Privacy Notice

This notice is for any individual who (i) is or was our customer or consumer; (ii) has had any relationship with us, including participating in events and research promoted by the CPFL Group; (iii) visited our physical facilities or interacted with us on our social networks, such as YouTube, Facebook, Twitter, Instagram and LinkedIn; (iv) is a candidate for job openings at the CPFL Group; (v) is a representative, attorney, employee or partner of any customer, supplier, company or entity with which we have a relationship or had any relationship in the past; (vi) carried out any transaction with us; (vii) is an investor in the CPFL Group; and/or (viii) is a potential customer.

In order to facilitate the understanding of the data we process and our purpose, we have made a division by category of data subjects.

See which category of data subject you fit in and know the data about you that may use, where and how they are collected from and their respective purposes.

CPFL Group, in general, does not process personal data of people under 18 years of age, however, when treatment will be necessary, we will also apply the rules contained in item “2.1. Data treatment of people under 18 (eighteen) years of age”.

We process the personal data of our clients and consumers in general to initiate and provide the necessary services, maintaining a business relationship.

Costumers: individuals who use our products or services.Data we can handle

Consumers: potential users or ex-users of our products and services.Data we can handle

Below the list of data that we can handle:

When we hold events, we process the personal data of the participants in these events.

Below a list of data we can handle:

The CPFL Group as a member of the Research and Technological Development Programs in energy efficiency of the electric sector regulated by Law 9,991 of July 24, 2000 and by resolutions of the National Electric Energy Agency (ANEEL), can process the personal data of managers of Institutions of Teaching, teachers and students participating in research projects.

Below the list of data that we can handle:

We process personal data from private individuals who visit our physical facilities or who interact with us on our social networks, for example, YouTube, Facebook, Twitter, Instagram and LinkedIn.

This notice informs how we process personal data of individuals from the process of identifying CVs, for participation in a selection process (which includes direct registration of individuals in CPFL or third-party CV banks), through the pre-selection, selection process and acceptance of the job offer.

When the candidate becomes an employee, the data processing rules are informed directly in the directly in the CPFL Group's internal documents.

Below the list of data that we can handle:<

We processing of data necessary to comply with legal or regulatory obligations relating to the completed employment contract. The data processing rules are informed directly in the directly in the CPFL Group's internal documents.

Specific retention period. In the event that its selection process is unsuccessful or you be a ex employees, the CPFL Group may retain the personal data contained in the table above for a period of 02 (two) years from the selection process for the purposes of auditing and defending the rights of the Group CPFL. In order to keep your personal data in our database so that you can be contacted in future job opportunities appropriate to your profile, it is necessary to provide your consent when completing the registration on the CPFL – Work with us page.

In the case of a former employee, at the end of the employment contract, the processing of personal data will continue to be carried out for the time determined by law, for the purpose of complying with legal obligations, labor or not (e.g. retirement, proof of payment of FGTS and IRPF , PPRA.), for the regular exercise of rights in legal proceedings (defence of the CPFL Group's rights in court) or in the exercise of the legitimate interest of the company or third parties.

If your selection process is successful, all personal information collected so far they will be preserved, even after the end of your employment contract to fulfill a legal or regulatory obligation (for exempla: retirement, proof of payment of FGTS, PPRA, among others) and defense of the CPFL Group's rights, observing the legal prescription rules in force.

The suppliers and service providers (mostly duly constituted companies) that the CPFL Group relates to in order to carry out its business activities, are always the Controllers of personal data of its legal representatives, partners and employees.

In some situations the CPFL Group needs to process the personal information of the individuals mentioned, which it does only in the context of the legal relationship established with the service provider, suppliers and partners.

For this individuals we can treat the following data:

For this individuals we can treat the following data:

We may process personal data of individuals who hold securities of the CPFL Energia Group.

We can process the data of family members of CPFL Group employees to collect information that is required by specific law or regulation, even in the context of CPFL Group endomarketing actions or events aimed at the internal public.

Below a list of data we can hadle:

The CPFL Group does not extract biometrics (face points and/or fingerprints) from the photos of the official documents it collects from the data subjects, nor even from the voice in the event of recordings in the service channels and in the events that it carries out.

Usually, we do not process personal data of children and/or adolescents (considered under the terms of the Childrem and Adolescent Statute - ECA), unless in the context of compliance with legal or regulatory obligations (eg registration in the Social Electricity Tariff, Consumer Unit with Medical Equipment essential to human survival, compliance with a judicial decision in maintenance proceedings) this is necessary, such as participation in educational or research projects promoted or supported by the CPFL Group, to exercise rights in administrative or judicial proceedings, participation in any internal event, hiring a minor apprentice, among others.

When we carry out this type of data processing, we do in order the principle of necessity of the LGPD, always so with the minimum of personal data appropriate to a specific purpose, in the best interest of the childrem and respecting the legal requirements for the treatment of this personal data, including the express consent of those responsible, when necessary or required by law, in terms of § 1, Art. 14.

Find out below the list of rights guaranteed to data subjects by LGPD, which you can request from the CPFL Group.

Security in the delivery of the rights of the holders. We know that malicious people can use this type of request to impersonate you and obtain your data. Thus, to fulfill your request we will use procedures to confirm that the request is being made by you, and may even require sending other information and / or documents to answer your request.

Deadline for reply. Once your identity is confirmed, your request will be answered within 15 (fifteen) days, preferably by e-mail, except in the event of exercising the Data processing confirmation right (answer will always be “yes” or “no”) when this information will be provided whenever possible immediately.

We follow the provisions of laws and regulations that govern privacy and pesonal data protection in Brazil, in particular the General Personal Data Protection Law (Federal Law 13.709 / 2018 – “LGPD”). Below we list the criteria used in the processing of personal data:

• existence of a legal provision that allows such activity (find out the hypotheses that the LGPD foresees for processing data in the Glossary “Legal permission for processing personal data”);
• when defining the purpose of the data processing, we aim to ensure that it is legitimate and specific, and that the data subject is given proper transparency and information about what is done with his personal data;
• we use minimal data, necessary and compatible with the treatment context;
• we adopt adequate security measures that are within our reach to protect personal data against unauthorized access by unauthorized third parties, from accidental or illegal situations, and always making the sensitivity, volume, form and treatment methods compatible;
• if necessary, we request authorization (consent) from the data subject to comply with the purpose previously informed (it may be in a contract, term of use or in a separate document), including the consequences if authorization is not given for data processing. We also provide a channel for the data subject to suspend or withdraw his authorization at any time (see item 3rd What are the arising rights from the processing of data guaranteed by the LGPD and what is the contact channel for me to exercise these rights?);
• when processing data based on the legitimate interest of the CPFL Group or third parties, our focus will always be on the minor impact on the privacy of the data subject, striking a balance between the interests of the CPFL Group or third parties, the data subject's expectation in relation to the treatment of data his personal data and assessing whether there will be any negative impact on your fundamental rights and guarantees. We also provide an easy way for the data subject to exercise his right of opposition to the processing of personal data, that is, he requires that his data is no longer treated based on legitimate interest (see item 3rd What are the arising rights from the processing of data guaranteed by the LGPD and what is the contact channel for me to exercise these rights?);
• we provide a channel for the data subject to exercise their rights related to the personal data we treat about them and to answer questions related to LGPD (see item 3rd What are the arising rights from the processing of data guaranteed by the LGPD and what is the contact channel for me to exercise these rights?)

The CPFL Group's personal data are generally stored in Brazil, however to ensure greater efficiency and better performance of its activities, sometimes personal data may be transferred to foreign countries. In this case, the CPFL Group will continue to be responsible for personal information and will assure data subjects, target audience of this notice, that even with the processing of data in a foreign country, the rights and obligations established to the subjects in this document will be observed, in the laws and regulations that govern the protection of personal data and also in the information security and data protection policies and guidelines of the CPFL Group.

We will keep personal data subject to the following criteria:

(i) for the time necessary to achieve the purpose for which they were collected, observing item II below, as for example while the energy account holder uses the energy distribution services that is done by the CPFL Group companies. For cases of legal representative of a corporate entity's energy bill, while registered as a representative of a legal entity with a relationship with the CPFL Group;

(ii) for the defense of rights in administrative, judicial or arbitration actions or proceedings, such as, for example, after the termination of its energy supply contract, CPFL may, by law, keep your personal and contract data for a period of up to 10 years after the end of the business relationship; and

(iii) when there is a specific law or regulation that requires you to keep personal information for a certain period.

In the accesses made through the Internet, either to our website or application, the history of access records of the data subjects when collected will be stored for a period of up to 06 (six) months as provided for in the Marco Civil da Internet (Law 12.965 / 2014) and respective regulatory decree. If, at the CPFL Group's discretion, the aforementioned record is necessary to defend your rights in a judicial or administrative proceeding, this period may be extended to 10 (ten) years as allowed by the Brazilian Civil Code.

Your personal data will be securely removed or made unidentifiable (anonymization) when there is no longer the purpose of treatment in law or specific regulation that justifies their maintenance in the CPFL Group.

Firstly, the CPFL Group does not sell your personal data to third parties under any circumstances.

In the performance of its activities, CPFL Group may share its personal data with third parties who support its business activities to deliver its services in an appropriate manner, for defense of their rights, to comply with legal or regulatory obligations, for the evaluation of topics by consultants, for the use of services and products accessed through the internet, among others.

The sharing of personal data between the companies that make up the CPFL Energia Group will comply with the current legislation and sectoral rules (for example Aneel regulation), including the express consent of those responsible when necessary or required by law (for example sharing of personal data for commercial purposes between Distributors and other CPFL Group companies).

Personal data sharing will always observe the laws and regulations that govern data protection, internal procedures and policies related to personal data protection and information security.

All third parties hired by the CPFL Group and who process personal data of data subjects are obliged to (i) comply with the obligations and rights established in the laws and regulations governing the protection of personal data, including the LGPD; (ii) carry out data processing operations with confidentiality and only to achieve the purpose established in the contract; (iii) adopt personal data protection and security measures consistent with the applicable sensitivity, volume, format and treatment methods; (iv) ensure in the performance of its activities guarantees similar or better than those established in this Privacy Notice, in the CPFL Group's information security policy and procedures and also in a contract and/or other specific legal document that establishes the rules for handling personal data on that contract, and (v) ensure that its partners, representatives, employees and third parties treat personal data with confidentiality and comply with the obligations set out in the documents informed in the previous item.

For what purposes and recipients we share your personal data:

The CPFL Group adopts security, technical and administrative measures proportional to the sensitivity, volume, format and treatment methods used based on the best market practices aimed at protecting personal data from unauthorized or unauthorized access and situations of destruction, loss, alteration, communication or dissemination.

The data processed by the CPFL Group is stored in a safe environment, with internal security rules and procedures being observed, including information security and cyber. The security measures adopted are periodically tested to ensure the privacy and protection of the personal data of the data subjects.

People who, for the exercise of their activities in the CPFL Group, are trained and authorized to carry out the processing of personal data are committed to confidentiality and preservation of the privacy of the data subjects.

A personal data incident occurs when there is improper disclosure or unauthorized access by third parties to personal data.

Important: No security system is foolproof, inside or outside the internet (how many houses, with locks on the windows, monitoring camera, security have already been victims of a robbery?). Thus, the CPFL Group may also be the victim of fraud, crime or improper access. Thus, the CPFL Group is also not immune to malicious invasion attempts, and may be the victim of fraud, crime or improper access. Anyway, we are prepared to deal with these types of situations.

In the event of exposure of personal data, the CPFL Group will take all necessary measures to eliminate or reduce the impacts on its private life, which includes the application of its incident response plan that has analysis procedures and techniques, including the legal forensic analise, which help areas to identify, monitor, report, categorize their criticality and resolve data breach incidents.

In the event that the data incident entails risks or damages that are relevant to the privacy of the data subject, the CPFL Group will communicate both the data subject impacted on the incident and the ANPD, informing about the event, its impacts and what was and is being done to reduce risks, all as provided for in the LGPD, in the regulations of the National Data Protection Authority and possibly other regulatory bodies in the sector (when applicable).

To communicate to the data subject, the CPFL Group will use the service channels available at the time to contact the data subject, which may be done by telephone, e-mail or letter, at the discretion of the CPFL Group.

In the case of active customers (with contracts in progress), the email address registered in the CPFL Group Database will be used preferably, so do not forget to keep your data always up to date.

Cookies are files that contain an identifier (a sequence of letters and numbers) that is stored by your browser when you access websites and applications using the internet.

In general, the browser you use has a list of identifiers for internet users and when you access a website or an application, the identifier of your equipment (smartphone, notebook, computer, tablet, etc.) is activated and your browser locates this number in the list of identifiers it has and automatically informs the CPFL Group website or application that that code is browsing our website or application. We emphasize that if you are not in a logged area of our website or application (which you have accessed with a login and password) it will be difficult to identify you.

The CPFL Group collects cookies necessary for the functioning of the website or application (that is, to enable the use of the website/application functionalities), with functional analytics objectives to facilitate navigation, for better understanding and optimization of the website's performance session/functionalities of the website or application, evaluate the most viewed pages, bounce rate and also for delivery of content more suitable for those who browse through the internet on our websites and applications.

You can configure your browser to block the use of cookies during your browsing, but depending on the cookies that will be disabled, some features of the website or application may not work correctly. To find out how to disable your cookies, please consult your browser.

The DPO is the natural person appointed by the Controller or Operator to be the contact between them and the ANPD and the data subject. To exercise the function of Data Protection Officer to Mrs. Denise Ramos de Lima who is supported by the cell of attendance to the rights of the data subjects to register and address issues related to the fulfillment of the rights guaranteed by the LGPD, observing flows and procedures to provide and deliver the information to you with greater safety and quality.

The DPO is not authorized to answer questions from channels other than the one officially defined in this privacy notice.

We remind you that our employees' social networks are private and cannot be used for purposes related to their work activities. Therefore, our DPO is not authorized to answer questions and meet requests made by a channel other than the one informed in item 3 above.

In order to keep it updated, we can change this Notice at any time, at which time the updated version will be made available on our institutional website.

Adolescent - natural person, between 12 (twelve) and 18 (eighteen) years of age, according to the Statute of Children and Adolescents (ECA);

Anonymization - use of technical means, whereby data loses the possibility of identifying the individual;

ANPD – National Data Protection Authority - Maximum data protection authority that will be responsible for ensuring compliance with the rules on the protection of personal data, editing rules and procedures as determined in the LGPD, consolidating the understanding of issues related to data protection, requesting information from companies regarding the treatment of data data, carry out records and follow-up of the data subjects' complaint, inspect and apply sanctions to controllers and data operators;

Database - a set of personal data, in one or several physical or electronic locations;

Biometrics - physical or behavioral characteristics of an individual, for example digital collected in transactions carried out through ATMs at your Financial Institution; unlocking the cell phone with digital identification or face points;

Childrem - natural person, under 12 (twelve) years of age, in accordance with the Childrem and Adolescent Statute ("ECA");

Sharing - transfer of personal data with internal areas or third parties;

Controller - It is the person who makes the decision about the processing of personal data;

Consent - free, informed and unambiguous expression of the data subject confirming their agreement with the treatment of their personal data;

Personal data - It is information related to a data subject that allows its identification. For example, your full name, an email address, your parents' name and your date of birth are all considered personal data;

Sensitive personal data - They are personal data about racial, ethnic origin, religious belief, political opinion, union membership, organization of a religious, philosophical or political nature, data relating to health or sexual life, genetic or biometric data. For the purposes of this privacy notice, whenever we are talking about personal data, we will be referring to both personal data and sensitive personal data;

Data center - Data processing center that hosts a multitude of servers and databases;

Data subject rights - the data subject has the right to obtain from CPFL: (i) confirmation of the existence of processing; (ii) access to data; (iii) correction of incomplete, inaccurate or outdated data; (iv) anonymization, blocking or deletion of unnecessary, excessive or processed data in violation of the General Law for the Protection of Personal Data - "LGPD"; (v) portability of data to another service or product provider, upon express request, in accordance with the regulations of the national authority, observing commercial and industrial secrets; (vi) deletion of personal data processed with the consent of the holder; (vii) information on public and private entities with which the controller shared data; (viii) information about the possibility of not providing consent and about the consequences of denial; and (ix) revocation of consent;

Deletion - deletion of a personal data or set of personal data stored in a database;

CPFL ENERGIA GROUP. All companies directly or indirectly controlled by the CPFL Group: (i) Electric energy distributors (regulated market) - CPFL Paulista, CPFL Piratininga, RGE, CPLF Santa Cruz; (ii) Electricity traders (free market) - CPFL Brasil, CPFL Meridicional, CPFL Sul Geradora, CPFL Cone Sul, CPFL Brasil Varejista, CPFL Planalto; (iii) Electricity generation: Jaguari, CPFL Transmissão Piracicaba, CPFL Transmissão Morro Agudo, CPFL Transmissão Maracanaú, CPFL Transmissão Sul I; CPFL Transmissão Sul II; (iv) CPFL Renováveis; (v) Service Companies: CPFL Serviços, CPFL Atende, CPFL Finanças, CPFL Infra, CPFL People, CPFL Supre, CPFL Eficiência, CPFL GD;

LGPD - General Data Protection Law. It establishes rules for third parties to use their personal data in commercial activities;

Legal permission for processing personal data. The law determines in which cases the Controller can process personal data: Here we will mention those that are most relevant for the purposes of treatment mentioned in this document, remembering that there is no legal basis more important than the other, there is the most adequate for the purpose of the treatment: (i) consent (when authorization is required); (ii) compliance with a legal or regulatory obligation (when there is a law, regulation or court decision that authorizes or determines the processing of data such as data on the energy bill); (iii) preliminary procedures for contracting or executing contracts (such as when the data subject requests a new electricity connection or changing the ownership of an existing connection); (iv) legitimate interest of the contractor or third parties (there must be a balance between the legitimate interest of the organization or third parties and the expectations and rights and freedoms the data subjects in this case, Sensitive Data cannot be used); (v) credit protection (only for Data that is NOT sensitive); (vi) regular exercise of the right in judicial, administrative or arbitration proceedings (to defend the rights of the Controlling Party or third parties); (vii) protection of the life or physical security of the data subject or third party; (viii) health protection, in a procedure carried out by health professionals, health services or by health entities; (ix) guarantee of fraud prevention of the data subject in the processes of identification and authentication of registrations in electronic systems (only for Sensitive Data).

Operator - It is the person who processes personal data on behalf of the controller;

Retention of personal data - period for which personal data remains stored;

Sub-operator/subcontractor - It is the person who processes personal data is outsourced by the operator;

Site and applications - Refer to the CPFL Group websites and applications;

Data subject -Is the identified or identifiable natural person, to whom the object of data processing refers. Therefore, to whom this privacy notice is addressed;

Treatment. Any and all operations carried out with personal data, which includes the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, disposal, evaluation or control of information, modification, communication, transfer , diffusion or extraction. Thus, whenever we use the term "treatment" we are referring to any of these activities.