Art. 55-A The National Data Protection Authority (“ANPD”) is hereby created, without any increase in expenses, an entity part of the federal public administration, pertaining to the Presidency of the Republic.
§1 The legal nature of the ANPD is transitional and may be transformed by the Executive Branch into an indirect federal public administration entity, subject to a special autarchic regime and pertaining to the Presidency of the Republic.
§2 The assessment of the transformation referred in the §1 of this article shall occur within two (2) years from the date of entry into force of the ANPD’s regulatory framework.
§3 The provisions of necessary positions and functions to the creation and performance of the ANPD are conditioned to express physical and financial authorization in the annual Budget Law and to the permission in the Budget Directives Law. (Included by Law No. 13,853/2019)
Art. 55-B Technical and operative autonomy is ensured to ANPD.
Art. 55-C ANPD is comprised of:
I – Board of Directors, highest governing body;
II- National Council for Personal Data and Privacy Protection;
III – Internal Affairs Office;
IV – Ombudsman Office;
V – Its own legal advisory body; and
VI – Administrative units and specialized units required for the application of the provisions of this Law. (Included by Law No. 13,853/2019)
Art. 55-D ANPD Board of Directors shall be comprised of five (5) chief officers, including the Chief Executive Officer
§1 The members of ANPD Board of Directors shall be chosen and appointed by the President of the Republic, after approval by the Federal Senate in the terms of line f of Item III of the art. 52 of the Federal Constitution, and they will hold a commission position of the Direction-Group and Superior Advisory – Level 5 DAS.
§2 The members of the Board of Directors shall be chosen among Brazilians, with an immaculate reputation, a high level of education and considered renowned in the field of the positions for which they will be appointed.
§3 Members of the Board of Directors shall serve four-year (4) terms.
§4 The term of the first members of the Board of Directors will be of two, three, four, five and six years, as provided for in the appointment.
§5 In the event of vacancy of the position during the term of a Board of Directors’ member, the remaining term shall be completed by the successor. (Included by Law No. 13,853/2019)
Art. 55-E The members of the Board of Directors will only lose their position upon resignation, final and unappealable judicial conviction or dismissal penalty due to disciplinary administrative proceeding.
§1 Pursuant to the lead sentence of this article, the President’s Chief of Staff shall be responsible for initiating the disciplinary administrative proceeding, which shall be conducted by a special commission composed of stable federal public servants.
§2 The President of the Republic shall be responsible for determining the preventive work leave, solely when recommended by the special commission referred in the §1 of this article, and then hand down the decision. (Included by Law No. 13,853/2019)
Art. 55-F The provision set forth in art. 6 of Law No. 12,813, of May 16, 2013 shall apply to the members of the Board of Directors, once their term comes to an end.
Sole Paragraph. Breach to the provisions set forth in the lead sentence of this article shall characterize an act of administrative improbity.
Art. 55-G The ANPD regimental structure shall be determined by an act from the President of the Republic.
§1 Until ANPD regimental structure comes into force, ANPD will be provided with technical and administrative assistance from the Office of the President’s Chief of Staff in order to fulfill its activities.
§2 The Board of Directors shall decide on the internal regulations of the ANPD. (Included by Law No. 13,853/2019)
Art. 55-H The commission and trust positions of ANPD will be relocated from other bodies and entities of the Federal Executive branch. (Included by Law No. 13,853/2019)
Art. 55-I Those servers in commission and trust positions in ANPD shall be recommended by the Board of Directors and appointed or designated by the Chief Executive Officer. (Included by Law No. 13,853/2019)
Art. 55-J The National Authority has the following duties:
I – to ensure the protection of personal data, as provided in legislation;
II – to ensure the observance of commercial and industrial secrets, as long as the protection of personal data and the confidentiality of information when it is protected by law or when the breach of confidentiality violates the grounds of art. 2 of this Law;
III – to elaborate guidelines for the Personal Data Protection and Privacy National Policy;
IV – to monitor and apply sanctions for data processing that is not compliant with legislation, through an administrative process that ensures right to adversary proceeding, full defense and the right to appeal;
V – to receive pleadings from the data subject against the controller after the data subject has demonstrated that he/she presented a complaint against the controller that was not solved in the timeframe established in regulation;
VI – to promote the knowledge of the norms and public policies on the protection of personal data and of the security measures to the general population;
VII – to promote and elaborate studies on national and international practices for the protection of personal data and privacy;
VIII – to stimulate the adoption of standards for services and products that facilitate the control of data subjects regarding their personal data, which should take into account the specificities of the activities and the size of those responsible;
IX – to promote cooperation initiatives with data protection authorities of other countries, of international or transnational nature;
X – to decide on the forms of publicity regarding personal data processing operations, observing commercial and industrial secrecy;
XI – to request, at any time, that entities of the public authority carry out operations of processing of personal data to give specific report about the scope and nature of the data and other details of the processing, and may issue complementary technical opinion to ensure compliance with this Law;
XII – to draft annual management reports of its activities;
XIII – to amend regulations and procedures on the protection of personal data and privacy, as well as on data protection impact assessment reports in cases in which the processing represents a high risk to the guarantee of the general principles of personal data protection foreseen in this Law;
XIV – to listen to processing agents and to the society in matters of relevant interest and to report on their activities and planning;
XV– to collect and apply its revenues and publish the breakdown of its revenues and expenses in the management report referred to in item XII of the lead sentence of this article;
XVI – to carry out audits, or to determine their occurrence regarding the processing of personal data carried out by processing agents, including public authorities;
XVII – to hold, at any time, agreements with processing agents in order to eliminate irregularities or legal uncertainties in administrative proceedings, in accordance with other provisions in Brazilian Law;
XVIII – to enact rules, guidelines and simplified and special procedures, including deadlines, so that microenterprises and small businesses are able to adapt to this Law, as well as incremental or disruptive business initiatives that declare themselves startups or innovation companies;
XIX – to ensure that data processing of elderly people is carried out in a simple, clear, accessible and adequate form to their understanding, in accordance with this Law the Statute of the Elderly;
XX – to discuss, at the administrative level, on the interpretation of this Law, its authorities and matters on which the Law is silent;
XXI – to report criminal offenses that it becomes aware of to competent authorities;
XXII – to report to the internal control bodies any violation to the provisions set forth in this Law performed by bodies and entities of the federal public administration;
XXIII – to coordinate with public regulatory authorities to exert their authority in specific sectors of economic and governmental activities bound to regulation; and
XXIV – to implement simplified mechanisms, including by electronic means, in order to collect and record complaints on the processing of personal data non-compliant with this Law.
§1 When imposing administrative constraints on the processing of personal data by a private agent, whether they are constituted of limits, charges or subjections, the ANPD must observe the requirement of minimum intervention, ensuring the grounds, principles and rights of data subjects set forth in art. 170 of the Federal Constitution and in this Law.
§2 Regulation and rules enacted by ANPD shall be preceded by public consultation and hearings, as well as regulatory impact assessments.
§3 The ANPD and other public bodies and entities responsible for regulating specific sectors of economic and governmental activity shall coordinate their activities, in their respective spheres of action, in order to ensure the fulfillment of their duties efficiently and to promote the adequate functioning of regulated sectors, according to specific and sectoral legislation, and the processing of personal data, in conformity with this Law.
§4 The ANPD shall maintain a permanent communication forum, including by technical cooperation, with bodies and entities of the public administration responsible for the regulation of specific sectors of economic and governmental activity, in order to facilitate ANPD’s regulatory, monitoring and punitive duties.
§5 In the exercise of the powers referred to in the lead sentence of this article, the relevant authority shall ensure the preservation of industrial and information secrecy, in the terms of the law.
§6 Complaints collected in accordance with the provisions set forth in item V of the lead sentence of this article may be analyzed in an aggregate manner and any measures arising therefrom may be adopted in a standardized manner. (Included by Law No. 13,853/2019)
Art. 55-K Applying the sanctions as provided for herein shall be the sole responsibility of the ANPD, and in matters concerning the protection of personal data, its powers and jurisdiction shall prevail over the jurisdiction of other entities or bodies of the public administration.
Sole Paragraph. ANPD shall articulate its operation and practices with other bodies and entities with sanctioning and normative powers related to matters of personal data protection, and it shall be the central body for the interpretation of this Law and for setting the standards and guidelines for the implementation thereof. (Included by Law No. 13,853/2019)
Art. 55-L Revenues from ANPD are:
I – budget allocations, provided in the general budget of the Union, special credits, additional credits, transfers and payments that are conferred to it;
II – donations, bequests, subsidies and other resources destined to it;
III – amounts determined in the sale or lease of movable and immovable assets of its property;
IV – amount calculated in financial market applications of the revenues provided in this article;
V – (vetoed);
VI – resources derived from agreements, contracts or similar instruments held with entities, bodies or companies, of either public or private law, national or international;
VII – sums of the sale of publications, technical material, data and information, including for public bidding purposes. (Included by Law No. 13,853/2019)