On December 28, 2018, Provisional Measure no. 869/2018 was published, amending several LGPD provisions and creating the National Data Protection Authority (ANPD). Among other changes, it postponed the date on which the LGPD enters into full force from February 2020, as set when the law was first published, to August 2020.
Data Collection and Processing
Under the LGPD, collection and processing are referred to as data treatment, defined as any operation carried out with personal data, such as:
- Diffusion, or
The treatment of personal data may only be carried out on one of the following legal bases, which largely align with those of the GDPR:
- With data subject consent
- To comply with a legal or regulatory obligation by the controller
- By the public administration, for the processing and shared use of data which are necessary for the execution of public policies provided in laws or regulations or contracts, agreements or similar instruments
- For carrying out studies by research entities, ensuring, whenever possible, the anonymization of personal data
- For the execution of a contract or preliminary procedures related to a contract of which the data subject is a party
- For the regular exercise of rights in judicial, administrative or arbitration procedures
- As necessary for the protection of life or physical safety of the data subject or a third party
- For the protection of health, in a procedure carried out by health professionals or by health entities
- To fulfil the legitimate interests of the controller or a third party, and
- For the protection of credit
Whichever legal basis applies, personal data processing must be carried out in good faith and in accordance with the following principles:
- Free access
- Quality of the data
- Nondiscrimination, and
As for the processing of sensitive personal data, treatment may only occur when the data subject or his or her legal representative gives specific and distinct (highlighted) consent for specific purposes; or, without consent, in the following situations:
- As necessary for the controller’s compliance with a legal or regulatory obligation
- Shared data processed as necessary for the execution of public policies provided in laws or regulations
- For studies carried out by a research entity
- For the regular exercise of rights, including in a contract or in a judicial, administrative and arbitration procedure
- Where necessary for the protection of life or physical safety of the data subject or a third party
- For the protection of health, in a procedure carried out by health professionals or by health entities, or
- To ensure the prevention of fraud and the safety of the data subject
The controller and the operator must keep records of the data treatment operations they carry out, especially when the processing is based on legitimate interest.
In addition, the ANPD may require the controller to prepare an Impact Report on the Protection of Personal Data, including sensitive data, covering its data processing operations, pursuant to regulations and subject to commercial and industrial secrecy. The report must contain at least a description of the types of data collected, the methodology used for collection and for ensuring the security of the information, and the controller's analysis of the measures, safeguards and risk mitigation mechanisms adopted.
On May 25th 2018, the EU General Data Protection Regulation (GDPR) became applicable, requiring companies based or operating in the European Union to comply with updated rules on how they handle personal data.
Other countries have taken a similar approach to data protection, with Brazil adopting a law governing how organisations collect, use and share personal data. The LGPD (Lei Geral de Proteção de Dados) will go into effect in August 2020, leaving companies less than a year from the time of writing to make sure they comply with its strict requirements on processing and managing personal data.
Lawfulness of Processing
Article 7 LGPD on the lawfulness of data processing contains the ten legal bases that allow organisations to process personal data in Brazil, at least one of which must apply to any data processing operation. The legal bases are:
- consent of the data subject
- compliance with a legal or regulatory obligation
- execution of public policies (only for the public administration)
- research by research entities (with anonymisation where possible)
- execution of a contract (or the pre-contractual phase)
- exercising of rights in judicial, administrative, or arbitration procedures
- protection of life or physical safety
- protection of health
- protection of legitimate interests
- protection of credit, according to the pertinent legislation
Many of these legal bases are similar to those found in laws like the GDPR, although some of the formulations differ slightly and some additional criteria have been set. Additionally, the LGPD contains specific criteria for sensitive data, stipulating that such data cannot be processed except on a narrower set of legal bases, one of which is the individual's specific consent.
When looking at consent, the LGPD seems a little less strict than the GDPR, stating in article 8 that consent must be provided in writing or by another means that demonstrates "the manifestation of the will of the data subject." The burden of proving that consent was validly obtained lies with the data controller, and consent must be clearly distinguished from other items, such as contractual clauses. Consent can be revoked at any time and at no cost. Consent also needs to refer to "particular purposes"; in other words, it needs to be specific.
Legitimate interest under the LGPD is further explained in article 10 of the law and is rather similar to legitimate interest as known in the European Union. It requires data controllers to identify the specific activities for which they process data and the way in which the rights of the data subject are protected. The data controller also needs to make sure the data subject will not be surprised by the processing of his or her data, i.e. that there is a reasonable expectation of data processing, so some level of transparency is expected from the controller. The supervisory authority can request that a privacy impact assessment (PIA) be performed when a data controller wants to rely on legitimate interest.
The LGPD is yet another data protection law that is built on the accountability principle, which means that organisations are required to adopt measures that help to demonstrate compliance. One of those measures is the obligation to maintain a register of processing activities, similar to the one that is required under the GDPR. However, the LGPD does not spell out which elements need to be documented as part of the register. The same is true for the obligation to complete privacy impact assessments. The obligation is part of the law, but it needs to be further specified by the supervisory authority, including in which situations PIAs are