The mission of Serpro is to connect government and society with digital solutions. In our operation, one of our imperative values is information security. Therefore, preserving the privacy and protecting the personal data of every Brazilian citizen is a daily responsibility.
The Federal Data Processing Service – Serpro, a public-held company linked to the Ministry of Economy, considering:
I. the foundations of Law No. 13,709, of August 14, 2018, which provides for the Protection of Personal Data:
a) respect for privacy;
b) informative self-determination;
c) freedom of expression, information, communication and opinion;
d) the inviolability of intimacy, honour and image;
e) economic and technological development and innovation;
f) free enterprise, free competition, consumer protection; and
g) human rights, the free development of personality, the dignity and the exercise of citizenship by natural persons;
II. the full content of Federal Law Nº. 13,303 of 30th June 2016, called the State-Owned Companies Law (in Portuguese: Lei das Estatais);
III. the full content of Federal Law Nº. 12,527, of 18th November 2011, called Law of Access to Information (in Portuguese: Lei de Acesso à Informação - LAI);
IV. the full content of Federal Law Nº. 12,965, of 23rd April 2014, called Brazilian Civil Rights Framework for the Internet (in Portuguese: Marco Civil da Internet); and
V. the full contents of the Serpro Security Program (in Portuguese: Programa Serpro de Segurança - PSS) and Corporate Policy of Information Security (in Portuguese: Política Corporativa de Segurança da Informação - PCSI);
Undertakes to make this Statement publicly available and accessible to its customers, users, other interested parties and the general public, which shall be effective as follows.
Under this Statement, the following terms shall mean:
a) categorization of information: organization of information processing within Serpro, corresponding to the so-called “information classification” in other companies, to ensure unity and consistency in the processing of data and information;
b) customer: natural or legal person who has a business relationship with Serpro under a service contract;
c) confidentiality: the attribute that ensures that information is accessible only to authorized persons;
d) business continuity: the ability of the organization to sustain the delivery of products or services at a previously defined acceptable level after incidents of interruption;
e) personal data: information related to the identified or identifiable natural person;
f) integrity: ensuring the accuracy and completeness of information and processing methods;
g) partner: a legal entity with which Serpro maintains a reciprocal cooperative relationship, by means of agreements, terms of cooperation or the like;
h) information security: set of practices and methods aimed at preserving the confidentiality, integrity and availability of information treated within the organization;
i) data holder: the natural person whose personal data are processed by someone;
j) processing: any operation performed with personal data, such as those relating to the collection, production, reception, classification, use, access, cross-referencing, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation or control of information, modification, communication, transfer, diffusion or extraction; and
k) user: natural or legal person who accesses Serpro services, regardless of whether they hold data recorded in its systems and services, but who, for such access, provides personal data of any nature, with explicit consent to its use.
Serpro acts following its institutional mission, respecting the right to privacy and aiming at the best use of information technology for the satisfaction of its customers and society, the sustainability and business autonomy, ensuring the stability and continuity of its services.
“Privacy”, under this Statement, is considered to be the certainty held by customers, users and other interested parties concerning:
a) the way the services, systems, processes and people in the management Serpro professionals act and behave concerning these agents; and
b) the reasonable expectation of discretion and the preservation of their interests and information of any kind.
The concept of privacy excludes information:
a) “public” by legal determination;
b) “public” for the processing and shared use of public policy enforcement data;
c) object of a final and unappealable judicial decision, for its disclosure or exhibition;
d) “ostensive” with active safety duty;
e) “overt” with passive safety duty;
f) already given, by other means, to public knowledge;
g) necessary for the protection of the life or physical safety of persons;
h) necessary for the protection of health;
i) collected and managed under legal labour relationship between the company and its employees, fundamental to the exercise of the executive power; and
j) registration data necessary for Serpro's legitimate performance in reaching its institutional mission.
3.2 Categorization of Information
Serpro maintains a framework for categorizing information, following the Law on Access to Information (LAI), and ensures, under Article 8 of Federal Law Nº. 5,615 of 13th October 1970, the confidentiality of the information it processes, whether personal or not, always keeping in line with good security and technology practices, and with the most advanced governance methods, employing ISO/ABNT standards, COBIT/ISACA, ITIL, TOGAF, SABSA and the like.
4.0 PRINCIPLES OF PERSONAL DATA PROTECTION
The protection of personal data adheres to the following principles regarding its application, management and interpretation.
4.1 Principle of Purpose
Any practice of personal data processing within the company is kept compliant with its very nature, scope and institutional mission and, above all, is carried out in compliance with the Law.
4.2 Principle of Protectivity
The processing of personal data under Serpro concerns the rights of data holders and the contractual and legal requirements.
4.3 Principle of Actuality
This Declaration is dynamic and consistent with the state of the art in technology and should be read and interpreted in its latest version, published at www.serpro.gov.br.
4.4 Principle of Integrity
The services provided by Serpro are focused on public purpose and on the fulfillment of its institutional mission under the law, and under no circumstances shall converge with particular interests, especially those that offer or may cause prejudice to the Federal Public Administration or the company's services.
4.5 Principle of Universality
Serpro acts on its customers' behalf and does not practice any policy of “priority” or “non-priority” among them, especially regarding the neutrality of such treatment concerning agreed service levels, except in the cases in which, by contractual provision, such differentiation is explicit.
4.6 Customer Data Protection
Serpro treats customer data with due regard for the secrecy of the elements handled, according to Article 8 of Federal Law Nº 5,615, of 13th October 1970, and under no circumstances will they be provided to third parties except as provided by law or with the consent of the contracting customer.
Any request for elements of customers' property handled under Serpro's responsibility must, unless otherwise provided by law, be made directly to the customer.
5.0 COMPLIANCE AND GOVERNANCE
5.1 Legal Compliance
I. Its compliance with the applicable Law and its commitment to guaranteeing future accordance with the content of Federal Law Nº 13.709, of 14th August 2018, upon its entry into force; and
II. Its adherence to the principles written above, prioritizing the achievement of compliance as soon as possible, concerning the Law's entry into force.
5.2 Risk Governance, Compliance and Information Security
Serpro, following its Rules of Conduct, the Law on Access to Information (LAI) and the complementary rules issued by the Department of Information Security and Communications (DSIC/PR), maintains an adequate "Information Security Program" and a "Corporative Information Security Policy", besides the "Business Continuity Policy" and the "Corporate Risk Management Policy, Internal Control and Compliance", and an entire internal regulatory substrate related to information security and good corporate governance practices.
Serpro has instances of governance and management of Information Security, acting under contemporary best practices frameworks such as ISO / ABNT, COBIT / ISACA, COSO, ITIL, TOGAF, SABSA and related models.
5.3 IT Governance
Serpro, under the terms of Federal Law Nº 13.303 / 2016 (State Law), maintains Information Technology Governance, responsible for the elaboration and conduction of the IT Strategic Plan (PETI) and the IT Master Plan (PDTI).
Similarly, in the area of IT Governance, Serpro declares itself compliant with contemporary best practice frameworks such as ISO/ABNT, COBIT/ISACA, ITIL, TOGAF, SABSA and related models.
Serpro may publish specific rules for each service, subordinate to the general principles of this Statement, without prejudice to the provisions of contracts concluded.
In the absence of specific rules for a given service, or in case of conflict between an agreement and this Declaration, the terms of this Declaration shall prevail.
Serpro is not responsible for malicious practices or misuse of content from other sites, as well as data security breaches or illegal behavior of third parties, whether these are trading partners or not.
Thus, Serpro is committed to offering the best in terms of security to the services that every citizen accesses, acquiring new and effective assets, applying methodologies designated as best practices and taking state-of-the-art steps for information security.
6.2 Information Collection
For various services, Serpro collects data indispensable for the proper functioning of applications, such as name and CPF (or Corporate Name and CNPJ, in the case of legal entities), address, email, contact phone numbers, and more. The holder may choose not to grant any of this information. In this situation, the application notifies the holder of the consequences of non-authorization in terms of both service limitations and denial of access to the application, stating the reasons.
Serpro may also collect and store information about the holder's navigation, IP address, pages accessed, dwell time, and mobile devices. Information from other sources, partner listings or other Union bodies can also be added to our database.
6.3 Cookies and similar technologies
Most browsers are preset to accept cookies automatically. In the settings, you can change this rule; however, without cookies, some features of the site may not work properly.
All users' personal and browsing data is stored in proprietary and reserved databases, providing security for the information collected.
6.5 Use of Information
The information collected during browsing allows the customized offer of our services, the study of preferences and, consequently, a browsing experience closer to each user's interests.
Serpro may also use this information for the purpose of communicating with users and customers. This way, notices and service information may be sent by Serpro, which may be inhibited by the user.
The information may also be used for audits, statistical analysis, data science, development and improvement of services provided by the company.
6.6 Sharing Information with Third Parties
Serpro does not pass on to third parties, partners or in any commercial dealings, the information collected.
Any information about Serpro customers and users shall be passed on only upon their express approval or by court order.
Serpro Ombudsman (Ouvidoria) is the service channel for the presentation of complaints, suggestions, requests, complaints and compliments about Serpro's practices, procedures and processes, and can be accessed at
SGAN Quadra 601 Módulo "V"
Service hours: 8 a.m. to 6 p.m.