Information Security Management and Cyber Security
Corporate information is an important asset of an organization and everyone is responsible for maintaining, caring for, storing and making correct, diligent and responsible use of it, preserving the level of secrecy, access and correctness of its contents.
With the current trend towards digitalization, cloud data storage, remote work, virtual processing, virtual payments, and remote access to the company’s network and IT systems, it has become necessary to reinforce the resources for protecting corporate data, systems, and networks. This set of mechanisms for information management and data protection within a company is part of information security and cybersecurity.
Having a comprehensive information security process is a governance practice that aims to ensure that important content is accessed only by designated persons, that data is registered and archived, that integrity and inviolability are preserved, and that the risk of attacks on systems or of information theft is mitigated.
Copel keeps pace with constant and frequent technological change and, for this reason, information security has always been aligned with the Company’s strategy, being treated as one of its most relevant risks.
The level to be reached by the company in information security is defined by the Board of Directors (CAD); based on it, the Superintendence of Information Technology, under the scope of the Board of Business Management and with the approval of the Board of Executive Officers (Redir), prepares and carries out the executive management of the strategy.
The Statutory Audit Committee (CAE) is responsible for ensuring the quality and efficiency of the internal control and risk management systems, including supervision of the information security strategy, with annual registration in the Statutory Audit Committee Report. This Committee advises and reports to the Board of Directors (CAD), to which it is directly linked.
In 2024, Copel also established the Cyber Security and Information Security Committee (CSCI), a collegiate body auxiliary to the Board of Directors, created with the mission of ensuring the direction and strategic definitions related to support, processes and compliance in cyber security and information security, giving equal consideration to the areas of controls, business and information technology.
The subject “cybersecurity” is part of the development plan for the Board of Directors and the committees, whose objective is to develop their members’ skills in analyzing vulnerabilities and participating in security actions.
To this end, the Company has a set of strategies, policies, technologies, processes and tools, designed and periodically updated, to prevent unauthorized access to or malicious attacks on servers and systems, in order to ensure confidentiality, availability, integrity, authenticity and accountability for the authorship of content, preserving the confidence and peace of mind of stakeholders.
Among the various practices and documents that govern Information Security at Copel, the following stand out: the Information Security and Cybernetics Policy (NPC 0301) and the Information Technology Policy (NPC 0302), both approved by CAD; internal administrative rules, with emphasis on privacy by design; information security training; a communication plan for employees with cyber security tips; a business continuity and contingency plan for possible intrusion attempts; vulnerability analysis with simulation of a hacker attack, by means of a contract with a specialized company; monitoring of violations; and measurement of the total number of IT infrastructure incidents.
In addition, Federal Law No. 13,709/2018 – General Law of Personal Data Protection (LGPD), which establishes the duties of legal entities for the protection of the fundamental rights of freedom and privacy, governs the processing of personal data, including in digital media; its requirements are also reflected in Copel’s Privacy and Personal Data Protection Policy (NPC 0322).
Cybersecurity Process and Infrastructure
Copel has a series of processes to prevent IT system interruptions and cyber attacks, as well as contingency plans and incident response procedures. It is therefore well prepared to react should such events occur.
The Company’s information technology infrastructure is audited internally and externally. In addition, tests are carried out periodically, including third-party tests, and employees undergo mandatory training on cybersecurity, strengthening the Company’s defenses and culture on this topic. Simulations of hacker attacks also take place periodically, with the aim of assessing the effectiveness of the detection and response structure in the environment and coordinating its optimization, so as to minimize the success of real cyber attacks.
There are internal cyber security targets monitored through the IT and OT Cyber Security Index of the National Institute of Standards and Technology (NIST). These targets are linked to the variable compensation of part of Copel’s executives.
Use and security of personal information
Copel, by means of its Personal Data Protection and Privacy Policy (NPC 0322), is committed to protecting the privacy of the personal data of shareholders, clients, officers, employees, legal representatives of corporate clients, legal representatives of suppliers, participants in contests and visitors to Copel’s facilities. This data is collected during the relationship with the data subject for the fulfillment of contractual obligations (e.g. rendering of services by Copel), for business management activities, and for compliance with legal or regulatory obligations.
As a result of this relationship, additional personal data may be collected from the data subject, always in compliance with the principles established in the data protection legislation.
Personal data is processed in different ways within Copel; data subjects are divided into categories to better explain how personal data is processed in our processes. The Privacy and Personal Data Protection Policy (NPC 0322) provides customer privacy information, including details about:
- Premises and guidelines: including how the personal data are protected;
- Use and nature of collected data: the personal data collected by Copel are only used to achieve the purposes that originated their collection, being processed in accordance with applicable laws and the General Law of Personal Data Protection (LGPD), according to the purposes listed in the Policy;
- Data sharing: in some cases, Copel may share personal data under its control when required by law, when necessary to administer its contractual and/or employment relationship, or when it has a legitimate purpose for doing so. Such data may be shared with third parties, including service providers and other group entities, who will process the data in accordance with the purposes for which it was collected;
- Data subjects’ rights: the data subject has rights related to the privacy and protection of their data, and Copel, in addition to being concerned with the security of this data, is also concerned that the subject has access to and knowledge of all their rights. In order to exercise any of the rights stipulated in the legislation, an express request must be made to Copel through the form available on the Company’s privacy page. The rights of data subjects are: confirmation of processing; data access; correction of personal data; anonymization, blocking or deletion; deletion of data processed with consent; information about sharing; information on the possibility of not providing consent and on the consequences of refusal; revocation of consent; review of automated decisions; and data portability. Specific information may be requested from the data subject to help Copel confirm their identity, for their own protection. Copel may also reject requests, always indicating the reasons of fact or law that prevent the immediate execution of the request;
- Retention and disposal: Copel undertakes to maintain the accuracy, integrity, confidentiality and relevance of personal data based on the purpose of the processing. The retention periods, described in the Temporality Matrix in Annex I, and the forms of disposal of personal data must follow the procedures and guidelines set forth in the legislation and in other Copel policies. At the end of the retention period and of the legal need for its storage, personal data will be deleted and/or anonymized using secure disposal methods, in accordance with Copel’s internal guidelines;
- Response to privacy incidents: in the event of incidents involving personal data, under the terms of the law, all appropriate internal procedures and key personnel of the Company will be mobilized to ensure that the necessary measures are taken to mitigate the risks. For this purpose, the following are considered data protection incidents: unauthorized access; data leakage; accidental or unlawful destruction, loss, alteration or improper communication of personal data; and any inappropriate or unlawful form of data processing;
- Data protection officer contact; and
- Legislation and rules related to the subject.
Secondary use of information
Secondary use of customer data

| Item | Percentage |
| --- | --- |
| Customers consenting to secondary use | 8% |
| Customers rejecting secondary use | 3% |
Note: The Company began processing data for secondary purposes in 2024, collecting consent for specific purposes. The page containing the consent options through which the data subject can exercise their preferences (opt in/opt out) can be accessed via the link “request personal information”.
In 2023, Internal Audit assessed the effectiveness of relevant privacy controls. In 2024, auditing services were contracted from Ernst & Young (EY) and should be carried out during the year.
Information for users
Copel collects information in several ways in different areas of its websites.
Some information is collected automatically and may include: IP address, browser type, domain names, access time and website page views. To access some functionalities, the user must provide information such as e-mail address, name, CPF/CNPJ, address, telephone number and consumer unit.
Note: Copel’s website uses the Google Analytics advertising feature. The user can deactivate this resource by means of the plugin provided by Google on the link https://tools.google.com/dlpage/gaoptout.
Copel does not sell or rent its user lists to third parties, nor does it authorize third parties to use users’ information, except for the provision of services to Copel, and only after a confidentiality agreement has been signed.
Copel does not read the confidential communications of its users and only uses the information captured by the domains and subdomains of www.copel.com to:
- identify the profile and needs of users in order to improve its products and services;
- visualize the delivery of its products and services; and
- promote changes, innovations or promotions to its products and services.
Access and Use Rules
Accessing Copel’s website or using the resources available on it constitutes the user’s acceptance of the terms of the Privacy Policy, whereby the user undertakes to use Copel’s website only for the purposes for which it is intended.
The user must not disable or damage Copel’s website or interfere with its use by other users. Unlawful conduct is dealt with by the Company in accordance with the civil and criminal legislation in force.
The user assumes any and all civil and/or criminal liability for the improper use of information, texts, graphics, trademarks, works and, in short, any intellectual or industrial property rights belonging to Copel’s domains.
Minors are not allowed to enter into contracts or other legal acts on the websites managed by Copel.
The user, for their own protection, must safeguard their access credentials for Copel’s websites, keeping their login and password confidential.
Lilian Renata de Andrade
Board Advisor
Attendance: 8am to 12pm and 1pm to 5pm
Place: Legal and Regulatory Board
Phone: (41) 3310-5321
e-mail: lgpd@copel.com
To request information about the existence of personal data and the processing performed by Copel, or to exercise the other rights of personal data subjects described in the General Data Protection Act (Law No. 13,709 of August 14, 2018), simply access the following form: Request for personal data