Art. 1 - This Law provides for the processing of personal data, including by digital means, by a natural person or a legal …
Art. 2 - The discipline of personal data protection is grounded on the following:
Art. 3 - This Law applies to any processing operation carried out by a natural person or a legal entity of public or …
Art. 4 - This Law does not apply to the processing of personal data that:
Art. 5 - For purposes of this Law, the following definitions apply:
Art. 6 - Activities of processing of personal data shall be done in good faith and be subject to the following principles:
Section I - Requirements for the Processing of Personal Data
Art. 7 - Processing of personal data shall only be carried out under the following circumstances:
Art. 8 - The consent provided in Item I of Art. 7 of this Law shall be given in writing or by another …
Art. 9 - The data subject has the right to facilitated access to information concerning the processing of her/his data, which must be …
Art. 10 - Controller’s legitimate interest can only be grounds for processing personal data for legitimate purposes, based on particular situations, which include …
Section II - Processing of Sensitive Personal Data
Art. 11 - The processing of sensitive personal data shall only occur in the following situations:
Art. 12 - Anonymised data shall not be considered personal data, for purposes of this Law, except when the process of anonymisation to …
Art. 13 - When carrying out public health studies, research entities may have access to personal databases, which shall be processed exclusively within …
Section III - Processing of Children and Adolescents’ Personal Data
Art. 14 - The processing of personal data belonging to children and adolescents shall be done in their best interest, pursuant to this …
Section IV - Termination of Data Processing
Art. 15 - The processing of personal data shall be terminated under the following circumstances:
Art. 16 - Personal data shall be deleted following the termination of their processing, within the scope and technical limits of the activities, …
Art. 17 - Every natural person is assured ownership of her/his personal data, with the fundamental rights of freedom, intimacy and privacy being …
Art. 18 - The personal data subject has the right to obtain the following from the controller, regarding the data subject’s data being …
Art. 19 - Confirmation of the existence of or access to personal data shall be provided by means of request by the data …
Art. 20 - The data subject has the right to request review, by a natural person, of decisions taken solely on the basis …
Art. 21 - Personal data concerning the regular exercise of rights by the data subject cannot be used to her/his detriment.
Art. 22 - The defence of the interests and rights of data subjects may be carried out in court, individually or collectively, as …
Section I - Rules
Art. 23 - Processing of personal data by legal entities of public law referred to in the sole paragraph of Art. 1 of Law …
Art. 24 - Public companies and mixed-capital companies that operate in the competing market, subject to the provisions of Art. 173 of the …
Art. 25 - Data shall be kept in an interoperable format and structured for shared use intended for the execution of public policies, …
Art. 26 - The shared use of personal data by public authorities shall fulfill the specific purposes of execution of public policies and …
Art. 27 - Communication or shared use of personal data from a legal entity of public law to a legal entity of private …
Art. 28 - (vetoed)
Art. 29 - The national authority may request, at any time, that entities of the public authority carry out operations of processing of …
Art. 30 - The national authority may establish complementary rules for communication or shared use of personal data activities.
Section II - Accountability
Art. 31 - When there is an infringement of this Law as a result of personal data processing by public agencies, the national …
Art. 32 - The national authority may request agents of the public authorities to publish impact reports on protection of personal data and …
Art. 33 - International transfer of personal data is only allowed in the following …
Art. 34 - The level of data protection in the foreign country or international organisation referred to in Item I of the lead …
Art. 35 - The definition of the content of standard contractual clauses, as well as the verification of specific contractual clauses for a …
Art. 36 - Changes to guarantees presented as sufficient for compliance with the general principles of protection and of the data subject’s rights …
Section I - Controller and Processor
Art. 37 - The controller and the processor shall keep records of personal data processing operations carried out by them, especially when based …
Art. 38 - The national authority may determine that the controller must prepare an impact report on protection of personal data, including sensitive …
Art. 39 - The processor shall carry out the processing according to the instructions provided by the controller, which shall verify the obedience …
Art. 40 - The national authority may provide standards of interoperability for purposes of portability, free access to data and security, as well …
Section II - Data Protection Officer
Art. 41 - The controller shall appoint an officer to be in charge of processing personal data. §1 The identity and contact information …
Section III - Liability and Loss Compensation
Art. 42 - The controller or the processor that, as a result of carrying out their activity of processing personal data, cause material, …
Art. 43 - Processing agents shall only not be held liable when they prove that:
Art. 44 - Processing of personal data shall be irregular when it does not obey the legislation or when it does not provide …
Art. 45 - When there is violation of data subject’s right in the scope of consumer relations, the rules of liability provided in …
Section I - Security and Secrecy of Data
Art. 46 - Processing agents shall adopt security, technical and administrative measures able to protect personal data from unauthorised accesses and accidental or …
Art. 47 - Processing agents or any other person that intervenes in one of the processing phases undertake to ensure the security of …
Art. 48 - The controller must communicate to the national authority and to the data subject the occurrence of a security incident that …
Art. 49 - The systems used for processing personal data shall be structured in order to meet the security requirements, standards of good …
Section II - Good Practice and Governance
Art. 50 - Controllers and processors, within the scope of their competences, concerning processing of personal data, individually or in associations, may formulate …
Art. 51 - The national authority shall encourage the adoption of technical standards that facilitate data subjects’ control of their personal data.
Section I - Administrative Sanctions
Art. 52 - Data processing agents that commit infractions of the rules provided in this Law are subject to the following administrative sanctions, …
Art. 53 - The national authority shall define the methodologies that will be used for the calculation of the base value for fines, …
Art. 54 - The amount of daily fines applied to infractions of this Law shall be subject to the severity of the infraction …
Section I - The National Authority for Protection of Data (“ANPD”)
Art. 55 - (vetoed)
Art. 56 - (vetoed)
Art. 57 - (vetoed)
Section II - The National Board for the Protection of Personal Data and Privacy
Art. 58 - (vetoed)
Art. 59 - (vetoed)
Art. 60 - Law No. 12,965, of April 23, 2014 (the “Brazilian Internet Law”), shall henceforth contain the following alterations: “Art. 7 …
Art. 61 - The foreign company shall be notified and summoned of all procedural acts provided in this Law, irrespective of power of …
Art. 62 - The national authority and the Anísio Teixeira National Institute for Educational Studies and Research (Inep), within the scope of their …
Art. 63 - The national authority shall establish rules on the progressive suitability of databases established up to the date this Law comes …
Art. 64 - The rights and principles expressed in this Law do not exclude others provided in the Brazilian legal system related to …
Art. 65 - This Law shall come into force eighteen (18) months following its official publication.
This Law provides for the processing of personal data, including by digital means, by a natural person or a legal entity of public or private law, with the purpose of protecting the fundamental rights of freedom and privacy and the free development of the personality of the natural person.
This Law applies to any processing operation carried out by a natural person or a legal entity of public or private law, irrespective of the means, the country in which its headquarters is located or the country where the data are located, provided that:
§2 Data processing as provided in Item IV of the lead sentence of Art. 4 of this Law is exempted from the provisions of Item I of this article.
This Law does not apply to the processing of personal data that:
b) academic purposes, with Arts. 7 and 11 of this Law being applicable in these cases;
IV – have their origin outside the national territory and are not the object of communication, shared use of data with Brazilian processing agents or the object of international transfer of data with another country that is not the country of origin, since the country of origin provides a level of personal data protection adequate to that established in this Law.
§1 Processing of personal data as provided in Item III shall be governed by specific legislation, which shall provide proportional and strictly necessary measures for fulfilling the public interest, subject to due legal process, the general principles of protection and the rights of the data subjects as provided in this Law.
§2 Processing of the data referred to in Item III of the lead sentence of this article is forbidden for legal entity of private law, except in procedures under the authority of legal entity of public law, of which the national authority shall be specifically informed and which shall observe the limitation imposed in §4 of this article.
§4 Under no circumstances may the entirety of the personal data in a database, as provided in Item III of the lead sentence of this article, be processed by a legal entity of private law.
For purposes of this Law, the following definitions apply:
VI – controller: natural person or legal entity, of public or private law, that has competence to make the decisions regarding the processing of personal data;
VII – processor: natural person or legal entity, of public or private law, that processes personal data in the name of the controller;
XVIII – research body: body or entity of the direct or indirect public administration or a nonprofit legal entity of private law, legally organised under Brazilian law, with headquarters and jurisdiction in Brazil, that includes in its institutional mission or in its corporate or statutory purposes basic or applied research of a historic, scientific, technological or statistical nature;
XIX – national authority: body of the indirect public administration responsible for supervising, implementing and monitoring the compliance with this Law.
VII – security: use of technical and administrative measures which are able to protect personal data from unauthorised accesses and accidental or unlawful situations of destruction, loss, alteration, communication or dissemination;
VIII – prevention: adoption of measures to prevent the occurrence of damages due to the processing of personal data;
IX – nondiscrimination: impossibility of carrying out the processing for unlawful or abusive discriminatory purposes; and
III – by the public administration, for the processing and shared use of data which are necessary for the execution of public policies provided in laws or regulations, or based on contracts, agreements or similar instruments, subject to the provisions of Chapter IV of this Law;
V – when necessary for the execution of a contract or preliminary procedures related to a contract of which the data subject is a party, at the request of the data subject;
VI – for the regular exercise of rights in judicial, administrative or arbitration procedures, the last pursuant to Law No. 9,307, of September 23, 1996 (the “Brazilian Arbitration Law”);
§1 When the provisions of Items II and III of the lead sentence of this article are applicable, and except in the situations provided in Art. 4 of this Law, the data subject shall be informed of the situations in which processing of her/his data will be allowed.
§2 The way in which information is made available as provided in §1 and Item I of the lead sentence of Art. 23 of this Law may be specified by the national authority.
§4 The consent requirement provided in the lead sentence of this article is waived for data manifestly made public by the data subject, safeguarding the rights of the data subject and the principles provided in this Law.
§5 The controller who has obtained the consent referred to in Item I of the lead sentence of this article that needs to communicate or share personal data with other controllers shall obtain specific consent from the data subject for this purpose, except when the need for such consent is waived as provided in this Law.
§6 Any eventual waiver of the consent requirement does not release processing agents from the other obligations provided in this Law, especially that of obeying the general principles and guarantees of the data subject’s rights.
The consent provided in Item I of Art. 7 of this Law shall be given in writing or by another means that demonstrates the manifestation of the will of the data subject.
§2 The burden of proof is on the controller to show that consent was obtained in compliance with the provisions of this Law.
§5 Consent may be revoked at any time, by express manifestation of the data subject, through a facilitated and free of charge procedure, with processing carried out under previously given consent remaining valid as long as there is no request for deletion, pursuant to Item VI of the lead sentence of Art. 18 of this Law.
§6 If there is a change in the information as referred to in Items I, II, III or V of Art. 9 of this Law, the controller shall inform the data subject, with specific highlight of the content of the changes, in which case the data subject, in those cases where her/his consent is required, may revoke it if she/he disagrees with the change.
VII – the data subject’s rights, with explicit mention of the rights provided in Art. 18 of this Law.
§3 When the processing of personal data is a condition for the provision of a product or service or for the exercise of a right, the data subject shall be informed with special highlight of this fact and of the means by which she/he may exercise her/his data subject’s rights as listed in Art. 18 of this Law.
II – protection of data subject’s regular exercise of her/his rights or provision of services that benefit her/him, subject to her/his legitimate expectations and fundamental rights and freedoms, in accordance with this Law.
b) shared processing of data when necessary by the public administration for the execution of public policies provided in laws or regulations;
d) the regular exercise of rights, including in a contract and in a judicial, administrative and arbitration procedure, the last in accordance with the terms of Law No. 9,307, of September 23, 1996 (the “Brazilian Arbitration Law”);
g) ensuring the prevention of fraud and the safety of the data subject, in processes of identification and authentication of registration in electronic systems, respecting the rights mentioned in Art. 9 of this Law and except when fundamental rights and liberties of the data subject which require protection of personal data prevail.
§2 When the provisions of lines a and b of Item II of the lead sentence of this article are applied by public agencies and entities, said waiver of consent shall be publicised, pursuant to Item I of the lead sentence of Art. 23 of this Law.
Anonymised data shall not be considered personal data, for purposes of this Law, except when the process of anonymisation to which the data were submitted has been reversed, using exclusively its own means, or when it can be reversed by applying reasonable efforts.
§2 Data can be considered personal, for purposes of this Law, when they are used to formulate behavioural profiles of a particular natural person, if that person is identified.
§2 When processing data as mentioned in §1 of this article, controllers shall make public the information about the types of data collected, the way it is used and the procedures for exercising the rights referred to in Art. 18 of this Law.
III – communication by the data subject, including when exercising her/his right to revoke consent, as provided in §5 of Art. 8 of this Law, subject to the public interest;
IV – determination by the national authority when there has been a violation of the provisions of this Law.
III – transfer to third parties, provided that the requirements for data processing as provided in this Law are obeyed; or
Every natural person is assured ownership of her/his personal data, with the fundamental rights of freedom, intimacy and privacy being guaranteed, under the terms of this Law.
IV – anonymisation, blocking or deletion of unnecessary or excessive data or data processed in noncompliance with the provisions of this Law;
VI – deletion of personal data processed with the consent of the data subject, except in the situations provided in Art. 16 of this Law;
IX – revocation of consent as provided in §5 of Art. 8 of this Law.
§2 The data subject may oppose the processing carried out based on one of the situations of waiver of consent, if there is noncompliance with the provisions of this Law.
II – indicate the reasons of fact or of law that prevent the immediate adoption of the measure.
Processing of personal data by legal entities of public law referred to in the sole paragraph of Art. 1 of Law No. 12,527, of November 18, 2011 (the “Brazilian Access to Information Law”), shall be done in fulfillment of its public purpose, in benefit of the public interest, for the purpose of performing legal competences or discharging legal attributions of the public service, provided that:
II – an officer is appointed when carrying out personal data processing operations, in accordance with Art. 39 of this Law.
§2 The provisions of this Law do not release the legal entities mentioned in the lead sentence of this article from establishing the authorities as provided in Law No. 12,527, of November 18, 2011 (the “Brazilian Access to Information Law”).
§3 The time periods and procedures for exercising data subjects’ rights before the public authorities shall obey the provisions of specific legislation, especially the provisions of Law No. 9,507, of November 12, 1997 (the “Brazilian Habeas Data Law”), of Law No. 9,784, of January 29, 1999 (the “Federal Administrative Procedure Law”), and of Law No. 12,527, of November 18, 2011 (the “Brazilian Access to Information Law”).
§4 Notarial and registry services, carried out under private nature by delegation of public authorities, shall receive the same treatment given to legal entities as provided in the lead sentence of this article, in accordance with the terms of this Law.
Public companies and mixed-capital companies that operate in the competing market, subject to the provisions of Art. 173 of the Federal Constitution, shall receive the same treatment given to legal entities of private law, under the terms of this Law.
Sole paragraph. Public and mixed-capital companies, when they are carrying out public policies and within the scope of their execution, shall receive the same treatment given to the bodies and entities of the public authorities, under the terms of this Chapter.
The shared use of personal data by public authorities shall fulfill the specific purposes of execution of public policies and legal attributions by agencies and public entities, subject to the principles of personal data protection listed in Art. 6 of this Law.
§1 It is forbidden for public authorities to transfer to private entities personal data contained in databases to which they have access, except:
I – in cases of decentralized execution of public activity that requires transfer, exclusively for this specific and distinct purpose, subject to the provisions of Law No. 12,527, of November 18, 2011 (the “Brazilian Access to Information Law”);
II – (vetoed); and
III – in cases in which the data are publicly accessible, subject to the provisions of this Law.
§2 Contracts and agreements as mentioned in §1 of this article shall be communicated to the national authority.
Communication or shared use of personal data from a legal entity of public law to a legal entity of private law shall be communicated to the national authority and shall rely on the consent of the data subject, except:
I – in situations in which consent is waived as provided in this Law;
II – when there is shared use of data, which will be publicized pursuant to Item I of the lead sentence of Art. 23 of this Law; or
III – in the exceptions contained in §1 of Art. 26 of this Law.
The national authority may request, at any time, that entities of the public authority that carry out personal data processing operations provide a specific report about the scope and nature of the data and other details of the processing, and may issue a complementary technical opinion to ensure compliance with this Law.
When there is an infringement of this Law as a result of personal data processing by public agencies, the national authority may send a report with applicable measures to stop the violation.
I – to countries or international organisations that provide a level of protection of personal data that is adequate to the provisions of this Law;
II – when the controller offers and proves guarantees of compliance with the principles and the rights of the data subject and the regime of data protection provided in this Law, in the form of:
III – when the transfer is necessary for international legal cooperation between public intelligence, investigative and prosecutorial agencies, in accordance with the instruments of international law;
VII – when the transfer is necessary for the execution of a public policy or legal attribution of public service, which shall be publicised pursuant to Item I of the lead sentence of Art. 23 of this Law;
IX – when it is necessary to satisfy the situations provided in Items II, V and VI of Art. 7 of this Law.
Sole paragraph. For purposes of Item I of this article, the legal entities of public law referred to in the sole paragraph of Art. 1 of Law No. 12,527, of November 18, 2011 (the “Brazilian Access to Information Law”), within their legal competences, and those parties accountable, within the scope of their activities, may request the national authority to evaluate the level of protection of personal data provided by a country or international organisation.
The level of data protection in the foreign country or international organisation referred to in Item I of the lead sentence of Art. 33 of this Law shall be evaluated by the national authority, which shall take into consideration:
III – the compliance with the general principles of personal data protection and data subjects’ rights as provided in this Law;
The definition of the content of standard contractual clauses, as well as the verification of specific contractual clauses for a particular transfer, global corporate rules or stamps, certificates and codes of conduct, referred to in Item II of the lead sentence of Art. 33 of this Law, will be done by the national authority.
§1 To verify the provision of the lead sentence of this article, requirements, conditions and minimum guarantees for the transfer that obey the rights, guarantees and principles of this Law must be considered.
§4 Acts carried out by certification entities may be reviewed by the national authority and, if they are not in compliance with this Law, submitted for revision or voided.
§5 Guarantees sufficient for compliance with the general principles of protection and data subject’s rights referred to in the lead sentence of this article shall also be analysed in accordance with the technical and organisational measures adopted by the processor, according to the provisions of §§1 and 2 of Art. 46 of this Law.
Changes to guarantees presented as sufficient for compliance with the general principles of protection and of the data subject’s rights referred to in Item II of Art. 33 of this Law shall be communicated to the national authority.
I – the processor jointly answers for the damages caused by the processing when it does not comply with the obligations of data protection legislation or when it has not followed the controller’s lawful instructions, in which case the processor is deemed equivalent to the controller, except in cases of exclusion as provided in Art. 43 of this Law;
II – controllers who are directly involved in the processing from which damages resulted to the data subject shall jointly answer, except in cases of exclusion as provided in Art. 43 of this Law.
§2 The judge, in a civil lawsuit, may reverse the burden of proof in favor of the data subject when, at her/his discretion, the allegation appears to be true, there are no funds for the purpose of producing evidence or when production of evidence by the data subject would be overly burdensome.
§3 Lawsuits for compensation for collective damages, the objective of which is liability pursuant to the terms of the lead sentence of this article, may be filed collectively in court, subject to the provisions of pertinent legislation.
III – the techniques for processing personal data available at the time it was done.
Sole paragraph. The controller or the processor who neglect to adopt the security measures provided in Art. 46 of this Law shall be held liable for the damages caused by the violation of the security of the data that caused the damage.
Processing agents shall adopt security, technical and administrative measures able to protect personal data from unauthorised accesses and accidental or unlawful situations of destruction, loss, alteration, communication or any type of improper or unlawful processing.
§1 The national authority may provide minimum technical standards to make the provisions of the lead sentence of this article applicable, taking into account the nature of the processed information, the specific characteristics of the processing and the current state of technology, especially in the case of sensitive personal data, as well as the principles provided in the lead sentence of Art. 6 of this Law.
Processing agents or any other person that intervenes in one of the processing phases undertake to ensure the security of the information as provided in this Law regarding personal data, even following conclusion thereof.
The systems used for processing personal data shall be structured in order to meet the security requirements, standards of good practice and governance, general principles provided in this Law and other regulatory rules.
§2 When applying the principles mentioned in Items VII and VIII of the lead sentence of Art. 6 of this Law, and subject to the structure, scale and volume of her/his operations, as well as the sensitivity of the processed data and the probability and seriousness of the damages to data subjects, the controller may:
II – demonstrate the effectiveness of her/his privacy governance program when appropriate and, especially, at the request of the national authority or other entity responsible for promoting compliance with good practices or codes of conduct, which, independently, promote compliance with this Law.
Data processing agents that commit infractions of the rules provided in this Law are subject to the following administrative sanctions, to be applied by the national authority:
VIII – repeated and demonstrated adoption of internal mechanisms and procedures capable of minimising the damage, for secure and proper data processing, in accordance with the provisions of Item II of §2 of Art. 48 of this Law.
§3 The provisions of Items I, IV, V, VI, VII, VIII and IX of the lead sentence of this article may be applied to public entities and bodies, without prejudice to the provisions of Laws Nos. 8,112, of December 11, 1990 (the “Legal Framework for Public Servants”), 8,429, of June 2, 1992 (the “Administrative Improbity Law”), and 12,527, of November 18, 2011 (the “Brazilian Access to Information Law”).
The national authority shall define the methodologies that will be used for the calculation of the base value for fines, by means of its own regulations concerning administrative sanctions for violations of this Law, which must be the object of a public consultation.
§1 The methodologies referred to in the lead sentence of this article shall be previously published, for the information of the processing agents, and shall objectively present the forms and methods for calculating the base value of the fines, which shall contain detailed grounds for all its elements, demonstrating obedience to the criteria provided in this Law.
The amount of daily fines applied to infractions of this Law shall be subject to the severity of the infraction and the extent of the damage or losses caused, and with grounded reasoning by the national authority.
Sole paragraph. The notice of imposition of a daily fine shall contain, as minimum information, the description of the obligation being imposed, the reasonable timeframe stipulated by the body for compliance and the amount of the daily fine to be applied for non-compliance.
Law No. 12,965, of April 23, 2014 (the “Brazilian Internet Law”), shall henceforth contain the following alterations:
“Art. 7 …
X – permanent deletion of personal data that has been provided to an internet application, upon request, at the termination of the relationship between the parties, except in the situations in which storage of records is obligatory, as provided in this Law and in that which governs personal data protection;
…” (New Wording)
“Art. 16 …
II – from personal data that are excessive in relation to the purpose for which consent was given by the data subject, except in situations provided in the Law that governs personal data protection.” (New Wording)
The foreign company shall be notified and summoned of all procedural acts provided in this Law, irrespective of power of attorney or contractual or statutory provisions, in the person of the agent or representative or person responsible for its subsidiary, agency, branch, establishment or office located in Brazil.
The national authority and the Anísio Teixeira National Institute for Educational Studies and Research (Inep), within the scope of their competences, shall enact specific regulations for accessing data processed by the Union for compliance with the provisions of §2 of Art. 9 of Law No. 9,394, of December 20, 1996 (the “Directive and Bases of National Education Act”), and those relating to the National Higher Education Evaluation System (Sinaes), as provided in Law No. 10,861, of April 14, 2004.
The national authority shall establish rules on the progressive suitability of databases established up to the date this Law comes into force, taking into account the complexity of the data processing operations and the nature of the data.
The rights and principles expressed in this Law do not exclude others provided in the Brazilian legal system related to the matter or in international treaties to which the Federative Republic of Brazil is a party.
This Law shall come into force eighteen (18) months following its official publication.