In this Terms of Use and Privacy Policy, you will find information about how the requested service works, provided through applications on the website, systems and applications for mobile devices, and the rules applicable to it; the legal basis related to the provision of the service; your responsibilities when using the service; the responsibilities of the public administration when providing the service; contact information, should you have any questions or need to update information; and the court responsible for any claims, should aspects of this document have been violated.
Furthermore, you will find information about how your personal data is processed, whether automatically or not, and its purpose; what personal data is necessary to provide the service; how it is collected; whether your data is shared with third parties; and what security measures are implemented to protect your data.
The Terms of Use and Privacy Policy of the Federal Revenue Service were prepared in accordance with Federal Law No. 12,965, of April 23, 2014 (Brazilian Internet Bill of Rights), and with the Federal Law No. 13,709, of August 14, 2018 (General Law on the Protection of Personal Data).
The Federal Revenue Service is committed to complying with the regulations set forth in the General Law on the Protection of Personal Data (LGPD), and respect the principles set forth in Article 6:
I – Purpose: processing for legitimate, specific, explicit purposes, informed to the data subject, without the possibility of subsequent processing in a manner incompatible with those purposes;
II – Adequacy: compatibility of the processing with the purposes informed to the data subject, according to the context of the processing;
III – Necessity: limiting the processing to the minimum necessary to achieve its purposes, encompassing relevant, proportionate, and non-excessive data in relation to the purposes of the data processing;
IV – Free access: guaranteeing data subjects easy and free access to information about the form and duration of processing, as well as the completeness of their personal data;
V – Data quality: guaranteeing data subjects the accuracy, clarity, relevance, and timeliness of their data, according to their needs and for the fulfillment of the purpose of its processing;
VI – Transparency: guaranteeing data subjects clear, accurate, and easily accessible information about the processing and the respective data controllers, while respecting commercial and industrial secrets;
VII – Security: the use of technical and administrative measures capable of protecting personal data from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, communication or dissemination;
VIII – Prevention: adopting measures to prevent harm from occurring as a result of the processing of personal data;
IX – Non-discrimination: the impossibility of carrying out treatment for unlawful or abusive discriminatory purposes;
X – Accountability and transparency: demonstration, by the agent, of the adoption of effective measures capable of proving the observance and compliance with personal data protection regulations and, including, the effectiveness of these measures.
Acceptance of the Terms of Use and Privacy Policy
By using the services, you confirm that you have read and understood the Terms of Use and Privacy Policy applicable to the requested service and agree to be bound by them.
Definitions
For a better understanding of this document, in this Terms of Use and Privacy Policy, the following definitions apply:
Treatment agents: the controller and the operator.
National Data Protection Authority (ANPD): a public administration body responsible for ensuring, implementing, and overseeing compliance with this Law throughout the national territory.
Public agent: Anyone who exercises, even temporarily or without remuneration, by election, appointment, designation, hiring or any other form of investiture or bond, a mandate, position, job or function in the bodies and entities of the direct and indirect Public Administration.
State agents: includes bodies and entities of the public administration in addition to their public agents.
Database: A structured collection of personal data, established in one or more locations, in electronic or physical format.
Malicious code: This refers to any computer program, or part of a program, designed to cause harm, obtain unauthorized information, or disrupt the operation of computer systems and/or networks.
Controller: a natural or legal person, governed by public or private law, who is responsible for decisions regarding the processing of personal data.
Cookies: These are files stored on users’ computers or mobile devices when accessing a web page that store and retrieve information related to their browsing.
Confidentiality: ensuring that information is accessible only to authorized individuals. Integrity: guaranteeing the accuracy and completeness of the information and the methods used to process it.
Personal data: information relating to an identified or identifiable natural person.
Sensitive personal data: Personal data concerning racial or ethnic origin, religious beliefs, political opinions, membership of a trade union or religious, philosophical or political organization, data concerning health or sex life, genetic or biometric data, when linked to a natural person.
Data Protection Officer: a person appointed by the controller and processor to act as a communication channel between the controller, data subjects, and the National Data Protection Authority (ANPD).
Information security: a set of practices and methods aimed at preserving the confidentiality, integrity, and availability of information.
Anonymization: the use of reasonable and available technical means at the time of processing, through which data loses the possibility of direct or indirect association with an individual.
Anonymized data: data relating to a data subject who cannot be identified, considering the use of reasonable and available technical means at the time of its processing.
IP Address: Internet Protocol Address, the code assigned to a network terminal to allow its identification, defined according to international standards.
Internet: the system consisting of a set of logical protocols, structured on a global scale for unrestricted public use, with the purpose of enabling data communication between terminals through different networks.
General Data Protection Law (LGPD): Federal Law No. 13.709, of August 14, 2018, which provides for the processing of personal data, including in digital media, by natural persons or legal entities under public or private law, with the objective of protecting the fundamental rights of freedom and privacy and the free development of the personality of the natural person.
API Catalog Module: a publicly accessible web page containing information about APIs available for use by the federal government.
API Catalog Administration Module: a system that manages the API Catalog data.
API Management Module: a tool that manages communication between the data receiving system and the data sending system;
API Manager Administration Module: a system that manages API manager information.
Operator: a natural or legal person, governed by public or private law, who processes personal data on behalf of the controller.
Sites e aplicativos: Os sites são um conjunto de páginas disponíveis na internet, e os aplicativos são softwares que executam um grupo de funções com o objetivo de disponibilizar um serviço aos usuários.
Third party: A person or entity that does not directly participate in a contract, legal act, or transaction, or that, in addition to the parties involved, may have an interest in a legal proceeding.
Data subject: the natural person to whom the personal data being processed refers.
Processing: any operation performed on personal data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction.
International data transfer: Transfer of personal data to a foreign country or international organization of which the country is a member.
Shared use of data: communication, dissemination, international transfer, interconnection of personal data or shared processing of personal databases by public bodies and entities in the performance of their legal duties, or between these and private entities, reciprocally, with specific authorization, for one or more processing modalities permitted by these public entities, or between private entities.
Users: all natural persons who use the requested service.
Legal basis
Below we list laws and regulations that you can consult to clarify any questions related to the services of the Federal Revenue Service involving data processing, transparency in public administration, data subject rights, among others.
Access to information
There are several regulations governing access to information and the protection of personal data, which are observed by the Federal Revenue Service in the performance of its duties.
Firstly, Law No. 12,527, of November 18, 2011 stands out, which regulates access to information as provided for in the Federal Constitution, in particular:
- in item XXXIII of article 5 (everyone has the right to receive from public bodies information of their particular interest, or of collective or general interest, which will be provided within the time frame established by law, under penalty of liability, except for those whose secrecy is essential to the security of society and the State);
- in item II of § 3 of article 37 (user access to administrative records and information on government acts, observing the provisions of article 5, X and XXXIII); and
- in § 2 of article 216 (it is the responsibility of the public administration, in accordance with the law, to manage government documentation and to take steps to make it available for consultation by those who need it).
The aforementioned law, regulated within the scope of the Federal Executive Branch by Decree No. 7,724 of May 16, 2012, stipulates that personal information related to intimacy, private life, honor, and image:
I – Access to them will be restricted, regardless of secrecy classification and for a maximum period of 100 (one hundred) years from the date of their production, to legally authorized public agents and to the person to whom they refer; and
II – Their disclosure or access by third parties may be authorized based on legal provisions or the express consent of the person to whom they refer.
The restriction of access to information relating to a person’s private life, honor, and image, however, cannot be invoked by the Federal Revenue Service with the intention of hindering the investigation of irregularities in which the holder of the information is involved, as well as in actions aimed at recovering historical facts of greater relevance.
Services, privacy and protection
Below are listed the main regulations applicable to digital services, privacy, and the protection of personal data:
Decree No. 7,845, of November 14, 2012
It regulates procedures for security clearance and the handling of classified information at any level of secrecy, and provides for the Security and Clearance Center.
Law No. 12,737, of November 30, 2012
This law addresses the criminal classification of computer crimes; amends Decree-Law No. 2,848 of December 7, 1940 – the Penal Code; and provides other measures.
Law No. 12,965, of April 23, 2014 – Brazilian Internet Bill of Rights
It establishes principles, guarantees, rights, and duties for internet use in Brazil.
Decree No. 8,777, of May 11, 2016
Establishes the Open Data Policy of the federal Executive Branch.
Decree No. 8,936, of December 19, 2016
Establishes the Digital Citizenship Platform.
Law No. 13,444, of May 11, 2017
It provides for the National Civil Identification (ICN).
Law No. 13,460, of June 26, 2017
It provides for participation, protection and defense of the rights of users of public services provided by the public administration.
Law No. 13,709, of August 14, 2018
It provides for the processing of personal data, including in digital media, by natural persons or legal entities under public or private law, with the aim of protecting the fundamental rights of freedom and privacy and the free development of the personality of the natural person.
Decree No. 9,637, of December 26, 2018
Establishes the National Information Security Policy, provides for the governance of information security, and amends Decree No. 2,295, of August 4, 1997, which regulates the provisions of Article 24, paragraph IX, of Law No. 8,666, of June 21, 1993, and provides for the waiver of bidding in cases that may compromise national security.
Decree No. 10,046, of October 9, 2019
It provides for governance in data sharing within the scope of the federal public administration and establishes the Citizen Basic Registry and the Central Data Governance Committee.
Decree No. 10,332, of April 28, 2020
Establishes the Digital Government Strategy for the period 2020 to 2022, within the scope of the bodies and entities of the direct, autonomous and foundational federal public administration.
Law No. 14,129, of March 29, 2021
Principles, rules and instruments for Digital Government.
Supplementary regulations from the Information Security Office of the Presidency(GSI/PR)
These regulations govern Information and Communications Security Management in the direct and indirect Federal Public Administration, and provide other measures.
Data processing
Without prejudice to the cases of processing not covered by the scope of Law No. 13,709, of August 14, 2018, the provisions of items II and III of article 7 of Law No. 13,709, of August 14, 2018, are identified as predominant cases for the processing of personal data within the scope of the Federal Revenue Service:
Article 7. The processing of personal data may only be carried out in the following circumstances:
[…]
II – for the fulfillment of a legal or regulatory obligation by the controller;
III – by the public administration, for the processing and shared use of data necessary for the execution of public policies foreseen in laws and regulations or supported by contracts, agreements or similar instruments, observing the provisions of Chapter IV of this Law;
The processing of personal data by the Brazilian Federal Revenue Service is intended for the exercise of its legal powers, established in the regulations below, as well as for the processing and shared use of data necessary for the monitoring and execution of public policies:
Law No. 5,172, of October 25, 1966 (National Tax Code)
It provides for the National Tax System and establishes general rules of tax law applicable to the Federal Government, States and Municipalities.
Decree No. 70,235, of March 6, 1972
It provides for the administrative tax process.
Law No. 10,593, of December 6, 2002
Article 6 provides for the responsibilities of the Federal Revenue Service Audit career.
Decree No. 6,759, of February 5, 2009
It regulates the administration of customs activities, and the inspection, control, and taxation of foreign trade operations.
Decree No. 9,094, of July 17, 2017
Regulates provisions of Law No. 13,460, of June 26, 2017, provides for the simplification of services provided to users of public services, establishes the Individual Taxpayer Registry – CPF as a sufficient and substitute instrument for the presentation of citizen data in the exercise of obligations and rights and in obtaining benefits, ratifies the waiver of signature recognition and authentication in documents produced in the country, and establishes the User Service Charter.
Decree No. 9,580, of November 22, 2018
It regulates the taxation, inspection, collection, and administration of Income Tax and Taxes on Profits of Any Nature.
Decree No. 9,745, of April 8, 2019
Approves the Regulations of the Ministry of Economy.
Ministry of Economy Ordinance No. 284, of July 27, 2020
Approves the Internal Regulations of the Special Secretariat of the Federal Revenue of Brazil of the Ministry of Economy.
Description of services and products
Descriptions of all services provided by the Federal Revenue Service, as well as the data processed, its purpose and duration of processing, how to access it, the steps involved, applicable legislation, and whether the collected data is shared, can be found here.
This Terms of Use and Privacy Policy apply to services provided through applications on the Federal Revenue Service website, the Federal Revenue Service Virtual Service Center (e-CAC Portal), the Single Window for Foreign Trade (Pucomex), and Federal Revenue Service mobile applications, namely:
- Scheduling
- e-Process
- eSocial
- MEI
- My Income Tax
- Standards
- Perdcomp
- Individual
- Federal Revenue Service
- NFSe Citizen
- NFSe Mobile
Your rights
You have the right to adequate service provision, which must be offered in accordance with guidelines such as respect; equal treatment of users, without any type of discrimination; accessibility; compliance with deadlines and standards; and adequacy between means and ends – without the imposition of requirements, obligations, restrictions and sanctions not provided for in the legislation.
The handling of personal information must be done transparently and with respect for the privacy, private life, honor, and image of individuals, as well as individual freedoms and guarantees.
You have the right to easy access to information about the processing of your data, which must be made available in a clear, adequate, and conspicuous manner regarding, among other characteristics provided for in regulations to comply with the principle of free access:
I – specific purpose of the treatment;
II – form and duration of treatment, respecting commercial and industrial secrets;
III – identification of the controller;
IV – Controller contact information;
V – Information regarding the shared use of data by the controller and its purpose;
VI – responsibilities of the agents who will carry out the treatment; and
VII – Rights of the holder.
Below is a summary of your rights under the General Data Protection Law:
- Right of confirmation and access (Art. 18, I and II): This is the right to obtain confirmation from the service as to whether or not personal data concerning you is being processed and, if so, the right to access your personal data.
- Right of rectification (Art. 18, III): This is the right to request the correction of incomplete, inaccurate, or outdated data.
- Right to restriction of data processing (Art. 18, IV): This is the right to limit the processing of your personal data, and you may demand the deletion of unnecessary, excessive, or unlawfully processed data.
- Right to object (Art. 18, § 2): This is the right to object, at any time, to the processing of data for reasons related to your particular situation, based on one of the grounds for exemption from consent or in case of non-compliance with the provisions of the General Data Protection Law.
- Right to data portability (Art. 18, V): This is the right to transfer data to another service or product provider, upon express request, in accordance with the regulations of the national authority, respecting commercial and industrial secrets.
- Right not to be subject to automated decisions (Art. 20): This is the right to request a review of decisions taken solely on the basis of automated processing of personal data that affect your interests, including decisions intended to define your personal, professional, consumer and credit profile or aspects of your personality.
Responsibilities
You are responsible for the accuracy and truthfulness of the information provided and acknowledge that any inconsistency in this information may prevent you from using the requested service.
While using the service, in order to safeguard and protect the rights of third parties, you agree to provide only your own personal data, and not that of third parties.
Your login and password cannot be used by anyone else. You agree to keep your password confidential, as it is personal and non-transferable, and under no circumstances can it be claimed that it has been misused after you have shared it.
You are responsible for keeping your personal information up to date and for the consequences of omitting or making errors in the personal information you provide.
You are responsible for repairing any and all damages, direct or indirect (including those arising from the violation of any rights of other users, third parties, intellectual property rights, confidentiality and personality rights), caused to the Federal Revenue Service, any other User, or any third party, as well as due to non-compliance with the provisions of this Terms of Use and Privacy Policy or any act committed from your access to the service.
The Internal Revenue Service cannot be held responsible for the following facts:
a) Equipment infected or compromised by attackers;
b) Equipment malfunctioning at the time of service use;
c) Computer protection;
d) Protection of information based on users’ computers;
e) Abuse of users’ computers;
f) Clandestine monitoring of users’ computers;
g) Vulnerabilities or instabilities existing in users’ systems;
h) Unsafe perimeter.
Under no circumstances will the Federal Revenue Service be responsible for the installation of malicious code (viruses, trojans, malware, worms, bots, backdoors, spyware, rootkits, or any others that may be created) on your equipment or that of third parties, as a result of the User’s internet browsing.
Under no circumstances will the service and its collaborators be liable for any direct, indirect, consequential, special, or incidental damages or penalties caused, in any matter of liability, whether contractual, strict liability, or civil liability (including negligence or otherwise), arising from any form of use of the service, even if advised of the possibility of such damages.
Given that the service handles personal information, you agree that you will not use robots, data scanning and storage systems (such as “spiders” or “scrapers”), hidden links, or any other nefarious resource, tool, program, algorithm, or automatic data collection/extraction method to access, acquire, copy, or monitor the service without the express written permission of the organization.
Regarding mobile applications, their commercialization is expressly prohibited. By agreeing to these Terms of Use and using the mobile application, you will receive permission from the governing body for non-commercial use of the services offered by the application, which, under no circumstances, will make you the owner of the mobile application.
If you violate the Terms of Use or the Privacy Policy, or are investigated for misconduct, the agency may restrict your access. In that case, you will also be held legally responsible for that conduct.
The Federal Revenue Service may, with regard to court orders requesting information, share information necessary for investigations or take measures related to illegal activities, suspected fraud, or potential threats against people, property, or systems that support the service, or as otherwise necessary to comply with legal obligations.
The Brazilian Federal Revenue Service is committed to preserving the functionality of the service or application, using a layout that respects usability and navigability, facilitating navigation whenever possible, and displaying the functionalities in a complete, accurate, and sufficient manner, so that the operations performed in the service are clear.
Contact
Whenever you wish, you can contact us through the Fala.BR Platform to clarify any doubts about this Terms of Use and Privacy Policy, or to obtain more information about the processing of data carried out in accordance with the LGPD (Brazilian General Data Protection Law).
Forum
Any disputes or controversies arising from any actions you take while using the websites and/or applications, including those related to non-compliance with the Terms of Use and Privacy Policy or the violation of the rights of the Federal Public Administration, other Users and/or third parties, including intellectual property rights, confidentiality and personality rights, will be processed by the Federal Court.
Without prejudice to any other administrative or judicial remedy, you have the right to file a complaint with the National Data Protection Authority (ANPD), based on article 18, § 1 of the LGPD, if you believe that any aspect of the Terms of Use has been violated.
Treatment agents
Controller
The General Data Protection Law (LGPD) defines the controller, in its article 5, VI, as the natural or legal person, of public or private law, who is responsible for decisions regarding the processing of personal data.
For the requested service, decisions regarding the processing of personal data are the responsibility of the Special Secretariat of the Federal Revenue of Brazil (RFB).
Operator
The General Data Protection Law (LGPD) defines, in its article 5, VII, the operator as the natural or legal person, of public or private law, who processes personal data on behalf of the controller.
The processing of the collected data may be carried out by the following contracted companies: