Newsletter IP and Data Protection | October 2020
THE GENERAL DATA PROTECTION LAW ENTERS INTO FORCE IN BRAZIL
The General Data Protection Law (Federal Law no. 13,709/2018 or “LGPD”) entered into force on September 18, 2020, after the Brazilian President, Jair Bolsonaro, sanctioned the Provisional Measure (MP) 959/2020, which was converted into Law no. 14,058/2020.
Thus, the President maintained the veto of the article that would have postponed the enforceability of the LGPD, so that the law came into force immediately, except for the articles related to the National Authority (which were already in force) and the specific sanctions provided for by the law (which had previously been postponed to August 2021, when they will take effect).
Notwithstanding the foregoing, public authorities (such as consumer protection bodies and public prosecutors) are already monitoring data protection matters and may apply sanctions provided for in other rules, such as those of Consumer Law.
Please find below the main points of attention in the law, updated to reflect the final wording now in force.
Application: The Law will apply to any transaction or operation involving treatment of data that (i) is performed in Brazil; (ii) has the objective of offering or supplying goods and/or services to people located in Brazil; or (iii) is carried out with personal data collected in Brazil.
Exceptions: The Law will not apply to the treatment of personal data (i) carried out by individuals for private and nonprofit purposes; (ii) performed for journalistic, artistic or academic purposes; (iii) carried out for purposes of public safety, national security and defense or activities for investigation and deterrence of crimes (which will be the subject of a specific law); or (iv) originating outside Brazil and not subject to communication, shared use with Brazilian data treatment agents, or international transfer to a country other than the country of origin, provided that the country of origin provides a degree of protection adequate to the Brazilian Law.
Definition of Data: The expression “personal data” is defined as any data or information related to an identified or identifiable individual (called the “data subject”), with “sensitive personal data” being data about racial or ethnic background, religious belief, political opinion, membership in labor unions or religious, philosophical or political organizations, as well as data referring to health or sexual life, and genetic or biometric data.
Data Treatment: “Treatment” is considered to be all operations carried out with personal data, such as collection, production, reception, classification, utilization, access, reproduction, transmission, distribution, processing, filing, storage, elimination, evaluation, control, modification, communication, transfer, diffusion or extraction of data or information.
Treatment Agents: Agents fall into two categories: the “controller”, defined as any individual or public or private legal entity responsible for the decisions related to the treatment of personal data, and the “operator”, defined as the individual or legal entity that carries out the treatment of personal data at the behest of the controller.
National Data Protection Authority: The National Data Protection Authority (“ANPD”) is a federal public administration body, part of the Presidency of the Republic, endowed with technical and decision-making autonomy, with jurisdiction over the Brazilian territory and headquarters in the Federal District. The ANPD will be composed of a Board of Directors (the highest-level decision-making body), the National Council for the Protection of Personal Data and Privacy (an advisory body), bodies of direct and immediate assistance to the Board of Directors, sectional bodies, and specific and singular bodies. Among its competences, the ANPD will be responsible for (i) ensuring the protection of personal data; (ii) developing guidelines for the National Policy on Protection of Personal Data and Privacy; (iii) supervising and applying sanctions in the event of data processing performed in violation of the LGPD; and (iv) issuing regulations and procedures on the protection of personal data and privacy, among other attributions. Although its structure was created by Decree no. 10,474/2020 in August of this year, that decree will enter into force only on the date of publication in the Federal Official Gazette of the appointment of the Director-President of the ANPD, which is still pending.
Principles: Important principles must be observed in the treatment activity, such as (i) purpose: the treatment must be carried out for specific and legitimate purposes, explicitly informed to the data subject, without the possibility of subsequent treatment in a form incompatible with these purposes; (ii) adequacy: compatibility of the treatment with the purposes informed to the data subject; (iii) necessity: limitation of the treatment to the minimum necessary to achieve its purposes; (iv) free access: guarantee that data subjects can consult, easily and at no cost, the form and duration of the treatment, as well as the integrity of their data; (v) data quality: guarantee of the accuracy, clarity, relevance and currency of the data; (vi) transparency: guarantee of clear and accurate information that is easily accessible to data subjects; (vii) security: use of technical and administrative measures to protect the data from unauthorized access and misuse; (viii) prevention: adoption of measures to prevent the occurrence of damages due to the treatment of personal data; (ix) nondiscrimination: treatment may not be carried out for discriminatory, illicit or abusive purposes; and (x) accountability: demonstration of effective means to observe and prove compliance with the rules on protection of personal data.
Requirements for Treatment: The treatment may only be carried out (i) with the consent of the data subject; (ii) to comply with a legal or regulatory obligation of the controller; (iii) by the public administration, for the treatment and shared use of data necessary for public policy purposes; (iv) for the conduct of studies by a research entity, with a guarantee of anonymization whenever possible; (v) when necessary to perform a contract, or preliminary procedures related to a contract, to which the data subject is a party, at the request of the data subject; (vi) for the regular exercise of rights in a judicial, administrative or arbitral proceeding; (vii) for the protection of the life or physical integrity of the data subject or third parties; (viii) for the protection of health, exclusively, in a procedure performed by health professionals, health services or the sanitary authority; (ix) in the legitimate interests of the controller or third parties, except where the fundamental rights and freedoms of the data subject that require the protection of personal data prevail; and (x) for the protection of credit.
Consent: The consent must be provided in writing (in which case it must be highlighted relative to the other clauses) or by other means that demonstrate the manifestation of the will of the data subject, with the controller having the burden of proving that consent was obtained pursuant to the Law. Generic consent will be deemed null and void, and treatment based on defective consent is forbidden.
Revocation of Consent: The consent can be revoked at any moment, by express manifestation of the data subject through a free and easy procedure, with any treatment performed under the consent previously given being ratified (that is, remaining valid).
Access to the Data: The data subject shall have the right to facilitated access to information about the treatment of his/her data, which must be provided in a clear, appropriate and conspicuous manner, with mention of the purpose, form and duration of the treatment, identification of the controller and the corresponding contact information, explanation of the shared use of data and its purpose, the responsibilities of the treatment agents, as well as explicit mention of the rights of the data subject specified in Article 18 of the Law (below).
Data Subject’s Rights (art. 18): The data subject has the following rights: (i) confirmation of the existence of treatment; (ii) access to the data; (iii) correction of incomplete, inaccurate or outdated data; (iv) anonymization, blockage or erasure of unnecessary or excessive data or of data treated in non-compliance with the provisions of the LGPD; (v) portability of the data, the exercise of which will be defined by specific ANPD regulations; (vi) erasure of personal data treated with consent; (vii) information about the public or private entities with which the controller has carried out shared use of the data; (viii) information about the possibility of not providing consent and the consequences of denial; and (ix) withdrawal of consent. In addition, the data subject also has the right to petition in relation to his/her data against the controller before the national authority (once in operation), to object to treatment carried out on one of the legal bases that exempt consent, in case of non-compliance with the LGPD, and to request the review of decisions taken solely on the basis of automated treatment.
Treatment of Sensitive Data: The treatment can only occur when the data subject or his/her legal representative consents, specifically and in a highlighted manner, for specific purposes, or, without the consent of the data subject, in cases of: compliance with a legal or regulatory obligation by the controller; the need to carry out public policies by the public administration as set forth in law; studies by research entities, with anonymization of sensitive personal data whenever possible; the regular exercise of rights, including in contracts and in judicial, administrative and arbitration proceedings; protection of the life or physical integrity of the data subject or a third party; the protection of health, exclusively, in a procedure performed by health professionals, health services or the sanitary authority; and ensuring the prevention of fraud and the security of the data subject.
Anonymized Data: Anonymized data are data by which the data subject cannot be identified; for that reason they are not considered personal data, unless the anonymization can be reversed so as to identify the data subject.
Children and Adolescents: The treatment of data on children and adolescents must be performed with the specific and highlighted consent of at least one of the parents or legal guardians, except when necessary to contact the parents or guardians, or for their protection.
End of the Treatment: The treatment must end when its purpose has been achieved or the data cease to be necessary or pertinent; at the end of the treatment period; upon communication from the data subject; or upon determination of the national authority (once in operation), when there is a violation of the provisions of the Law. The data must be deleted after the end of the treatment, subject to specific exceptions.
Treatment of Data by the Public Authorities: The treatment must be performed only to serve the corresponding public purpose, in pursuit of the public interest, with the objective of exercising legal competence or fulfilling the legal attributions of the public service, observing the conditions set forth in law.
International Transfer of Data: The transfer of personal data to other jurisdictions will be allowed only in the cases set forth in law, such as: (i) with the specific and highlighted consent of the data subject for the transfer; (ii) to satisfy a legal or regulatory obligation, when necessary to perform contracts or preliminary proceedings related to a contract to which the data subject is a party, or for the regular exercise of rights in a judicial, administrative or arbitral proceeding; (iii) to countries or international organizations that provide an adequate degree of protection of personal data, as specified in law or determined by the national authority; (iv) when the controller of the data provides and proves guarantees of compliance with the principles, the data subject’s rights and the data protection regime set forth in Brazilian law; and (v) for the protection of the life or physical integrity of the data subject or a third party, among other situations.
Records of Operations for Treatment of Personal Data: The controller and operator must keep records of the operations for treatment of personal data they carry out, mainly when the treatment is based on a legitimate interest.
Data Protection Impact Assessment: In relation to data processing operations, the national authority (once in operation) may request the preparation of a “Data Protection Impact Assessment,” which must contain, at least, a description of the types of data collected, the methodology used for collection and for ensuring information security, as well as the controller’s analysis of the measures, safeguards and risk mitigation mechanisms adopted.
Data Protection Officer (“DPO”): The Data Protection Officer will be responsible for receiving complaints and other communications from data subjects and the national authority, providing clarifications and adopting the necessary measures, and guiding the entity’s employees and outsourced staff on good practices, among other attributions. The DPO must be appointed by the controller, and his/her identity and contact information must be disclosed clearly and objectively. Furthermore, the ANPD may establish complementary rules on the definition and duties of the DPO, including determining the cases in which the appointment of a DPO may be waived, according to the nature and size of the entity or the volume of data processing operations.
Joint Liability: Other than in exceptional cases identified in law, the operator and the controller are deemed jointly and severally liable for pecuniary or moral damages, whether individual or collective, caused by the data treatment.
Security Measures: It is mandatory to adopt technical and administrative security measures to protect personal data from unauthorized access and from accidental or illicit destruction, loss, alteration, disclosure or any other form of inadequate or illicit treatment. The minimum technical standards will be disclosed by the ANPD in due course, considering the specificities of the personal data and of their treatment.
Communication in Cases of Security Incidents: The controller must report to the national authority (once in operation) and to the data subjects the occurrence of any security incident that may entail relevant risk or damage to data subjects.
Administrative Sanctions: Infringements of the rules of the law may subject the Treatment Agents to administrative sanctions applied by the ANPD, after an administrative proceeding that allows a full defense, such as: official warning; publicizing the infraction; a simple or daily fine of up to 2% (two percent) of the gross revenue of the private company, business group or conglomerate in Brazil in the preceding year, excluding taxes, capped at R$ 50,000,000.00 (fifty million Brazilian reais) per infraction; blocking and deleting the personal data relating to the infraction; partial suspension of the operation of the database to which the infringement refers for a maximum period of six (6) months; suspension of the personal data processing activity to which the infringement refers for a maximum period of six (6) months; and partial or total prohibition of activities related to data processing.
In case of any doubts about this subject, please do not hesitate to contact us.
T: +55 21 3262 3042
T: +55 21 2217-2041