The LGPD applies to any data of Brazilian citizens, according to the following scenarios:
In this way, it does not matter where the data is physically processed or stored. The important thing is the focus on the Brazilian citizen.
The LGPD defines anonymized data as data that originally related to a person but has gone through steps that ensure it is unlinked from that person, making it impossible to uniquely identify them.
The LGPD defines pseudo-anonymized data as data that, by reconstructing the path, allows the holder to be identified again. An example is encoded data (temporary removal of the holder's identification) that, if decoded, could yield this identification again.
It is the natural person to whom the personal data refers.
The controller is defined, according to the LGPD, as a natural or legal person, governed by public or private law, who is responsible for decisions regarding the processing of personal data.
This means that the controller is the company or person who coordinates and defines how the personal data will be treated, from collection to elimination. Precisely for this reason, the controller is the one who is most responsible for this treatment.
Policies should consider actions within the data lifecycle, such as:
The LGPD defines the operator as a natural or legal person, governed by public or private law, who processes personal data on behalf of the controller, that is, under the orders and policies of the controller.
Therefore, the operator must carry out the processing of data in accordance with the guidelines of the controller, which, in turn, are based on the guidelines of the law.
The data subject may request from the company/organization access to all personal data that the company has about him.
The data subject has the right to request the correction of the data stored by the company for reasons that are necessary, such as incompleteness or outdatedness.
Right of data portability to another service or product provider, upon express request, in accordance with the regulation of the national authority, observing commercial and industrial secrets.
Right to revoke the consent previously granted by the holder.
The LGPD determines 10 hypotheses or legal bases that must justify the processing of personal data.
Consent is an express and unequivocal declaration that the holder agrees to the use of his data for the respective purposes. This consent needs to meet some requirements, as follows:
It is the most flexible of the legal bases. However, its application is not simple. Legitimate interest allows the use of data without the need to obtain consent. However, for a company not to infringe this legal basis, the definitions of legitimate interest must be very well observed and applied.
This legal basis provides for the processing of data for studies carried out by research bodies, such as IBGE and IPEA (Brazilian entities), among others. These data must be treated exclusively within the research body and strictly for the purpose of the study, which aims at a greater common gain for society.
The LGPD also provides that personal data may be used to execute or prepare contracts to which the holder is a party, at the request of the holder. An example would be a professional admissions contract.
The LGPD provides for the hypothesis of data processing to exercise rights in judicial, administrative and arbitration proceedings. That is, data protection does not exclude the use of data within the law to produce evidence and defenses in proceedings, guaranteeing the right to adversarial proceedings and to a full defense.
The principles are specifications to be applied by companies in the treatment of personal data.
This principle determines that personal data must not be used for general or undetermined purposes. On the contrary, the processing of personal data must be done for specific and legitimate purposes.
Companies must guarantee data subjects the mechanisms for free consultation on where their data is used and processed.
Companies must ensure that the data of the holders are true and up to date.
Companies must adopt technical and administrative measures to protect personal data from unauthorized access and illegal events. This includes information security best practices.
Data processing cannot be carried out for discriminatory, illegal or abusive purposes.
Companies must be able to render accounts, demonstrating all the measures adopted and proving compliance with the LGPD.
Copyright © 2023. All rights reserved
CNPJ: 07.566.016/0001-05 – ILINK SOLUTIONS SERVICOS DE TECNOLOGIA DA INFORMACAO LTDA