1. Does the Law affect my company?
The Law governs processing of personal data in Brazil. The concept of data processing is broad and includes the collection, storage, transfer, deletion and other activities related to personal data.
This means that any company (or individual processing data for economic purposes) that performs any of these activities in Brazil will be subject to the Law, from small entrepreneurs to large multinationals. The Public Sector is also subject to the new Law. The Law provides for a number of principles and obligations that companies must observe when processing personal data. By the time the Law takes effect, companies will need to ensure that each personal data processing activity is grounded on at least one legal basis provided for in the Law, and will need to adopt technical and administrative security measures to protect personal data.
2. What is personal data?
Personal data is any and all information related to an identified or identifiable individual. Examples include a person's name, address, telephone number, ID number, Tax ID number, driver's license, and bank account information. Also, data that, by itself, does not allow the identification of an individual may be considered personal data if it enables an individual's identification when processed with other data.
3. Who are the controllers?
Controllers are companies that make decisions regarding the processing of personal data. These companies determine which data should be processed, for what purposes, for how long, with whom they may be shared, etc. Companies that process personal data on behalf of controllers are referred to as processors. Controllers shall appoint a data protection officer, who will act as a liaison for matters related to personal data before the Brazilian Data Protection Authority and before data subjects. Both controllers and processors are obligated to compensate third parties for damages caused by processing activities that violate the Law. Furthermore, the controller will be required to notify the Brazilian Data Protection Authority and data subjects in the event of security incidents.
4. What triggers application of the Law?
The Law applies to any processing of personal data that:
- Takes place in Brazil
- Aims at offering goods or services in Brazil
- Refers to individuals that were in Brazil when data was collected
Therefore, the Law will apply regardless of the data subject’s nationality, the means employed for processing data, the jurisdiction where the company is headquartered, or the location where data is stored.
5. Must the company always obtain consent to process personal data?
Not necessarily. While obtaining consent is an important legal basis for processing personal data, under the Law processing may occur based on any of the alternatives below:
- The company obtains the data subject’s consent for processing personal data
- The company is a controller and processing personal data is required for compliance with a legal or regulatory obligation
- Data processing is required for performance of a contract, at the request of the data subject
- Data processing is necessary to exercise the company’s rights, whether arising from contract or in a court, administrative or out-of-court proceeding
- The controller or third parties have a legitimate interest to process personal data
- Data processing is necessary for credit protection
The Law lists other lawful bases, besides the ones above. It is worth mentioning that, if personal data processing is based on the data subject’s consent, the data subject will have the right to revoke such consent at any time and at no cost.
The important thing to keep in mind is that the processing of personal data, even when based on consent, shall always be limited to a purpose, and the company may only process data that is strictly necessary to achieve that purpose.
For instance, if a company is legally required to process the names of its employees, the legal basis for such processing will be the corresponding legal obligation. However, this legal obligation does not allow the company to process such data for other purposes or to process personal data beyond the names of employees. If the company wishes to do either of these two things, it must ensure that an adequate legal basis legitimizes such processing.
6. Is caution required when processing sensitive data?
Sensitive data is data that refers to an individual's racial or ethnic origin, religious beliefs, political opinion, trade union membership, health or sex life, and genetic or biometric data. If the company intends to process sensitive data, it must obtain the relevant data subject's specific consent, except when processing is indispensable for:
- The controller to comply with a legal or regulatory obligation
- The company to exercise its rights, whether arising from contract or in a court, administrative or out-of-court proceeding
- Research by research entities (in this case, when possible, data shall be anonymized, i.e. the individual should not be identifiable)
- Ensuring fraud prevention and the data subject's safety in identification verification in electronic systems
The Law lists other lawful bases, besides the ones above.
7. Are there any precautions to consider before transferring personal data offshore?
Yes. Just as the Law allows processing of personal data only in certain cases, the international transfer of data is also allowed only in particular circumstances. Accordingly, the transfer of data from Brazil to other countries may only occur if:
- The country of destination offers adequate protection to personal data
- There are standard contractual clauses between controllers and the recipient of personal data
- The company adopts binding corporate rules
- The company adopts approved data protection seals, certifications, and codes of conduct
- The Brazilian Data Protection Authority authorizes the transfer
- The data subject has given specific and highlighted consent for the transfer
The Law lists other lawful bases, besides the ones above. Note that most cases listed in the Law depend on regulation by the Brazilian Data Protection Authority. It is the Authority that will determine whether a country offers adequate protection to personal data, whether the standard contractual clauses or binding corporate rules are sufficient to protect personal data, which seals and certifications are adequate, etc.
8. And what is the Brazilian Data Protection Authority?
The Brazilian Data Protection Authority (BDPA) was created in the Bill of Law that was approved by the House of Representatives and the Senate, but its creation was vetoed by President Michel Temer (along with the provisions that would designate its duties, e.g., monitoring compliance with the Law and enforcing sanctions in the event of noncompliance). There is great uncertainty as to how the gap created by the veto will be filled and who will now take on the role of the BDPA. It is expected that a solution will be proposed by the Federal government soon, as otherwise the effectiveness of the Law may be impaired.
9. What are the consequences of noncompliance?
Penalties include warnings, a single fine (capped at 2% of the group's gross revenue in the last fiscal year in Brazil, limited to BRL 50 million) and a daily fine, limited to the same amount. Penalties also include blocking and elimination of the personal data at stake. When applying penalties, the authorities will assess whether the company adopts measures aimed at processing personal data safely and adequately, in a manner that minimizes damages.
10. What should my company do now?
Companies will now have a period of 18 months to comply with the Law. The first step in that direction is to map how the company processes personal data: which types of data are processed, for what purposes, which corporate departments are engaged in processing activities and what security measures are adopted to ensure protection of personal data. Having this information in hand, the company will be better positioned to identify vulnerabilities and define the next steps towards compliance.