Do you know what the General Data Protection Law (LGPD) is?
It is the set of rules that regulates any and all personal data processing activities in Brazil.
Since August 2020, the LGPD has been in force and, starting August 2021, any violation of its rules could be subject to penalties, which can reach up to R$ 50,000,000.00.
Do you know what personal data is?
Would you be able to tell whether third-party information passes, in any way, through your company's control?
Personal information is any and all information related to an identified or identifiable individual, whether they are customers, employees, suppliers, service providers, freelancers, among others. This definition includes information such as name, address, telephone, photo, date of birth, CPF, e-mail, bank details, navigation data, personal preferences, etc.
If information of this nature is collected, stored, classified, reproduced, transmitted, or otherwise used by your company, those activities must be brought into conformity with the General Data Protection Law (LGPD), as well as with internal policies and contracts.
Thus, if your company has not yet started a project to adapt to the new law, there is no more time to waste, and to help you prepare for this new phase we have prepared this material with basic guidelines.
Legal bases for data processing under the LGPD:
All activities carried out related to personal information must be supported by one of the legal bases provided for by law, among which the following stand out:
- Free and explicit consent given by the holder;
- Regular exercise of rights, in the context of contracts or of judicial, administrative or arbitration proceedings;
- Compliance with legal obligations;
- When necessary to meet legitimate interests, as long as the holder’s fundamental rights and freedoms are respected;
- Protection of life or health.
Any data processing carried out without support in one of the legal bases represents a violation of the law and is therefore subject to sanctions.
Security obligations arising from the LGPD:
Do you know how to protect the personal data used by your company?
One of the LGPD's principles is security, which obliges the person responsible for the use of the data to adopt technical and administrative measures capable of protecting personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication or dissemination.
In the event of an incident that may entail a risk of damage to the holders of the data, the agent is obliged to notify the National Authority and the holder within 2 working days. It is therefore extremely important to adopt effective security mechanisms.
Any and all processing activities must comply with all the principles provided for in the LGPD, so it is always necessary to ask oneself, among other questions:
- Purpose: Why am I using third-party personal data?
All processing purposes must be legitimate, explicit and specific.
- Adequacy: Do I really use personal data only for the purpose I have indicated to its holder?
All processing activity must be compatible with the purposes informed to the holder.
- Necessity: Will the processing involve only the data needed for the proposed purpose?
All processing activity must be limited to the minimum necessary for the intended purpose.
- Transparency: If requested, can I inform the holder of the personal data what I do with their information?
It is always necessary to assure the holders clear and precise information regarding the processing.
- Security and Prevention: Do I have information security systems that ensure data is protected from leakage?
It is mandatory to adopt measures to prevent the occurrence of damage as a result of the processing.
Written by Fernando Borges, Caio Brito and Daniel Rangel