Art. 55 - (vetoed)
Art. 56 - (vetoed)
Art. 57 - (vetoed)
Art. 58 - (vetoed)
Art. 59 - (vetoed)
This Law provides for the processing of personal data, including by digital means, by a natural person or a legal entity of public or private law, with the purpose of protecting the fundamental rights of freedom and privacy and the free development of the personality of the natural person.
This Law applies to any processing operation carried out by a natural person or a legal entity of public or private law, irrespective of the means, the country in which its headquarters are located or the country where the data are located, provided that:
a) public safety;
§1 Processing of personal data as provided in Item III shall be governed by specific legislation, which shall provide proportional and strictly necessary measures for fulfilling the public interest, subject to due legal process, the general principles of protection and the rights of the data subjects as provided in this Law.
§2 Processing of the data referred to in Item III of the lead sentence of this article is forbidden for a legal entity of private law, except in procedures under the authority of a legal entity of public law, of which the national authority shall be specifically informed and which shall observe the limitation imposed in §4 of this article.
VI – controller: natural person or legal entity, of public or private law, that has competence to make the decisions regarding the processing of personal data;
VII – processor: natural person or legal entity, of public or private law, that processes personal data in the name of the controller;
XVI – shared use of data: communication, dissemination, international transfer, interconnection of personal data or shared processing of banks of personal data by public agencies and entities, in compliance with their legal competences, or between these and private entities, reciprocally, with specific authorisation, for one or more types of processing allowed by these public entities, or among private entities;
XVIII – research body: body or entity of the direct or indirect public administration or a nonprofit legal entity of private law, legally organised under Brazilian law, with headquarters and jurisdiction in Brazil, that includes in its institutional mission or in its corporate or statutory purposes basic or applied research of historic, scientific, technological or statistical nature;
XIX – national authority: body of the indirect public administration responsible for supervising, implementing and monitoring the compliance with this Law.
III – by the public administration, for the processing and shared use of data which are necessary for the execution of public policies provided in laws or regulations, or based on contracts, agreements or similar instruments, subject to the provisions of Chapter IV of this Law;
§3 The processing of publicly accessible personal data shall consider the purpose, the good faith and the public interest that justify its being made available.
§4 The consent requirement provided in the lead sentence of this article is waived for data manifestly made public by the data subject, safeguarding the rights of the data subject and the principles provided in this Law.
b) shared processing of data when necessary by the public administration for the execution of public policies provided in laws or regulations;
§2 When the provisions of lines a and b of Item II of the lead sentence of this article are applied by public agencies and entities, said waiver of consent shall be publicised, pursuant to Item I of the lead sentence of Art. 23 of this Law.
§3 Communication or shared use of sensitive personal data between controllers for the purpose of obtaining an economic advantage may be prohibited or regulated by the national authority, after hearing the sectoral entities of the public authority, within their competences.
When carrying out public health studies, research entities may have access to personal databases, which shall be processed exclusively within the entity and strictly for the purpose of carrying out studies and research and shall be kept in a controlled and secure environment, in accordance with security practices provided in specific regulation and that include, whenever possible, anonymisation or pseudonymization of the data, as well as taking into account the proper ethical standards related to studies and research.
§2 When processing data as mentioned in §1 of this article, controllers shall make public the information about the types of data collected, the way it is used and the procedures for exercising the rights referred to in Art. 18 of this Law.
III – communication by the data subject, including when exercising her/his right to revoke consent, as provided in §5 of Art. 8 of this Law, subject to the public interest;
VII – information about public and private entities with which the controller has shared data;
Processing of personal data by legal entities of public law referred to in the sole paragraph of Art. 1 of Law No. 12,527, of November 18, 2011 (the “Brazilian Access to Information Law”), shall be done in fulfillment of its public purpose, for the benefit of the public interest, for the purpose of performing legal competences or discharging legal attributions of the public service, provided that:
§1 The national authority may provide for the forms of publicity regarding processing operations.
§3 The time periods and procedures for exercising data subjects’ rights before the public authorities shall obey the provisions of specific legislation, especially the provisions of Law No. 9,507, of November 12, 1997 (the “Brazilian Habeas Data Law”), of Law No. 9,784, of January 29, 1999 (the “Federal Administrative Procedure Law”), and of Law No. 12,527, of November 18, 2011 (the “Brazilian Access to Information Law”).
§4 Notarial and registry services, carried out under private nature by delegation of public authorities, shall receive the same treatment given to legal entities as provided in the lead sentence of this article, in accordance with the terms of this Law.
§5 Notarial and registry bodies shall provide access to data by electronic means to the public administration, in view of the purposes mentioned in the lead sentence of this article.
Public companies and mixed-capital companies that operate in the competing market, subject to the provisions of Art. 173 of the Federal Constitution, shall receive the same treatment given to private legal entities of private law, under the terms of this Law.
Sole paragraph. Public and mixed-capital companies, when they are carrying out public policies and within the scope of their execution, shall receive the same treatment given to the bodies and entities of the public authorities, under the terms of this Chapter.
Data shall be kept in an interoperable format and structured for shared use intended for the execution of public policies, provision of public services, decentralization of public activity, dissemination and access to information by the general public.
The shared use of personal data by public authorities shall fulfill the specific purposes of execution of public policies and legal attributions by agencies and public entities, subject to the principles of personal data protection listed in Art. 6 of this Law.
§1 It is forbidden for public authorities to transfer to private entities personal data contained in databases to which they have access, except:
I – in cases of decentralized execution of public activity that requires transfer, exclusively for this specific and distinct purpose, subject to the provisions of Law No. 12,527, of November 18, 2011 (the “Brazilian Access to Information Law”);
II – (vetoed); and
II – in cases in which the data are publicly accessible, subject to the provisions of this Law.
§2 Contracts and agreements as mentioned in §1 of this article shall be communicated to the national authority.
Communication or shared use of personal data from a legal entity of public law to a legal entity of private law shall be communicated to the national authority and shall rely on the consent of the data subject, except:
I – in situations in which consent is waived as provided in this Law;
II – when there is shared use of data, which will be publicized pursuant to Item I of the lead sentence of Art. 23 of this Law; or
III – in the exceptions contained in §1 of Art. 26 of this Law.
The national authority may request, at any time, that entities of the public authority carry out operations of processing of personal data, specific report about the scope and nature of the data and other details of the processing, and may issue complementary technical opinion to ensure compliance with this Law.
When there is an infringement of this Law as a result of personal data processing by public agencies, the national authority may send a report with applicable measures to stop the violation.
The national authority may request agents of the public authorities to publish impact reports on protection of personal data and may suggest the adoption of standards and good practices for processing personal data by the public authorities.
III – when the transfer is necessary for international legal cooperation between public intelligence, investigative and prosecutorial agencies, in accordance with the instruments of international law;
VII – when the transfer is necessary for the execution of a public policy or legal attribution of public service, which shall be publicised pursuant to Item I of the lead sentence of Art. 23 of this Law;
IX – when it is necessary to satisfy the situations provided in Items II, V and VI of Art. 7 of this Law.
Sole paragraph. For purposes of Item I of this article, the legal entities of public law referred to in the sole paragraph of Art. 1 of Law No. 12,527, of November 18, 2011 (the “Brazilian Access to Information Law”), within their legal competences, and those parties accountable, within the scope of their activities, may request the national authority to evaluate the level of protection of personal data provided by a country or international organisation.
The controller shall appoint an officer to be in charge of processing personal data.
§1 The identity and contact information of the officer shall be publicly disclosed, in a clear and objective manner, preferably on the controller’s website.
§2 The officer’s activities consist of:
I – accepting complaints and communications from data subjects, providing explanations and adopting measures;
II – receiving communications from the national authority and adopting measures;
III – orienting the entity’s employees and contractors regarding practices to be taken in relation to personal data protection; and
IV – carrying out other duties as determined by the controller or set forth in complementary rules.
§3 The national authority may establish complementary rules about the definition and the duties of the officer, including situations in which the appointment of such person may be waived, according to the nature and the size of the entity or the volume of data processing operations.
IV – publicising of the infraction once it has been duly ascertained and its occurrence has been confirmed;
§3 The provisions of Items I, IV, V, VI, VII, VIII and IX of the lead sentence of this article may be applied to public entities and bodies, without prejudice to the provisions of Laws Nos. 8,112, of December 11, 1990 (the “Legal Framework for Public Servants”), 8,429, of June 2, 1992 (the “Administrative Improbity Law”), and 12,527, of November 18, 2011 (the “Brazilian Access to Information Law”).
The national authority shall define the methodologies that will be used for the calculation of the base value for fines, by means of its own regulations concerning administrative sanctions for violations of this Law, which must be the object of a public consultation.
The rights and principles expressed in this Law do not exclude others provided in the Brazilian legal system related to the matter or in international treaties to which the Federative Republic of Brazil is a party.
This Law shall come into force eighteen (18) months following its official publication.