Ana Carolina Rovida de Oliveira
Lawyer at Marcos Martins Advogados
On August 14, 2018, the General Data Protection Law, No. 13,709/2018, was approved, originating from House Bill 53/2018 (“LGPD”), which amends the wording of Law No. 12,965/2014 (“Marco Civil da Internet”).
The LGPD determines how the data and personal information of “identified” or “identifiable” subjects (“Holder”) will be handled by a natural person, or by a legal entity governed by public or private law (“Controller”). For the LGPD, “identified” are individuals who have expressly provided their data, and “identifiable” are individuals whose data, when alone, does not reveal who they are related to, but when computed together with other data, can identify the subject in question.
With the new legislation, in order for the Controller to obtain and process data, the consent of the Data Subject will be required, and the request must be made in a clear and objective manner. If there is any change in the purpose for which the data was received, it will be necessary to obtain new consent.
However, the LGPD contains some exceptions, in which it will not be necessary to obtain consent, such as protection of life, compliance with a legal obligation and also for the legitimate interest of the Controller, in which case the data collected for one purpose is used for another, provided that the purposes are legitimate.
The new law also prescribes that the Data Subject can request access to the information that a Controller has about them, which must be provided easily and free of charge, including the manner and duration with which the data will be processed, and whether there has been any use or sharing of the data with third parties, as well as the justification for this.
In addition, the entities must guarantee the security of the data, preventing any access by unauthorized persons, as well as making it impossible to leak, in which case, if any, the Data Subject must be informed immediately.
If the Controller, or a related party, fails to comply with the legislation, they will be punished with a fine of up to 2% of their turnover in the last financial year, limited to a total of R$50,000,000.00 (fifty million reais), among other sanctions.
Entities and citizens will have a period of 18 (eighteen) months from the publication of the LGPD in the Official Gazette, which took place on August 15, 2018, to adapt to the new rules.
As this is a law that aims to implement a culture of data protection, which until then had not been regulated in Brazil, inspections and sanctions by public authorities are expected and, consequently, the need to adapt the internal policies of Controllers and related companies that work with data processing.
Marcos Martins Advogados is available to assist you with the application of the General Data Protection Law, as well as with other matters related to the business and corporate environment.
