the homepage of NET’s website, there is a link to the Privacy Policy. When accessing this link, the user is redirected to Claro’s Privacy Portal, which contains the “Privacy Policy”, “Cookies Policy” and “Your privacy rights”. The information on the Privacy Portal is very clear and easily accessible to the customer.

However, the information contained in the Privacy Policy is not presented in NET’s contracts, a practice that would be recommended so that it could be accessed by all customers, legally consented to by them, and detailed according to each type of service contracted.

CATEGORY 2. Law enforcement guidelines

Result:

In this category, NET obtained a ¼ of a star, having only partially complied with parameter I.

Parameter I, referring to the identification of the competent authorities to request data, was considered partially fulfilled, since the company only informs that it undertakes to provide subscriber data to competent authorities, without, however, identifying them. In its Privacy Policy, the company informs that “in case of legal requests, Claro can share your personal data with the legal authorities, always obeying the laws existing at the time of the request”, without mentioning which authorities they would be. The company only states that it will be able to share data with Credit Protection institutions:

Privacy Policy
“About sharing personal data
In the event of a court order, Claro may share your personal data with legal authorities, always in compliance with the laws existing at the time of the request;
We can send specific information about our clients to Credit Protection Institutions in order to reduce credit risk and protect people and companies from possible deceptive and fraudulent situations;”

Similarly, in its Code of Ethics, the company states that data transmissions are only carried out following “legal requests from the competent authorities”, without, however, identifying them.

Code of Ethics
“It is strictly forbidden to interfere with communications or transmissions carried out by our customers, such as listening, handling or monitoring conversations, interfering with data transmissions or revealing the existence or content of the customer’s communications, except in cases required by law and / or following orders from competent authorities.
Any request or demand for confidential information by a government authority must be referred to our Legal Department, so that all appropriate measures are taken to protect it and ensure that all applicable requirements are met. ”

Still in this regard, it is worth noting that the company refers in the contract to devices from Anatel that contain rights and establish duties:

Net Vírtua Multimedia Communication Service Agreement (SCM)
35.02 The rights and duties of subscribers to the multimedia communication service are provided for in articles 56, 57 and 58 of ANATEL Resolution 614/2013. The PROVIDER’s rights and obligations are provided for in articles 41 to 55 of the same Resolution.

In addition, the company does not explain to the user the fact that subscriber data and connection records are treated differently under the law. In this sense, it is important for the company to clearly state that connection records can only be delivered by court order, according to the Internet Legal Framework (Marco Civil da Internet). With regard to subscriber data, that same law authorizes them to be requested without a court order by competent administrative authorities. Currently, however, in the face of controversy as to what such “competent administrative authorities” are, it is imperative that the company is transparent about its own interpretations of the law it applies when receiving requests for breaches of confidentiality. Therefore, the parameter was considered as only partially met.

Parameter II, referring to the identification of the competent authorities and the crimes within which the requisition occurs, was not considered met. As mentioned in the previous parameter, the company mentions only in its Code of Ethics that it does not interfere in communications or data transmissions, except “in the cases required by law and / or following legal requests from the competent authorities”, without discriminating which would be the legal provisions applicable or who the competent authorities would be. Due to this lack of information, the parameter was not considered met.

Parameter III, referring to the provision of information on geolocation data, was also not considered met. There was no mention of the theme in the NET documents analyzed by.

Finally, parameter V, relating to the existence of specific guidelines on data delivery to the state, was also not considered met. There was no mention of the theme in the documents analyzed from NET.

CATEGORY 3: Defence of users in the Judiciary

Result:

In this category, NET got half a star, because it met parameter I.

Regarding parameter I, referring to the challenge of legislation, we conducted exploratory searches on the websites of the Supreme Federal Court and the Superior Court of Justice for cases in which the company was a party, and we did not find any actions in this regard.

However, in the engagement phase, InternetLab became aware of a rescission action nº 0802518-50.2020.4.05.0000, before the Regional Federal Court of the 5th region (TRF5). In it, the companies Claro, Vivo, TIM and Oi, through an action by Sinditelebrasil, questioned Anatel’s attempt to change the General Consumer Rights Regulation so that it would be possible to provide, to any recipient of telephone calls, personal information of the owner of the line originating the call. As they defended the non-alteration of the said regulation based, among others, on privacy and data protection arguments, the parameter was considered complied with. As much as InternetLab, exceptionally, recognized the action referred to above in view of its normative importance, we emphasize that, in line with the investigation of the public commitment of the companies under their brand, actions initiated in its own name by the telephone company, and not through associations or equivalents, are preferable for checking compliance with this parameter.

Actions considered in previous versions of Who Defends Your Data, such as Public Civil Action No. 0005292-42.2003.4.03.6110, which questions, among others, the delivery of data from a logic gate to police authorities, and the ADI 5642, from ACEL, were not considered, since they did not register changes.

Finally, to consider parameter II, referring to the contestation of abusive requests, we conducted exploratory searches in the database of the Court of Justice of the State of São Paulo and on the “Jusbrasil” portal, in both cases using the terms “NET AND secrecy AND breaches” and “NET S/A AND secrecy AND breaches” and by judgments published between August 1st 2019 and July 31st 2020. In the searches, no lawsuits were found in this regard. We emphasize that the choice of Jusbrasil as a secondary source is because it gathers judgments from all Brazilian state courts, instead of requiring a search in all individual courts.

CATEGORY 4. Public position in favor of privacy

Result:

In this category, NET got half a star, because it partially met parameter II.

Parameter I, relative to the company´s general positioning was not considered met. There were opportunities throughout the year, where companies providing Internet access had the opportunity to express their views on public policies and bills that affect users’ privacy. The postponement of the entry into force of the LGPD is an example in this regard.

After searching official government websites, specialized and traditional press and corporate pressrooms, we found no material in this regard. During the discussions in the National Congress, regarding the postponement of the LGPD, in addition, no participation by NET in the discussions at the Congress was found in its press releases etc.

In our searches, we discovered an article () published by the Olhar Digital portal, which stated that in November 2019, there was a security breach in the “My Claro Residencial” service portal that exposed personal data (full name, address, date of birth, CPF, e-mail and telephone numbers) of the operator’s customers. According to the report, more than 8 million customers had their data exposed.

In a note sent to ( ) the portal, Claro stated:

“Claro informs that it constantly invests in security policies and procedures, adopting strict measures to avoid undue actions against its customers. Regarding the reported fact, the company clarifies that it quickly identified and corrected, on November 14, any vulnerability in the My Claro Residencial application and no damage was identified to customers. Claro follows strict standards, with security mechanisms, which are periodically reviewed, in order to always guarantee the privacy of its customers. “

The wording was considered too general and unsatisfactory for the purposes of this report.

Parameter II, relating to the company’s position in the context of COVID-19, was considered met. In its Privacy Policy, in the item “Claro, its data and COVID-19”, the company informs:

“Claro, its data and COVID-19
Claro, in order to contribute with solutions that could alleviate the impact of the pandemic somewhat, is participating in two initiatives:
The “heat maps”:
First, most importantly: Claro does not identify you and does not monitor your movements. Claro simply counts the number of lines connected to each antenna at night and during the day, both to confirm if there is isolation and if there is agglomeration at some points.
The Push for Good: Claro allows for the possibility of several small businesses registering on this link. Claro advertises these offers, if you authorize the geolocation sharing in the NET-Claro Wi-Fi, My Claro and Claro Banca apps. With that, Claro gives you the opportunity to buy from a local commercial establishment and encourages business for these entrepreneurs”.

CATEGORY 5: Transparency reports and Data Protection Impact Assessment

Result:

In this category, NET obtained an empty star, as it did not meet any of the parameters.

Parameter V, in turn, related to the publication of Data Protection Impact Assessments, was also not considered met. No such documents were found in our searches.

CATEGORY 6: User notification

Result:

NET was not awarded a star, as there is no mention of the possibility of user notification in any of the documents analyzed.

OI BROADBAND

CATEGORY 1: Information on Policy and Data Protection

Result:

In this category, Oi Broadband obtained a ¾ star, as it met parameters I and V and partially met parameters II and IV.

Oi meets parameter I, having fulfilled all sub-parameters.

Sub-parameter (a), referring to the collected data, was considered fulfilled. In its Privacy Portal, the company informs:

What data we collect:
We collect your data when you voluntarily inform it. Also automatically, when you access our sites, use our services or interact with us. For example, we collect data such as name, email, address, gender, nationality and phone and document numbers, among others. In addition, financial information, such as bank details, bank slip numbers and your credit or debit card information.

In addition to this information, service data, statistics, Oi also collects consumption of your plans, location (when you activate the GPS on your mobile phone) and the way you use our website and applications.

In its Privacy Policy, the company informs exhaustively on the registration and contract data, the financial information, the location data, data on the use of the website and applications, service data, traffic and statistics collected.

We collect your registration and contract data
– Your name, social security number, ID number, passport number, affiliation, address (physical or email), mobile and home phone number, ICCID number (SIM card), date of birth, nationality and profession.
– CPF (Brazilian Tax Code), affiliation, bank details, payment slip numbers, invoice or debit account numbers and gender. – Content of mandate instruments (powers of attorney) used for contracting services
Alternatively, management of service contracts provided by Oi and business telephone numbers.
We collect your financial information
– Invoice information, such as history, payment dates, unpaid amounts or payments received.
– Credit or debit card information, bank account information and other bank information.
We collect your location data
Approximate location data, when you have activated the location function that uses data from the Global Positioning System (GPS) or other technology, and when referring to the signals identified by the base stations of Oi’s mobile network.
We collect your data on how to use Oi’s website and applications
The history of the mode of use and navigation performed by you in the most diverse means and platforms provided by Oi.
We collect your attendance data
The information provided in customer service, through any means provided by Oi.
We collect your traffic data
– The duration of the calls, the usage and the quantity of the packets or the data connection. Or how you are using the data.
– Consumption profile information.
We collect statistical data
Oi surveys information from usage logs to map the profile of voice and data traffic.

Sub-parameter (b), referring to the situations in which the collection takes place, was also considered fulfilled. This is because in the “What data collected” section of the Privacy Portal (see excerpt above), the customer is informed that the data is collected when accessing the website, using the company’s services, activating the cell phone’s GPS and using the website and applications. The Privacy Policy specifies the collection of data on the use of contracted products and services, call history, service data, top-up transactions, among others. It was considered that such information is capable of detailing the situations in which the collection occurs.

Sub-parameter (c), referring to the purpose of data processing, was considered met. In the “Why we use your personal data,” section of the Privacy Portal, the company informs clients that it collects the data to “provide the services you have contracted”. It also informs us that it uses the data to prevent fraud, create offers according to the customer’s profile and “improve” the user experience, both on the website and with the applications.

WHY WE USE YOUR PERSONAL DATA
Most of the time, to be able to provide the services you have contracted. But also to constantly improve the quality of our products, prevent fraud, create offers according to your profile and improve your experience when using our website or applications.

In the Privacy Policy, such information is separated into a table, in which the purpose of its usage is specified, which data are processed and on what legal basis.

In the same document, the company also details what the legal bases are for data processing:

The legal bases for data processing
Oi may process your personal data based on the following legal bases:
– For the correct execution of the contract or provision of the contracted service, or even for any necessary preliminary procedures, and to attend to your eventual requests.
– Or the compliance of legal or regulatory obligations
– In meeting their legitimate interest or the interest of the Oi Group, including, but not limited to, supporting and promoting their activities and in protecting, in relation to the clients, the regular exercise of their rights or provision of services that benefit them somehow.
– By providing your consent, through free, informed and unambiguous expression, for a specific purpose.
– For fraud prevention and security measures.
– For the regular exercise of rights in the context of judicial or administrative proceedings.
– For shared use of data with the Public Administration, for the necessary use for the implementation of public policies provided for in laws and regulations or supported by contracts, agreements or similar instruments

The company details exhaustively the data processed, as well as its purposes and legal basis. We consider that the way the company specifies such information is positive.

Sub-parameter (d), referring to how it is used, was considered fulfilled. In the section “The legal bases for data processing” of the Privacy Policy (see excerpt above), the company details how it is used, specifying that the data is used “for the correct execution of the contract or provision of the contracted service”, “For the regular exercise of rights in the context of judicial or administrative proceedings”, “for shared use of data with the Public Administration” etc. It was considered that such information is capable of detailing the way personal data is used.

Finally, the sub-parameter (e), relating to information regarding the rights of holders and the means to exercise those rights, was also considered met. In its Privacy Policy, in the section “What are your rights”, the company informs on what are the rights on personal data provided for in the LGPD (right of access and confirmation of use, correction, deletion), objection, portability, anonymity, request for information and the right to provide or revoke consent) and inform by email on how to exercise these rights. In addition, the company informs that, in order to meet certain legal requirements, it cannot delete or make data anonymous that “is inherent to the provision of the service by Oi”; unless there is a court order to do so.

The General Data Protection Act (LGPD) gives you rights over your personal data, as shown below.
Right of access and confirmation of usage: you have the right to confirm the manner in which your personal data is used and of access to and to request a copy of that data, except in cases of legal secrecy.
Right of correction: you also have the right to request rectification, updating or supplementation of your personal data.
Right of elimination: you can request the deletion of your personal data, unless another legal hypothesis is applicable that prevents exclusion or that makes the continuity of its use necessary.
Right of objection: you can request, temporarily or permanently, the interruption of the use of all or some of your personal data, except if another legal hypothesis that prevents exclusion or that makes it necessary to continue using it is applicable.
Right to Portability: you can request your personal data in a structured way, so that it can be transmitted to another service or product provider, upon request.
Anonymity: you can request that your personal processes data become anonymous, and may require the blocking or elimination of any data considered unnecessary or excessive for the purpose applicable to the specific case or in the event of any use in violation of the applicable legislation, unless, another legal hypothesis is in use that prevents the anonymity, blocking or deletion of such data or that makes it necessary to continue its treatment.
Sharing information: you can request information about public or private entities with which your personal data has been shared for the objective of fulfillling the purposes set out in this Privacy Policy, with the exception of cases of legal secrecy.
Consent: you can also provide and revoke, at any time, the consent previously given to Oi upon express expression, in addition to requesting information about the possibility of not providing consent and about the possible consequences of the refusal.

You can exercise these rights at any time. Just send a message to the email PP-PriváciaDireitoTitular@oi.net.br

You acknowledge that the terms of the rights cited on this page will be ensured by the legal and regulatory terms applicable in each individual case.

Elimination and anonymity
In order to meet certain legal requirements established by regulatory organs or regulatory bodies, with the exception of a court order, data that are inherent to Oi’s service provision, such as subscriber data, billing data, location data and traffic data, cannot be eliminated or made anonymous.

Oi Broadband partially complies with parameter II, having complied with sub-parameter (e), and partially with sub-parameter (c).

Sub-parameter (a), referring to the time and location of data storage, was considered partially fulfilled. Regarding the storage time, the company informs, in the section “retention and end of the use of personal data” in its Privacy Policy, only that the data is kept for a time “strictly necessary for the fulfillment of legal and regulatory obligation after the fulfillment of the contract”, without providing, however, more information. The company does not establish minimum or maximum terms for which the company stores its customer data.

Retention and termination of the processing of personal data
Oil may keep your personal data stored after the end of the contract or the end of the service contracted by you, according to the strict necessities for the fulfillment of the legal or regulatory obligation to which we are subject. Further still, to exercise any right of Oi in administrative, judicial or extrajudicial proceedings, without prejudice to the application of the cases mentioned by art. 16 of the General Personal Data Protection Act (LGPD).
– The personal data used to provide you with a personalized experience will be kept exclusively for the time allowed, in accordance with current legislation.
– Your personal data will be treated only for the period necessary to achieve the intended purposes, as established in item 3 of this Privacy Policy.

As for the data storage location, the Privacy Policy does not offer any information about the data storage location. Such information was also not found in any of the company’s contracts.

As for sub-parameter (b), referring to when / if the data is erased, it was not considered attended to. The company does not clearly establish when data is deleted. The company only informs, in the section “Retention and end of the treatment of personal data” of the Privacy Policy” (see excerpt above) that it keeps the data stored only “as it proves to be strictly necessary for the fulfillment of legal or regulatory obligation”, without expressly providing for data erasure.

As for sub-parameter (c), referring to which safety practices it observes, it was considered that it was partially complied with. In clause 11.3 of the Broadband Adhesion Contract, the company makes a generic mention regarding the preservation of the confidentiality of subscriber data and connection records, without, however, providing any information on how this data would be protected. In its Sustainability Report (p. 31), the company states that the security actions applied to customer information are based on “applicable legal standards, network technology standards, and team awareness.

16:11. Oi is committed to respecting the preservation of intimacy, private life, honor and the image of the parties directly or indirectly involved with regard to data confidentiality, both the subscriber data and those relating to connection records. ”

“Actions for the security of customer information exchanged across the Company are based on the applicable legal norms and seek to define network technology standards and team awareness, mainly in the areas of business, information technology and engineering.
The flow of approvals will assess whether the user needs to have access or not to the package of information being exchanged. Information security management guarantees the minimum-security requirements in product research and development, as well as in tests prior to entry into production, and acts in providing customer information (p. 31).”

In its Privacy Policy, in the “Information Security” section, the company informs:

Information security
Oi is committed to ensuring the security and maintenance of the protection of your stored personal data with the adoption of technical and administrative measures capable of protecting personal data exported from unauthorized access and accidental or illegal situations, in accordance with applicable laws.
Oi’s employees are committed to ensuring the security of your personal data and to respect this Privacy Policy, under penalty of suffering disciplinary sanctions in case of violation of these rules.
We hope that you will also contribute to security by keeping your personal data safe. When registering on Oi’s platforms, choose a password strong enough to prevent others from guessing it.
Oi recommends that you never reveal or share your password with others. You
You are solely responsible for keeping your password confidential and for any action taken through your account on the Oi Group websites and services.
The protections mentioned in this section do not apply to information that you have chosen to share in public areas, such as forums and social networks of other companies.
Oi undertakes to disclose any security incident to you and to the competent organs and bodies and what measures will be applied in this case.

The information contained in the both documents is too vague and brings little guarantees to customers about the practices adopted by the company. The company does not inform, for example, which security standards it adopts, which guidelines it follows, whether encryption is used to transfer personal data from users’ devices or what the principles of information security are that it follows. However, because there is concern in mentioning the topic, the parameter was considered partially met.

Sub-parameter (d), referring to who has access to the data, was not considered met. In the “Information security” section (see excerpt above), the company only informs that it adopts measures to protect data from “unauthorized access”, but does not offer any information about who has access to personal data.

Sub-parameter (e), referring to the third parties with whom the data is shared, was considered as having been met. In its Privacy Policy, the company informs which third parties it shares the data with and for what purposes:

Data sharing
Oi does not share your personal data with companies, organizations or third parties, only in the cases below, and always in accordance with this Privacy Policy and other appropriate security and confidentiality measures:
– Among Oi Group companies for maintenance, promotion and improvement of services.
– For business partners in the development of promotions and joint commercial actions with Oi.
– For marketing service providers, such as email marketing, SMS and serving online ads.
– For sales partners and franchised stores, in collaboration with the sales of products and services provided by Oi.
– For third parties hired or authorized for care related to the execution or management of Oi services, such as, for example, technical support and repair service providers, data analysis, consultancy, invoice printing, credit protection system consultations and customer service centers.
– For government authorities, such as, for example, police authorities, prosecutors, courts of law, consumer protection agencies or Anatel, due to legal, regulatory, judicial orders or other requests from authorities with powers to do so, to protect damage to the property or safety of the Oi Group or its customers, as requested or permitted by law.
– For credit protection institutions, to reduce credit risk and fraudulent use of Oi services.
– For third parties, not provided for here, with your specific consent.
– For debt collection agencies, in cases of default.
– For third parties, due to corporate restructuring in the Oi Group.

Oi will ask you for specific consent to share any sensitive personal data

Finally, regarding sub-parameter (f), relating to the purposes of data sharing with third parties, it was also considered met, The Privacy Policy informs, in some cases, the purpose of data sharing (see excerpt above), as for example, by legal obligation, to reduce the risk of credit and fraudulent use, in cases of default and due to corporate restructuring.

Parameter III, which assesses whether the company responded in a timely manner to requests for access to data by InternetLab members, was not considered met. In a request made by e-mail to ouvidoria@oi.net.br, the response obtained from the company was that “the operator does not provide personal data, by normal means”, and that this request could only be answered only through a court order.

Parameter IV, which assesses whether the company promises to send notifications to the user when updating its privacy policies, was considered met. In its Privacy Policy, the company states that in case of changes to the document, the company will disclose it “immediately through a notice highlighted on the homepage” of the website and in other communication channels. Although the company does not commit to sending notifications to the user, we consider the communication effort to be positive and, therefore, the parameter was considered partially met. However, we emphasize that it is recommended that the company send notifications to the user in the event of updating its policies, since the burden of keeping up to date cannot fall only on the user.

Privacy Policy Corrections
Oi has the right, when necessary, without prior notice and with immediate effect, to change, add or revoke, partially or totally, this Privacy Policy, as long as it is in accordance with current legislation. We recommend that you visit this page frequently, or whenever you have questions, to follow any updates or changes to our Privacy Policy. In the event of changes to our Privacy Policy, we will immediately disclose it through a prominent notice on the homepage of our website and in other communication channels and through Oi’s relationship with its customers.

Finally, parameter V, referring to the accessibility of information on privacy and data protection, was considered partially met. This is because Oi has a Privacy Portal, mentioned above, with clear information on the topic. The portal can be easily accessed at the bottom of Oi’s homepage.

The information on the Privacy Portal can be found in more detail in the company’s Privacy Policy. It is important to note, however, that information about the sharing of personal data is not included in the Privacy Portal, and is found only in the Privacy Policy. We recommend that such data are also present on the Portal, for the purpose of greater transparency.

CATEGORY 2. Law enforcement guidelines

Result:

In this category, Oi Broadband obtained ¼ of astar, as it partially met parameters I and IV

Parameter I, referring to the identification of the authorities competent to request data, was considered partially fulfilled. In clause 11 of the Broadband Adhesion Contract, which provides for Oi’s obligations, the company undertakes to provide subscriber data only to competent administrative authorities

11.15 Provide subscriber data, without the need for a prior court order, only to administrative authorities that have legal competence to make the requisition. ”

In its Privacy Policy, the company claims it shares data with government authorities, such as “Police authorities, the Public Prosecution Service, Courts of Justice, consumer protection agencies or Anatel, due to legal, regulatory, court order or other requests from authorities empowered to do so ”.However, the company does not discriminate with which of the aforementioned authorities sharing is carried out without a court order and which of the authorities may have access to the data only with judicial authorization. Although the company identified the authorities, the wording was considered unsatisfactory and for that reason, the parameter was considered only partially fulfilled.

Privacy policy:
Data sharing
Oi does not share your personal data with companies, organizations or third parties, only in the cases below, and always in accordance with this Privacy Policy and other appropriate security and confidentiality measures:
– For government authorities, such as, for example, police authorities, prosecutors, courts of law, consumer protection agencies or Anatel, due to legal, regulatory, judicial orders or other requests from authorities with powers to do so, to protect damage to the property or safety of the Oi Group or its customers, as requested or permitted by law.
– For credit protection institutions, to reduce credit risk and fraudulent use of Oi services.

Parameter II, referring to the identification of the competent authorities and the crimes within which the requisition occurs, was not considered met. No mention of the topic was found in the documents of Oi Broadband analyzed or in the Privacy Policy.

Parameter III, referring to the provision of information on geolocation data, was also not considered met. No mention of the topic was found in the documents of Oi Broadband analyzed or in the Privacy Policy.

Parameter IV, referring to the promise to provide connection records only by court order strictly under the terms of the legal regulatory use of the internet, was also not considered as complied with. Oi Broadband foresees in the contract that connection records are only made available by order of a judge. However, the excerpt is not strictly limited to the terms of the legal regulatory use of the internet (that is, it does not specify that only the date and time of the start and end of an internet connection, its duration and the IP address used will be shared).

11.14. make available the connection and access records to internet applications, autonomously or associated with personal data or other information that may contribute to the identification of the user or the terminal, by court order”

Finally, parameter V, relating to the existence of specific guidelines on data delivery to the state, was also not considered met. In our searches, no documents on this could be found.

CATEGORY 3: Defence of users in the Judiciary

Result:

In this category, Oi Broadband obtained a full star, having met both parameters.

However, in the engagement phase, InternetLab became aware of a rescission action no. 0802518-50.2020.4.05.0000, before the Regional Federal Court of the 5th region (TRF5). In it, the companies Claro, Vivo, TIM and Oi, through an action by Sinditelebrasil , questioned Anatel’s attempt to change the General Consumer Rights Regulation so that it would be possible to provide, to any recipient of telephone calls, personal information of the owner of the line from which the call originated. As they defended the non-alteration of the said regulation based, among other issues, on privacy and data protection arguments, the parameter was considered complied with. As much as InternetLab, exceptionally, recognized the action referred to above in view of its normative importance, we emphasize that, in line with the investigation of the public commitment of the companies under their brand, actions initiated in its own name by the telephone company, and not through associations or equivalents, are preferable for checking compliance with this parameter.

Actions considered in previous versions of Who Defends Your Data, such as ACEL’s Direct Unconstitutionality Action (ADI) 5642, were not considered, as they did not register changes.

Finally, parameter II, referring to the contestation of abusive requests, was considered met. We conducted exploratory searches in the database of the Court of Justice of the State of São Paulo and in the portal “Jusbrasil”, in both cases by the terms “Oi S /A AND privacy AND breaches” and by judgments published between January 8th, 2019 and July 31st, 2020, and two actions were found in this regard: HC 2205750-04.2019.8.26.0000, at the Court of Justice of São Paulo, and HC 5575105.48.2019.8.09.0000, at the Court of Justice of the State of Goiás. In both actions, the company questions court orders for access password, subscriber data, connection records and location data, both generic requests and for those without suitable or specific reasons. We emphasize that the choice of Jusbrasil as a secondary source is because it gathers judgments from all Brazilian state courts, instead of requiring a search in all individual courts.

In the engagement phase, the company informed InternetLab – that the proper suppression of the parties’ personal data occurred – in processes in which the company contested a request for breach of data confidentiality that would affect users who had nothing to do with the facts investigated.

CATEGORY 4: Public position in favour of privacy

Result:

In this category, Oi Broadband obtained ½ of a star, as it met parameter II.

After searching official government websites, specialized and traditional press and corporate pressrooms, we found no material in this regard. During the discussions in the National Congress, regarding the postponement of the LGPD, in addition, no participation by Oi in the discussions at the Congress was found in its press releases etc.

In the engagement phase, Oi informed InternetLab about some of the company’s initiatives, which were publicly reported, to comply with the LGPD (1, 2, 3, 4). Although the effort to adapt to the Law is positive, the statement was not considered satisfactory for the evaluation of the parameter. This is because the company’s performance was restricted to legal compliance, but not assuming a clearly pro-privacy stance or specifically defending the approval of rules or adoption of techniques that increase the protection of users, in addition to what is already provided for by law.

It is also worth mentioning that in its Sustainability Report, Oi states that, in partnership with SindiTelebrasil, it participated in the discussion of bills at the federal level and with provisional measures that it provides for data protection. However, it does not mention which bills or what positions the company adopted and, in our searches; we did not find any documents or news that indicated the company’s participation in these discussions.

Important discussions about federal legislation in the telecommunications sector took place in 2018. In partnership with the National Union of Telephone and Cellular and Personal Mobile Service Companies (SindiTelebrasil), we participated in the discussion of several bills at the federal level, including: (…) Provisional measures of interest to the telecommunications sector, especially those dealing with tax matters and the protection of personal data. (p. 39)

Furthermore, we also found a news item according to which Vivo, Net and Oi would have shared, among themselves, “personal data of citizens without specific coverage to leverage the number of customers attended to”. According to the report, from the TecMundo portal, the suspicion arises after reports from users who, after contacting one of the companies and receiving a negative response to the provision of internet coverage in their area, were contacted by the other companies to offer other internet plans. The company’s telemarketing attendants confirmed these reports. In a reply on their Portal Oi states:

“Oi informs that it follows the current legislation in relation to telemarketing services and that it preserves the confidentiality of its customers’ personal data. The company adds that it will investigate the case reported by the vehicle”.

However, no explanations were given for the users’ reports or the confirmations by the attendants, nor were norms or techniques that could cope with the allegations specifically defended. For this reason, the company’s response was considered too general and unsatisfactory for the purposes of this report.

Parameter II, relating to the company’s position in the context of COVID-19, was considered met.

Oi, as well as other telecommunications companies, has committed to supply the geolocation data of the mobile lines to the Ministry of Science and Communication (MCTIC). In a section of the website created specifically to address the measures adopted by the company to tackle the COVID-19 pandemic, Oi states that the data provided to the MCTIC are intended only to combat the pandemic and the data will be organized in an aggregated and anonymous way, in accordance with the terms of the LGPD and the legal regulatory framework for use of the internet. It is worth mentioning, however, that the company does not specify what security practices and techniques were adopted to ensure the anonymity of shared data.

“The main mobile phone operators, acting in partnership, are offering MCTIC a unique data solution to monitor population mobility, displacement, agglomeration points and to identify situations of concentration of people and risk of contamination by the new coronavirus. The operators – Algar Telecom, Claro, Oi, Tim and Vivo – will provide the mobility data emitted by cell phones on their mobile networks to MCTIC, which has a room for monitoring this subject and will be able to make the information available to all spheres of public power. The data provided are aimed exclusively at combating covid-19.

With this solution, the data will be stored in a public cloud (Data Lake) and organized in an aggregated, statistical and anonymous way, in accordance with the rules of the General Data Protection Law (LGPD) and the civil Internet Legal Framework (Marco Civil da Internet). Operators will also develop applications and use cases to assist public agencies in mapping the evolution of the new coronavirus epidemic. The initiative could also evolve through an invitation to other companies, universities and start- ups to participate, adding more anonymous and statistical data to Data Lake, or even for the development of other applications and cases. ”

In addition, the company also took a position on Provisional Measure 954/2020, which required telecommunications companies to share customer data with IBGE, the Brazilian Institute of Geography and Statistics, “for the purpose of supporting official statistical production during the emergency situation in public health of international importance due to the coronavirus (COVID-19)”. The Federal Supreme Court with the judgment of ADIs 6,387, 6,388, 6,389, 6,390 and 6,393, however, suspended the MP’s effectiveness.

In an event organized by TeleTime and Mobile Time, “Telecommunications in times of uncertainty: four perspectives”, Oi defended the delivery of data to IBGE by the signing of terms of responsibility:

“We will have to hand it over to IBGE, but upon signing a term of responsibility. Even with the MP, we understand that there should be a receipt, and from there, all the instructions for use and, later, destruction of the information. (…) What is public, we already provide. What is private, and in this case it is massive, is happening through an act of force of the MP, and we still have no outcome. It is recent information, and it has a seven-day term, despite some other factors running in parallel”

We commend Oi’s stance for participating in the discussion on MP 954/2020 and consider that the statements at the event, as well as the information on the company’s website, constitute a public position in favor of privacy, in the context of the COVID-19 pandemic.

CATEGORY 5: Transparency reports and Data Protection Impact Assessment

Result:

In this category, Oi Broadband obtained an empty star, as it did not meet any of the parameters.

parameters I to IV, relating to the publication of transparency reports in Portuguese, accessibility, periodicity of the report and information on data access requests, were not considered met. The company publishes Sustainability Reports every two years, however, the document does not contain significant information about privacy and data protection.

On pg. 31 of the 2018 Sustainability Report, there is information that, in 2018, 694 complaints were received through Anatel channels about the misuse of subscriber data. In 2017, that number was 819 and in 2016, it was 983. On pg. 62, the company claims that the total number of substantiated complaints regarding breaches of privacy and loss of customer data amounted to 31 cases.

However, the company does not publish order statistics, nor does it discriminate between the responsible authorities or the grounds they present and, therefore, the parameter was not considered met.

Parameter V, in turn, relating to the publication of Data Protection Impact Assessments, was also not considered met. No relevant documents were found in our searches.

CATEGORY 6: User notification

Result:

Oi Broadband was not awarded a star, as there is no mention of the possibility of user notification in any of the documents analyzed.

OI MOBILE

CATEGORY 1. Information on data protection policy

Result:

In this category, Oi Mobile was awarded ¾ of a star, as it fulfilled parameters I and V and partially fulfilled parameters II and IV. Although telephone contracts offer little information about the company’s data processing practices, we found that some information is available on the Privacy Portal, on OI’s website and in the Privacy Policy.

Oi meets parameter I, having fulfilled all sub-parameters.

Sub-parameter (a), referring to the collected data, was considered fulfilled. In its Privacy Portal, the company informs:

What data we collect:
We collect your data when you voluntarily inform it. Also automatically, when you access our sites, use our services or interact with us. For example, we collect data such as name, email, address, gender, nationality and phone and document numbers, among others. In addition, financial information, such as bank details, bank slip numbers and your credit or debit card information.
In addition to this information, Oi also collects service data, statistics, such as consumption of data of your plans, location (when you activate the GPS on your mobile phone) and the way you use our website and applications.

We collect your registration and contract data
– Your name, social security number, ID number, passport number, affiliation, address (physical or email), mobile and home phone number, ICCID number (SIM card), date of birth, nationality and profession.
– CPF number, affiliation, bank details, payment slip numbers, invoice or debit account numbers and gender. – Content of mandate instruments (powers of attorney) used for contracting services
Or management of service contracts provided by Oi and business telephone numbers.
We collect your financial information
– Invoice information, such as history, payment dates, unpaid amounts or payments received.
– Credit or debit card information, bank account information and other bank information.
We collect your location data
Approximate location data, when you have activated the location function that uses data from the Global Positioning System (GPS) or other technology, and when referring to the signals identified by the base stations of Oi’s mobile network.
We collect your data on how to use Oi’s website and applications
The history of the mode of use and navigation performed by you through the most diverse means and platforms provided by Oi.
We collect your attendance data
The information provided in customer service, through any means provided by Oi.
We collect your traffic data
– The duration of the calls, the usage and the quantity of the packets or the data connection. Or how you are using the data.
– Consumption profile information.
We collect statistical data
Oi surveys information from usage logs to map the profile of voice and data traffic.

WHY WE USE YOUR PERSONAL DATA
Most of the time, to be able to provide the services you have contracted. Also, to constantly improve the quality of our products, prevent fraud, create offers according to your profile and improve your experience when using our website or applications.

In the Privacy Policy, such information is separated into a table, in which the purpose of its usage is specified, which data are processed and on what legal basis.

In the same document, the company also details what the legal bases are for data processing a:

The legal bases for data processing
Oi may process your personal data according to the following legal bases:
– For the correct execution of the contract or provision of the contracted service, or even for any necessary preliminary procedures, and to attend to your eventual requests.
– For the compliance of legal or regulatory obligation
– In meeting their legitimate interest or the interest of the Oi Group, including, but not limited to, supporting and promoting their activities and in protecting, in relation to the clients, the regular exercise of their rights or provision of services that benefit them somehow.
– By providing your consent, through free, informed and unambiguous expression, for a specific purpose.
– For fraud prevention and security measures.
– For the regular exercise of rights in the context of judicial or administrative proceedings.
– For shared use of data with the Public Administration, for the necessary use for the implementation of public policies provided for in laws and regulations or supported by contracts, agreements or similar instruments

The company details exhaustively the data processed, as well as its purposes and legal basis. We consider that the way the company specifies such information is positive.

The General Data Protection Act (LGPD) gives you rights over your personal data, as shown below.
Right of access and confirmation of data usage: you have the right to confirm the manner in which your personal data is used and of access to and to request a copy of that data, except in cases of legal secrecy.
Right of correction: you also have the right to request rectification, updating or supplementation of your personal data.
Right of elimination: you can request the deletion of your personal data, unless another legal hypothesis is applicable that prevents exclusion or that makes the continuity of its use necessary.
Right of objection: you can request, temporarily or permanently, the interruption of the use of all or some of your personal data, except if another legal hypothesis that prevents exclusion or that makes it necessary to continue using it is applicable.
Right to Portability: you can request your personal data in a structured way, so that it can be transmitted to another service or product provider, upon request.
Anonymity: you can request that your personal data processed become anonymous, and may require the blocking or elimination of any data considered unnecessary or excessive for the purpose applicable to the specific case or in the event of any use in violation of the applicable legislation, unless, another legal hypothesis is in use that prevents the anonymity, blocking or deletion of such data or that makes it necessary to maintain it.
Sharing information: you can request information about public or private entities with which your personal data has been shared for fulfillling the purposes set out in this Privacy Policy, with the exception of cases of legal secrecy.
Consent: you can also provide and revoke, at any time, the consent previously given to Oi upon express request, in addition to requesting information about the possibility of not providing consent and about the possible consequences of the refusal.

You can exercise these rights at any time. Just send a message to the email PP-PriváciaDireitoTitular@oi.net.br

You acknowledge that the terms of the rights cited on this page will be ensured by the legal and regulatory terms applicable in each individual case.

Elimination and anonymity
In order to meet certain legal requirements established by regulatory organs or regulatory bodies, with the exception of a court order, data that are inherent to Oi’s service provision, such as subscriber data, billing data, location data and traffic data, cannot be eliminated or made anonymous.

Oi Broadband partially meets parameter II by fulfilling sub-parameter (e), and partially sub-parameter (c).

Sub-parameter (a), referring to the time and location of data storage, was considered partially fulfilled. Regarding the storage time, the company informs, in the section “retention and end of the use of personal data” in its Privacy Policy, that the data is only kept for a time “strictly necessary for the fulfillment of legal and regulatory obligation after the fulfillment of the contract”, without providing, however, more information. The company does not establish minimum or maximum terms for which the company stores its customer data.

Retention and termination of the processing of personal data
Oi may keep your personal data stored after the end of the contract or the end of the service contracted by you, according to the strict necessities for the fulfillment of the legal or regulatory obligation to which we are subject. Alternatively, to exercise any right of Oi in administrative, judicial or extrajudicial proceedings, without prejudice to the application of the cases mentioned by art. 16 of the General Personal Data Protection Act (LGPD).
– The personal data used to provide you with a personalized experience will be kept exclusively for the time allowed, in accordance with current legislation.
– Your personal data will be used only for the period necessary to achieve the intended purposes, as established in item 3 of this Privacy Policy.

As for the data storage location, the Privacy Policy does not offer any information about the data storage location. Such information was also not found in any of the company’s contract

With regards to sub-parameter (b) referring to when / if data will be deleted, the measure was not considered met. The company does not clearly establish when data is deleted. The company only informs, in the section “Retention and end of the treatment of personal data” of the Privacy Policy” (see excerpt above) that it keeps the data stored only “as it proves to be strictly necessary for the fulfillment of legal or regulatory obligation”, without expressly providing for data erasure.

As for sub-parameter (c), referring to which safety practices it observes, it was considered that it was partially complied with. In clause 16.11 of the Broadband Adhesion Contract, the company makes a generic mention regarding the preservation of the confidentiality of subscriber data and connection records, without, however, providing any information on how this data would be protected. In its Sustainability Report (p. 31), the company states that the security actions applied to customer information are based on “applicable legal standards, network technology standards, and team awareness.

16:11. Oi is committed to respecting the preservation of intimacy, private life, honor and the image of the parties directly or indirectly involved with regard to data confidentiality, both the subscriber data and those relating to connection records. ”

“Actions for the security of customer information exchanged across the Company are based on the applicable legal norms and seek to define network technology standards and team awareness, mainly in the areas of business, information technology and engineering.
The flow of approvals will assess whether the user needs to have access or not to the package of information being exchanged. Information security management guarantees the minimum-security requirements in product research and development, as well as in tests prior to entry into production, and acts in providing customer information (p. 31). ”

In its Privacy Policy, in the “Information Security” section, the company informs:

Information security
Oi is committed to ensuring the security and maintenance of the protection of your stored personal data with the adoption of technical and administrative measures capable of protecting personal data exported from unauthorized access and accidental or illegal situations, in accordance with applicable laws.
Oi’s employees are committed to ensuring the security of your personal data and to respect this Privacy Policy, under penalty of suffering disciplinary sanctions in case of violation of these rules.
We hope that you will also contribute to security by keeping your personal data safe. When registering on Oi’s platforms, choose a password strong enough to prevent others from guessing it.
Oi recommends that you never reveal or share your password with others. YOU
You are solely responsible for keeping your password confidential and for any action taken through your account on the Oi Group websites and services.
The protections mentioned in this section do not apply to information that you have chosen to share in public areas, such as forums and social networks of other companies.
Oi undertakes to disclose any security incident to you and to the competent organs and bodies and what measures will be applied in such a case.

Such information contained in both documents is too vague and gives little guarantees to customers about the practices adopted by the company. The company does not inform, for example, which security standards it adopts, which guidelines it follows, whether encryption is used to transfer personal data from users’ devices or what the principles of information security are that it follows. However, because there is concern in mentioning the topic, the parameter was considered partially met.

Sub-parameter (e), referring to the third parties with whom the data is shared, was considered met. In its Privacy Policy, the company informs which third parties it shares the data with and for what purposes:

Data sharing
Oi does not share your personal data with companies, organizations or third parties, only in the cases below, and always in accordance with this Privacy Policy and other appropriate security and confidentiality measures:
– Among Oi Group companies for maintenance, promotion and improvement of services.
– For business partners in the development of promotions and joint commercial actions with Oi.
– For marketing service providers, such as email marketing, SMS and serving online ads.
– For sales partners and franchised stores, in collaboration with the sales of products and services provided by Oi.
– For third parties hired or authorized for care related to the execution or management of Oi services, such as, for example, technical support and repair service providers, data analysis, consultancy, invoice printing, credit protection system consultations and customer service centers.
– For government authorities, such as, for example, police authorities, prosecutors, courts of law, consumer protection agencies or Anatel, due to legal, regulatory, judicial orders or other requests from authorities with powers to do so, to protect damage to the property or safety of the Oi Group or its customers, as requested or permitted by law.
– For credit protection institutions, to reduce credit risk and fraudulent use of Oi services.
– For third parties, not provided for here, with your specific consent.- For debt collection agencies, in cases of default.
– For third parties, due to corporate restructuring in the Oi Group.

Oi will ask for your specific consent to share any sensitive personal data.

Parameter IV, which assesses whether the company promises to send notifications to the user when updating its privacy policies, was considered met. In its Privacy Policy, the company states that in case of changes to the document, the company will disclose, “immediately through a notice highlighted on the homepage” of the website and in other communication channels. Although the company does not commit to sending notifications to the user, we consider the communication effort to be positive and, therefore, the parameter was considered partially met. However, we emphasize that it is recommended that the company send notifications to the user in the event of updating its policies, since the burden of keeping up to date cannot fall only on the user.

Privacy policy Corrections
Oi has the right, when necessary, without prior notice and with immediate effect, to change, add or revoke, partially or totally, this Privacy Policy, as long as it is in accordance with current legislation. We recommend that you visit this page frequently, or whenever you have questions, to follow any updates or changes to our Privacy Policy. In the event of changes to our Privacy Policy, we will immediately disclose it through a prominent notice on the homepage of our website and in other communication channels and through Oi’s relationship with its customers.

Finally, parameter V, referring to the accessibility of information on privacy and data protection, was considered partially met. This is because Oi has a Privacy Portal, mentioned above, with clear information on the topic. The portal can be easily accessed at the bottom of Oi’s homepage.

CATEGORY 2. Law enforcement guidelines

Result:

In this category, Oi Mobile obtained a ¼ of a star, as it partially met parameters I and IV.

Parameter I, referring to the identification of the authorities competent to request data, was considered partially fulfilled. In clause 16 of the Post-Paid Personal Mobile Service Contract, the company undertakes to provide subscriber data only to competent administrative authorities.

16.13 Oi promises to provide subscriber data, without the need for a prior court order, only to administrative authorities that have legal competence to make the requisition. ”

In its Privacy Policy, the company claims it shares data with government authorities, such as “police authorities, the Public Prosecution Service, Courts of Justice, consumer protection agencies or Anatel, through legal, regulatory, court orders or other requests from authorities empowered to do so”. However, the company does not discriminate with which of the aforementioned authorities sharing is carried out without a court order and which of the authorities may have access to the data only with judicial authorization. Although the company identified the authorities, the wording was considered unsatisfactory and for that reason the parameter was considered partially fulfilled.

Privacy Policy
Data sharing
Oi does not share your personal data with companies, organizations or third parties, only in the cases below, and always in accordance with this Privacy Policy and other appropriate security and confidentiality measures:
– For government authorities, such as, for example, police authorities, prosecutors, courts of law, consumer protection agencies or Anatel, due to legal, regulatory, judicial orders or other requests from authorities with powers to do so, to protect damage to the property or safety of the Oi Group or its customers, as requested or permitted by law.
– For credit protection institutions, to reduce credit risk and fraudulent use of Oi services.

Parameter II, referring to the identification of the competent authorities and the crimes within which the requisition occurs, was not considered met. No mention of the topic was found in the Oi Mobile documents analyzed or in the Privacy Policy.

Parameter III, referring to the provision of information on geolocation data, was also not considered met. No mention of the topic was found in the Oi Mobile documents analyzed or in the Privacy Policy.

Parameter IV, referring to the promise to provide connection records only by court order strictly under the terms of the legal regulatory use of the internet, was also not considered as complied with. Oi Móvel provides in its pre- and post-paid contracts that connection records are only made available by order of a judge. However, the excerpt is not strictly limited to the terms of the legal regulatory use of the internet (that is, it does not specify that only the date and time of the start and end of an internet connection, its duration and the IP address used will be shared). However, because it differentiates the delivery of connection logs and access to internet applications, the parameter was considered partially fulfilled.

16.12 Oi promises to make available the connection and access records to internet applications, autonomously or associated with personal data or other information that may contribute to the identification of the user or the terminal, by court order”

Finally, parameter V, relating to the existence of specific guidelines on data delivery to the state, was also not considered met. In our searches, no documents concerning this issue could be found.

CATEGORY 3: Defence of users in the Judiciary

Result:

In this category, Oi Mobile obtained a full star, as it met the two parameters.

However, in an earlier engagement phase, InternetLab became aware of rescission action nº 0802518-50.2020.4.05.0000, before the Regional Federal Court of the 5th region (TRF5). In it, the companies Claro, Vivo, TIM and Oi, through an action by Sinditelebrasil , questioned Anatel’s attempt to change the General Consumer Rights Regulation so that it would be possible to provide, to any recipient of telephone calls, personal information of the owner of the line from which the call originated. As they defended the non-alteration of the said regulation based, among others, on privacy and data protection arguments, the parameter was considered complied with. As much as InternetLab, exceptionally, recognized the action referred to above in view of its normative importance, we emphasize that, in line with the investigation of the public commitment of the companies under their brand, actions initiated in its own name by the telephone company, and not through associations or equivalents, are preferable for checking compliance with this parameter.

Actions considered in previous versions of Who Defends Your Data, such as ACEL’s Direct Unconstitutionality Action (ADI) 5642, were not considered, as they did not register any changes.

Finally, parameter II, referring to the contestation of abusive requests, was considered met. We conducted exploratory searches in the database of the Court of Justice of the State of São Paulo and in the portal “Jusbrasil”, in both cases by the terms “Oi S/A AND privacy AND breaches” and by judgments published between January 8th, 2019 and July 31st, 2020, and two actions were found in this regard: HC 2205750-04.2019.8.26.0000, at the Court of Justice of São Paulo, and HC 5575105.48.2019.8.09.0000, at the Court of Justice of the State of Goiás. In both actions, the company questions court orders for accessíng password, subscriber data, connection records and location data, both generic requests and without suitable or specific reasons. We emphasize that the choice of Jusbrasil as a secondary source is because it gathers judgments from all Brazilian state courts, instead of requiring a search in all individual courts.

In the engagement phase, the company informed InternetLab – after proper suppression of the parties’ personal data – of lawsuits in which the company contested a request for breach of data confidentiality that would affect users who had nothing to do with the facts investigated.

CATEGORY 4: Public position in favor of privacy

Result:

In this category, Oi Mobile obtained a ½ of a a star, as it met parameter II.

After searching in official government websites, specialized and traditional press and corporate pressrooms, we found no material in this regard. During the discussions in the National Congress, regarding the postponement of the LGPD, in addition, no participation by Oi in the discussions at the Congress was found in its press releases etc.

In the engagement phase, Oi informed InternetLab about some of the company’s initiatives, which were publicly reported, to comply with the LGPD (1, 2, 3, 4). Although the effort to adapt to the Law is positive, the statement was not considered satisfactory for the evaluation of the parameter. This is because the company’s performance was restricted to legal compliance, but did not assume a clearly pro-privacy stance nor did it specifically defend the approval of rules or the adoption of techniques that increase the protection of users, in addition to what is already provided for by law.

It is also worth mentioning that in its Sustainability Report, Oi states that, in partnership with SindiTelebrasil, it participated in the discussion of bills at the federal level and with provisional measures that it provides for data protection. However, it does not mention which bills or what positions were adopted by the company and, in our searches, we did not find any documents or news that indicated the company’s participation in these discussions.

Important discussions about federal legislation in the telecommunications sector took place in 2018. In partnership with the National Union of Telephone and Cellular and Personal Mobile Service Companies (SindiTelebrasil), we participated in the discussion of several bills at the federal level, including: (…) Provisional measures of interest to the telecommunications sector, especially those dealing with tax matters and the protection of personal data. (p. 39)

Furthermore, we also found a news item according to which Vivo, Net and Oi would have shared, among themselves, “personal data of citizens without specific coverage to leverage the number of customers attended to”. According to the report, from the TecMundo portal, the suspicion arised after reports from users who, after contacting one of the companies and receiving a negative response to the provision of internet coverage in their area, were contacted by the other companies to offer other internet plans. The company’s telemarketing attendants confirmed these reports. In a reply to this news agency, Oi replied:

“Oi informs that it follows the current legislation in relation to telemarketing services and that it preserves the confidentiality of its customers’ personal data. The company adds that it will investigate the case reported by the vehicle”.

Parameter II, relating to the company’s position in the context of COVID-19, was considered met.

“The main mobile phone operators, acting in partnership, are offering MCTIC a unique data solution to monitor population mobility, displacement, agglomeration points and to identify situations of concentration of people and risk of contamination by the new coronavirus. The operators – Algar Telecom, Claro, Oi, Tim and Vivo – will provide the mobility data emitted by cell phones on their mobile networks to MCTIC, which has a room for monitoring this subject and will be able to make the information available to all spheres of public power. The data provided are aimed exclusively at combating covid-19.

With this solution, the data will be stored in a public cloud (Data Lake) and organized in an aggregated, statistical and anonymous way, in accordance with the rules of the General Data Protection Law (LGPD) and the civil Internet Legal Framework (Marco Civil da Internet). Operators will also develop applications and use cases to assist public agencies in mapping the evolution of the new coronavirus epidemic. The initiative could also evolve through an invitation to other companies, universities and start- ups to participate, adding more anonymous and statistical data to Data Lake, or even for the development of other applications and cases. ”

In addition, the company also took a position on Provisional Measure 954/2020, which required telecommunications companies to share customer data with the Brazilian Institute of Geography and Statistics, “for the purpose of supporting official statistical production during the emergency situation in public health of international importance due to the coronavirus (COVID-19)”. The Federal Supreme Court with the judgment of ADIs 6,387, 6,388, 6,389, 6,390 and 6,393, however, suspended the MP’s effectiveness.

In an event organized by TeleTime and Mobile Time, “Telecommunications in times of uncertainty: four perspectives” Oi defended the delivery of data to IBGE by the signing of terms of responsibility:

“We will have to hand it over to IBGE, but only upon signing a term of responsibility. Even with the MP, we understand that there should be a receipt, and from there, all the instructions for use and, later, destruction of the information. (…) What is public, we already provide. What is private, and in this case it is massive, is happening through an act of force of the MP, and we still have no outcome. It is recent information, and it has a seven-day term, despite some other factors running in parallel”

We commend Oi’s stance for participating in the discussion on MP 954/2020 and consider that the statements at the event, as well as the information on the company’s website, constitute a public posture for privacy, in the context of the COVID-19 pandemic.

CATEGORY 5: Transparency reports and Data Protection Impact Assessment

Result:

In this category, Oi Mobile obtained an empty star, as it did not meet any of the parameters.

Parameters I to IV, relating to the publication of transparency reports in Portuguese, accessibility, periodicity of the report and information on data access requests, were not considered met. The company publishes Sustainability Reports every two years, however, the document does not contain significant information about privacy and data protection.

On page 31 of the 2018 Sustainability Report, there is information that, in 2018, 694 complaints were received through Anatel channels about the misuse of subscriber data. In 2017, that number was 819 and in 2016, it was 983. On page 62, the company claims that the total number of substantiated complaints regarding breaches of privacy and loss of customer data was 31 cases.

However, the company does not publish order statistics, nor does it discriminate between the responsible authorities or the grounds they present and, therefore, the parameter was not considered met.

Parameter V, in turn, relating to the publication of Data Protection Impact Assessments, was also not considered met. No relevant documents were found in our searches.

CATEGORY 6: User notification

Result:

Oi Mobile was not awarded a star, as there is no mention of the possibility of user notification in any of the analyzed documents.

TIM Broadband

CATEGORY 1. Information on data protection policy

Result:

In this category, TIM Broadband obtained a full star, having met both parameters.

Tim Broadband complies with parameter I, referring to information on collection and purpose, providing clear and complete information on all sub-parameters.

Sub-parameter (a), referring to which data is collected, was considered met. In its Privacy Policy, in the item “What type of data and for what purpose TIM uses it”, the company specifies the source, the type of data collected, the purpose and the legal basis for processing various personal data processed by it. Among others, it informs that it collects:

“Navigation Data (IP, date and time) and Access Device Data (e.g. IMEI, device model etc.); Subscriber data: email, name, phone and model of the mobile device; Navigation Data and Access Device Data; Information on the use of the Services: volume of internet traffic; Location data (country, city and state) where the access occurred or where the connection is taking place; telephone and SMS and MMS sending records; performance of the telecommunications network and infrastructure. Payment data: credit card numbers and data, top-up transactions, bank information required to provide services; credit information for billing and billing systems. Access Device Data (excluding pages visited)”.

Sub-parameter (b), referring to the situations in which the collection takes place, was also considered met. In the same item referenced above, the company specifies the origin of the collected data. For example, it points out what data is collected in the “Navigation on the Site and in the My TIM application”, in the “Forms of the Site and the My TIM applications”, in the “Use of Services and the My TIM Application”, in “Use of Services”, in the “Registration Forms at Points of Sale”, among others.

Sub-parameter (c), referring to the purpose of data collection, was also considered met. In the same item referenced above, the company specifies the purpose of collecting the various data and it points this out. It specifies, for example, the purposes of “Site Operation: activating essential features, such as antivirus software, adapting content to the screen format, among other functions”, “analytics: understanding your browsing behavior and how the Site and App is being used to improve your experience as a user and meet the needs of our customers.”, “Marketing: targeting content and advertising, ours and our partners, according to their profile and preferences”, among others.

In addition, in the TIM LIVE Service Agreement, the company, in clause 19, establishes:

“19.1 The data of TIM Customers will only be used to provide the Multimedia Communication Service, services ancillary to this Contract and for an improvement of services.”

Sub-parameter (d), referring to how it is used, was considered fulfilled. When specifying the purposes for which it treats personal data, according to the item above, the company also shows examples of its use. For example, when pointing out the purpose of “marketing”; it specifies that the data will be used to target “content and advertising”; .As it shows usage situations in parallel to the purposes, the sub-parameter was considered met.

Finally, sub-parameter (e), referring to the rights of the holders and the means to exercise it, was also considered met. In its Privacy Policy, in the item “what are the rights of the Data subjects”; the company presents a table with the rights and an explanation of each one of them, pointing, for example, to the “Right to confirm the existence of usage of their data. data and to access them ”, the“ right to rectification ”,“ right of exclusion ”,“ right of opposition ”,“ right to request anonymity, blocking or deletion ”,“ right to portability ”, among others. In addition, it offers e-mails from TIM´s Data Protection Officer (DPO) to exercise these rights.

In addition, in the TIM LIVE Service Agreement, the company, in clause 4, establishes:

4.2 The CLIENT’s rights include: (e) the inviolability and secrecy of its communication, respecting the constitutional and legal hypotheses and conditions of breach of telecommunications confidentiality and the communication intermediation activities of the disabled, under the terms of the regulation; (j) respect for your privacy in billing documents and the use of your personal data by the provider;

Concerning parameter II, regarding the provision of clear and complete information on the protection of personal data, it was considered met, with only sub-parameter (a) being considered partially met and sub-parameters (c), (d), (e) and (f) accomplished.

Sub-parameter (a), referring to how long and where the data is stored, was considered partially fulfilled. In its Privacy Policy, in the item “For how long the Data will be stored”, the company establishes:

We will keep your Personal Data only for as long as is necessary to fulfill the purposes for which we collect it, including for the purpose of complying with any legal, contractual, accountability or requests from competent authorities.
To determine the appropriate retention period for Personal Data, in addition to the statute of limitations, we consider the quantity, nature and sensitivity of this Data, the potential risk of damage arising from unauthorized use or the disclosure of your Personal Data, the purpose of Using this Data and whether we can achieve such purposes by other means, and the applicable legal requirements. For example, due to an obligation imposed by the Legal regulatory use of the internet, Data related to IP, date and time of your internet connections, when TIM is responsible for providing this access, will be kept for at least 12 months and referring to applications created by Tim, for at least 6 months.

Although it is positive that the company establishes a minimum period, the absence of information on the maximum period for which some data of its customers are stored ends up making this period too imprecise. In addition, even with the above details on the decision-making process for determining the retention time, little concrete information is offered.

As for the storage location, the company informs in its Privacy Policy, in the item “TIM can transfer your Data to other countries”:

TIM will be able to transfer data to other countries for storage purposes, for example, on servers located abroad, and with a degree of data protection appropriate to that provided for in current legislation. We inform you that your Data may be subject to local legislation and the relevant rules of these countries. By interacting with us, you agree to this international transfer of Data, in cases where it is essential for the provision of services and execution of your contract with us, in accordance with data protection legislation.

Even though there is some information about the fact that personal data can be processed outside of Brazil, clear and complete information about the location of its storage is not provided. In view of this and the issues raised regarding the storage time, the sub-parameter was considered only partially met.

As for sub-parameter (b), referring to when / if the data is erased, it was not considered to have been met. This is because, in the same excerpt mentioned above, in “For how long will Data be stored” in the Privacy Policy, the company informs only the minimum storage period, without expressly pointing out the hypotheses and stating when the data is deleted.

Sub-parameter (c), referring to the safety practices that the company observes, was considered complied with. In its 2019 Sustainability Report, p. 46, the company clarifies:

“At TIM, the management of security and privacy of customer data is carried out in accordance with the ISO 27001 standard, a standard for information security management system (ISMS – Information Security Management System) and has the following mandatory requirements:

Only authorized employees are allowed to access customer registration information and communication data, and only in specific situations;

Suppliers – including Value Added Service (VAS) providers – sign contracts with a confidentiality and privacy clause for customer data.

For clarifying the security standard used to protect their systems, and for providing some information in relation to employees and suppliers who have access to the data, it was considered that the information given was sufficient.

Sub-parameter (d), referring to who has access to the data, was also considered attended to, since the company, (see paragraph above), states that only authorized persons, and suppliers under confidentiality clauses, may have access to the data. Even though more detailed information about which employees can access the data could have been provided, the specific mention of registration information and communication data, and the mention of suppliers, indicate the existence of clearer standards in relation to such accesses, reason why the sub-parameter was considered fulfilled.

Sub-parameter (e), referring to the third parties with whom the data is shared, was considered met. TIM Broadband, in its TIM LIVE Service Agreement, establishes that:

“19.3 The CLIENT authorizes TIM to retain its data and transmit it to TIM GROUP of companies, in addition to financial institutions, credit card companies and business partners in order to provide the service, create and make available to the client new offers and services.”;

In addition, in its Privacy Policy, in the item “With whom TIM shares its Data”, the company specifies with which third parties it will share, pointing to, for example, companies providing “technology services”, “performance analysis”, and “Market research”, among others.

Finally, regarding sub-parameter (f), related to the purposes of data sharing with third parties, it was also considered met. This is because, in the same section of the Privacy Policy, in the item “With whom TIM shares its Data”, the company specifies the purposes of the shares, pointing out, among others:

“Technology Services: We have a number of suppliers that we need to contract to operate the Products and offer the Services, and some of them may handle the Personal Data we collect on our behalf. For example, we use data hosting services to store our database; we also use means of payment services to be able to process the billing data for our Services.
(…)
Performance analysis: The data stored by TIM may be collected by third-party technology and used for statistical purposes (analytics), so that TIM understands who the people are who use its Services, visit its Site and the Application My TIM or in any way interact with TIM.
(…)
Market research: If you answer a market research sent by TIM, it is possible that the results will be shared with our partner responsible for such research. ”

Parameter III, which assesses whether the company responded in a timely manner to requests for access to data by InternetLab members, was considered complied with. Through e-mail to dpo.consumer@timbrasil.com.br , a member of InternetLab gained access to his basic subscriber data, such as name, CPF (Brazilian Tax Code Ref.), date of birth etc. InternetLab stresses that personal data goes beyond the information of a primarily cadastral nature that was shared, and that effective compliance with the data subject’s right of access to data would involve the sharing of other and more detailed information. However, in this edition of Who Defends Your Data, because we were successful in contacting and verifying the functioning of the contact channel with the company, this parameter was considered met.

Regardless, InternetLab praises the procedure which enables the service user the right of accessing their data, which includes a verification of the identity of the applicant data subject, in order to safeguard their privacy and the security of their information.

Parameter IV, which assesses whether the company promises to send notifications to the user when updating its privacy policies, was considered met. In its Privacy Policy, the company states: “Rest assured, if relevant changes are made, we will inform you, subject to You checking the most current version on our Site”.

Finally, parameter V, regarding the accessibility of information on privacy and data protection, was also considered complied with. This is because TIM´s Privacy Center is relatively easy to access: on its main page, in the final bar, there is a link to this environment.

CATEGORY 2. Law enforcement guidelines

Result:

In this category, Tim Broadband obtained a quarter of a star, partially fulfilling parameter I.

Parameter I, referring to the identification of the authorities competent to request data, was considered partially fulfilled. In the TIM Live Service Agreement, the company clarifies:

“19.2 TIM treats CLIENT´s data and communications with privacy and confidentiality, and may make them available to the competent bodies and authorities, when requested, including to prevent and suppress illegal acts, according to the applicable legislation.”;

In addition, in its 2019 Sustainability Report (p. 46):

“Subscriber data and telephone communications are only shared with authorities, in accordance with Brazilian law, and for the fulfillment of judicial obligations in breach of telephone and telematic confidentiality.”

The company does not identify the authorities to which it believes the delivery of subscriber data without a court order is due. However, for promising to comply with the legislation in making “data and communications” available to “competent authorities”, the parameter was considered partially fulfilled. We recommend that the company expressly identifies the competent authorities to whom it delivers data without a court order.

In addition, the company does not explain to the user the fact that the law treats subscriber data and connection records differently. In this sense, it is important for the company to clearly state that connection records can only be delivered by court order, according to the Internet Legal Framework (Marco Civil da Internet). With regard to subscriber data, that same law authorizes them to be requested without a court order by competent administrative authorities. Currently, however, in the face of controversy as to what such “competent administrative authorities” are, it is imperative that the company is transparent about its own interpretations of the law it applies when receiving requests for breaches of confidentiality.

Parameter III, referring to the provision of information on geolocation data, was also not considered met. No mention of the topic was found in the TIM Broadband documents analyzed.

Finally, parameter V, relating to the existence of specific guidelines on data delivery to the state, was also not considered met. In our searches, no documents on this topic could be found.

CATEGORY 3: Defence of users in the Judiciary

Result:

In this category, TIM Broadband obtained a full star, because it met both parameters.

However, in the engagement phase, InternetLab became aware of a rescission action nº 0802518-50.2020.4.05.0000, before the Regional Federal Court of the 5th region (TRF5). In it, the companies TIM, Vivo, Claro and Oi, through action by Sinditelebrasil questioned Anatel´s attempt to change the General Consumer Rights Regulation so that it would be possible to provide, to any recipient of telephone calls, personal information of the holder of the line originating the call. As they defended the non-alteration of the said regulation based, among other things, on privacy and data protection, the parameter was considered complied with. As much as InternetLab, exceptionally, recognized the action referred to above in view of its normative importance, we emphasize that, in line with the investigation of the public commitment of the companies under their brand, actions initiated in its own name by the telephone company, and not through associations or equivalents, are preferable for checking compliance with this parameter.

Actions considered in previous versions of Who Defends Your Data, such as Public Civil Action No. 0005292-42.2003.4.03.6110, which questions, among others, the delivery of data from a logic gate to police authorities, and the ADI 5642, from ACEL, were not considered, since they did not register changes.

Finally, concerning parameter II, regarding the contestation of abusive requests, we conducted exploratory searches in the database of the Court of Justice of the State of São Paulo and in the “Jusbrasil” portal, in both cases by the terms “TIM S / A AND privacy AND breaches” and by published judgments between August 1st, 2019 and July 31st, 2020. In the searches, no lawsuits were found in this regard. We emphasize that the choice of Jusbrasil as a secondary source is because it gathers judgments from all Brazilian state courts, instead of requiring a search in all individual courts.

However, in an earlier engagement phase, the company informed InternetLab – of Police authority attempts at suppression of some parties personal data – processes which the company challenged, on the grounds that requests for breach of data confidentiality for different reasons lacked due legitimacy in some of the requests. Therefore, the parameter was considered met.

CATEGORY 4. Public position in favor of privacy

Result:

In this category, TIM Broadband obtained a full star, because it met parameters I and II.

Parameter I, regarding the company’s general positioning, was considered attended to. In the engagement phase, InternetLab became aware of the company’s participation in the public consultation on the “National Strategy for Artificial Intelligence”;, prepared by the MCTIC, in which it defended, among others:

“Transparency and explainability: The parties involved in creating and executing AI applications must be committed to transparency and responsible disclosure of information about AI systems. Sufficient information must be provided in order to (i) make stakeholders aware of their interactions with AI systems, (ii) allow those affected by an AI system to understand the reasons for the result obtained and (iii) allow those adversely affected by an AI system contest their results based on easy-to-understand information about the factors and logic that served as the basis for automated decision making.
(…)
Privacy and governance in the use of data: since the massive use of data is of the essence of AI, in addition to ensuring full respect for privacy and data protection, the creation of an environment that ensures its governance, taking into the quality and integrity of the data and guaranteeing legitimate access to them ”.

In addition, it was found that the company positioned itself, both in the common media and in the specialized media, in favor of good practices in privacy and data protection.(1, 2, 3, 4, 5, 6)) As it presented concrete proposals for technical or regulatory innovations, especially in the public consultation mentioned above, the parameter was considered met.

Parameter II, regarding the company’s positioning in the context of COVID-19, was considered met. This is because, in the context of partnerships for population monitoring signed between operators and states and municipalities (see news from TeleTime (), the company was concerned that only anonymous / aggregated data, for example via heat maps and pivot tables, would be shared. During Live “Telecommunications in times of uncertainty: four perspectives”, carried out by the specialized news portal TeleTime on April 23rd, 2020, TIM confirmed this position, emphasizing the sharing of anonymous data only, through its CTIO, Sir Leonardo Capdeville. Other positions in the same direction were identified in the engagement phase. (1, 2, 3)).

CATEGORY 5: Transparency reports and Data Protection Impact Assessment

Result:

In this category, TIM Broadband obtained three quarters of a star, because it met parameters I, II, III and partially met parameter IV.

Parameter I, regarding the publication of transparency reports in Portuguese, was considered complied with, since TIM published this year, in Portuguese, a Sustainability Report on its activities in Brazil. Even though improvements are still possible (see items below), the report contains information on the number of letters received from the judiciary and the number of lawsuits in which the company is involved (see p. 47 of the report – excerpts copied in the analysis of the parameter IV below), which is why the parameter was considered as complied with.

Parameter II, regarding the accessibility of the transparency report, was considered met. This is because the Sustainability Report can be located with two clicks on TIM´s homepage, under “Sustainability”; and, right after, under “Sustainability Report”.

Parameter III regarding the periodicity of the report was considered complied with. Versions published in previous years are available on the access to the reports page.

Parameter IV, regarding information on data access requests, was considered partially met. In its transparency report, the company informs (p. 47):

“In 2019, TIM was involved in just over a thousand lawsuits related to data privacy, of which 801 are awaiting judgement and 239 have been resolved, with 76 cases concluded with decisions in favor of TIM. During the same period, the company recorded three incidents of customer data leaks, which were identified, monitored and managed by the company and appropriately dealt with and resolved. ”

And

“In 2019, TIM received more than 250 thousand letters from the Judiciary with requests for breach of privacy related to:

Telephone interceptions: 381,113

Subscriber data: 513,468

Telephone statements: 595,728.

It is not possible to accurately assess the number of customers affected by requests for information, since different authorities may request data from the same target, either through the line number (MSISDN), IMEI or CPF (Brazilian Tax Code Ref.) in addition to the possibility of requesting of call reports with the records of all numbers, it is currently not possible to specify the number of records in these reports. The numbers correspond to requests handled manually, as well as requests made directly by the competent authorities through the Web service made available for this purpose. ”

The wording above, even though it indicates the number of orders placed, states that “it is not possible to accurately assess the number of customers affected by requests for information”; despite this having already been done by other companies. Therefore, the parameter was considered partially met.

Parameter V, in turn, relating to the publication of Data Protection Impact Assessments, was also not considered met. No relevant documents were found in our searches.

CATEGORY 6: User notification

Result:

TIM Broadband was not awarded a star, as there’s no mention of the possibility of user notification in any of the documents analyzed.

TIM MOBILE

CATEGORY 1. Information on data protection policy

Result:

In this category, TIM MOBILE obtained a full star, having met all parameters.

“TIM Mobile complies with parameter I, referring to information on collection and purpose, providing clear and complete information on all sub-parameters.

Sub-parameter (a), referring to which data is collected, was considered met. In its Privacy Policy, in the item “What type of data and for what purpose does TIM use it”, the company specifies the origin, the type of data collected, the purpose and the legal basis for processing various personal data items. Furthermore, it informs that it collects:

“Navigation Data (IP, date and time) and Access Device Data (e.g. IMEI, device model etc.); Subscriber data: email, name, phone and model of the mobile device; Navigation Data and Access Device Data; Information on the use of the Services: volume of internet traffic; Location data (country, city and state) where the access occurred or where the connection is taking place; telephone and SMS and MMS sending records; performance of the telecommunications network and infrastructure. Payment data: credit card numbers and data, top-up transactions, bank information required to provide services; credit information for billing and billing systems. Access Device Data (excluding pages visited)”.

Sub-parameter (c), referring to the purpose of data collection, was also considered met. In the same item referenced above, the company specifies the purpose of collecting the various data and. It specifies, for example, the purposes of “Site Operation: activating essential features, such as antivirus software, adapting content to the screen format, among other functions”, “analytics: understanding your browsing behavior and how the Site and App is being used to improve your experience as a user and meet the needs of our customers.”, “Marketing: targeting content and advertising, ours and our partners, according to their profile and preferences”, among others.

Sub-parameter (d), referring to how it is used, was considered fulfilled. When specifying the purposes for which it treats personal data, according to the item above, the company also shows examples of its use. For example, when pointing out the purpose of “marketing”; it specifies that the data will be used to target “content and advertising”;. As it shows usage situations in parallel to the purposes, the sub-parameter was considered met.

Finally, sub-parameter (e), referring to the rights of the data subjects and the means to exercise it, was also considered met. In its Privacy Policy, in the item “what are the rights of the Data subjects”; the company presents a table with the rights and an explanation of each one of them, pointing out, for example, the “Right to confirm the existence of usages of their data. and to access them”, the “right to rectification”,“right of exclusion”,“right of opposition”,“right to request anonymity, blocking or deletion”,“right to portability”, among others. In addition, it offers emails from TIM’s Data Protection Officer (DPO) to exercise these rights.

Regarding parameter II, referring to the provision of clear and complete information on the protection of personal data, it was considered met, with sub-parameter (a) being considered partially met and sub-parameters (c), (d), (e) and (f) considered as fully complied with.

“We will keep your Personal Data only for as long as is necessary to fulfill the purposes for which we collect it, including for the purpose of complying with any legal, contractual, accountability or request from competent authorities.
To determine the appropriate retention period for Personal Data, in addition to the statute of limitations, we consider the quantity, nature and sensitivity of this Data, the potential risk of damage arising from unauthorized use or the disclosure of your Personal Data, the purpose of using this Data and whether we can achieve such purposes by other means, and the applicable legal requirements appropriate. For example, due to an obligation imposed by the Legal regulatory use of the internet, data related to IP, date and time of your internet connections, when TIM is responsible for providing this access, will be kept for at least 12 months and referring to applications created by Tim, for at least 6 months. ”

Although it is positive that the company establishes a minimum period, the absence of information on the maximum period for which some customer data are stored ends up making this period of time too imprecise. In addition, even with the above details on the decision-making process for determining the retention time, little concrete information is offered.

As for the storage location, the company informs in its Privacy Policy, in the item “TIM can transfer your Data to other countries”:

“TIM will be able to transfer data to other countries for storage purposes, for example, on servers located abroad, and with a degree of data protection appropriate to that provided for in current legislation. We inform you that your Data may be subject to local legislation and the relevant rules of these countries. By interacting with us, you agree to this international transfer of Data, in cases where it is essential for the provision of services and execution of your contract with us, in accordance with data protection legislation.”

Sub-parameter (c), referring to the safety practices that the company observes, was considered complied with. In its 2019 Sustainability Report, p. 46, the company clarifies:

“At TIM, the management of security and privacy of customer data is carried out in accordance with the ISO 27001 standard, a standard for information security management system (ISMS – Information Security Management System) and has the following mandatory requirements:

Only authorized employees are allowed to access customer registration information and communication data, and only in specific situations;

Suppliers – including Value Added Service (VAS) providers – sign contracts with a confidentiality and privacy clause for customer data. ”

Sub-parameter (d), referring to who has access to the data, was also considered as met, since the company, (see paragraph above), states that only authorized persons, and suppliers under confidentiality clauses, may have access to the data. Even though more detailed information about which employees can access the data could have been provided, the specific mention of registration information and communication data, and the mention of suppliers, indicate the existence of clearer standards in relation to such accesses, reason why the sub-parameter was considered fulfilled.

Sub-parameter (e), referring to the third parties with whom the data is shared, was considered met. TIM Broadband in its TIM LIVE Service Agreement establishes that:

“19.3 The CLIENT authorizes TIM to retain its data and transmit it to TIM GROUP of companies, in addition to financial institutions, credit card companies and business partners in order to provide the service, create and make available new offers and services to the client.”;

In addition, in its Privacy Policy, in the item “With whom TIM shares its Data”, the company specifies with which third parties it will share, pointing, for example to, companies which provide “technology services”, “performance analysis” , “Market research”, among others.

“Technology Services: We have a number of suppliers that we need to contract to operate the Products and offer the Services, and some of them may handle the Personal Data we collect on our behalf. For example, we use data hosting services to store our database; we also use means of payment services to be able to process the billing data for our Services.
(…)
Performance analysis: The data stored by TIM may be collected by third party technology and used for statistical purposes (analytics), with the purpose of TIM understanding who the people are who use its Services, visit its Site and the MEU TIM Application or in any way, they interact with TIM.
(…)
Market research: If you answer a market survey sent by TIM, it is possible that the results will be shared with our partner responsible for that survey. ”

ParameterIII, which assesses whether the company responded in a timely manner to requests for access to data by members of InternetLab, was considered met. Through e-mail to dpo.consumer@timbrasil.com.br , a member of InternetLab gained access to his basic subscriber data, such as name, CPF (Brazilian Tax Code Ref.), date of birth etc. InternetLab stresses that personal data goes beyond the information of a primarily cadastral nature that was shared, and that effective compliance with the data subject’s right of access to data would involve the sharing of other and more detailed information. However, in this edition of Who Defends Your Data, because we were successful in contacting and verifying the functioning of the contact channel with the company, this parameter was considered met.

Regardless, InternetLab praises the procedures available for exercising the right of access to data, which included verification of the identity of the applicant holder, in order to safeguard his privacy and the security of his information.

ParameterIV, which assesses whether the company promises to send notifications to the user when updating its privacy policies, was considered met. In its Privacy Policy, the company states: “Rest assured, if relevant changes are made, we will inform you, subject to You checking the most current version on our Site.”;

Finally, parameter V, referring to the accessibility of information on privacy and data protection, was also considered met. This is because TIM´s Privacy Center is relatively easy to access: on its main page, in the final bar, there is a link to this environment.

CATEGORY 2. Law enforcement guidelines

Result:

In this category, “TIM Mobile obtained a quarter of a star, partially fulfilling parameter I.

Parameter I, referring to the identification of the authorities competent to request data, was considered partially fulfilled. TIM Mobile, in its Prepaid Personal Mobile Service Agreement, establishes:

10.4 TIM will dispense confidential and confidential usage of the CLIENT’s data and communications, and may make them available in case of determination by a competent authority. ”
(Note: same wording as clause 10.12 of the post-paid SMP contract and clause 8.4 of the Prepaid SMP Adhesion Term)

In addition, in its 2019 Sustainability Report (p. 46):

“Subscriber data and telephone communications are only shared with authorities, in accordance with Brazilian law, and for the fulfillment of judicial obligations in breach of telephone and telematic confidentiality.”

The company does not identify the authorities to which it believes the delivery of subscriber data without a court order is permissible. However, because it promised to comply with the legislation in making data available to “competent authorities”, the parameter was considered partially fulfilled. We recommend that the company expressly identify the competent authorities to whom it delivers data without a court order.

Parameter II, referring to the identification of the competent authorities and the crimes within which the requisition occurs, was not considered met. No mention was made of the theme in the TIM Mobile documents analyzed.

Parameter III, referring to the provision of information on geolocation data, was also not considered met. No mention was made of the theme in the TIM Mobile documents analyzed.

Finally, parameter V, relating to the existence of specific guidelines on data delivery to the state, was also not considered met. In our searches, no documents on this could be found.

CATEGORY 3: Defence of users in the Judiciary

Result:

In this category, “TIM Mobile obtained a full star, because it met both parameters.

However, in the engagement phase, Internet Lab became aware of a rescission action nº 0802518-50.2020.4.05.0000, before the Regional Federal Court of the 5th region (TRF5). In it, the companies TIM, Vivo, Claro and Oil, through an action by Sinditelebrasil questioned Anatel´s attempt to change the General Consumer Rights Regulation so that it would be possible to provide, to any recipient of telephone calls, personal information of the holder of the line originating the call. As they defended the non-alteration of the said regulation based, among others, on privacy and data protection the parameter was considered complied with. As much as InternetLab, exceptionally, recognized the action referred to above in view of its normative importance, we emphasize that, in line with the investigation of the public commitment of the companies under their brand, actions initiated in its own name by the telephone company, and not through associations or equivalents, are preferable for checking compliance with this parameter.

Actions considered in previous versions of Who Defends Your Data, such as Public Civil Action No. 0005292-42.2003.4.03.6110, which questions, among other issues, the delivery of data from a logic gate to police authorities, and the ADI 5642, from ACEL, were not considered, since they did not register changes.

Finally, to ascertain findings in parameter II, regarding the contestation of abusive requests, we conducted exploratory searches in the database of the Court of Justice of the State of São Paulo and in the “Jusbrasil” portal, in both cases by the terms “TIM S / A AND privacy AND breaches” and by judgments published between August 1st, 2019 and July31st, 2020. In the searches, no lawsuits were found in this regard. We emphasize that the choice of Jusbrasil as a secondary source is because it gathers judgments from all Brazilian state courts, instead of requiring a search in all individual courts.

However, in the initial engagement phase, the company informed InternetLab – of the due suppression of data subjects personal data at the request of police authorities – processes which the company challenged. These requests to breach data confidentiality for different reasons were solicited but lacked legitimacy. Therefore, this parameter was considered met.

CATEGORY 4. Public position in favor of privacy

Result:

In this category, TIM Broadband obtained a full star, as it met parameters I and II.

Parameter I, relating to the company’s general positioning, was considered met. In the engagement phase, InternetLab became aware of the company’s participation in the public consultation on the “National Strategy for Artificial Intelligence”; prepared by the MCTIC, in which it defended, among other things:

“Transparency and explainability: The parties involved in creating and executing AI applications must be committed to transparency and responsible disclosure of information about AI systems. Sufficient information must be provided in order to (i) make stakeholders aware of their interactions with AI systems, (ii) allow those affected by an AI system to understand the reasons for the result obtained and (iii) allow those adversely affected by an AI system contest their results based on easy-to-understand information about the factors and logic that served as the basis for automated decision making.
(…)
Privacy and governance in the use of data: since the massive use of data is of the essence to AI, in addition to ensuring full respect for privacy and data protection, the creation of an environment that ensures its governance, taking into account the quality and integrity of the data and guaranteeing legitimate access to them. ”

In addition, it was found that the company positioned itself, both in the common media and in the specialized media, in favor of good practices in privacy and data protection.(1, 2, 3, 4, 5, 6) As it presented concrete proposals for technical or regulatory innovations, especially in the public consultation mentioned above, the parameter was considered met.

Parameter II, relating to the company’s position in the context of COVID-19, was considered met. This is because, in the context of partnerships for population monitoring signed between operators and states and municipalities (see news from TeleTime (), the company was concerned that only anonymous / aggregated data, for example via heat maps and pivot tables, would be shared. During Live “Telecommunications in times of uncertainty: four perspectives”, carried out by the specialized news portal TeleTime on April 23rd, 2020, TIM confirmed this position, emphasizing the sharing of anonymous data only, through its CTIO, Sir Leonardo Capdeville. Other positions in the same direction were identified in the engagement phase. (1, 2, 3).

CATEGORY 5. Transparency reports and Data Protection Impact Assessment

Result:

In this category, “TIM Mobile obtained three quarters of a star, because it met parameters I, II, III and partially met parameter IV.

Parameter I, regarding the publication of transparency reports in Portuguese, was considered complied with, since TIM published this year, in Portuguese, a Sustainability Report on its activities in Brazil. Even though improvements are still possible (see items below), the report contains information on the number of letters received from the judiciary and the number of lawsuits in which the company is involved (see p. 47 of the report – excerpts copied in the analysis of parameter IV below), which is why the parameter was considered as met.

Parameter II, regarding the accessibility of the transparency report, was considered met. This is because the Sustainability Report can be located with two clicks on TIM’s homepage, under “Sustainability”; and, right after, under “Sustainability Report”;

Parameter III regarding the periodicity of the report was considered complied with. Versions published in previous years are available on access to the reports page.

Parameter IV, regarding information on data access requests, was considered partially met. In its transparency report, the company informs (p. 47):

“In 2019, TIM was involved in just over a thousand lawsuits related to data privacy, of which 801 are awaiting judgement and 239 have been dealt with, with 76 cases concluded with decisions in favor of TIM. During the same period, the company recorded three incidents of customer data leaks, which were identified, monitored and managed by the company and appropriately dealt with and resolved. ”

And

“In 2019, TIM received more than 250 thousand letters from the Judiciary with requests for breach of privacy related to:

Telephone interceptions: 381,113

Subscriber data: 513,468

Telephone statements: 595,728.

It is not possible to accurately assess the number of customers affected by requests for information, since different authorities may request data from the same target, either through the line number (MSISDN), IMEI or CPF (Brazilian Tax Code Ref.), in addition to the possibility of requesting call reports with the records of all numbers, it is currently not possible to specify the number of records in these reports. The numbers correspond to requests handled manually, as well as requests made directly by the competent authorities through the Web service made available for this purpose. ”

Parameter V, in turn, relating to the publication of Data Protection Impact Assessments, was also not considered met. No such documents were found in our searches.

CATEGORY 6: User notification

Result:

TIM Mobile was not awarded a star, as there is no mention of the possibility of user notification in any of the documents analyzed.

VIVO BROADBAND

CATEGORY 1. Information on data protection policy

Result:

In this category, Vivo Broadband obtained ¾ of a star, having met parameters I, II and III and partially met parameter V.

Although broadband telephone contracts offer little information about the company’s data processing practices, we found that some information is available in the Sustainability Report and the Privacy Center, on Vivo’s website. In this section, users have a brief informative video on the main points of data protection by the company and then, through the menu, they can find other more detailed information.

Vivo complies with parameter I, providing clear and complete information on all sub-parameters.

Sub-parameter (a), referring to the collected data, was considered fulfilled. In its Privacy Center, under “Data Collected”, the company informs:

“Vivo collects your information according to the service you use. Find out what this information is: Subscriber data: What you provided when you contracted our services, such as name, address, CPF etc.; Volumes of data trafficked on the internet via 2G, 3G and / or 4G network; History of use of contracted products and services: Exactly what the name says, but it is important to know that this history does not involve registration of apps used on your cell phone or what you do on social networks or websites. This only applies to Vivo apps! Then the data is collected to make the app even better; SMS events that are inside and outside the national Vivo network: This collection includes international Vivo events and international roaming operators; History of calls made and received: Accounting and tax information, invoice and customer payments; Top-up transactions and monitoring the use of these credits; Customer service data in stores and in the call center. ”

Further, in the subscription Agreement for the Provision of the Switched Fixed Telephone Service, the company informs what data is collected when installing the service:

5.2.12. Deliver, at the time of installation or whenever requested by VIVO, a copy of personal identification documents, such as RG (Brazilian Identity Card No.), CPF (Brazilian Tax Code Ref.), CNPJ (Company Registration No.), Social Contract, proof of address, among others, that prove the subscriber data informed by the CLIENT when contracting.

Sub-parameter (b), referring to the situations in which the collection takes place, was also considered fulfilled. This is because, even if there is no specific wording to point out situations where data is collected, in the sections “Data Collected”; (see excerpt above) and “For what and how do we collect data?” (see excerpt below), it is informed that “Vivo collects your information according to the service you use”, specifies the collection of data on the use of contracted products and services, call history, service data, Top-up services, among others. It was considered that such information is capable of detailing the situations in which the collection occurs.

Sub-parameter (c), related to the purpose of data processing, was also considered fulfilled. In the Privacy Center, under “For what and how do we collect data”? the company describes some of the purposes, mentioning the improvement of the network service and the more personalized service, among others:

“We want your experience with Vivo to be better and better. Therefore, we will explain here the reasons for collecting all this information. Top-up transactions and monitoring the use of these credits. Improve network performance and increase the quality of our services; Correct failures in mobile, fixed and TV network services even faster; Move the processes for the elaboration of plans, services and personalized offers even closer to your profile; Assess demand by geographic region; Assist in Vivo´s strategic decisions, such as redistributing the signal or reallocating the service portfolio; Improve the relationship experience between you and Vivo, such as sending direct marketing and providing more relevant offers. ”

In addition, in clauses 5.3 and 13.1 of the Adhesion Contract, the company spells out the purposes of data collection, such as its use for sending emails, direct mail, and service provision or for marketing purposes.

5.3 The CLIENT has the option of authorizing VIVO or not, to send him, e-mails, direct mail, inserts or any other communication instrument offering services and / or products from VIVO or related companies or partners, as well as providing to them the registration / personal data provided for in this contract, for the offer of their products and / or services. The CLIENT, can revoke such permissions at any time, by means of a request made to the Customer Relationship Center.

13.1. The CLIENT’s personal data collected by VIVO under this Agreement will be treated in accordance with the current legislation and applicable regulations, exclusively for the purpose of providing the telecommunication service (s) covered by this Agreement, as well as for analysis from the CLIENT’s profile, or for marketing purposes, in order to (i) ensure the adequacy of the best offers in accordance with the CLIENT’s needs; and (ii) to improve the performance of the services provided, which may also be treated by VIVO, its partners or by third parties by contractors hired by VIVO, in an anonymous way in order to allow analysis and construction of standards, behaviors, choices, and consumption for the purposes provided for here.

Sub-parameter (d), referring to how data are used, was considered fulfilled. This is because it indirectly provides information on how to use it in the sections mentioned above (demonstrating the situations in which the collection takes place and its purpose) and information on storage time and place etc.

Finally, the sub-parameter (e), relating to information regarding the rights of holders and the means to exercise those rights, was also considered met. In the Privacy Center, under “Right of Access, Rectification, Opposition and Cancellation”, the company informs about the existence of these four consumer rights over their data. As much as other rights could have been mentioned, such as the right to portability and automated decision review, the wording presented was considered satisfactory. In addition, the same page offers a phone and SMS number so that you can exercise these rights.

The Adhesion Contract also provides forecasts about the rights of the data subjects. Clause 5.3, reproduced above, guarantees the customer the possibility to revoke, at any time, the permissions granted through request in the Customer Relationship Center. Also, in clause 5.1, item (8); the company lists as the customer’s right to “an efficient and timely response by VIVO to its complaints, service requests and information requests”.

Concerning parameter II, referring to the provision of clear and complete information on the protection of personal data, it was considered, on average, that it was attended to, with sub-parameters, (c) and (d) considered attended to and sub-parameters (a), (e) and (f) considered partially met.

Sub-parameter (a), referring to the time and location of data storage, was considered partially fulfilled. In the Privacy Center, under “How long do we store data for,” the company informs:

“In accordance with the legal regulatory use of the internet, Vivo stores its connection records for at least 1 year, which is the information on the time of its internet connections and the IP for sending and receiving data. Your subscriber data (such as full name, address and CPF (Brazilian Tax Code) and billing data (tax documents) are stored for at least 5 years, for judicial and administrative proceedings. We do not record content from app providers, other than the ones we create. Therefore, in this case, according to the Legal regulatory use of the internet, we keep the record for up to 6 months, under confidentiality, in a controlled and security environment. ”

In addition, in the Adhesion Contract, the company informs that personal data is stored for 5 years and that the contracts are kept for 10 years.

13.2 The CLIENT’s personal data collected by VIVO under this Agreement will be stored by VIVO or by a third party subcontracted by VIVO for a period of 5 (five) years, with the Contracts being stored for a period of 10 (ten) years, in order to guarantee compliance with the corresponding applicable legal obligations, with CLIENTS being guaranteed that the storage of their personal data by VIVO or by subcontracted third parties will be carried out by adopting security measures and physical and logical protection of the information.

The information on storage time was considered satisfactory, as detailed storage periods are presented for each type of data collected, also specifying the maximum storage periods. As for the storage location, still in the Privacy Center, in “Where do we process the data?” The company informs:

“Most of the information is handled within Vivo or in companies of the Telefônica Group, always respecting the legislation in force in Brazil. However, sometimes, when we need to process data externally, we do everything with confidentiality clauses and ensuring that all access is audited and monitored, to guarantee your privacy. ”

The wording of the above excerpt was considered excessively broad and unsatisfactory. Even if the company informs that “most of the information is treated within Vivo”, giving a few more details, the hypotheses in which the data are treated externally, in which countries data are stored, what types of data are stored at each location, are not clarified, as well as other relevant information that could have been provided.

As for sub-parameter (b), referring to when / if the data is erased, it was not considered as being met. This is because, in the same passage pointed out above, in “How long do we store the data for?” in the Privacy Center, the company informs only the minimum time for which it stores the data, without guaranteeing that they will be deleted or when they will be deleted.

Sub-parameter (c), related to the company’s security practices, was considered complied with. In the company’s 2019 Sustainability Report (p.34), the company informs some of the security standards it uses to ensure the protection of users, claiming to have developed, “based on the company’s security requirements and market frameworks (ISO27001 and ISO22301, NIST, PCI / DSS etc.) of guidelines to be followed, especially related to secure systems and servers. ” In addition, in the Privacy Center, under “Information Security”, the company informs of some security standards that it uses, such as encryption in the transfer of personal data from user´s devices, declares that it allows access to data only to authorized persons, as the principle of least privilege;, claims to provide auditability of any activities taken with the data, among others issues.

Sub-parameter (d), referring to who has access to the data, was also considered as satisfactory, since the company, see paragraph above, states that only authorized persons, according to the “principle of least privilege”, can have access to the data . Even though more detailed information on which employees can access the data could have been provided, the mention of the principle of least privilege indicates the existence of clearer standards in relation to such accesses, which is why the sub-parameter was considered fulfilled.

Sub-parameter (e), referring to the third parties with whom the data is shared, was considered partially met. Vivo, in the Privacy Center, under “Data Sharing”, and in clause 13 of the Membership Agreement, which provides for the use of the customer’s personal data, the company lists two hypotheses for providing data to third parties: (i) by court order and (ii) at the request of competent administrative authorities. Apart from these two hypotheses, the company undertakes not to provide personal data, except with free consent:

“Vivo may, eventually, support a behavioral study of events that promote the displacement of an audience in a certain location. However, it is important to note that, in this case, it is not possible to individualize this information. Individualized information will only be shared with partners if you authorize it. Your data can be shared: With partners whenever related to the provision of the service contracted by you (for example, when you are roaming); In cases provided for by law and / or by virtue of a court order; With partners, individually, only with their express authorization and always with the possibility to opt out. ”

13.7 Except as provided for in the previous items, there will not be the provision to third parties of other personal data, including connection records, except with free, express and informed consent or in the cases provided for by law identified in clause 13.4 and 13.5 of this Agreement.

The information above, even if it offers some guide for which third parties have access to the data, is excessively comprehensive. They do not determine which third parties can receive them, citing only the example of roaming in the case of the provision of third-party services through Vivo, it does not provide examples of situations in which there may have been express authorization from the user, with no cases of such authorizations found in the analyzed documents and does not determine what data and in which situations they are shared. However, due to the concern with pointing out information on the topic, with a minimum of detail, the sub-parameter was considered partially met.

Finally, regarding sub-parameter (f), related to the purposes of data sharing with third parties, it was also considered that it was partially met. This is because the information produced about the topic, referenced in the analysis of sub-parameter (e) above, is unclear and only states in a general way that the data can be shared “whenever related to the provision of the service contracted by you” or “Individually, only with your express authorization”. No clearer information is given about the possibilities of sharing and their purposes. However, due to the concern with pointing out information on the topic, even with a minimum of detail, the sub-parameter was considered partially met.

Parameter III, which assesses whether the company responded in a timely manner to requests for access to data by InternetLab members, was considered complied with. Through access to the “Meu Vivo” portal, a member of InternetLab gained access to his basic subscriber data, such as name, CPF (Brazilian Tax Code Ref.), date of birth etc. InternetLab stresses that personal data goes beyond the information of a primarily registry nature that was shared, and that effective compliance with the data subject’s right of access to data would involve the sharing of other and more detailed information. However, in this edition of Who Defends Your Data, because we were successful in contacting and verifying the functioning of the contact channel with the company, this parameter was considered met.

Parameter IV, which assesses whether the company promises to send notifications to the user when updating its privacy policies, was not considered complied with. No document from Vivo mentioned such a possibility, and it was stated in all sections of the Privacy Center, yet, “Vivo may change the content of this policy at any time. The most recent change happened in December 2018”.

Finally, parameter V, referring to the accessibility of information on privacy and data protection, was considered only partially met. This is because Vivo has a Privacy Center, mentioned several times above, with clear and, in general, complete information on the subject. In addition, the center can be easily accessed on the Vivo homepage.

However, most of such information is not presented in the company’s broadband internet contracts, a practice that would be recommended so that the information could be accessed by all customers, legally consented to by them, and detailed according to each type of information for the service contracted.

CATEGORY 2. Law enforcement guidelines

Result:

In this category, Vivo Broadband obtained half a star, having complied with parameter I and partially with parameters II and IV.

Parameter I, regarding the identification of the competent authorities to request data, was considered fulfilled. In the 2019 Transparency Report (p. 20), the company states that it seeks to comply with legislation and regulatory frameworks at the national level. In its Privacy Center, in the “breach of confidentiality” section, it clarifies that in some situations, “as in the case of court orders and requests from competent authorities”; connection records, voice and data may be shared without the user’s knowledge, “In accordance with the legislation in force in Brazil”. Furthermore, on the same page 20 of the Communication Transparency Report, there is a definition of the competent authorities for interceptions and requesting metadata in accordance with Brazilian law, in addition to mentioning the competence of the “judges of any sphere”:

“Legal interception: According to article 3 of the Brazilian Federal Law n. 9,296 / 1996 (law of interception), only the Judge (of the criminal sphere) was able to determine interception (telephone and telematic), upon request by the Prosecutors (Public Prosecutor’s Office), the Police Commissioner (Police Authority). \
Metadata associated with communications: Competent authorities »Prosecutors, Commissioners of Police and Justice of any sphere, as well as Presidents of the Parliamentary Investigative Commissions: the name and address of the registered user (payment details), as well as the identity of the communication teams (including IMSI IMEI). ”
Judges from any sphere: the data to identify the origin and destination of a communication (for example, telephone numbers, usernames for Internet services), the length of time and duration of a communication and the location of the device. ”

This means that Vivo delivers subscriber data upon request from representatives of the Public Prosecutor’s Office (“Fiscalía”), police authorities (“police commissioners”) and judges. Connection logs and location data are made available only by order of a judge.

Parameter II, referring to the identification of the competent authorities and the crimes within which the requisition occurs, was considered partially answered. In the Communication Transparency Report, it is cited, alongside other legal diplomas, Art. 15 of Law 12.850 / 13 (Criminal Organizations) as “Legal Context” for the request for “metadata associated with communications”. However, there is no mention of Law 9,613 / 98 (Law on the Prevention of Money Laundering) or article 13-A of the CPP, nor any other specification on the scope of which crimes the competent authorities may request data.

Parameter III, referring to the provision of information on geolocation data, was also not considered met. Even if the Transparency Report mentioned above includes the “location of the device” among the data that can be requested by court order, there is no detail about the circumstances in which it shares geolocational data and why, and so does not provide the information required by parameters of that item.

Parameter IV, referring to the promise to provide connection records only by court order strictly under the terms of the legal regulatory use of the internet, was also not considered as complied with. On the one hand, the same passage pointed out above is clear in defining that only judges will have access to data on the origin and destination of a communication, which shows that such access will occur through a court order. However, the excerpt is not strictly restricted to the terms of the Legal regulatory use of the internet (that is, it does not specify that only the date and time of the start and end of an internet connection, its duration and the IP address used will be shared).

Finally, parameter V, relating to the existence of specific guidelines on data delivery to the state, was also not considered met. In our searches, no documents on this could be found.

InternetLab praises Telefónica Global’s conduct of making public its interpretations of which authorities are competent to request user data and under what circumstances. However, we reinforce that there is a need to present such information in Portuguese so that the company is evaluated without restrictions, whether in contracts, in the Sustainability Report, or other materials

CATEGORY 3: Defence of users in the Judiciary

Result:

In this category, Vivo Broadband obtained half a star, because it met parameter I.

However, in the engagement phase, InternetLab became aware of a rescission action nº 0802518-50.2020.4.05.0000, before the Regional Federal Court of the 5th region (TRF5). In it, Vivo, TIM, Claro and Oi, through action by Sinditelebrasil questioned Anatel’s attempt to change the General Consumer Rights Regulation, so that it would be possible to provide, to any recipient of telephone calls, personal information of the holder of the line originating the call. As they defended the non-alteration of the said regulation based, among others, on privacy and data protection arguments, the parameter was considered complied with. As much as InternetLab, exceptionally, recognized the action referred to above in view of its normative importance, we emphasize that, in line with the investigation of the public commitment of the companies under their brand, actions initiated in its own name by the telephone company, and not through associations or equivalents, are preferable for checking compliance with this parameter.

Actions considered in previous versions of Who Defends Your Data, such as Public Civil Action No. 0005292-42.2003.4.03.6110, which questions, among others, the delivery of data from logical doors to the police authorities, and the ADI 5642 , from MERL, were not considered, since they did not register movements.

Finally, to ascertain compliance with parameter II, regarding the contestation of abusive requests, we conducted exploratory searches in the database of the Court of Justice of the State of São Paulo and in the “Jusbrasil” portal, in both cases by the terms “vivo S/A AND privacy AND breaches” and by judgments published between August 1st 2019 and July 31st, 2020. In the searches, no lawsuits were found in this regard. We emphasize that the choice of Jusbrasil as a secondary source is because it gathers judgments from all Brazilian state courts, instead of requiring a search in all individual courts.

CATEGORY 4: Public position in favor of privacy

Result:

In this category, Vivo Broadband obtained a full star, because it met parameter II and partially met parameter I.

Parameter I, regarding the company’s general positioning, was considered partially met. In the engagement phase, the company informed InternetLab about its participation in Anatel’s Public Consultation No. 13 on “proposed minimum cyber security requirements for terminal equipment that connect to the Internet and for telecommunications network infrastructure equipment …”, in which it provided comments, in its own name, defending the existence of mechanisms of information security and control of the holders over their personal data on devices connected to the internet.

However, the parameter was considered only partially met in view of the public positioning of the company which was, in most cases, not sufficiently purposeful or transparent.

For example, Vivo offered a contribution to the public consultation on the “National Strategy for Artificial Intelligence”, prepared by the MCTIC, arguing that “the companies themselves create systems and ethical practices in order to gain trust [consumers] ”and affirming that“ Telefónica´s principles encompass several pillars, [such as] ethical and responsible management, corporate governance and internal control, respect for the rights of expression and privacy, commitment to information security, responsible communication and commitment to the society in which we operate. ” As much as the company’s participation in this consultation is commendable, no concrete, normative or technical proposals were found for the protection of its customers.

In our searches, a security breach was discovered that exposed the full name, address, date of birth, RG (Brazilian Identity Card No.), CPF (Brazilian Tax Code Ref.), email, mother´s name and telephone number of 24 million Vivo users. () In its response to the portal that published it, Olhar Digital, Vivo confirmed the vulnerability and stated that there were “considerably fewer” people affected. In addition, it stated that:

“Vivo regrets what has happened and points out that it constantly reviews its security policies and procedures, in the permanent search for the strictest controls in accessing its customer´s data and in combating practices that may threaten their privacy. The company reiterates that it respects privacy and transparency in its relationship with its customers. ”

The wording was considered too general and unsatisfactory for the purposes of this report, since it did not specifically advocate the adoption of techniques that could cope with what happened, nor what specific situations led to it.

In addition, it was also found that Vivo, Net and Oi shared, among themselves, “personal data of citizens without specific coverage to leverage the number of customers” served () According to the report, from the TecMundo portal, the suspicion arises after reports from users who, after contacting one of the companies and receiving a negative response to the provision of internet coverage in their area, were contacted by the other companies to offer other internet plans. The company’s telemarketing attendants confirmed these reports. In its response to the portal, Vivo denied that it shares “with third parties any information that involves the personal data of its customers or prospective customers”; however, no explanations were given for the user´s reports or the confirmations by the attendants, nor did they specifically defend norms or techniques that could cope with the allegations.

Finally, in its Sustainability Report (p.35), the company claims to have held a workshop on “Information Security and Data Protection, aimed at [its] main suppliers.” As much as the initiative is laudable, the mention of the meeting in Vivo´s report does not contain any practical or concrete details about what was defended or demanded in it.

Parameter II, relating to the company’s position in the context of COVID-19, was considered met. This is because, in the context of the partnership for monitoring the population signed between Vivo and the government of the State of São Paulo (see news from Terra (), the company was concerned that only anonymous / aggregated data, for example via heat maps and pivot tables, would be shared. During Live “Telecommunications in times of uncertainty: four perspectives”, carried out by the specialized news portal TeleTime on April 23rd, 2020, Vivo confirmed this positioning, emphasizing the sharing of anonymous data only, through its Vice- President of Data and Artificial Intelligence, Sr. Luiz Médici.

CATEGORY 5: Transparency reports and Data Protection Impact Assessment

Result:

In this category, Vivo Broadband obtained half a star, because it met parameter III and partially met parameters I and IV.

Parameter I, regarding the publication of transparency reports in Portuguese, was considered partially complied with. For the fourth year in a row, we found the publication of 2019 Transparency Report, of the Telefónica Group (document in Spanish), in which there is some detail about the regulatory framework in each country in which the group is present, the number of data requests they received in each country between 2013 and 2017 and, especially in the case of Brazil, which authorities do they consider competent. In addition, Vivo´s 2019 Sustainability Report, in Portuguese, contains information on privacy and data protection, pointing out some security requirements used, company principles on the subject, some relevant links, among others. However, due to the fact that most of the relevant information is presented only in Spanish, in the Telefónica Group report mentioned, the parameter was considered only partially met.

Parameter II, regarding the accessibility of the transparency report, was not considered as having been complied with. This is because the Sustainability Report cannot be found on the Vivo page, the brand under which the company presents its services and products in Brazil, and, even on the Telefônica website, one needs to search for the report in “A Telefônica” and then , “Sustainability” Concerning the Transparency Report on Communications, it cannot even be found on the Telefônica Brazill website, being accessible only through the Telefónica Spain website, under “Responsible Business”, and then “Transparency Report”.

Parameter III regarding the periodicity of the report was considered complied with. Versions published in previous years are available for previous years.

Parameter IV, regarding information on data access requests, was considered partially met. In the Communication Transparency Report (pp. 20 and 21), it is reported that, in 2018, 445,480 interception requests were made and 3,131,634 requests for access to metadata. However, in both cases, there is no information on the number of requests rejected or accepted, stating that “the registration system during the reporting period does not have the mechanisms to filter for rejected requests. It is working to have this data available in the next reports. ” Therefore, the parameter was considered partially met.

Parameter V, in turn, relating to the publication of Data Protection Impact Assessments, was also not considered met. No relevant documents were found in our searches.

CATEGORY 6: User notification

Result:

Vivo Broadband was not awarded a star, as there is no mention of the possibility of user notification in any of the documents analyzed.

VIVO MOBILE

CATEGORY 1. Information on data protection policy

Result:

In this category, Vivo mobile obtained ¾ of a star, having met parameters I, II and III and partially parameter V.

Although post and prepaid mobile phone contracts do not offer substantial information about the company’s data processing practices, we found that some information is available in the Sustainability Report and in the Privacy Center, on Vivo´s website. In this section, users have a brief informative video on the main points of data protection provided by the company and then, through the menu, they can find other more detailed information.

Vivo complies with parameter I, providing clear and complete information on all sub-parameters.

Sub-parameter (a), referring to the collected data, was considered fulfilled. In its Privacy Center, under “Data Collected”, the company informs:

“Vivo collects your information according to the service you use. Know what this information is: Subscriber data: What you provided when you contracted our services, such as name, address, CPF (BRAZILIAN TAX CODE REF.) etc.; Volumes of data trafficked on the internet via 2G, 3G and / or 4G network; History of use of contracted products and services: Exactly what the name says, but it is important to know that this history does not involve registration of apps used on your cell phone or what you do on social networks or websites. This only applies to Vivo apps! Then the data is collected to make the app even better; SMS events that are inside and outside the national Vivo network: This collection includes international Vivo events and international roaming operators; History of calls made and received: Accounting and tax information, invoice and customer payments; Top-up transactions and monitoring the use of these credits; Customer service data in stores and in the call center. ”

Sub-parameter (b), referring to the situations in which the collection takes place, was also considered fulfilled. This is because, even if there is no specific wording to point out situations where data is collected, in the sections; “Data Collected”; (see excerpt above) and “For what and how do we collect data?” (See excerpt below), it is informed that “Vivo collects your information according to the service you use”. It specifies the collection of data on the use of contracted products and services, call history, service data, Top-up transactions, among others. It was considered that such information is capable of detailing the situations in which the collection occurs.

Sub-parameter (c), related to the purpose of data processing, was also considered fulfilled. In the Privacy Center, under “For what and how do we collect data”; the company describes some of the purposes, mentioning the improvement of the network service, the personalized service, among others:

“We want your experience with Vivo to be better and better. Therefore, we will explain here the reasons for collecting all this information. Top-up transactions and monitoring the use of these credits; Improve network performance and increase the quality of our services; Correct failures in mobile, fixed and TV network services even faster; Produce processes for the elaboration of plans, services and personalized offers that are even closer to your profile; Assess demand by geographic region; Assist in Vivo´s strategic decisions, such as redistributing the signal or reallocating the service portfolio; Improve the relationship experience between you and Vivo, such as sending direct marketing and providing more relevant offers. ”

Sub-parameter (d), referring to how it is used, was considered fulfilled. This is because it indirectly provides information on how to use it in the sections mentioned above (demonstrating the situations in which the collection takes place and its purpose) and information on storage time and place etc.

Finally, the sub-parameter (e), relating to information regarding the rights of holders and the means to exercise those rights, was also considered met. At the Privacy Center, under “Right of Access, Rectification, Opposition and Cancellation”, the company informs about the existence of these four consumer rights over their data. As much as other rights could have been mentioned, such as the right to portability and automated decision review, the wording presented was considered satisfactory. In addition, the same page offers a phone and SMS number so that you can exercise these rights.

Concerning parameter II, referring to the provision of clear and complete information on the protection of personal data, it was considered, on average, that it was attended to, with sub-parameters (c) and (d) considered attended to and sub-parameters (a), (e) and (f) considered partially met.

Sub-parameter (a), referring to the time and location of data storage, was considered partially fulfilled. In the Privacy Center, under “How long do we store data for”? the company informs:

“In accordance with the Internet Legal Framework (Marco Civil da Internet), Vivo stores its connection records for at least 1 year, which is the information on the time of its internet connections and the IP for sending and receiving data. Your subscriber data (such as full name, address and CPF and billing data (tax documents) are stored for at least 5 years, for judicial and administrative proceedings. We do not record content from app providers, other than the ones we create. Therefore, in this case, according to the Internet Legal Framework (Marco Civil da Internet), we keep the record for up to 6 months, under confidentiality, in a controlled and secure environment. ”

“Most of the information is handled within Vivo or in companies of the Telefônica Group, always respecting the legislation in force in Brazil. However, sometimes, when we need to process data externally, we do everything with confidentiality clauses and ensuring that all access is audited and monitored, to guarantee your privacy. ”

The wording of the above excerpt was considered excessively broad and unsatisfactory. Even if the company informs that “most of the information is treated within Vivo”, giving a few more details, the hypotheses in which the data are treated externally, in which countries the data are stored, and what types of data are stored at each location, among other relevant information could have been provided.

As for sub-parameter (b), referring to when / if the data is erased, it was not considered as having been met. This is because, in the same passage pointed out above, in “How long do we store the data for?” in the Privacy Center, the company informs only the minimum storage time, there is no stipulated period for data to be deleted.

Sub-parameter (c), related to the company’s security practices, was considered complied with. In the company’s 2019 Sustainability Report (p. 34), the company informs some of the security standards it uses to ensure the protection of users, claiming to have developed, “based on the company’s security requirements and market frameworks (ISO27001 and ISO22301, NIST, PCI / DSS etc.) a set of guidelines to be followed, especially related to secure systems and servers. ” In addition, in the Privacy Center, under “Information Security”;, the company informs some security standards that it uses, such as encryption in the transfer of personal data from user´s devices, declares that it allows access to data only to authorized persons, as the principle of least privilege, and claims to provide auditability of any activities taken with the data, among others.

Sub-parameter (d), referring to who has access to the data, was also considered attended to, since the company, (see paragraph above), states that only authorized persons, according to the “principle of least privilege”, can have access to the data. Even though more detailed information on which employees can access the data could have been provided, the mention of the “principle of least privilege” indicates the existence of clearer standards in relation to such accesses, which is why the sub-parameter was considered fulfilled.

Sub-parameter (e), referring to the third parties with whom the data is shared, was considered partially met. Vivo, in its Privacy Center, in “Data Sharing”, and in the “General Clauses of the Post-Paid Personal Mobile Service Provision Agreement”, specifies some circumstances and data sharing with third parties, stating, respectively, that:

“Vivo may, eventually, support a behavioral study at events that promote the displacement of an audience in a certain location. Nevertheless, it is important to note that, in this case, it is not possible to individualize this information. Individualized information will only be shared with partners if you authorize it. Your data can be shared with partners whenever related to the provision of the service contracted by you (for example, when you are roaming); In cases provided for by law and / or by virtue of a court order; With partners, individually, only with their express authorization and always with the possibility to opt out.

“GENERAL CLAUSES OF THE CONTRACT TO PROVIDE THE POST-PAID PERSONAL MOBILE SERVICE:
20.3. VIVO may disclose and commercialize in a list (printed or digital) information contained in its registration relating to the CLIENT, provided that it has authorized the disclosure of its name and Access Code, in the Adhesion Term for the Personal Mobile Service or, even, by verbal authorization via the “Call Center” service, at any time. ”

The information above, even if it offers some guide for which third parties have access to the data, is excessively comprehensive. They do not determine which third parties can receive them, citing only the example of roaming in the case of the provision of third-party services through Vivo, it does not provide examples of situations in which there may have been express authorization from the user, with no cases mentioned of such authorizations found in the analyzed documents and does not determine what data and in which situations they are shared. However, due to the concern with pointing out information on the topic, even with a minimum of detail, the sub-parameter was considered partially met.

Finally, regarding sub-parameter (f), relating to the purposes of data sharing with third parties, it was also considered that it was partially met. This is because the information produced on the topic, referenced in the analysis of sub-parameter (e) above, is unclear and only states in a general way that the data can be shared “whenever related to the provision of the service contracted by you” or “Individually, only with your express authorization”. No clearer information is given about the chances of sharing and their purposes. However, due to the concern with pointing out information on the topic, with a minimum of detail, the sub-parameter was considered partially met.

Parameter III, which assesses whether the company responded in a timely manner to requests for access to data by InternetLab members, was considered complied with. Through access to the “Meu Vivo” portal, a member of InternetLab gained access to his own basic subscriber data, such as name, CPF (BRAZILIAN TAX CODE REF.), date of birth etc. InternetLab stresses that personal data goes beyond the information of a primarily registration nature shared, and that effective compliance with the data subject’s right of access to data would involve the sharing of other and more detailed information. However, in this edition of Who Defends Your Data, because we were successful in contacting and verifying the functioning of the contact channel with the company, this parameter was considered met.

Finally, parameter V, referring to the accessibility of information on privacy and data protection, was considered partially met. This is because Vivo has a Privacy Center, mentioned several times above, with clear and, in general, complete information on the subject. In addition, the center can be easily accessed on the Vivo homepage.

However, most of such information is not presented in the company’s mobile internet contracts, a practice that would be recommended so that the information could be accessed by all customers, legally consented to by them, and detailed according to each type of service contracted.

CATEGORY 2. Law enforcement guidelines

Result:

In this category, Vivo mobile obtained half a star, having complied with parameter I and partially with parameters II and IV.

“Legal interception: According to article 3 of the Brazilian Federal Law n. 9,296 / 1996 (law of interception), only the Judge (of the criminal sphere) was able to determine interception (telephone and telematic), at the request of public prosecutors (Public Prosecutor’s Office), the Police Commissioner (Police Authority).
Metadata associated with communications: Competent authorities “Prosecutors”, Commissioners of Police and Justice of any sphere, as well as Presidents of the Parliamentary Investigative Commissions: the name and address of the registered user (payment details), as well as the identity of the communication teams (including IMSI IMEI). ”
Judges from any sphere: the data to identify the origin and destination of a communication (for example, telephone numbers, user names for Internet services), the length of time and duration of a communication and the location of the device. ”

Parameter II, referring to the identification of the competent authorities and the crimes within which the requisition occurs, was considered partially answered. In the Communication Transparency Report, it is cited, alongside other legal diplomas, Art. 15 of Law 12.850 / 13 (Criminal Organizations Law) as “Legal Context” for the request for “metadata associated with communications”. However, there is no mention of Law 9,613 / 98 (Law on the Prevention of Money Laundering) or article 13-A of the CPP, nor any other specification on the scope of which crimes the competent authorities may request data.

Parameter III, referring to the provision of information on geolocation data, was also not considered met. Even if the Transparency Report mentioned above included the “location of the device” among the data that can be requested by court order, there is no detail about the circumstances in which it shares geolocational data and why, and so did not provide the information required by the parameters concerning that item.

Parameter IV, referring to the promise to provide connection records only by court order strictly under the terms of the legal regulatory use of the internet, was also not considered as complied with. On the one hand, the same passage pointed out above is clear in defining that only judges will have access to data on the origin and destination of a communication, which shows that such access will occur through a court order. However, the excerpt is not strictly restricted to the terms of the Internet Legal Framework (Marco Civil da Internet) (that is, it does not specify that only the date and time of the start and end of an internet connection, its duration and the IP address used will be shared).

Finally, parameter V, relating to the existence of specific guidelines on data delivery to the state, was also not considered met. In our searches, no documents like this could be found.

InternetLab praises Telefónica Global´s conduct of making public its interpretations of which authorities are competent to request user data and under what circumstances. However, we reinforce that there is a need to present such information in Portuguese so that the company is evaluated without restrictions, whether in contracts, in the Sustainability Report, or other materials.

CATEGORY 3: Defence of users in the Judiciary

Result:

In this category, Vivo mobile obtained half a star, because it met parameter I.

Regarding parameter I, referring to the challenge to legislation, we conducted exploratory searches on the websites of the Supreme Federal Court and the Superior Court of Justice for cases in which the company was a party, and we did not find any actions in this regard.

However, in the engagement phase, InternetLab became aware of a rescission action nº 0802518-50.2020.4.05.0000, before the Regional Federal Court of the 5th region (TRF5). In it, Vivo, TIM, Claro and Oi, through an by Sinditelebrasil questioned Anatel´s attempt to change the General Consumer Rights Regulation, so that it would be possible to provide, to any recipient of telephone calls, personal information of the holder of the line originating the call. As they defended the non-alteration of the said regulation based, among others, on privacy and data protection arguments, the parameter was considered as complied with. As much as InternetLab, exceptionally, recognized the action referred to above in view of its normative importance, we emphasize that, in line with the investigation of the public commitment of the companies under their brand, actions initiated in its own name by the telephone company, and not through associations or equivalents, are preferable for checking compliance with this parameter.

Finally, to ascertain compliance with parameter II, regarding the contestation of abusive requests, we conducted exploratory searches in the database of the Court of Justice of the State of São Paulo and in the “Jusbrasil” portal, in both cases using the terms “vivo S / A AND privacy AND breaches” and in published judgments between August 1st, 2019 and July 31st, 2020. In the searches, no lawsuits were found in this regard. We emphasize that the choice of Jusbrasil as a secondary source is because it gathers judgments from all Brazilian state courts, instead of requiring a search in all individual courts.

CATEGORY 4: Public position in favor of privacy

Result:

In this category, Vivo mobile obtained a full star, because it met parameter II and partially parameter I.

Parameter I, regarding the company´s general positioning, was considered partially met. In the engagement phase, the company informed InternetLab about its participation in Anatel´s Public Consultation No. 13 on “proposed minimum cyber security requirements for terminal equipment that connect to the Internet and for telecommunications network infrastructure equipment …”, in which it provided comments, in its own name, defending the existence of mechanisms of information security and control by data subjects over their personal data on devices connected to the internet.

However, the parameter was considered only partially met in view of the fact that the company´s public position was, in most cases, not sufficiently pro-positive or transparent.

For example, Vivo offered a contribution to the public consultation on the “National Strategy for Artificial Intelligence”, prepared by the MCTIC, arguing that “the companies themselves create systems and ethical practices in order to gain trust [consumers] ”and affirming that“ Telefónica´s principles encompass several pillars, [such as] ethical and responsible management, corporate governance and internal control, respect for the rights of expression and privacy, commitment to information security, responsible communication and commitment to the society in which we operate. ” As much as the company´s participation in this consultation is commendable, no concrete, normative or technical proposals were found for the protection of its customers.

In our searches, it was also found that a security breach exposed the full name, address, date of birth, Identity Card No., CPF, email, mother´s name and telephone number of 24 million Vivo users.(). In its response to the portal that published it, Olhar Digital, Vivo confirmed the vulnerability and stated that there were “considerably fewer” people affected. In addition, it stated that:

“Vivo regrets what has happened and points out that it constantly reviews its security policies and procedures, in the permanent search for the strictest controls in accessing its customer´s data and in combating practices that may threaten their privacy. The company reiterates that it respects privacy and transparency in its relationship with its customers.

In addition, it was also found that Vivo, Net and Oi shared, among themselves, “data of citizens without specific coverage to leverage the number of customers served”. (). According to the report, from the TecMundo portal, the suspicion arises after reports from users who, after contacting one of the companies and receiving a negative response to the provision of internet coverage in their area, were contacted by the other companies to offer other internet plans. The company’s telemarketing attendants confirmed these reports. In its response to the portal, Vivo denied that it shares “with third parties any information that involves the personal data of its customers or prospective customers”; however, no explanations were given for the users’ reports or the confirmations by the attendants, nor were norms or techniques that could cope with the allegations specifically defended. For this reason, the company’s response was considered too general.

Finally, in its Sustainability Report (p. 35), the company claims to have held a workshop on “Information Security and Data Protection, aimed at [its] main suppliers.” As much as the initiative is laudable, the mention of the meeting in Vivo´s report does not contain any practical or concrete details about what was defended or demanded in it.

Parameter II, regarding the company´s positioning in the context of COVID-19, this was considered met. This is because, in the context of the partnership for monitoring the population signed between Vivo and the government of the State of São Paulo (see news from Terra (), the company was concerned that only anonymous / aggregated data, for example via heat maps and pivot tables, would be shared. During Live “Telecommunications in times of uncertainty: four perspectives”, carried out by the specialized news portal TeleTime on April 23rd, 2020, Vivo confirmed this positioning, emphasizing the sharing of anonymous data only, through its Vice- President of Data and Artificial Intelligence, Sr. Luiz Médici.

CATEGORY 5: Transparency reports and Data Protection Impact Assessment

Result:

In this category, Vivo mobile obtained half a star, because it met parameter III and partially parameters I and IV.

Parameter I, regarding the publication of transparency reports in Portuguese, was considered partially complied with. For the fourth year in a row, we found the publication of 2019 Transparency Report, of the Telefónica Group (document in Spanish), in which there is some detail about the regulatory framework in each country in which the group is present, the number of data requests they received in each country between 2013 and 2017 and, especially in the case of Brazil, which authorities they consider competent. In addition, Vivo´s 2019 Sustainability Report, in Portuguese, contains information on privacy and data protection, pointing out some security requirements used, company principles on the subject, some relevant links, among others. However, due to the fact that most of the relevant information is presented only in Spanish, in the Telefónica Group report mentioned, the parameter was considered as only partially met.

Parameter II, regarding the accessibility of the transparency report, was not considered complied with. This is because the Sustainability Report cannot be found on the Vivo page, the brand under which the company presents its services and products in Brazil, and, even on the Telefônica website, it is necessary to search for the report in “A Telefônica” and then, “Sustainability”. Further, the Transparency Report on Communications cannot even be found on the Telefônica Brazil website, being accessible only through the Telefónica Spain website, under “Responsible Business”, and then “Transparency Report”.

Parameter III regarding the periodicity of the report was considered complied with. Versions published in previous years are available on the pages of both reports.

Parameter V, in turn, relating to the publication of Data Protection Impact Assessments, was also not considered met. No such documents were found in our searches.

CATEGORY 6: User notification

Result:

Vivo mobile was not awarded a star, as there is no mention of the possibility of user notification in any of the documents analyzed.

ALGAR

CATEGORY 1. Information on data protection policy

Result:

In this category, Algar obtained a full star, because it met parameters I, III and V and partially parameter II.

Algar addresses, in general, parameter I. The company offers clear and complete information on sub-parameters (a), (b), (d) and (e); and partially complies with sub-parameter (c).

Sub-parameter (a), referring to the collected data, was considered fulfilled. In the “Privacy of Personal Data,” section of its Data Policy, the company informs in a table the type of data collected (registration), what the data are (name, date of birth, bank details etc.) and the purpose of the data usage.

Sub-parameter (b), referring to the situations in which the collection takes place, was also considered fulfilled. In the section “Privacy of Personal Data”, the company informs in clause 4.1.3 some hypotheses of situations in which the collection occurs, such as, for example, when filling out the contract, when contracting other services etc. It was considered that such information is capable of detailing the situations in which the collection occurs.

“4.1.3 – Collection of personal data
4.1.3.1 – Data are collected from the completion of the service provision contract, the contracting of other services or from information inserted in terms, physical or digital forms or forms, when the processing is in accordance with our legitimate interests and does not underestimate their interests related to data protection or fundamental freedoms and rights;
4.1.3.2 – If necessary, Algar Telecom can receive your personal data or usage data from third parties. For example, if you are on another website and choose to be contacted by Algar Telecom, that website will transmit your email address and other personal data to us, so that we can contact you as requested. ”

Sub-parameter (c), related to the purpose of data processing, was considered partially fulfilled. In its Personal Data Privacy Policy (see table reproduced in sub-parameter (a), the company informs four purposes of data processing: (i) identify the customer; (ii) comply with legal obligation; (iii) credit protection and procedures and collection, and (iv) guarantee the customer’s safety. Indirectly, clause 4.1.5.1 (see excerpt below) lists the purpose of processing data for commercial purposes. Such information was considered too general and not very clear. However, as there was a concern to list at least five different hypotheses, the parameter was considered partially fulfilled.

Sub-parameter (d), referring to how it is used, was considered fulfilled. In the same “Personal Data Privacy” section of its Data Policy, the company reports nine hypotheses for using the data collected, for example, to communicate with the customer about his account or to provide access to certain areas and resources of the sites:

“4.1.5 – Data Type
4.1.5.1 – Algar Telecom uses the usage data collected through websites for commercial purposes, including:

Answer your customer´s; questions and requests;

Provide access to certain areas and resources of the sites;

Check the user’s identity;

Communicate with the customer about their account and activities in the service channels;

Adjust content, advertisements and offers provided;

Process payments for products or services;

Improve the website and other service channels;

Develop new products and services;

Process applications and transactions. ”

Finally, sub-parameter (e), which related to information regarding the rights of the data subjects and the means to exercise those rights, was considered fulfilled. In the Personal Data Privacy Policy, as well as in the Data Governance Policy, the company informs what the data subjects’ rights are (limitation or anonymity of the use of their personal data, revocation of consent, access to data etc.). The company also informs that the exercise of the right of the holders can be carried out by requesting the Person in Charge of Personal Data or through the Customer Service Channel. The company makes the e-mails and contacts available:

Privacy Policy
4.3.1 – Basic Rights
The client / user may ask our Responsible Person for Personal Data to confirm the existence of treatment of Personal Data, in addition to the display or rectification of their Personal Data, through our Service Channel.

4.3.2 – Data limitation, opposition and exclusion
Through the Service Channels, the customer / user may also request:

The limitation or anonymity of the use of your Personal Data;

Express your opposition and / or revoke consent regarding the use of your Personal Data;

Request the deletion of your Personal Data that has been collected and registered by Algar Telecom, as long as the minimum legal term related to data storage has elapsed; or,

Data portability to another telecommunications service provider, upon express request, in accordance with the regulations of the national authority;

Cancel the marketing communications we send when you wish.

4.4.3 – Service Channels
In case of any doubt regarding the provisions of this Policy, the customer / user may contact us through the service channels:

Chat Online Help:
www.algartelecom.com.br Client area;

Customer Service Center:
For You: 103 12 / (34) 9 9884 0123;
Micro and small businesses: 0800 942 1212 / (34) 9 9779 0112;
Medium and large companies: 0800 941 2822 / (34) 9 9889 2822.

Official Social Networks:
https://www.facebook.com/algartelecom/
https://twitter.com/algartelecom/

Letter:
Algar Telecom – Customer feedback center, Rua José Alves Garcia, 415 Bairro Brasil, Uberlândia MG;

Consent Portal;

Person In charge for the Processing of Personal Data (DPO):
Alexandre da Silva Simões e-mail: dpo@algartelecom.com.br

Ombudsman:
https://www.algar.com.br/ouvidoria/

Governance of Personal Data
4.11 – Guidelines for responding to requests and requests

4.11.1 – Response to the request from the personal data holder

4.11.1.1 – The procedures for responding to requests by personal data holders will be governed by the procedure for responding to requests for personal data holders, available at Algar Telecom's document library (https://book.algarnet.com.br)
4.11.1.2 – All associates, accredited or service providers have the duty to notify the person in charge of processing personal data, without undue delay, about any request received from the holder of personal data, before responding to the request, seeking, whenever possible, guidance on best practices in communication to be established with the holder of personal data
4.11.1.3 – In cases of doubt and specific situations, the associate, accredited or service provider must forward the requisition to the person in charge for the processing of personal data, so that he / she can respond in the most appropriate way to the specific applicable legislation and the stipulated good practices, whether internally or observed in the market.

4.12 Access to personal data by the data subjec
4.12.1 – The data subject may request access to his personal data at any time, and the associate, accredited or service provider of the area responsible for the treatment must ensure that the identity of the data subject is proven according to the procedure for replying to requests from the data subject
4.12.2 – The requisition and subsequent access to personal data should preferably occur electronically, except when the holder of personal data expressly requires the sending of personal data in a physical way or disclosure in an oral way. Visual aids can be used to make information even more intelligible and easy to understand.

4.13 – Elimination and / or blocking the processing of personal data at the request of the holder of personal dat;

4.13.1 – The data subject can request at any time the elimination and / or blocking of the usage of his personal data, and the associate, accredited or service provider of the area responsible for the use of personal data must send the request for elimination / blocking to the person in charge. for the processing of personal data so that the necessary measures can be taken as indicated in the procedure for responding to the request of the data subject;
4.13.2 – If it is impossible to delete, the data subject must be informed of this decision, explaining the reasons why this personal data cannot be deleted;
4.13.3 – The IT infrastructure area must establish mechanisms when restoring personal data that prevent the personal data of the subject who has requested its deletion from being restored to the virtual environment.

4.13 – Elimination and / or blocking the processing of personal data at the request of the data subject

4.13.1 – The personal data subject can request at any time the elimination and / or blocking of the sharing of his personal data, and the associate, accredited or service provider of the area responsible for the treatment must send the request for elimination / blocking to the person in charge for the processing of personal data so that the necessary measures can be taken as indicated in the procedure for responding to the request of the data subject;
4.13.2 – If it is impossible to delete, the data subject must be informed of this decision, explaining the reasons why this personal data cannot be deleted;
4.13.3 – The IT infrastructure area should establish mechanisms when restoring personal data that prevent the personal data of the holder who has requested its deletion from being restored to the virtual environment.

Parameter II, regarding the provision of clear and complete information on the protection of personal data, was considered partially met, as the company provides clear and complete information on sub-parameters (b), (c) and (d); and partially complies with sub-parameters (a), (e) and (f).

Sub-parameter (a), referring to the time and location of data storage, was considered partially fulfilled. Regarding the storage location, the company informs, in its Personal Data Privacy Policy and in the Data Governance Policy, which stores the data on Algar´s own servers in Brazil and on servers in the cloud.

4.1.9 – Storage Servers
The collected data will be stored on Algar Telecom´s own servers located in Brazil, as well as in an environment of use of resources or servers in the cloud (cloud computing), which means, in the latter case, transfer or processing of data outside of Brazil, fulfilling international data transfer provisions, pursuant to article 33 of the General Data Protection Law or other applicable rules.
Data Governance:
4.5.1 – The storage of personal data can be done in a physical way (storing identity badges, cards, cards, papers with hand-written notes, forms, invoices, contracts and other paper documents, for example) or digital (in media such as CD, DVD, Blu-Ray, external HD, pen drive, SD memory card, on Algar Telecom´s digital platforms or on a service contracted for this purpose);
4.5.2 – In the case of storage outside Brazil, the data protection management must be attentive to the country where the hardware is located and, if located abroad, Algar Telecom´s legal area must be contacted to verify whether there is legal and contractual support for personal data to be stored in that country;
4.5.3 – The physical and digital means of storing personal data must ensure their quality, and must be kept accurate and updated, according to the need to fulfill the purpose of treatment;
4.5.4 – When the personal data subject requests the correction or updating of his personal data, the person in charge of processing personal data, after analyzing the request, must activate the responsible areas to ensure that the physical and digital media where these personal data are replicated and stored are also updated

Such information on the storage of personal data was considered satisfactory.

As for the storage time, in the same document, the company informs that it keeps registration and identification data for up to 5 years after the end of the relationship. As for the “other data”, the company claims to store “as long as the relationship lasts and there is no request for deletion or revocation of consent”.

Thus, as the information regarding the storage time was considered unsatisfactory, it was considered that the sub-parameter was only partially met.

As for sub-parameter (b), referring to when / if the data is erased, it was considered that it was attended to. This is because; the company undertakes to delete the data “after the deadline and the legal need”:

Personal Data Privacy Policy
4.2.2 – Data Exclusion
4.2.2.1 – The data may be deleted before this period, if requested by the client / user. However, it may happen that the data needs to be kept for a longer period, under the terms of article 16 of the General Data Protection Law, in order to comply with a legal or regulatory obligation, fulfillment of the contract, transfer to a third party (respecting the data processing requirements provided for in the same law);
4.2.2.2 – After the deadline and the legal necessity, the data will be deleted using safe disposal methods or used anonymously for statistical purposes.

Data Governance
Elimination of personal data

4.9.1 – Personal data must be stored for a limited period, taking into account the specific purpose of the treatment;
4.9.2 – After fulfilling the purpose of the treatment and after the storage period determined by the temporality table, the data can be safely deleted, whether recorded in physical or digital media;
4.9.3 – The elimination of personal data may also be carried out at the request of the data subject or the National Data Protection Authority;
4.9.4 – For data deletion, the definitions indicated in the secure data deletion procedure must be followed;
4.9.5 – The preservation of personal data after reaching its purpose will only be possible in the event of Algar Telecom´s compliance with a legal or regulatory obligation;
4.9.6 – The request for the elimination of personal data by the holder will not be possible when the data has already been anonymized;
4.9.7 – The request may also not be made in the event of compliance with a legal obligation regarding the storage of this data for regulatory purposes, as long as the temporality table is respected.

Sub-parameter (c), related to the company’s security practices, was considered complied with. In its Personal Data Privacy Policy, the company informs:

4.1.8 – Data Security
Algar Telecom will use its best efforts to protect information, especially personal data, applying the necessary administrative and technical protection measures available at the time, demanding from its suppliers the same acceptable level of Information Security, based on best market practices and on contractual clauses

Such efforts mentioned in the Privacy Policy are highlighted in Algar´s Information Security Policy. In the document, the company informs it is committed to “guaranteeing the availability, integrity and confidentiality of personal data, throughout its entire life cycle” and establishes a structure for information security, with information on who are the people who can have access to Algar Telecom systems, the assets made available and procedures to be adopted in the company´s systems and applications.

PERSONAL DATA PROTECTION.

9.1 – Algar Telecom respects privacy. Therefore, it must guarantee the availability, integrity and confidentiality of personal data, throughout its life cycle, in any format of storage or support, through:
b) Adoption of security measures to protect personal data from unauthorized access, accidental or unlawful situations of destruction, loss, alteration, communication or improper or unlawful usage;
c) Storage in a safe controlled and protected manner;
d) Processes of Anonymity and pseudo-anonymity, whenever necessary;
e) Cryptographic guidelines in transmission and storage, whenever necessary;
f) Computer record of operations where the data is used;
g) Safe disposal of personal data at the end of its purpose and its conservation in accordance with legal and regulatory hypotheses;
h) Transfer to third parties in a secure and contractually provided manner;
i) Impact assessment and systematic privacy of data subjects;
j) Management and appropriate handling of incidents involving personal data;
k) Tests, monitoring and periodic evaluations of its effectiveness.

In its Data Governance Policy, the company informs:

4.17.1 – During the entire life cycle of personal data, the existing security guidelines in the Information Security Policy and the Data Privacy Policy of Algar Telecom available in the Algar Telecom document library and Algar Telecom internet portal must be observed;
4.17.2 – The information security management area must ensure the confidentiality, integrity and availability of personal data in all means of storage and transmission of personal data, considering:
a) Technical security controls involved, such as, but not limited to:
Firewall;
Cryptography

Use of VPN to access data outside Algar Telecom´s premises;

Physical and logical access controls;

Two-factor authentication;

Secure storage of physical documents;

Password managers.

b) Ensure that only authorized persons and agents authorized to access personal data have access to personal data in compliance with the need and relevance of granting access;
c) Adoption of information security measures to ensure that personal data remains intact without undue changes, exact, complete and updated;
d) Ensuring that personal data is accessible and usable by authorized persons and entities whenever necessary;
e) Registration of logs and audit trails of the life cycle of personal data;
f) Encryption, pseudo-anonymizing and anonymizing of personal data when applicable;
g) Training in the protection of personal data and supervision of the adoption of the practices taught.

Sub-parameter (d), referring to who has access to the data, was considered as met. In its Information Security Policy, the company provides some guidelines on access to data by Algar Telecom associates:

10.1.1 – Algar Telecom Associates
a) Every associate must have knowledge of all the policies in force in the company, in particular the Information Security Policy, Algar Code of Conduct, Information Security Awareness Training and be consistent with them;
b) All associates must sign the Term of Commitment and Responsibility and Confidentiality Agreement upon admission or whenever requested to by the company;
c) It is forbidden for any associate to misuse information about the company and / or its customers, transmit it to competitors, use it for their own benefit and / or store files and e-mails improperly;
d) Algar Telecom can automatically receive and store information about the activities of anyone using its resources, including IP address, user, applications, screen / page and conversations carried out within or through this company;
e) Any authentication ID (user and password) on the corporate network or in applications provided by Algar Telecom is for personal and non-transferable use and each user will be responsible for storing and using it;
f) At the end of the employment and / or contractual relationship with Algar Telecom associates, it will immediately deactivate the authentication IDs used during the connection or service provision.

10.1.2 – Suppliers, Third Parties and Visitors
a) It is forbidden for any service provider to use information about the company and its customers without authorization or improperly, transmit it to competitors, use it for their own benefit and / or store files and emails improperly;
b) Upon receiving access to any Algar Telecom resources, the service provider will be subject to the company´s internal policies and guidelines and to all criteria established by the “service provision contract” signed at the time of contracting and, if applicable, be penalized as provided for in this document;
c) Any authentication ID (user and password) on the corporate network or in applications provided by Algar Telecom is for personal and non-transferable use and each user will be responsible for storing and using it;
d) At the end of the contractual relationship, the person responsible for the contract of Algar Telecom service providers must ensure that the authentication IDs used during the work are deactivated

In its Privacy Policy, the company informs:

4.1.14 – Access to the Database
Access to the processed data is restricted only to professionals duly authorized by Algar Telecom, and its use, access and sharing, when necessary, will be in accordance with the purposes described in this policy

Sub-parameter (e), referring to the third parties with whom the data is shared, was considered partially met. In its Data Privacy Policy and in its Governance Policy, the company informs that “it shares personal data with authorized partners and suppliers” and that for the data to be shared, the parties must “have signed a contract with clauses referring to data protection and personal data”, but do not determine which third parties can receive them. The information offered by the company was considered unsatisfactory. However, due to the concern with pointing out information on the topic, with a minimum of detail, the sub-parameter was considered partially met.

Privacy Policy
4.1.6 – Sharing
Algar Telecom only shares personal data with partners and authorized suppliers to fulfill the purposes informed in this policy, having to share with third parties and authorities within the scope of compliance with legal or regulatory obligation, public administration, contract fulfillment, studies by research agencies, credit protection or customer / user security. In these cases, Algar Telecom will share the minimum information necessary to achieve its purpose, guaranteeing, whenever possible, the anonymity of personal data.

Data Governance
4.7.1 – The sharing of personal data or documents / files with personal data in national territory can be done for authorized usage agents, with the security measures indicated by the information security management area from the impact report to protection of personal data (DPIA / RIPD), when applicable and only for the purposes of use or prior usage and duly informed and legitimized with the data subject;
4.7.2 – The sharing of personal data with other processing agents, except for the sharing carried out to comply with legal obligations, can only occur if they have signed a contract with clauses referring to the protection of personal data, as provided for in item 4.21 of this document; 4.7.3 – In the event that it is impossible to conclude a contract or addendum with the party in question, a report on the impact of personal data protection (DPIA / RIPD) must be prepared and, based on this report, mitigating controls must be adopted in relation to the security and protection of the processing of personal data;
4.7.4 – The sharing of personal data whose usage has the legal hypothesis of consent can only occur with the consent of the data subject, with knowledge of this sharing, and this must be collected before the start of the processing of personal data;
4.7.5 – Anonymous personal data may be transferred to third parties, provided that the sharing requirements provided for in the applicable legislation and in this document are respected;
4.7.6 – The sharing of personal data should only occur through channels with security measures applied

The company also informs about the possibility of international transfer of personal data:

4.8.1 – If personal data is expected to be transferred to another country, the possibility of sharing with another controller should be submitted to the analysis of the person in charge of processing personal data (DPO), by the information security management area and the legal area, so that they can assess whether the country of destination has a degree of data protection that is adequate to the Brazilian legal system;
4.8.2 – If the receiving controller offers and proves guarantees of compliance with the holder´s rights, international data transfer may also be possible in the form of
(i) specific contractual clauses for a particular transfer;
(ii) standard contractual clauses;
(iii) global corporate standards; and
(iv) stamps, certificates and codes of conduct issued by the National Data Protection Authority;

4.8.3 – The international transfer of personal data can also take place for the purposes listed below:
a) When the transfer is necessary to protect the life of the holder or third parties;
Where the national authority authorizes the transfer;
When the transfer results in a commitment made in an international cooperation agreement;
When the data subject has given his/her specific consent and in particular the transfer of, with prior information on the international character of the operation, clearly distinguishing this from other purposes; or
e) To comply with legal or regulatory obligations by Algar Telecom;
f) When necessary to execute the contract and preliminary procedures related to the contract to which the data subject is a party, at the request of the data subject.

We commend the company’s attitude of offering information on international data transfer and its criteria for sharing data with third parties, a practice that is not common in the industry. However, by not specifying the receivers or types of receivers of the data, the sub-parameter was considered only partially fulfilled.

Finally, regarding sub-parameter (f), related to the purposes of data sharing with third parties, it was also considered that it was partially met. This is because the information brought forward on the topic, referenced in the analysis of sub-parameter (e) above, is unclear and only states that it is carried out to “meet the purposes informed in this policy”. No clearer information is given about the possibilities of sharing and their purposes. However, due to the concern with pointing out information on the topic, with a minimum of detail, the sub-parameter was considered partially met.

Parameter III, which assesses whether the company responded in a timely manner to requests for access to data by InternetLab members, was considered complied with. By accessing the portal as a legal entity representative, a member of InternetLab was able to confirm, “there is no data processing for this data subject”. InternetLab points out that personal data goes beyond information of a primarily registry nature, and that, in the case in question, there was knowledge of the holding of such personal data. However, in this edition of Who Defends Your Data, because we were successful in contacting and verifying the functioning of the contact channel with the company, this parameter was considered met.

Regardless, InternetLab praises the procedure for exercising the right of access to data, which included verification of the identity of the applicant holder, in order to safeguard his privacy and the security of his information.

Parameter IV, which assesses whether the company promises to send notifications to the user when updating its privacy policies, was not considered complied with. No Algar document mentioned such a possibility. However, we commend the company´s initiative to keep the history of changes to its policies on record, indicating which items have been modified.

Finally, parameter V, regarding the accessibility of information on privacy and data protection, was considered met. The company has a section entitled “Privacy and Information Security”, which can be accessed at the bottom of its website , which contains the Data Privacy Policies, Service Management, Information Security, Personal Data Governance, Use of Cookies, Services, Term of Use and Site Terms of Use. The information in the documents is clear and easily accessible to the customer.

CATEGORIA 2: Protocolos de entrega de dados para investigações

Resultado:

Nesta categoria, a Algar obteve estrela vazia, pois não atendeu a nenhum dos parâmetros.

O parâmetro I, referente à identificação das autoridades competentes para requisitar dados, não foi considerado cumprido. Em sua Política de Privacidade, a empresa informa apenas que “compartilhar com terceiros e autoridades dentro das hipóteses de cumprimento de obrigação legal ou regulatória, administração pública”, sem especificar quais são as autoridades competentes e em quais hipóteses a empresa compartilha os dados sem mandado judicial. Em nenhum dos documentos analisados, a empresa detalha quais são as autoridades competentes para requisitar dados.

Política de Privacidade
4.1.6 – Compartilhamento
A Algar Telecom somente compartilha os dados pessoais com parceiros e fornecedores autorizados para atendimento das finalidades informadas nesta política, tendo ainda que compartilhar com terceiros e autoridades dentro das hipóteses de cumprimento de obrigação legal ou regulatória, administração pública, cumprimento do contrato, realização de estudos por órgãos de pesquisa, proteção de crédito ou segurança do cliente/usuário. Nestes casos, a Algar Telecom irá compartilhar o mínimo de informações necessárias para atingir sua finalidade, garantindo sempre que possível, a anonimização dos dados pessoais.

Essa redação não esclarece ao usuário o tratamento a que estão submetidos seus dados cadastrais, dados de localização e registros de conexão. Neste sentido, é importante que a empresa informe claramente que registros de conexão somente podem ser entregues mediante ordem judicial, segundo o Marco Civil da Internet. No que se refere a dados cadastrais, essa mesma lei autoriza que sejam requisitados sem ordem judicial por autoridades administrativas competentes, nas hipóteses previstas em lei. Atualmente, entretanto, em face de controvérsia sobre quais são tais “autoridades administrativas competentes”, é imprescindível que a empresa seja transparente acerca de suas práticas e interpretações, no que diz respeito a pedidos de quebra de sigilo, assim como qual o seu entendimento do que considera registros de conexão.

O parâmetro II, referente à identificação das autoridades competentes e dos crimes no âmbito dos quais a requisição ocorrer, não foi considerado atendido. Não foi encontrada menção ao tema nos documentos analisados da Algar, além das cláusulas mencionadas no parâmetro I.

O parâmetro III, referente ao oferecimento de informações sobre dados de geolocalização, também não foi considerado não foi considerado atendido. Não foi encontrada menção ao tema nos documentos analisados da Algar.

O parâmetro IV, referente à promessa de fornecer registros de conexão apenas mediante ordem judicial estritamente nos termos do Marco Civil, também não foi considerado não foi considerado atendido. Não foi encontrada menção ao tema nos documentos analisados da Algar, além das cláusulas mencionadas no parâmetro I.

Por fim, o parâmetro V, relativo à existência de protocolos específicos sobre entrega de dados ao Estado, também não foi considerado não foi considerado atendido. Não foi encontrada menção ao tema nos documentos analisados da Algar, além das cláusulas mencionadas no parâmetro I.

CATEGORY 3. Defence of users in the Judiciary

Result:

In this category, Algar obtained an empty star, because it did not meet any of the parameters.

Actions considered in previous versions of Who Defends Your Data, ACEL ADI 5642, were not considered, since they did not register any changes.

Finally, to ascertain compliance with parameter II , regarding the contestation of abusive requests, we conducted exploratory searches in the database of the Court of Justice of the State of São Paulo and in the “Jusbrasil” portal, in both cases by the terms “Algar Telecom AND privacy AND breaches” and by judgments published between August 1st, 2019 and July 31st, 2020. In the searches, no lawsuits were found in this regard. We emphasize that the choice of Jusbrasil as a secondary source is because it gathers judgments from all Brazilian state courts, instead of requiring a search in all individual courts.

In the engagement phase, the company informed us about two actions in which the company was a party for contesting abusive requests (Case No. 1009561-39.2019.4.01.3803, TRF-1 and Case No. 11901-75.2016.4.01.3803 1 , 1st Federal Court of Uberlandia). However, as the process in the 1st Federal Court of Uberlandia is in 2016, it is outside the report´s temporal scope. As for the second process informed by the company, in the procedural consultation carried out on the website of the Federal Regional Court of the 1st Region, the action was not found.

We appreciate the company´s participation, however, as the action cannot be found, the parameter was not considered met.

CATEGORY 4: Public position in favor of privacy

Result:

In this category, Algar obtained an empty star, because it didn´t meet any parameters.

Parameter I, relating to the company’s general positioning, was not considered met. On some occasions throughout the year, companies that provide Internet access have had the opportunity to speak out on public policies and bills that affect user´s privacy, regardless of initiatives directly related to the COVID-19 pandemic. The postponement of the entry into force of the Ge LGPD is an example in this regard.

After searching official government websites, specialized and traditional press and corporate pressrooms, we found no material in this regard. During the discussions at the National Congress, regarding the postponement of the LGPD, in addition, no participation by Algar was found through press releases, participation in the discussions at the congress etc.

Parameter II, regarding the company´s positioning in the context of COVID-19, was also not considered met. This is because no positioning of the company could be found, either in searches on Google or in the specialized media, regarding the privacy of its users in this context.

CATEGORY 5: Transparency reports and Data Protection Impact Assessment

Result:

In this category, Algar obtained an empty star, because it didn’t meet any parameters.

parameters I to IV of this category, regarding the publication of a transparency report were not met. Although the company publishes an annual Sustainability report, the document does not contain any information related to requests for data received and fulfilled.

The only information on personal data contained in the 2019 Sustainability Report is in the section “Information security”, which states that there was no record of data leakage in the last year and a section that briefly explores the actions taken by the company to adapt to the LGPD.

“In 2019, there were no data leaks, theft and / or loss of confidential information.

We also maintain efforts to monitor regulatory changes, ensuring that our operations respect Brazilian standards and legislation. We are adapting to the requirements of the National Data Protection Authority (ANPD), created by the General Data Protection Law (LGPD), sanctioned in 2018, which provides for the treatment of personal information, in order to guarantee privacy and secrecy of the data.

With the support of external legal advice, we moved forward in 2019 to adapt to the new law. We hired a professional who initially dedicated himself exclusively to the subject and we acquired technological tools, aiming to mitigate cyber risks, as well as to carry out privacy management in the Company’s daily routine. Algar Telecom is committed, in all its hierarchical spheres, to the adaptation of technological, physical and organizational controls and incorporation of practices of compliance with the new data privacy law until 2020, the year in which the law will come into force”. (p. 41)

Parameter V, in turn, relating to the publication of Data Protection Impact Assessments, was also not considered met. No such documents were found in our searches.

CATEGORY 6: User notification

Result:

Algar was not awarded a star, as there is no mention of the possibility of user notification in any of the analyzed documents.

NEXTEL

CATEGORY 1. Information on data protection policy

Result:

In this category, Nextel obtained ¼ of a star, having met parameter III.

Nextel does not meet parameter I, regarding collection and purpose information, by not providing any information about any of the sub-parameters in its Personal Mobile Service Provision contract.

More specifically, the company does not provide any information about (a) what data is collected; (b) in which situations the collection takes place; (c) the purpose and (d) the way in which it is used, (e) what are and what are the means (e.g. e-mails or links) for exercising the rights of the holders over their data.

Concerning parameter II, referring to the provision of clear and complete information on the protection of personal data, it was considered, on average, that it was not met, since only information in sub-parameter (e) was considered partially met.

More specifically, the company does not provide any information about (a) how long and where personal data is stored; (b) when / if they are deleted; (c) what security practices it observes; (d) who has access to the data; (f) for what purposes the data is shared.

With regard to sub-parameter (e), in its Personal Mobile Service Provision Agreement, Nextel provides:

“VII – subSCRIBER´S RIGHTS AND DUTIES
7.1. In addition to the rights provided for in the other clauses of this instrument and in the regulation of rules, the subscriber may: a. Have the information related to the subscriber itself and included in the NEXTEL register, including the Access Code, kept confidential, which can only be provided in the following cases: (i) the subscriber or proxy with specific powers of attorney to access such information; (ii) for a specialized agency or database in view of the breach of contractual obligations; and, (iii) as a result of administrative or judicial determination. ”

The clause transcribed above was considered excessively generic because it does not provide clear hypotheses in which data can be shared, an activity known to be necessary for the proper functioning of mobile telephone services (e.g. for roaming, business partners etc.) However, because there is concern to mention the topic, the sub-parameter was considered partially met.

Parameter III, which assesses whether the company responded in a timely manner to requests for access to data by InternetLab members, was considered complied with. Through access to the “Nextel Responde” portal, a member of InternetLab was able to confirm, in a few days, that he was not registered as a Nextel customer. InternetLab emphasizes that personal data goes beyond information of a registration nature, and that the effective fulfillment of the right of access to data by its owner would involve sharing other and more detailed information, such as personal data received from other operators or third parties, data for email marketing, financial data etc. However, in this edition of Who Defends Your Data, because we were successful in contacting and verifying the functioning of the contact channel with the company, this parameter was considered met. .

Parameter IV, which assesses whether the company promises to send notifications to the user when updating its privacy policies, was not considered complied with. No Nextel document mentioned such a possibility.

Finally, parameter V, regarding the accessibility of information on privacy and data protection, was also not considered attended to. This is because no information about privacy and data protection could be found in an accessible way on Nextel’s website or other environments.

CATEGORY 2. Law enforcement guidelines

Result:

In this category, Nextel got an empty star, because it only partially met parameter I.

Parameter I, referring to the identification of the authorities competent to request data, was considered partially fulfilled. In the same clause 7.1. of its Personal Mobile Service Provision Agreement transcribed above, item (iii), Nextel states that the subscriber’s personal information can only be shared “as a result of administrative or judicial determination.” However, because it did not identify the authorities to whom it could deliver the data on request, the parameter was considered partially fulfilled.

The company does not explain to the user the fact that subscriber data and connection records have different legal treatment. In this sense, it is important for the company to clearly state that connection records can only be delivered by court order, according to the internet legal framework (Marco Civil da Internet). With regard to subscriber data, that same law authorizes them to be requested without a court order by competent administrative authorities. Currently, however, in the face of controversy as to what such “competent administrative authorities” are, it is imperative that the company is transparent about its own interpretations of the law it applies when receiving requests for breaches of confidentiality.

Parameter III, referring to the provision of information on geolocation data, was also not considered met. No mention of the topic was found in Nextel´s analyzed documents.

Parameter IV, referring to the promise to provide connection records only by court order strictly under the terms of the internet legal framework, was also not considered complied with. No mention of the topic was found in Nextel´s analyzed documents.

Finally, parameter V, relating to the existence of specific guidelines on data delivery to the state, was also not considered met. No mention of the topic was found in Nextel´s analyzed documents.

CATEGORY 3: Defence of users in the Judiciary

Result:

In this category, Nextel obtained half a star, because it met parameter I.

However, in the engagement phase, InternetLab became aware of a rescission action nº 0802518-50.2020.4.05.0000, before the Regional Federal Court of the 5th region (TRF5). In it, the companies Claro, Vivo, TIM and Oi, through an action by Sinditelebrasil , questioned Anatel’s attempt to change the General Consumer Rights Regulation, so that it would be possible to provide, to any recipient of telephone calls, personal information of the owner of the line originating the call. As they defended the non-alteration of said regulation based, among others, on privacy and data protection arguments, the parameter was considered complied with. As much as InternetLab, exceptionally, recognized the referred action in view of its normative importance, we emphasize that, in line with the investigation of the public commitment of the companies under its brand, actions initiated in its own name by the telephone company, and not through associations or equivalents, are preferable for checking compliance with this parameter.

We emphasize that, even if Nextel is a company of a different brand from Claro, which is why it is evaluated separately in this report, as part of the same economic group, Claro’s judicial performance was also considered, exceptionally, for this category of Nextel, and because an eventual victory would have had a collective character, reaching beyond customers under the Claro brand.

Finally, to ascertain parameter II, regarding the contestation of abusive requests, we conducted exploratory searches in the database of the Court of Justice of the State of São Paulo and in the “Jusbrasil” portal, in both cases by the terms “Nextel E privacy E breaches” and by judgments published between August 1st, 2019 and July 31st, 2020. In the searches, no lawsuits were found in this regard. We emphasize that the choice of Jusbrasil as a secondary source is because it gathers judgments from all Brazilian state courts, instead of requiring a search in all individual courts.

CATEGORY 4. Public position in favor of privacy

Result:

In this category, Nextel obtained an empty star, because it did not meet any of the parameters.

Parameter I, relating to the company’s general positioning, was not considered met. On some occasions throughout the year, companies that provide Internet access have had the opportunity to speak out on public policies and bills that affect users’ privacy, regardless of initiatives directly related to the COVID-19 pandemic. The postponement of the entry into force of the LGPD is an example in this regard.

After searching official government websites, specialized and traditional press and corporate pressrooms, we found no material in this regard. During the discussions in the National Congress, regarding the postponement of the LGPD, in addition, no participation by Nextel was found through press releases, participation in the discussions at the congress etc.

Parameter II, regarding the company’s positioning in the context of COVID-19, was also not considered met. This is because no positioning of the company could be found, either in searches on Google or in the specialized media, regarding the privacy of its users in this context.

CATEGORY 5. Transparency reports and Data Protection Impact Assessment

Result:

In this category, Nextel obtained an empty star, because it did not meet any of the parameters.

No Nextel transparency reports were found. As such, parameters I to IV of this category could not be met.

Parameter V, in turn, related to the publication of Data Protection Impact Assessments, was also not considered met. No such documents were found in our searches.

CATEGORY 6: User notification

Result:

Nextel was not awarded a star, as there is no mention of the possibility of user notification in any of the analyzed documents.

SKY

CATEGORY 1. Information on data protection policy

Result:

In this category, Sky obtained ¾ of a star, because it met parameter I and III, and partially met parameter II.

Sky fulfills parameter I as it provides clear and complete information on all sub-parameters.

Sub-parameter (a), referring to the collected data, was considered fulfilled. In clause 19 of the Adhesion contract and clause 7 – which provides for the client’s obligations and rights – in the Broadband Agreement, the company clearly states what data is collected:

“19. Privacy and Data Collection
19.1. The identification data provided by the CLIENT (such as: name, address, RG and CPF, telephone numbers and e-mail addresses) and data related to the provision of SKY Services such as history of products used or purchased, amounts spent by the CLIENT, number of televisions and their buying / consuming habits.”

“7. XII – send a copy of personal identification documents, such as ID, CPF, proof of address, bank account and credit card ownership, among others, both at the time of contracting, and at a later time, as long as requested by the OPERATOR”

In its Privacy Policy (see excerpt below), the company informs what data is collected and in what situations the collection occurs.

Sub-parameter (b), referring to the situations in which the collection takes place, was also considered fulfilled. This is because the company’s Privacy Policy, states in section 2 – “Collected Information”, what data can be collected: during (i) a request in the first interaction on Sky´s digital platforms; (ii) when filling out the records related to the company’s services; (iii) during the use of services and platforms; (iv) when contacting Sky; and (v) “personal data made available by third parties, provided they are legitimately obtained”. It was considered that such information is capable of detailing the situations in which the collection occurs.

Generally, the personal data processed by SKY are requested in your first interaction on our digital platforms, such as, for example, when you want to register for our digital platforms. By completing the registrations related to SKY services or platforms and using SKY platforms and / or services, you declare that you have carefully read all the conditions of this Policy, expressing in a free, informed and unequivocal manner your desire to continue browsing and using said services, and being aware that, for this purpose, SKY will treat your personal data, for the purpose of fulfilling the obligations provided for in the service provision contracts to which you are a party or in the legislation in force, to guarantee your security in the identification and authentication processes on SKY platforms, and / or to enable the exercise of SKY´s legitimate interests, or, for other purposes, for which your consent will be requested, in accordance with the Law.
(…)
When you use the services and platforms offered by the SKY group to make purchases, for example, some information about the transaction and / or data associated with it may be collected, such as the amount paid and the payment method used. This information is handled by SKY primarily to enable the processing and sending of transaction notices, risk management and / or the provision of credit protection and the implementation of anti-fraud measures.

Certain information may also be collected when you contact SKY, either through the Customer Service (SAC) or any other service channel, always in the context of the provision of services you have contracted, compliance with legal obligations or in situations where SKY has a legitimate interest in improving its platforms and / or services provided, in accordance with the applicable legal provisions.

In order to carry out internal audits, to guarantee credit protection, to implement anti-fraud measures or to ensure compliance with the legislation in force, SKY may also eventually treat personal data provided by third parties, if they are legitimately obtained, such as data providers and credit agencies, and / or publicly available.

In summary, SKY will only process your personal data in the cases provided for in this Policy; to fulfill contractual obligations to which you are a party; under a court order; through their free, informed and unequivocal consent, when necessary; or in other cases authorized by law.

Sub-parameter (c), referring to the purpose of data processing, was considered met. In the Adhesion Contract, the company only informs that the collection and use of data aims to provide “the best experience” of the services offered by Sky”. However, in its Privacy Policy, in the section “Information Collected” (see excerpt above), the company states that the subscriber data is treated for “fulfillment of the obligations provided for in the service provision agreements to which you are a party or in the legislation in force, to ensure your security in the identification and authentication processes on the SKY platforms, and / or to enable the exercise of SKY´s legitimate interests, or, for other purposes, for which your consent will be requested, in the form of Law”. The data collected after purchases of the company’s services are treated to “enable the processing and sending of transaction notices, the management of risks and / or the provision of credit protection and the implementation of anti-fraud measures”; the data made available by third parties are treated for internal audits, to guarantee credit protection and to implement anti-fraud measures. It was considered that such information is capable of detailing the hypotheses of data processing.

Membership Agreement
“19. Privacy and Data Collection
19.2. It is now certain and agreed between the Parties that the collection and use of data mentioned above will occur solely and exclusively to provide the CLIENT with the best SKY Services experience.

Sub-parameter (d), referring to how it is used, was considered fulfilled. This is because the company, in the excerpts of the contracts mentioned in sub-parameter (b), informs some purposes of the data processing, as well as some specific hypotheses for the use of the data.

Finally, sub-parameter (e), related to information regarding the rights of the data subjects and the means to exercise those rights, was considered met. In its Privacy Policy, in the “User Rights” section, Sky informs what are the rights of data subjects, such as access, rectification, anonymization, blocking and revocation of consent. In addition, the company also offers an email to exercise these rights and an “LGPD portal”, which it claims is available on the company’s website. However, we did not find such a portal on Sky’s website. Despite the flaw regarding the LGPD portal, as the company offers another means (e-mail) for the exercise of the rights of data subjects, we have considered the sub-parameter fulfilled.

Privacy Policy
“8. User Rights
SKY is concerned with your privacy and, as a result, is committed to protecting all your rights set out in the privacy and data protection laws in force. Do you have the ability to exercise, for example, the rights of access, rectification, making dada anonymous, blocking or deletion of your personal data, as well as requesting information about the public and private entities with which SKY shared your data and / or the revocation of any consent previously provided and its consequences, when applicable.
To exercise these and other rights provided for in the current legislation on privacy and protection of personal data, we ask that you forward your request through the email indicated at the end of this Policy or that you access the link to enter the LGPD portal available on the website www.sky.com.br
11. Questions
If you have questions or concerns regarding this Policy, the processing of data by SKY or the exercise of your rights related to personal data, please contact us at atendimento@sky.com.br . ”

With regards parameter II, regarding the provision of clear and complete information on the protection of personal data, it was considered that it was partially met, since only sub-parameter (b) was considered met; while sub-parameters (a), (c), (e) and (f) were considered partially met.

Sub-parameter (a), referring to the time and location of data storage, was considered partially fulfilled. In its Privacy Policy, the company informs that it “can” store customers’ personal data in the cloud or similar infrastructures on servers in “different countries”. Due to the wide and imprecise wording, this point was considered unsatisfactory.

Privacy Policy:
“3. Information sharing
(…) as usual in the market, SKY can store your personal data in a “cloud system” or similar infrastructures and technologies, whose servers are usually located in several countries, such as the United States of America (…). ”

Storage time information was also not considered satisfactory. The General Communication Conditions set out the minimum period for maintaining subscriber data and connection records. However, although it is considered positive that the company establishes a minimum period, the absence of information on the maximum period for which the company stores its customers’ data ends up making the period of time for which the data is stored too imprecise.

General communication conditions
“8. OPERATOR Obligations and Rights
XV – keep the CLIENT´s subscriber data and connection records for a minimum period of three years. ”

As for sub-parameter (b), referring to when / if the data is erased, it was considered that it was attended to. Sky informs that when the treatment ends, the data is deleted:

Membership Agreement – Value Added Services
“9. Privacy and Protection of Personal Data
9.8. The personal data processed by SKY will be deleted after the end of its use, within the scope and technical limits of the activities, conservation is authorized for the purposes defined by Law. ”

Sub-parameter (c), related to the company’s security practices, was considered partially met. In its Privacy Policy, Sky lists some of the security measures it adopts to preserve the confidentiality of customer data, such as controlling and tracking user access and protecting software, such as antivirus and firewalls. However, both in the Privacy Policy itself, as in the Membership Agreement – Value Added Services, the company does not guarantee the absolute security of the databases. In the event of data breach or misuse, the company assumes responsibility for the losses caused to the customer.

Privacy Policy:
“7. Information on Security
To preserve the confidentiality of your personal data, SKY maintains updated technical, physical and administrative security measures designed especially to provide the necessary protection against loss, disclosure, alteration and any other breaches of your personal data. These measures include the control and tracking of user access, software protections (such as antivirus and firewalls) and data backup. Unfortunately, no matter how secure our system is, it is well known in the technological environment that no security system is completely impenetrable. Therefore, we cannot guarantee absolute security of our database and we cannot guarantee that the personally identifiable information you have provided cannot be intercepted when transmission is made over the Internet. ”

Membership Agreement – Value Added Services
“9. Privacy and Protection of Personal Data
9.5. Within the limits set in the applicable legislation, SKY is responsible for any violation and / or misuse of the data proven stored in its databases and for the losses that it may cause to the CLIENT.
9.7. The systems and procedures used by SKY in the processing of personal data are auditable and structured in order to meet the best security requirements and the standards of good practices and governance, as well as the general principles provided for in the current laws and regulations, ensuring the inviolability of intimacy, honor and image, as well as adequate protection against loss, misuse, unauthorized access, disclosure and alteration of the CLIENT’s personal data. ”

The information in question was considered too generic to comply with the sub-parameter. The company does not inform, for example, which security standards it adopts, which guidelines it follows, whether encryption is used to transfer personal data from users’ devices or what principles of information security it follows.

Sub-parameter (d), referring to who has access to the data, was not considered met. In none of the documents available on the company’s website do we find predictions about who has access to the data. SKY only offers information about data sharing.

Sub-parameter (e), referring to the third parties with whom the data is shared, was considered partially met. In several documents (Privacy Policy, General Conditions for Companies, Broadband Adhesion Contract and Value Added Services Adhesion Contract), the company states that data sharing occurs only with third parties belonging to the Sky group, that is, the controlling, affiliated or subsidiary companies. In addition to the member companies, according to what is contained in clause 3 of the Privacy Policy, personal data may also be shared with other third parties, pointing out the imposition of limits through the terms of confidentiality and the purposes expressed in the contract and under the terms of the LGPD:

Privacy Policy:
Information sharing
SKY is always looking to provide privacy to our customers and users; therefore, our institutional policy is not to share personal data with third parties who are not members of the SKY group.The controlling companies, affiliates and subsidiaries are part of the SKY group. However, in order for us to offer our services and platforms, certain personal data may be shared with unrelated third parties, always respecting Brazilian legislation on the protection of personal data. This sharing, when necessary, will occur for specific and determined purposes, always aiming at the correct functioning of the platforms and services that SKY makes available to you. By using our platforms or services, you express your desire to continue browsing or using said services, being aware that your personal data may be shared with unrelated third parties, and it is certain that SKY will perform such sharing for the purposes of execution of contractual or legal obligations; to enable the exercise of a legitimate interest; and / or upon your consent, when applicable, pursuant to the Law.

General Conditions for Companies:
Final provisions
17.5. SKY respects the privacy of the personal data provided by the CLIENTS, using them only for the purposes of this Agreement, under the terms of the current legislation. The CLIENT hereby authorizes the sharing of this data to SKY service providers, who work with SKY or on behalf of SKY bound by confidentiality agreements.
17.5.1. SKY partner companies may, as long as previously authorized by the CLIENT, use the personal data provided for in the retro clause, with the objective of assisting SKY in the communication established with the CLIENT about SKY´s own offers and / or marketing partners

Prepaid broadband subscription agreement:
19. Privacy and Data Collection
19.3. The data mentioned in clause 19.1 above will be transferred only to SKY partner companies and / or suppliers, with such companies signing confidentiality terms with SKY in which they undertake not to pass on to third parties the data collected from SKY customers.

Membership Agreement – Value Added Services
9.3. The personal data referred to in clause 9.2 may be transferred to partner companies, as well as understood as companies providing goods and services to SKY and / or belonging to the same economic group as SKY, as well as to other third parties, in the manner specified in the “SKY Privacy Policy” referred to in clause 9.9, being certain that, when transferring personal data to third parties, there is a commitment on the part of the receiver to fully comply with the data protection regime provided for in the Brazilian legal system, as well as confidentiality of information, ensuring that there will be no transfer of the CLIENT’s personal data to third parties not authorized by SKY.
9.3.1. It is hereby established that, for the purposes of this Agreement, the personal data referred to in clause 9.2. will be transferred to PARTNER COMPANIES, thus understood as the companies providing VALUE ADDED SERVICES, being certain that, in the transfer of personal data to PARTNER COMPANIES, there is a commitment on the part of the receiver as to the full compliance with the data protection regime provided for in the Brazilian legal system, as well as information confidentiality, ensuring that there will be no transfer of the CLIENT’s personal data to third parties not authorized by SKY.

However, the information above, even if it offers some guide as to which third parties have access to the data, is excessively generic. It does not specifically determine which third parties may receive them and does not determine what data and in what situations they are shared. Still, the prediction that “however, (…) certain personal data may be shared with unrelated third parties” makes the information about which third parties data is shared too inaccurate, since the company does not provide any example or hypothesis of who these “Unrelated third parties” are or what would be the nature of this “certain personal data”. However, due to the concern with pointing out information on the topic, even with a minimum of detail, the sub-parameter was considered partially met.

Finally, regarding sub-parameter (f), related to the purposes of sharing data with third parties, it was also considered partially met. This is because the information disclosed on the topic, referenced in the analysis of sub-parameter (e) above, is unclear and only states in a general way that data can be shared to “offer our services and platforms” or “with the objective to assist SKY in communicating with the CLIENT about offers from SKY itself and / or from marketing partners”. No clearer information is given about the instances of sharing and their purposes. However, due to the concern with pointing out information on the topic, the sub-parameter was considered partially met.

Parameter III, which assesses whether the company responded in a timely manner to requests for access to data by InternetLab members, was considered fulfilled. Through e-mail to atendimento@sky.com.br, an InternetLab member got confirmation, in a few days, that he was not registered as a Sky customer. InternetLab emphasizes that personal data goes beyond information of a registration nature, and that the effective fulfillment of the right of access to data by its owner would involve sharing other and more detailed information, such as personal data received from other operators or third parties, data for email marketing, financial data etc. However, in this edition of Who Defends Your Data, because we were successful in contacting and verifying the functioning of the contact channel with the company, this parameter was considered met.

Parameter IV, which assesses whether the company promises to send notifications to the user when updating its privacy policies, was not considered met. Sky does not include in its contracts the provision of notification to the customer in the event of an update to the privacy policies, but it undertakes to disclose new versions of the contracts through the company’s website or the media. However, the company guarantees to the customer the possibility of formalizing a reasoned opposition to the new version, within a period of 30 days, and guaranteeing the possibility of terminating the contract without penalty, in case it disagrees with the changes. We praise the company’s attitude of guaranteeing customers the possibility of opposing contract updates, but we recommend that the company notify its customers, so that they can exercise this right.

General conditions for companies:
16. Membership Agreement
16.2. Sky undertakes to disclose on the website www.sky.com.br and / or other means of communication, the new versions of this Agreement, the CLIENT being entitled to formally oppose its opposition, in a reasoned manner, in up to 30 ( thirty) days from the disclosure. After this period, the new contractual conditions come into force.

Prepaid contract:
3.Programming:
3.6. The CLIENT is aware that any change in the composition of the Service Plan by SKY is part of the nature of the services provided, as well as being aware that such changes may occur due to changes in legislation, giving the CLIENT the right to terminate the Contract without any penalty, being obliged to make the payment of the remaining amounts, by communicating to SKY within 30 (thirty) days as of the referred alteration, through the website www.sky.com.br or by telephone through the SAC.

Finally, parameter V, regarding the accessibility of information on privacy and data protection, was not considered complied with. The company has no alternative format to contracts in which it makes information about privacy and data protection accessible.

Anyway, we praise the fact that it is easy to find contracts on the company´s website. They are available at the bottom of the home page “general contracts” and “prepaid contracts”, as well as the privacy policy. That way, customers shouldn’t have to struggle to find this type of information. The easy access to this information, however, was not sufficient in this edition of the report for parameter V to be considered met.

CATEGORY 2. Law enforcement guidelines

Result:

In this category, Sky obtained ¼ of a star, partially fulfilling parameter I.

Parameter I, regarding the identification of the competent authorities to request subscriber data, was considered partially met. In its Privacy Policy, the company identifies the competent authorities with which personal data may be shared. However, the list of authorities mentioned is not restrictive; in addition to the identified authorities, information sharing can take place with several other agencies, departments, institutions or public entities that were not expressly mentioned:

Privacy Policy:
3. Information sharing
In order to comply with legal and / or regulatory obligations applicable to SKY, certain personal data may also be shared with and / or transferred to the competent authorities, such as, but not limited to, the Central Bank of Brazil – BCB, the Board of Control of Financial Activities – COAF, the Brazilian Federal Reserve, the Credit Bureau and the State and Municipal Finance Departments or any other agencies, departments, institutions or public entities for which the sending of said personal data is an obligation.

The company does not explain to the user the fact that subscriber data and connection records have different legal treatment. In this sense, it is important for the company to clearly state that connection records can only be delivered by court order, according to the Internet Legal Framework (Marco Civil da Internet). With regard to subscriber data, that same law authorizes them to be requested without a court order by competent administrative authorities. Currently, however, in the face of controversy as to what such “competent administrative authorities” are, it is imperative that the company is transparent about its own interpretations of the law it applies when receiving requests for breaches of confidentiality.

Parameter II, referring to the identification of the competent authorities and the crimes within which the requisition may occur, was not considered complied with. The company undertakes to respect the constitutional and legal assumptions and conditions of breach of confidentiality, without, however, specifying what the assumptions of breach of confidentiality are or which are the competent authorities. Due to this broad wording and the absence of detailed information on the topic, the parameter was not considered met.

GENERAL CONDITIONS FOR THE PROVISION OF THE COMMUNICATION SERVICE
7.2. In addition to other rights provided for in this Agreement and the applicable legislation and regulations, the CLIENT is entitled to:
V – The inviolability and secrecy of their communication, respecting the constitutional and legal hypotheses and conditions for breach of telecommunications confidentiality;

Parameter III, referring to the provision of information on geolocation data, was also not considered met. No mention of the topic was found in Sky´s analyzed documents.

Finally, parameter V, relating to the existence of specific guidelines on data delivery to the state, was also not considered met. No mention of the topic was found in Sky´s analyzed documents.

CATEGORY 3: Defence of users in the Judiciary

Result:

In this category, Sky obtained an empty star, because it did not meet any of the parameters.

Finally, to ascertain the findings in parameter II, regarding the contestation of abusive requests, we carried out exploratory searches in the database of the Court of Justice of the State of São Paulo and in the “Jusbrasil” portal, in both cases using the terms “Sky AND privacy AND breach” and by judgments published between August 1st, 2019 and July 31st, 2020. In the searches, no lawsuits were found in this regard. We emphasize that the choice of Jusbrasil as a secondary source is because it gathers judgments from all Brazilian state courts, instead of requiring a search in all individual courts.

In the engagement phase, the company did not contribute with InternetLab, and did not offer legal or administrative lawsuits in which they participated and that could be considered for this category.

CATEGORY 4: Public position in favor of privacy

Result:

In this category, Sky obtained ½ of a star, because it partially met parameter I.

Parameter I, regarding the company’s general positioning, was considered partially met. On some occasions throughout the year, companies that provide Internet access have had the opportunity to speak out on public policies and bills that affect user privacy, regardless of initiatives directly related to the COVID-19 pandemic. The postponement of the entry into force of the LGPD is an example in this regard.

The company participated in the panel “Data protection: how to combat and mitigate risks, losses and damages, at the Seminar on Digital Transformation and Cyber security. As reported by the specialized media, where the head of Information Security at Sky commented on the actions taken by the company to adapt to the LGPD:

“Sky has had a data protection policy for a long time. We follow guidelines from AT&T, which has a very strong focus on data protection and not just on LGPD”.

“The main challenge is the coverage of the LGPD program. Our network is Brazil, so we have customers from Amazonas to Rio Grande do Sul. Furthermore, what can we do to raise awareness not only for consumers, but also for our partners? What concerns us are the partners”

While the initiative to participate in debates on LGPD and data protection is commendable, we have not found any practical or concrete details about what was defended by the company with regard to increasing the protection given to the users of its services.

Parameter II, regarding the company’s positioning in the context of COVID-19, was not considered complied with. This is because no positioning of the company could be found, either in searches on Google or in the specialized media, regarding the privacy of its users in this context.

In the engagement phase, the company did not contribute with InternetLab, neither sharing public events nor relevant participation with us that could be considered for this category.

CATEGORY 5: Transparency reports and Data Protection Impact Assessment

Result:

In this category, Sky obtained half a star, because it met parameters I, II and III.

Parameter I, regarding the publication of transparency reports in Portuguese, was considered complied with. The AT&T group, of which Sky is a member, publishes transparency reports in Portuguese that bring historical information / subscriber data and operating businesses and requests for URL / IP blocking by government entities. In Brazil, the following requests were made:

“January – June / 2019
Historical information: subscriber data 1,015
IP / URL blocking 1

July – December / 2019
Historical information: subscriber data 389
IP / URL block 4”.

Parameter II, regarding the accessibility of the transparency report, was considered met. The Transparency Report can be easily found at the bottom of Sky´s homepage. However, it is worth mentioning that only the last published report can be accessed through the home page, and it is necessary to access the AT&T website to get reports from previous semesters.

Parameter III, regarding the periodicity of the report, was considered complied with, since the company’s transparency reports are published every six months.

Parameter IV, regarding information on data access requests, was not considered complied with. The report does not contain more detailed information on the number of orders received, served and rejected or which authorities it considers competent to do so.

Parameter V, in turn, relating to the publication of Data Protection Impact Assessments, was also not considered met. No such documents were found in our searches.

CATEGORY 6: User notification

Result:

Sky was not awarded a star, as there is no mention of the possibility of user notification in any of the analyzed documents.

/PRESENTATION

/WHO WE ARE

/OUR METHODOLOGY

Companies evaluated

Applied methodology

CATEGORY 1. Information on data protection policy

CATEGORY 2. Law enforcement guidelines

CATEGORY 3: Defence of users in the Judiciary

/OUR SOURCES

/RESULTS

CLARO

CATEGORY 1. Information on data protection policy

CATEGORY 2. Law enforcement guidelines

CATEGORY 3: Defence of users in the Judiciary

CATEGORY 4: Public position in favor of privacy

CATEGORY 5: Transparency reports and Data Protection Impact Assessment

CATEGORY 6: User notification

NET

CATEGORY 1. Information on data protection policy

CATEGORY 2. Law enforcement guidelines

CATEGORY 3: Defence of users in the Judiciary

CATEGORY 4. Public position in favor of privacy

CATEGORY 5: Transparency reports and Data Protection Impact Assessment

CATEGORY 6: User notification

OI BROADBAND

CATEGORY 1: Information on Policy and Data Protection

CATEGORY 2. Law enforcement guidelines

CATEGORY 3: Defence of users in the Judiciary

CATEGORY 4: Public position in favour of privacy

CATEGORY 5: Transparency reports and Data Protection Impact Assessment

CATEGORY 6: User notification

OI MOBILE

CATEGORY 1. Information on data protection policy

CATEGORY 2. Law enforcement guidelines

CATEGORY 3: Defence of users in the Judiciary

CATEGORY 4: Public position in favor of privacy

CATEGORY 5: Transparency reports and Data Protection Impact Assessment

CATEGORY 6: User notification

TIM Broadband

CATEGORY 1. Information on data protection policy

CATEGORY 2. Law enforcement guidelines

CATEGORY 3: Defence of users in the Judiciary

CATEGORY 4. Public position in favor of privacy

CATEGORY 5: Transparency reports and Data Protection Impact Assessment

CATEGORY 6: User notification

TIM MOBILE

CATEGORY 1. Information on data protection policy

CATEGORY 2. Law enforcement guidelines

CATEGORY 3: Defence of users in the Judiciary

CATEGORY 4. Public position in favor of privacy

CATEGORY 5. Transparency reports and Data Protection Impact Assessment

CATEGORY 6: User notification

VIVO BROADBAND

CATEGORY 1. Information on data protection policy

CATEGORY 2. Law enforcement guidelines

CATEGORY 3: Defence of users in the Judiciary

CATEGORY 4: Public position in favor of privacy

CATEGORY 5: Transparency reports and Data Protection Impact Assessment

CATEGORY 6: User notification

VIVO MOBILE

CATEGORY 2. Law enforcement guidelines

CATEGORY 3: Defence of users in the Judiciary

CATEGORY 4: Public position in favor of privacy

CATEGORY 5: Transparency reports and Data Protection Impact Assessment

ALGAR

CATEGORY 1. Information on data protection policy

CATEGORIA 2: Protocolos de entrega de dados para investigações

CATEGORY 3. Defence of users in the Judiciary

CATEGORY 4: Public position in favor of privacy

CATEGORY 5: Transparency reports and Data Protection Impact Assessment

CATEGORY 6: User notification

NEXTEL

CATEGORY 1. Information on data protection policy

CATEGORY 2. Law enforcement guidelines

CATEGORY 3: Defence of users in the Judiciary

CATEGORY 4. Public position in favor of privacy

CATEGORY 5. Transparency reports and Data Protection Impact Assessment

CATEGORY 6: User notification

SKY

CATEGORY 1. Information on data protection policy