GENERAL DATA PROTECTION LAW

November 25, 2019

What is the General Data Protection Law?

 

With the digitalization of society and the popularization of technologies that are based on data, it has become necessary to regulate economic activities that, in some way, process personal data.

 

Following a movement taking place around the world, law 13.709/2008 (the LGPD), which aims to regulate data processing activities, was approved in 2018. Much has been said about the impact of this new legislation on consumers, but what changes for entrepreneurs?

 

It is important to keep in mind that the LGPD aims to protect not only personal data, but also “economic and technological development and innovation”. In other words, it should also be seen as a tool for developing innovative and technological initiatives in the country.

 

Who is subject to the new law?

 

Every citizen (natural person) or company (public or private legal entity) that carries out data processing or collection operations, as well as the supply of goods and services in the national territory, is subject to the law.

 

The legislation already provides for some cases in which the law will not be applied. Among the situations foreseen is the processing of data carried out by an individual for domestic purposes, that is, non-economic, journalistic, artistic and academic purposes.

 

Who does the new law apply to?

 

The law applies to the data of natural persons, that is, individuals. It does not apply to data from legal entities, which are covered by other specific regulations.

 

 

 

What is the definition of “Data” for the LGPD?

 

  • Personal data: information related to an identified or identifiable natural person

 

  • Sensitive personal data: personal data on racial or ethnic origin, religious conviction, political opinion, membership of a trade union or organization of a religious, philosophical or political nature, data relating to health or sexual life, genetic or biometric data, when linked to a natural person;

 

  • Anonymized data: data relating to a holder who cannot be identified, considering the use of reasonable technical means available at the time of processing.

*Attention: It is worth noting that this data will not be considered personal data for the purposes of the LGPD, except when the anonymization process to which it was subjected is reversed, using exclusively its own means, or when, with reasonable efforts, it can be reversed.

 

  • Database: structured set of personal data, established in one or more locations, in electronic or physical format.

 

When collecting data:

 

  • Purpose and consent: The user must be informed for what purpose their data will be used and agree to the use.

 

  • Free and clear expression: Consent must be given without defects, that is, there is no point in placing small print in the corner of the page and claiming that the user has agreed. The purpose of using data must be stated in such a way that it is clear to the user and there is a minimum guarantee that he or she understands it;

 

  • Information about data processing: provide the holder with information about: i) purpose of processing (already mentioned); ii) form and duration of data processing; iii) identification of the controller (person responsible for decisions regarding data processing); iv) controller contact; v) information on possible shared use of data and its purpose; vi) responsibilities of the agents who will carry out the processing; vii) complete list of natural person rights to be obtained by the controller.

 

After collection:

  • Revocation of Consent: the consent provided by the user may be revoked at any time, upon express manifestation by the holder, through a free and facilitated procedure;

 

  • Communication about Changes: if there is a change in information about data processing, the holder must be notified, with special emphasis on the changes made, and may revoke their consent if they disagree with the change.

 

  • Access to information: if the holder requests it, the collected data and other information about processing and purpose must be provided free of charge and in an easy way.

 

Termination of data processing:

 

After the end of processing, personal data must be deleted, and may be kept only for the following purposes:

 

  • Compliance with legal or regulatory obligations by the controller;

 

  • Study by research bodies, as long as the data is anonymized;

 

  • Transfer to a third party, as long as the limits set out in the LGPD are respected;

 

  • Exclusive use of the data controller, as long as it is anonymized.

 

Responsibility

 

Responsibility is joint, that is, the processing agents share responsibility in the event of compensation for property and moral damages, individual or collective.

However, it can be removed in the following cases:

 

  • Proof that the agents have not carried out the processing of personal data assigned to them;

 

  • Absence of a violation of data protection legislation;

 

  • Proof that the damage is the result of the exclusive fault of the person responsible for the damage or third parties.

 

Top Tips

 

  • Tracking: have control of the data throughout its entire life cycle within the company, from the moment of collection to its deletion;

 

  • Control: it is recommended that monitoring and auditing measures be implemented, as well as internal policies to identify whether employees are actually observing such practices;

 

  • Responsible for compliance: every startup or company must have someone responsible for supervising data collection and processing procedures to ensure compliance with the LGPD, as well as for intermediating communications between the company and the market.

 

  • Prevention and Security: ensure security by adopting technical and administrative measures to prevent leaks or unauthorized access to collected data.

 

When does the Law come into force?

 

The law approved in 2018 will take effect from August 2020, that is, until then, individuals and companies must adapt to the new rules.

 

 

By Bruno Nassar and Kael Moro


© 2022 Vanzin & Penteado Advogados Associados.
