Articles 21/November/2019

BRAZIL’S GENERAL DATA PROTECTION REGULATIONS – “LGPD” (FEDERAL LAW NO. 13,709/2018)

Is your company prepared for August 2020? Adjusting to the LGPD is still possible.

Introduction

Brazil's General Data Protection Regulations ("LGPD" or "Law"), sanctioned in August 2018, will come into force in August 2020. Thus, by August 2020 all companies located in Brazil should have methods and policies that ensure that data processing is LGPD compliant.

Inspired by the European regulation (General Data Protection Regulation – "GDPR"), LGPD is considered a milestone in Brazilian law because it is the first time the country has actually had a specific law on data privacy.

Personal data and sensitive personal data

LGPD applies to information related to an identified or identifiable individual. That is, the law protects not only the data that identifies the individual, such as social security number and e-mail, but also any other data with which, based on cross-checking, the subject can be identified (the identifiable data). In addition, LGPD regulates sensitive data more protectively; sensitive data is, in short, information with discriminatory potential against a person. In this regard, the requirements for processing health, genetic and biometric data are stricter than those applicable to the processing of name, telephone numbers and address, for example.

To whom it applies

In practice, LGPD is applicable to the overwhelming majority of companies located in Brazil. This is because the Law regulates the processing (considered, for legal purposes, as any and all transactions with the data) of online and offline personal data (physical files). To this end, it suffices that:

• The personal data is collected in Brazil;

• The data processing operation is performed in Brazil, and/or;

• The processing activity has been performed outside Brazil but aims at the offer and/or supply of goods and services, or the processing of data from individuals located in the country.

International data transfer

International data transfer has been subject to some limitations imposed by LGPD, as was the case with GDPR. That is, as of August 2020, personal data should be transferred only to a foreign country or international organization that has a degree of personal data protection adequate to that provided in the LGPD, or in accordance with the other requirements listed by the Law for such transfers.

Data processing consent

With LGPD, the express and written consent of the personal data subject has become the clearest and most efficient way to handle the data on a regular basis. However, given that the consent of the personal data subject is not always possible, the Law allows processing to be based on other reasons, such as the legitimate interest of the company or the fulfillment of a legal obligation.

Principles

The LGPD provides for several principles. We highlight the following principles as guidelines for a company when processing personal data.

• Purpose limitation: Data must be collected for a specific purpose; the subject must be informed, at the time of consent, of the reason for the collection of the data.

• Necessity: Solely the data strictly necessary for the service being provided should be collected.

• Free access: Subjects are guaranteed free and easy consultation about the form and duration of the data processing, as well as the completeness of their personal data.

• Suitability: Compatibility of processing with the purposes informed to the subject, in accordance with the processing context.

Sanctions

According to the LGPD, those who process the data (controller and operator) will be jointly liable for the loss and damage caused to the subject in any security incidents that may occur with their personal data.

Furthermore, the Law also provides for administrative sanctions, which can range from a simple warning to a fine of up to 2% (two percent) of the company's revenue in its last fiscal year, limited to fifty million Brazilian Reais (BRL 50,000,000.00) per infringement. There is also provision for publication of the incident after its occurrence is confirmed, which, as a rule, causes reputational damage to the company.

National Data Protection Authority (“ANPD”)

ANPD is a federal body that is still being structured and which is responsible for issuing standards and overseeing procedures on data privacy. In this sense, in addition to imposing sanctions in the event of security incidents, the ANPD also aims to help understand the processing of personal data and to provide guidelines for it.

Data protection officer – DPO

When the Law comes into force, all companies will be required to designate a DPO, who will be responsible for spreading the company's data protection culture, as well as creating appropriate LGPD standards and procedures. Additionally, the DPO will be responsible for being the company's contact with the ANPD and the data owners. In the event of a security incident, for example, the DPO will be responsible for informing the ANPD and the subjects about the possible exposure of personal data.

Conclusion

Despite the innovation brought by LGPD, companies have until August 2020 to adapt to a range of data privacy-related measures, especially given the current technology landscape. In this regard, it is essential that the company assess the data mapping and, from there, analyze the legal risks to which it is subject and address them.

Almeida Advogados has a team with extensive experience in Digital Law and Personal Data Protection, with a history of work related to the development of public policies and relationship with the Public Authorities on the subject, and is available for further clarification on the matter.
