Understand Data Privacy Legislation in Brazil

In Brazil, the law that regulates data protection is Law number 13.709 of 2018 ("General Law for the Protection of Personal Data - LGPD").

By Gustavo Chaves Barcellos and Layon Lopes*

The LGPD provides for the treatment of personal data, including in the digital environment, by natural persons, by the Administration, or by the Private Sector. It aims to protect the fundamental rights of freedom and privacy and the free development of the personality of the natural person.

To understand the LGPD, here are some of the important concepts that every Company that treats Brazilian data, or data collected in Brazil, should know about:

Personal Data is all information related to an identified or identifiable natural person. By an identifiable natural person, the legislator meant a person whose identity can be known by means of other elements, not only by analysis of the data itself.

An example of data of an identified natural person is a name. Data of an identifiable natural person, on the other hand, is something like a social security number (a set of numbers that, put in a determined order, gives us the elements to know that we are facing specific personal data).

Data Treatment is every operation performed with personal data, such as those that characterize its collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, disposal, evaluation or control of information, modification, communication, transfer, diffusion and/or extraction.

Sensitive Data Treatment is the treatment of data linked to a natural person related to racial or ethnic origin, religious belief, political opinion, union membership or membership of an organization of a religious, philosophical, or political character, health or sexual life, and genetic and/or biometric data.

Data Holder (or just Holder) is every natural person to whom the personal data treated by the Treatment Agents belongs.

Controller is every natural or legal person who is responsible for decisions regarding the processing of personal data.

Operator is every natural or legal person who performs the processing of personal data on behalf of the Controller.

Data Protection Officer is the person indicated by the Controller to act as a communication channel between the Controller, the Data Holders and the National Data Protection Authority.

National Data Protection Authority (ANPD) is an organ of public administration responsible for ensuring, implementing and monitoring compliance with the LGPD.

National Council of Data Protection will be responsible for proposing guideline strategies and providing inputs for the elaboration of the National Policy for the Protection of Personal Data and Privacy and the performance of the ANPD.

The LGPD provides some requirements to be observed for processing personal data, and, for business purposes, the biggest point of attention is respect for the Holder's consent. Regarding consent, there are some rules that have to be observed:

  1. If consent is given in writing (for example, through a contract), it must be included in a clause separated from the others;
  2. The obligation to prove the Data Holder's consent will fall on companies who process personal data;
  3. Consent will not be given in general, but specific to a purpose foreseen in the LGPD;
  4. Holders will have access to the data processed by the Companies at any time, being able to request their modification, or even exclusion;
  5. The processing of sensitive personal data will be possible only by express authorization to do so;
  6. To treat children's or teenagers' personal data, express permission from their parents or legal guardians is necessary.

However, not all data will be regulated by the Brazilian authorities as personal data, only that which belongs to an identified or identifiable natural person. Therefore, data related to public knowledge, or commercial transactions (although they are confidential), will not be regulated by the LGPD.

In this regard, it is worth noting that Anonymous Data will not be regulated by the LGPD either.

There is a legal definition of Anonymous Data: all data related to a Holder who cannot be identified, considering the use of reasonable and available technical means at the time of the treatment.

In addition, there is a legal definition of Anonymization: the use of reasonable technical means available at the time of treatment, through which the data treated loses the possibility of association, direct or indirect, with an individual.

The LGPD provides for hypotheses of termination of data processing, which are:

  1. Exhaustion of the purpose sought through the data processing;
  2. When data processing is shown to be unnecessary to achieve the intended purpose;
  3. End of the stipulated period for treatment;
  4. When the Data Holder revokes the consent to processing his/her data; and,
  5. Upon the determination of the ANPD.

Although there are hypotheses of termination, there is the possibility of preserving personal data by the Treatment Agents in the following cases:

  1. To comply with a legal or regulatory obligation stipulated or determined or established by the controller;
  2. To enable studies by an authorized authority;
  3. Due to the transfer of personal data to a third party, provided that the data processing requirements are respected according to the LGPD; and,
  4. For the exclusive use of the controller, with access by a third party prohibited, and as long as the data is anonymized.

To achieve its purpose, the LGPD guarantees Holders some express rights:

  1. Confirmation of the existence of treatment;
  2. Access to his/her data;
  3. Correction of incomplete, inaccurate or outdated data;
  4. Anonymizing, blocking or deleting data that is unnecessary, excessive or treated in non-compliance with the provisions of the LGPD;
  5. Transferring the data to another service or product provider, upon express request and with commercial and industrial secrets observed, according to the ANPD;
  6. Elimination of personal data treated with the consent of the Holder, except in the cases provided in the LGPD;
  7. Information from the Controller about the public and private entities with whom the Controller has made shared use of the personal data;
  8. Information about the possibility of not providing consent and the consequences of denial;
  9. Revocation of consent.

Another important point about the LGPD is its extraterritorial application. In this regard, the LGPD will be applicable when the treatment is carried out in the Brazilian territory; when the objective of the treatment is to offer goods or services to individuals located in the Brazilian territory; and, when the personal data treated has been collected in the Brazilian territory.

The LGPD allows international transfer of personal data, but for this there are some mandatory hypotheses, such as: when the controller proves compliance with the principles, the rights of the Holder and the protection system in the LGPD; when the ANPD authorizes the international transfer; and, when the Data Holder has given his/her express consent to the international transfer.

One of the most important parts of the LGPD concerns the Controller's and the Operator's civil responsibilities. The controller or operator who, due to the data processing activity, causes damages to others will be obliged to repair them. The operator responds jointly with the controller when the operator fails to comply with the data protection legislation or does not follow the instructions given by the Controller.

To prevent these liabilities, the LGPD encourages Companies to create their own internal rules and good practices procedures. It is important to highlight that, if the company has a data governance policy, the penalty can be mitigated.

The penalties for those who fail to comply with the LGPD are:

  1. Warning;
  2. Simple fine, up to 2% (two percent) of billing, limited, in total, to R$ 50,000,000.00 (fifty million reais) per infraction;
  3. Daily fine;
  4. Publication of the infraction;
  5. Blocking of personal data;
  6. Elimination of the personal data related to the offense;
  7. Partial suspension of the operation of the database related to the infraction for a maximum period of 6 (six) months, extendable for an equal period of time;
  8. Suspension of the exercise of the treatment activity of the personal data referred to in the offense for a maximum period of 6 (six) months, extendable for an equal period of time; and,
  9. Partial or total prohibition of the exercise of activities related to data processing.

Concerning when the LGPD takes effect, it is important to be clear that the provisions related to the ANPD and the National Council for Data Protection came into effect on 12/28/2018. The administrative sanctions provided in the LGPD have been applicable since 08/01/2021.

The other LGPD provisions have been applicable since 14/08/2020.


*Layon Lopes is the CEO of Silva | Lopes and Gustavo Chaves Barcellos is a member of the Silva | Lopes team.