Privacy and data protection guidelines at Itaipu
Itaipu Binacional recognizes the importance of privacy and the protection of personal data of its stakeholders. Therefore, it hereby clarifies the procedures employed in the use of personal data of its internal and external stakeholders, including users of this Portal.
We understand that fundamental values include the protection of the regular exercise of rights by the holder of personal data and the provision of services that benefit them, respecting their legitimate expectations and fundamental freedoms, in accordance with current legislation. Therefore, privacy is one of the principles defined in Itaipu’s Information Security, Privacy and Data Protection Policy, available at this link .
About browsing our pages
When you start browsing our Portal, cookies are added to your electronic devices to improve your experience and security procedures regarding the use of your data during your visit. To learn more about cookie management, click here .
About access to our facilities and the Hotspot Network
To enter our facilities, you must be authorized and, for this, your identification will be carried out using personal data.
Our internal environments are monitored, so whenever you access Itaipu facilities, your images may be collected and processed for facial recognition, with the aim of protecting your own security and the assets of one of the most important critical infrastructures¹ in Brazil and Paraguay. The images are treated in accordance with this guideline and other security regulations of the Entity.
Whenever you need to use our Hotspot network, you will be asked for your personal data for registration.
The data provided in these processes may also be used to verify compliance with our policies and standards or as part of an investigation procedure in the event of a possible violation.
For what other purposes can your data be used?
Itaipu may use personal data when necessary in its relationship with its stakeholders, when provided or when publicly available, such as in the following contexts:
| Macroprocess | Activity | Relationship with ITAIPU |
| People Management | Personnel Routine Management – Functional information, payment, benefits, … | Employees, dependents, interns and young apprentices |
| Occupational Health and Safety Management | Employees, interns and young apprentices | |
| Career Cycle Management – selection, remuneration, performance, corporate education. | Employees, interns and young apprentices | |
| Labor Relations Management | Employees | |
| Legal Management | Consultative and preventive management | Employees, interns and young apprentices |
| Litigation Management | Employees, interns and young apprentices | |
| Management of Infrastructure, Services and Corporate Security | Corporate Security Management – security of people and assets. | Employees, interns, young apprentices, suppliers, partners, university audience, PTI, visitors, others |
| Operational Service Management – contracts. | Employees, interns, young apprentices, suppliers, outsourced employees, partners | |
| Infrastructure Management | Suppliers, outsourced employees | |
| Information Technology Management | Customer service – incidents, services, access. | Employees, interns, young apprentices, suppliers, outsourced employees, partners, visitors |
| IT Infrastructure Management – security, … | Employees, suppliers, outsourced employees | |
| Finance Management | Asset Management | Employees, suppliers, outsourced employees |
| Tax and Fiscal Management | Employees, suppliers, outsourced employees | |
| Stakeholder Relationship Management | Business Communication | Employees, interns, young apprentices, suppliers, outsourced employees, partners, visitors |
| Promotion of institutional socio-environmental actions | Partners, visitors | |
| Institutional Relationships | Partners, visitors | |
| Agreement Management | Employees, partners | |
| Demonstration management | Employees, interns, young apprentices, suppliers, outsourced employees, partners, visitors, others | |
| Transparency and disclosure of information | Employees, interns, young apprentices, suppliers, outsourced employees, partners, visitors, others | |
| Business Management | Reputation, brand and image management – sponsorships | Partners, others |
| Documentation and Information Management | Employees, interns, young apprentices, suppliers, outsourced employees, partners, others | |
| Corporate Governance | Compliance Management – audits | Employees, interns, young apprentices, suppliers, outsourced employees, partners, others |
| Supply Logistics | Supplier Management | Employees, suppliers, outsourced employees |
| Inventory Management | Employees, suppliers, outsourced employees |
What are the legal bases for the use of personal data?
The legal bases used by Itaipu for the processing of personal data are the following:
– Compliance with legal or regulatory obligations;
– Execution of contracts or preliminary procedures thereto;
– Regular exercise of rights in proceedings;
– Protection of the life or physical safety of the holder or third party;
– Health protection;
– Guarantee of fraud prevention and security of the holder;
– Serve legitimate interests, in fulfilling its mission, in support and promotion of its institutional activities.
In some cases, Itapu may request your consent to use personal data.
How long is your data processed?
The personal data collected will be processed for the period necessary to achieve the purposes stated above, and may be kept to comply with legal obligations or other circumstances provided for by law.
Where is your data stored?
Due to its nature as a binational entity, Itaipu may eventually store your data on servers located in both Brazilian and Paraguayan territory. Data processing in both territories is in accordance with the Personal Data Processing and Protection Standard . Data storage outside these territories will occur if strictly necessary to achieve the above purposes, after carrying out a risk assessment of such procedure.
Who is your data shared with?
We also clarify that, as a general rule, when collecting your data, only Itaipu has access to this information. Any possible situation of sharing with third parties will occur with your consent, in cases provided for by law or at the request of a competent authority.
How do we protect your data?
Itaipu adopts specific technical standards and organizational procedures to protect the integrity, confidentiality and availability of your personal data, in accordance with its Information Security, Privacy and Personal Data Protection Policy and its Personal Data Processing and Protection Standard , in order to prevent incidents in its use, such as loss, theft or improper access. Both standards are based on universal privacy principles and the data protection regime provided for in Law 13.709/2018 (LGPD).
Itaipu also remains vigilant with the relevant legislation and seeks to adopt best practices to guarantee the security of the personal information it uses and, thus, ensure the privacy of its audiences, including its partners and other interested parties. The content of these practices is part of specific Learning Paths, designed to adequately train its employees and partners on the subject, with the aim of ensuring that good governance principles are applied by them when carrying out any action involving the processing of personal data.
What about your rights regarding data processing?
According to the LGPD (Law 13.709/2018), you may, at any time:
- Have access to information about the form and duration of processing of your data;
- Request the updating or correction of your data;
- Request the deletion of your processed personal data; and
- Request the revocation of consent, in accordance with the Law.
To learn more about how we use personal data at Itaipu, please contact the Data Protection Officer (DPO), Alexandre Mugnaini. To learn how, follow the instructions below.
How to Make a Request – Data Privacy
Requests to the DPO, related to privacy and protection of personal data, must be made through the Itaipu Ombudsman Channel.
- Click on the link “Talk to the DPO”, or on the Ombudsman button on the Itaipu page, or click here .
- In the “Type of Manifestation” field, select the item “Personal data privacy – LGPD”. This type of Manifestation requires your identification, since we will process your personal data. Read the information presented carefully.
- Please correctly provide the requested personal data.
- Correctly provide the requested Manifestation data – in the Subject field, enter the reason for your request (examples of requests based on Art. 18 of Law 13.709/2018)
- In the “Manifestation” field, detail your request so that we can respond to it as quickly as possible.
- In the “Attachments” field, you will need to insert a photo of your identification document – the attachment will be used to ensure that you are the holder of the personal data you are requesting, or their legal representative. Click on “Insert attachment”, locate and select the file containing the photo of your identification document, and click on “Save Attachment” (your file must be in .doc, .pdf, .jpg format, with a maximum size of 5MB).
- Click the “Submit” button.
- The system will automatically generate a protocol number, access password and deadline for the response, so that you can monitor the processing of your request through the Itaipu website. This information is for personal use, non-transferable and known exclusively to the data subject to whom the filed request refers or his/her legal representative. You are entirely responsible for any and all damages caused by providing this information to third parties.
1. Critical infrastructures – facilities, services, assets and systems whose interruption or destruction, in whole or in part, causes serious social, environmental, economic, political, international or security impact on the State and society.
