It applies to all data owners or anyone who has contact or access to the information of which Sabesp is the Controller, regardless of its format (electronic, paper, audiovisual, etc.).
To comply with Laws No. 13,709/2018 (General Law of Data Protection – LGPD), No. 12,965/2014 (Marco Civil da Internet) and other legislation of the same kind;
Establish guidelines regarding the processing of personal data that is provided to the Company or obtained through the website, online services (applications, totems, etc.) and other situations involving the data owners, and may be revised at any time as a result of any regulatory amendments; and
To clarify the subjects and interested parties about the purpose for which Sabesp performs the processing of personal data, as well as how they are obtained or shared among its service providers and partners.
Companhia de Saneamento Básico do Estado de São Paulo – SABESP
Address: Rua Costa Carvalho, 300 – São Paulo, SP, Brasil, CEP 05429-900
Corporate Taxpayer’s ID (CNPJ): 43.776.517/0001-80
To exercise his or her rights, the data owner should make a request directly to the data controller through the methods of communication set forth below:
Data Controller: Eduardo Martelini Daher
Data processing principles
Sabesp hereby complies with the standards set forth in the LGPD and undertakes to process personal data in accordance with the following principles:
- a) only for the purposes determined in this policy, using the appropriate amount of data, pertinent and limited to the need and purpose of the processing;
- b) in a transparent manner, whereby the data owner is guaranteed unrestricted access, data accuracy and user friendly consultation; and
- c) safely, by adopting technical measures capable of protecting personal data and preventing and mitigating damages resulting from any unauthorized access or accidental or unlawful data breach.
The Company will manage personal data during the life cycle of this information; and
Under no circumstances will data be processed for unlawful or abusive discriminatory purposes.
Rights of the subject
The data owner has the following rights, provided by the LGPD and other applicable legislation of the same nature, at any time:
- a) confirm the existence of the processing and access to your personal data;
- b) correct outdated, incorrect, and/or incomplete information;
- c) block or delete unnecessary, excessive, or unlawfully processed data;
- d) anonymizing the data by preventing the connection to the individual;
- e) oppose the processing of your personal data, in case of non-compliance with the law;
- f) rescind consent, in cases of data processing supported by this legal scenario;
- g) receive from the Controller your personal data in a structured form, in order that they can be transmitted to another Controller (portability); and
- h) delete your personal data processed, with permission, being authorized its conservation for:
- compliance with legal or regulatory obligations by the Controller;
- study by a research organization, guaranteeing, whenever possible, the anonymization of personal data;
iii. transfer to a third party, provided that the data processing requirements set forth in Law no. 13,709/18 are observed; or
- exclusive use of the Controller, with no access by third parties, and provided they are anonymous.
Sabesp will meet the requests made by the data owner under the terms of the Law. However, reasonable factors, such as the complexity of the requested action, may delay or prevent its prompt fulfillment, and in the case of delay, Sabesp will provide the data owner with the adequate reasons, provided that such justification has been requested by the data owner; and
The data owner must be aware that his/her request may be legally rejected, either for formal (e.g. incapacity to prove his/her identity) or legal reasons (e.g. request for exclusion of data whose maintenance is a free exercise of right by Sabesp), and in the event that it is impossible to meet these requirements, Sabesp will present the justifications.
Collected data and its purpose
Given the nature of its operation, Sabesp will conduct the treatment of the following data:
- a) The processing of personal data will be carried out to comply with contractual, legal, judicial or regulatory obligations, in particular to meet the following purposes:
- execution of the contract for the rendering of water and sewage sanitation services in its concession area;
- carry out the billing and collection process resulting from the services provided to the data owner;
iii. allow access to our online platforms, provide the operation of all the functionalities made available by our service channels;
- communicate to the data owner about scheduled and/or emergency maintenance and/or interruptions and changes in service channels;
- communicating the data owner about the implementation of new products and services based on the legitimate interest to support and promote the activities of Sabesp or that benefit the data owner;
- respond to requests and questions from the data owner;
vii. contract execution with suppliers;
viii. formalization and maintenance of labor contracts.
- b) The processing of personal data will also be carried out when necessary for the regular exercise of rights in judicial, administrative or arbitration proceedings and other cases of processing provided by law.
Sensitive Personal Information
- a) The processing of sensitive personal information will be performed with the previous and express consent of the data owner, and may be performed without consent when indispensable for the fulfillment of a legal, judicial or regulatory obligation, for the regular exercise of rights in judicial, administrative or arbitration proceedings, and other cases of processing provided by law.
Personal Information on Children and Adolescents
- a) The processing of personal information of children and adolescents will only occur in their best interest and with the previous, specific and outstanding consent of, at least, one parent or legal representative.
Legal Principles for the processing of Personal Data
Except for the cases in which consent is required, the treatment of personal data carried out by Sabesp is supported by the following legal provisions:
- a) for the Controller’s compliance with legal or regulatory obligations;
- b) by the public administration, for the treatment and shared use of data necessary for the execution of public policies foreseen in laws and regulations or supported by contracts, agreements, or similar instruments;
- c) for the performance of studies by research organizations, guaranteeing, whenever possible, the anonymization of personal data;
- d) when necessary for contract performance or preliminary contract-related procedures to which the data owner is a party, at the data owner’s request;
- e) for the regular exercise of rights in judicial, administrative, or arbitration proceedings, the latter under Law 9307 of September 23, 1996 (Arbitration Law);
- f) for life or physical safety protection of the holder or a third party;
- g) for the protection of health, exclusively, in a procedure performed by health professionals, health services or health authorities;
- h) when necessary for the legitimate interests of the Controller or a third party, except where the fundamental rights and freedoms of the data owner require protection of personal data; and
- i) for credit protection, including as to the provisions of the pertinent legislation.
The processing of personal data aims to evaluate and provide the holder with the best performance in the services and results obtained, whether performed by the Company, or by contracted service providers with security and privacy settings;
The data and information collected from the owners will be incorporated into the database and will be their responsibility, in accordance with the Law;
The data and information collected will be stored in a safe and reliable environment, observing the available technology, and can only be accessed by people qualified and authorized by Sabesp;
Data Sharing and Transfer
The owner’s personal data may be shared with government authorities, contracted service providers, financial institutions, bill payment means providers, credit analysis institutions, external audit companies, among others, as long as the legal provisions are respected;
It is possible that some of the data transfers may occur abroad, on which occasion Sabesp undertakes to do so only to countries that provide a level of protection for the owners’ personal data, considering it as adequate to the provisions of the applicable legislation or through the adoption of guarantees and safeguards such as specific clauses, standard clauses, global corporate standards, among others; as well as through the prior acquisition of their specific consent or compliance with the other hypotheses authorized by law; and
Sabesp will not share, sell or provide the data of the owners to third parties, except those described in item 3.8.1.
Disposal of personal data
Personal data on which consent is required will be held until the end of the processing, unless the data owner requests disposal before the end of the period.
Personal data may be held even after the Controller has finished processing it in the following cases:
- a) compliance with legal or regulatory obligations by the Controller;
- b) study by a research organization, guaranteeing, whenever possible, the anonymization of personal data;
- c) transfer to a third party, provided that the data processing requirements set forth in Law no. 13,709/18 are observed; or
- d) exclusive use of the Controller, with no access by third parties, and provided they are anonymous data.
The disposal of data will be in accordance with the legal provisions; and
The period for which Sabesp holds the personal data collected depends on the purpose and nature of the data treatment, which will be treated for the period necessary to:
- a) comply with legal, regulatory and contractual obligations;
- b) continue to provide and improve our products and services;
- c) risk management;
- d) regular exercise of rights in administrative, judicial and arbitration proceedings; and
- e) other purposes foreseen in this Policy.
Data processing security and privacy
Sabesp will undertake all available technical solutions aimed at the security and privacy of the owner’s data under its responsibility, but exempts itself from liability for any damage and/or losses arising from database failures, viruses or invasions, except in cases of intent or fault by the Company; and
Upon the evidence of a security incident resulting in a breach of personal data that may cause some risk to their rights and personal freedoms, whether accidental or illicit, Sabesp, within the adequate deadline, is committed to informing the owners and the National Data Protection Authority – ANPD.
Legislation and jurisdiction applicable to conflict resolution
Any and all disputes arising from the terms set forth in this Policy shall be resolved in accordance with Brazilian law, with jurisdiction in the courts of the city of São Paulo, State of São Paulo, excluding any other, regardless of how privileged it may be.