Brazil LGPD: Risk - The free to use privacy research database

Clear filters
Brazil LGPD X
Risk X

CHAPTER IPRELIMINARY PROVISIONS

Art. 1 - This Law provides for the processing of personal data, including by digital means, by a natural person or a legal Art. 2 - The discipline of personal data protection is grounded on the following:Art. 3 - This Law applies to any processing operation carried out by a natural person or a legal entity of public or Art. 4 - This Law does not apply to the processing of personal data that:Art. 5 - For purposes of this Law, the following definitions apply:Art. 6 - Activities of processing of personal data shall be done in good faith and be subject to the following principles:

CHAPTER IIPROCESSING OF PERSONAL DATA

Section I - Requirements for the Processing of Personal Data

Art. 7 - Processing of personal data shall only be carried out under the following circumstances:Art. 8 - The consent provided in Item I of Art. 7 of this Law shall be given in writing or by another Art. 9 - The data subject has the right to facilitated access to information concerning the processing of her/his data, which much be Art. 10 - Controller’s legitimate interest can only be grounds for processing personal data for legitimate purposes, based on particular situations, which include

Section II - Processing of Sensitive Personal Data

Art. 11 - The processing of sensitive personal data shall only occur in the following situations:Art. 12 - anonymised data shall not be considered personal data, for purposes of this Law, except when the process of anonymisation to Art. 13 - When carrying out public health studies, research entities may have access to personal databases, which shall be processed exclusively within

Section III - Processing of Children and Adolescents’ Personal Data

Art. 14 - The processing of personal data belonging to children and adolescents shall be done in their best interest, pursuant to this

Section IV - Termination of Data Processing

Art. 15 - The processing of personal data shall be terminated under the following circumstances:Art. 16 - Personal data shall be deleted following the termination of their processing, within the scope and technical limits of the activities,

CHAPTER IIIDATA SUBJECTS’ RIGHTS

Art. 17 - All natural person is assured ownership of her/his personal data, with the fundamental rights of freedom, intimacy and privacy being Art. 18 - The personal data subject has the right to obtain the following from the controller, regarding the data subject’s data being Art. 19 - Confirmation of the existence of or access to personal data shall be provided by means of request by the data Art. 20 - The data subject has the right to request review, by a natural person, of decisions taken solely on the bases Art. 21 - Personal data concerning the regular exercise of rights by the data subject cannot be used to her/his detriment.Art. 22 - The defence of the interests and rights of data subjects may be carried out in court, individually or collectively, as

CHAPTER IVPROCESSING OF PERSONAL DATA BY PUBLIC AUTHORITIES

Section I - Rules

Art. 23 - Processing of personal data by legal entities of public law referred to in sole paragraph of Art. 1 of Law Art. 24 - Public companies and mixed-capital companies that operate in the competing market, subject to the provisions of Art. 173 of the Art. 25 - Data shall be kept in an interoperable format and structured for shared use intended for the execution of public policies,Art. 26 - The shared use of personal data by public authorities shall fulfill the specific purposes of execution of public policies and Art. 27 - Communication or shared use of personal data from a legal entity of public law to a legal entity of private Art. 28 - (vetoed)Art. 29 - The national authority may request, at any time, that entities of the public authority carry out operations of processing of Art. 30 - The national authority may establish complementary rules for communication or shared used of personal data activities.

Section II - Accountability

Art. 31 - When there is an infringement of this Law as a result of personal data processing by public agencies, the national Art. 32 - The national authority may request agents of the public authorities to publish impact reports on protection of personal data and

CHAPTER VINTERNATIONAL TRANSFER OF DATA

Art. 33 - International transfer of personal data is only allowed in the following Art. 34 - The level of data protection in the foreign country or international organisation referred to in Item I of the lead Art. 35 - The definition of the content of standard contractual clauses, as well as the verification of specific contractual clauses for a Art. 36 - Changes to guarantees presented as sufficient for compliance with the general principles of protection and of the data subject’s rights

CHAPTER VIPERSONAL DATA PROCESSING AGENTS

Section I - Controller and Processor

Art. 37 - The controller and the processor shall keep records of personal data processing operations carried out by them, especially when based Art. 38 - The national authority may determine that the controller must prepare an impact report on protection of personal data, including sensitive Art. 39 - The processor shall carry out the processing according to the instructions provided by the controller, which shall verify the obedience Art. 40 - The national authority may provide standards of interoperability for purposes of portability, free access to data and security, as well

Section II - Data Protection Officer

Art. 41 - The controller shall appoint an officer to be in charge of processing personal data. §1 The identity and contact information

Section III - Liability and Loss Compensation

Art. 42 - The controller or the processor that, as a result of carrying out their activity of processing personal data, cause material,Art. 43 - Processing agents shall only not be held liable when they prove that:Art. 44 - Processing of personal data shall be irregular when it does not obey the legislation or when it does not provide Art. 45 - When there is violation of data subject’s right in the scope of consumer relations, the rules of liability provided in

CHAPTER VIISECURITY AND GOOD PRACTICES

Section I - Security and Secrecy of Data

Art. 46 - Processing agents shall adopt security, technical and administrative measures able to protect personal data from unauthorised accesses and accidental or Art. 47 - Processing agents or any other person that intervenes in one of the processing phases undertake to ensure the security of Art. 48 - The controller must communicate to the national authority and to the data subject the occurrence of a security incident that Art. 49 - The systems used for processing personal data shall be structured in order to meet the security requirements, standards of good

Section II - Good Practice and Governance

Art. 50 - Controllers and processors, within the scope of their competences, concerning processing of personal data, individually or in associations, may formulate Art. 51 - The national authority shall encourage the adoption of technical standards that facilitate data subjects’ control of their personal data.

CHAPTER VIIIMONITORING

Section I - Administrative Sanctions

Art. 52 - Data processing agents that commit infractions of the rules provided in this Law are subject to the following administrative sanctions,Art. 53 - The national authority shall define the methodologies that will be used for the calculation of the base value for fines,Art. 54 - The amount of daily fines applied to infractions of this Law shall be subject to the severity of the infraction

CHAPTER IXTHE NATIONAL AUTHORITY FOR PROTECTION OF DATA (“ANPD”) AND THE NATIONAL BOARD FOR PROTECTION OF PERSONAL DATA AND PRIVACY

Section I - The National Authority for Protection of Data (“ANPD”)

Art. 55 - (vetoed)Art. 56 - (vetoed)Art. 57 - (vetoed)

Section II - The National Board for the Protection of Personal Data and Privacy

Art. 58 - (vetoed)Art. 59 - (vetoed)

CHAPTER XFINAL AND TRANSITIONAL PROVISIONS

Art. 60 - Law No. 12,965, of April 23, 2014 (the “Brazilian Internet Law”), shall henceforth contain the following alterations: “Art. 7 …Art. 61 - The foreign company shall be notified and summonsed of all procedural acts provided in this Law, irrespective of power of Art. 62 - The national authority and the Anísio Teixeira National Institute for Educational Studies and Research (Inep), within the scope of their Art. 63 - The national authority shall establish rules on the progressive suitability of databases established up to the date this Law comes Art. 64 - The rights and principles expressed in this Law do not exclude others provided in the Brazilian legal system related to Art. 65 - This Law shall come into force eighteen (18) months following its official publication.

XVII –impact report on protection of personal data: documentation from the controller that contains the description of the proceedings of processing of the personal data that could generate risks to civil liberties and fundamental rights, as well as measures, safeguards and mechanisms to mitigate the risk;

The national authority may determine that the controller must prepare an impact report on protection of personal data, including sensitive data, referring to its data processing operations, pursuant to regulations, subject to commercial and industrial secrecy. Sole paragraph. Subject to the provisions of the lead sentence of this article, the report must contain at least a description of the types of data collected, the methodology used for collection and for ensuring the security of the information, and the analysis of the controller regarding the adopted measures, safeguards and mechanisms of risk mitigation.

II – the result and the risks that one can reasonably expect of it;

The controller must communicate to the national authority and to the data subject the occurrence of a security incident that may create risk or relevant damage to the data subjects.

IV – the risks related to the incident;

Controllers and processors, within the scope of their competences, concerning processing of personal data, individually or in associations, may formulate rules for good practice and governance that set forth conditions of organisation, a regime of operation, procedures, including for complaints and petitions from data subjects, security norms, technical standards, specific obligations for the various parties involved in the processing, educational activities, internal mechanisms of supervision and risk mitigation and other aspects related to the processing of personal data.

§1 When establishing rules of good practice, the controller and the processor shall take into consideration, regarding the processing and the data, the nature, scope, purpose and probability and seriousness of the risks and the benefits that will result from the processing of data subject’s data.

d) establish adequate policies and safeguards based on a process of systematic evaluation of the impacts on and risks to privacy;