Frequently Asked Questions LGPD

General

What is LGPD?

Control over personal data is a right of every human being and, therefore, the processing of this data must take the holder's consent into account. The Brazilian LGPD (Lei Geral de Proteção de Dados Pessoais, Law No. 13.709/2018) establishes important definitions to ensure privacy, creating a new framework for handling and protecting personal data.

When does the LGPD come into effect?

It has been in force since September 2020.

What is the fine for those who do not comply with the LGPD?

Applicable from August 2021, the fines foreseen for non-compliance range from BRL 50 million, per infraction, up to 2% of the company's revenue.

Does the LGPD apply to your company?

The LGPD applies to any data of Brazilian citizens, in the following scenarios:

  • The data belong to citizens located in Brazil.
  • The data belong to citizens of Brazilian nationality.
  • Data were collected when the citizen was in Brazil.

Therefore, it does not matter where the data is physically processed or stored; what matters is the Brazilian citizen to whom the data refers.

Personal data

Personal data is any and all information that can uniquely identify a person. In Brazil, for example, we could cite the CPF or RG. These are just examples, since any data that uniquely identifies a person is considered personal data.

Sensitive data

Sensitive data is any data with discriminatory potential, such as racial or ethnic origin, religious conviction, political opinion, religious, philosophical or political affiliation, data relating to health or sex life, and genetic or biometric data.

Anonymized data

The LGPD defines anonymized data as data that originally related to a person but has gone through steps that ensure its unlinking, making it impossible to uniquely identify that person.

Pseudonymized data

The LGPD defines pseudonymized data as data that, by reversing the process applied to it, allows the holder to be identified again. An example would be encoded data (temporary removal of the holder's identification) which, if decoded, would reveal that identification again.

Public data

Public data is data that has been made publicly available, either on the holder's own initiative or by legal obligation.

Personal data holder

The holder (data subject) is the natural person to whom the personal data refers.

Data processing

Processing (tratamento) refers to the operations carried out on the data, from collection to disposal. The LGPD stipulates rules for every action that processes this data.

Roles

Controller

The controller is defined, according to the LGPD, as a natural or legal person, governed by public or private law, who is responsible for decisions regarding the processing of personal data.

This means that the controller is the company or person who coordinates and defines how the personal data will be processed, from collection to elimination. Precisely for this reason, it is the party most responsible for this processing.

Policies should consider actions within the data lifecycle, such as:

  • Collection
  • Production
  • Reception
  • Classification
  • Use
  • Access
  • Reproduction
  • Transmission
  • Distribution
  • Processing
  • Archiving
  • Storage
  • Modification
  • Communication
  • Transfer
  • Diffusion or extraction
  • Elimination

Operator

The LGPD defines the operator as a natural or legal person, governed by public or private law, who processes personal data on behalf of the controller, that is, under the controller's orders and policies.

Therefore, the operator must carry out the processing of data in accordance with the guidelines of the controller, which in turn are based on the requirements of the law.

Data Protection Officer (DPO)

According to the LGPD, the person in charge (encarregado) is the person or entity appointed by the controller and operator to act as the communication channel between the controller, the holders of personal data and the Brazilian National Data Protection Authority (ANPD). This person in charge is known as the DPO (Data Protection Officer) and acts independently to technically guide and support corporate decisions so that they comply with personal data protection legislation, in addition to serving as a contact channel between controller, operator, holder and, where applicable, the ANPD.

ANPD

The National Data Protection Authority (ANPD) is a body of the Brazilian public administration responsible for monitoring compliance with the LGPD, imposing fines and sanctions, and issuing guidelines on the law.

Rights of the Holder

These are guarantees that the law provides to the data owner. The goal is to give people more control over their own information.

Right of Access

The data subject may request from the company/organization access to all personal data it holds about them.

Right of Correction

The data subject has the right to request the correction of the data stored by the company where necessary, for example because it is incomplete or outdated.

Right of Anonymization

The holder has the right to request anonymization of the data.

Right of Portability

The right to port the data to another service or product provider, upon express request, in accordance with the regulation of the national authority and observing commercial and industrial secrets.

Right of Deletion

The right to have personal data processed with the holder's consent deleted.

Right of Information

The right to be informed of the public and private entities with which the controller has shared the data.

Right of Withdrawal

The right of the holder to revoke consent previously granted.

Legal Basis

The LGPD determines 10 hypotheses or legal bases that must justify the processing of personal data.

Consent

Consent is an express and unequivocal declaration that the holder agrees to the use of their data for the stated purposes. This consent needs to meet some requirements, as follows:

  • It must be of their own free will (the person cannot be forced).
  • The company must clearly explain all the relevant information so that the holder's consent is informed.
  • Consent must be expressed by a defined means, such as acceptance of a privacy policy, website cookie consent, or sending an email, among others.

Legitimate interest

This is the most flexible of the legal bases, but applying it is not simple. Legitimate interest allows the use of data without the need to obtain consent; however, for a company not to infringe this legal basis, the definition of legitimate interest must be carefully observed and applied.

Compliance with legal or regulatory obligation

The processing of data must take other laws and legislation in force into account. Brazilian labor laws are one example.

Execution of public policies

This basis guarantees that public authorities may process and share personal data when necessary to implement public policies provided for in laws and regulations or supported by contracts and agreements.

Studies by research body

This legal basis provides for the processing of data for studies carried out by research bodies, such as IBGE and IPEA (Brazilian entities), among others. The data must be processed exclusively within the research body and strictly for the purpose of the study, which aims at a greater common benefit for society.

Execution or creation of contract

The LGPD also provides that personal data may be used to execute or prepare contracts to which the holder is a party, at the holder's request. An example would be an employment contract.

Regular exercise of rights

The LGPD provides for the processing of data to exercise rights in judicial, administrative and arbitration proceedings. In other words, data protection does not exclude the lawful use of data to produce evidence and defenses in proceedings, guaranteeing the right to adversarial proceedings and full defense (contraditório e ampla defesa).

Life protection

The LGPD provides for the possibility of using the data to protect the life or physical integrity of the holder or a third party. As an example, we can cite access to a person's documents if they have an accident and need support.

Health guardianship

Health professionals, health services and health authorities have the legal support of the LGPD to process the personal data necessary to carry out their activities. As an example, we can cite access to personal data in order to notify a patient of an exam result.

Credit protection

Personal data may be consulted to assess the credit profile of a Brazilian citizen for the purpose of credit approval and of reducing the risks of financial transactions.

Principles

The principles are requirements that companies must apply when processing personal data.

Principle of Purpose

This principle forbids using personal data for general or undetermined purposes. On the contrary, personal data must be processed for specific and legitimate purposes.

Principle of Adequacy

Personal data must actually be used for the purposes informed to the holder, in line with the purpose principle.

Principle of Transparency

Except where industrial or commercial secrets must be protected, all aspects involving the use of personal data must be transparent to the data subject.

Principle of Necessity

Personal data must be used only according to a clearly specific and genuine need.

Free Access Principle

Companies must guarantee data subjects mechanisms for free consultation of where and how their data is used and processed.

Quality Principle

Companies must ensure that the holders' data is accurate and up to date.

Security Principle

Companies must adopt technical and administrative measures to protect personal data from unauthorized access and illegal events. This includes information security best practices.

Prevention Principle

Measures to prevent incorrect handling of personal data, involving people and processes, must be applied in order to complement the technological security measures in place.

Principle of Non-Discrimination

Data processing cannot be carried out for discriminatory, illegal or abusive purposes.

Principle of Accountability

Companies must be able to demonstrate, with evidence, all the measures they have adopted to prove compliance with the LGPD.
