Information Security Management and Cyber Security

Corporate information is an important asset of an organization and everyone is responsible for maintaining, caring for, storing and making correct, diligent and responsible use of it, preserving the level of secrecy, access and correctness of its contents.

With the current trend towards digitalization, cloud data storage, remote work, virtual processing of processes, virtual payments, and remote access to the company’s network and IT systems, it has become necessary to reinforce the resources for protecting corporate data, systems, and networks. This set of mechanisms for information management and data protection within a company is part of information security and cybersecurity.

Having a comprehensive information security process is a governance practice that aims to ensure access to important content by designated persons, registration and archiving of data, integrity, inviolability, and risk mitigation of attacks on systems or information subtraction.

Copel keeps up with the constant and frequent technological evolutions and, for this reason, information security has always been aligned with the Company’s strategy, being one of its most relevant risks.

The level to be reached by the company in information security is defined by the Board of Directors (CAD), from which the Superintendence of Information Technology, under the scope of the Board of Business Management and with the approval of the Board of Executive Officers (Redir), prepares and carries out the executive management of the strategy.

The Statutory Audit Committee (CAE) is responsible for ensuring the quality and efficiency of the internal control and risk management systems, including supervision of the information security strategy, with annual registration in the Statutory Audit Committee Report. This Committee advises and reports to the Board of Directors (CAD), to which it is directly linked.

Thus, the subject “cybersecurity” is part of the development plan for the Board of Directors and the committees, whose objective is to develop their members’ skills in analyzing vulnerabilities and participating in security actions.

To this end, the Company has a set of strategies, policies, technologies, processes and tools designed and periodically updated to prevent access or malicious attacks to servers and systems in order to ensure confidentiality, availability, integrity, authenticity and responsibility over the authorship of content, preserving the confidence and tranquility of stakeholders.

Among the various practices and documents that govern Information Security at Copel, the following stand out: the Information Security and Cybernetics Policy (NPC 0301) and the Information Technology Policy (NPC 0302), both approved by CAD; internal administrative rules, with emphasis on privacy since conception; information security training; communication plan to employees with cyber security tips; business continuity and contingency plan for possible invasion attempts; vulnerability analysis with simulation of a hacker attack, by means of a contract with a specialized company; monitoring of violations; and measurement of the total number of IT infrastructure incidents.

In addition, Federal Law No. 13,709/2018 – General Law of Personal Data Protection (LGPD), which establishes the duties of legal entities for the protection of the fundamental rights of freedom and privacy, provides for the treatment of personal data, including in digital media, and is also provided for in Copel’s Privacy and Personal Data Protection Policy (NPC 0322).

Use and security of personal information

Copel, by means of its Personal Data Protection and Privacy Policy (NPC 0322), is committed to protecting the privacy of personal data of shareholders, clients, officers, employees, legal representatives of corporate clients, legal representatives of suppliers, participants in contests and visitors to Copel’s facilities, which are collected during the relationship with the holder for the accomplishment of contractual obligations (e.g.: rendering of services by Copel), business management activities, as well as for compliance with legal or regulatory obligations.

As a result of this relationship, additional personal data may be collected from the titleholder, always in compliance with the principles established in the data protection legislation.


The processing of personal data occurs in different ways within Copel, adopting the division by categories of holders to better elucidate the ways of processing personal data in our processes. The Privacy and Personal Data Protection Policy (NPC 0322) provides customer privacy information including details about:

  • Premises and guidelines: including how the personal data are protected;
  • Use and nature of collected data: the personal data collected by Copel are only used to achieve the purposes that originated their collection, being treated in accordance with applicable laws and the General Law of Personal Data Protection (LGPD) according to the purposes listed in Policy;
  • Data sharing: in some cases, Copel may share personal data which it controls when required by law, necessary to administer its contractual and/or work relationship or when it has a legitimate purpose in doing so. Such data may be shared with third parties, including service providers, third parties and other group entities, who will treat the data in accordance with the purposes for which it was collected;
  • Data subjects’ rights: the data subject has rights related to the privacy and protection of his data, and Copel, in addition to being concerned with the security of this data, is also concerned that the subject has access and knowledge of all his rights. In order to exercise any of the rights stipulated in the legislation, it is necessary to make an express request to Copel through the form available on the Company’s privacy page. Thus, the rights that data subjects have are: treatment confirmation; data access; correction of personal data; anonymization, blocking or deletion; deletion of data processed with consent; information about sharing; Information on the possibility of not providing consent and on the consequences of the refusal; revocation of consent; automated decisions; data portability. Specific information may be requested from the data subject to help Copel confirm their identity, for their own protection. Also, Copel may reject requests always indicating the reasons of fact or law that prevent the immediate execution of the request;
  • Retention and disposal: Copel undertakes to maintain the accuracy, integrity, confidentiality and relevance of personal data based on the purpose of the treatment. The retention periods, described in the Temporality Matrix in Annex I, and forms of disposal of personal data must follow the procedures and guidelines set forth in the legislation and in accordance with other Copel policies. At the end of the period and the legal necessity for its storage, personal data will be eliminated and/or anonymized using safe disposal methods, in accordance with Copel’s internal guidelines;
  • Response to privacy incidents: in the event of incidents involving personal data, under the terms of the law, all appropriate internal procedures and key personnel of the Company will be put in place to ensure that the necessary measures are taken to mitigate the risks. For this purpose, data protection incidents are considered to be cases of unauthorized access; data leakage; accidental or illicit situations of destruction, loss, alteration or improper communication of personal data; and any inappropriate or unlawful form of data processing.
  • Data protection officer contact; and
  • Legislation and rules related to the subject.

In 2022, Internal Audit, through support from Ernest & Young, assessed the effectiveness of relevant privacy controls.

Information for users

Copel collects information in several ways in different areas of its websites.

Some information is collected automatically, and may include: IP address, browser type, domain names, access time and website page views. To

access to some functionalities, the user must provide information such as e-mail address, name, CPF/CNPJ, address, telephone number and consumer unit.

Note: Copel’s website uses the Google Analytics advertising feature. The user can deactivate this resource by means of the plugin provided by Google on the link


Copel does not sell or rent its user lists to third parties, nor does it authorize third parties to use users’ information, with the exception of providing services to Copel, and only after signing a confidentiality agreement.

Copel does not read the confidential communications of its users and only uses the information captured by the domains and subdomains of to:

  • identify the profile and needs of users in order to improve its products and services;
  • visualize the delivery of its products and services; and
  • promote changes, innovations or promotions to its products and services.

Access and Use Rules

The access to Copel’s website or the use of the resources available therein characterize the adhesion of the users to the terms of the Privacy Policy, whereby the user undertakes to use Copel’s website only for the purposes for which it is intended.

The user must not disable or damage Copel’s website or interfere in the use of other users. Illicit attitudes are dealt with by the Company in conformity with the provisions of the civil and penal legislation in force.

The user assumes any and all responsibility, of civil and/or criminal nature, for the improper use of information, texts, graphs, brands, works, in short, any and all intellectual or industrial property rights of the domains of Copel.

Minors are not allowed to contract or get involved in other legal acts in the sites managed by Copel.

The user, for his own protection, must care for his access data to Copel’s websites, keeping his login and password confidential.

Lilian Renata de Andrade

Board Advisor

Attendance: 8am to 12pm and 1pm to 5pm

Place: Legal and Regulatory Board

Phone: (41) 3310-5321


To request information about the existence of personal data and the treatment performed by Copel or to exercise the other rights of the holders of personal data described in the General Data Protection Act (Law No. 13,709 of August 14, 2018), simply access the following form: Request for personal data