On December 28, 2018, Provisional Measure no. 869/2018 was published. It amended several LGPD provisions and created the National Data Protection Authority (ANPD). Among other changes, it moved the date on which the LGPD enters into full force from February 2020, as originally enacted, to August 2020.
Data Collection and Processing
Under the LGPD, collection and processing are referred to together as data treatment, defined as any operation carried out with personal data, such as:
Personal data may be treated only on one of the following legal bases, which largely align with those of the GDPR:
With data subject consent
To comply with a legal or regulatory obligation by the controller
By the public administration, for the processing and shared use of data which are necessary for the execution of public policies provided in laws or regulations or contracts, agreements or similar instruments
For carrying out studies by research entities, ensuring, whenever possible, the anonymization of personal data
For the execution of a contract or preliminary procedures related to a contract of which the data subject is a party
For the regular exercise of rights in judicial, administrative or arbitration procedures
As necessary for the protection of life or physical safety of the data subject or a third party
For the protection of health, in a procedure carried out by health professionals or by health entities
To fulfil the legitimate interests of the controller or a third party, and
For the protection of credit
Notwithstanding the above, personal data processing shall be done in good faith and based on the following principles:
Quality of the data
Sensitive personal data may be processed only where the data subject, or his or her legal representative, gives specific and prominent consent for specific purposes; or, without consent, in the following situations:
As necessary for the controller’s compliance with a legal or regulatory obligation
Shared data processed as necessary for the execution of public policies provided in laws or regulations
For studies carried out by a research entity
For the regular exercise of rights, including in a contract or in a judicial, administrative and arbitration procedure
Where necessary for the protection of life or physical safety of the data subject or a third party
The protection of health, carried out by health professionals or by health entities, or
Ensuring fraud prevention and the safety of the data subject in identification and authentication processes for registration in electronic systems
The controller and the operator must keep records of the processing operations they carry out, especially where processing is based on legitimate interest.
Further, the ANPD may require the controller to prepare a Data Protection Impact Report covering its processing operations, including those involving sensitive data, in accordance with its regulations and with due regard for commercial and industrial secrets. The report must contain at least a description of the types of data collected, the methodology used for collection and for ensuring the security of the information, and the controller’s analysis of the measures, safeguards and risk-mitigation mechanisms adopted.
Relentless Privacy and Compliance Services provides a wide range of LGPD and GDPR services.
On May 25th 2018, the EU General Data Protection Regulation (GDPR) came into force, requiring companies established or operating in the European Union to comply with updated rules on how they handle personal data.
Other countries have taken a similar approach to data protection, with Brazil adopting a law governing how organisations collect, use and share personal data. The LGPD (Lei Geral de Proteção de Dados) will go into effect in August 2020, leaving companies less than a year from now to ensure they comply with its strict requirements on processing and managing personal data.
Lawfulness of Processing
Article 7 of the LGPD on the lawfulness of data processing contains the ten legal bases that allow organisations to process personal data in Brazil, at least one of which must apply to any processing operation. The legal bases are:
consent of the data subject
compliance with a legal or regulatory obligation
execution of public policies (only for the public administration)
research (anonymity, if possible)
execution of a contract (or the pre-contractual phase)
exercising of rights in judicial, administrative, or arbitration procedures
protection of life or physical safety
protection of health
protection of legitimate interests
protection of credit, according to the pertinent legislation
Many of these legal bases resemble those found in laws like the GDPR, although some formulations differ slightly and some additional criteria have been set. Additionally, the LGPD contains specific rules for sensitive data, which may be processed only on one of the specific legal bases listed for such data, including the individual’s consent.
When it comes to consent, the LGPD seems a little less strict than the GDPR: article 8 states that consent must be provided in writing or by another means that demonstrates “the manifestation of the will of the data subject.” The burden of proving that consent was validly obtained lies with the controller, and consent must be clearly distinguished from other items such as contractual clauses. Consent can be revoked at any time and at no cost, and it must refer to “particular purposes,” in other words it must be specific.
Legitimate interest under the LGPD is further explained in article 10 of the law. It is rather similar to legitimate interest as we know it from the European Union. It includes the need for data controllers to identify the specific activities for which they process data, as well as the way the rights of the data subject are protected. Also, the data controller needs to make sure the data subject will not be surprised by the fact that his/her data will be processed, i.e. that there is a reasonable expectation of data processing. Some level of transparency is expected from the data controller. The supervisory authority can request that a privacy impact assessment (PIA) be performed when a data controller wants to rely upon legitimate interest.
The LGPD is yet another data protection law that is built on the accountability principle, which means that organisations are required to adopt measures that help to demonstrate compliance. One of those measures is the obligation to maintain a register of processing activities, similar to the one that is required under the GDPR. However, the LGPD does not spell out which elements need to be documented as part of the register. The same is true for the obligation to complete privacy impact assessments. The obligation is part of the law, but it needs to be further specified by the supervisory authority, including in which situations PIAs are mandatory and how they need to be completed. Based on the law, it seems private sector organisations may only need to complete impact assessments when processing personal data on the basis of legitimate interest, and a broader obligation would be imposed on the Brazilian public sector.
Data Subject Rights
Chapter III LGPD is devoted to data subject rights. Brazil will extend several rights to individuals, including a right of confirmation that an individual’s data are being processed, as well as the more traditional rights of access, correction, blocking, and deletion. Under the LGPD, an individual can also request the anonymisation of their data. Requests can be filed at any time, and organisations are bound to respond within 15 days (for the right of access, at least). Data subject rights can be exercised at no cost to the data subject.
The LGPD guarantees a number of rights to data subjects (holders of personal data), which may be exercised upon request by the data subject or his or her legal representative:
Right to information
Right of access
Right of rectification
Right of data deletion
Right of opposition
Portability right
Contraventions of the LGPD can be sanctioned with a fine of up to 2% of the organisation’s annual turnover in Brazil, capped at 50 million reais (approximately US$12.85 million). A warning can also be issued, and an enforcement notice can order the blocking or deletion of the data to which the infraction refers. Other sanctions in the draft law, including the possible suspension of processing, were vetoed by President Temer when the LGPD was presented for signature, as were the provisions creating an independent supervisory authority. At the time of writing it was therefore unclear how the LGPD would be enforced; the government had announced that the supervisory authority would be established by a separate act, but no bill had yet been published. (Provisional Measure 869/2018 later created the ANPD; see above.)
How Relentless Helps
Like the GDPR, the LGPD is an omnibus law. This means that it covers many principles of data protection law, unlike, for example, the California Consumer Privacy Act which focuses on data subject rights. Relentless has identified 24 provisions of the LGPD that contain accountability requirements for which some form of evidence would be required. These 24 provisions map to 43 privacy management activities from the Relentless Privacy Management Maturity Framework. For comparison, the GDPR contains 55 mandatory privacy management activities.
Brazil passed the General Data Protection Law in 2018, and it will come into effect August 2020. This article examines the GDPR vs. the LGPD, how it differs, and what business owners globally need to do to prepare.
Brazil’s Lei Geral de Proteção de Dados (or LGPD) brings sorely needed clarification to the Brazilian legal framework. The LGPD attempts to unify the over 40 different statutes that currently govern personal data, both online and offline, by replacing certain regulations and supplementing others. This unification of previously disparate and oftentimes contradictory regulations is only one similarity it shares with the EU’s General Data Protection Regulation, a document from which it clearly takes inspiration.
Another similarity is that the LGPD applies to any business or organization that processes the personal data of people in Brazil, regardless of where that business or organization itself might be located. So, if your company has any customers or clients in Brazil, you should begin preparing for LGPD compliance. Fortunately, you still have time before the law takes effect. And if you are already GDPR compliant, then you have already done the bulk of the work necessary to comply with the LGPD.
Article 5 of the LGPD defines personal data as information relating to an identified or identifiable natural person, echoing the GDPR’s definition. Elsewhere the law makes clear that data which, by itself or combined with other data, could identify a natural person is in scope, and Article 12 treats data used to build the behavioural profile of an identified natural person as personal data even where it was nominally anonymised. Read together, and pending further guidance from the ANPD, the LGPD takes a broad view of what qualifies as personal data, arguably broader than the GDPR.
Data subject rights
Article 18 is another section of the LGPD that will look familiar to businesses that have dealt with GDPR compliance. It explains the nine fundamental rights that data subjects have, which include:
The right to confirmation of the existence of the processing;
The right to access the data;
The right to correct incomplete, inaccurate or out-of-date data;
The right to anonymise, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD;
The right to the portability of data to another service or product provider, by means of an express request;
The right to delete personal data processed with the consent of the data subject;
The right to information about public and private entities with which the controller has shared data;
The right to information about the possibility of denying consent and the consequences of such denial; and
The right to revoke consent.
While the GDPR is known for granting its data subjects eight fundamental rights, they are essentially the same rights the LGPD mentions. It seems the LGPD split “The right to information about public and private entities with which the controller has shared data” out of the GDPR’s more general “Right to be informed” to make it more explicit.
Differences between the LGPD and the GDPR
Despite their similar goals and the apparent influence the GDPR had on Brazilian lawmakers, there are some key differences to note between the two pieces of legislation.
Data protection officers
Both laws require businesses and organisations to appoint a Data Protection Officer (DPO). However, while the GDPR spells out when a DPO is required, Article 41 of the LGPD simply says, “The controller shall appoint an officer to be in charge of the processing of data,” which suggests that any organisation that processes the data of people in Brazil will need to appoint one. This is another area that will likely receive further clarification, but as written it is one of the few areas where the LGPD is more stringent than the GDPR.
Legal basis for processing data
Possibly the most significant difference between the LGPD and the GDPR concerns what qualifies as a legal basis for processing data. The GDPR has six lawful bases for processing, and a data controller must choose one of them as a justification for using a data subject’s information. However, in Article 7, the LGPD lists 10. They are:
With the consent of the data subject;
To comply with a legal or regulatory obligation of the controller;
To execute public policies provided in laws or regulations, or based on contracts, agreements, or similar instruments;
To carry out studies by research entities that ensure, whenever possible, the anonymisation of personal data;
To execute a contract or preliminary procedures related to a contract of which the data subject is a party, at the request of the data subject;
To exercise rights in judicial, administrative or arbitration procedures;
To protect the life or physical safety of the data subject or a third party;
To protect health, in a procedure carried out by health professionals or by health entities;
To fulfil the legitimate interests of the controller or a third party, except when the data subject’s fundamental rights and liberties, which require personal data protection, prevail; or
To protect credit (referring to a credit score).
Having the protection of credit as a legal basis for the processing of data is indeed a substantial departure from the GDPR.
Reporting data breaches
While both the GDPR and the LGPD require organisations to report data breaches to the local data protection authority, the level of specificity varies widely between the two laws. The GDPR is explicit: an organization must report a data breach within 72 hours of its discovery (although different organisations are already testing that deadline).
The LGPD does not give any firm deadline: Article 48 merely states that “the controller must communicate to the national authority and to the data subject the occurrence of a security incident that may create risk or relevant damage to the data subjects… in a reasonable time period, as defined by the national authority.” Since the national data protection agency has not, as yet, been established, there is no guidance for what constitutes a “reasonable time period.”
A regulation is only as strong as its teeth. That is why the maximum GDPR fines are substantial: organisations that commit grave GDPR violations can be required to pay up to €20 million or 4% of annual global revenue, whichever is higher.
The fines under the LGPD are much less severe. Article 52 states that the maximum fine for a violation is “2% of a private legal entity’s, group’s, or conglomerate’s revenue in Brazil, for the prior fiscal year, excluding taxes, up to a total maximum of 50 million reals” (this works out to roughly €11 million). The LGPD fines are in line with GDPR’s fines for less egregious infractions, but €11 million is not going to concern the world’s largest data processors.
This is not an exhaustive overview of the LGPD, but it should reassure business owners that, in most respects, if you have achieved GDPR compliance you are already well on your way to complying with the LGPD. Data protection laws are being considered all around the world, from India to the USA. Relentless Privacy and Compliance will be here to help you keep up with the latest developments and assess and attain compliance.
On July 10, 2018, the Brazilian Federal Senate approved a General Data Protection Law (“Lei Geral de Proteção de Dados” or “LGPD”), largely inspired by the European General Data Protection Regulation (“GDPR”). Although several LGPD provisions were vetoed by Brazil’s president in August 2018, a December 2018 executive order (Provisional Measure 869/2018) reinstated many of them, most significantly the sections establishing an agency tasked with enforcing Brazil’s data protection law.
This alert summarises the key provisions of the bill and addresses its applicability to US-based clients.
Territorial Scope and Definition of Personal Data
In a similar way to the GDPR, the LGPD defines “personal data” as any information relating to an identified or identifiable natural person. To prevent the use of personal data for discriminatory practices, the LGPD places additional restrictions on the processing of sensitive data. Article 5, II defines “sensitive data” as data on racial or ethnic origin, religious beliefs, political opinions, membership of a trade union or of a religious, philosophical or political organisation, data relating to health or sexual life, and genetic or biometric data, when linked to a natural person.
The LGPD applies to any processing operation carried out in Brazil, to processing whose purpose is to offer goods or services to individuals located in Brazil, and to the processing of personal data collected in Brazil, regardless of where the entity conducting the operation or holding the data is located. Further, it protects personal data whether obtained by electronic or physical means, and whether processed by the public or the private sector.
Under the LGPD, there are situations where anonymised data may be considered to be personal data. Specifically, when the anonymisation process to which the data has been submitted is reversible by the use of “reasonable efforts”, the data will be deemed personal data and thus subject to the LGPD rules. Similarly, if anonymised data is used for the purposes of establishing behaviour profiles, the LGPD will also apply.
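As an added example of what the “reasonable efforts” test above can mean in practice (this is not code from the original alert, from any regulator or from any library): the block below treats a CPF (the Brazilian taxpayer number) that has been replaced by an unsalted SHA-256 hash as the “anonymisation” under test, and shows that anyone holding a candidate list of CPFs, or simply enumerating the 10^9 valid CPFs, can rebuild the mapping, so the export remains personal data. The keyed HMAC variant resists the same attack without the key, but it is pseudonymisation rather than anonymisation, because the key holder can still link records. All function names, sample records and CPF values are constructed for this example; the CPF check-digit rule is the standard mod-11 one.

```python
"""Added example: testing whether a "de-identified" CPF column is really anonymised.

Everything here is constructed for illustration: the function names, the sample
records and the CPF values are not from the LGPD text, a regulator or a library.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List


def cpf_check_digits(base9: str) -> str:
    """Return the two CPF check digits for a 9-digit base (standard mod-11 rule).

    Because the check digits are a function of the base, there are only 10**9
    valid CPFs: a space an attacker can enumerate on commodity hardware.
    """
    if len(base9) != 9 or not base9.isdigit():
        raise ValueError("base must be 9 digits")
    digits = [int(c) for c in base9]
    for weight_start in (10, 11):  # weights 10..2 for digit 1, 11..2 for digit 2
        total = sum(d * w for d, w in zip(digits, range(weight_start, 1, -1)))
        remainder = total % 11
        digits.append(0 if remainder < 2 else 11 - remainder)
    return "".join(str(d) for d in digits[9:])


def cpf_from_base(base9: str) -> str:
    """Full 11-digit CPF for a 9-digit base; also how an attacker enumerates them."""
    return base9 + cpf_check_digits(base9)


def naive_anonymise(cpf: str) -> str:
    """The flawed scheme: unsalted SHA-256 of the CPF.

    Deterministic and keyless, so anyone who can list candidate CPFs can compute
    the same tokens and join them back to identities.
    """
    return hashlib.sha256(cpf.encode("ascii")).hexdigest()


def keyed_pseudonymise(cpf: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held only by the controller.

    Without the key the dictionary attack fails, but the key holder can still
    link records, so this is pseudonymisation (still personal data under the
    LGPD), not anonymisation.
    """
    return hmac.new(key, cpf.encode("ascii"), hashlib.sha256).hexdigest()


def reidentify(tokens: Iterable[str], candidates: Iterable[str],
               token_fn: Callable[[str], str]) -> Dict[str, str]:
    """Dictionary attack: tokenise every candidate CPF with the same function the
    exporter used and join on the token. Returns token -> CPF for each hit."""
    lookup = {token_fn(cpf): cpf for cpf in candidates}
    return {tok: lookup[tok] for tok in tokens if tok in lookup}


def demo() -> dict:
    """Run the same adversary against both schemes and report what it recovers."""
    # Constructed "customer list" the attacker already holds (a breached or
    # public register): the kind of reasonable effort LGPD Art. 12 contemplates.
    known_cpfs = [cpf_from_base(b) for b in ("529982247", "111444777", "123456789")]

    # Constructed export: health-related purchases keyed by the naive token.
    export_rows: List[dict] = [
        {"token": naive_anonymise(cpf_from_base("529982247")), "item": "insulin"},
        {"token": naive_anonymise(cpf_from_base("987654321")), "item": "aspirin"},
    ]
    naive_hits = reidentify((r["token"] for r in export_rows), known_cpfs, naive_anonymise)

    # Same export under a keyed token; the attacker has to guess a key and guesses wrong.
    controller_key = secrets.token_bytes(32)
    keyed_rows = [
        {"token": keyed_pseudonymise(cpf_from_base("529982247"), controller_key), "item": "insulin"},
    ]

    def attacker_guess(cpf: str) -> str:
        return keyed_pseudonymise(cpf, b"\x00" * 32)

    keyed_hits = reidentify((r["token"] for r in keyed_rows), known_cpfs, attacker_guess)

    return {
        "naive_hits": len(naive_hits),
        "naive_reidentified": sorted(naive_hits.values()),
        "keyed_hits_without_key": len(keyed_hits),
    }


if __name__ == "__main__":
    print(demo())
```

The candidate list stands in for whatever the adversary can obtain cheaply; with no list at all, `cpf_from_base(f"{i:09d}") for i in range(10**9)` enumerates the entire valid CPF space, which is why an unsalted hash of a structured identifier should be treated as reversible and the column as personal data.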
Consent and Rights of Data Subjects
Article 7 of the LGPD sets forth a limited number of situations where the processing of personal data is allowed. Notably, the LGPD provides that the collection, use or processing of personal data may be conditioned upon first obtaining the explicit consent of the data subject.
Further, consent must be given in writing, in a clear and separate provision from other contractual provisions, or by “any other means that demonstrates the data subject’s consent.” The controller bears the burden of proving that consent was given in accordance with the LGPD. Generic, blanket authorisations for the use of personal data are expressly prohibited, and data subjects may revoke their consent at any time, which makes consent a less reliable basis for processing.
The LGPD confers extended rights upon data subjects. Specifically, pursuant to the LGPD, data subjects have the right to access, rectify, cancel or exclude their data. Further, data subjects may also oppose the processing of their data. The LGPD also sets forth a right to data portability, pursuant to which an individual may request a copy of his or her data in a transferable format. Individuals may then opt to transfer their data to other service providers of their choice.
Legal Bases for Processing and Transfer
Similarly to the GDPR, organisations must identify a specific legal basis for any data processing. As mentioned above, the LGPD provides several legal bases in addition to consent, some of the more significant of which include:
Fulfilment of the controller’s legitimate interests, or the legitimate interests of a third party; or
Research purposes, with the personal data anonymised whenever possible.
The LGPD also restricts cross-border transfers. Companies must ensure that personal data receives adequate protection when transferred abroad. Transfers are permitted in a number of circumstances, the specifics of which the regulator will develop further, including where any of the following bases is met:
transfers to countries offering adequate protection;
transfers pursuant to specific contractual clauses for a given transfer; standard contractual clauses; and global corporate rules;
where the regulator specifically approves the transfer; or
after obtaining the specific consent of the data subject.
Data Protection Officers (DPO)
The LGPD requires companies to appoint a DPO, seemingly without exception. The law also sets out the DPO’s duties: accepting complaints and communications from data subjects, providing explanations and adopting measures; receiving communications from the national authority and adopting measures in response; training the entity’s employees and contractors on best practices; and carrying out other duties determined by the controller or set out in complementary rules. Unlike under the GDPR, the DPO need not be a natural person: the role can be outsourced to a third-party legal entity or individual, so a company or working group can fulfil the DPO’s responsibilities.
Civil Liability and Administrative Sanctions
Pursuant to the LGPD, the processor and the controller may be held jointly and severally liable for any damage resulting from a violation of the terms of the LGPD. The processor may also be held liable for failure to comply with the controller’s clear and legal instructions.
In addition to civil liability, failure to comply with the LGPD may also result in administrative penalties. Article 52 of the LGPD sets forth a number of penalties, which include warnings, fines, suspension or even prohibition of the activity related to the data processing. Fines are calculated based on a company’s annual net revenue, and are limited to a total amount of fifty million Brazilian reais (R$ 50,000,000), nearly thirteen million dollars (US$ 13,000,000). It must be noted that the fines are applied separately to each violation, resulting in a significant risk to data controllers and processors in the event of non-compliance.
The National Data Protection Authority
Article 55 of the LGPD establishes the creation of an independent federal agency named Autoridade Nacional de Proteção de Dados (“ANPD”). The ANPD will be responsible for the regulation of all matters related to data protection and for monitoring and enforcing the LGPD. Although initially vetoed by the Brazilian President, the ANPD was reinstated by executive order in December 2018. However, in order to remain effective, that executive order must be converted into law by the Brazilian congress in 2019. The ANPD does not have the power to audit companies, but may request information pursuant to an investigation.
The LGPD comes into effect 24 months after its original publication, so enforcement is now set to begin in August 2020. Accordingly, US-based clients with operations in Brazil must plan to comply with the new regulation. Initial compliance steps include:
Identify to which data the LGPD applies;
Establish and document legal bases for processing;
Review data subject rights and establish processes for meeting those rights, including data subject requests;
Establish and document legal bases for international data transfers; and
Appoint a data protection officer.
Relentless Global Privacy Services have you covered
Comparing South Korea Personal Information Protection Act to GDPR
South Korea’s Personal Information Protection Act (PIPA) was enacted on September 30, 2011, and is regarded as one of the world’s strictest privacy regimes.
PIPA has many similarities to the GDPR: it protects privacy rights from the viewpoint of the data subject, and it is wide ranging, applying to most organisations, including government entities.
It is not only broad and robust; its penalties, which include regulatory fines, criminal fines and even imprisonment, are vigorously enforced.
On June 30 of last year, South Korea became the fifth member to join the APEC Cross Border Privacy Rules, joining the U.S., Japan, Canada and Mexico.
As cross-border trade and data-sharing agreements grow, global organisations cannot rely simply on complying with local privacy law. Privacy compliance must now be treated as a global umbrella, with compliance with the many regional and national laws nestling beneath it.
The below table compares aspects of the GDPR directly with South Korea’s PIPA.
South Korea’s Personal Information Protection Act
To provide for the processing of the personal information for the purpose of enhancing the right and interest of citizens, and further realizing the dignity and value of the individuals by protecting their privacy from the unauthorized collection, leak, abuse or misuse of personal information.
To enable the free movement of personal data within the Union while protecting fundamental rights and freedoms of natural persons and, in particular, their right to the protection of personal data.
Applies to any public institution, corporate body, organization, individual, etc., that manages personal information directly or via another person to administer personal information files as part of their duties.
Applies to the processing of personal data wholly or partly by automated means, within the scope of Union law.
Although the territorial scope is not specified in the law, the standard for enforcement of South Korean data protection law is similar to the GDPR in that companies established in South Korea are certainly subject the law, and foreign companies that target South Korean users are likely also within the ambit of enforcement action.
Applies to processing that takes place in the Union or by a processor who has an establishment in the Union within the context of activities in the Union or to processing activities that are related to the offering of goods and services to (or behavioral monitoring of) data subjects in the Union.
“Personal information” means information pertaining to any living person that makes it possible to identify such individual by their name and resident registration number, image, etc. (including the information which, if not by itself, makes it possible to identify any specific individual if combined with other information).
Personal data means any information relating to an identified or identifiable natural person.
Sensitive Personal Data
Sensitive personal information pertains to ideology, belief, joining and withdrawing from trade unions or political parties, political opinion, health, sexual life, criminal history dat, and DNA information acquired from genetic examination, as well as other personal information that, if processed, is likely to infringe the privacy of data subjects.
Special categories of data that are considered particularly sensitive are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
The act does not distinguish between controllers and processors. Both a controller and a processor are considered a “Personal information processor.”
Means the natural or legal person, public authority, agency or other body, which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Personal information processor” means a public institution, legal person, organization, individual, etc. that processes directly or indirectly personal information to operate personal information files for official or business purposes. Because the act does not distinguish between controllers and processors, it is important to note that processors in South Korea are subject to many requirements that are reserved for controllers under the GDPR.
Means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
Publicly Available Information
There is no specific exception to applicability that relates to publicly available information.
The processing of publicly available information may be permitted for certain archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, insofar as providing notice is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases, the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available.
Preventing Harm Principle
The law provides that state and local governments shall devise policies to prevent harmful consequences of beyond-purpose collection; abuse and misuse of personal information; and enhance the dignity of human beings and individual privacy. Preventing harm is also expressed as a reason for certain personal information to be classified as sensitive.
Protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
Lawfulness, Fairness and Transparency
The personal information processor shall make the personal information processing purposes explicit and specified and shall collect minimum personal information lawfully and fairly to the extent necessary for such purposes.
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
An information processor should use personal information only for the purposes specified to the data subject in any applicable consent.
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
A personal information processor should collect only the minimum amount of personal information necessary for the purposes specified to the data subject.
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
The personal information processor shall ensure the personal information is accurate, complete and up-to-date to the extent necessary to attain the personal information processing purposes.
Personal data should be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, is erased or rectified without delay.
Personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
The personal information processor shall inform the data subject of the duration of data retention when obtaining consent for processing, and shall make efforts to process personal information in anonymized form where possible.
Personal data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to implementation of the appropriate technical and organizational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject.
The personal information processor must notify data subjects of:
· The purpose of personal information processing.
· The period for processing and retention of the personal information.
· Any provision of the personal information to a third party (if applicable).
· Any consignment of personal information processing (if applicable).
· The rights and obligations of data subjects and how to exercise the rights.
· Other matters in relation to personal information processing as stated in the Presidential Decree.
Articles 12, 13, and 14 address the requirement that a data controller provide notice to data subjects of processing that is concise, transparent, intelligible and easily accessible; written in clear and plain language, particularly if addressed to a child; and free of charge.
The notice must contain:
· Identity and contact details of the controller (and, where applicable, the controller’s representative) and the data protection officer
· Purpose of the processing and the legal basis for the processing
· The legitimate interests of the controller or third party, where applicable
· Categories of personal data
· Any recipient or categories of recipients of the personal data
· Details of transfers to third country and safeguards
· Retention period or criteria used to determine the retention period
· The existence of each of data subject’s rights
· The right to withdraw consent at any time, where relevant
· The right to lodge a complaint with a supervisory authority
· The source the personal data originates from and whether it came from publicly accessible sources
· Whether the provision of personal data is part of a statutory or contractual requirement or obligation, and the possible consequences of failing to provide the personal data
· The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences.
Choice and Consent
The law specifies that when obtaining consent from data subjects, the personal information processor shall present each matter requiring consent separately so that the data subject can recognize it explicitly. When obtaining consent for processing, the personal information requiring consent should be segregated from the personal information not requiring consent.
The personal information processor shall not deny goods and services on the basis that the data subject did not consent to certain processing (such as agreeing to receive solicitations).
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
If the data subject’s consent is given in the context of a written declaration that also concerns other matters, the request for consent shall be presented in a manner that is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
Integrity and Confidentiality
The act imposes detailed technical and administrative measures for the security of personal information. The personal information processor shall take the technical, managerial and physical measures necessary to ensure safety, such as establishing an internal management plan and preserving log-in records, so that personal information is not lost, stolen, leaked, altered or damaged.
Personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
The personal information processor must appoint a privacy officer.
The Minister of Public Administration and Security has the right to request materials and documents that demonstrate compliance with the law, and to enter the premises and inspect if the personal information processor fails to furnish those materials.
The controller must appoint a data protection officer.
The controller shall be responsible for and be able to demonstrate compliance with the principles of the processing of personal data under the GDPR. The controller and the processor shall designate a data protection officer where processing requires regular and systematic monitoring of data subjects on a large scale or the core activities of the controller or the processor consist of processing on a large scale of special (sensitive) categories of data or personal data relating to criminal convictions and offenses.
Access and Correction
The data subject has the right to demand access to their personal information, suspension of its processing, and its correction, deletion or destruction.
The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed, and to access the personal data and information about the processing, including the categories of data processed, the recipients of the data, the rights to erasure and rectification of the personal data, the right to lodge a complaint with a supervisory authority (DPA), the source of the data, and whether the data was subject to automated decision-making, including profiling (and if so, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject).
Data subjects may demand access to data, with some exceptions. The law does not specify that access must be in the form of an export or other form of portability.
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
Transfer of Personal Data to Another Person or Country
A data protection agreement must be in place between the personal information processor and the party to which processing is outsourced. This requirement also applies to international personal information transfers.
The personal information processor must also inform data subjects when it provides personal information to a third party overseas, and, when obtaining that consent, shall not enter into a contract for a cross-border transfer that violates the act.
When a controller sends data to another party to be processed, that party is a processor and must therefore be bound by contract with the controller to protect the personal data. Personal data may only be transferred to third countries where the European Commission has determined that the country’s laws provide adequate protection, or where the transfer is protected by binding corporate rules, approved model clauses, or binding agreements combined with an approved code of conduct or approved certification.
Breach Notification
The act does not define “breach”; it refers simply to an event in which personal information has been breached.
Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed.
The personal information processor must notify the aggrieved data subjects without delay when it becomes aware that personal information has been breached.
Breaches that affect more than a certain number of individuals as set forth in a presidential decree must be disclosed to the data protection authority.
The GDPR requires assessment of data incidents and notification without undue delay: to the supervisory authority (where feasible, within 72 hours) when the breach is likely to result in a risk to the rights and freedoms of natural persons, and to data subjects when the breach is likely to result in a high risk to those rights and freedoms.
The act contains no specific provision allowing a harm or risk test, or mitigation measures, to be applied to avoid the requirement to notify of a breach; the personal information processor is, however, obligated to take countermeasures to minimize damage.
Under the GDPR, notification to data subjects is not required if:
· The controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the data affected by the personal data breach, in particular measures that render the data unintelligible to any person who is not authorized to access it, such as encryption; or
· The controller has taken subsequent measures that ensure that the high risk for the rights and freedoms of data subjects is no longer likely to materialize; or
· It would involve a disproportionate effort. In such case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.