Personal Data Protection Statement | B3
Voltar

Personal Data Protection Statement

Introduction

Effective July 19, 2024

Hello! 

Do you know why this page is called Personal Data Protection Statement, rather than Privacy Policy, as shown on most websites you have probably seen around? 

Let us explain: B3 wants to let you know which personal data we have on our system and what we do with it. After all, we care about your privacy and know how important it is for you to have your personal data protected. Therefore, we believe it is important that you learn how we treat your personal data and that you have control over it.

This Statement will tell you what we do with your personal data for the provision of services offered by B3. To know more about the use of personal data in our digital channels – please access our Cookies Policy here.

Please read this Statement carefully. If you have any queries, contact us by email at [email protected]. We are here to help you!

  • Definitions

    First of all, we need to explain a few concepts to help you better understand our Personal Data Protection policy.

    Let's go! In order to enable your better understand, how about knowing some concepts?

    Personal Data? Any information that directly or indirectly, on its own or accompanied by other data, identifies or can identify an individual, such as names, identifying numbers, location data, account number, transaction data, electronic identifiers. 

    Sensitive Personal Data: Any personal data on racial or ethnic origin, religious conviction, political opinion, union membership or membership in an organization of religious, philosophical or political nature, data regarding health or sex life, genetic or biometric data, when linked to a natural person .

    Pseudonymized Personal Data: A type of personal data that alone is not capable of identifying somebody. Aggregated data, such as data relating to particular age brackets or groups residing at a given location without individual identification, would be considered pseudonymized.

    Data Protection Officer: The person appointed by B3 to act as a communication channel between the company, you and the Brazilian Data Protection Authority.

    General Data Protection Regulation (GDPR): The European Union regulation for personal data protection.

    Owner: Person to whom Personal Data or Sensitive Personal Data is related, i.e. you.

    Personal Data Treatment: Operation or set of operations performed on Personal Data or Personal Data sets by automated or non-automated means, such as data collection, registration, organization, structuring, storage, adaptation or change, retrieval, inquiry, use, disclosure by transmission, dissemination, or any other form of data provision, comparison or interconnection, limitation, removal or destruction.

    LGPD: is the Data Protection General Law (Law No. 13.709/2018), which regulates personal data protection in Brazil.

  • B3 Segments

    To understand how B3 collects and uses your personal data, first we need to tell you  how the services provided by B3 and the segments in which it trades work.  

    B3 services are divided into 4 segments, as shown in the table below:

    Segment

    What it is
    • Listed

    The Listed segment comprises all B3 services that enable investors to effectively and safely trade exchange-traded securities and that allow securities to be offered on the exchange market.

    B3 provides the infrastructure for the exchange market in vertical form. This means that the entire infrastructure required for a security to be offered on the market and a trade to be executed is provided by B3, like for example trading and post-trading environments, private equity depository, stock loan, and solutions for issuers.
    • OTC

    The OTC segment comprises all B3 services that enable investors to effectively and safely trade securities and also allow traded securities to be offered to the organized over-the-counter market, such as fixed income instruments, derivatives, etc.
    • Financing Infrastructure

    B3 provides services that allow a safer and more efficient vehicle and real estate financing ecosystem and, therefore, help you to secure financing safely. Examples of services in this segment:

    SRGVA – A services platform intended to prevent fraud in auto warranty claims, ensure safety with respect to the financed vehicle, allow for the financing to be completed with registration of the financing contract with the competent transport authority, and enable clients to meet their regulatory obligations regarding credit granting and collateral appraisal.

    Real Estate Platform – Provides property appraisal services that allow for the electronic registration of real estate financing contracts, and services that enable our clients to meet their regulatory obligations regarding credit granting and collateral appraisal.
    • Technology, Data, and Services

    B3 also provides Technology and Data services intended to foster the Brazilian financial system and offer solutions to help players in this market to deliver more efficient and safer services.

     We offer Technology and Access services intended to integrate the market and provide various technology options that streamline and enhance some services.

     Moreover, we have a specific data and analytics products/services area whose purpose is to provide our clients with information and analytical intelligence to allow more secure and efficient environments, thus benefiting both the financial market and society as a whole.
  • But, how does data protection work at B3?

    Now that you already know the services provided by B3, we are going tell you how we collect and use your personal data, considering each segment.

    LISTED AND OTC SEGMENTS
    PERSONAL DATA THAT WE COLLECT

    If you are an investor:

    1. We receive details of your registration from Participants, i.e., brokerage houses and fund managers;
    2. Each trade you execute is generated in the B3 systems and is stored;
    3. We also collect information such as registration data, profile data on your standard/behavior as third-party investor.

    If you are a user of one of the systems:

    1. We receive your registration data from the B3 Participant that you are representing when accessing the system;
    2. We collect your access data.
    WHAT WE USE IT FOR

    If you are an investor:

    We use your personal data to enable you to make investments on the exchange market and on the organized OTC market and, therefore, we have to process your data for some specific purposes, namely to:

    1. Maintain your registration for your identification as an investor - this is a regulatory obligation;
    2. Conduct KYC (know your customer) procedures and ratings for Money Laundering and Terrorist Financing Prevention;
    3. Register all your transactions to ensure ownership of your investments;
    4. Comply with legal and regulatory obligations to report to public and regulatory bodies, such as the Brazilian Securities and Exchange Commission ("CVM"), the Central Bank of Brazil ("BACEN"), etc;
    5. Monitor of your transactions to ensure market security and integrity;
    6. Define B3’s fee structure;
    7. Deliver relevant market information and also provide access to the Investor's Electronic Channel;
    8. Carry out internal studies and define our business, marketing and market promotion strategies;
    9. Report your transactions to authorized Participants, i.e., you custodian, brokerage house, etc.

    If you are a system user:

    We use your personal data to grant you access to the systems and perform security audits.

    Under certain circumstances, we report system access logs to the client that you represent.

    FINANCING INFRASTRUCTURE
    PERSONAL DATA THAT WE COLLECT

    If you finance a vehicle or a property:

    1. We receive information on the financing contract, your registration data and information on the asset that is being financed;
    2. We receive property appraisal information.

    If you are a user of one of the systems:

    1. We receive your registration data from the B3 client that you are representing when accessing the system;
    2. We collect your access data.
    WHAT WE USE IT FOR

    We use your personal data to allow the financing of your vehicle or property to be finalized, once all legal requirements are complied with. Therefore, we have to process your data for some specific purposes, namely to:

    1. Send data about your vehicle financing to the respective State Traffic Department for them to execute the contract registration and issue the vehicle documents;
    2. Send data about your  property financing for the respective registration to be carried out by the Land Registry Office;
    3. Receive property appraisal information so that financial institutions can assess the possibility of financing your property;
    4. Conduct KYC (know your customer) and rating and monitoring for Money Laundering and Terrorist Financing Prevention and any reports to the Council for Financial Activity Control (COAF);
    5.  
    6. Send vehicle and property financing information to BACEN for financial institutions to comply with their regulatory obligations;
    7. Treat your data so that we can comply with our legal and regulatory obligations for reporting to public and regulatory bodies;

    If you are a system user:

    We use your personal data to grant you access to the systems and perform security audits.

    Under certain circumstances, we report system access logs to the client that you represent.

    TECHNOLOGY, DATA, AND SERVICES
    PERSONAL DATA THAT WE COLLECT

    If you directly or indirectly use some of the services provided by B3:

    1. All Personal Data going through B3’s systems in all segments;
    2. Data obtained from public sources, such as the Brazilian Internal Revenue Service, Brazilian Institute of Geography and Statistics (“IBGE”), etc;
    3. Third-party databases.

    If you are a user of one of the systems:

    1. We receive your registration data from the B3 client that you are representing when accessing the system;
    2. We collect your access data.
    WHAT WE USE IT FOR

    If you directly or indirectly use some of the services provided by B3:

    We use your personal data for the creation of analytical services to be offered to the market.

    In all our analytical services, we make sure that confidential data or information that may cause damage to you will not be disclosed. Such services have 4 main components:

    1. Aggregate information on the exchange market and on the organized OTC market: We provide information about market behavior, its roles and how trades are carried out without any investor being identified. In other words, it is aggregated information mainly intended to provide relevant information about the markets to: (i) Help the commercial strategy of market players, (ii) Reduce information asymmetry on market movements, (iii) Provide analyses and other information for market development, as well so  the market can be assessed and the best investment decisions can be taken, among others.
    2. Analytical intelligence: We analyzed several data to develop services that analyze people’s profiles and provide specific information about you to our clients, which may be related to an assets profile, behavior profile, etc. Such information aims to provide our clients with additional information on you, so that the services provided to you by our clients can be safer and more efficient, thus improving the Brazilian Financial System ecosystem.
    3. Information on collateral and contract registration: We provide specific information on collateral conditions (for example, vehicles and/or properties) that will be the subject-matter of a financing or transaction that you wish to purchase or carry out. Such services aim to ensure that the collateral can be used as guarantee to close the financing or transaction, thus enabling greater safety for the financing/transaction ecosystem and for compliance with certain legal and regulatory obligations of our clients.
    4. Service monitoring information: As well as adopting measures for compliance with legal and regulatory obligations as mentioned above, B3 also provides information services intended to make our clients’ internal processes more efficient and accurate to prevent fraud, illegal activities, in particular money laundering and terrorism financing prevention. This prevents the markets in which they trade from being impacted by fraudulent or illegal acts, and prevents criminal organizations from financing and trading amounts obtained from illicit activities.

    If you are a system user:

    We use your personal data to grant you access to the systems and perform security audits.

    Under certain circumstances, we might report system access logs to the client that you represent.
  • Who B3 shares your personal data with

    B3 is a company that provides a diversified portfolio. It is very active in regulated markets, which regulators define for the most part or determine that B3 sets forth trading rules, while other markets, in turn, are not subject to regulation.

    In any circumstance, B3 has partners that help us provide services with the excellence and quality that you and our customers expect.

    We share your data with the following entities:

    • Brazilian public and regulatory bodies (CVM, BACEN, SUSEP, Internal Revenue Service, COAF, etc);
    • External audit firms;
    • Suppliers and service providers;
    • Information services development partners;
    • Our clients;
    • Public authorities and legal authorities for the enforcement of court orders.
  • How long your personal data is under our care for

    Safety and transparency first! B3 keeps your personal data totally secure for the periods described below and to achieve its goals, which vary depending on the service. For example:

    • We need to store your trading data for a minimum period of 10 years to meet the regulations applicable to B3;
    • Your registration data and financing contract data need to be stored for a minimum period of 10 years to meet regulatory obligations and in the event of potential litigations;
    • We also need to store some data to ensure regular exercise of our rights for the statutes of limitation set forth in the Brazilian law.

    It is important to you know that B3 has internal rules in place that provide for information retention and disposal to ensure that the data will cease to be used in a safe and timely manner.

  • What are your rights?

    You have the right to request from B3 certain actions with regard to your personal data.

    You can do this at any time by express request that can be made either in person or by your legal representative.

    After adopting the necessary measures to confirm your identity and, where applicable, the validity of the representation submitted by your legal representative, B3 will evaluate your request according to the following criteria:

    It should be noted that, when dealing with children's and teenagers’ personal data, their parents and/or legal guardians are assured the exercise of the same rights with regard to the treatment of data of persons represented/assisted by them.

    To make a request or if you wish to have additional information, write to [email protected]. You can request to exercise the following rights regardless of your location or nationality.

    RIGHT TO DATA CONFIRMATION, INFORMATION AND ACCESS

    You can ask us to confirm whether we have your personal data in our environments. If so, you can request access to your personal data at any time.

    If we use your data with your consent or to perform a contract, you may also ask for a full electronic copy of your data in a format that allows its use in other situations, also in data treatment operations.

    CONSENT MANAGEMENT AND REVOCATION

    You may, at any time, revoke any consent that you have granted B3.

    Given that the withdrawal of a consent can cause some direct or indirect impacts on products or services that you have purchased or contracted, we will clarify the consequences of withdrawal before we meet your request, okay?

    CORRECTION OF INCOMPLETE, INACCURATE OR OUTDATED DATA

    Under certain circumstances, you may request the correction of personal data that you consider incomplete, inaccurate or outdated.

    If due to technical or legal reasons B3 cannot meet your request, we will inform the reasons that prevent us from continuing the service.

    DELETION OF PERSONAL DATA TREATED WITH YOUR CONSENT

    In addition to the above rights, with regard to consent, if B3 uses your personal data with your consent, you are entitled to request the deletion of such personal data at any time.

    If due to technical or legal reasons B3 cannot meet your request, we will inform the reasons that prevent us from continuing the service.

    ANONYMIZATION, BLOCKING OR DELETION OF YOUR PERSONAL DATA

    B3 has a premise to only treats personal data needed for the intended purposes. However, if you feel that your personal data used by us is excessive to achieve those purposes or that we fail to observe the GDPR (General Data Protection Regulation), you may request the anonymization, blocking or deletion of your personal data.

    If due to technical or legal reasons B3 cannot meet your request, we will inform the reasons that prevent us from continuing the service.

    PORTABILITY

    In some situations, you may request portability of your personal data. At the moment, the exercise of this right depends on the regulation of the Brazilian Personal Data Protection Authority (ANPD).

    Thus, as soon as the authority regulates how we should proceed with regard to such right, we will update this statement and let you know all the details.

    OBJECTION

    B3’s purpose is to observe all the Data Protection General Law (LGPD) rules. However, if you find that B3 fails to observe the LGPD provisions when it uses your personal data, you may object to the treatment of your personal data at any time.

    If due to technical or legal reasons B3 cannot meet your request, we will inform the reasons that prevent us from continuing the service.

    Request

    You may always make a request or application to B3 or to the Brazilian Personal Data Protection Authority for situations involving the treatment of your personal data.

    REVIEW OF AUTOMATED DECISIONS

    If B3 uses your data to make exclusively automated decisions, i.e., without any human intervention, you may request the review of that decision.

    If due to technical or legal reasons B3 cannot meet your request, we will inform the reasons that prevent us from continuing the service.

    If you are based in the European Union and your data was collected while you were in the European Union, you should know that, in addition to the LGPD rules, the GDPR regulation also applies and it contains some different rights as described below. But you may also request all the abovementioned rights.

    GDPR - RIGHT TO DATA CONFIRMATION, INFORMATION, ACCESS AND ELECTRONIC COPY

    You may request to confirm whether we have your personal data in our environments and, if so, ask to access such data and you are also entitled to a full electronic copy of your personal data in a format that allows you to use it in other situations, including in other data treatment operations.

    GDPR - CONSENT MANAGEMENT AND REVOCATION

    You may, at any time, withdraw any consent that you have granted to B3.

    As the withdrawal of the consent can cause some direct or indirect impacts, we will inform you of the consequences of the withdrawal before we meet your request.

    GDPR - CORRECTION OF INCOMPLETE, INACCURATE, OR OUTDATED DATA

    Under certain circumstances, you may request the correction of your personal data that you deem to be incomplete, inaccurate or outdated.

    If due to technical or legal reasons B3 cannot meet your request, we will inform the reasons that prevent us from continuing the service.

    GDPR - DATA DELETION

    You may request deletion of your personal data in the following situations: 

    • If your personal data is no longer necessary for the purpose for which it was collected;
    • If you revoke your consent and there is no legal basis to maintain your personal data;
    • If you exercise your right of objection;
    • If the treatment of the data is considered unlawful;
    • If B3 has a legal obligation under a European Union or a European Union Member State law to erase the data;
    • If your personal data was collected in the context of the information society services provided directly to minors.
    • The deletion of data will not be mandatory when the treatment of data proves necessary, under the following circumstances:
    • For the exercise of the right of freedom of expression and information;
    • For B3 to comply with a legal obligation under a European Union or of a European Union Member State law;
    • For the exercise of functions of public interest or the exercise of the public authority with which B3 is vested;
    • For public interest reasons in the public health area;
    • In cases where the purpose is filing the data due to public interest, scientific and historical research, when the deletion of personal data could significantly impact the outcome of the research;
    • For the purposes of statement, exercise or defense of a right in a lawsuit.

    If due to technical or legal reasons B3 cannot meet your request, we will inform the reasons that prevent us from continuing the service.

    PERSONAL DATA TREATMENT LIMITATION

    You may request the limitation of your personal data treatment that may apply to the following situations:

    • When you challenge the accuracy of your personal data during a given period that allows B3 to verify its accuracy;
    • The treatment is illegitimate and you object to the deletion of your personal data and request the limitation of its use in contrast;
    • Your personal data is no longer necessary to achieve the purpose intended by B3, but you request that it is maintained requested for the purposes of statement, exercise or defense of a right in a lawsuit;
    • You object to your personal data treatment and the possibility of exercising this right is being assessed by B3 due to its legitimate and reasonable interests.

    Therefore, when you exercise such right, your personal data may only be subject to treatment with your consent or for the purposes of statement, exercise or defense of a right in a lawsuit, in defense of the rights of another individual or legal entity, or for reasons of public interest of the European Union or a European Union Member State.

    If due to technical or legal reasons B3 cannot meet your request, we will inform the reasons that prevent us from continuing the service.

    PORTABILITY

    In cases where B3 uses your personal data with your consent or to enter into a contract with you, you are entitled to request the portability of your personal data in two ways:

    (i) Receive the data in a structured, interoperable format or a format for everyday use that can be automatically read by computers, so that it can be used by another service or product supplier; or

    (ii) Directly transfer your data to another service or product supplier, equally in a format that allows the use of the data by the new supplier.

    Therefore, it is very important that you let us know specifically how you want us to respond to your request.

    Your portability request will be analyzed and, if possible, only the data actually provided by you will be subject to direct or indirect portability. Anonymized data and data deduced from the use of our products and services will not be subject to portability.

    If due to technical or legal reasons B3 cannot meet your request, we will inform the reasons that prevent us from continuing the service.

    OBJECTION

    You may object to data treatment in the following situations:

    • In cases where the legal basis for the treatment is the public interest/exercise of public authority or legitimate interests, provided that B3 does not have compelling legitimate grounds that prevail over your interests, rights, and freedom. Or that B3 proves that the treatment is necessary for the purposes of statement, exercise, or defense of a right in a lawsuit;
    • In cases where B3 treats your personal data for a purpose other than the one for which it was collected and does not present compelling legitimate grounds that prevail over the data owner's interests, rights and freedom. Or that B3 shows that the treatment is necessary for the purposes of statement, exercise or defense of a right in a lawsuit.
    • In cases where the purpose of the treatment is direct marketing;
    • In cases where the treatment is for scientific or historic research, or for statistical purposes, except if such treatment is necessary for complying with public interest purposes.

    If due to technical or legal reasons B3 cannot meet your request, we will inform the reasons that prevent us from continuing the service.

    REQUEST

    You may always make a requestor application to B3 or to our representative in the European Union, or to the Personal Data Protection Authority of your country.

    If due to technical or legal reasons B3 cannot meet your request, we will inform the reasons that prevent us from continuing the service.

    REVIEW OF AUTOMATED DECISIONS

    If B3 uses your data to make exclusively automated decisions, i.e., without any human intervention, you may request the review of that decision.

    If due to technical or legal reasons B3 cannot meet your request, we will inform the reasons that prevent us from continuing the service.

    Caso a B3 não possa, por razões técnicas ou legais, atender ao seu pedido, informaremos os motivos que nos impedem de seguir com o atendimento.

  • Will your personal data be transferred to another country?
    In order to operate regularly and meet certain regulatory obligations, B3 has partnered up with international public entities and external partners to exercise its rights and ensure the efficiency and quality of its services. Therefore, your personal data might be transferred to other countries.
  • How do we protect your personal data?

    B3 takes the protection of your personal data very seriously in accordance with strict security and confidentiality standards. We provide our clients a secure and reliable environment and we use tools and technologies to maintain the integrity and confidentiality of your information, in addition to protecting it from unauthorized access.

    Moreover, we restrict access to your information only to duly authorized and empowered persons for proper treatment of your data, under confidentiality and secrecy obligations and by adopting a series of security measures.

    It is also required from any organization or individual hired to provide support services to comply with the contractual provisions and/or rules established by B3, such as the Information Security Policy, the Suppliers Code of Conduct, Rules and Manuals, etc.

    B3 exhaustively works to ensure that the information disclosed to our clients be true and complete. We have strict controls in place to monitor the information provided.

  • Amendments to this statement

    This Statement may be amended at any time. The latest version shall always be considered the current version.

    To check the date of the current Statement version, check the "Update date" at the beginning of this document.

Contact us

You can contact us through our Mail or Telephone:

Data Protection Officer

Cristiano Adjuto E Campos

Email
[email protected]

ic_mobile.png

Phone
+55 11 4200 0277

Mail
REQUEST FORM TEMPLATE
B3 S.A. – BRASIL, BOLSA, BALCÃO.
Praça Antonio Prado, 48, Centro – 2nd Floor – Information Services Area, Sao Paulo/SP, CEP 01010-901, Brazil

B3 Representative in the European Union

If you are in the European Union and have any doubts about how B3 treats your personal data, please contact our representative in the European Union:

  • CHENUT OLIVEIRA SANTIAGO Selarl
  • Rua Rodrigues Sampaio, 21, 6° D | 1150-278 Lisboa | Portugal
  • [email protected]