Brazil - Data Protection Overview
1. THE LAW
1.1. Key Acts, Regulations, Directives, Bills
Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD').
The LGPD will come into force on 16 August 2020.
1.3. Case Law
2. SCOPE OF APPLICATION
2.1. Who do the laws/regs apply to?
The LGPD applies to the processing of personal data, including by digital means, carried out by a natural person or legal entity governed by public or private law.
2.2. What types of processing are covered/exempted?
The LGPD applies to any processing operation irrespective of the means used, of the country in which the processing agent's headquarters is located, or of the country in which the data is located, provided that:
- the processing operation is carried out in the Brazilian territory;
- the processing activity has as its objective the offer or supply of goods or services to, or the processing of data of, individuals located in the national territory; or
- the processed personal data has been collected in the Brazilian territory.
Personal data collected in the Brazilian territory is understood as personal data belonging to a data subject that is in the Brazilian territory at the time of the collection.
The following data processing activities are exempted from the application of the LGPD:
- processing carried out by a natural person, exclusively for private and non-economic purposes;
- processing for journalistic and artistic purposes;
- processing for academic purposes (subject to the rules set out in Articles 7 and 11 of the LGPD);
- processing carried out with the exclusive purpose of public safety, national defence, state security, or the investigation and prosecution of criminal offences; or
- processing of personal data originating outside Brazil, from a country that provides a level of data protection adequate to that of the LGPD, provided that the data is not communicated to or shared with Brazilian processing agents.
3. DATA PROTECTION AUTHORITY | REGULATORY AUTHORITY
3.1. Main regulator for data protection
The Brazilian data protection authority ('ANPD') is the main regulator. The ANPD is a body of federal public administration, member of the Presidency of the Republic, and is composed of:
- Board of Directors, as the highest body of direction;
- National Board of Personal Data Protection and Privacy;
- Internal Affairs Office;
- Legal Advisory Body; and
- other administrative and specialised units required for the enforcement of the LGPD.
The Board of Directors of the ANPD is composed of five directors, including the chief executive officer, all nominated by the President of the Republic. They must be Brazilians with an unblemished reputation, a high level of education and a strong reputation in the field of specialty of the position for which they are nominated.
These five directors have a four-year term, but for the first appointments the President of the Republic may assign terms of two to six years, as established in the act of appointment.
3.2. Main powers, duties and responsibilities
The ANPD is responsible for the enforcement of the LGPD and has the following powers available to ensure the protection of individuals' data:
- supervise the protection of personal data in accordance with the LGPD, including by conducting inspections or ordering that they be conducted;
- ensure that commercial and industrial secrets are observed, while protecting personal data and the secrecy of information when protected by law or when a breach of secrecy would violate the fundamentals of the LGPD;
- develop guidelines for the personal data protection and privacy national policy;
- receive and process data subject claims against the controllers (after being submitted to the controller and not solved according to the LGPD);
- determine how processing agents must provide transparency about their personal data processing activities;
- request from public authorities that carry out personal data processing activities information regarding the scope, nature of the data and other details of the processing, with the possibility of issuing technical opinions to ensure compliance with the LGPD;
- issue regulations and procedures on privacy and personal data protection, including regarding Data Protection Impact Assessments ('DPIAs');
- listen to data processing agents and the society in matters of relevant interest;
- collect and apply its revenues and publish a detailed report on the management of those revenues;
- conclude agreements with data processing agents in order to eliminate irregularities, legal uncertainties or litigious situations in administrative proceedings;
- enact rules, guidelines and simplified procedures, including regarding deadlines, for small and micro companies, startups and innovative businesses in order to help them achieve compliance with the LGPD;
- ensure that the processing of elderly people's personal data is carried out in a simple, clear and accessible manner adequate to their understanding;
- decide, at an administrative level, on the LGPD's interpretation, its competences and cases in which it is silent;
- implement simplified mechanisms, including by electronic means, for the registration of complaints about personal data processing that is non-compliant with the LGPD;
- inspect and sanction cases of data processing that are non-compliant with the LGPD through administrative proceedings that ensure the right to adversary proceedings, full defence and the right to appeal;
- report to the appropriate authorities any criminal offences that come to its knowledge;
- report to the internal affairs bodies any non-compliance with the LGPD by bodies and entities of federal public administration;
- disseminate knowledge in society about the legal rules and public policy on personal data protection and its security measures;
- encourage the adoption of standards for services and products that facilitate the control and the protection of personal data by their subjects, considering the specificities of the activities and the size of controllers;
- prepare studies about national and international practices on personal data protection and privacy;
- promote actions of cooperation with personal data protection authorities from other countries, of international or transnational nature; and
- draft managing reports on its annual activities.
4. KEY DEFINITIONS | BASIC CONCEPTS
Personal Data: Information related to an identified or identifiable natural person.
Sensitive Data: Personal data on racial or ethnic origin, religious belief, political opinion, membership of a trade union or of a religious, philosophical or political organisation, data relating to health or sex life, and genetic or biometric data, when related to a natural person. The rules concerning sensitive data apply to any processing of personal data that reveals sensitive personal data and may cause damage to the data subject, except as otherwise provided in a specific law.
Consent: Free, informed and unambiguous manifestation whereby the data subject agrees with the processing of their personal data for a given purpose.
Data Controller: Natural person or legal entity, governed by public or private law, in charge of making decisions about the processing of personal data.
Data Processor: Natural person or legal entity, governed by public or private law, which processes personal data in the name of the controller.
Data Protection Officer: Person designated by the controller or processor to act as a communication channel between the controller, the data subjects and the ANPD.
Anonymisation: Use of reasonable technical means available at the time of processing, by means of which the data loses the possibility of direct or indirect association to a natural person.
5. NOTIFICATION | REGISTRATION
5.1. Requirements and brief description
Notification or registration of databases with the ANPD is not required under the LGPD. Only data breach notification is mandatory.
6. DATA CONTROLLER RIGHTS AND RESPONSIBILITIES
Controllers are responsible for complying with data subject rights and data breach notification.
Controllers are also required to process personal data on the basis of one of the ten legal grounds set out in the LGPD (a broader set than the lawful bases under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')):
- with the data subject's consent;
- for compliance with a statutory or regulatory obligation by the controller;
- by the public administration, for the processing and shared use of data required for the performance of public policies set forth in laws or regulations or supported by contracts, agreements or similar instruments;
- for carrying out studies by research bodies, guaranteeing, whenever possible, the anonymisation of personal data;
- when necessary for the performance of agreements or preliminary procedures relating to agreements to which the data subject is a party, at the request of the data subject;
- for the regular exercise of rights in lawsuits, administrative or arbitration proceedings;
- for protection of the life or of the physical safety of the data subject or of third parties;
- for protection of health, exclusively in a procedure carried out by health professionals, health service providers or by sanitary entities;
- when necessary to serve the legitimate interests of the controller or of third parties, except in the event that the fundamental rights and liberties of the data subject which require the protection of the personal data prevail; and
- for the protection of credit, including in accordance with the provisions of the applicable law.
Moreover, controllers are encouraged to implement good practices and governance. In particular, controllers may implement a privacy governance programme that shall at a minimum:
- demonstrate the controller's commitment to adopt internal processes and policies that ensure broad compliance with rules and good practices concerning personal data protection;
- be applicable to the entire set of personal data under its control, regardless of how the data was collected;
- be adapted to the structure, level and volume of its operations, and to the sensitivity of the data processed;
- establish appropriate policies and safeguards based on a process of systematic assessment of the impact on and risks to privacy;
- be intended to establish a relationship of trust with the data subject, by means of transparent actions that ensure mechanisms of participation for the data subject;
- be integrated into its general governance structure and establish and apply internal and external supervision mechanisms;
- have an incident response and remediation plan; and
- be constantly updated based on information obtained from continuous monitoring and periodic assessments.
7. DATA PROCESSOR RIGHTS AND RESPONSIBILITIES
Processors must act according to data controllers' instructions. In addition, the processor shall be jointly liable for any damages caused by the processing if the processor fails to comply with the obligations of the LGPD or fails to follow the lawful instructions of the controller, in which case the processor shall be regarded as equivalent to the controller, except in the event that the exemption established under Article 43 of the LGPD applies.
Controllers and processors, within the scope of their authority over personal data processing, individually or through associations, may prepare rules of good practice and governance setting out organisational conditions, operating rules, procedures (including for complaints and petitions of data subjects), security rules, technical standards, specific obligations for the different parties involved in the processing, educational actions, internal mechanisms of supervision and risk mitigation, and any other aspects relating to personal data processing.
8. DATA CONTROLLER AND PROCESSOR AGREEMENTS
There are no specific rules on controller and processor agreements under the LGPD.
9. DATA SUBJECT RIGHTS
The LGPD establishes the following rights for data subjects:
- confirmation of the existence of processing;
- access to data;
- correction of incomplete, inaccurate or outdated data;
- anonymisation, blocking or elimination of unnecessary or excessive data or of data processed in noncompliance with the provisions of the LGPD;
- portability of the data to other service providers or suppliers of products, at the express request of the data subject, in accordance with ANPD regulation and observing business and industrial secrets;
- elimination of the personal data processed with the consent of the data subjects, except in the cases set forth in Article 16 of the LGPD;
- information on the public and private entities with which the controller has shared data;
- information on the possibility of not providing consent and on the consequences of such denial; and
- revocation of the consent, pursuant to the provisions of paragraph 5 of Article 8 of the LGPD.
When a correction, elimination, anonymisation or blocking request is received, the controller or processor must immediately inform the processing agents with which it has shared the personal data, so that they can repeat the same procedure, except where this is proven impossible or involves disproportionate effort.
10. DATA PROTECTION OFFICER
10.1. DPO – compulsory appointment (yes/no)
A data protection officer ('DPO') must be appointed by controllers.
The ANPD may exempt controllers from the obligation to appoint a DPO, depending on the nature and size of the entity or the volume of its data processing operations.
The identity and contact details of the DPO must be disclosed publicly, clearly and objectively, preferably on the controller's website.
The activities of the DPO consist of the following:
- to accept complaints and communications from data subjects, provide clarifications and take measures;
- to receive communications from the supervisory authority and take measures;
- to instruct the employees and contractors of the entity on the practices to be adopted in relation to personal data protection; and
- to carry out any other duties established by the controller or in supplementary rules.
The ANPD may establish supplementary rules on the definition and duties of the DPO.
11. DATA BREACH NOTIFICATION
11.1. General obligation (yes/no)
The controller must notify the ANPD and data subjects of the occurrence of any security incident that may result in any relevant risk or damage to the data subjects.
The notice must, at a minimum, contain the following information:
- a description of the nature of the affected personal data;
- information on the data subjects involved;
- indication of the technical and security measures used for data protection, with due regard for trade and industrial secrets;
- the risks relating to the incident;
- the reasons for the delay, in case the notice is not immediate; and
- the measures that were or will be adopted to reverse or mitigate the effects of the damage.
11.2. Sectoral obligations
The Internet Law, Federal Law No. 12.965 of 23 April 2014, applies to internet companies (internet service providers ('ISPs') and application providers) and establishes:
- data retention rules (logs);
- protection of electronic messages; and
- specific conditions for the processing of personal data (which partially conflict with the LGPD; ANPD guidance and court decisions will be needed to clarify the matter).
Decree No. 8.771/2016 establishes, for internet companies (ISPs and application providers):
- information security standards.
Resolution No. 4.658/2018 of the Central Bank establishes, for financial entities:
- specific requirements for cloud computing agreements.
12. SANCTIONS
Under the LGPD, the following sanctions may be imposed:
- warnings, with indication of a term for adoption of corrective measures;
- simple fines of up to two percent of the sales revenue of the legal entity of private law, group or conglomerate in Brazil in its last fiscal year, excluding taxes, limited in the aggregate to BRL 50,000,000 (approx. €11,342,000) per infraction;
- daily fines, subject to the total limit referred to in the previous item;
- disclosure of the infraction after it has been duly investigated and its occurrence has been confirmed;
- blockage of the personal data to which the infraction relates, until its regularisation; and
- elimination of the personal data to which the infraction relates.
13. ADDITIONAL RELEVANT TOPICS
13.1. Data Transfers and Outsourcing
International data transfer rules under the LGPD are quite similar to those of the GDPR.
The international transfer of personal data is permitted only in the following cases:
- to countries or international organisations that provide a level of personal data protection appropriate to that provided for by the LGPD;
- when the controller provides and demonstrates guarantees of compliance with the principles, data subject rights and data protection regime established in the LGPD, in the form of:
  - specific contractual clauses for a given transfer;
  - standard contractual clauses;
  - global corporate rules;
  - regularly issued seals, certificates and codes of conduct;
- when the transfer is required for international legal cooperation between government intelligence, investigation and police bodies, in accordance with international law instruments;
- when the transfer is required for the protection of life or physical integrity of the data subject or any third party;
- when the ANPD authorises such transfer;
- when the transfer results in a commitment undertaken under an international cooperation agreement;
- when the transfer is necessary for the execution of a public policy or legal attribution of the public service, with publicity given as provided in item I of the main provision of Article 23 of the LGPD;
- when the data subject has provided specific and highlighted consent for such transfer, with prior information on the international nature of the operation, clearly distinguishing it from any other purposes; or
- when required to meet the hypotheses established in items II, V and VI of Article 7 of the LGPD.
There are no specific requirements on outsourcing. It is not prohibited under the LGPD, however, if it involves cross-border transfers of personal data, the rules under the LGPD must be observed.
13.2. Employee Monitoring
The Superior Labour Court permits the monitoring of corporate devices, provided that the monitoring is made sufficiently transparent to the employee, who then has no expectation of privacy in the use of technological devices provided by the employer. The LGPD is expected to intensify the debate on data protection in the workplace.
13.3. Data Retention
Each sector has its own rules on data retention. The LGPD only requires that personal data be kept for the shortest period necessary. In addition, the ANPD may regulate the period for which controllers and processors must keep their records of processing activities.
14. OTHER SPECIFIC JURISDICTIONAL ISSUES
Under the LGPD, marketing activities will usually be justified by one of two legal grounds: consent or legitimate interest, depending on the specific context. For telemarketing activities, there are Do Not Call Registers held by consumer protection agencies (soft regulation).