Privacy and Personal Data

The Federal Constitution of Brazil states that privacy is an inviolable human right. Article 5, item X, of the Federal Constitution declares that people’s intimacy, private life, honor, and image are inviolable, ensuring the right to compensation for material or moral damage resulting from a violation. In line with this principle, Cosan guarantees the security and privacy of the personal data of all its stakeholders.

The Personal Data Holder Rights Channel was created to show Cosan’s commitment to the security and privacy of information collected from its customers, suppliers, and employees. Through this Channel, the data holder will be able to make requests related to his/her personal data, under the terms of the General Law for the Protection of Personal Data (“LGPD”).

Data collection

Cosan collects, stores, and uses personal data, including data called “cookies”. For that reason, we recommend reading its Privacy Policy, which explains what data is collected and for what purpose. Regarding “cookies”, in compliance with its Privacy Policy, Cosan collects cookies to provide the user with a better browsing experience on its web pages.

Cookies are small pieces of text placed on the user’s computer hard drive when visiting certain websites and applications. Cosan may use cookies to obtain information, for example, whether the user has visited Cosan’s websites before or is a new visitor, helping Cosan to identify what features can improve the user experience. Cookies can enhance your online experience by saving your preferences while you visit a website. When visiting Cosan’s website, you will be informed about what types of cookies will be collected so that you can disable such cookie collection.

We recommend checking our Privacy Policy regularly, as it is subject to change without notice.

Common questions:

What is LGPD?

Law No. 13,709 was approved in August 2018 and came into force in September 2020. This law establishes rules on any activity that can be carried out with personal data, including collection, storage, sharing, and disposal (activities known as “treatment”), aiming at more protection for citizens and sanctions for companies for non-compliance.

But what is personal data?

It is any information related to an individual that can identify him/her from the collected data, for example: name, age, CPF, e-mail, geolocation, etc.

And what is sensitive data?

The LGPD also introduces the concept of sensitive personal data, which is information that, because it allows discrimination, should be treated with even more care, such as: information on racial or ethnic origin, religious belief, political opinion, and data related to health.

What are the users' rights?

1. Right to access

The holder has the right to receive confirmation of whether or not his/her personal data is being treated and, if that is the case, to consult that data and additional information related to its treatment (such as, for example, the sharing of information with public and private entities).

2. Right to correction

If the holder requests it, the Controller has an obligation to correct personal data that are incomplete, wrong, or outdated.

3. Right to anonymize, block or delete data that is unnecessary, excessive, or treated in non-compliance with the LGPD

The holder has the right to request that the Controller make his/her personal data anonymous, that is, impossible to associate with the holder. In addition, he/she may restrict the processing of his/her data and request the disposal of the data if (i) it is not necessary or suitable for the purpose for which it was provided or (ii) the treatment does not follow the provisions of the LGPD.

4. Right to Portability

The right to data portability allows holders to request the transfer of their personal data to another Controller, but this right still depends on additional regulation by the National Authority.

5. Right to delete data processed with consent

When the treatment depends on consent, the holder may, upon express request, demand the destruction of the data that are the object of treatment.

6. Right to informed consent

Holders have the right to refuse to give consent, when it is necessary for the processing of the data, as well as to be informed about the consequences of that decision. In addition, they may reconsider the consent previously given and, at any time, revoke the authorization by express statement.

7. Right to object to treatment

Holders have the right to object to the processing of their personal data at any time, even in situations that do not depend on their consent, should they find that it is being carried out in breach of the LGPD.

Who are the main LGPD actors?

A) Holder

It is the natural person to whom the personal data refer. For example, users, customers, policyholders, brokers, employees, among others linked to our business.

B) Controller

The party that defines how personal data can be treated, considering the purpose for which it was collected. The Controller is responsible for the personal data processed in its environment and in the environment of third parties who process the data at its direction.

C) Operator

It is the person who carries out the treatment and processing of personal data under the Controller’s instructions. The Operator may only process data for the purpose determined by the Controller.

D) Data Protection Officer (DPO)

Person or area indicated by the Controller who assists the company in the area of privacy and acts as a communication channel with the Holders and the National Data Protection Authority (ANPD).

E) National Data Protection Authority (ANPD)

Public agency responsible for overseeing, implementing, and supervising compliance with the Law.

What are the 10 principles for processing personal data?

1. Purpose

Have a specific, legitimate, explicit, and informed purpose.

2. Suitability

Use of data in compliance with the stated purpose.

3. Need

Use (only) of strictly necessary data.

4. Free access

Simple and free access to information about the full data.

5. Data quality

Accurate, relevant, and up-to-date data.

6. Transparency

Clear, accurate, and true information to data subjects.

7. Security

Technical and administrative measures to protect data.

8. Prevention

Adoption of measures in advance to avoid damage to the holders.

9. Non-Discrimination

Do not use data for discriminatory, abusive, or unlawful purposes.

10. Accountability

Demonstrate the adoption of effective measures to comply with the standards.