Controllers and processors, within the scope of their competences, concerning processing of personal data, individually or in associations, may formulate rules for good practice and governance that set forth conditions of organisation, a regime of operation, procedures, including for complaints and petitions from data subjects, security norms, technical standards, specific obligations for the various parties involved in the processing, educational activities, internal mechanisms of supervision and risk mitigation and other aspects related to the processing of personal data.
§1 When establishing rules of good practice, the controller and the processor shall take into consideration, regarding the processing and the data, the nature, scope, purpose and probability and seriousness of the risks and the benefits that will result from the processing of data subject’s data.
§2 When applying the principles mentioned in Items VII and VIII of the lead sentence of Art. 6 of this Law, and subject to the structure, scale and volume of her/his operations, as well as the sensitivity of the processed data and the probability and seriousness of the damages to data subjects, the controller may:
I – implement governance program for privacy that, as a minimum:
a) demonstrate the controller’s commitment to adopt internal processes and policies that ensure broad compliance with rules and good practices regarding the protection of personal data;
b) are applicable to the entire set of personal data under her/his control, irrespective of the means used to collect them;
c) are adapted to the structure, scale and volume of her/his operations, as well as to the sensitivity of the processed data;
d) establish adequate policies and safeguards based on a process of systematic evaluation of the impacts on and risks to privacy;
e) have the purpose of establishing a relationship of confidence with the data subject, by means of transparent operation, and that ensure mechanisms for the data subject to participate;
f) are integrated into its general governance structure and establish and apply internal and external mechanisms of supervision;
g) have plans for response to incidents and solution; and
h) are constantly updated based on information obtained from continuous monitoring and periodic evaluations;
II – demonstrate the effectiveness of her/his privacy governance program when appropriate and, especially, at the request of the national authority or other entity responsible for promoting compliance with good practices or codes of conduct, which, independently, promote compliance with this Law.
§3 Rules of good practice and governance shall be published and updated periodically and may be recognised and disclosed by the national authority.