Territory: Brazil

Data Protection Regulations: Law No. 13.709/2018 (Lei Geral de Proteção de Dados, LGPD)

Link: http://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm

Regulatory purpose: Processing of personal data, including in digital media, by a natural person or by a legal person under public or private law, in order to protect the fundamental rights of freedom and privacy and the free development of the personality of the natural person.

Parties:

  • Data controller: Yes. Natural or legal person, public or private law.
  • Data Processor: Yes. Natural or legal person, whether governed by public or private law, who processes personal data on behalf of the controller.
  • Data Protection Officer: Yes.

Supervisory Authority: Yes. National Authority for the Protection of Personal Data (ANPD)

Principles: 

  • Purpose
  • Adequacy
  • Need
  • Free Access
  • Data quality
  • Transparency
  • Security
  • Prevention
  • Non-discrimination
  • Responsibility
  • Accountability

Obligations:

  • Register of Processing Activities: Yes.
  • Impact Assessments: Yes.
  • Risk analysis: Yes.
  • Technical and organisational security measures: Yes.
  • Duty to inform: Yes.
  • Data Protection Officer: Yes.

Data subjects' rights:

  • Right of Access: Yes.
  • Right of rectification: Yes.
  • Right of Suppression: Yes.
  • Right to limitation: Yes.
  • Right to portability: Yes.
  • Right to object: Yes.
  • Automated individual decisions, including profiling: No.
  • Other rights:

Right of Explanation: The data subject has the right to receive clear and adequate information about the criteria and procedures used by the controller.
Revocation of consent: The data subject may revoke his or her consent to the processing of his or her personal data at any time, with express manifestation being sufficient, by means of a free and facilitated procedure.
Right to information: The data subject has the right to receive information about the public and private entities with which the controller has shared data.

International transfers:

The international transfer of personal data is only permitted in the cases provided for in Article 33:

  • The countries or international bodies provide a level of protection of personal data adequate to that provided for in the LGPD;
  • The controller offers and accredits compliance with the principles, the rights of the data subject and the data protection regime provided for in the LGPD;
  • The transfer is necessary for international legal cooperation between public intelligence, investigation and prosecution bodies, in accordance with the instruments of international law;
  • The transfer is necessary to protect the life or physical safety of the data subject or third parties;
  • The national authority authorises the transfer;
  • The transfer will give rise to a commitment made in an international cooperation agreement;
  • The transfer is necessary for the execution of public policy or the legal attribution of the public service;
  • The data subject has given his or her specific and prominent consent to the transfer.

Thus, taking into account the rules provided for in the LGPD, international transfer of personal data in the course of companies' processing activities is possible, provided that all contracts meet the requirements of the law, including compliance with the principles, the correct legal basis for the processing, and the rights of data subjects.

There is no magic formula that can be shared and that works for everyone; the transfer will depend on consultancy and review of the contract.

Sanctioning regime:

  • Warning, indicating the deadline for taking corrective measures;
  • Simple fine of up to 2% (two per cent) of the revenue of a private law legal entity, group or conglomerate in Brazil in its last fiscal year, excluding taxes, limited, in total, to R$ 50,000,000.00 (fifty million reais) per infraction;
  • Daily fine, observing the total limit referred to in item II of the law (the simple fine above);
  • Disclosure of the infraction after its occurrence has been duly investigated and confirmed;
  • Blocking of the personal data to which the infringement refers until its regularisation;
  • Deletion of the personal data to which the infringement relates;
  • Partial suspension of the operation of the database to which the infringement refers for a maximum period of 6 (six) months, extendable for an equal period, until regularisation of the processing activity by the data controller;
  • Suspension of the exercise of the personal data processing activity to which the infringement refers for a maximum period of 6 (six) months, extendable for an equal period;
  • Total or partial prohibition of the exercise of activities related to data processing.

Certification or accreditation of compliance for companies: No.