The new Brazilian General Data Protection Law - GDPL
The Brazilian General Data Protection Law - GDPL (Lei Geral de Proteção de Dados, LGPD) is a new data privacy law that will apply to businesses (both inside and outside Brazil) that process the personal data of users located in Brazil. The new law is expected to take effect on August 16, 2020. Ongoing discussions in the Brazilian government may change the LGPD effective application date.
Below you will find a summary of the new Brazilian General Data Protection Law (GDPL) as a guide for your firm to start working in compliance. The key features of the GDPL are summarized, and we will publish a new article on the subject as soon as the law is set to take effect officially.
WHAT CHANGES WITH THE NEW BRAZILIAN GENERAL DATA PROTECTION LAW?
Main objectives of the new law
Ensure the right to privacy and protect users' personal data through transparent and secure practices, guaranteeing fundamental rights.
Establish clear rules on the processing of personal data.
Foster economic and technological development.
Standardization of rules
Establish unique and harmonious rules on the processing of personal data by all agents and controllers that process and collect data.
Strengthen the security of legal relations and the holder's trust in the processing of personal data, guaranteeing free initiative, free competition, and the defense of commercial and consumer affairs.
Promote competition and free economic activity, including data portability.
Data subject's rights
The rights of personal data holders have been extended and must be guaranteed in an accessible and effective manner (art. 18). Holders are entitled to:
- Confirmation of the existence of processing of their personal data.
- Access to their personal data.
- Correction of incomplete, inaccurate, or outdated personal data.
- Anonymization, blocking, or deletion of personal data that is unnecessary, excessive, or processed in non-compliance with the LGPD.
- Portability of personal data to another product or service provider.
- Elimination of data processed with their consent.
- Information about the public and private entities with which the controller has shared personal data.
- Information about the possibility of not consenting to the processing of personal data and the consequences of refusal.
- Revocation of the consent given for the processing of personal data.
- Data portability (article 18, V), which, similar to what can already be done between telephone companies and banks, allows the holder not only to request a copy of the complete data but also to receive it in an interoperable format, which facilitates its transfer to other services, even to competitors. Due to its nature, this new right has been seen as a strong element of competition between companies that offer similar services based on the use of personal data.
Agents and controllers
Controllers and operators are the personal data processing agents and must keep a record of the processing operations they carry out, especially when based on a legitimate interest (art. 37).
The operator must carry out the data processing according to the instructions provided by the controller (art. 39). The controller must appoint a person in charge (DPO - Data Protection Officer) for the processing of personal data (art. 41). According to the innovation introduced by the wording of Provisional Measure No. 869/2018, the DPO can be an individual or a legal entity (national or international), acting as a communication channel between the controller, the ANPD, and the holders.
The identity and contact information of the person in charge must be public, precise, and objective, preferably on the controller's website (art. 41, §1). The person in charge must accept complaints and communications from holders, provide clarifications, and adopt measures; receive communications from the national authority and take action; guide the entity's employees and contractors on the practices to be adopted for the protection of personal data; and perform the other duties determined by the controller or established in complementary rules (art. 41, §2).
Impact on companies (Impact on company privacy policies)
The GDPL will significantly impact commercial and consumer relations that require data collection, especially given the growing trend of processing customers'/consumers' personal data to profile them, identifying various information, in particular consumption habits and financial and credit conditions.
Data transfer
The use of personal data must be related to the underlying legal business. Except in the case of proven public interest, the exchange of information between retailers and companies specialized in databases is prohibited.
The regulation of personal data brought by the GDPL requires adjustments by companies that collect data from users, especially concerning the users' express consent to the collection, processing of data, purpose, and the eventual transfer of their data to third parties.
In labor and employment relations, as the employer holds personal information about its employees, it must observe the GDPL, under penalty of civil liability.
Although the GDPL authorizes companies to use the personal data of their employees and service providers (art. 7, V and IX) for the legitimate execution of contracts, for the benefit of the worker himself, caution and observance of the rules of the GDPL are necessary in all phases: in the acts performed before the contract, during the term of the contract, in outsourcing, and after the termination of the contracts.
When outsourcing services, the company must obtain employees' written consent to process their data, especially when transmitting it to third parties (service providers) as a result of the activity performed, or even due to legal and regulatory requirements. Contractual terms should clearly specify what data will be passed on and for what purpose.
In addition to employee consent, it is recommended that companies create specific obligations in their commercial contracts, following the requirements imposed by the GDPL on data processing.
What should firms and businesses do? The key points to become GDPL compliant.
Due Diligence on personal data
Identification of data (personal, sensitive, children's, public, anonymized), departments, means (physical or digital), and internal and external operators, to measure the company's exposure to the GDPL.
Adherence of the 20 data processing activities (art. 5, X) (collection, control, elimination, etc.) to the general principles provided for in Art. 6 of the GDPL, through the review and creation of documents (contracts, terms, policies) for internal and external use.
Consent Management and Anonymization
Control of consent and anonymization to meet possible requests from the holder and the future agency.
Holder Request Management
Creation of a database to track data subjects' requests (access, confirmation, anonymization, consent, portability, etc.).
Compliance with ANPD and other bodies of the National Consumer Protection System, which may request from the controller an impact report on the protection of personal data.
Adoption of information security measures to protect personal data from unauthorized access and accidental or illegal situations.
Creation of good practice and governance rules establishing procedures, security standards, educational actions, and risk mitigation in the processing of personal data.
Communication Plan - Security Incident
Communication to inspection bodies (ANPD, Procon, Senacon) and the press about a security incident that entails risk or damage.
Validation of treatment termination
Adoption of the necessary measures for the elimination of processed data, verification of whether any retention of the data is permitted, and preparation of documents evidencing the removal.
Certification by a specialized audit of practices related to GDPL.
Data Protection Officer (In-Charge)
Identification of the person in charge (individual or legal entity) and of their capacity to carry out the activities foreseen in the LGPD.
Inclusion of an arbitration clause linked to the private online chamber registered with the CNJ to mitigate judicial litigation.
Although the Brazilian GDPL is not yet final and its mandatory implementation date has not been set, most of the GDPL follows other consumer data protection laws such as the GDPR and the CCPA.
Official GDPL Reference
http://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/L13709.htm (Brazilian Portuguese)