Art. 55 - (vetoed)
Art. 56 - (vetoed)
Art. 57 - (vetoed)
Art. 58 - (vetoed)
Art. 59 - (vetoed)
This Law provides for the processing of personal data, including by digital means, by a natural person or a legal entity of public or private law, with the purpose of protecting the fundamental rights of freedom and privacy and the free development of the personality of the natural person.
This Law does not apply to the processing of personal data that:
§1 Processing of personal data as provided in Item III shall be governed by specific legislation, which shall provide proportional and strictly necessary measures for fulfilling the public interest, subject to due legal process, the general principles of protection and the rights of the data subjects as provided in this Law.
VI – controller: natural person or legal entity, of public or private law, that has competence to make the decisions regarding the processing of personal data;
XII – consent: free, informed and unambiguous manifestation whereby the data subject agrees to the processing of her/his personal data for a given purpose;
Activities of processing of personal data shall be done in good faith and be subject to the following principles:
VII – security: use of technical and administrative measures which are able to protect personal data from unauthorised accesses and accidental or unlawful situations of destruction, loss, alteration, communication or dissemination;
VIII – prevention: adoption of measures to prevent the occurrence of damages due to the processing of personal data;
Processing of personal data shall only be carried out under the following circumstances:
§2 In the situation when consent is required, if there are changes in the purpose of the processing of personal data that are not compatible with the original consent, the controller shall previously inform the data subject of the changes of purpose, and the data subject may revoke her/his consent if she/he disagrees with the changes.
§3 When the processing of personal data is a condition for the provision of a product or service or for the exercise of a right, the data subject shall be informed with special highlight of this fact and of the means by which she/he may exercise her/his data subject’s rights as listed in Art. 18 of this Law.
§1 The provisions of this article apply to any processing of personal data that reveals sensitive personal data and that may cause harm to the data subject, subject to the provisions of specific legislation.
The processing of personal data belonging to children and adolescents shall be done in their best interest, pursuant to this article and pertinent legislation.
The processing of personal data shall be terminated under the following circumstances:
The data subject has the right to request review, by a natural person, of decisions taken solely on the basis of automated processing of personal data that affects her/his interests, including decisions intended to define her/his personal, professional, consumer or credit profile or aspects of her/his personality.
§2 If there is no offer of information as provided in §1 of this article, based on commercial and industrial secrecy, the national authority may carry out an audit to verify discriminatory aspects in automated processing of personal data.
Processing of personal data by legal entities of public law referred to in sole paragraph of Art. 1 of Law No. 12,527, of November 18, 2011 (the “Brazilian Access to Information Law”), shall be done in fulfillment of its public purpose, in benefit of the public interest, for the purpose of performing legal competences or discharging legal attributions of the public service, provided that:
I – they communicate the situations in which, in the exercise of their competences, they carry out processing of personal data, supplying clear and up-to-date information about the legal base, purpose, procedures and practices used to carry out these activities in easily accessible media, preferably on their websites;
The national authority may request, at any time, that entities of the public authority carry out operations of processing of personal data, specific report about the scope and nature of the data and other details of the processing, and may issue complementary technical opinion to ensure compliance with this Law.
I – they did not carry out the processing of personal data that is attributed to them;
II – although they did carry out the processing of personal data that is attributed to them, there was no violation of the data protection legislation; or
Processing of personal data shall be irregular when it does not obey the legislation or when it does not provide the security that its data subject can expect of it, considering the relevant circumstances, among which are:
Controllers and processors, within the scope of their competences, concerning processing of personal data, individually or in associations, may formulate rules for good practice and governance that set forth conditions of organisation, a regime of operation, procedures, including for complaints and petitions from data subjects, security norms, technical standards, specific obligations for the various parties involved in the processing, educational activities, internal mechanisms of supervision and risk mitigation and other aspects related to the processing of personal data.