Are you aware of LGPD resolutions?
law number 13,709 of August 14, 2020.
Understand
LGPD is the acronym for the General Data Protection Law of Brazil, enacted in August 2018, which will come into force in August 2020.
LAW No. 13.709, of August 14, 2018, establishes rules on the collection, storage, processing and sharing of personal data, imposing more protection and penalties for non-compliance.
Its purpose is to regulate the processing and protection of personal data on online platforms, guaranteeing fundamental rights related to the protection of people’s freedom, privacy and intimacy, allowing for more transparency and control over the collection and use of individuals’ personal data.
Along with the sanction of the LGPD, a supervisory body was created, the ANPD (Data Protection Regulatory Agency), this body should prepare guidelines, supervise the processing of data and disseminate knowledge related to public policies on the protection of personal data.
What changes in practice?
Law 13.709/18 establishes that personal data is all information related to an “identified” or “identifiable” natural person and determines that the processing of such data is subject to ten basic principles mentioned in the law, namely:
“I – upon the provision of consent by the holder;
II – for compliance with a legal or regulatory obligation by the controller;
III – by the public administration, for the processing and shared use of data necessary for the execution of public policies provided for in laws and regulations or supported by contracts, agreements or similar instruments, subject to the provisions of Chapter IV of this Law;
IV – to carry out studies by a research body, ensuring, whenever possible, the anonymization of personal data;
V – when necessary for the execution of a contract or preliminary procedures related to a contract to which the data subject is a party, at the request of the data subject;
VI – for the regular exercise of rights in judicial, administrative or arbitration proceedings, the latter under the terms of Law No. 9,307 of September 23, 1996 (Arbitration Law) ;
VII – to protect the life or physical safety of the owner or third party;
VIII – for the protection of health, exclusively, in a procedure performed by health professionals, health services or health authority;
IX – when necessary to meet the legitimate interests of the controller or third party, except in the case where fundamental rights and freedoms of the holder that require the protection of personal data prevail; or
X – for credit protection, including the provisions of the relevant legislation. “
By following them, organizations will demonstrate that the personal data collected is necessary, minimal, correct, of quality, fulfills a valid business purpose, among other characteristics. Companies must ensure the security of personal data processed and report information security incidents to the regulatory body, and depending on the incident, the data subject must also be notified. Another significant change is regarding the processing of personal data of children and adolescents, which will require special attention, such as obtaining the consent of a parent before data collection. A special category has been created to handle “sensitive” personal data that includes records on race, political opinions, beliefs, health data, genetic characteristics and biometrics. The law establishes specific conditions for processing this category of data, such as obtaining consent from the data subject before processing. A common point with the GDPR (General Regulation on Data Protection), is that the law will apply to companies with foreign headquarters, provided that the data is processed in national territory. Additionally, data processed in other countries are also subject to the law if collected in Brazil.
Do you need more information about the LGPD and how it applies to your company’s daily life? Our team will be happy to help!
(51) 3737-5897 | (51) 99308-7578 | contato@leef.com.br