Brazilian General Data Protection Law No. 13.709 FROM AUGUST 14th, 2018.

30 de setembro de 2021

General Personal Data Protection Law (LGPD). [English translation made by ASSIS E MENDES ADVOGADOS]

 

THE PRESIDENT OF THE REPUBLIC I hereby make it known that the National Congress decrees and I enact the following Law:

CHAPTER I 

PRELIMINARY PROVISIONS

Art. 1. This Law provides for the processing of personal data, including in digital media, by a natural person or a legal entity governed by public or private law, in order to protect the fundamental rights of freedom and privacy and the free development of the natural person’s personality.

Sole paragraph. The general rules contained in this Law are of national interest and must be observed by the Union, States, Federal District, and Municipalities. (Included by Law No. 13.853, from 2019)Term

Art. 2. The discipline of personal data protection is based on:

  1. – respect for privacy;

  2. – information self-determination;

  3. – freedom of expression, information, communication, and opinion;

  4. – the inviolability of intimacy, honor, and image;

  5. – economic and technological development and the innovation;

  6. – free enterprise, free competition, and consumer protection; and

  7. – human rights, free development of personality, dignity, and exercise of citizenship by natural persons.

Art. 3. This Law applies to any processing operation carried out by an natural person or by a legal entity governed by public or private law, regardless of the environment, country of its headquarters, or country where the data are located, provided that:

  1. – the processing operation is carried out in the national territory;

  2. – the processing activity has as its objective the offer or supply of goods or services or the processing of data of natural persons located in the national territory; or (Wording given by Law No. 13.853 from 2019)     Term

  3. – the personal data to the processing have been collected in the national territory.

§ 1 Personal data whose data subject is found in the national territory at the time of collection is considered collected in the national territory.

§ 2 Data processing as provided in item IV of the caput of art. 4 of this Law is exempted from the provisions of item I of this article.

Art. 4. This Law does not apply to the processing of personal data:

  1. – carried out by an natural person for exclusively private and non-economic purposes;

  2. – carried out exclusively for:

  1. journalistic and artistic purposes; or

  2. academic purposes, applying arts. 7 and 11 of this Law; 

III – carried out exclusively for:

  1. public security;

  2. national defense;

  3. State security; or

  4. activities of investigation and prosecution of criminal offenses; or

IV – originated outside the national territory and that are not objects of communication, shared use of data with Brazilian processing agents or international data transfer with a country other than the country of origin, provided that the country of origin provides an adequate level of protection of personal data in accordance with the provisions of this Law.

§  1 The processing of personal data provided for in item III shall be governed by specific legislation, which shall provide for proportional and strictly necessary measures to meet the public interest, subject to due process of law, the general principles of protection, and the rights of the data subjects provided for in this Law.

§  2 It is forbidden the processing of the data referred to in item III of the caput of this article by a person governed by private law, except in proceedings under the control of a legal entity governed by public law, of which the national authority shall be specifically informed and which shall observe the limitation imposed in paragraph 4 of this article.

§ 3 The national authority shall issue technical opinions or recommendations regarding the exceptions provided for in item III of the caput of this article and shall request the responsible agents for data protection impact assessment.

§ 4 In no case shall the totality of the personal data in the database referred to in item III of the caput of this article be treated by a person under private law, except for one who has capital wholly constituted by the public authorities. (Wording given by Law No. 13.853, from 2019)Term

Art. 5. For purposes of this Law, it is considered:

  1. – personal data: information related to an identified or identifiable natural person (natural person);

  2. – sensitive personal data: personal data on racial or ethnic origin, religious belief, political opinion, trade union or organization of a religious, philosophical or political nature membership, data related to health or sex life, genetic or biometric data, when linked to an natural person;

  3. – anonymized data: data relating to a data subject that cannot be identified, considering the use of reasonable technical means available at the time of processing;

  4. – database: a structured set of personal data, established in one or several places, in electronic or physical support;

  5. – data subject: the natural person (natural person) to whom the personal data being processed refer to;

  6. – controller: natural person or legal entity, either governed by public or private law, who is responsible for decisions concerning the processing of personal data; and

  7. – processor (operator): the natural person or legal entity, whether public or private, who processes personal data on behalf of the controller;

  8. – data protection officer: a person appointed by the controller and processor to act as a communication channel between the controller, the data subjects, and the National Data Protection Authority (ANPD);                   (Wording given by Law No. 13.853 from 2019)     Term

 

  1. – processing agents: the controller and the processor;

  2. – processing: any operation carried out with personal data, such as those related to the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, destruction, evaluation or control of information, change, communication, transfer, dissemination or extraction;

  3. – anonymization: the use of reasonable technical means available at the time of processing, whereby a data loses the possibility of direct or indirect link with an natural person;

  4. – consent: free, informed, and unambiguous manifestation by which the data subject agrees to the processing of his/her personal data for a specific purpose;

  5. – blocking: temporary suspension of any processing operation, keeping the personal data or the database;

  6. – deletion: exclusion of data or set of data stored in a database, regardless of the procedure used;

  7. – international data transfer: transfer of personal data to a foreign country or international organization of which the country is a member;

  8. – the shared use of data: communication, dissemination, international transfer, interconnection of personal data or the shared processing of personal databases by public agencies and entities, in compliance with their legal competencies, or between them and private entities, reciprocally, with specific authorization, for one or more processing modalities permitted by those public entities, or between private entities;

  9. – data protection impact assessment: documentation of the controller containing the description of the processes for processing personal data that may pose risks to civil freedom and fundamental rights, as well as measures, safeguards, and risk mitigation mechanisms;

  10. – research body: body or entity of direct or indirect public administration or a non-profit legal entity governed by private law, legally constituted under Brazilian law, with headquarters and jurisdiction in the country, which includes in its institutional mission or in its social or statutory purpose basic or applied research of a historical, scientific, technological or statistical nature; and (Wording given by Law No. 13.853 from 2019)Term

  11. – national authority: public administration body responsible for overseeing, implementing, and monitoring compliance with this Law in all the national territory. (Wording given by Law No. 13.853 from 2019)Term

Art. 6. The activities of the processing of personal data shall comply with the good faith and the following principles:

  1. – purpose: to carry out the processing for legitimate, specific, explicit, and informed purposes to the data subject, without the possibility of further processing in a way incompatible with those purposes;

  2. – adequacy: compatibility of the processing with the purposes informed to the data subject, in accordance with the context of the processing;

  3. – necessity: limitation of the processing to the minimum necessary required for the achievement of its purposes, encompassing pertinent, proportional, and non-excessive data concerning the purposes of the data processing;

  4. – free access:  guarantee, to the data subjects, of facilitated and free consultation on the form and duration of the processing, as well as on all their personal data;

  5. – quality of data: guarantee, to the data subjects, of accuracy, clarity, relevance, and update of the data, according to the need and for compliance with the purpose of the processing thereof;

  6. – transparency: guarantee, to the data subjects, of clear, accurate, and easily accessible information on the processing and the respective processing agents, subject to business and industrial secrets;

  7. – security: use of technical and administrative measures able to protect the personal data from unauthorized accesses and accidental or unlawful situations of destruction, loss, change, communication, or diffusion;

  8. – prevention: adoption of measures to prevent the occurrence of damage given the processing of personal data;

  9. – non-discrimination: the impossibility for processing data for discriminatory, unlawful or abusive purposes;

  10. – liability and accountability: proof, by the agent, of adoption of effective measures able to prove observance of and compliance with the personal data protection rules, and also with the effectiveness of these measures.

CHAPTER II 

PROCESSING OF PERSONAL DATA

Section I 

Requirements for the Processing of Personal Data

 

Art. 7. The processing of personal data can only be carried out in the following cases:

  1. – by providing consent by the data subject;

  2. – for compliance with a legal or regulatory obligation by the controller;

  3. – by the public administration, for the processing and shared use of data necessary for the execution of public policies provided for on laws, regulations or backed by contracts, agreements or similar instruments, subject to the provisions of Chapter IV of this Law;

  4. – to carry out studies by a research agency, wherever possible, the anonymization of personal data is guaranteed;

  5. – where necessary for the execution of a contract or preliminary procedures relating to a contract to which the data subject is a part of, at the request of the data subject;

  6. – for the regular exercise of rights in judicial, administrative, or arbitration proceedings, the latter under the terms of Law No. 9307, from September 23 ,1996(Arbitration Law) ;

  7. – for the protection of the life or physical safety of the data subject or third party;

  8. – for the protection of health, exclusively, in a procedure performed by health professionals, health services, or health authorities; (Wording given by Law No. 13.853 from 2019)      Term

  9. – when necessary to meet the legitimate interests of the controller or third party, except in the case of the data subject’s fundamental rights and freedoms that require the protection of personal data; or

  10. – for the protection of credit, including the provisions of the relevant legislation.

§ 1 (Revoked). (Wording given by Law No. 13.853, from 2019)Term

§ 2 (Revoked). (Wording given by Law No. 13.853, from 2019)Term

§ 3 The processing of personal data to which public access must consider the purpose, good faith, and public interest that justified its availability.

§ 4 The consent requirement provided in the caput of this article is waived for data made manifestly made public by the data subject, safeguarding the rights of the data subject and the principles provided for in this Law.

§ 5 The controller who obtained the consent referred to in item I of the caput of this article, who needs to communicate or share personal data with other controllers, must obtain specific consent from the data subject for this purpose, except in the cases of waiver of consent provided for in this Law.

§ 6 Any eventual waiver of the consent requirement does not release the agents from handling the other obligations outlined in this Law, especially compliance with the general principles and guarantee of the data subject’s rights.

§ 7 The subsequent processing of personal data referred to in §§ 3 and 4 of this article may carry out for new purposes, provided that the legitimate and specific purposes for the new processing and preservation of the data subject’s rights, as well as the fundamentals and principles provided for in this Law.       (Included by Law No. 13.853 from 2019 )     Term

Art. 8. The consent provided for in item I of art. 7 of this Law shall be provided in writing or by other means that demonstrate the data subject’s intention.

§ 1 If the consent is given in writing, it should be included in a clause that stands out from the other contractual provisions.

§  2 The controller shall bear the burden of proving that he obtained the consent under the provisions of this Law.

§ 3 The processing of personal data is prohibited due to defective consent.

§ 4 The consent must refer to specific purposes and will be null and void the generic authorizations for the processing of personal data.

§ 5 The consent may be revoked at any time, through the express manifestation of the data subject, through a free and facilitated procedure, ratified the processing performed under cover of the consent previously manifested while there is no request for deletion, under the terms of item VI of the caput of art. 18 of this Law.

 

§  6 In case of change of information referred to in items I, II, III, or V of art. 9 of this Law, the controller must inform the data subject, explicitly highlighting the content of the changes.  In cases in which his/her consent is required, the data subject may revoke it if he/she disagrees with the change.

Art. 9. The data subject has the right to easy access to information on the processing of his/her data, which should be made available in a transparent, adequate, and ostentatious manner, among other characteristics provided for in regulation to comply with the principle of free access:

  1. – specific purpose of the processing;

  2. – form and duration of the processing, observing commercial and industrial secrets;

  3. – controller identification;

  4. – contact information of the controller;

  5. – information about the controller’s shared use of data and the purpose;

  6. – responsibilities of the agents who will carry out the processing; and

  7. – data subject’s rights, with explicit mention of the rights contained in art. 18 of this Law.

§ 1 In the event that consent is required, the consent shall be considered null if the information provided to the data subject has misleading or abusive content or has not previously been presented transparently, in a clearly and unequivocally way.

§ 2 When consent is required, if there are changes in the purpose of the processing not compatible with the original consent, the controller must inform the data subject in advance of the changes of meaning, and the data subject may revoke consent if he/she disagrees with the changes.

§ 3 When the processing of personal data is a condition for the provision of product or service or to the exercise of rights, the data subject shall be informed in detail about this fact and how he/she may exercise his/her rights listed in art. 18 of this Law.

Art. 10. The legitimate interest of the controller may only be based on the processing of personal data for legitimate purposes, considered from concrete situations, which include, but are not limited to:

  1. – support and promotion of controller activities; and

  2. protection concerning the data subject, the regular exercise of his/her rights or provision of services that benefit him/her, respecting legitimate expectations and fundamental rights and freedoms, under the terms of this Law.

§ 1 When the processing is based on the controller’s legitimate interest, only the personal data strictly necessary for the intended purpose can be processed.

§ 2 The controller shall adopt measures to guarantee the transparency of data processing based on its legitimate interest.

§ 3 The national authority may request from the controller the data protection impact assessment when the processing is based on its legitimate interest, subject to commercial and industrial secrets.

Section II 

Processing of Sensitive Personal Data

 

Art. 11. The processing of sensitive personal data can only occur in the following cases:

  1. – when the data subject or her/his legal guardian consents, in a specific and prominent way, for specific purposes;

  2. – without consent from the data subject being given, in cases in which it is indispensable for:

  1. the compliance with legal or regulatory obligations by the controller;

  2. processing of shared data necessary for the implementation, by the public administration, of public policies provided for in laws or regulations;

  3. to carry out studies by a research agency, wherever possible, the anonymization of sensitive personal data;

  4. regular exercise of rights, including in contract and in judicial, administrative, and arbitration proceedings, the latter according to Law No. 9.307 from September 23, 1996(Arbitration Law) ;

  5. the protection of the life or physical safety of the data subject or third party;

  6. protection of health, exclusively, in a procedure performed by health professionals, health services, or health authority; or (Wording given by Law No. 13.853 of2019).  

 

  1. ensure fraud prevention and security of the data subject, in the processes of identification and authentication of registration in electronic systems, safeguarding the rights mentioned in art. 9 of this Law and except in case of the fundamental rights and freedom of the data subject that require the protection of personal data.

§ 1 The provisions of this article shall apply to any processing of personal data that reveals sensitive personal data and may cause harm to the data subject, subject to the conditions of specific legislation.

§ 2 In cases of application of the provisions of items “a” and “b” of item II of caput of this article by public bodies and entities, the waiver mentioned above of consent shall be publicized, according to item I of the main section of art. 23 of this Law.

§ 3 Communication or the shared use of sensitive personal data among controllers to obtain economic advantage may be prohibited or subject to regulation by the national authority, after hearing the sectoral agencies of the Government, within the scope of their competencies.

§ 4 Communication or shared use between controllers of sensitive personal data referring to health in order to obtain an economic advantage is prohibited, except in hypotheses related to the provision of health services, pharmaceutical assistance, and health insurance, as long as §5 of this article is observed, including auxiliary diagnostic and therapeutic services, in benefit of the interests of the data subject and also to allow:  (Wording given by Law No. 13.853 of 2019). 

  1. – data portability when requested by the data subject; or (Included by Law No. 13.853 from 2019)

Term

  1. – financial and administrative transactions resulting from the use and provision of the services referred to in this paragraph. (Included by Law No. 13.853from 2019 )     Term

§ 5 Operators of private health care plans are prohibited from processing health data for the practice of risk selection in the contracting of any modality, as well as in the contracting and exclusion of beneficiaries. (Included by Law No. 13.853from 2019)     Term

Art. 12. Anonymized data shall not be considered personal data for the purposes of this Law, except when the anonymization process to which it has been submitted is reversed, using exclusively proprietary means, or when it can be reversed with reasonable efforts.

§ 1 The determination of what is reasonable must consider objective factors, such as cost and time necessary to reverse the anonymization process, according to the available technologies, and the exclusive use of own means.

§ 2 Personal data, for this Law, may also be considered those used to form the behavioral profile of a particular natural person, if identified.

§ 3 The national authority may dispose of standards and techniques used in anonymization processes and carry out verifications about its security after hearing the National Council for the Protection of Personal Data.

Art. 13. When carrying out public health studies, research agencies may have access to personal databases, which shall be processed exclusively within the entity and strictly to carry out studies and research. Those databases shall be kept in a controlled and secure environment, in accordance with specific regulations and including, wherever possible, the anonymization or pseudonymization of the data and the due ethical standards related to studies and research.

§ 1 The disclosure of the results or any excerpt of the study or research referred to in the caput of this article under no circumstances shall reveal personal data.

§ 2 The research entity shall be responsible for the security of information in the caput of this article. In any case, the transfer of the data to third parties is not allowed.

§ 3 Access to the data referred to in this article will be subject to regulation by the national authority and health and sanitary authorities within the scope of its competencies.

§ 4 For this article, pseudonymization is the processing by which a data loses the possibility of an association, directly or indirectly, to a natural person, by the use of additional information maintained separately by the controller in a controlled and safe environment.

Section III 

Processing of Personal Data of Children and Adolescents

 

Art. 14. The processing of personal data of children and adolescents shall carry out in their best interest, pursuant to this article and the specific legislation.

§ 1 The processing of personal data of children shall be carried out with the specific and prominent consent given by at least one parent or legal guardian.

§ 2 In the processing of data referred to in § 1 of this article, controllers shall keep public information on types of data collected, the form of their use, and the procedures for exercising the rights referred to in art. 18 of this Law.

§ 3 3 Children’s personal data without the consent referred to in § 1 of this article may be collected when the collection is necessary to contact the parents or legal guardian, used once and without storage, or for their protection. In no case may they be passed on to third parties without the consent referred to in § 1 of this article.

§ 4 The controllers shall not condition the participation of the data subjects referred to in § 1 of this article to games, internet applications, or other activities to provide personal information beyond what is strictly necessary for the activity.

§ 5 The Controllers shall make all reasonable efforts to verify that the consent referred to in § 1 of this article has been given by the responsible party of the child, considering the available technologies.

§ 6 The information on the processing of data referred to in this article shall be provided in a simple, clear, and accessible manner, considering the physical-motor, perceptive, sensory, intellectual, and mental characteristics of the user, using audiovisual resources when appropriate, in order to provide the necessary information to the parents or legal guardian and adequate to the understanding of the child.

Section IV 

Termination of Data Processing

 

Art. 15. The termination of the processing of personal data will occur in the following cases:

  1. – verification that the purpose has been achieved or the data is no longer necessary or relevant to the achievement of the specific purpose sought;

  2. – end of processing period;

  3. communication by the data subject, including in the exercise of his right to revoke the consent provided in § 5 of art. 8 of this Law, safeguarding the public interest; or

  4. – determination of the national authority when there is a violation of the provisions of this Law.

Art. 16. Personal data shall be deleted after the end of its processing, within the scope and technical limits of the activities, authorized the maintenance for the following purposes:

  1. – the compliance with legal or regulatory obligations by the controller;

  2. – study by a research agency, guaranteed, wherever possible, the anonymization of personal data;

  3. – transfer to a third party, provided that the data processing requirements set out in this Law is respected; or 

IV – exclusive use of the controller, with its access by a third party being prohibited, and provided that the data is anonymized.

CHAPTER III 

DATA SUBJECT’S RIGHTS

Art. 17. Every natural person is guaranteed the ownership of his/her personal data, guaranteeing the fundamental rights of freedom, intimacy, and privacy, under the terms of this Law.

Art. 18. The data subject is entitled to obtain from the controller, in relation to the data subject’s data processed by the latter, at any time and upon request:

  1. – confirmation of the existence of processing;

  2. – access to the data;

  3. – correction of incomplete, inaccurate or outdated data;

  4. – anonymization, blocking, or elimination of unnecessary or excessive data or data process in disagreement with the provisions of this Law;

  5. – data portability to another service or product provider, upon express request, in accordance with the regulations of the national authority, observing commercial and industrial secrets;   (Wording given by Law No. 13.853 from 2019)      Term

  6. – elimination of personal data processed with the consent of the data subject, except in the cases provided for in art.16 of this Law;

  1. – information from public and private entities with which the controller made shared use of data;

  2. – information about the possibility of not giving consent and about the consequences of the refusal;

  3. – revocation of consent, pursuant to § 5 of art. 8 of this Law.

§ 1 The personal data subject has the right to petition in relation to his/her data against the controller before the national authority.

§ 2 The data subject may oppose processing based on one of the hypotheses of exemption from consent, in case of non-compliance with the provisions of this Law.

§ 3 The rights provided for in this article shall be exercised upon the express request by the data subject or a legally constituted representative, to the processing agent.

§ 4 In case of impossibility of immediate adoption of the provision referred to in paragraph 3 of this article, the controller will send the data subject an answer in which he/she may:

I – communicate that he/she is not a data processing agent and indicate, whenever possible, the agent; or 

II – indicate the reasons of fact or of law that prevent the immediate adoption of the providence.

§ 5 The application referred to in § 3 of this article will be met free of charge for the data subject, within the terms and conditions provided for in the regulation.

§ 6 The responsible person shall immediately inform the processing agents with whom he/she has shared the use of data, the correction, deletion, anonymization, or blocking of the data, so that they repeat the same procedure, except in cases where this communication proves impossible or involves disproportionate effort. (Wording given by Law No. 13.853, from 2019)Term

§ 7 The portability of the personal data referred to in item V of the caput of this article does not include data that has already been anonymized by the controller.

§ 8 The right referred to in paragraph 1 of this article may also be exercised before the consumer protection organizations.

Art. 19. Confirmation of existence or access to personal data will be provided, upon request by the data subject:

 

  1. – in a simplified format, immediately; or

  2. – by means of a clear and complete statement indicating the origin of the data, the lack of registration, the criteria used, and the purpose of the processing, observing the commercial and industrial secrets, supplied within a period of up to 15 days, date of the data subject’s request.

§ 1 The personal data will be stored in a format that favors the exercise of the right of access.

§ 2 The information and data may be provided, at the data subject discretion:

I – by electronic means, secure and suitable for this purpose; or 

II – in printed form.

§ 3 When processing originates in the consent of the data subject or in contract, the data subject may request a complete electronic copy of his/her personal data, observing the commercial and industrial secrets, in accordance with the regulations of the national authority, in a format that allows its subsequent use, including in other processing operations.

§ 4 The national authority may dispose in a differentiated manner about the periods provided for in items I and II of the caput of this article for specific sectors.

Art. 20. The data subject is entitled to request a review of decisions made solely on the basis of automated processing of personal data that affect their interests, including decisions designed to define their personal, professional, consumer, and credit profile or aspects of their personality. (Wording given by Law No. 13.853 from 2019)      Term

§ 1 The controller shall provide, whenever requested, clear and adequate information regarding the criteria and procedures used for the automated decision, observing the commercial and industrial secrets.

§ 2 In case of non-offer of information referred to in § 1 of this article based on compliance with commercial and industrial secrecy, the national authority may perform an audit to verify discriminatory aspects in automated processing of personal data.

§ 3 (VETOED). (Included by Law No. 13.853 from 2019 )     Term

Art. 21. Personal data relating to the data subject regular exercise of rights may not be used to his/her detriment.

Art. 22. The defense of the interests and rights of data subjects may be exercised in court, individually or collectively, as provided in the relevant legislation, regarding individual and collective protection instruments.

CHAPTER IV 

PROCESSING OF PERSONAL DATA BY PUBLIC AUTHORITIES

Section I 

The Rules

Art. 23. The processing of personal data by legal entities governed by public law referred to in the sole paragraph of art. 1 of Law No. 12,527,from November18 ,2011 (Access to Information Law) , shall be carried out for the fulfillment of its public purpose, in pursuit of the public interest, in order to perform legal powers or fulfill legal attributions of the public service, provided that:

  1. – they are informed of the cases in which, in the exercise of their powers, they carry out the processing of personal data, providing clear and up-to-date information on the legal forecast, purpose, procedures, and practices used to perform these activities in easily accessible media, preferably in their electronic sites;

  2. – (VETOED); and

  3. – a data protection officer is appointed when carrying out personal data processing operations, pursuant to art. 39 of this Law; and (Wording given by Law No. 13.853 from 2019 )     Term

  4. – (VETOED). (Included by Law No. 13.853 from 2019)      Term

§ 1 The national authority may decide on the disclosure of processing operations.

§ 2 The provisions of this Law do not exempt the legal entities mentioned in the caput of this article from establishing the authorities referred to in Law No. 12.527from November 18, 2011(Access to Information Law) .

§ 3 The deadlines and procedures for exercising the rights of the data subject before the public authorities shall comply with of Law, from November 12, 1997(Habeas Data Law) of Law, from(Administrative Process Law), of Law No. 12.527 from November 18, 2011(Access to Information Law).

§ 4 The notary and registration services exercised in private, by a delegation of the public authorities, shall have the same treatment as the legal entities mentioned in the caput of this article, under the terms of this Law.

§ 5 Notary registry entities shall provide access to the data by electronic means for public administration, in view of the purposes referred to in the caput of this article.

Art. 24. Public companies and mixed-capital companies that operate under a regime of competition, subject to the provisions of art. 173 of the Federal Constitution, will have the same treatment given to private legal entities under the terms of this Law.

Sole paragraph. Public companies and mixed-capital companies, when they are operating public policies and in the scope of their execution, will have the same treatment as the agencies and entities of the public authorities, under the terms of this Chapter.

Art. 25. Data should be maintained in an interoperable and structured format for shared use for public policy implementation, public service delivery, decentralization of public activity, dissemination, and access to information by the general public.

Art. 26. The shared use of personal data by the public authority must meet the specific purposes of public policy execution and legal attribution by public agencies and entities, respecting the principles of personal data protection listed in art. 6 of this Law.

§ 1 The Public Power is forbidden from transferring to private entities personal data contained in databases to which it has access, except:

  1. – in cases of decentralized execution of public activity that requires the transfer, exclusively for this specific and determined purpose, observing the provisions  of law No. 12,527 from November 18,2011 (Access to Information Law) ;

  2. – (VETOED);

  3. – in cases where the data are publicly accessible, subject to the provisions of this Law.

  4. – when there is a legal provision or the transfer is supported by contracts, agreements, or similar instruments; or (Included by Law No. 13.853 from 2019)     Term

  5. – in the event that the transfer of data is intended solely to prevent fraud and irregularities, or to protect and safeguard the security and integrity of the data subject, provided that processing for other purposes is prohibited. (Included by Law No. 13.853 from 2019 )      Term

§ 2 The contracts and agreements referred to in § 1 of this article shall be communicated to the national authority.

Art. 27. The communication or shared use of personal data from legal entities under public law to persons under private law will be reported to the national authority and will depend on the consent of the data subject, except:

  1. – in the cases of exemption from consent provided for in this Law;

  2. – in cases of shared use of data, in which publicity will be given in terms of item I of the caput of art. 23 of this Law; or

  3. – in the exceptions contained in § 1 of art. 26 of this Law.

Sole paragraph. The information to the national authority referred to in the caput of this article will be subject to regulation. (Included by Law No. 13.853from 2019)     Term

Art. 28. (VETOED).

Art. 29. The national authority may request, at any time, to the bodies and entities of the Public Power to carry out operations for processing personal data, specific information on the scope and nature of the data and other details of the processing carried out and may issue a complimentary technical opinion to guarantee compliance with this Law. (Wording given by Law No. 13.853 from 2019)   Term

Art. 30. The national authority may establish supplementary standards for communication activities and the shared use of personal data.

Section II 

The Responsibility

Art. 31. When there is a breach of this Law as a result of the processing of personal data by public agencies, the national authority may send a report with appropriate measures to stop the breach.

Art. 32. The national authority may request agents of the public authorities to publish the data protection impacts and suggest the adoption of standards and good practices for the processing of personal data by the public authorities.

CHAPTER V 

INTERNATIONAL DATA TRANSFER

Art. 33. The international transfer of personal data is only allowed in the following cases:

  1. – for countries or international organizations that provide a level of personal data protection adequate to the provisions of this Law;

  2. – when the controller offers and demonstrates guarantees of compliance with the principles, data subject rights, and the data protection regime provided for in this Law, in the form of:

  1. specific contractual clauses for a particular transfer;

  2. standard contractual clauses;

  3. binding corporate standards;

  4. stamps, certificates and codes of conduct issued on a regular basis;

  1. – when the transfer is necessary for international legal cooperation between public intelligence, investigation, and prosecution agencies, in accordance with the instruments of international law;

  2. – when the transfer is necessary for the protection of the life or physical safety of the data subject or third party;

  3. – when the national authority authorizes the transfer;

  4. – when the transfer results in a commitment made in an international cooperation agreement;

  5. – when the transfer is necessary for the execution of public policy or legal attribution of the public service, being publicized under the terms of item I of the caput of art. 23 of this Law;

  6. – when the data subject has given his/her specific consent and in particular the transfer, with prior information on the international character of the operation, clearly distinguishing this from other purposes; or

  7. – when necessary to meet the hypotheses provided for in items II, V, and VI of art. 7 of this Law.

Sole paragraph. For the purposes of item I of this article, legal entities governed by public law referred to in the sole paragraph of art. 1 of Law No. 12.527,from November18 ,2011 (Access to Information Law), within the scope of their legal powers, and those responsible, within the scope of their activities, may request the national authority to assess the level of protection of personal data conferred by a country or international organization.

Art. 34. The level of data protection of the foreign country or the international organization mentioned on item I of the caput of art. 33 of this Law will be assessed by the national authority, which will take into consideration:

I – the general and sectoral rules of the legislation in force in the country of destination or in the international agency; 

II – the nature of the data;

  1. – compliance with the general principles of protection of personal data and data subject’s rights provided for in this Law;

  2. – the adoption of security measures foreseen by regulation;

  3. – the existence of judicial and institutional guarantees for the respect of personal data protection rights; and VI – other specific circumstances relating to the transfer.

Art. 35. The definition of the content of standard contractual clauses, as well as the verification of specific contractual clauses for a certain transfer, binding corporate rules or stamps, certificates, and codes of conduct, referred to in item II of the caput of art. 33 of this Law, shall be carried out by the national authority.

§ 1 In order to verify the provisions of the caput of this article, it should be considered the requirements, conditions, and minimum guarantees for the transfer that observe the rights, guarantees, and principles of this Law.

§ 2 In the analysis of contractual clauses, documents, or binding corporate rules submitted to the approval of the national authority, additional information may be required or verification procedures should be carried out regarding the processing operations, when necessary.

§ 3 The national authority may designate certification agencies to carry out the caput of this article, which shall remain under its supervision under the terms defined in regulation.

§ 4 The acts performed by the certification agency may be reviewed by the national authority and, if not in compliance with this Law, submitted to revision or annulled.

§ 5 The sufficient guarantees of compliance with the general principles of protection and the data subject’s rights referred to in caput of this article will also be analyzed according to the technical and organizational measures adopted by the processor, in accordance with the provisions of §§ 1 and 2 of art. 46 of this Law.

Art. 36. The changes in the guarantees presented as sufficient to comply with the general principles of protection and the data subject’s rights referred to in item II of art. 33 of this Law shall be communicated to the national authority.

CHAPTER VI 

AGENTS OF PERSONAL DATA PROCESSING

Section I  

Controller and Processor

Art. 37. The controller and processor must keep a record of the personal data processing operations they perform, especially when based on legitimate interest.

Art. 38. The national authority may order the controller to prepare a data protection impact assessment of personal data, including sensitive data, relating to its data processing operations, in accordance with the regulation, and according to the commercial and industrial secrets.

Sole paragraph. Subject to the provisions of the caput of this article, the report shall contain, at a minimum, a description of the types of data collected, the methodology used for collecting them and ensuring information security, as well as the controller’s analysis of the measures, safeguards and mitigation mechanisms adopted.

Art. 39. The processor must carry out the processing according to the instructions provided by the controller, who will verify compliance with the instructions and the relevant regulations.

Art. 40. The national authority may provide for interoperability standards for portability, free access to data and security, as well as record-keeping time, especially with regard to the need and transparency.

Section II  

Data Protection Officer

Art. 41. The controller must indicate the data protection officer in charge of the processing of personal data.

§ 1 The identity and contact information of the manager shall be publicly disclosed, clearly and objectively, preferably on the controller’s website.

§ 2 The activities of the data protection officer consist of:

  1. – accept complaints and communications from data subjects, provide clarifications and take measures;

  2. – receive communications from the national authority and take action;

  3. – advise the entity’s employees and contractors regarding the practices to be taken in relation to the protection of personal data; and

  4. – perform the other duties determined by the controller or established in complementary regulations.

§ 3 The national authority may establish additional rules on the definition and the duties of the data protection officer, including the possibility of exemption from the need for his/her appointment, depending on the nature and size of the entity or the volume of data processing operations.

§ 4 (VETOED). (Included by Law No. 13.853 from 2019)    Term

Section III  

Liability and Compensation

Art. 42. The controller or processor who, due to the exercise of personal data processing activity, causes to another property, moral, natural person, or collective damage, in violation of the legislation for the protection of personal data, is obliged to repair it.

§ 1 In order to ensure the effective indemnification of the data subject:

  1. – the processor shall be jointly and severally liable for damage caused by the processing when he/she fails to comply with the obligations of the data protection legislation or when he/she has not followed the licit instructions of the controller, in which case the processor is considered as a controller, except in the cases of exclusion provided for in art. 43 of this Law;

  2. – the controllers who are directly involved in the processing of which the data subject has suffered damages are jointly and severally liable, except in the cases of exclusion provided for in art. 43 of this Law.

§ 2. The judge in the civil proceeding may reverse the burden of proof in favor of the data subject when, in its opinion, the allegation is probable, there is a hypothesis for the purpose of producing evidence or where the production of evidence by the data subject is found to be excessively onerous.

§ 3 The actions for redress for collective damages that have the subject of liability under the caput of this article may be exercised collectively in court, subject to the provisions of the pertinent legislation.

§ 4 Anyone who repairs the damage to the owner has the right of return against the other responsible persons, insofar as they participate in the harmful event.

Art. 43. Processing agents will not be held liable only when they prove:

  1. – that they have not processed the personal data assigned to them;

  2. – although they have processed the personal data that had been assigned to them, there has been no breach of the data protection legislation; or

  3. – the damage is the sole fault of the data subject or third party.

Art. 44. The processing of personal data will be irregular when it fails to observe the legislation or when it does not provide the security the data subject can expect, considering the relevant circumstances, among which:

  1. – the way in which it is carried out;

  2. – the result and the risks reasonably expected of it;

  3. – the techniques for processing personal data available at the time it was performed.

Sole paragraph. It responds to the damages resulting from the violation of data security to the controller or the processor who, in failing to adopt the security measures set forth in art. 46 of this Law, causes damage.

Art. 45. The hypotheses of violation of the data subject’s rights in the context of consumer relations remain subject to the liability rules provided for in the relevant legislation.

CHAPTER VII 

SECURITY AND GOOD PRACTICE

Section I 

Security and Confidentiality

Art. 46. The processing agents must adopt technical, security, and administrative measures to protect personal data from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, communication, or any form of inappropriate or unlawful processing.

§ 1 The national authority may lay down minimum technical standards to make applicable the provisions of the caput of this article, considering the nature of the information processed, the specific characteristics of the processing, and the current state of the technology, especially in the case of sensitive personal data, as well as the principles provided in the caput of art. 6 of this Law.

§ 2 The measures referred to in the caput of this article shall be observed from the design stage of the product or service until its execution.

Art. 47. The processing agents or any other person involved in one of the stages of processing must ensure the security of the information provided by this Law in relation to personal data, even after its termination.

Art. 48. The controller shall inform the national authority and the data subject of the occurrence of a security incident that may entail significant risk or damage to the data subjects.

§ 1 The communication shall be made within a reasonable time, as defined by the national authority, and shall mention, at least:

  1. – a description of the nature of the affected personal data;

  2. – information about the data subjects involved;

  3. – an indication of the technical and security measures used for the protection of data, in compliance with commercial and industrial secrets;

  4. – risks related to the incident;

  5. – the reasons for the delay, if the communication was not immediate; and

  6. – the measures that have been or will be taken to reverse or mitigate the effects of the damage.

§ 2 The national authority shall verify the seriousness of the incident and may, if necessary to safeguard the data subject’s rights, determine to the controller the adoption of measures, such as:

  1. – wide dissemination of the fact in the media; and

  2. – measures to reverse or mitigate the effects of the incident.

§ 3 In the judgment of gravity of the incident, it will be evaluated whether it is proven that adequate technical measures have been taken to make the personal data affected unintelligible, within the scope and technical limits of its services, to unauthorized third parties to access them.

Art. 49. The systems used for the processing of personal data must be structured in such a way as to meet the safety requirements, the standards of good practice and governance, and the general principles set forth in this Law, as well as other regulatory standards.

Section II 

Good Practices and Governance

Art. 50. The controllers and processors, within the scope of their competencies, for the processing of personal data, either individually  or through associations, may formulate rules of good practice and governance which establish the conditions of the organization, the operating regime, procedures, including complaints and petitions, security standards, technical standards, specific obligations for the various parties involved in the processing, educational actions, internal supervisory and mitigation mechanisms and other aspects related to the processing of personal data.

§ 1 In establishing rules of good practice, the controller and processor shall take into account, in relation to the processing and the data, the nature, scope, purpose, and likelihood and severity of risks and benefits arising from the processing of the data subject’s data.

§ 2 In applying the principles indicated in items VII and VIII of the caput of art. 6 of this Law, the controller observing the structure, scale, and volume of its operations, as well as the sensitivity of the data processed, the likelihood and severity of the damages to the data subjects, may:

I – implement a privacy governance program that, at least:

  1. demonstrate the controller’s commitment to adopting internal processes and policies that ensure the comprehensive compliance with standards and good practices relating to the protection of personal data;

 

  1. is applicable to the entire set of personal data that are under its control, regardless of the mode how it was collected;

 

  1. is adapted to the structure, scale, and volume of its operations and to the sensitivity of the data processed;

 

  1. establishes adequate policies and safeguards based on a process of systematic evaluation of impacts and  risks to privacy;

 

  1. aims to establish a relationship of trust with the data subject, through transparent action and that ensures the data subject’s participation mechanisms;

 

  1. is integrated into its overall governance structure and establishes and implements internal and external oversight mechanisms;

  1. contains incident response and remediation plans; and

  2. is constantly updated based on information obtained from continuous monitoring and periodic evaluations;

 

II – demonstrate the effectiveness of its privacy governance program where appropriate, and in particular at the request of the national authority or other entity responsible for promoting compliance with good practices or codes of conduct, which independently promotes compliance with this Law.

§ 3 The rules of good practice and governance shall be published and updated periodically and may be recognized and disclosed by the national authority.

Art. 51. The national authority shall encourage the adoption of technical standards to facilitate control by the data subjects of their personal data.

CHAPTER VIII 

MONITORING

Section I 

Administrative Sanctions

Art. 52. Data processing agents are subject to the following administrative sanctions applicable by the national authority for violations of the rules provided for in this Law: (Term)

  1. – warning, indicating the deadline for the adoption of corrective measures;

  2. – fine up to 2% (two percent) of the revenue of the private legal entity, group or conglomerate in Brazil in its last fiscal year, excluding taxes, limited in total to BRL 50,000,000.00 (fifty million Brazilian reais) due to infraction;

  3. – daily fine, observing the total limit referred to in item II;

  4. – publication of the violation after its occurrence is duly investigated and confirmed;

  5. – blocking of personal data to which the violation relates until it’s regularization;

  6. – destruction of personal data to which the violation refers;

  7.  – (VETOED);

  8. – (VETOED); 

IX – (VETOED);

  1. – partial suspension of the operation of the database referred to in the infraction for a maximum period of 6 (six) months, extendable for the same period until the regularization of the processing activity by the controller; (Included by Law No. 13.853 from 2019)

 

  1. – suspension of the exercise of the activity of processing personal data to which the infringement refers for a maximum period of 6 (six) months, extendable for an equal period; (Included by Law No. 13.853 from 2019)

  2. – partial or total prohibition of the exercise of activities related to data processing. (Included by Law No. 13.853 from 2019)   

§ 1 – The sanctions will be applied after an administrative procedure that allows the opportunity of the ample defense, in a gradual, isolated, or cumulative manner, according to the peculiarities of the concrete case and considering the following parameters and criteria:

  1. – the seriousness and nature of the infringements and the personal rights affected;

  2. – the offender’s good faith;

  3. – the advantage obtained or intended by the offender;

  4. – the economic condition of the offender;

  5. – recidivism;

  6. – the degree of damage;

  7. – the cooperation of the offender;

  8. – the reiterated and demonstrated adoption of internal mechanisms and procedures capable of minimizing harm, aimed at the safe and adequate processing of data, in accordance with the provisions of item II of § 2 of art. 48 of this Law;

  9. – the adoption of good practices and governance policy;

  10. – prompt adoption of corrective measures; and

  11. – the proportionality between the severity of the fault and the intensity of the sanction.

§ 2 The provisions of this article do not replace the application of administrative, civil, or criminal sanctions defined in Law No. 8,078 from September 11, 1990, and in specific legislation.         (Wording given by Law No. 13.853 from2019)

 

§ 3 The provisions of items I, IV, V, VI, X, XI, and XII of the caput of this article may be applied to public entities and bodies, without prejudice to the provisions  of Law No.8112 from December 11, 1990 ,in Law No.8429 from June 2, 1992, andLaw No. 12,527 from November 18, 2011.    (Promulgation of vetoed parts)  

§ 4 In calculating the amount of the fine referred to in item II of the caput of this article, the national authority may consider the total turnover of the company or group of companies when it does not have the value of the billing in the branch of business activity in which the infraction occurred, as defined by the national authority, or when the value is presented incomplete or is not demonstrated unequivocally and suitably.

§ 5 The proceeds from the collection of fines imposed by ANPD, registered or not in active debt, will be destined to the Fund for the Defense of Diffuse Rights referred to in art. referred to in art. 13 of Law No. 7.347 from July 24, 1985, and Law No. 9.008 from March 21, 1995. (Included by Law No. 13.853 from 2019)

§ 6 The sanctions provided for in items X, XI, and XII of the caput of this article shall apply:     (Included by Law no.13.853 from 2019)

  1. – only after having already imposed at least 1 (one) of the sanctions referred to in items II, III, IV, V, and VI of the caput of this article for the same specific case; and (Included by Law No. 13.853 from 2019)

  2. – in the case of controllers submitted to other bodies and entities with sanctioning powers, after hearing these bodies. (Included by Law No. 13.853 from 2019)

§ 7 natural person leaks or unauthorized access referred to in the caput of art. 46 of this Law may be subject to direct conciliation between controller and data subject and, if there is no agreement, the controller will be subject to the application of the penalties referred to in this article. (Included by Law No. 13.853 from 2019)

Art. 53. The national authority shall define, through its own regulation on administrative sanctions for infractions to this Law that should be subject to public consultation, the methodologies that will guide the calculation of the basic value of the fine sanctions. (Term)

§ 1 The methodologies referred to in the caput of this article must be previously published for the processing agents’ knowledge and must present objectively the forms and dosimetry for the calculation of the basic value of fine sanctions, which must contain a detailed statement of all its elements, demonstrating compliance with the criteria provided for in this Law.

§ 2 The regulation of corresponding sanctions and methodologies must establish the circumstances and the conditions for the adoption of a simple or daily fines.

Art. 54. The amount of the penalty of daily fine applicable to infractions to this Law must observe the gravity of the fault and the extent of the damage or injury caused and be substantiated by the national authority. (Term)

Sole paragraph. The notice imposing a daily fine must contain at least the description of the obligation imposed, the reasonable period stipulated by the agency for compliance and the amount of the daily fine to be imposed for its noncompliance.

CHAPTER IX 

NATIONAL DATA PROTECTION AUTHORITY (ANPD) AND NATIONAL COUNCIL OF PERSONAL DATA AND PRIVACY PROTECTION

Section I  

National Data Protection Authority (ANPD)

Art. 55. (VETOED).

Art. 55-A. The National Data Protection Authority (ANPD), a body of the federal public administration, integral to the Presidency of the Republic, is hereby created, without increasing expenditure. (Included by Law No. 13.853 from2019)

§ 1. The legal nature of ANPD is transitory and may be transformed by the Executive Branch into an entity of the indirect federal public administration, submitted to a special municipal regime, and linked to the Presidency of the Republic. (Included by Law No. 13.853 from 2019)

§ 2. The assessment regarding the transformation provided for in § 1 of this article must take place within 2 (two) years from the date of entry into force of ANPD’s regulatory structure. (Included by Law No. 13.853 from 2019)

§ 3 The provision of the positions and functions necessary for ANPD’s creation and performance is subject to the express physical and financial authorization in the annual budget law and the permission in the law of budget guidelines. (Included by Law No. 13.853 from 2019)

Art. 55-B. Technical and decision-making autonomy is guaranteed to the ANPD. (Included by Law No. 13.853 from 2019)

Art. 55-C. ANPD is composed of: (Included by Law No. 13.853 from 2019)

  1. – Board of Directors, the highest management body; (Included by Law No. 13.853 from 2019)

  2. – National Council for the Protection of Personal Data and Privacy; (Included by Law No. 13.853 from2019)

 

  1. – Internal Affairs; (Included by Law No. 13.853 from 2019)

  2. – Ombudsman; (Included by Law No. 13.853 from 2019)

  3. – own legal advisory body; and (Included by Law No. 13.853 from 2019)

  4. – administrative units and specialized units which are necessary for the application of the provisions of this Law. (Included by Law No. 13.853 from 2019)

Art. 55-D. ANPD’s Board of Directors will be made up of 5 (five) directors, including the Chief Executive Officer. (Included by Law No. 13.853 from 2019)

 

§ 1. The members of ANPD’s Board of Directors will be chosen by the President of the Republic and appointed by him, after approval by the Federal Senate, under the terms of section f of item III of art. 52 of the Federal Constitution, and will occupy a position in a committee of the Superior Steering and Advisory Group – DAS, at least at level5. (Included by Law No. 13.853 from 2019)

 

§ 2 The members of the Board of Directors will be chosen among Brazilians who have an unblemished reputation, a higher level of education, and high regard in the specialty field of the positions to which they will be appointed. (Included by Law No. 13.853 from 2019)

§ 3 The term of office of the members of the Board of Directors will be of 4 (four) years. (Included by Law No. 13.964 from 2019)

§ 4 The terms of office for the first appointed members of the Board of Directors will be 2 (two), 3 (three), 4 (four), 5 (five), and 6 (six) years, as established in the nomination. (Included by Law No. 13.853 from 2019)

§ 5 In the event of a vacancy in the position during the term of office of a member of the Board of Directors, the remaining term will be completed by the successor. (Included by Law No. 13.853 from 2019)

Art. 55-E. The members of the Board of Directors will only lose their positions due to resignation, final judicial conviction, or penalty of dismissal due to disciplinary administrative proceedings. (Included by Law No. 13.853 from 2019)

§ 1 According to the caput of this article, it is the responsibility of the Chief Minister of the Chief of Staff of the Presidency of the Republic to initiate disciplinary administrative proceedings, which will be carried out by a special commission made up of stable federal civil servants. (Included by Law No. 13.853 from 2019)

§ 2 It is the responsibility of the President of the Republic to determine preventive removal, only when so recommended by the special commission referred to in paragraph 1 of this article, and to render judgment. (Included by Law No. 13.853 from 2019)

Art. 55-F. It is applied to the members of the Board of Directors, after exercising their position, the provisions of art. 6 of Law No. 12.813 from May 16, 2013. (Included by Law No. 13.853 from 2019)

Sole paragraph. Infringement of the provision in the caput of this article characterizes an act of administrative improbity. (Included by Law No. 13.853 from 2019)

 

Art. 55-G. Act of the President of the Republic will provide for the regulatory structure of the ANPD. (Included by Law No. 13.853 from 2019)

 

§ 1 Until the date of entry into force of its regulatory structure, the ANPD will receive technical and administrative support from the Civil Office of the Presidency of the Republic for the exercise of its activities. (Included by Law No. 13.853 from 2019)

 

§ 2 The Board of Directors will provide for ANPD’s internal regulations. (Included by Law No. 13.853 from 2019)

Art. 55-H. ANPD’s commissioned positions and trust functions will be relocated from other bodies and entities of the federal Executive Branch. (Included by Law No. 13.853 from 2019)

Art. 55-I. The occupants of ANPD’s commissioned and trusted functions will be appointed by the Board of Directors and appointed or designated by the Chief Executive Officer. (Included by Law No. 13.853 from 2019)

Art. 55-J. It is incumbent upon ANPD: (Included by Law No. 13.853 from 2019)

  1. – ensure the protection of personal data, under the terms of the law; (Included by Law No. 13.853 from 2019)

 

  1. – ensuring the observance of commercial and industrial secrets, with due regard for the protection of personal data and the confidentiality of information when protected by law or when a breach of confidentiality violates the fundamentals of art. 2 of this Law; (Included by Law No. 13.853 from 2019)

  2. – prepare guidelines for the National Policy for the Protection of Personal Data and Privacy; (Included by Law No. 13.853 from 2019)

  3. – inspect and apply sanctions in the event of data processing carried out in breach of the law, through an administrative process that ensures the contradictory, full defense and the right to appeal; (Included by Law No. 13.853 from 2019)

  4. – to consider petitions from the data subject against the controller after the data subject has proven the submission of a complaint to the controller that has not been resolved within the period established in the regulations; (Included by Law No. 13.853 from 2019)

  5. – promote in the population the knowledge of the norms and public policies on the protection of personal data and security measures; (Included by Law No. 13.853 from 2019)

  6. – promote and prepare studies on national and international practices for the protection of personal data and privacy; (Included by Law No. 13.853 from 2019)

  7. – encourage the adoption of standards for services and products that facilitate the exercise of control by the data subjects over their personal data, which should take into account the specificities of the activities and the size of those responsible; (Included by Law No. 13.853 from 2019)

  8. – promote cooperative actions between data protection authorities from other countries, of

international or transnational nature; (Included by Law No. 13.853 from 2019)

  1. – provide for the forms of publicity for the processing of personal data, respecting commercial and industrial secrets; (Included by Law No. 13.853 from 2019)

  2. – request, at any time, public authorities to carry out personal data processing operations specific information on the scope, nature of the data and other details of the processing carried out, with the possibility of issuing a complementary technical opinion to ensure compliance with this Law; (Included by Law No. 13.853 from 2019)

  3. – prepare annual management reports about its activities; (Included by Law No. 13.853 from 2019)

 

  1. – edit regulations and procedures on the protection of personal data and privacy, as well as on data protection impact assessment for cases in which the processing represents a high risk to guarantee the general principles of personal data protection provided for in this Law; (Included by Law No. 13.853 from 2019)

  2. – listen to processing agents and the society in matters of relevant interest and reporting on their activities and planning; (Included by Law No. 13.853 from 2019)

  3. – collect and apply its revenues and publish, in the management report referred to in item XII of the caput of this article, the details of its revenues and expenses; (Included by Law No. 13.853 from 2019)

  4. – carry out audits, or determine their performance, within the scope of the inspection activity referred to in item IV and with due observance of the provisions of item II of the caput of this article, on the processing of personal data carried out by the processing agents, including the public Power; (Included by Law No. 13.853 from 2019)

  5. – enter into, at any time, a commitment with processing agents to eliminate irregularities, legal uncertainty, or contentious situations in the context of administrative proceedings, in accordance with the provisions of

Decree-Law No. 4.657 from September 4, 1942; (Included by Law No. 13.853 from 2019)

  1. – edit simplified and differentiated rules, guidelines, and procedures, including deadlines, so that micro and small businesses, as well as incremental or disruptive business initiatives that declare themselves startups or innovation companies can adapt to this Law; (Included by Law No. 13.853 from 2019)

  2. – ensure that the processing of data from elderly people is carried out in a simple, clear, accessible, and suitable way for their understanding, under the terms of this Law and Law No. 10.741 from October 1, 2003 (Statute of the Elderly); (Included by Law No.13.853 from 2019)

  3. – resolve, in the administrative sphere, in a terminative nature, on the interpretation of this Law, its powers and omissions; (Included by Law No. 13.853 from 2019)

  4. – report to the competent authorities the criminal offenses of which it becomes aware; (Included by Law No. 13.853 from 2019)

  5. – communicate to the internal control bodies the non-compliance with the provisions of this Law by bodies and entities of the federal public administration; (Included by Law No. 13.853 from 2019)

  6. – liaise with public regulatory authorities to exercise their powers in specific sectors of economic and governmental activities subject to regulation; and (Included by Law No. 13.853 from 2019)

  7. – implement simplified mechanisms, including by electronic means, for registering complaints on the processing of personal data that does not comply with this Law. (Included by Law No. 13.853 from 2019)

§ 1 When imposing administrative constraints on the processing of personal data by a private processing agent, be it limits, charges, or liabilities, ANPD must observe the minimum intervention requirement, ensuring the fundamentals, principles, and data subject’s rights provided for in art. 170 of the Federal Constitution and this Law. (Included by Law No. 13.853 from 2019)

§ 2 The regulations and standards issued by the ANPD must be preceded by public consultation and hearing, as well as regulatory impact analyses. (Included by Law No. 13.853 from 2019)

§ 3 The ANPD and public bodies and entities responsible for regulating specific sectors of economic and governmental activity must coordinate their activities, in the corresponding spheres of activity, with a view to ensuring the fulfillment of their duties with the greatest efficiency and promoting the proper functioning of the sectors regulated, according to specific legislation, and the processing of personal data, as provided for in this Law. (Included by Law No. 13.853 from 2019)

§ 4 ANPD will maintain a permanent communication forum, including through technical cooperation, with public administration bodies and entities responsible for regulating specific sectors of economic and governmental activity, in order to facilitate ANPD’s regulatory, supervisory and punitive powers. (Included by Law No. 13.853 from 2019)

§ 5 In the exercise of the powers referred to in the caput of this article, the competent authority shall ensure the preservation of business secrecy and the secrecy of information, under the terms of the law. (Included by Law No. 13.853 from 2019)

§ 6 The complaints collected in accordance with the provisions of item V of the caput of this article may be analyzed in an aggregate manner, and the eventual measures resulting from them may be adopted in a standardized manner. 

(Included by Law No. 13.853 from 2019)

Art. 55-K. The application of the sanctions provided for in this Law is the exclusive responsibility of the ANPD, and its powers will prevail with regard to the protection of personal data, over the related powers of other public administration entities or bodies. (Included by Law No. 13.853 from 2019)

Sole paragraph. ANPD will articulate its operation with other bodies and entities with sanctioning and normative powers related to the topic of protection of personal data and will be the central body for the interpretation of this Law and the establishment of rules and guidelines for its implementation. (Included by Law No. 13.853 from 2019)

Art. 55-L. The following constitutes ANPD’s revenues: (Included by Law No. 13.853 from 2019)

  1. – the appropriations, consigned in the general budget of the Federal Government, special credits, additional credits, transfers, and loans granted to it; (Included by Law No. 13.853 from 2019)

  2. – donations, bequests, grants and other resources allocated to it;  (Included by 

Law No. 13.853 from 2019)

  1. – the amounts calculated in the sale or rental of movable and immovable property owned by it;                       (Included by Law No. 13.853 from 2019)

  2. – the amounts calculated in investments in the financial market of the revenues provided for in this article; (Included by Law No. 13.853 from 2019)

  3. – (VETOED); (Included by Law No. 13.853 from 2019)

  4. – resources arising from agreements, agreements or contracts entered into with entities, bodies or companies, public or private, national or international; (Included by Law No. 13.853 from 2019)

  5. – the proceeds from the sale of publications, technical material, data, and information, including for public bidding purposes. (Included by Law No. 13.853 from 2019)

Art. 56. (VETOED).

Art. 57. (VETOED).

Section II 

National Council for the Protection of Personal Data and Privacy

Art. 58. (VETOED).

Art. 58-A. The National Council for the Protection of Personal Data and Privacy will be composed of 23 (twenty-three) representatives, data subjects, and substitutes, from the following bodies: (Included by Law No. 13.853 from 2019)

  1. – 5 (five) from the Federal Executive Branch; (Included by Law No. 13.853 from 2019)

  2. – 1 (one) from the Federal Senate; (Included by Law No. 13.853 from 2019)

  3. – 1 (one) from the Chamber of Deputies; (Included by Law No. 13.853 from 2019)

  4. – 1 (one) from the National Council of Justice; (Included by Law No. 13.853 from 2019)

  5. – 1 (one) from the National Council of the Public Ministry; (Included by Law No. 13.853 from 2019)

  6. – 1 (one) from the Brazilian Internet Steering Committee; (Included by Law No. 13.853 from 2019)

  7. – 3 (three) from civil society entities with activities related to the protection of personal data; (Included by Law No. 13.853 from 2019)

  8. – 3 (three) from scientific, technological, and innovation institutions; (Included by Law No. 13.853 from2019)

  9. – 3 (three) from union confederations representing economic categories in the productive sector; (Included by Law No. 13.853 from 2019)

 

  1. – 2 (two) from entities representing the business sector related to the area of personal data processing; and (Included by Law No. 13.853 from 2019)

  2. – 2 (two) from entities representing the labor sector. (Included by Law No. 13.853 from 2019)

§ 1 Representatives will be appointed by act of the President of the Republic, delegation is permitted. (Included by Law No. 13.853 from 2019)

 

§ 2 The representatives referred to in items I, II, III, IV, V, and VI of the caput of this article and their alternates will be appointed by the data subjects of the respective public administration bodies and entities. (Included by Law No. 13.853 from 2019)

§ 3 The representatives referred to in items VII, VIII, IX, X, and XI of the caput of this article and their substitutes: (Included by Law No. 13.853 from 2019)

 

  1. – will be indicated in the form of regulation; (Included by Law No. 13.853 from 2019)

  2. – cannot be members of the Internet Steering Committee in Brazil; (Included by Law No. 13.853 from 2019)

  3. – shall have a term of 2 (two) years, with 1 (one) renewal allowed. (Included by Law No. 13.853 from 2019)

§ 4 Participation in the National Council for the Protection of Personal Data and Privacy will be considered a relevant, unpaid public service. (Included by Law No. 13.853 from 2019)

Art. 58-B. It is incumbent upon the National Council for the Protection of Personal Data and Privacy: (Included by Law No. 13.853 from 2019)

  1. – propose strategic guidelines and provide subsidies for the preparation of the National Policy for the Protection of Personal Data and Privacy and for ANPD’s performance; (Included by Law No. 13.853 from 2019)

  2. – preparing annual reports to evaluate the implementation of the actions of the National Policy for the Protection ofPersonal Data and Privacy; (Included by Law No. 13.853 from 2019)

  3. – suggest actions to be taken by ANPD; (Included by Law No. 13.853 from 2019)

  4. – prepare studies and holding debates and public hearings on the protection of personal data and privacy; and (Included by Law No. 13.853 from 2019)

 

  1. – disseminating knowledge on the protection of personal data and privacy to the population.  (Included by Law No. 13.853 from 2019)

 

Art. 59. (VETOED).

CHAPTER X 

FINAL AND INTERIM PROVISIONS

Art. 60. Law No. 12.965 from April 23, 2014(Internet Civil Mark), becomes effective with the following changes:

“Art. 7 …

X – definitive exclusion of personal data that you have provided to a certain internet application, at your request, at the end of the relationship between the Parties, except for the hypotheses of mandatory record-keeping provided for in this Law and in which it deals with the protection of personal data;”

“Art. 16 …

II – personal data that are excessive in relation to the purpose for which consent was given by its data subject, except in the cases provided for in the Law that provides for the protection of personal data.” (NR)

Art. 61. The foreign company will be notified and summoned of all procedural acts provided for in this Law, regardless of power of attorney or contractual or statutory provision, in the person of the agent or representative or person responsible for its branch, agency, branch office, establishment or office installed in Brazil.

Art. 62. The National Authority and the National Institute of Educational Studies and Research Anísio Teixeira (Inep), within the scope of their competencies, will issue specific regulations for access to data processed by the Federal Government for compliance with the provisions of § 2 of art. 9 of Law No. 9.394 from December 20, 1996(Law on Guidelines and Bases for National Education), and those referring to the National Higher Education Assessment System (Sinaes), which Law No. 10.861 from April 14, 2004, addresses.

Art. 63. The national authority shall establish rules on the progressive suitability of databases established up to the date of entry into force of this Law, taking into account the complexity of the processing operations and the nature of the data.

Art. 64. The rights and principles expressed in this Law do not exclude others provided for in the legal order of the country related to the matter or in the international treaties to which the Federative Republic of Brazil is a part of.

Art. 65. This Law comes into force: (Wording given by Law No. 13.853 from 2019)

  1. – on December 28, 2018, regarding arts. 55-A, 55-B, 55-C, 55-D, 55-E, 55-F, 55-G, 55-H, 55-I, 55-J, 55K, 55-L, 58-A e 58-B; e                (Included by Law No. 13.853 from 2019)

I-A – August 1, 2021, as to articles 52, 53 and 54; (Included by Law No. 14.010 from 2020)

  1. – 24 (twenty-four) months after the date of its publication, regarding the other articles.     (Included by Law No. 13.853 from 2019)

Brasília, August 14, 2018.

MICHEL TEMER

Torquato Jardim

Aloysio Nunes Ferreira Filho

Eduardo Refinetti Guardia

Esteves Pedro Colnago Junior

Gilberto Magalhães Occhi

Gilberto Kassab

Wagner de Campos Rosário

Gustavo do Vale Rocha

Ilan Goldfajn

Raul Jungmann

Eliseu Padilha

Compartilhe:

Mais Artigos

Informativo sobre distribuição de ação e acompanhamento processual

Resumo para consulta processual no TJSP

MITIGANDO RISCOS CONTRATUAIS: O PAPEL DA CLÁUSULA DE LIMITAÇÃO DE RESPONSABILIDADE

Nas relações contratuais, os riscos derivados da transação são uma ameaça constante, podendo comprometer a estabilidade de um negócio. Diante desse desafio, as empresas buscam estratégias para mitigar esses riscos, …

Guia orientativo: Hipóteses legais de tratamento de dados pessoais com base no legítimo interesse – Você sabe como usar essa base legal dentro da sua organização?

No dia 02/02/2024 a ANPD publicou o seu mais novo guia orientativo denominado “Hipóteses legais de tratamento de dados pessoais – legítimo interesse”, com o objetivo de esclarecer pontos relevantes …

RESPONSABILIDADE LEGAL NAS MÍDIAS SOCIAIS E MARKETING DIGITAL: DIRETRIZES PARA EVITAR QUESTÕES LEGAIS E LITÍGIOS

Nos últimos anos, o crescimento das mídias sociais e do marketing digital transformou o cenário da publicidade, tanto a nível nacional, quanto a nível mundial, oferecendo oportunidades para marcas e …

Maximizando a Proteção Patrimonial: O Papel Estratégico da Holding no Planejamento Sucessório

Quando nos aproximamos da fase da vida em que começamos a refletir sobre a transferência de nosso patrimônio para as próximas gerações, a preocupação com a segurança e a integridade …

O uso do Scraping e Web Crawler pode prejudicar a mim ou minha empresa?

O uso incorreto das ferramentas de raspagem da web pode trazer consequências desastrosas para sua empresa. Entenda como utilizá-las

Entre em contato

Nossa equipe de advogados altamente qualificados está pronta para ajudar. Seja para questões de Direito Digital, Empresarial ou Proteção de Dados estamos aqui para orientá-lo e proteger seus direitos. Entre em contato conosco agora mesmo!

Inscreva-se para nossa NewsLetter

Assine nossa Newsletter gratuitamente. Integre nossa lista de e-mails.