BSM Personal Data Protection Statement

BSM Personal Data Protection Statement

Do you know why this page is named Personal Data Protection Statement instead of Privacy Policy, as you might have seen on most websites?
We explain: BSM wants to tell you what personal data we have and what we do with it. After all, we care about your privacy and understand how important it is for you to have your personal data protected. Therefore, it is important that you know how we handle your personal data and that you have control over it.
This Statement will explain what we do with your personal data for the performance of BSM's self-regulation activities. Regarding our digital channels and the use of Cookies, you can access the Statements for each of them on our website.
It is important that you read this Statement carefully and, if you have any questions, contact us by sending an email to [email protected]. We will be happy to assist you!

Let's go! To ensure your complete understanding, how about getting to know some concepts?

  • Personal Data: Any information that, directly or indirectly, alone or accompanied by other data, identifies or can identify a natural person, such as names, identification numbers, location data, account numbers, transaction data, electronic identifiers.
  • Sensitive Personal Data: Personal data about racial or ethnic origin, religious belief, political opinion, union membership or membership in a religious, philosophical, or political organization, data concerning health or sexual life, genetic or biometric data, when linked to a natural person.
  • Pseudonymized Personal Data: A type of personal data that, in isolation, is not capable of identifying someone. Aggregated data, such as those related to groups of a certain age range or groups domiciled in a certain location, without individual identification, would be considered pseudonymized.
  • Data Protection Officer: The person appointed by BSM to act as the communication channel between BSM, you, and the National Data Protection Authority.
  • General Data Protection Regulation (GDPR): The European Union's personal data protection regulation.
  • Data Subject: The natural person to whom the Personal Data or Sensitive Personal Data relates, that is, you.
  • Personal Data Processing: An operation or set of operations performed on Personal Data or sets of Personal Data, by automated or non-automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or any other form of making available, comparison or interconnection, restriction, removal, or destruction.
  • LGPD: Law No. 13.709/2018 that regulates the protection of personal data.
  • To help you understand how BSM collects and uses your personal data, we first need to explain what BSM is and how its activities work, according to the authority granted by the Securities and Exchange Commission (CVM). So, let's go:
    BSM is the self-regulation of the markets managed by B3 and other organized market administrators and market infrastructures authorized to operate by the CVM that may hire its self-regulation services. According to CVM regulations, these organized securities market institutions must have self-regulation as a requirement for operation. BSM acts as an auxiliary body to the CVM in supervising organized markets and their Participants (such as securities brokers and distributors) and representatives.
    BSM's activities are divided into three pillars, as shown in the table below:

    Pillar 1: GUIDANCE

    We share knowledge and guide market Participants

    Pillar 2: MARKET INTEGRITY

    Our activities are aimed at ensuring compliance with the rules and regulations that govern the markets under our supervision. We supervise 100% of the offers and operations of the markets managed by B3 and other market infrastructures, and we audit their Participants. To perform this activity, CVM regulations guarantee BSM broad and unrestricted access to the offers and operations of the markets under its supervision and determine that the entities managing organized exchange and over-the-counter markets, the market infrastructures authorized to operate by the CVM, and the Participants provide the information requested by BSM.

    Pillar 3: INVESTOR PROTECTION

    We promote market confidence and transparency. We manage B3's Investor Compensation Mechanism (MRP), which aims to compensate investors for losses resulting from operational failures of Participants in the intermediation of securities transactions in the stock market.
    Now that you are familiar with BSM's activities, let's explain how we collect and use your personal data:

    PERSONAL DATA WE COLLECT

    If You are an investor:
    a. We receive your registration data and investor profile from Participants.
    b. Each transaction you make is recorded in the B3 systems and/or in the systems of other BSM self-regulation and is shared with BSM.

    WHAT WE USE THEM FOR:

    If You are an investor:
    We use your personal data to perform BSM's activities based on the previously defined pillars.

    1. a.We comply with legal and regulatory obligations and report to regulators such as the CVM, the Central Bank of Brazil (BACEN), public authorities, among others.
    2. b.We monitor your transactions, ensuring the security and integrity of the markets managed by B3 and other organized market administrators and market infrastructures authorized to operate by the CVM that may hire BSM's self-regulation services.
    If You are an MRP Applicant:
    a.We use your personal data to analyze and adjudicate the Request you submitted to the MRP.
    1. b.Once the MRP process is completed, the information from your process is published on the BSM website, as required by CVM regulations and the MRP Regulation.

    BSM is the self-regulation of the markets managed by B3 and other organized market administrators and market infrastructures authorized to operate by the CVM that may hire its self-regulation services.
    The self-regulation activities are monitored by the CVM. Therefore, we share your data with the CVM, as well as other institutions to comply with regulatory obligations and judicial determinations.

    Security above all! Transparency too. BSM will keep your personal data securely, according to the periods stipulated below and to achieve the purposes, which vary depending on the service. For example:

  • We need to store your data for a minimum period of 10 years to comply with the regulations applicable to BSM.
  • We also need to store some data to ensure the regular exercise of BSM's rights within the prescription periods provided for in Brazilian legislation.
  • It is important for you to know that BSM has internal rules regarding the retention and disposal of information to ensure that the data will no longer be used at the right time and in a secure manner.

    You have the right to request certain actions from BSM regarding your personal data.
    You can do this at any time through an express request, which can be made by you or your legal representative.
    After taking the necessary steps to confirm your identity (and, when applicable, the validity of the representation presented by your legal representative), BSM will evaluate your request as described below.
    It is important to remember that when processing personal data of children and adolescents, parents and/or legal guardians will be guaranteed the exercise of the same rights regarding the processing of their represented/assisted data.
    To make a request or if you want additional information, access: [email protected]. You can request the exercise of the following rights regardless of your location or nationality.

  • RIGHT TO CONFIRMATION, INFORMATION, AND ACCESS
  • You can ask to confirm if we have your personal data in our environments. If so, you can request access to your personal data at any time.
    If we are using your data based on your consent or to execute a contract, you can also request a full electronic copy of your data in a format that allows its use in other situations, including in processing operations.
  • CONSENT MANAGEMENT AND REVOCATION 
  • You can revoke any consent you have given to BSM at any time.
    As the withdrawal of consent may have some direct or indirect consequences on products or services you have contracted, we will clarify the consequences of this withdrawal before fulfilling your request, okay?
  • CORRECTION OF INCOMPLETE, INACCURATE, OR OUTDATED DATA
  • In certain circumstances, you can request the correction of personal data that you consider incomplete, inaccurate, or outdated.
    If BSM cannot, for technical or legal reasons, fulfill your request, we will inform you of the reasons that prevent us from proceeding.
  • DELETION OF PERSONAL DATA PROCESSED BASED ON YOUR CONSENT
  • In addition to the rights above related to consent, if BSM is using your personal data because you consented, you have the right to request the deletion of this personal data at any time.
    If BSM cannot, for technical or legal reasons, fulfill your request, we will inform you of the reasons that prevent us from proceeding.
  • ANONYMIZATION, BLOCKING, OR DELETION OF YOUR PERSONAL DATA
  • BSM's premise is to process only the personal data necessary for the intended purposes. However, if you consider that your personal data used by BSM is excessive for achieving the purposes or BSM is not observing what the LGPD determines, you can request the anonymization, blocking, or deletion of this personal data.
    If BSM cannot, for technical or legal reasons, fulfill your request, we will inform you of the reasons that prevent us from proceeding.
  • PORTABILITY
  • In cases where BSM uses your data with your consent or to execute a contract signed with you, you have the right to request the portability of your personal data in two ways:
    • Receiving the data in a structured, interoperable, or commonly used format that can be automatically read by computers, so that it can be used by another service or product provider; or
    • Direct transfer of the data to another service or product provider, also in a format that allows the new provider to use the data.
    For this reason, it is very important that you expressly tell us how you want us to respond to your request. Agreed?
    Your portability request will be analyzed, and when we can fulfill it, only the data you have effectively provided will be subject to portability, directly or indirectly. Anonymized data and data inferred from the use of our products and services will not be subject to portability.
  • PORTABILITY
  • In cases where BSM uses your data with your consent or to execute a contract signed with you, you have the right to request the portability of your personal data in two ways:
    • Receiving the data in a structured, interoperable, or commonly used format that can be automatically read by computers, so that it can be used by another service or product provider; or
    • Direct transfer of the data to another service or product provider, also in a format that allows the new provider to use the data.
    For this reason, it is very important that you expressly tell us how you want us to respond to your request. Agreed?
    Your portability request will be analyzed, and when we can fulfill it, only the data you have effectively provided will be subject to portability, directly or indirectly. Anonymized data and data inferred from the use of our products and services will not be subject to portability.
  • OBJECTION
  • BSM's premise is to observe all LGPD rules. However, if you consider that BSM is not observing what the LGPD determines when using your personal data, you can object to the processing of your personal data at any time.
    If BSM cannot, for technical or legal reasons, fulfill your request, we will inform you of the reasons that prevent us from proceeding.
  • PETITION
  • You can always make a request or petition to BSM or the national personal data protection authority about situations involving the processing of your personal data.
  • REVIER OF AUTOMATED DECISIONS
  • If BSM uses your data to make exclusively automated decisions, that is, without any human intervention, you can request a review of the decision.
    If BSM cannot, for technical or legal reasons, fulfill your request, we will inform you of the reasons that prevent us from proceeding.
    Now, if you are a person located in the European Union and your data was collected while you were in the European Union, know that, in addition to the LGPD, the GDPR regulation will also apply, which has some different rights, as described below. But you can also request all the rights described above.
  • GDPR - RIGHT TO CONFIRMATION, INFORMATION, ACCESS, AND ELECTRONIC COPY OF DATA
  • You can ask to confirm if we have your personal data in our environments and, if so, request access to it and also request a full electronic copy of your personal data in a format that allows its use in other situations, including in other processing operations.
  • GDPR - CONSENT MANAGEMENT AND REVOCATION
  • You can revoke any consent you have given to BSM at any time.
    As the withdrawal of consent may have some direct or indirect consequences, we will inform you of the consequences of this withdrawal before fulfilling your request.
  • GDPR - CORRECTION OF INCOMPLETE, INACCURATE, OR OUTDATED DATA
  • In certain circumstances, you can request the correction of your personal data that you consider incomplete, inaccurate, or outdated.
    If BSM cannot, for technical or legal reasons, fulfill your request, we will inform you of the reasons that prevent us from proceeding.
    GDPR - DELETION OF DATA
    You can request the deletion of your personal data in the following situations:
  • if the personal data is no longer necessary for the purpose for which it was collected;
  • If you revoke your consent and there is no legal basis for maintaining the personal data;
  • if you exercise your right to object
  • if the processing is considered unlawful;
  • if there is a legal obligation for BSM, arising from European Union law or a Member State of the European Union, that requires the deletion of the data;
  • If the personal data was collected in the context of offering information society services directly to minors
  • Data deletion will not be mandatory when data processing is necessary for:
  • The exercise of the right to freedom of expression and information;
  • Compliance with a legal obligation by BSM under European Union law or a Member State of the European Union
  • The exercise of public interest functions or the exercise of public authority vested in BSM;
  • Reasons of public interest in the area of public health;
  • Cases where the purpose is archiving in the public interest, scientific and historical research, where the deletion of personal data may significantly impact the research results;
  • For the purposes of declaration, exercise, or defense of a right in judicial proceedings.
  • If BSM cannot, for technical or legal reasons, fulfill your request, we will inform you of the reasons that prevent us from proceeding.
  • LIMITATION OF PERSONAL DATA PROCESSING You can request the limitation of the processing of your personal data, which may apply to the following situations:
  • You contest the accuracy of the personal data, for a period that allows BSM to verify its accuracy;
  • The processing is unlawful, and you oppose the deletion of the personal data and request, instead, the limitation of its use;
  • The personal data is no longer necessary to achieve the intended purpose by BSM, but its retention is requested by you for the purposes of declaration, exercise, or defense of a right in judicial proceedings;
  • You object to the processing of personal data, and the possibility of exercising this right is being evaluated, considering BSM's legitimate and compelling interests.
  • Thus, when you exercise this right, personal data can only be processed with your consent or for the purposes of declaration, exercise, or defense of a right in judicial proceedings, defense of the rights of another natural or legal person, or for reasons of public interest of the European Union or a Member State of the European Union.
    If BSM cannot, for technical or legal reasons, fulfill your request, we will inform you of the reasons that prevent us from proceeding.
  • PORTABILITY In cases where BSM uses your data with your consent or to execute a contract signed with you, you have the right to request the portability of your personal data in two ways:
  • Direct transfer of the data to another service or product provider, also in a format that allows the new provider to use the data.
  • For this reason, it is very important that you expressly tell us how you want us to respond to your request. Agreed?
    Your portability request will be analyzed, and when we can fulfill it, only the data you have effectively provided will be subject to portability, directly or indirectly. Anonymized data and data inferred from the use of our products and services will not be subject to portability.
    If BSM cannot, for technical or legal reasons, fulfill your request, we will inform you of the reasons that prevent us from proceeding.
  • OBJECTION You can object to processing in the following situations:
  • In cases where the legal basis for processing is public interest/exercise of public authority or legitimate interests, provided that BSM does not present compelling and legitimate reasons that prevail over your interests, rights, and freedoms. Or that BSM demonstrates that the processing is necessary for the purposes of declaration, exercise, or defense of a right in judicial proceedings;
  • In cases where BSM processes personal data for a purpose different from that for which it was collected, provided that BSM does not present compelling and legitimate reasons that prevail over the interests, rights, and freedoms of the data subject. Or that BSM demonstrates that the processing is necessary for the purposes of declaration, exercise, or defense of a right in judicial proceedings;
  • In cases where the purpose of processing is direct marketing;
  • In cases where the processing is for scientific or historical research, or for statistical purposes, except if such processing is necessary for the pursuit of public interest assignments
  • If BSM cannot, for technical or legal reasons, fulfill your request, we will inform you of the reasons that prevent us from proceeding.
    PETITION You can always make a request or petition to BSM, to our representative in the European Union via email [email protected], or to the Personal Data Protection Authority of your country.
    If BSM cannot, for technical or legal reasons, fulfill your request, we will inform you of the reasons that prevent us from proceeding.
    REVIEW OF AUTOMATED DECISIONS If BSM uses your data to make exclusively automated decisions, that is, without any human intervention, you can request a review of the decision.
    If BSM cannot, for technical or legal reasons, fulfill your request, we will inform you of the reasons that prevent us from proceeding.
     
  • BSM, to ensure the efficiency and quality of its services, has relationships with international regulatory and self-regulatory entities. Therefore, your personal data may be transferred to other countries.

    BSM takes the protection of your personal data seriously in its activities, adhering to strict security and confidentiality standards to provide a safe and reliable environment. We use tools and technologies to maintain the integrity and confidentiality of your information, as well as to protect it from unauthorized access.
    Additionally, we restrict access to your information only to authorized and trained individuals who are obligated to maintain confidentiality and secrecy, and who adopt security measures.
    We also require all organizations or individuals contracted to provide support services to comply with contractual provisions and/or rules established by BSM, such as the Information Security Policy, the Supplier Code of Conduct, Regulations, and Manuals, among others.
    BSM works tirelessly to ensure that the information disclosed to clients is true and accurate, with rigorous monitoring controls of the information provided.

    This statement may be changed at any time. The latest version will always be considered the current version.
    If we make any changes to the statement, we may post a notice or send you an email along with the updated Statement. Therefore, it is always important to keep your contact information up to date.
    To check the date of the current version, refer to the "Update Date" at the beginning of this document.

    Exercise of Rights

    If after reading this Personal Data Protection Statement you need to contact us regarding matters involving your personal data, please reach out through the channels below:

    Electronic Service:

    Digital Request

    If you have any questions regarding the opening of your request or the validation of your identity

    access the step-by-step guide below: Step-by-step electronic service guide

    Letter:

    Download letter template BSM – Market Supervision (A/C: Governance Management) Praça Antônio Prado, 48 – 1st Basement – Protocol Centro – São Paulo – CEP: 01010-901 Contact Us
    If you have any other questions, criticisms, or suggestions exclusively related to the LGPD (General Data Protection Law), please contact us through the channel below:

     

    Email:
    [email protected]

    Data Protection Officer:
    Cristiano Adjuto E Campos