Art. 1 - This Law provides for the processing of personal data, including by digital means, by a natural person or a legal
Art. 2 - The discipline of personal data protection is grounded on the following:
Art. 3 - This Law applies to any processing operation carried out by a natural person or a legal entity of public or
Art. 4 - This Law does not apply to the processing of personal data that:
Art. 5 - For purposes of this Law, the following definitions apply:
Art. 6 - Activities of processing of personal data shall be done in good faith and be subject to the following principles:
Section I - Requirements for the Processing of Personal Data
Art. 7 - Processing of personal data shall only be carried out under the following circumstances:
Art. 8 - The consent provided in Item I of Art. 7 of this Law shall be given in writing or by another
Art. 9 - The data subject has the right to facilitated access to information concerning the processing of her/his data, which must be
Art. 10 - Controller’s legitimate interest can only be grounds for processing personal data for legitimate purposes, based on particular situations, which include
Section II - Processing of Sensitive Personal Data
Art. 11 - The processing of sensitive personal data shall only occur in the following situations:
Art. 12 - Anonymised data shall not be considered personal data, for purposes of this Law, except when the process of anonymisation to
Art. 13 - When carrying out public health studies, research entities may have access to personal databases, which shall be processed exclusively within
Section III - Processing of Children and Adolescents’ Personal Data
Art. 14 - The processing of personal data belonging to children and adolescents shall be done in their best interest, pursuant to this
Section IV - Termination of Data Processing
Art. 15 - The processing of personal data shall be terminated under the following circumstances:
Art. 16 - Personal data shall be deleted following the termination of their processing, within the scope and technical limits of the activities,
Art. 17 - Every natural person is assured ownership of her/his personal data, with the fundamental rights of freedom, intimacy and privacy being
Art. 18 - The personal data subject has the right to obtain the following from the controller, regarding the data subject’s data being
Art. 19 - Confirmation of the existence of or access to personal data shall be provided by means of request by the data
Art. 20 - The data subject has the right to request review, by a natural person, of decisions taken solely on the basis
Art. 21 - Personal data concerning the regular exercise of rights by the data subject cannot be used to her/his detriment.
Art. 22 - The defence of the interests and rights of data subjects may be carried out in court, individually or collectively, as
Section I - Rules
Art. 23 - Processing of personal data by legal entities of public law referred to in the sole paragraph of Art. 1 of Law
Art. 24 - Public companies and mixed-capital companies that operate in the competing market, subject to the provisions of Art. 173 of the
Art. 25 - Data shall be kept in an interoperable format and structured for shared use intended for the execution of public policies,
Art. 26 - The shared use of personal data by public authorities shall fulfill the specific purposes of execution of public policies and
Art. 27 - Communication or shared use of personal data from a legal entity of public law to a legal entity of private
Art. 28 - (vetoed)
Art. 29 - The national authority may request, at any time, that entities of the public authority carry out operations of processing of
Art. 30 - The national authority may establish complementary rules for communication or shared use of personal data activities.
Section II - Accountability
Art. 31 - When there is an infringement of this Law as a result of personal data processing by public agencies, the national
Art. 32 - The national authority may request agents of the public authorities to publish impact reports on protection of personal data and
Art. 33 - International transfer of personal data is only allowed in the following
Art. 34 - The level of data protection in the foreign country or international organisation referred to in Item I of the lead
Art. 35 - The definition of the content of standard contractual clauses, as well as the verification of specific contractual clauses for a
Art. 36 - Changes to guarantees presented as sufficient for compliance with the general principles of protection and of the data subject’s rights
Section I - Controller and Processor
Art. 37 - The controller and the processor shall keep records of personal data processing operations carried out by them, especially when based
Art. 38 - The national authority may determine that the controller must prepare an impact report on protection of personal data, including sensitive
Art. 39 - The processor shall carry out the processing according to the instructions provided by the controller, which shall verify the obedience
Art. 40 - The national authority may provide standards of interoperability for purposes of portability, free access to data and security, as well
Section II - Data Protection Officer
Art. 41 - The controller shall appoint an officer to be in charge of processing personal data. §1 The identity and contact information
Section III - Liability and Loss Compensation
Art. 42 - The controller or the processor that, as a result of carrying out their activity of processing personal data, cause material,
Art. 43 - Processing agents shall only not be held liable when they prove that:
Art. 44 - Processing of personal data shall be irregular when it does not obey the legislation or when it does not provide
Art. 45 - When there is violation of data subject’s right in the scope of consumer relations, the rules of liability provided in
Section I - Security and Secrecy of Data
Art. 46 - Processing agents shall adopt security, technical and administrative measures able to protect personal data from unauthorised accesses and accidental or
Art. 47 - Processing agents or any other person that intervenes in one of the processing phases undertake to ensure the security of
Art. 48 - The controller must communicate to the national authority and to the data subject the occurrence of a security incident that
Art. 49 - The systems used for processing personal data shall be structured in order to meet the security requirements, standards of good
Section II - Good Practice and Governance
Art. 50 - Controllers and processors, within the scope of their competences, concerning processing of personal data, individually or in associations, may formulate
Art. 51 - The national authority shall encourage the adoption of technical standards that facilitate data subjects’ control of their personal data.
Section I - Administrative Sanctions
Art. 52 - Data processing agents that commit infractions of the rules provided in this Law are subject to the following administrative sanctions,
Art. 53 - The national authority shall define the methodologies that will be used for the calculation of the base value for fines,
Art. 54 - The amount of daily fines applied to infractions of this Law shall be subject to the severity of the infraction
Section I - The National Authority for Protection of Data (“ANPD”)
Art. 55 - (vetoed)
Art. 56 - (vetoed)
Art. 57 - (vetoed)
Section II - The National Board for the Protection of Personal Data and Privacy
Art. 58 - (vetoed)
Art. 59 - (vetoed)
Art. 60 - Law No. 12,965, of April 23, 2014 (the “Brazilian Internet Law”), shall henceforth contain the following alterations: “Art. 7 …
Art. 61 - The foreign company shall be notified and summonsed of all procedural acts provided in this Law, irrespective of power of
Art. 62 - The national authority and the Anísio Teixeira National Institute for Educational Studies and Research (Inep), within the scope of their
Art. 63 - The national authority shall establish rules on the progressive suitability of databases established up to the date this Law comes
Art. 64 - The rights and principles expressed in this Law do not exclude others provided in the Brazilian legal system related to
Art. 65 - This Law shall come into force eighteen (18) months following its official publication.
This Law provides for the processing of personal data, including by digital means, by a natural person or a legal entity of public or private law, with the purpose of protecting the fundamental rights of freedom and privacy and the free development of the personality of the natural person.
The discipline of personal data protection is grounded on the following:
III – the personal data being processed were collected in the national territory.
This Law does not apply to the processing of personal data that:
IV – have their origin outside the national territory and are not the object of communication, shared use of data with Brazilian processing agents or the object of international transfer of data with another country that is not the country of origin, since the country of origin provides a level of personal data protection adequate to that established in this Law.
§1 Processing of personal data as provided in Item III shall be governed by specific legislation, which shall provide proportional and strictly necessary measures for fulfilling the public interest, subject to due legal process, the general principles of protection and the rights of the data subjects as provided in this Law.
§3 The national authority shall issue technical opinions or recommendations regarding the exceptions provided in Item III of the lead sentence of this article, and shall request of the responsible parties impact reports on protection of personal data.
§4 Under no circumstances may the entirety of the personal data in a database, as provided in Item III of the lead sentence of this article, be processed by a legal entity of private law.
I – personal data: information regarding an identified or identifiable natural person;
II – sensitive personal data: personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organisation membership, data concerning health or sex life, genetic or biometric data, when related to a natural person;
IV – database: structured set of personal data, kept in one or several locations, in electronic or physical support;
V – data subject: a natural person to whom the personal data that are the object of processing refer;
VI – controller: natural person or legal entity, of public or private law, that has competence to make the decisions regarding the processing of personal data;
VII – processor: natural person or legal entity, of public or private law, that processes personal data in the name of the controller;
X – processing: any operation carried out with personal data, such as collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation or control of the information, modification, communication, transfer, dissemination or extraction;
XII – consent: free, informed and unambiguous manifestation whereby the data subject agrees to the processing of her/his personal data for a given purpose;
XIII – blocking: temporary suspension of any processing operation, by means of retention of the personal data or the database;
XV – international data transfer: transfer of personal data to a foreign country or to an international entity of which the country is a member;
XVI – shared use of data: communication, dissemination, international transfer, interconnection of personal data or shared processing of banks of personal data by public agencies and entities, in compliance with their legal competences, or between these and private entities, reciprocally, with specific authorisation, for one or more types of processing allowed by these public entities, or among private entities;
XVII – impact report on protection of personal data: documentation from the controller that contains the description of the proceedings of processing of the personal data that could generate risks to civil liberties and fundamental rights, as well as measures, safeguards and mechanisms to mitigate the risk;
Activities of processing of personal data shall be done in good faith and be subject to the following principles:
IV – free access: guarantee to the data subjects of facilitated and free of charge consultation about the form and duration of the processing, as well as about the integrity of their personal data;
VII – security: use of technical and administrative measures which are able to protect personal data from unauthorised accesses and accidental or unlawful situations of destruction, loss, alteration, communication or dissemination;
VIII – prevention: adoption of measures to prevent the occurrence of damages due to the processing of personal data;
X – accountability: demonstration by the agent of the adoption of measures which are efficient and capable of proving the compliance with the rules of personal data protection, including the efficacy of such measures.
Processing of personal data shall only be carried out under the following circumstances:
IV – for carrying out studies by research entities, ensuring, whenever possible, the anonymisation of personal data;
IX – when necessary to fulfil the legitimate interests of the controller or a third party, except when the data subject’s fundamental rights and liberties which require personal data protection prevail; or
§3 The processing of publicly accessible personal data shall consider the purpose, the good faith and the public interest that justify its being made available.
§5 The controller who has obtained the consent referred to in Item I of the lead sentence of this article that needs to communicate or share personal data with other controllers shall obtain specific consent from the data subject for this purpose, except when the need for such consent is waived as provided in this Law.
§3 It is prohibited to process personal data if the consent is defective.
§4 Consent shall refer to particular purposes, and generic authorisations for processing personal data shall be void.
§2 In the situation when consent is required, if there are changes in the purpose of the processing of personal data that are not compatible with the original consent, the controller shall previously inform the data subject of the changes of purpose, and the data subject may revoke her/his consent if she/he disagrees with the changes.
§3 When the processing of personal data is a condition for the provision of a product or service or for the exercise of a right, the data subject shall be informed with special highlight of this fact and of the means by which she/he may exercise her/his data subject’s rights as listed in Art. 18 of this Law.
Controller’s legitimate interest can only be grounds for processing personal data for legitimate purposes, based on particular situations, which include but are not limited to:
§1 When processing is based on the controller’s legitimate interest, only the personal data which are strictly necessary for the intended purpose may be processed.
§3 The national authority may request of the controller an impact report on protection of personal data, when processing is based on her/his legitimate interest, subject to commercial and industrial secrecy.
The processing of sensitive personal data shall only occur in the following situations:
c) studies carried out by a research entity, whenever possible ensuring the anonymisation of sensitive personal data;
g) ensuring the prevention of fraud and the safety of the data subject, in processes of identification and authentication of registration in electronic systems, respecting the rights mentioned in Art. 9 of this Law and except when fundamental rights and liberties of the data subject which require protection of personal data prevail.
§1 The provisions of this article apply to any processing of personal data that reveals sensitive personal data and that may cause harm to the data subject, subject to the provisions of specific legislation.
§3 Communication or shared use of sensitive personal data between controllers for the purpose of obtaining an economic advantage may be prohibited or regulated by the national authority, after hearing the sectoral entities of the public authority, within their competences.
§4 Communication or shared use between controllers of sensitive personal data referring to health for the purpose of obtaining an economic advantage is prohibited, except in cases of portability of data when consented by the data subject.
Anonymised data shall not be considered personal data, for purposes of this Law, except when the process of anonymisation to which the data were submitted has been reversed, using exclusively its own means, or when it can be reversed applying reasonable efforts.
§3 The national authority may provide for standards and techniques to be used in processes of anonymisation, and carry out security checks, with opinions from the National Board for the Protection of Personal Data.
When carrying out public health studies, research entities may have access to personal databases, which shall be processed exclusively within the entity and strictly for the purpose of carrying out studies and research and shall be kept in a controlled and secure environment, in accordance with security practices provided in specific regulation and that include, whenever possible, anonymisation or pseudonymization of the data, as well as taking into account the proper ethical standards related to studies and research.
§1 Disclosure of the results or of any portion of the study or the research, as mentioned in the lead sentence of this article, shall under no circumstances reveal personal data.
The processing of personal data belonging to children and adolescents shall be done in their best interest, pursuant to this article and pertinent legislation.
§1 The processing of children’s personal data shall be done with specific and highlighted consent given by at least one of the parents or the legal representative.
§3 Children’s personal data may be collected without the consent mentioned in §1 of this article when collection is necessary to contact the parents or the legal representative, used one single time and not stored, or for their protection, and under no circumstances shall the data be passed on to third parties without consent as provided in §1 of this article.
The processing of personal data shall be terminated under the following circumstances:
Personal data shall be deleted following the termination of their processing, within the scope and technical limits of the activities, their storage being authorised for the following purposes:
II – study by a research entity, ensuring, whenever possible, the anonymisation of the personal data;
Every natural person is assured ownership of her/his personal data, with the fundamental rights of freedom, intimacy and privacy being guaranteed, under the terms of this Law.
The personal data subject has the right to obtain the following from the controller, regarding the data subject’s data being processed by the controller, at any time and by means of request:
VI – deletion of personal data processed with the consent of the data subject, except in the situations provided in Art. 16 of this Law;
§1 The personal data subject has the right to petition, regarding her/his data, against the controller before the national authority.
§7 The portability of personal data referred to in Item V of the lead sentence of this article does not include data that have already been anonymised by the controller.
Confirmation of the existence of or access to personal data shall be provided by means of request by the data subject:
§1 Personal data shall be stored in a format that facilitates the exercise of the right to access.
§3 When processing originates from the consent of the data subject or from a contract, the data subject may request a complete electronic copy of her/his personal data, subject to commercial and industrial secrecy, in accordance with regulations of the national authority, in a format that allows its subsequent use, including for other processing operations.
The data subject has the right to request review, by a natural person, of decisions taken solely on the basis of automated processing of personal data that affects her/his interests, including decisions intended to define her/his personal, professional, consumer or credit profile or aspects of her/his personality.
§2 If there is no offer of information as provided in §1 of this article, based on commercial and industrial secrecy, the national authority may carry out an audit to verify discriminatory aspects in automated processing of personal data.
Personal data concerning the regular exercise of rights by the data subject cannot be used to her/his detriment.
Processing of personal data by legal entities of public law referred to in the sole paragraph of Art. 1 of Law No. 12,527, of November 18, 2011 (the “Brazilian Access to Information Law”), shall be done in fulfillment of its public purpose, in benefit of the public interest, for the purpose of performing legal competences or discharging legal attributions of the public service, provided that:
I – they communicate the situations in which, in the exercise of their competences, they carry out processing of personal data, supplying clear and up-to-date information about the legal base, purpose, procedures and practices used to carry out these activities in easily accessible media, preferably on their websites;
II – an officer is appointed when carrying out personal data processing operations, in accordance with Art. 39 of this Law.
The shared use of personal data by public authorities shall fulfill the specific purposes of execution of public policies and legal attributions by agencies and public entities, subject to the principles of personal data protection listed in Art. 6 of this Law.
§1 It is forbidden for public authorities to transfer to private entities personal data contained in databases to which they have access, except:
I – in cases of decentralized execution of public activity that requires transfer, exclusively for this specific and distinct purpose, subject to the provisions of Law No. 12,527, of November 18, 2011 (the “Brazilian Access to Information Law”);
II – (vetoed); and
II – in cases in which the data are publicly accessible, subject to the provisions of this Law.
§2 Contracts and agreements as mentioned in §1 of this article shall be communicated to the national authority.
Communication or shared use of personal data from a legal entity of public law to a legal entity of private law shall be communicated to the national authority and shall rely on the consent of the data subject, except:
I – in situations in which consent is waived as provided in this Law;
II – when there is shared use of data, which will be publicized pursuant to Item I of the lead sentence of Art. 23 of this Law; or
III – in the exceptions contained in §1 of Art. 26 of this Law.
The national authority may request, at any time, of entities of the public authority that carry out operations of processing of personal data, a specific report about the scope and nature of the data and other details of the processing, and may issue a complementary technical opinion to ensure compliance with this Law.
The national authority may establish complementary rules for communication or shared use of personal data activities.
When there is an infringement of this Law as a result of personal data processing by public agencies, the national authority may send a report with applicable measures to stop the violation.
The national authority may request agents of the public authorities to publish impact reports on protection of personal data and may suggest the adoption of standards and good practices for processing personal data by the public authorities.
International transfer of personal data is only allowed in the following
I – to countries or international organisations that provide a level of protection of personal data that is adequate to the provisions of this Law;
IX – when it is necessary to satisfy the situations provided in Items II, V and VI of Art. 7 of this Law.
Sole paragraph. For purposes of Item I of this article, the legal entities of public law referred to in the sole paragraph of Art. 1 of Law No. 12,527, of November 18, 2011 (the “Brazilian Access to Information Law”), within their legal competences, and those parties accountable, within the scope of their activities, may request the national authority to evaluate the level of protection of personal data provided by a country or international organisation.
III – the compliance with the general principles of personal data protection and data subjects’ rights as provided in this Law;
V – the existence of judicial and institutional guarantees for respecting the rights of personal data protection; and
The controller and the processor shall keep records of personal data processing operations carried out by them, especially when based on legitimate interest.
The national authority may determine that the controller must prepare an impact report on protection of personal data, including sensitive data, referring to its data processing operations, pursuant to regulations, subject to commercial and industrial secrecy.
Sole paragraph. Subject to the provisions of the lead sentence of this article, the report must contain at least a description of the types of data collected, the methodology used for collection and for ensuring the security of the information, and the analysis of the controller regarding the adopted measures, safeguards and mechanisms of risk mitigation.
The controller shall appoint an officer to be in charge of processing personal data.
§1 The identity and contact information of the officer shall be publicly disclosed, in a clear and objective manner, preferably on the controller’s website.
§2 Officer’s activities consist of:
I – accepting complaints and communications from data subjects, providing explanations and adopting measures;
II – receiving communications from the national authority and adopting measures;
III – orienting entity’s employees and contractors regarding practices to be taken in relation to personal data protection; and
IV – carrying out other duties as determined by the controller or set forth in complementary rules.
§3 The national authority may establish complementary rules about the definition and the duties of the officer, including situations in which the appointment of such person may be waived, according to the nature and the size of the entity or the volume of data processing operations.
The controller or the processor that, as a result of carrying out their activity of processing personal data, cause material, moral, individual or collective damage to others, in violation of legislation for the protection of personal data, are obligated to redress it.
I – they did not carry out the processing of personal data that is attributed to them;
II – although they did carry out the processing of personal data that is attributed to them, there was no violation of the data protection legislation; or
Processing of personal data shall be irregular when it does not obey the legislation or when it does not provide the security that its data subject can expect of it, considering the relevant circumstances, among which are:
III – the techniques for processing personal data available at the time it was done.
Sole paragraph. The controller or the processor who neglect to adopt the security measures provided in Art. 46 of this Law shall be held liable for the damages caused by the violation of the security of the data that caused the damage.
Processing agents shall adopt security, technical and administrative measures able to protect personal data from unauthorised accesses and accidental or unlawful situations of destruction, loss, alteration, communication or any type of improper or unlawful processing.
§1 The national authority may provide minimum technical standards to make the provisions of the lead sentence of this article applicable, taking into account the nature of the processed information, the specific characteristics of the processing and the current state of technology, especially in the case of sensitive personal data, as well as the principles provided in the lead sentence of Art. 6 of this Law.
Processing agents or any other person that intervenes in one of the processing phases undertake to ensure the security of the information as provided in this Law regarding personal data, even following conclusion thereof.
I – a description of the nature of the affected personal data;
§3 When judging the severity of the incident, any demonstration that adequate technical measures were adopted, within the scope and the technical limits of the services, to render the affected personal data unintelligible to third parties who were not authorised to access them will be analysed.
The systems used for processing personal data shall be structured in order to meet the security requirements, standards of good practice and governance, general principles provided in this Law and other regulatory rules.
Controllers and processors, within the scope of their competences, concerning processing of personal data, individually or in associations, may formulate rules for good practice and governance that set forth conditions of organisation, a regime of operation, procedures, including for complaints and petitions from data subjects, security norms, technical standards, specific obligations for the various parties involved in the processing, educational activities, internal mechanisms of supervision and risk mitigation and other aspects related to the processing of personal data.
a) demonstrate the controller’s commitment to adopt internal processes and policies that ensure broad compliance with rules and good practices regarding the protection of personal data;
b) are applicable to the entire set of personal data under her/his control, irrespective of the means used to collect them;
The national authority shall encourage the adoption of technical standards that facilitate data subjects’ control of their personal data.
V – blocking of the personal data to which the infraction refers until its regularisation;
VI – deletion of the personal data to which the infraction refers;
Law No. 12,965, of April 23, 2014 (the “Brazilian Internet Law”), shall henceforth contain the following alterations:
“Art. 7 …
X – permanent deletion of personal data that has been provided to an internet application, upon request, at the termination of the relationship between the parties, except in the situations in which storage of records is obligatory, as provided in this Law and in that which governs personal data protection; …” (New Wording)
“Art. 16 …
II – from personal data that are excessive in relation to the purpose for which consent was given by the data subject, except in situations provided in the Law that governs personal data protection.” (New Wording)