Art. 1 - This Law provides for the processing of personal data, including by digital means, by a natural person or a legalArt. 2 - The discipline of personal data protection is grounded on the following:Art. 3 - This Law applies to any processing operation carried out by a natural person or a legal entity of public orArt. 4 - This Law does not apply to the processing of personal data that:Art. 5 - For purposes of this Law, the following definitions apply:Art. 6 - Activities of processing of personal data shall be done in good faith and be subject to the following principles:
Section I - Requirements for the Processing of Personal Data
Art. 7 - Processing of personal data shall only be carried out under the following circumstances:Art. 8 - The consent provided in Item I of Art. 7 of this Law shall be given in writing or by anotherArt. 9 - The data subject has the right to facilitated access to information concerning the processing of her/his data, which much beArt. 10 - Controller’s legitimate interest can only be grounds for processing personal data for legitimate purposes, based on particular situations, which includeSection II - Processing of Sensitive Personal Data
Art. 11 - The processing of sensitive personal data shall only occur in the following situations:Art. 12 - anonymised data shall not be considered personal data, for purposes of this Law, except when the process of anonymisation toArt. 13 - When carrying out public health studies, research entities may have access to personal databases, which shall be processed exclusively withinSection III - Processing of Children and Adolescents’ Personal Data
Art. 14 - The processing of personal data belonging to children and adolescents shall be done in their best interest, pursuant to thisSection IV - Termination of Data Processing
Art. 15 - The processing of personal data shall be terminated under the following circumstances:Art. 16 - Personal data shall be deleted following the termination of their processing, within the scope and technical limits of the activities,Art. 17 - All natural person is assured ownership of her/his personal data, with the fundamental rights of freedom, intimacy and privacy beingArt. 18 - The personal data subject has the right to obtain the following from the controller, regarding the data subject’s data beingArt. 19 - Confirmation of the existence of or access to personal data shall be provided by means of request by the dataArt. 20 - The data subject has the right to request review, by a natural person, of decisions taken solely on the basesArt. 21 - Personal data concerning the regular exercise of rights by the data subject cannot be used to her/his detriment.Art. 22 - The defence of the interests and rights of data subjects may be carried out in court, individually or collectively, as
Section I - Rules
Art. 23 - Processing of personal data by legal entities of public law referred to in sole paragraph of Art. 1 of LawArt. 24 - Public companies and mixed-capital companies that operate in the competing market, subject to the provisions of Art. 173 of theArt. 25 - Data shall be kept in an interoperable format and structured for shared use intended for the execution of public policies,Art. 26 - The shared use of personal data by public authorities shall fulfill the specific purposes of execution of public policies andArt. 27 - Communication or shared use of personal data from a legal entity of public law to a legal entity of privateArt. 28 - (vetoed)Art. 29 - The national authority may request, at any time, that entities of the public authority carry out operations of processing ofArt. 30 - The national authority may establish complementary rules for communication or shared used of personal data activities.Section II - Accountability
Art. 31 - When there is an infringement of this Law as a result of personal data processing by public agencies, the nationalArt. 32 - The national authority may request agents of the public authorities to publish impact reports on protection of personal data andArt. 33 - International transfer of personal data is only allowed in the followingArt. 34 - The level of data protection in the foreign country or international organisation referred to in Item I of the leadArt. 35 - The definition of the content of standard contractual clauses, as well as the verification of specific contractual clauses for aArt. 36 - Changes to guarantees presented as sufficient for compliance with the general principles of protection and of the data subject’s rights
Section I - Controller and Processor
Art. 37 - The controller and the processor shall keep records of personal data processing operations carried out by them, especially when basedArt. 38 - The national authority may determine that the controller must prepare an impact report on protection of personal data, including sensitiveArt. 39 - The processor shall carry out the processing according to the instructions provided by the controller, which shall verify the obedienceArt. 40 - The national authority may provide standards of interoperability for purposes of portability, free access to data and security, as wellSection II - Data Protection Officer
Art. 41 - The controller shall appoint an officer to be in charge of processing personal data. §1 The identity and contact informationSection III - Liability and Loss Compensation
Art. 42 - The controller or the processor that, as a result of carrying out their activity of processing personal data, cause material,Art. 43 - Processing agents shall only not be held liable when they prove that:Art. 44 - Processing of personal data shall be irregular when it does not obey the legislation or when it does not provideArt. 45 - When there is violation of data subject’s right in the scope of consumer relations, the rules of liability provided inSection I - Security and Secrecy of Data
Art. 46 - Processing agents shall adopt security, technical and administrative measures able to protect personal data from unauthorised accesses and accidental orArt. 47 - Processing agents or any other person that intervenes in one of the processing phases undertake to ensure the security ofArt. 48 - The controller must communicate to the national authority and to the data subject the occurrence of a security incident thatArt. 49 - The systems used for processing personal data shall be structured in order to meet the security requirements, standards of goodSection II - Good Practice and Governance
Art. 50 - Controllers and processors, within the scope of their competences, concerning processing of personal data, individually or in associations, may formulateArt. 51 - The national authority shall encourage the adoption of technical standards that facilitate data subjects’ control of their personal data.Section I - Administrative Sanctions
Art. 52 - Data processing agents that commit infractions of the rules provided in this Law are subject to the following administrative sanctions,Art. 53 - The national authority shall define the methodologies that will be used for the calculation of the base value for fines,Art. 54 - The amount of daily fines applied to infractions of this Law shall be subject to the severity of the infractionSection I - The National Authority for Protection of Data (“ANPD”)
Art. 55 - (vetoed)Art. 56 - (vetoed)Art. 57 - (vetoed)Section II - The National Board for the Protection of Personal Data and Privacy
Art. 58 - (vetoed)Art. 59 - (vetoed)Art. 60 - Law No. 12,965, of April 23, 2014 (the “Brazilian Internet Law”), shall henceforth contain the following alterations: “Art. 7 …Art. 61 - The foreign company shall be notified and summonsed of all procedural acts provided in this Law, irrespective of power ofArt. 62 - The national authority and the Anísio Teixeira National Institute for Educational Studies and Research (Inep), within the scope of theirArt. 63 - The national authority shall establish rules on the progressive suitability of databases established up to the date this Law comesArt. 64 - The rights and principles expressed in this Law do not exclude others provided in the Brazilian legal system related toArt. 65 - This Law shall come into force eighteen (18) months following its official publication.
§2 Data processing as provided in Item IV of the lead sentence of Art. 4 of this Law is exempted from the provisions of Item I of this article.
§2 Processing of the data referred to in Item III of the lead sentence of this article is forbidden for legal entity of private law, except in procedures under the authority of legal entity of public law, of which the national authority shall be specifically informed and which shall observe the limitation imposed in §4 of this article.
§3 The national authority shall issue technical opinions or recommendations regarding the exceptions provided in Item III of the lead sentence of this article, and shall request of the responsible parties impact reports on protection of personal data.
§4 Under no circumstances the entirety of the personal data in a database, as provided in Item III of the lead sentence of this article, may be processed by a legal entity of private law.
§1 When the provisions of Items II and III of the lead sentence of this article are applicable, and except in the situations provided in Art. 4 of this Law, the data subject shall be informed of the situations in which processing of her/his data will be allowed.
§4 The consent requirement provided in the lead sentence of this article is waived for data manifestly made public by the data subject, safeguarding the rights of the data subject and the principles provided in this Law.
§5 The controller who has obtained the consent referred to in Item I of the lead sentence of this article that needs to communicate or share personal data with other controllers shall obtain specific consent from the data subject for this purpose, except when the need for such consent is waived as provided in this Law.
§1 The provisions of this article apply to any processing of personal data that reveals sensitive personal data and that may cause harm to the data subject, subject to the provisions of specific legislation.
§2 When the provisions of lines a and b of Item II of the lead sentence of this article are applied by public agencies and entities, said waiver of consent shall be publicised, pursuant to Item I of the lead sentence of Art. 23 of this Law.
§1 Disclosure of the results or of any portion of the study or the research, as mentioned in the lead sentence of this article, shall under no circumstances reveal personal data.
§2 The research entity shall be liable for the security of the information provided in the lead sentence of this article, and it is forbidden, under no circumstances, to transfer the data to a third party.
§3 Access to data as provided in this article shall be the object of regulation by the national authority and of the authorities in the area of health and sanitation, within the scope of their competences.
§4 For purposes of this article, pseudonymization is the processing by means of which data can no longer be directly or indirectly associated with an individual, except by using additional information kept separately by the controller in a controlled and secure environment.
The processing of personal data belonging to children and adolescents shall be done in their best interest, pursuant to this article and pertinent legislation.
§2 When processing data as mentioned in §1 of this article, controllers shall make public the information about the types of data collected, the way it is used and the procedures for exercising the rights referred to in Art. 18 of this Law.
§3 Children’s personal data may be collected without the consent mentioned in §1 of this article when collection is necessary to contact the parents or the legal representative, used one single time and not stored, or for their protection, and under no circumstances shall the data be passed on to third parties without consent as provided in §1 of this article.
§4 Controllers shall not condition the participation of data subjects, as referred to in §1 of this article, to games, internet applications or other activities for providing personal information beyond what is strictly necessary for the activity.
§5 The controller shall use all reasonable efforts to verify that the consent referred to in §1 of this article was given by the child’s representative, considering available technologies.
§6 Information on the processing of data referred to in this article shall be provided in a simple, clear and accessible manner, taking into account the physical-motor, perceptive, sensorial, intellectual and mental characteristics of the user, using audiovisual resources when appropriate, in order to provide the necessary information to the parents or the legal representative and that is appropriate for the children’s understanding.
§3 The rights provided in this article shall be exercised by means of express request by the data subject or her/his legally constituted representative to the processing agent.
§4 If it is impossible to immediately adopt the measure mentioned in §3 of this article, the controller shall send a reply to the data subject in which she/he may:
§5 The request as mentioned in §3 of this article shall be fulfilled without costs to the data subject, within the time periods and under the terms as provided in regulation.
§7 The portability of personal data referred to in Item V of the lead sentence of this article does not include data that have already been anonymised by the controller.
§8 The right referred to in §1 of this article may also be exercised before consumer-defence entities.
§4 The national authority may provide differently regarding the time periods provided in Items I and II of the lead sentence of this article for specific sectors.
§2 If there is no offer of information as provided in §1 of this article, based on commercial and industrial secrecy, the national authority may carry out an audit to verify discriminatory aspects in automated processing of personal data.
§2 The provisions of this Law do not release the legal entities mentioned in the lead sentence of this article from establishing the authorities as provided in Law No. 12,527, of November 18, 2011 (the “Brazilian Access to Information Law”).
§4 Notarial and registry services, carried out under private nature by delegation of public authorities, shall receive the same treatment given to legal entities as provided in the lead sentence of this article, in accordance with the terms of this Law.
§5o Notarial and registry bodies shall provide access to data by electronic means to the public administration, in view of the purposes mentioned in the lead sentence of this article.
The shared use of personal data by public authorities shall fulfill the specific purposes of execution of public policies and legal attributions by agencies and public entities, subject to the principles of personal data protection listed in Art. 6 of this Law. §1 It is forbidden for public authorities to transfer to private entities personal data contained in databases to which they have access, except: I – in cases of decentralized execution of public activity that requires transfer, exclusively for this specific and distinct purpose, subject to the provisions of Law No. 12,527, of November 18, 2011 (the “Brazilian Access to Information Law”); II – (vetoed); and II – in cases in which the data are publicly accessible, subject to the provisions of this Law. §2 Contracts and agreements as mentioned in §1 of this article shall be communicated to the national authority.
IX – when it is necessary to satisfy the situations provided in Items II, V and VI of Art. 7 of this Law. Sole paragraph. For purposes of Item I of this article, the legal entities of public law referred to in the sole paragraph of Art. 1 of Law No. 12,527, of November 18, 2011 (the “Brazilian Access to Information Law”), within their legal competences, and those parties accountable, within the scope of their activities, may request the national authority to evaluate the level of protection of personal data provided by a country or international organisation.
§1 To verify the provision of the lead sentence of this article, requirements, conditions and minimum guarantees for the transfer that obey the rights, guarantees and principles of this Law must be considered.
§3 The national authority may designate certification entities to carry out the provisions of the lead sentence of this article, which shall remain under their inspection subject to the terms defined in regulation.
§5 Guarantees sufficient for compliance with the general principles of protection and data subject’s rights referred to in the lead sentence of this article shall also be analysed in accordance with the technical and organisational measures adopted by the processor, according to the provisions of §§1 and 2 of Art. 46 of this Law.
The national authority may determine that the controller must prepare an impact report on protection of personal data, including sensitive data, referring to its data processing operations, pursuant to regulations, subject to commercial and industrial secrecy. Sole paragraph. Subject to the provisions of the lead sentence of this article, the report must contain at least a description of the types of data collected, the methodology used for collection and for ensuring the security of the information, and the analysis of the controller regarding the adopted measures, safeguards and mechanisms of risk mitigation.
§3 Lawsuits for compensation for collective damages, the objective of which is liability pursuant to the terms of the lead sentence of this article, may be filed collectively in court, subject to the provisions of pertinent legislation.
§1 The national authority may provide minimum technical standards to make the provisions of the lead sentence of this article applicable, taking into account the nature of the processed information, the specific characteristics of the processing and the current state of technology, especially in the case of sensitive personal data, as well as the principles provided in the lead sentence of Art. 6 of this Law.
§2 The measures mentioned in the lead sentence of this article shall be complied with as from the conception phase of the product or service through to its execution.
§2 The provisions of this article do not substitute the application of administrative, civil or criminal sanctions defined in specific legislation.
§3 The provisions of Items I, IV, V, VI, VII, VIII and IX of the lead sentence of this article may be applied to public entities and bodies, without prejudice to the provisions of Laws Nos. 8,112, of December 11, 1990 (the “Legal Framework for Public Servants”), 8,429, of June 2, 1992 (the “Administrative Improbity Law”), and 12,527, of November 18, 2011 (the “Brazilian Access to Information Law”).
§4 When calculating the amount of the fine provided in Item II of the lead sentence of this article, the national authority may consider total revenues of the company or group of companies, when it does not have the amount of revenues from the business activity in which the infraction occurred, defined by the national authority, or when the amount is presented in an incomplete form or is not demonstrated unequivocally and reputably.
§1 The methodologies referred to in the lead sentence of this article shall be previously published, for the information of the processing agents, and shall objectively present the forms and methods for calculating the base value of the fines, which shall contain detailed grounds for all its elements, demonstrating obedience to the criteria provided in this Law.
