Data Collection and Data Processing Under the Brazil LGPD

Data Collection and Data Processing Under the Brazil LGPD

On December 28, 2018, the Provision Measure no. 869/2018 was published, which amended certain LGPD provisions and created the National Data Protection Authority (ANPD). Among other modifications, the LGPD will go into full force in August 2020, rather than February 2020 as required when the LGPD was first published. The LPGD, as amended, will take effect in August 2020.

Data Collection and Processing 

Under LGPD collection and processing is referred to as data treatment, and defined as all operations carried out with personal data, such as:

  • Collection
  • Production
  • Reception
  • Classification
  • Utilisation
  • Access
  • Reproduction
  • Transmission
  • Distribution
  • Processing
  • Filing
  • Storage
  • Elimination
  • Evaluation
  • Control
  • Modification
  • Communication
  • Transfer
  • Diffusion, or
  • Extraction

The treatment of personal data may only be carried out based on one of the following legal bases, which largely align to the GDPR:

  • With data subject consent
  • To comply with a legal or regulatory obligation by the controller
  • By the public administration, for the processing and shared use of data which are necessary for the execution of public policies provided in laws or regulations or contracts, agreements or similar instruments
  • For carrying out studies by research entities, ensuring, whenever possible, the anonymization of personal data
  • For the execution of a contract or preliminary procedures related to a contract of which the data subject is a party
  • For the regular exercise of rights in judicial, administrative or arbitration procedures
  • As necessary for the protection of life or physical safety of the data subject or a third party
  • For the protection of health, in a procedure carried out by health professionals or by health entities
  • To fulfil the legitimate interests of the controller or a third party, and
  • For the protection of credit

Notwithstanding the above, personal data processing shall be done in good faith and based on the following principles:

  • Purpose
  • Suitability
  • Necessity
  • Free access
  • Quality of the data
  • Transparency
  • Security
  • Prevention
  • Nondiscrimination, and
  • Accountability

As for the processing of sensitive personal data, the treatment can only occur when the data subject or her or his legal representative consents specifically and in highlight, for specific purposes; or, without consent, under the following situations:

  • As necessary for the controller’s compliance with a legal or regulatory obligation
  • Shared data processed as necessary for the execution of public policies provided in laws or regulations
  • For studies carried out by a research entity
  • For the regular exercise of rights, including in a contract or in a judicial, administrative and arbitration procedure
  • Where necessary to for the protection of life or physical safety of the data subject or a third party
  • The protection of health, carried out by health professionals or by health entities, or
  • ensuring the prevention of fraud and the safety of the data subject

The controller and operator must keep records of the data treatment operations they carry out, mainly when the processing is based on a legitimate interest.

In this sense, the ANPD may determine that the controller must prepare an Impact Report on Protection of Personal Data, including sensitive data, referring to its data processing operations, pursuant to regulations, subject to commercial and industrial secrecy. The report must contain at least a description of the types of data collected, the methodology used for collection and for ensuring the security of the information, and the analysis of the controller regarding the adopted measures, safeguards and mechanisms of risk mitigation.

The Relentless Privacy and Compliance Services  provide  a wide range of LGPDGDPR  services

Sharing is caring!

shares
error: Content is protected !!