Privacy Notice - Biovalid
I - Name and Address of Controller
The controller, a legal person under private law, who oversees decisions concerning the processing of personal data following the General Data Protection Act, is:
Serpro - Serviço Federal de Processamento de Dados
SGAN Quadra 601 Módulo "V"
Brasília-DF
CEP: 70836-900
Websites:
https://www.serpro.gov.br/privacidade-protecao-dados
II - Name and Address of Data Entry Clerk
The Data Entry Clerk representing the controller is:
Andre Luiz Sucupira Antonio
E-mail: encarregado@serpro.gov.br
III - Service Provision Data and Log Data Generation
- How do we treat your personal data?
Biovalid is a solution that conducts liveness detection verifying users' identity without the need for them to be physically present. The solution can compare information directly from government databases and yield a percentage of similarity or assertiveness against the original data submitted by the contractor. For Terminology Purposes:
- Percentage of similarity or assertiveness: this is the result of the positive or negative validation against the data of the owners submitted to the Biovalid solution.
The data processed are personal data and sensitive personal data, which will be used for consultation and validation against pre-existing public databases. Biovalid does not process personal data of children and adolescents.
The categories of data owners whose data are processed by Biovalid are varied, since it is a multi-client solution, offered to the public and private market.
Below is a table with the categories of personal data that we treat:
| Category | Description | Sources |
| Biographical Data | Token (Validation PIN number); Datavalid return data; KBA (other personal data that may or may not come from Datavalid); Date and time of validation and CPF | API and Application |
| Personal data | Facial image (AI validation). The facial image is captured, and pixels are generated (anonymized) for the liveness detection process. These pixels are not considered personal data. | Application |
| Derived Personal Data | Similarity percentage (biometric validation) | API and App Backend |
| Biometric personal data | Photo (biometric validation) received - Photo retrieved from Renach. Biometric validation stores both images for auditing purposes only. | Renach |
Table 1 - Personal Data Categories
Thus, within the scope of Biovalid, the processing of personal data will be conducted as follows:
- We use personal data, CPF and photo for biometric validation in the Datavalid base, where once compared, the percentage of similarity will be informed along with the data that already exists in the Datavalid base.
As can be seen, the solution designed returns only positive or negative validation of the owners' data.
- For what purposes do we process your data?
The following table shows the reasons and legal grounds on which we have based our treatment of the categories of personal data in a lawful manner:
| Purpose | Legal basis* | Category |
| To perform AI-based liveness detection and biometric validation to verify users' identity without requiring them to be physically present. |
|
|
| Data storage for security, control, and audit purposes. |
|
|
Table 2 - Purposes of data treatment
* The legal basis shown is in combination with art. 23, main section of the LGPD.
- Data Sharing
The personal data listed below will be shared only with the categories of recipients shown in the following table, if:
| Recipient | Purpose | Category |
| Contract clients | Running the liveness detection process | Derived personal data |
Table 3 - Data Sharing
- Data retention and deletion
We will remove or anonymize your personal data so that you cannot be identified. There are, however, situations in which we are legally authorized or mandated to keep specific personal data.
Data will be kept for control and audit purposes as shown in the table below for:
- Compliance with a legal or regulatory obligation by the controller, according to Article 16, item I, combined with Article 18 of the LGPD in respect of the rights of the data owners;
- The regular exercise of a right, pursuant to Articles 7 and 11 of the LGPD.
With Biovalid, data will be kept as shown in the following table, and when not needed, data will not be stored.
| Category | Retention Time* |
| Biographical Personal Data | Stored for five years |
| Personal identification data |
|
| Biometric personal data | Stored for five years |
| Derived personal data | Stored for five years |
Table 4 - Retention Time
IV - Rights of Data Owners
Serpro respects the data owner's ability to know, access, rectify, transfer, limit processing and remove personal data. The data owner has rights over his or her processed data, from the moment of collection to deletion.
SERPRO has a Citizen's Digital Privacy Platform (https://cidadao.pdc.serpro.gov.br/cidadao/) for the holder to request and exercise all the rights in Articles 9, 18 and 20 of the LGPD. The deadlines for fulfillment of requests will not exceed 15 days.
There may be situations in which we will not be able to fulfill your request. For example, if a data owner requests the deletion of his or her transaction data and Serpro is required by law to keep a record of that transaction. We may also reject a request when this may jeopardize our use of data for security, anti-fraud, control, and audit purposes.
Below we list the rights of Owners of Personal Data applicable in the context of Biovalid:
| Right | Can it be exercised? | Justification |
| Confirmation of the existence of the processing |
|
Request at https://cidadao.pdc.serpro.gov.br/cidadao/ |
| Access to the data |  |
Request at https://cidadao.pdc.serpro.gov.br/cidadao/ |
| Information about public and private entities with which the controller has shared data |
|
Request at https://cidadao.pdc.serpro.gov.br/cidadao/ |
| Correction of incomplete, inaccurate, or out-of-date data | |
RFB and SENATRAN have the legal competence to attend to these rights. The data owner must apply directly through the channels of the agencies, in accordance with the following guidelines:
1.Access Fala BR, click on Access to Information option
1.1 Requests to RFB:
In the Recipient field, select:
Receita Federal [ME - Ministry of Economy].
1.2 Requests to SENATRAN:
In the Recipient field, select:
MINFRA - Ministry of Infrastructure
2. In the Description field, select Personal Data - LGPD.
3. Enter your request
|
| Anonymization, blocking or deletion of unnecessary or excessive data or data processed in noncompliance with the provisions of LGPD |
|
|
| deletion of personal data processed with the consent of the data owner |  |
These rights do not apply to the processing performed by the Biovalid solution, since the legal bases authorizing the processing do not imply consent. |
| Information about the possibility of denying consent and the consequences of such denial | |
|
| Revocation of consent | |
|
| Right to data portability | |
The right to portability does not apply to the processing of personal data stored for security, anti-fraud, control, and audit purposes. |
Table 5 - Rights of Data Owners
Privacy Notice updated on 06/30/2022