Decree regulating the LGPD within the scope of the Public Administration of the Municipality of São Paulo

Gabriela de Ávila Machado
Lawyer at Marcos Martins Advogados

Municipal Decree No. 59,767 of the city of São Paulo/SP was published on September 16, 2020. The Decree regulates the application of the LGPD within the Municipal Administration.

The Decree determines the responsibilities of the Municipal Executive Branch, which include, among others, keeping the mapping of existing personal data, personal data flows, risk analysis and the adequacy plan continuously updated:

The Decree also appoints the Comptroller General of the Municipality as the person in charge of the Municipal Executive Branch, who will have the attributions provided for in the LGPD, and others provided for in article 6 of the Decree, such as “recommending the preparation of adequacy plans relating to the protection of personal data to the person in charge of the entities that are part of the indirect administration”, “requesting the relevant information from the Secretariats and Subprefectures responsible, in order to compile it in a single report”, among others.

The Decree also prohibits the transfer of personal data to private entities, except when the data is publicly accessible or in the following cases: “decentralized execution of public activity that requires the transfer”, in the event of a legal or contractual provision, for the prevention of fraud and irregularities, or to protect and safeguard the security and integrity of the data subject. In any case, data can only be transferred with specific authorization.

The Decree gives the Secretariats and Subprefectures a period of 180 (one hundred and eighty) days to prove that they are in compliance with the LGPD and the Decree, and 90 (ninety) days to present the adaptation plan by the entities of the indirect administration.

The Decree came into force on the date of its publication.

Questions? Talk to our lawyers and get advice.

Share on social media