What you need to know about GDPR 62374

On August 26, in a historic and surprising vote, the Federal Senate rejected the extension of the General Data Protection Law (“LGPD”) that had been previously approved by the Chamber of Deputies. 236d6b

On August 25, the Chamber of Deputies had voted on Provisional Measure nº 959/2020 (“MP 959”) in order to determine that the Brazilian General Data Protection Law (LGPD) It should only come into effect on December 31, 2020.

For this new date to be confirmed, however, approval by the Federal Senate was pending. After an unexpected legislative turnaround, the Senate understood that the discussion of the entry into force of the LGPD would be hampered because it had already been dealt with by Law nº 14.010/2020. In this way, the proposal of the Chamber of Deputies for the LGPD to enter into force on December 31, 2020 was denied by the Senate, which means that the LGPD would come into force from the present moment.

In a clarification note published on its official website, however, the Federal Senate stated that the LGPD will not enter into force immediately, but only after a presidential sanction or veto, which should take place until September 17, 2020.

Despite the extension of the effective date of the Brazilian General Data Protection Law (LGPD) has not been approved, the articles of the law related to penalties and fines will only come into force on August 1, 2021, under the of Law No. 14.010/2020.

But after all, why are we talking about the legislative process on a technology site? What is LGPD? And why has there been so much talk about her lately?

What is the General Data Protection Law (LGPD)? y211b

A General Law of Data Protection was originally edited August 14, 2018, and since then it has undergone several changes, mainly in relation to its effective date. It is the first Brazilian law that specifically deals with the protection of personal data, and was strongly inspired by the European Union regulation that is currently in force (the famous “GDPR” – General Data Protection Regulation).

Until then, Brazil had specific provisions in various laws (such as the Consumer Defense Code, the Federal Constitution and the Civil Rights Framework for the Internet) that addressed issues related to privacy and processing of personal data to a certain extent. However, there was no specific general law to address this extremely important topic, especially considering the fundamental role that personal data plays in various businesses and in our society.

The LGPD, therefore, comes to regulate this issue and ensure the protection of personal data of individuals. It is worth mentioning that the law only concerns data/information that identifies individuals (individuals). That is, company information, even if confidential (such as business secrets, for example), are not part of the scope of application of the LGPD.

When we talk about personal data protected by the LGPD, it is common to think of the typical relationship of a consumer who has their data collected by an e-commerce, or by an application, social network or website. The truth is that the law does not only apply to personal data that is collected in the digital environment, but also in other types of relationship, such as employment, for example. The data that a company collects and maintains in relation to its employees is also subject to the provisions of the LGPD.

The LGPD brings a series of principles that must be observed by companies and public bodies that make use of personal data, such as transparency, security, non-discrimination, free access, adequacy and purpose.

If you, the reader, are an observant person, you may have noticed that several companies are updating their of use and privacy policies, and even including new features in services related to privacy controls and notifications. These changes are a reflection and result precisely from the need to adapt to which these companies are subject due to the LGPD.

One of the great novelties brought by the law is the clear definition of the hypotheses that allow the processing of personal data, known as “legal bases”. This means that, in order to make use of personal data, it is necessary to fit into one of the following ten possibilities:

1. With the consent of the data subject;
2. For the fulfillment of a legal obligation;
3. By the public istration, for the treatment and shared use of data necessary for the execution of public policies;
4. To carry out studies by research body;
5. To fulfill a contract to which the data subject is a party;
6. For the regular exercise of rights in judicial, istrative or arbitration proceedings;
7. For the protection of the holder's or third party's life;
8. For the protection of health, exclusively, in a procedure performed by health professionals, health services or health authority;
9. To meet the legitimate interests of the person who processes the data or a third party; or
10. For credit protection.

It is worth mentioning that not all of these possibilities above apply when we are talking about the treatment of sensitive personal data. Sensitive personal data are those relating to racial or ethnic origin, religious conviction, political opinion, hip of a trade union or organization of a religious, philosophical or political nature, health or sex life, genetic or biometric data. Specifically in relation to this data, as well as in relation to data on children and adolescents, the law is more restricted and rigorous in of the possibilities for its treatment.

Speaking of treatment, it is important to clarify what this term means. According to the LGPD, “processing” is any operation carried out with personal data, such as the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information. , modification, communication, transfer, diffusion or extraction. In other words, basically anything that is done with personal data is considered treatment, not just its effective use.

Obligations of companies under the LGPD 5w3f4p

A Brazilian General Data Protection Law (LGPD) it also imposes some obligations that must be put in place by companies in relation to the processing of personal data. Below are some of these main obligations:

• Keeping a record of personal data processing operations – this means that companies must keep a control (a kind of inventory) of their activities related to personal data.

• Indicate a person in charge (better known as “DPO” – Data Protection Officer) who will be responsible for acting as a communication channel with data subjects and the National Data Protection Authority (“ANPD”).

• Adopt security measures capable of protecting personal data from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, communication or any form of inappropriate or illicit treatment.

• Communicate to the ANPD and the data subject the occurrence of a security incident that may cause significant risk or damage.

s' rights over personal data 5h3h12

From the point of view of the rights that the law guarantees to data subjects, we can mention the following:

• Confirmation of the existence of treatment;
• Access to data;
• Correction of incomplete, inaccurate or outdated data;
• Anonymization, blocking or elimination of unnecessary, excessive or processed data in violation of the provisions of the law;
• Data portability to another service or product provider;
• Deletion of personal data processed with the consent of the holder;
• Information from public and private entities with which the controller shared data use;
• Information about the possibility of not giving consent and about the consequences of the refusal;
• Revocation of consent.

The law brings penalties in case of violation of its devices, which can range from a warning to a fine that can reach up to BRL 50.000.000,00, or even a partial or total ban on the exercise of activities related to data processing. As mentioned above, these penalties will only take effect from August 1, 2021.

The role of the National Data Protection Authority 6r462o

In relation to the National Data Protection Authority (“ANPD”), which is not yet established, the Decree No. 10.474 of 26 August, which approves its regimental structure (as an integral body of the Presidency of the Republic) and the chart demonstrating its positions in commission and functions of trust, relocating commission positions in the Superior Management and Advisory Group (DAS) and Commissioned Functions of the Executive Branch (FE), from the Management Secretariat of the Special Secretariat for Debureaucratization, Management and Digital Government of the Ministry of Economy for the ANPD. This Decree will enter into force on the date of publication of the appointment of the Chief Executive Officer of the ANPD in the Official Gazette of the Union, which is yet to occur.

A ANPD is essential for the LGPD to “work” in the best way, since such authority will be responsible for, among other functions, ensuring the protection of personal data, preparing guidelines for the National Policy for the Protection of Personal Data and Privacy, monitoring and apply sanctions, promote knowledge of the rules and public policies on the protection of personal data and security measures among the population.

Regardless of the full validity of the LGPD and the effective functioning of the ANPD, it is important to emphasize that several authorities, such as Public Prosecutors, SENACON, Procons, and even judges, already use the LGPD as a basis to guide their investigations and decisions. Therefore, it is important that companies are aware and prepared to comply with the provisions of the law.

This article was written by Carla do Couto Hellu Battilana, partner in the Technology, Cybersecurity and Data Privacy area of ​​TozziniFreire Advogados.