Art. 55 - (vetoed)
Art. 56 - (vetoed)
Art. 57 - (vetoed)
Art. 58 - (vetoed)
Art. 59 - (vetoed)
§2 Processing of the data referred to in Item III of the lead sentence of this article is forbidden for legal entity of private law, except in procedures under the authority of legal entity of public law, of which the national authority shall be specifically informed and which shall observe the limitation imposed in §4 of this article.
§3 The national authority shall issue technical opinions or recommendations regarding the exceptions provided in Item III of the lead sentence of this article, and shall request of the responsible parties impact reports on protection of personal data.
VIII – officer: natural person, appointed by the controller, who acts as a communication channel between the controller, the data subjects and the national authority;
XIX – national authority: body of the indirect public administration responsible for supervising, implementing and monitoring the compliance with this Law.
§2 The way in which information is made available as provided in §1 and Item I of the lead sentence of Art. 23 of this Law may be specified by the national authority.
§3 The national authority may request of the controller an impact report on protection of personal data when processing is based on her/his legitimate interest, subject to commercial and industrial secrecy.
§3 Communication or shared use of sensitive personal data between controllers for the purpose of obtaining an economic advantage may be prohibited or regulated by the national authority, after hearing the sectoral entities of the public authority, within their competences.
§3 The national authority may provide for standards and techniques to be used in processes of anonymisation, and carry out security checks, with opinions from the National Board for the Protection of Personal Data.
§3 Access to data as provided in this article shall be the object of regulation by the national authority and of the authorities in the area of health and sanitation, within the scope of their competences.
IV – determination by the national authority when there has been a violation of the provisions of this Law.
§1 The personal data subject has the right to petition, regarding her/his data, against the controller before the national authority.
§3 When processing originates from the consent of the data subject or from a contract, the data subject may request a complete electronic copy of her/his personal data, subject to commercial and industrial secrecy, in accordance with regulations of the national authority, in a format that allows its subsequent use, including for other processing operations.
§4 The national authority may provide differently regarding the time periods provided in Items I and II of the lead sentence of this article for specific sectors.
§2 If there is no offer of information as provided in §1 of this article, based on commercial and industrial secrecy, the national authority may carry out an audit to verify discriminatory aspects in automated processing of personal data.
§1 The national authority may provide for the forms of publicity regarding processing operations.
The shared use of personal data by public authorities shall fulfill the specific purposes of execution of public policies and legal attributions by agencies and public entities, subject to the principles of personal data protection listed in Art. 6 of this Law.
§1 It is forbidden for public authorities to transfer to private entities personal data contained in databases to which they have access, except:
I – in cases of decentralized execution of public activity that requires transfer, exclusively for this specific and distinct purpose, subject to the provisions of Law No. 12,527, of November 18, 2011 (the “Brazilian Access to Information Law”);
II – (vetoed); and
III – in cases in which the data are publicly accessible, subject to the provisions of this Law.
§2 Contracts and agreements as mentioned in §1 of this article shall be communicated to the national authority.
Communication or shared use of personal data from a legal entity of public law to a legal entity of private law shall be communicated to the national authority and shall rely on the consent of the data subject, except:
I – in situations in which consent is waived as provided in this Law;
II – when there is shared use of data, which will be publicized pursuant to Item I of the lead sentence of Art. 23 of this Law; or
III – in the exceptions contained in §1 of Art. 26 of this Law.
The national authority may request, at any time, from entities of the public authority that carry out operations of processing of personal data, a specific report about the scope and nature of the data and other details of the processing, and may issue a complementary technical opinion to ensure compliance with this Law.
The national authority may establish complementary rules for communication or shared use of personal data activities.
When there is an infringement of this Law as a result of personal data processing by public agencies, the national authority may send a report with applicable measures to stop the violation.
The national authority may request agents of the public authorities to publish impact reports on protection of personal data and may suggest the adoption of standards and good practices for processing personal data by the public authorities.
V – when the national authority authorises the transfer;
IX – when it is necessary to satisfy the situations provided in Items II, V and VI of Art. 7 of this Law.
Sole paragraph. For purposes of Item I of this article, the legal entities of public law referred to in the sole paragraph of Art. 1 of Law No. 12,527, of November 18, 2011 (the “Brazilian Access to Information Law”), within their legal competences, and those parties accountable, within the scope of their activities, may request the national authority to evaluate the level of protection of personal data provided by a country or international organisation.
The level of data protection in the foreign country or international organisation referred to in Item I of the lead sentence of Art. 33 of this Law shall be evaluated by the national authority, which shall take into consideration:
The definition of the content of standard contractual clauses, as well as the verification of specific contractual clauses for a particular transfer, global corporate rules or stamps, certificates and codes of conduct, referred to in Item II of the lead sentence of Art. 33 of this Law, will be done by the national authority.
§2 When analyzing contractual clauses, documents or global corporate rules submitted to the national authority for approval, supplementary information or due diligences performed for verification of the processing operations may be required, when necessary.
§3 The national authority may designate certification entities to carry out the provisions of the lead sentence of this article, which shall remain under their inspection subject to the terms defined in regulation.
§4 Acts carried out by certification entities may be reviewed by the national authority and, if they are not in compliance with this Law, submitted for revision or voided.
Changes to guarantees presented as sufficient for compliance with the general principles of protection and of the data subject’s rights referred to in Item II of Art. 33 of this Law shall be communicated to the national authority.
The national authority may determine that the controller must prepare an impact report on protection of personal data, including sensitive data, referring to its data processing operations, pursuant to regulations, subject to commercial and industrial secrecy.
Sole paragraph. Subject to the provisions of the lead sentence of this article, the report must contain at least a description of the types of data collected, the methodology used for collection and for ensuring the security of the information, and the analysis of the controller regarding the adopted measures, safeguards and mechanisms of risk mitigation.
The national authority may provide standards of interoperability for purposes of portability, free access to data and security, as well as regarding the time for which records must be kept, especially in view of the need and the transparency.
The controller shall appoint an officer to be in charge of processing personal data.
§1 The identity and contact information of the officer shall be publicly disclosed, in a clear and objective manner, preferably on the controller’s website.
§2 The officer’s activities consist of:
I – accepting complaints and communications from data subjects, providing explanations and adopting measures;
II – receiving communications from the national authority and adopting measures;
III – orienting the entity’s employees and contractors regarding practices to be taken in relation to personal data protection; and
IV – carrying out other duties as determined by the controller or set forth in complementary rules.
§3 The national authority may establish complementary rules about the definition and the duties of the officer, including situations in which the appointment of such person may be waived, according to the nature and the size of the entity or the volume of data processing operations.
§1 The national authority may provide minimum technical standards to make the provisions of the lead sentence of this article applicable, taking into account the nature of the processed information, the specific characteristics of the processing and the current state of technology, especially in the case of sensitive personal data, as well as the principles provided in the lead sentence of Art. 6 of this Law.
The controller must communicate to the national authority and to the data subject the occurrence of a security incident that may create risk or relevant damage to the data subjects.
§1 The communication shall be done in a reasonable time period, as defined by the national authority, and shall contain, as a minimum:
§2 The national authority shall verify the seriousness of the incident and may, if necessary to safeguard the data subjects’ rights, order the controller to adopt measures, such as:
II – demonstrate the effectiveness of her/his privacy governance program when appropriate and, especially, at the request of the national authority or other entity responsible for promoting compliance with good practices or codes of conduct, which, independently, promote compliance with this Law.
§3 Rules of good practice and governance shall be published and updated periodically and may be recognised and disclosed by the national authority.
The national authority shall encourage the adoption of technical standards that facilitate data subjects’ control of their personal data.
Data processing agents that commit infractions of the rules provided in this Law are subject to the following administrative sanctions, to be applied by the national authority:
§4 When calculating the amount of the fine provided in Item II of the lead sentence of this article, the national authority may consider the total revenues of the company or group of companies when it does not have the amount of revenues from the business activity in which the infraction occurred, as defined by the national authority, or when that amount is presented in an incomplete form or is not demonstrated unequivocally and reliably.
The national authority shall define the methodologies that will be used for the calculation of the base value for fines, by means of its own regulations concerning administrative sanctions for violations of this Law, which must be the object of a public consultation.
The amount of daily fines applied to infractions of this Law shall be subject to the severity of the infraction and the extent of the damage or losses caused, with grounded reasoning by the national authority.
Sole paragraph. The notice of imposition of a daily fine shall contain, as minimum information, the description of the obligation being imposed, the reasonable timeframe stipulated by the body for compliance and the amount of the daily fine to be applied for non-compliance.
The national authority and the Anísio Teixeira National Institute for Educational Studies and Research (Inep), within the scope of their competences, shall enact specific regulations for accessing data processed by the Union for compliance with the provisions of §2 of Art. 9 of Law No. 9,394, of December 20, 1996 (the “Directive and Bases of National Education Act”), and those relating to the National Higher Education Evaluation System (Sinaes), as provided in Law No. 10,861, of April 14, 2004.
The national authority shall establish rules on the progressive suitability of databases established up to the date this Law comes into force, taking into account the complexity of the data processing operations and the nature of the data.