The Federal Constitution of Brazil states that privacy is an inviolable human right. Article 5, item X, of the Federal Constitution declares that people's intimacy, private life, honor, and image are inviolable, ensuring the right to compensation for material or moral damage resulting from a violation. In line with this principle, Cosan guarantees the security and privacy of the personal data of all its stakeholders.
The Personal Data Holder Rights Channel (Portuguese only) was created to show Cosan’s commitment to the security and privacy of information collected from its customers, suppliers, and employees. Through this Channel, the data holder will be able to make requests related to his/her personal data, under the terms of the General Law for the Protection of Personal Data (“LGPD”).
Law No. 13,709 was approved in August 2018 and came into force in September 2020. This law establishes rules on any activity that can be carried out with personal data, from collection and storage to sharing and disposal (activities known as “treatment”), aiming at more protection for citizens and sanctions for companies for non-compliance.
It is any information related to an individual that can identify him/her from the collected data, for example: name, age, CPF, e-mail, geolocation, etc.
The LGPD also brings the concept of sensitive personal data, which is information that, because it allows discrimination, should be treated with even more care, such as: information of racial or ethnic origin, religious belief, political opinion, and data related to health.
1. Right to access
The holder has the right to receive confirmation of whether or not his/her personal data is being treated and, if that is the case, to consult that data and additional information related to its treatment (such as, for example, the sharing of information with public and private entities).
2. Right to correction
If the holder requests it, the Controller has an obligation to correct personal data that are incomplete, wrong, or outdated.
3. Right to anonymize, block or delete data that is unnecessary, excessive, or treated in non-compliance with the LGPD
The holder has the right to request that the Controller make his/her personal data anonymous, that is, impossible to associate with the holder. In addition, he/she may restrict the processing of his/her data and request the disposal of the data if it (i) is not necessary or suitable for the purpose for which it was provided or (ii) when the treatment does not follow the provisions of the LGPD.
4. Right to Portability
The right to data portability allows holders to request the transfer of their personal data to another Controller, but this right still depends on additional regulation by the National Authority.
5. Right to delete data processed with consent
When the treatment depends on consent, the holder may, upon express request, demand the destruction of the data that are the object of treatment.
6. Right to informed consent
The holders have the right to refuse to give consent, when it is necessary for the processing of the data, as well as to be informed about the consequences of that decision. In addition, they may reconsider the consent previously given and, at any time, revoke the authorization by express statement.
7. Right to object to treatment
Holders have the right to object to the processing of their personal data at any time, even in situations that do not depend on their consent, should they find that it is being carried out in breach of the LGPD.
It is the natural person to whom the personal data refer. For example, users, customers, policyholders, brokers, employees, among others linked to our business.
The party that defines how personal data can be treated, considering the purpose for which it was collected. The Controller is responsible for the personal data processed in its own environment and in the environment of third parties who process the data at its direction.
It is the person who carries out the treatment and processing of personal data under the Controller’s instructions. The Operator may only process data for the purpose determined by the Controller.
D) Data Protection Officer (DPO)
Person or area indicated by the Controller who assists the company in the area of privacy and acts as a communication channel with the Holders and the National Data Protection Authority (ANPD).
E) National Data Protection Authority (ANPD)
Public agency responsible for overseeing, implementing, and supervising compliance with the Law.
Have a specific, legitimate, explicit, and informed purpose.
Use of data in compliance with the stated purpose.
Use (only) of strictly necessary data.
4. Free access
Simple and free access to information on the full data.
5. Data quality
Accurate, relevant, and up-to-date data.
Clear, accurate, and true information to data subjects.
Technical and administrative measures to protect data.
Adoption of measures in advance to avoid damage to the holders.
Do not use data for discriminatory, abusive, or unlawful purposes.
Demonstrate the adoption of effective measures to comply with the standards.
Last update: March 17, 2021