On August 14, President Michel Temer sanctioned the law that regulates the protection of personal data in Brazil (General Law of Data Protection – LGPD).

As expected, the creation of the National Data Protection Agency, as foreseen in the text approved by the Senate, was vetoed by the President on the grounds of lack of competence. As a result, new legislation to be enacted in the coming months will designate the competent authority to supervise and impose penalties on those subject to the new regulation.

The LGPD is inspired by the European GDPR, which came into force last May. The LGPD will enter into force in February 2020, after a transition period (vacatio legis) of 18 months.

Among the new rules sanctioned by the Brazilian President, we highlight:

Principles. The LGPD establishes principles that must be observed in the processing of personal data, including good faith, purpose, necessity, free access, security, and accountability, the latter understood as the ability to demonstrate the adoption of effective measures capable of proving compliance with the personal data protection rules.

Processing of Personal Data. Personal data may only be processed in the cases provided for in the LGPD. Among the legal bases provided are the express consent of the holder and the legitimate interest of the controller. In the case of consent, it must be given in writing or by another means that demonstrates the holder's manifestation of will; the controller bears the burden of proving that consent was obtained in accordance with the law, and the holder may revoke it at any time. Legitimate interest, in turn, would theoretically allow the use of data for purposes other than those initially authorized by its holders or those that led to its collection.

Personal Data, Sensitive Personal Data, and Public Data. “Personal data” means any information related to an identified or identifiable natural person (the holder) – name, CPF, e-mail address, etc. The LGPD also defines “sensitive personal data” as any information on racial or ethnic origin, religious belief, political opinion, or membership in a trade union or in an organization of a religious, philosophical or political nature, as well as data relating to health or sex life, and genetic or biometric data when linked to a natural person. The consent requirement provided for in the LGPD may be waived for personal data made manifestly public by the holder.

Rights of the Holders. The rights of personal data holders have been expanded, in particular direct access to the data, rectification, cancellation/deletion, opposition to processing, information and explanation about the use of the data, and portability of personal data.

Responsibility of the Agents. Agents responsible for the collection/processing of personal data (controllers and operators) may be held jointly and severally liable in case of violation of the LGPD. However, the liability of the operator may be limited to its contractual and information security obligations, provided that it does not violate its obligations under the LGPD.

Data Protection Officer. Controllers must define who will be in charge of data protection in the company. This professional, usually called the Data Protection Officer, will be the focal point between the controller, the Authority, and the data holders.

Data Protection Impact Report. The Authority may require the controller to prepare a personal data protection impact report (RIPD) regarding its data processing operations. Preparation of the RIPD may be mandatory in situations already characterized as risky or, at the request of the Authority, when the processing is based on legitimate interest. The RIPD must contain at least a description of the types of data collected, the methodology used for their collection, and details of the information security measures adopted.

International Transfer of Personal Data. The international transfer of personal data is permitted only in specific cases, among them: (1) when the controller offers and demonstrates guarantees of compliance with the principles, the rights of the holder and the data protection rules set forth in the LGPD, in the form of (a) specific contractual clauses for a particular transfer, (b) standard contractual clauses, (c) global corporate rules, or (d) seals, certificates and codes of conduct regularly issued and subject to the approval of the Authority; or (2) when the holder gives specific consent for the international transfer.

Incident Reporting. The controller must notify the Authority and the holder, within a reasonable time, of the occurrence of a security incident that could cause significant risk or damage to the holders.

Penalties. The LGPD establishes penalties for noncompliance, including warnings, suspension or prohibition of the data processing activity to which the infraction relates, and fines of up to 2% of the company's gross sales in Brazil, capped at R$ 50 million.

The teams of Fraga, Bekierman & Cristiano Advogados in Rio de Janeiro and São Paulo are available to clarify any doubts and assist in implementing the changes required to comply with the forthcoming legislation on the protection of personal data.