Fale com um especialista +55 11 3141 9009

  • Follow
  • Follow
  • Follow
  • Follow
  • Follow
  • Portuguese (Brazil)
  • English
  • LGPD
  • Areas of Expertise
  • Team
  • About Us

Consultoria jurídica

Conte conosco para adequação à LGPD

U

Sobre a LGPD

O que é e para quem vale



Materiais Exclusivos

E-books com muita informação sobre LGPD

Preciso de uma consultoria 



Dados Cast

Dados Cast: O podcast do Assis e Mendes

LGPD

Informações sobre Lei Geral de Proteção de Dados


DIREITO DIGITAL

Informações sobre Direito Digital


DIREITO EMPRESARIAL

Informações sobre Direito Empresarial

E-BOOKS PARA DOWNLOAD

b

2021

b

2020

b

2019



Anos anteriores

Fale com o Assis e Mendes

Brazilian General Data Protection Law No. 13.709 FROM AUGUST 14th, 2018.

by Assis e Mendes | Sep 30, 2021 | Uncategorized

Gen­er­al Per­son­al Data Pro­tec­tion Law (LGPD). [Eng­lish trans­la­tion made by ASSIS E MENDES ADVOGADOS]

 

THE PRESIDENT OF THE REPUBLIC I here­by make it known that the Nation­al Con­gress decrees and I enact the fol­low­ing Law:

CHAPTER I 

PRELIMINARY PROVISIONS

Art. 1. This Law pro­vides for the pro­cess­ing of per­son­al data, includ­ing in dig­i­tal media, by a nat­ur­al per­son or a legal enti­ty gov­erned by pub­lic or pri­vate law, in order to pro­tect the fun­da­men­tal rights of free­dom and pri­va­cy and the free devel­op­ment of the nat­ur­al per­son­’s personality.

Sole para­graph. The gen­er­al rules con­tained in this Law are of nation­al inter­est and must be observed by the Union, States, Fed­er­al Dis­trict, and Munic­i­pal­i­ties. (Includ­ed by Law No. 13.853, from 2019)Term

Art. 2. The dis­ci­pline of per­son­al data pro­tec­tion is based on:

  1. - respect for privacy;

  2. - infor­ma­tion self-determination;

  3. - free­dom of expres­sion, infor­ma­tion, com­mu­ni­ca­tion, and opinion;

  4. - the invi­o­la­bil­i­ty of inti­ma­cy, hon­or, and image;

  5. - eco­nom­ic and tech­no­log­i­cal devel­op­ment and the innovation;

  6. - free enter­prise, free com­pe­ti­tion, and con­sumer pro­tec­tion; and

  7. - human rights, free devel­op­ment of per­son­al­i­ty, dig­ni­ty, and exer­cise of cit­i­zen­ship by nat­ur­al persons.

Art. 3. This Law applies to any pro­cess­ing oper­a­tion car­ried out by an nat­ur­al per­son or by a legal enti­ty gov­erned by pub­lic or pri­vate law, regard­less of the envi­ron­ment, coun­try of its head­quar­ters, or coun­try where the data are locat­ed, pro­vid­ed that:

  1. - the pro­cess­ing oper­a­tion is car­ried out in the nation­al territory;

  2. - the pro­cess­ing activ­i­ty has as its objec­tive the offer or sup­ply of goods or ser­vices or the pro­cess­ing of data of nat­ur­al per­sons locat­ed in the nation­al ter­ri­to­ry; or (Word­ing giv­en by Law No. 13.853 from 2019)     Term

  3. - the per­son­al data to the pro­cess­ing have been col­lect­ed in the nation­al territory.

§ 1 Per­son­al data whose data sub­ject is found in the nation­al ter­ri­to­ry at the time of col­lec­tion is con­sid­ered col­lect­ed in the nation­al territory.

§ 2 Data pro­cess­ing as pro­vid­ed in item IV of the caput of art. 4 of this Law is exempt­ed from the pro­vi­sions of item I of this article.

Art. 4. This Law does not apply to the pro­cess­ing of per­son­al data:

  1. - car­ried out by an nat­ur­al per­son for exclu­sive­ly pri­vate and non-eco­nom­ic purposes;

  2. - car­ried out exclu­sive­ly for:

  1. jour­nal­is­tic and artis­tic pur­pos­es; or

  2. aca­d­e­m­ic pur­pos­es, apply­ing arts. 7 and 11 of this Law; 

III — car­ried out exclu­sive­ly for:

  1. pub­lic security;

  2. nation­al defense;

  3. State secu­ri­ty; or

  4. activ­i­ties of inves­ti­ga­tion and pros­e­cu­tion of crim­i­nal offens­es; or

IV — orig­i­nat­ed out­side the nation­al ter­ri­to­ry and that are not objects of com­mu­ni­ca­tion, shared use of data with Brazil­ian pro­cess­ing agents or inter­na­tion­al data trans­fer with a coun­try oth­er than the coun­try of ori­gin, pro­vid­ed that the coun­try of ori­gin pro­vides an ade­quate lev­el of pro­tec­tion of per­son­al data in accor­dance with the pro­vi­sions of this Law.

§  1 The pro­cess­ing of per­son­al data pro­vid­ed for in item III shall be gov­erned by spe­cif­ic leg­is­la­tion, which shall pro­vide for pro­por­tion­al and strict­ly nec­es­sary mea­sures to meet the pub­lic inter­est, sub­ject to due process of law, the gen­er­al prin­ci­ples of pro­tec­tion, and the rights of the data sub­jects pro­vid­ed for in this Law.

§  2 It is for­bid­den the pro­cess­ing of the data referred to in item III of the caput of this arti­cle by a per­son gov­erned by pri­vate law, except in pro­ceed­ings under the con­trol of a legal enti­ty gov­erned by pub­lic law, of which the nation­al author­i­ty shall be specif­i­cal­ly informed and which shall observe the lim­i­ta­tion imposed in para­graph 4 of this article.

§ 3 The nation­al author­i­ty shall issue tech­ni­cal opin­ions or rec­om­men­da­tions regard­ing the excep­tions pro­vid­ed for in item III of the caput of this arti­cle and shall request the respon­si­ble agents for data pro­tec­tion impact assessment.

§ 4 In no case shall the total­i­ty of the per­son­al data in the data­base referred to in item III of the caput of this arti­cle be treat­ed by a per­son under pri­vate law, except for one who has cap­i­tal whol­ly con­sti­tut­ed by the pub­lic author­i­ties. (Word­ing giv­en by Law No. 13.853, from 2019)Term

Art. 5. For pur­pos­es of this Law, it is considered:

  1. - per­son­al data: infor­ma­tion relat­ed to an iden­ti­fied or iden­ti­fi­able nat­ur­al per­son (nat­ur­al per­son);

  2. - sen­si­tive per­son­al data: per­son­al data on racial or eth­nic ori­gin, reli­gious belief, polit­i­cal opin­ion, trade union or orga­ni­za­tion of a reli­gious, philo­soph­i­cal or polit­i­cal nature mem­ber­ship, data relat­ed to health or sex life, genet­ic or bio­met­ric data, when linked to an nat­ur­al person;

  3. - anonymized data: data relat­ing to a data sub­ject that can­not be iden­ti­fied, con­sid­er­ing the use of rea­son­able tech­ni­cal means avail­able at the time of processing;

  4. - data­base: a struc­tured set of per­son­al data, estab­lished in one or sev­er­al places, in elec­tron­ic or phys­i­cal support;

  5. - data sub­ject: the nat­ur­al per­son (nat­ur­al per­son) to whom the per­son­al data being processed refer to;

  6. - con­troller: nat­ur­al per­son or legal enti­ty, either gov­erned by pub­lic or pri­vate law, who is respon­si­ble for deci­sions con­cern­ing the pro­cess­ing of per­son­al data; and

  7. - proces­sor (oper­a­tor): the nat­ur­al per­son or legal enti­ty, whether pub­lic or pri­vate, who process­es per­son­al data on behalf of the controller;

  8. - data pro­tec­tion offi­cer: a per­son appoint­ed by the con­troller and proces­sor to act as a com­mu­ni­ca­tion chan­nel between the con­troller, the data sub­jects, and the Nation­al Data Pro­tec­tion Author­i­ty (ANPD);                   (Word­ing giv­en by Law No. 13.853 from 2019)     Term

 

  1. - pro­cess­ing agents: the con­troller and the processor;

  2. - pro­cess­ing: any oper­a­tion car­ried out with per­son­al data, such as those relat­ed to the col­lec­tion, pro­duc­tion, recep­tion, clas­si­fi­ca­tion, use, access, repro­duc­tion, trans­mis­sion, dis­tri­b­u­tion, pro­cess­ing, fil­ing, stor­age, destruc­tion, eval­u­a­tion or con­trol of infor­ma­tion, change, com­mu­ni­ca­tion, trans­fer, dis­sem­i­na­tion or extraction;

  3. - anonymiza­tion: the use of rea­son­able tech­ni­cal means avail­able at the time of pro­cess­ing, where­by a data los­es the pos­si­bil­i­ty of direct or indi­rect link with an nat­ur­al person;

  4. - con­sent: free, informed, and unam­bigu­ous man­i­fes­ta­tion by which the data sub­ject agrees to the pro­cess­ing of his/her per­son­al data for a spe­cif­ic purpose;

  5. - block­ing: tem­po­rary sus­pen­sion of any pro­cess­ing oper­a­tion, keep­ing the per­son­al data or the database;

  6. - dele­tion: exclu­sion of data or set of data stored in a data­base, regard­less of the pro­ce­dure used;

  7. - inter­na­tion­al data trans­fer: trans­fer of per­son­al data to a for­eign coun­try or inter­na­tion­al orga­ni­za­tion of which the coun­try is a member;

  8. - the shared use of data: com­mu­ni­ca­tion, dis­sem­i­na­tion, inter­na­tion­al trans­fer, inter­con­nec­tion of per­son­al data or the shared pro­cess­ing of per­son­al data­bas­es by pub­lic agen­cies and enti­ties, in com­pli­ance with their legal com­pe­ten­cies, or between them and pri­vate enti­ties, rec­i­p­ro­cal­ly, with spe­cif­ic autho­riza­tion, for one or more pro­cess­ing modal­i­ties per­mit­ted by those pub­lic enti­ties, or between pri­vate entities;

  9. – data pro­tec­tion impact assess­ment: doc­u­men­ta­tion of the con­troller con­tain­ing the descrip­tion of the process­es for pro­cess­ing per­son­al data that may pose risks to civ­il free­dom and fun­da­men­tal rights, as well as mea­sures, safe­guards, and risk mit­i­ga­tion mechanisms;

  10. - research body: body or enti­ty of direct or indi­rect pub­lic admin­is­tra­tion or a non-prof­it legal enti­ty gov­erned by pri­vate law, legal­ly con­sti­tut­ed under Brazil­ian law, with head­quar­ters and juris­dic­tion in the coun­try, which includes in its insti­tu­tion­al mis­sion or in its social or statu­to­ry pur­pose basic or applied research of a his­tor­i­cal, sci­en­tif­ic, tech­no­log­i­cal or sta­tis­ti­cal nature; and (Word­ing giv­en by Law No. 13.853 from 2019)Term

  11. - nation­al author­i­ty: pub­lic admin­is­tra­tion body respon­si­ble for over­see­ing, imple­ment­ing, and mon­i­tor­ing com­pli­ance with this Law in all the nation­al ter­ri­to­ry. (Word­ing giv­en by Law No. 13.853 from 2019)Term

Art. 6. The activ­i­ties of the pro­cess­ing of per­son­al data shall com­ply with the good faith and the fol­low­ing principles:

  1. - pur­pose: to car­ry out the pro­cess­ing for legit­i­mate, spe­cif­ic, explic­it, and informed pur­pos­es to the data sub­ject, with­out the pos­si­bil­i­ty of fur­ther pro­cess­ing in a way incom­pat­i­ble with those purposes;

  2. – ade­qua­cy: com­pat­i­bil­i­ty of the pro­cess­ing with the pur­pos­es informed to the data sub­ject, in accor­dance with the con­text of the processing;

  3. - neces­si­ty: lim­i­ta­tion of the pro­cess­ing to the min­i­mum nec­es­sary required for the achieve­ment of its pur­pos­es, encom­pass­ing per­ti­nent, pro­por­tion­al, and non-exces­sive data con­cern­ing the pur­pos­es of the data processing;

  4. - free access:  guar­an­tee, to the data sub­jects, of facil­i­tat­ed and free con­sul­ta­tion on the form and dura­tion of the pro­cess­ing, as well as on all their per­son­al data;

  5. - qual­i­ty of data: guar­an­tee, to the data sub­jects, of accu­ra­cy, clar­i­ty, rel­e­vance, and update of the data, accord­ing to the need and for com­pli­ance with the pur­pose of the pro­cess­ing thereof;

  6. - trans­paren­cy: guar­an­tee, to the data sub­jects, of clear, accu­rate, and eas­i­ly acces­si­ble infor­ma­tion on the pro­cess­ing and the respec­tive pro­cess­ing agents, sub­ject to busi­ness and indus­tri­al secrets;

  7. - secu­ri­ty: use of tech­ni­cal and admin­is­tra­tive mea­sures able to pro­tect the per­son­al data from unau­tho­rized access­es and acci­den­tal or unlaw­ful sit­u­a­tions of destruc­tion, loss, change, com­mu­ni­ca­tion, or diffusion;

  8. - pre­ven­tion: adop­tion of mea­sures to pre­vent the occur­rence of dam­age giv­en the pro­cess­ing of per­son­al data;

  9. - non-dis­crim­i­na­tion: the impos­si­bil­i­ty for pro­cess­ing data for dis­crim­i­na­to­ry, unlaw­ful or abu­sive purposes;

  10. - lia­bil­i­ty and account­abil­i­ty: proof, by the agent, of adop­tion of effec­tive mea­sures able to prove obser­vance of and com­pli­ance with the per­son­al data pro­tec­tion rules, and also with the effec­tive­ness of these measures.

CHAPTER II 

PROCESSING OF PERSONAL DATA

Section I 

Requirements for the Processing of Personal Data

 

Art. 7. The pro­cess­ing of per­son­al data can only be car­ried out in the fol­low­ing cases:

  1. - by pro­vid­ing con­sent by the data subject;

  2. - for com­pli­ance with a legal or reg­u­la­to­ry oblig­a­tion by the controller;

  3. - by the pub­lic admin­is­tra­tion, for the pro­cess­ing and shared use of data nec­es­sary for the exe­cu­tion of pub­lic poli­cies pro­vid­ed for on laws, reg­u­la­tions or backed by con­tracts, agree­ments or sim­i­lar instru­ments, sub­ject to the pro­vi­sions of Chap­ter IV of this Law;

  4. - to car­ry out stud­ies by a research agency, wher­ev­er pos­si­ble, the anonymiza­tion of per­son­al data is guaranteed;

  5. - where nec­es­sary for the exe­cu­tion of a con­tract or pre­lim­i­nary pro­ce­dures relat­ing to a con­tract to which the data sub­ject is a part of, at the request of the data subject;

  6. - for the reg­u­lar exer­cise of rights in judi­cial, admin­is­tra­tive, or arbi­tra­tion pro­ceed­ings, the lat­ter under the terms of Law No. 9307, from Sep­tem­ber 23 ‚1996(Arbi­tra­tion Law) ;

  7. - for the pro­tec­tion of the life or phys­i­cal safe­ty of the data sub­ject or third party;

  8. - for the pro­tec­tion of health, exclu­sive­ly, in a pro­ce­dure per­formed by health pro­fes­sion­als, health ser­vices, or health author­i­ties; (Word­ing giv­en by Law No. 13.853 from 2019)      Term

  9. - when nec­es­sary to meet the legit­i­mate inter­ests of the con­troller or third par­ty, except in the case of the data sub­jec­t’s fun­da­men­tal rights and free­doms that require the pro­tec­tion of per­son­al data; or

  10. - for the pro­tec­tion of cred­it, includ­ing the pro­vi­sions of the rel­e­vant legislation.

§ 1 (Revoked). (Word­ing giv­en by Law No. 13.853, from 2019)Term

§ 2 (Revoked). (Word­ing giv­en by Law No. 13.853, from 2019)Term

§ 3 The pro­cess­ing of per­son­al data to which pub­lic access must con­sid­er the pur­pose, good faith, and pub­lic inter­est that jus­ti­fied its availability.

§ 4 The con­sent require­ment pro­vid­ed in the caput of this arti­cle is waived for data made man­i­fest­ly made pub­lic by the data sub­ject, safe­guard­ing the rights of the data sub­ject and the prin­ci­ples pro­vid­ed for in this Law.

§ 5 The con­troller who obtained the con­sent referred to in item I of the caput of this arti­cle, who needs to com­mu­ni­cate or share per­son­al data with oth­er con­trollers, must obtain spe­cif­ic con­sent from the data sub­ject for this pur­pose, except in the cas­es of waiv­er of con­sent pro­vid­ed for in this Law.

§ 6 Any even­tu­al waiv­er of the con­sent require­ment does not release the agents from han­dling the oth­er oblig­a­tions out­lined in this Law, espe­cial­ly com­pli­ance with the gen­er­al prin­ci­ples and guar­an­tee of the data subject’s rights.

§ 7 The sub­se­quent pro­cess­ing of per­son­al data referred to in §§ 3 and 4 of this arti­cle may car­ry out for new pur­pos­es, pro­vid­ed that the legit­i­mate and spe­cif­ic pur­pos­es for the new pro­cess­ing and preser­va­tion of the data subject’s rights, as well as the fun­da­men­tals and prin­ci­ples pro­vid­ed for in this Law.       (Includ­ed by Law No. 13.853 from 2019 )     Term

Art. 8. The con­sent pro­vid­ed for in item I of art. 7 of this Law shall be pro­vid­ed in writ­ing or by oth­er means that demon­strate the data sub­jec­t’s intention.

§ 1 If the con­sent is giv­en in writ­ing, it should be includ­ed in a clause that stands out from the oth­er con­trac­tu­al provisions.

§  2 The con­troller shall bear the bur­den of prov­ing that he obtained the con­sent under the pro­vi­sions of this Law.

§ 3 The pro­cess­ing of per­son­al data is pro­hib­it­ed due to defec­tive consent.

§ 4 The con­sent must refer to spe­cif­ic pur­pos­es and will be null and void the gener­ic autho­riza­tions for the pro­cess­ing of per­son­al data.

§ 5 The con­sent may be revoked at any time, through the express man­i­fes­ta­tion of the data sub­ject, through a free and facil­i­tat­ed pro­ce­dure, rat­i­fied the pro­cess­ing per­formed under cov­er of the con­sent pre­vi­ous­ly man­i­fest­ed while there is no request for dele­tion, under the terms of item VI of the caput of art. 18 of this Law.

 

§  6 In case of change of infor­ma­tion referred to in items I, II, III, or V of art. 9 of this Law, the con­troller must inform the data sub­ject, explic­it­ly high­light­ing the con­tent of the changes.  In cas­es in which his/her con­sent is required, the data sub­ject may revoke it if he/she dis­agrees with the change.

Art. 9. The data sub­ject has the right to easy access to infor­ma­tion on the pro­cess­ing of his/her data, which should be made avail­able in a trans­par­ent, ade­quate, and osten­ta­tious man­ner, among oth­er char­ac­ter­is­tics pro­vid­ed for in reg­u­la­tion to com­ply with the prin­ci­ple of free access:

  1. - spe­cif­ic pur­pose of the processing;

  2. - form and dura­tion of the pro­cess­ing, observ­ing com­mer­cial and indus­tri­al secrets;

  3. - con­troller identification;

  4. - con­tact infor­ma­tion of the controller;

  5. - infor­ma­tion about the con­troller’s shared use of data and the purpose;

  6. - respon­si­bil­i­ties of the agents who will car­ry out the pro­cess­ing; and

  7. - data subject’s rights, with explic­it men­tion of the rights con­tained in art. 18 of this Law.

§ 1 In the event that con­sent is required, the con­sent shall be con­sid­ered null if the infor­ma­tion pro­vid­ed to the data sub­ject has mis­lead­ing or abu­sive con­tent or has not pre­vi­ous­ly been pre­sent­ed trans­par­ent­ly, in a clear­ly and unequiv­o­cal­ly way.

§ 2 When con­sent is required, if there are changes in the pur­pose of the pro­cess­ing not com­pat­i­ble with the orig­i­nal con­sent, the con­troller must inform the data sub­ject in advance of the changes of mean­ing, and the data sub­ject may revoke con­sent if he/she dis­agrees with the changes.

§ 3 When the pro­cess­ing of per­son­al data is a con­di­tion for the pro­vi­sion of prod­uct or ser­vice or to the exer­cise of rights, the data sub­ject shall be informed in detail about this fact and how he/she may exer­cise his/her rights list­ed in art. 18 of this Law.

Art. 10. The legit­i­mate inter­est of the con­troller may only be based on the pro­cess­ing of per­son­al data for legit­i­mate pur­pos­es, con­sid­ered from con­crete sit­u­a­tions, which include, but are not lim­it­ed to:

  1. - sup­port and pro­mo­tion of con­troller activ­i­ties; and

  2. - pro­tec­tion con­cern­ing the data sub­ject, the reg­u­lar exer­cise of his/her rights or pro­vi­sion of ser­vices that ben­e­fit him/her, respect­ing legit­i­mate expec­ta­tions and fun­da­men­tal rights and free­doms, under the terms of this Law.

§ 1 When the pro­cess­ing is based on the con­troller’s legit­i­mate inter­est, only the per­son­al data strict­ly nec­es­sary for the intend­ed pur­pose can be processed.

§ 2 The con­troller shall adopt mea­sures to guar­an­tee the trans­paren­cy of data pro­cess­ing based on its legit­i­mate interest.

§ 3 The nation­al author­i­ty may request from the con­troller the data pro­tec­tion impact assess­ment when the pro­cess­ing is based on its legit­i­mate inter­est, sub­ject to com­mer­cial and indus­tri­al secrets.

Section II 

Processing of Sensitive Personal Data

 

Art. 11. The pro­cess­ing of sen­si­tive per­son­al data can only occur in the fol­low­ing cases:

  1. - when the data sub­ject or her/his legal guardian con­sents, in a spe­cif­ic and promi­nent way, for spe­cif­ic purposes;

  2. - with­out con­sent from the data sub­ject being giv­en, in cas­es in which it is indis­pens­able for:

  1. the com­pli­ance with legal or reg­u­la­to­ry oblig­a­tions by the controller;

  2. pro­cess­ing of shared data nec­es­sary for the imple­men­ta­tion, by the pub­lic admin­is­tra­tion, of pub­lic poli­cies pro­vid­ed for in laws or regulations;

  3. to car­ry out stud­ies by a research agency, wher­ev­er pos­si­ble, the anonymiza­tion of sen­si­tive per­son­al data;

  4. reg­u­lar exer­cise of rights, includ­ing in con­tract and in judi­cial, admin­is­tra­tive, and arbi­tra­tion pro­ceed­ings, the lat­ter accord­ing to Law No. 9.307 from Sep­tem­ber 23, 1996(Arbi­tra­tion Law) ;

  5. the pro­tec­tion of the life or phys­i­cal safe­ty of the data sub­ject or third party;

  6. pro­tec­tion of health, exclu­sive­ly, in a pro­ce­dure per­formed by health pro­fes­sion­als, health ser­vices, or health author­i­ty; or (Word­ing giv­en by Law No. 13.853 of2019).  

 

  1. ensure fraud pre­ven­tion and secu­ri­ty of the data sub­ject, in the process­es of iden­ti­fi­ca­tion and authen­ti­ca­tion of reg­is­tra­tion in elec­tron­ic sys­tems, safe­guard­ing the rights men­tioned in art. 9 of this Law and except in case of the fun­da­men­tal rights and free­dom of the data sub­ject that require the pro­tec­tion of per­son­al data.

§ 1 The pro­vi­sions of this arti­cle shall apply to any pro­cess­ing of per­son­al data that reveals sen­si­tive per­son­al data and may cause harm to the data sub­ject, sub­ject to the con­di­tions of spe­cif­ic legislation.

§ 2 In cas­es of appli­ca­tion of the pro­vi­sions of items “a” and “b” of item II of caput of this arti­cle by pub­lic bod­ies and enti­ties, the waiv­er men­tioned above of con­sent shall be pub­li­cized, accord­ing to item I of the main sec­tion of art. 23 of this Law.

§ 3 Com­mu­ni­ca­tion or the shared use of sen­si­tive per­son­al data among con­trollers to obtain eco­nom­ic advan­tage may be pro­hib­it­ed or sub­ject to reg­u­la­tion by the nation­al author­i­ty, after hear­ing the sec­toral agen­cies of the Gov­ern­ment, with­in the scope of their competencies.

§ 4 Com­mu­ni­ca­tion or shared use between con­trollers of sen­si­tive per­son­al data refer­ring to health in order to obtain an eco­nom­ic advan­tage is pro­hib­it­ed, except in hypothe­ses relat­ed to the pro­vi­sion of health ser­vices, phar­ma­ceu­ti­cal assis­tance, and health insur­ance, as long as §5 of this arti­cle is observed, includ­ing aux­il­iary diag­nos­tic and ther­a­peu­tic ser­vices, in ben­e­fit of the inter­ests of the data sub­ject and also to allow:  (Word­ing giv­en by Law No. 13.853 of 2019). 

  1. - data porta­bil­i­ty when request­ed by the data sub­ject; or (Includ­ed by Law No. 13.853 from 2019)

Term

  1. - finan­cial and admin­is­tra­tive trans­ac­tions result­ing from the use and pro­vi­sion of the ser­vices referred to in this para­graph. (Includ­ed by Law No. 13.853from 2019 ) Term

§ 5 Oper­a­tors of pri­vate health care plans are pro­hib­it­ed from pro­cess­ing health data for the prac­tice of risk selec­tion in the con­tract­ing of any modal­i­ty, as well as in the con­tract­ing and exclu­sion of ben­e­fi­cia­ries. (Includ­ed by Law No. 13.853from 2019) Term

Art. 12. Anonymized data shall not be con­sid­ered per­son­al data for the pur­pos­es of this Law, except when the anonymiza­tion process to which it has been sub­mit­ted is reversed, using exclu­sive­ly pro­pri­etary means, or when it can be reversed with rea­son­able efforts.

§ 1 The deter­mi­na­tion of what is rea­son­able must con­sid­er objec­tive fac­tors, such as cost and time nec­es­sary to reverse the anonymiza­tion process, accord­ing to the avail­able tech­nolo­gies, and the exclu­sive use of own means.

§ 2 Per­son­al data, for this Law, may also be con­sid­ered those used to form the behav­ioral pro­file of a par­tic­u­lar nat­ur­al per­son, if identified.

§ 3 The nation­al author­i­ty may dis­pose of stan­dards and tech­niques used in anonymiza­tion process­es and car­ry out ver­i­fi­ca­tions about its secu­ri­ty after hear­ing the Nation­al Coun­cil for the Pro­tec­tion of Per­son­al Data.

Art. 13. When car­ry­ing out pub­lic health stud­ies, research agen­cies may have access to per­son­al data­bas­es, which shall be processed exclu­sive­ly with­in the enti­ty and strict­ly to car­ry out stud­ies and research. Those data­bas­es shall be kept in a con­trolled and secure envi­ron­ment, in accor­dance with spe­cif­ic reg­u­la­tions and includ­ing, wher­ev­er pos­si­ble, the anonymiza­tion or pseu­do­nymiza­tion of the data and the due eth­i­cal stan­dards relat­ed to stud­ies and research.

§ 1 The dis­clo­sure of the results or any excerpt of the study or research referred to in the caput of this arti­cle under no cir­cum­stances shall reveal per­son­al data.

§ 2 The research enti­ty shall be respon­si­ble for the secu­ri­ty of infor­ma­tion in the caput of this arti­cle. In any case, the trans­fer of the data to third par­ties is not allowed.

§ 3 Access to the data referred to in this arti­cle will be sub­ject to reg­u­la­tion by the nation­al author­i­ty and health and san­i­tary author­i­ties with­in the scope of its competencies.

§ 4 For this arti­cle, pseu­do­nymiza­tion is the pro­cess­ing by which a data los­es the pos­si­bil­i­ty of an asso­ci­a­tion, direct­ly or indi­rect­ly, to a nat­ur­al per­son, by the use of addi­tion­al infor­ma­tion main­tained sep­a­rate­ly by the con­troller in a con­trolled and safe environment.

Section III 

Processing of Personal Data of Children and Adolescents

 

Art. 14. The pro­cess­ing of per­son­al data of chil­dren and ado­les­cents shall car­ry out in their best inter­est, pur­suant to this arti­cle and the spe­cif­ic legislation.

§ 1 The pro­cess­ing of per­son­al data of chil­dren shall be car­ried out with the spe­cif­ic and promi­nent con­sent giv­en by at least one par­ent or legal guardian.

§ 2 In the pro­cess­ing of data referred to in § 1 of this arti­cle, con­trollers shall keep pub­lic infor­ma­tion on types of data col­lect­ed, the form of their use, and the pro­ce­dures for exer­cis­ing the rights referred to in art. 18 of this Law.

§ 3 3 Chil­dren’s per­son­al data with­out the con­sent referred to in § 1 of this arti­cle may be col­lect­ed when the col­lec­tion is nec­es­sary to con­tact the par­ents or legal guardian, used once and with­out stor­age, or for their pro­tec­tion. In no case may they be passed on to third par­ties with­out the con­sent referred to in § 1 of this article.

§ 4 The con­trollers shall not con­di­tion the par­tic­i­pa­tion of the data sub­jects referred to in § 1 of this arti­cle to games, inter­net appli­ca­tions, or oth­er activ­i­ties to pro­vide per­son­al infor­ma­tion beyond what is strict­ly nec­es­sary for the activity.

§ 5 The Con­trollers shall make all rea­son­able efforts to ver­i­fy that the con­sent referred to in § 1 of this arti­cle has been giv­en by the respon­si­ble par­ty of the child, con­sid­er­ing the avail­able technologies.

§ 6 The infor­ma­tion on the pro­cess­ing of data referred to in this arti­cle shall be pro­vid­ed in a sim­ple, clear, and acces­si­ble man­ner, con­sid­er­ing the phys­i­cal-motor, per­cep­tive, sen­so­ry, intel­lec­tu­al, and men­tal char­ac­ter­is­tics of the user, using audio­vi­su­al resources when appro­pri­ate, in order to pro­vide the nec­es­sary infor­ma­tion to the par­ents or legal guardian and ade­quate to the under­stand­ing of the child.

Section IV 

Termination of Data Processing

 

Art. 15. The ter­mi­na­tion of the pro­cess­ing of per­son­al data will occur in the fol­low­ing cases:

  1. - ver­i­fi­ca­tion that the pur­pose has been achieved or the data is no longer nec­es­sary or rel­e­vant to the achieve­ment of the spe­cif­ic pur­pose sought;

  2. - end of pro­cess­ing period;

  3. - com­mu­ni­ca­tion by the data sub­ject, includ­ing in the exer­cise of his right to revoke the con­sent pro­vid­ed in § 5 of art. 8 of this Law, safe­guard­ing the pub­lic inter­est; or

  4. - deter­mi­na­tion of the nation­al author­i­ty when there is a vio­la­tion of the pro­vi­sions of this Law.

Art. 16. Per­son­al data shall be delet­ed after the end of its pro­cess­ing, with­in the scope and tech­ni­cal lim­its of the activ­i­ties, autho­rized the main­te­nance for the fol­low­ing purposes:

  1. - the com­pli­ance with legal or reg­u­la­to­ry oblig­a­tions by the controller;

  2. - study by a research agency, guar­an­teed, wher­ev­er pos­si­ble, the anonymiza­tion of per­son­al data;

  3. - trans­fer to a third par­ty, pro­vid­ed that the data pro­cess­ing require­ments set out in this Law is respect­ed; or 

IV — exclu­sive use of the con­troller, with its access by a third par­ty being pro­hib­it­ed, and pro­vid­ed that the data is anonymized.

CHAPTER III 

DATA SUBJECT’S RIGHTS

Art. 17. Every nat­ur­al per­son is guar­an­teed the own­er­ship of his/her per­son­al data, guar­an­tee­ing the fun­da­men­tal rights of free­dom, inti­ma­cy, and pri­va­cy, under the terms of this Law.

Art. 18. The data sub­ject is enti­tled to obtain from the con­troller, in rela­tion to the data subject’s data processed by the lat­ter, at any time and upon request:

  1. - con­fir­ma­tion of the exis­tence of processing;

  2. - access to the data;

  3. - cor­rec­tion of incom­plete, inac­cu­rate or out­dat­ed data;

  4. - anonymiza­tion, block­ing, or elim­i­na­tion of unnec­es­sary or exces­sive data or data process in dis­agree­ment with the pro­vi­sions of this Law;

  5. - data porta­bil­i­ty to anoth­er ser­vice or prod­uct provider, upon express request, in accor­dance with the reg­u­la­tions of the nation­al author­i­ty, observ­ing com­mer­cial and indus­tri­al secrets;   (Word­ing giv­en by Law No. 13.853 from 2019)      Term

  6. - elim­i­na­tion of per­son­al data processed with the con­sent of the data sub­ject, except in the cas­es pro­vid­ed for in art.16 of this Law;

  1. - infor­ma­tion from pub­lic and pri­vate enti­ties with which the con­troller made shared use of data;

  2. - infor­ma­tion about the pos­si­bil­i­ty of not giv­ing con­sent and about the con­se­quences of the refusal;

  3. - revo­ca­tion of con­sent, pur­suant to § 5 of art. 8 of this Law.

§ 1 The per­son­al data sub­ject has the right to peti­tion in rela­tion to his/her data against the con­troller before the nation­al authority.

§ 2 The data sub­ject may oppose pro­cess­ing based on one of the hypothe­ses of exemp­tion from con­sent, in case of non-com­pli­ance with the pro­vi­sions of this Law.

§ 3 The rights pro­vid­ed for in this arti­cle shall be exer­cised upon the express request by the data sub­ject or a legal­ly con­sti­tut­ed rep­re­sen­ta­tive, to the pro­cess­ing agent.

§ 4 In case of impos­si­bil­i­ty of imme­di­ate adop­tion of the pro­vi­sion referred to in para­graph 3 of this arti­cle, the con­troller will send the data sub­ject an answer in which he/she may:

I — com­mu­ni­cate that he/she is not a data pro­cess­ing agent and indi­cate, when­ev­er pos­si­ble, the agent; or 

II — indi­cate the rea­sons of fact or of law that pre­vent the imme­di­ate adop­tion of the providence.

§ 5 The appli­ca­tion referred to in § 3 of this arti­cle will be met free of charge for the data sub­ject, with­in the terms and con­di­tions pro­vid­ed for in the regulation.

§ 6 The respon­si­ble per­son shall imme­di­ate­ly inform the pro­cess­ing agents with whom he/she has shared the use of data, the cor­rec­tion, dele­tion, anonymiza­tion, or block­ing of the data, so that they repeat the same pro­ce­dure, except in cas­es where this com­mu­ni­ca­tion proves impos­si­ble or involves dis­pro­por­tion­ate effort. (Word­ing giv­en by Law No. 13.853, from 2019)Term

§ 7 The porta­bil­i­ty of the per­son­al data referred to in item V of the caput of this arti­cle does not include data that has already been anonymized by the controller.

§ 8 The right referred to in para­graph 1 of this arti­cle may also be exer­cised before the con­sumer pro­tec­tion organizations.

Art. 19. Con­fir­ma­tion of exis­tence or access to per­son­al data will be pro­vid­ed, upon request by the data subject:

 

  1. - in a sim­pli­fied for­mat, imme­di­ate­ly; or

  2. - by means of a clear and com­plete state­ment indi­cat­ing the ori­gin of the data, the lack of reg­is­tra­tion, the cri­te­ria used, and the pur­pose of the pro­cess­ing, observ­ing the com­mer­cial and indus­tri­al secrets, sup­plied with­in a peri­od of up to 15 days, date of the data sub­jec­t’s request.

§ 1 The per­son­al data will be stored in a for­mat that favors the exer­cise of the right of access.

§ 2 The infor­ma­tion and data may be pro­vid­ed, at the data sub­ject discretion:

I — by elec­tron­ic means, secure and suit­able for this pur­pose; or 

II — in print­ed form.

§ 3 When pro­cess­ing orig­i­nates in the con­sent of the data sub­ject or in con­tract, the data sub­ject may request a com­plete elec­tron­ic copy of his/her per­son­al data, observ­ing the com­mer­cial and indus­tri­al secrets, in accor­dance with the reg­u­la­tions of the nation­al author­i­ty, in a for­mat that allows its sub­se­quent use, includ­ing in oth­er pro­cess­ing operations.

§ 4 The nation­al author­i­ty may dis­pose in a dif­fer­en­ti­at­ed man­ner about the peri­ods pro­vid­ed for in items I and II of the caput of this arti­cle for spe­cif­ic sectors.

Art. 20. The data sub­ject is enti­tled to request a review of deci­sions made sole­ly on the basis of auto­mat­ed pro­cess­ing of per­son­al data that affect their inter­ests, includ­ing deci­sions designed to define their per­son­al, pro­fes­sion­al, con­sumer, and cred­it pro­file or aspects of their per­son­al­i­ty. (Word­ing giv­en by Law No. 13.853 from 2019)      Term

§ 1 The con­troller shall pro­vide, when­ev­er request­ed, clear and ade­quate infor­ma­tion regard­ing the cri­te­ria and pro­ce­dures used for the auto­mat­ed deci­sion, observ­ing the com­mer­cial and indus­tri­al secrets.

§ 2 In case of non-offer of infor­ma­tion referred to in § 1 of this arti­cle based on com­pli­ance with com­mer­cial and indus­tri­al secre­cy, the nation­al author­i­ty may per­form an audit to ver­i­fy dis­crim­i­na­to­ry aspects in auto­mat­ed pro­cess­ing of per­son­al data.

§ 3 (VETOED). (Includ­ed by Law No. 13.853 from 2019 ) Term

Art. 21. Per­son­al data relat­ing to the data sub­ject reg­u­lar exer­cise of rights may not be used to his/her detriment.

Art. 22. The defense of the inter­ests and rights of data sub­jects may be exer­cised in court, indi­vid­u­al­ly or col­lec­tive­ly, as pro­vid­ed in the rel­e­vant leg­is­la­tion, regard­ing indi­vid­ual and col­lec­tive pro­tec­tion instruments.

CHAPTER IV 

PROCESSING OF PERSONAL DATA BY PUBLIC AUTHORITIES

Section I 

The Rules

Art. 23. The pro­cess­ing of per­son­al data by legal enti­ties gov­erned by pub­lic law referred to in the sole para­graph of art. 1 of Law No. 12,527,from November18 ‚2011 (Access to Infor­ma­tion Law) , shall be car­ried out for the ful­fill­ment of its pub­lic pur­pose, in pur­suit of the pub­lic inter­est, in order to per­form legal pow­ers or ful­fill legal attri­bu­tions of the pub­lic ser­vice, pro­vid­ed that:

  1. - they are informed of the cas­es in which, in the exer­cise of their pow­ers, they car­ry out the pro­cess­ing of per­son­al data, pro­vid­ing clear and up-to-date infor­ma­tion on the legal fore­cast, pur­pose, pro­ce­dures, and prac­tices used to per­form these activ­i­ties in eas­i­ly acces­si­ble media, prefer­ably in their elec­tron­ic sites;

  2. - (VETOED); and

  3. - a data pro­tec­tion offi­cer is appoint­ed when car­ry­ing out per­son­al data pro­cess­ing oper­a­tions, pur­suant to art. 39 of this Law; and (Word­ing giv­en by Law No. 13.853 from 2019 ) Term

  4. - (VETOED). (Includ­ed by Law No. 13.853 from 2019) Term

§ 1 The nation­al author­i­ty may decide on the dis­clo­sure of pro­cess­ing operations.

§ 2 The pro­vi­sions of this Law do not exempt the legal enti­ties men­tioned in the caput of this arti­cle from estab­lish­ing the author­i­ties referred to in Law No. 12.527from Novem­ber 18, 2011(Access to Infor­ma­tion Law) .

§ 3 The dead­lines and pro­ce­dures for exer­cis­ing the rights of the data sub­ject before the pub­lic author­i­ties shall com­ply with of Law, from Novem­ber 12, 1997(Habeas Data Law) of Law, from(Administrative Process Law), of Law No. 12.527 from Novem­ber 18, 2011(Access to Infor­ma­tion Law).

§ 4 The notary and reg­is­tra­tion ser­vices exer­cised in pri­vate, by a del­e­ga­tion of the pub­lic author­i­ties, shall have the same treat­ment as the legal enti­ties men­tioned in the caput of this arti­cle, under the terms of this Law.

§ 5 Notary reg­istry enti­ties shall pro­vide access to the data by elec­tron­ic means for pub­lic admin­is­tra­tion, in view of the pur­pos­es referred to in the caput of this article.

Art. 24. Pub­lic com­pa­nies and mixed-cap­i­tal com­pa­nies that oper­ate under a regime of com­pe­ti­tion, sub­ject to the pro­vi­sions of art. 173 of the Fed­er­al Con­sti­tu­tion, will have the same treat­ment giv­en to pri­vate legal enti­ties under the terms of this Law.

Sole para­graph. Pub­lic com­pa­nies and mixed-cap­i­tal com­pa­nies, when they are oper­at­ing pub­lic poli­cies and in the scope of their exe­cu­tion, will have the same treat­ment as the agen­cies and enti­ties of the pub­lic author­i­ties, under the terms of this Chapter.

Art. 25. Data should be main­tained in an inter­op­er­a­ble and struc­tured for­mat for shared use for pub­lic pol­i­cy imple­men­ta­tion, pub­lic ser­vice deliv­ery, decen­tral­iza­tion of pub­lic activ­i­ty, dis­sem­i­na­tion, and access to infor­ma­tion by the gen­er­al public.

Art. 26. The shared use of per­son­al data by the pub­lic author­i­ty must meet the spe­cif­ic pur­pos­es of pub­lic pol­i­cy exe­cu­tion and legal attri­bu­tion by pub­lic agen­cies and enti­ties, respect­ing the prin­ci­ples of per­son­al data pro­tec­tion list­ed in art. 6 of this Law.

§ 1 The Pub­lic Pow­er is for­bid­den from trans­fer­ring to pri­vate enti­ties per­son­al data con­tained in data­bas­es to which it has access, except:

  1. - in cas­es of decen­tral­ized exe­cu­tion of pub­lic activ­i­ty that requires the trans­fer, exclu­sive­ly for this spe­cif­ic and deter­mined pur­pose, observ­ing the pro­vi­sions  of law No. 12,527 from Novem­ber 18,2011 (Access to Infor­ma­tion Law) ;

  2. - (VETOED);

  3. - in cas­es where the data are pub­licly acces­si­ble, sub­ject to the pro­vi­sions of this Law.

  4. - when there is a legal pro­vi­sion or the trans­fer is sup­port­ed by con­tracts, agree­ments, or sim­i­lar instru­ments; or (Includ­ed by Law No. 13.853 from 2019)     Term

  5. - in the event that the trans­fer of data is intend­ed sole­ly to pre­vent fraud and irreg­u­lar­i­ties, or to pro­tect and safe­guard the secu­ri­ty and integri­ty of the data sub­ject, pro­vid­ed that pro­cess­ing for oth­er pur­pos­es is pro­hib­it­ed. (Includ­ed by Law No. 13.853 from 2019 ) Term

§ 2 The con­tracts and agree­ments referred to in § 1 of this arti­cle shall be com­mu­ni­cat­ed to the nation­al authority.

Art. 27. The com­mu­ni­ca­tion or shared use of per­son­al data from legal enti­ties under pub­lic law to per­sons under pri­vate law will be report­ed to the nation­al author­i­ty and will depend on the con­sent of the data sub­ject, except:

  1. - in the cas­es of exemp­tion from con­sent pro­vid­ed for in this Law;

  2. - in cas­es of shared use of data, in which pub­lic­i­ty will be giv­en in terms of item I of the caput of art. 23 of this Law; or

  3. - in the excep­tions con­tained in § 1 of art. 26 of this Law.

Sole para­graph. The infor­ma­tion to the nation­al author­i­ty referred to in the caput of this arti­cle will be sub­ject to reg­u­la­tion. (Includ­ed by Law No. 13.853from 2019) Term

Art. 28. (VETOED).

Art. 29. The nation­al author­i­ty may request, at any time, to the bod­ies and enti­ties of the Pub­lic Pow­er to car­ry out oper­a­tions for pro­cess­ing per­son­al data, spe­cif­ic infor­ma­tion on the scope and nature of the data and oth­er details of the pro­cess­ing car­ried out and may issue a com­pli­men­ta­ry tech­ni­cal opin­ion to guar­an­tee com­pli­ance with this Law. (Word­ing giv­en by Law No. 13.853 from 2019) Term

Art. 30. The nation­al author­i­ty may estab­lish sup­ple­men­tary stan­dards for com­mu­ni­ca­tion activ­i­ties and the shared use of per­son­al data.

Section II 

The Responsibility

Art. 31. When there is a breach of this Law as a result of the pro­cess­ing of per­son­al data by pub­lic agen­cies, the nation­al author­i­ty may send a report with appro­pri­ate mea­sures to stop the breach.

Art. 32. The nation­al author­i­ty may request agents of the pub­lic author­i­ties to pub­lish the data pro­tec­tion impacts and sug­gest the adop­tion of stan­dards and good prac­tices for the pro­cess­ing of per­son­al data by the pub­lic authorities.

CHAPTER V 

INTERNATIONAL DATA TRANSFER

Art. 33. The inter­na­tion­al trans­fer of per­son­al data is only allowed in the fol­low­ing cases:

  1. - for coun­tries or inter­na­tion­al orga­ni­za­tions that pro­vide a lev­el of per­son­al data pro­tec­tion ade­quate to the pro­vi­sions of this Law;

  2. - when the con­troller offers and demon­strates guar­an­tees of com­pli­ance with the prin­ci­ples, data sub­ject rights, and the data pro­tec­tion regime pro­vid­ed for in this Law, in the form of:

  1. spe­cif­ic con­trac­tu­al claus­es for a par­tic­u­lar transfer;

  2. stan­dard con­trac­tu­al clauses;

  3. bind­ing cor­po­rate standards;

  4. stamps, cer­tifi­cates and codes of con­duct issued on a reg­u­lar basis;

  1. - when the trans­fer is nec­es­sary for inter­na­tion­al legal coop­er­a­tion between pub­lic intel­li­gence, inves­ti­ga­tion, and pros­e­cu­tion agen­cies, in accor­dance with the instru­ments of inter­na­tion­al law;

  2. - when the trans­fer is nec­es­sary for the pro­tec­tion of the life or phys­i­cal safe­ty of the data sub­ject or third party;

  3. - when the nation­al author­i­ty autho­rizes the transfer;

  4. - when the trans­fer results in a com­mit­ment made in an inter­na­tion­al coop­er­a­tion agreement;

  5. - when the trans­fer is nec­es­sary for the exe­cu­tion of pub­lic pol­i­cy or legal attri­bu­tion of the pub­lic ser­vice, being pub­li­cized under the terms of item I of the caput of art. 23 of this Law;

  6. - when the data sub­ject has giv­en his/her spe­cif­ic con­sent and in par­tic­u­lar the trans­fer, with pri­or infor­ma­tion on the inter­na­tion­al char­ac­ter of the oper­a­tion, clear­ly dis­tin­guish­ing this from oth­er pur­pos­es; or

  7. - when nec­es­sary to meet the hypothe­ses pro­vid­ed for in items II, V, and VI of art. 7 of this Law.

Sole para­graph. For the pur­pos­es of item I of this arti­cle, legal enti­ties gov­erned by pub­lic law referred to in the sole para­graph of art. 1 of Law No. 12.527,from Novem­ber18 ‚2011 (Access to Infor­ma­tion Law), with­in the scope of their legal pow­ers, and those respon­si­ble, with­in the scope of their activ­i­ties, may request the nation­al author­i­ty to assess the lev­el of pro­tec­tion of per­son­al data con­ferred by a coun­try or inter­na­tion­al organization.

Art. 34. The lev­el of data pro­tec­tion of the for­eign coun­try or the inter­na­tion­al orga­ni­za­tion men­tioned on item I of the caput of art. 33 of this Law will be assessed by the nation­al author­i­ty, which will take into consideration:

I — the gen­er­al and sec­toral rules of the leg­is­la­tion in force in the coun­try of des­ti­na­tion or in the inter­na­tion­al agency; 

II — the nature of the data;

  1. - com­pli­ance with the gen­er­al prin­ci­ples of pro­tec­tion of per­son­al data and data subject’s rights pro­vid­ed for in this Law;

  2. - the adop­tion of secu­ri­ty mea­sures fore­seen by regulation;

  3. - the exis­tence of judi­cial and insti­tu­tion­al guar­an­tees for the respect of per­son­al data pro­tec­tion rights; and VI — oth­er spe­cif­ic cir­cum­stances relat­ing to the transfer.

Art. 35. The def­i­n­i­tion of the con­tent of stan­dard con­trac­tu­al claus­es, as well as the ver­i­fi­ca­tion of spe­cif­ic con­trac­tu­al claus­es for a cer­tain trans­fer, bind­ing cor­po­rate rules or stamps, cer­tifi­cates, and codes of con­duct, referred to in item II of the caput of art. 33 of this Law, shall be car­ried out by the nation­al authority.

§ 1 In order to ver­i­fy the pro­vi­sions of the caput of this arti­cle, it should be con­sid­ered the require­ments, con­di­tions, and min­i­mum guar­an­tees for the trans­fer that observe the rights, guar­an­tees, and prin­ci­ples of this Law.

§ 2 In the analy­sis of con­trac­tu­al claus­es, doc­u­ments, or bind­ing cor­po­rate rules sub­mit­ted to the approval of the nation­al author­i­ty, addi­tion­al infor­ma­tion may be required or ver­i­fi­ca­tion pro­ce­dures should be car­ried out regard­ing the pro­cess­ing oper­a­tions, when necessary.

§ 3 The nation­al author­i­ty may des­ig­nate cer­ti­fi­ca­tion agen­cies to car­ry out the caput of this arti­cle, which shall remain under its super­vi­sion under the terms defined in regulation.

§ 4 The acts per­formed by the cer­ti­fi­ca­tion agency may be reviewed by the nation­al author­i­ty and, if not in com­pli­ance with this Law, sub­mit­ted to revi­sion or annulled.

§ 5 The suf­fi­cient guar­an­tees of com­pli­ance with the gen­er­al prin­ci­ples of pro­tec­tion and the data subject’s rights referred to in caput of this arti­cle will also be ana­lyzed accord­ing to the tech­ni­cal and orga­ni­za­tion­al mea­sures adopt­ed by the proces­sor, in accor­dance with the pro­vi­sions of §§ 1 and 2 of art. 46 of this Law.

Art. 36. The changes in the guar­an­tees pre­sent­ed as suf­fi­cient to com­ply with the gen­er­al prin­ci­ples of pro­tec­tion and the data subject’s rights referred to in item II of art. 33 of this Law shall be com­mu­ni­cat­ed to the nation­al authority.

CHAPTER VI 

AGENTS OF PERSONAL DATA PROCESSING

Section I  

Controller and Processor

Art. 37. The con­troller and proces­sor must keep a record of the per­son­al data pro­cess­ing oper­a­tions they per­form, espe­cial­ly when based on legit­i­mate interest.

Art. 38. The nation­al author­i­ty may order the con­troller to pre­pare a data pro­tec­tion impact assess­ment of per­son­al data, includ­ing sen­si­tive data, relat­ing to its data pro­cess­ing oper­a­tions, in accor­dance with the reg­u­la­tion, and accord­ing to the com­mer­cial and indus­tri­al secrets.

Sole para­graph. Sub­ject to the pro­vi­sions of the caput of this arti­cle, the report shall con­tain, at a min­i­mum, a descrip­tion of the types of data col­lect­ed, the method­ol­o­gy used for col­lect­ing them and ensur­ing infor­ma­tion secu­ri­ty, as well as the con­troller’s analy­sis of the mea­sures, safe­guards and mit­i­ga­tion mech­a­nisms adopted.

Art. 39. The proces­sor must car­ry out the pro­cess­ing accord­ing to the instruc­tions pro­vid­ed by the con­troller, who will ver­i­fy com­pli­ance with the instruc­tions and the rel­e­vant regulations.

Art. 40. The nation­al author­i­ty may pro­vide for inter­op­er­abil­i­ty stan­dards for porta­bil­i­ty, free access to data and secu­ri­ty, as well as record-keep­ing time, espe­cial­ly with regard to the need and transparency.

Section II  

Data Protection Officer

Art. 41. The con­troller must indi­cate the data pro­tec­tion offi­cer in charge of the pro­cess­ing of per­son­al data.

§ 1 The iden­ti­ty and con­tact infor­ma­tion of the man­ag­er shall be pub­licly dis­closed, clear­ly and objec­tive­ly, prefer­ably on the con­troller’s website.

§ 2 The activ­i­ties of the data pro­tec­tion offi­cer con­sist of:

  1. - accept com­plaints and com­mu­ni­ca­tions from data sub­jects, pro­vide clar­i­fi­ca­tions and take measures;

  2. - receive com­mu­ni­ca­tions from the nation­al author­i­ty and take action;

  3. - advise the enti­ty’s employ­ees and con­trac­tors regard­ing the prac­tices to be tak­en in rela­tion to the pro­tec­tion of per­son­al data; and

  4. - per­form the oth­er duties deter­mined by the con­troller or estab­lished in com­ple­men­tary regulations.

§ 3 The nation­al author­i­ty may estab­lish addi­tion­al rules on the def­i­n­i­tion and the duties of the data pro­tec­tion offi­cer, includ­ing the pos­si­bil­i­ty of exemp­tion from the need for his/her appoint­ment, depend­ing on the nature and size of the enti­ty or the vol­ume of data pro­cess­ing operations.

§ 4 (VETOED). (Includ­ed by Law No. 13.853 from 2019)    Term

Section III  

Liability and Compensation

Art. 42. The con­troller or proces­sor who, due to the exer­cise of per­son­al data pro­cess­ing activ­i­ty, caus­es to anoth­er prop­er­ty, moral, nat­ur­al per­son, or col­lec­tive dam­age, in vio­la­tion of the leg­is­la­tion for the pro­tec­tion of per­son­al data, is oblig­ed to repair it.

§ 1 In order to ensure the effec­tive indem­ni­fi­ca­tion of the data subject:

  1. - the proces­sor shall be joint­ly and sev­er­al­ly liable for dam­age caused by the pro­cess­ing when he/she fails to com­ply with the oblig­a­tions of the data pro­tec­tion leg­is­la­tion or when he/she has not fol­lowed the lic­it instruc­tions of the con­troller, in which case the proces­sor is con­sid­ered as a con­troller, except in the cas­es of exclu­sion pro­vid­ed for in art. 43 of this Law;

  2. - the con­trollers who are direct­ly involved in the pro­cess­ing of which the data sub­ject has suf­fered dam­ages are joint­ly and sev­er­al­ly liable, except in the cas­es of exclu­sion pro­vid­ed for in art. 43 of this Law.

§ 2. The judge in the civ­il pro­ceed­ing may reverse the bur­den of proof in favor of the data sub­ject when, in its opin­ion, the alle­ga­tion is prob­a­ble, there is a hypoth­e­sis for the pur­pose of pro­duc­ing evi­dence or where the pro­duc­tion of evi­dence by the data sub­ject is found to be exces­sive­ly onerous.

§ 3 The actions for redress for col­lec­tive dam­ages that have the sub­ject of lia­bil­i­ty under the caput of this arti­cle may be exer­cised col­lec­tive­ly in court, sub­ject to the pro­vi­sions of the per­ti­nent legislation.

§ 4 Any­one who repairs the dam­age to the own­er has the right of return against the oth­er respon­si­ble per­sons, inso­far as they par­tic­i­pate in the harm­ful event.

Art. 43. Pro­cess­ing agents will not be held liable only when they prove:

  1. - that they have not processed the per­son­al data assigned to them;

  2. - although they have processed the per­son­al data that had been assigned to them, there has been no breach of the data pro­tec­tion leg­is­la­tion; or

  3. - the dam­age is the sole fault of the data sub­ject or third party.

Art. 44. The pro­cess­ing of per­son­al data will be irreg­u­lar when it fails to observe the leg­is­la­tion or when it does not pro­vide the secu­ri­ty the data sub­ject can expect, con­sid­er­ing the rel­e­vant cir­cum­stances, among which:

  1. - the way in which it is car­ried out;

  2. - the result and the risks rea­son­ably expect­ed of it;

  3. - the tech­niques for pro­cess­ing per­son­al data avail­able at the time it was performed.

Sole para­graph. It responds to the dam­ages result­ing from the vio­la­tion of data secu­ri­ty to the con­troller or the proces­sor who, in fail­ing to adopt the secu­ri­ty mea­sures set forth in art. 46 of this Law, caus­es damage.

Art. 45. The hypothe­ses of vio­la­tion of the data sub­jec­t’s rights in the con­text of con­sumer rela­tions remain sub­ject to the lia­bil­i­ty rules pro­vid­ed for in the rel­e­vant legislation.

CHAPTER VII 

SECURITY AND GOOD PRACTICE

Section I 

Security and Confidentiality

Art. 46. The pro­cess­ing agents must adopt tech­ni­cal, secu­ri­ty, and admin­is­tra­tive mea­sures to pro­tect per­son­al data from unau­tho­rized access and from acci­den­tal or unlaw­ful sit­u­a­tions of destruc­tion, loss, alter­ation, com­mu­ni­ca­tion, or any form of inap­pro­pri­ate or unlaw­ful processing.

§ 1 The nation­al author­i­ty may lay down min­i­mum tech­ni­cal stan­dards to make applic­a­ble the pro­vi­sions of the caput of this arti­cle, con­sid­er­ing the nature of the infor­ma­tion processed, the spe­cif­ic char­ac­ter­is­tics of the pro­cess­ing, and the cur­rent state of the tech­nol­o­gy, espe­cial­ly in the case of sen­si­tive per­son­al data, as well as the prin­ci­ples pro­vid­ed in the caput of art. 6 of this Law.

§ 2 The mea­sures referred to in the caput of this arti­cle shall be observed from the design stage of the prod­uct or ser­vice until its execution.

Art. 47. The pro­cess­ing agents or any oth­er per­son involved in one of the stages of pro­cess­ing must ensure the secu­ri­ty of the infor­ma­tion pro­vid­ed by this Law in rela­tion to per­son­al data, even after its termination.

Art. 48. The con­troller shall inform the nation­al author­i­ty and the data sub­ject of the occur­rence of a secu­ri­ty inci­dent that may entail sig­nif­i­cant risk or dam­age to the data subjects.

§ 1 The com­mu­ni­ca­tion shall be made with­in a rea­son­able time, as defined by the nation­al author­i­ty, and shall men­tion, at least:

  1. - a descrip­tion of the nature of the affect­ed per­son­al data;

  2. - infor­ma­tion about the data sub­jects involved;

  3. - an indi­ca­tion of the tech­ni­cal and secu­ri­ty mea­sures used for the pro­tec­tion of data, in com­pli­ance with com­mer­cial and indus­tri­al secrets;

  4. - risks relat­ed to the incident;

  5. - the rea­sons for the delay, if the com­mu­ni­ca­tion was not imme­di­ate; and

  6. - the mea­sures that have been or will be tak­en to reverse or mit­i­gate the effects of the damage.

§ 2 The nation­al author­i­ty shall ver­i­fy the seri­ous­ness of the inci­dent and may, if nec­es­sary to safe­guard the data subject’s rights, deter­mine to the con­troller the adop­tion of mea­sures, such as:

  1. - wide dis­sem­i­na­tion of the fact in the media; and

  2. - mea­sures to reverse or mit­i­gate the effects of the incident.

§ 3 In the judg­ment of grav­i­ty of the inci­dent, it will be eval­u­at­ed whether it is proven that ade­quate tech­ni­cal mea­sures have been tak­en to make the per­son­al data affect­ed unin­tel­li­gi­ble, with­in the scope and tech­ni­cal lim­its of its ser­vices, to unau­tho­rized third par­ties to access them.

Art. 49. The sys­tems used for the pro­cess­ing of per­son­al data must be struc­tured in such a way as to meet the safe­ty require­ments, the stan­dards of good prac­tice and gov­er­nance, and the gen­er­al prin­ci­ples set forth in this Law, as well as oth­er reg­u­la­to­ry standards.

Section II 

Good Practices and Governance

Art. 50. The con­trollers and proces­sors, with­in the scope of their com­pe­ten­cies, for the pro­cess­ing of per­son­al data, either indi­vid­u­al­ly  or through asso­ci­a­tions, may for­mu­late rules of good prac­tice and gov­er­nance which estab­lish the con­di­tions of the orga­ni­za­tion, the oper­at­ing regime, pro­ce­dures, includ­ing com­plaints and peti­tions, secu­ri­ty stan­dards, tech­ni­cal stan­dards, spe­cif­ic oblig­a­tions for the var­i­ous par­ties involved in the pro­cess­ing, edu­ca­tion­al actions, inter­nal super­vi­so­ry and mit­i­ga­tion mech­a­nisms and oth­er aspects relat­ed to the pro­cess­ing of per­son­al data.

§ 1 In estab­lish­ing rules of good prac­tice, the con­troller and proces­sor shall take into account, in rela­tion to the pro­cess­ing and the data, the nature, scope, pur­pose, and like­li­hood and sever­i­ty of risks and ben­e­fits aris­ing from the pro­cess­ing of the data sub­jec­t’s data.

§ 2 In apply­ing the prin­ci­ples indi­cat­ed in items VII and VIII of the caput of art. 6 of this Law, the con­troller observ­ing the struc­ture, scale, and vol­ume of its oper­a­tions, as well as the sen­si­tiv­i­ty of the data processed, the like­li­hood and sever­i­ty of the dam­ages to the data sub­jects, may:

I — imple­ment a pri­va­cy gov­er­nance pro­gram that, at least:

  1. demon­strate the con­troller’s com­mit­ment to adopt­ing inter­nal process­es and poli­cies that ensure the com­pre­hen­sive com­pli­ance with stan­dards and good prac­tices relat­ing to the pro­tec­tion of per­son­al data;

 

  1. is applic­a­ble to the entire set of per­son­al data that are under its con­trol, regard­less of the mode how it was collected;

 

  1. is adapt­ed to the struc­ture, scale, and vol­ume of its oper­a­tions and to the sen­si­tiv­i­ty of the data processed;

 

  1. estab­lish­es ade­quate poli­cies and safe­guards based on a process of sys­tem­at­ic eval­u­a­tion of impacts and  risks to privacy;

 

  1. aims to estab­lish a rela­tion­ship of trust with the data sub­ject, through trans­par­ent action and that ensures the data sub­jec­t’s par­tic­i­pa­tion mechanisms;

 

  1. is inte­grat­ed into its over­all gov­er­nance struc­ture and estab­lish­es and imple­ments inter­nal and exter­nal over­sight mechanisms;

  1. con­tains inci­dent response and reme­di­a­tion plans; and

  2. is con­stant­ly updat­ed based on infor­ma­tion obtained from con­tin­u­ous mon­i­tor­ing and peri­od­ic evaluations;

 

II — demon­strate the effec­tive­ness of its pri­va­cy gov­er­nance pro­gram where appro­pri­ate, and in par­tic­u­lar at the request of the nation­al author­i­ty or oth­er enti­ty respon­si­ble for pro­mot­ing com­pli­ance with good prac­tices or codes of con­duct, which inde­pen­dent­ly pro­motes com­pli­ance with this Law.

§ 3 The rules of good prac­tice and gov­er­nance shall be pub­lished and updat­ed peri­od­i­cal­ly and may be rec­og­nized and dis­closed by the nation­al authority.

Art. 51. The nation­al author­i­ty shall encour­age the adop­tion of tech­ni­cal stan­dards to facil­i­tate con­trol by the data sub­jects of their per­son­al data.

CHAPTER VIII 

MONITORING

Section I 

Administrative Sanctions

Art. 52. Data pro­cess­ing agents are sub­ject to the fol­low­ing admin­is­tra­tive sanc­tions applic­a­ble by the nation­al author­i­ty for vio­la­tions of the rules pro­vid­ed for in this Law: (Term)

  1. - warn­ing, indi­cat­ing the dead­line for the adop­tion of cor­rec­tive measures;

  2. - fine up to 2% (two per­cent) of the rev­enue of the pri­vate legal enti­ty, group or con­glom­er­ate in Brazil in its last fis­cal year, exclud­ing tax­es, lim­it­ed in total to BRL 50,000,000.00 (fifty mil­lion Brazil­ian reais) due to infraction;

  3. - dai­ly fine, observ­ing the total lim­it referred to in item II;

  4. - pub­li­ca­tion of the vio­la­tion after its occur­rence is duly inves­ti­gat­ed and confirmed;

  5. - block­ing of per­son­al data to which the vio­la­tion relates until it’s regularization;

  6. - destruc­tion of per­son­al data to which the vio­la­tion refers;

  7.  — (VETOED);

  8. - (VETOED); 

IX — (VETOED);

  1. - par­tial sus­pen­sion of the oper­a­tion of the data­base referred to in the infrac­tion for a max­i­mum peri­od of 6 (six) months, extend­able for the same peri­od until the reg­u­lar­iza­tion of the pro­cess­ing activ­i­ty by the con­troller; (Includ­ed by Law No. 13.853 from 2019)

 

  1. - sus­pen­sion of the exer­cise of the activ­i­ty of pro­cess­ing per­son­al data to which the infringe­ment refers for a max­i­mum peri­od of 6 (six) months, extend­able for an equal peri­od; (Includ­ed by Law No. 13.853 from 2019)

  2. - par­tial or total pro­hi­bi­tion of the exer­cise of activ­i­ties relat­ed to data pro­cess­ing. (Includ­ed by Law No. 13.853 from 2019)   

§ 1 — The sanc­tions will be applied after an admin­is­tra­tive pro­ce­dure that allows the oppor­tu­ni­ty of the ample defense, in a grad­ual, iso­lat­ed, or cumu­la­tive man­ner, accord­ing to the pecu­liar­i­ties of the con­crete case and con­sid­er­ing the fol­low­ing para­me­ters and criteria:

  1. - the seri­ous­ness and nature of the infringe­ments and the per­son­al rights affected;

  2. - the offend­er’s good faith;

  3. - the advan­tage obtained or intend­ed by the offender;

  4. - the eco­nom­ic con­di­tion of the offender;

  5. - recidi­vism;

  6. - the degree of damage;

  7. - the coop­er­a­tion of the offender;

  8. - the reit­er­at­ed and demon­strat­ed adop­tion of inter­nal mech­a­nisms and pro­ce­dures capa­ble of min­i­miz­ing harm, aimed at the safe and ade­quate pro­cess­ing of data, in accor­dance with the pro­vi­sions of item II of § 2 of art. 48 of this Law;

  9. - the adop­tion of good prac­tices and gov­er­nance policy;

  10. - prompt adop­tion of cor­rec­tive mea­sures; and

  11. - the pro­por­tion­al­i­ty between the sever­i­ty of the fault and the inten­si­ty of the sanction.

§ 2 The pro­vi­sions of this arti­cle do not replace the appli­ca­tion of admin­is­tra­tive, civ­il, or crim­i­nal sanc­tions defined in Law No. 8,078 from Sep­tem­ber 11, 1990, and in spe­cif­ic leg­is­la­tion.         (Word­ing giv­en by Law No. 13.853 from2019)

 

§ 3 The pro­vi­sions of items I, IV, V, VI, X, XI, and XII of the caput of this arti­cle may be applied to pub­lic enti­ties and bod­ies, with­out prej­u­dice to the pro­vi­sions  of Law No.8112 from Decem­ber 11, 1990 ‚in Law No.8429 from June 2, 1992, andLaw No. 12,527 from Novem­ber 18, 2011.    (Pro­mul­ga­tion of vetoed parts)  

§ 4 In cal­cu­lat­ing the amount of the fine referred to in item II of the caput of this arti­cle, the nation­al author­i­ty may con­sid­er the total turnover of the com­pa­ny or group of com­pa­nies when it does not have the val­ue of the billing in the branch of busi­ness activ­i­ty in which the infrac­tion occurred, as defined by the nation­al author­i­ty, or when the val­ue is pre­sent­ed incom­plete or is not demon­strat­ed unequiv­o­cal­ly and suitably.

§ 5 The pro­ceeds from the col­lec­tion of fines imposed by ANPD, reg­is­tered or not in active debt, will be des­tined to the Fund for the Defense of Dif­fuse Rights referred to in art. referred to in art. 13 of Law No. 7.347 from July 24, 1985, and Law No. 9.008 from March 21, 1995. (Includ­ed by Law No. 13.853 from 2019)

§ 6 The sanc­tions pro­vid­ed for in items X, XI, and XII of the caput of this arti­cle shall apply:     (Includ­ed by Law no.13.853 from 2019)

  1. - only after hav­ing already imposed at least 1 (one) of the sanc­tions referred to in items II, III, IV, V, and VI of the caput of this arti­cle for the same spe­cif­ic case; and (Includ­ed by Law No. 13.853 from 2019)

  2. - in the case of con­trollers sub­mit­ted to oth­er bod­ies and enti­ties with sanc­tion­ing pow­ers, after hear­ing these bod­ies. (Includ­ed by Law No. 13.853 from 2019)

§ 7 nat­ur­al per­son leaks or unau­tho­rized access referred to in the caput of art. 46 of this Law may be sub­ject to direct con­cil­i­a­tion between con­troller and data sub­ject and, if there is no agree­ment, the con­troller will be sub­ject to the appli­ca­tion of the penal­ties referred to in this arti­cle. (Includ­ed by Law No. 13.853 from 2019)

Art. 53. The nation­al author­i­ty shall define, through its own reg­u­la­tion on admin­is­tra­tive sanc­tions for infrac­tions to this Law that should be sub­ject to pub­lic con­sul­ta­tion, the method­olo­gies that will guide the cal­cu­la­tion of the basic val­ue of the fine sanc­tions. (Term)

§ 1 The method­olo­gies referred to in the caput of this arti­cle must be pre­vi­ous­ly pub­lished for the pro­cess­ing agents’ knowl­edge and must present objec­tive­ly the forms and dosime­try for the cal­cu­la­tion of the basic val­ue of fine sanc­tions, which must con­tain a detailed state­ment of all its ele­ments, demon­strat­ing com­pli­ance with the cri­te­ria pro­vid­ed for in this Law.

§ 2 The reg­u­la­tion of cor­re­spond­ing sanc­tions and method­olo­gies must estab­lish the cir­cum­stances and the con­di­tions for the adop­tion of a sim­ple or dai­ly fines.

Art. 54. The amount of the penal­ty of dai­ly fine applic­a­ble to infrac­tions to this Law must observe the grav­i­ty of the fault and the extent of the dam­age or injury caused and be sub­stan­ti­at­ed by the nation­al author­i­ty. (Term)

Sole para­graph. The notice impos­ing a dai­ly fine must con­tain at least the descrip­tion of the oblig­a­tion imposed, the rea­son­able peri­od stip­u­lat­ed by the agency for com­pli­ance and the amount of the dai­ly fine to be imposed for its noncompliance.

CHAPTER IX 

NATIONAL DATA PROTECTION AUTHORITY (ANPD) AND NATIONAL COUNCIL OF PERSONAL DATA AND PRIVACY PROTECTION

Section I  

National Data Protection Authority (ANPD)

Art. 55. (VETOED).

Art. 55‑A. The Nation­al Data Pro­tec­tion Author­i­ty (ANPD), a body of the fed­er­al pub­lic admin­is­tra­tion, inte­gral to the Pres­i­den­cy of the Repub­lic, is here­by cre­at­ed, with­out increas­ing expen­di­ture. (Includ­ed by Law No. 13.853 from2019)

§ 1. The legal nature of ANPD is tran­si­to­ry and may be trans­formed by the Exec­u­tive Branch into an enti­ty of the indi­rect fed­er­al pub­lic admin­is­tra­tion, sub­mit­ted to a spe­cial munic­i­pal regime, and linked to the Pres­i­den­cy of the Repub­lic. (Includ­ed by Law No. 13.853 from 2019)

§ 2. The assess­ment regard­ing the trans­for­ma­tion pro­vid­ed for in § 1 of this arti­cle must take place with­in 2 (two) years from the date of entry into force of ANPD’s reg­u­la­to­ry struc­ture. (Includ­ed by Law No. 13.853 from 2019)

§ 3 The pro­vi­sion of the posi­tions and func­tions nec­es­sary for ANPD’s cre­ation and per­for­mance is sub­ject to the express phys­i­cal and finan­cial autho­riza­tion in the annu­al bud­get law and the per­mis­sion in the law of bud­get guide­lines. (Includ­ed by Law No. 13.853 from 2019)

Art. 55‑B. Tech­ni­cal and deci­sion-mak­ing auton­o­my is guar­an­teed to the ANPD. (Includ­ed by Law No. 13.853 from 2019)

Art. 55‑C. ANPD is com­posed of: (Includ­ed by Law No. 13.853 from 2019)

  1. - Board of Direc­tors, the high­est man­age­ment body; (Includ­ed by Law No. 13.853 from 2019)

  2. - Nation­al Coun­cil for the Pro­tec­tion of Per­son­al Data and Pri­va­cy; (Includ­ed by Law No. 13.853 from2019)

 

  1. - Inter­nal Affairs; (Includ­ed by Law No. 13.853 from 2019)

  2. - Ombuds­man; (Includ­ed by Law No. 13.853 from 2019)

  3. - own legal advi­so­ry body; and (Includ­ed by Law No. 13.853 from 2019)

  4. - admin­is­tra­tive units and spe­cial­ized units which are nec­es­sary for the appli­ca­tion of the pro­vi­sions of this Law. (Includ­ed by Law No. 13.853 from 2019)

Art. 55‑D. ANPD’s Board of Direc­tors will be made up of 5 (five) direc­tors, includ­ing the Chief Exec­u­tive Offi­cer. (Includ­ed by Law No. 13.853 from 2019)

 

§ 1. The mem­bers of ANPD’s Board of Direc­tors will be cho­sen by the Pres­i­dent of the Repub­lic and appoint­ed by him, after approval by the Fed­er­al Sen­ate, under the terms of sec­tion f of item III of art. 52 of the Fed­er­al Con­sti­tu­tion, and will occu­py a posi­tion in a com­mit­tee of the Supe­ri­or Steer­ing and Advi­so­ry Group — DAS, at least at level5. (Includ­ed by Law No. 13.853 from 2019)

 

§ 2 The mem­bers of the Board of Direc­tors will be cho­sen among Brazil­ians who have an unblem­ished rep­u­ta­tion, a high­er lev­el of edu­ca­tion, and high regard in the spe­cial­ty field of the posi­tions to which they will be appoint­ed. (Includ­ed by Law No. 13.853 from 2019)

§ 3 The term of office of the mem­bers of the Board of Direc­tors will be of 4 (four) years. (Includ­ed by Law No. 13.964 from 2019)

§ 4 The terms of office for the first appoint­ed mem­bers of the Board of Direc­tors will be 2 (two), 3 (three), 4 (four), 5 (five), and 6 (six) years, as estab­lished in the nom­i­na­tion. (Includ­ed by Law No. 13.853 from 2019)

§ 5 In the event of a vacan­cy in the posi­tion dur­ing the term of office of a mem­ber of the Board of Direc­tors, the remain­ing term will be com­plet­ed by the suc­ces­sor. (Includ­ed by Law No. 13.853 from 2019)

Art. 55‑E. The mem­bers of the Board of Direc­tors will only lose their posi­tions due to res­ig­na­tion, final judi­cial con­vic­tion, or penal­ty of dis­missal due to dis­ci­pli­nary admin­is­tra­tive pro­ceed­ings. (Includ­ed by Law No. 13.853 from 2019)

§ 1 Accord­ing to the caput of this arti­cle, it is the respon­si­bil­i­ty of the Chief Min­is­ter of the Chief of Staff of the Pres­i­den­cy of the Repub­lic to ini­ti­ate dis­ci­pli­nary admin­is­tra­tive pro­ceed­ings, which will be car­ried out by a spe­cial com­mis­sion made up of sta­ble fed­er­al civ­il ser­vants. (Includ­ed by Law No. 13.853 from 2019)

§ 2 It is the respon­si­bil­i­ty of the Pres­i­dent of the Repub­lic to deter­mine pre­ven­tive removal, only when so rec­om­mend­ed by the spe­cial com­mis­sion referred to in para­graph 1 of this arti­cle, and to ren­der judg­ment. (Includ­ed by Law No. 13.853 from 2019)

Art. 55‑F. It is applied to the mem­bers of the Board of Direc­tors, after exer­cis­ing their posi­tion, the pro­vi­sions of art. 6 of Law No. 12.813 from May 16, 2013. (Includ­ed by Law No. 13.853 from 2019)

Sole para­graph. Infringe­ment of the pro­vi­sion in the caput of this arti­cle char­ac­ter­izes an act of admin­is­tra­tive impro­bity. (Includ­ed by Law No. 13.853 from 2019)

 

Art. 55‑G. Act of the Pres­i­dent of the Repub­lic will pro­vide for the reg­u­la­to­ry struc­ture of the ANPD. (Includ­ed by Law No. 13.853 from 2019)

 

§ 1 Until the date of entry into force of its reg­u­la­to­ry struc­ture, the ANPD will receive tech­ni­cal and admin­is­tra­tive sup­port from the Civ­il Office of the Pres­i­den­cy of the Repub­lic for the exer­cise of its activ­i­ties. (Includ­ed by Law No. 13.853 from 2019)

 

§ 2 The Board of Direc­tors will pro­vide for ANPD’s inter­nal reg­u­la­tions. (Includ­ed by Law No. 13.853 from 2019)

Art. 55‑H. ANPD’s com­mis­sioned posi­tions and trust func­tions will be relo­cat­ed from oth­er bod­ies and enti­ties of the fed­er­al Exec­u­tive Branch. (Includ­ed by Law No. 13.853 from 2019)

Art. 55‑I. The occu­pants of ANPD’s com­mis­sioned and trust­ed func­tions will be appoint­ed by the Board of Direc­tors and appoint­ed or des­ig­nat­ed by the Chief Exec­u­tive Offi­cer. (Includ­ed by Law No. 13.853 from 2019)

Art. 55‑J. It is incum­bent upon ANPD: (Includ­ed by Law No. 13.853 from 2019)

  1. - ensure the pro­tec­tion of per­son­al data, under the terms of the law; (Includ­ed by Law No. 13.853 from 2019)

 

  1. - ensur­ing the obser­vance of com­mer­cial and indus­tri­al secrets, with due regard for the pro­tec­tion of per­son­al data and the con­fi­den­tial­i­ty of infor­ma­tion when pro­tect­ed by law or when a breach of con­fi­den­tial­i­ty vio­lates the fun­da­men­tals of art. 2 of this Law; (Includ­ed by Law No. 13.853 from 2019)

  2. - pre­pare guide­lines for the Nation­al Pol­i­cy for the Pro­tec­tion of Per­son­al Data and Pri­va­cy; (Includ­ed by Law No. 13.853 from 2019)

  3. - inspect and apply sanc­tions in the event of data pro­cess­ing car­ried out in breach of the law, through an admin­is­tra­tive process that ensures the con­tra­dic­to­ry, full defense and the right to appeal; (Includ­ed by Law No. 13.853 from 2019)

  4. - to con­sid­er peti­tions from the data sub­ject against the con­troller after the data sub­ject has proven the sub­mis­sion of a com­plaint to the con­troller that has not been resolved with­in the peri­od estab­lished in the reg­u­la­tions; (Includ­ed by Law No. 13.853 from 2019)

  5. - pro­mote in the pop­u­la­tion the knowl­edge of the norms and pub­lic poli­cies on the pro­tec­tion of per­son­al data and secu­ri­ty mea­sures; (Includ­ed by Law No. 13.853 from 2019)

  6. - pro­mote and pre­pare stud­ies on nation­al and inter­na­tion­al prac­tices for the pro­tec­tion of per­son­al data and pri­va­cy; (Includ­ed by Law No. 13.853 from 2019)

  7. - encour­age the adop­tion of stan­dards for ser­vices and prod­ucts that facil­i­tate the exer­cise of con­trol by the data sub­jects over their per­son­al data, which should take into account the speci­fici­ties of the activ­i­ties and the size of those respon­si­ble; (Includ­ed by Law No. 13.853 from 2019)

  8. - pro­mote coop­er­a­tive actions between data pro­tec­tion author­i­ties from oth­er coun­tries, of

inter­na­tion­al or transna­tion­al nature; (Includ­ed by Law No. 13.853 from 2019)

  1. - pro­vide for the forms of pub­lic­i­ty for the pro­cess­ing of per­son­al data, respect­ing com­mer­cial and indus­tri­al secrets; (Includ­ed by Law No. 13.853 from 2019)

  2. - request, at any time, pub­lic author­i­ties to car­ry out per­son­al data pro­cess­ing oper­a­tions spe­cif­ic infor­ma­tion on the scope, nature of the data and oth­er details of the pro­cess­ing car­ried out, with the pos­si­bil­i­ty of issu­ing a com­ple­men­tary tech­ni­cal opin­ion to ensure com­pli­ance with this Law; (Includ­ed by Law No. 13.853 from 2019)

  3. - pre­pare annu­al man­age­ment reports about its activ­i­ties; (Includ­ed by Law No. 13.853 from 2019)

 

  1. - edit reg­u­la­tions and pro­ce­dures on the pro­tec­tion of per­son­al data and pri­va­cy, as well as on data pro­tec­tion impact assess­ment for cas­es in which the pro­cess­ing rep­re­sents a high risk to guar­an­tee the gen­er­al prin­ci­ples of per­son­al data pro­tec­tion pro­vid­ed for in this Law; (Includ­ed by Law No. 13.853 from 2019)

  2. - lis­ten to pro­cess­ing agents and the soci­ety in mat­ters of rel­e­vant inter­est and report­ing on their activ­i­ties and plan­ning; (Includ­ed by Law No. 13.853 from 2019)

  3. - col­lect and apply its rev­enues and pub­lish, in the man­age­ment report referred to in item XII of the caput of this arti­cle, the details of its rev­enues and expens­es; (Includ­ed by Law No. 13.853 from 2019)

  4. - car­ry out audits, or deter­mine their per­for­mance, with­in the scope of the inspec­tion activ­i­ty referred to in item IV and with due obser­vance of the pro­vi­sions of item II of the caput of this arti­cle, on the pro­cess­ing of per­son­al data car­ried out by the pro­cess­ing agents, includ­ing the pub­lic Pow­er; (Includ­ed by Law No. 13.853 from 2019)

  5. - enter into, at any time, a com­mit­ment with pro­cess­ing agents to elim­i­nate irreg­u­lar­i­ties, legal uncer­tain­ty, or con­tentious sit­u­a­tions in the con­text of admin­is­tra­tive pro­ceed­ings, in accor­dance with the pro­vi­sions of

Decree-Law No. 4.657 from Sep­tem­ber 4, 1942; (Includ­ed by Law No. 13.853 from 2019)

  1. - edit sim­pli­fied and dif­fer­en­ti­at­ed rules, guide­lines, and pro­ce­dures, includ­ing dead­lines, so that micro and small busi­ness­es, as well as incre­men­tal or dis­rup­tive busi­ness ini­tia­tives that declare them­selves star­tups or inno­va­tion com­pa­nies can adapt to this Law; (Includ­ed by Law No. 13.853 from 2019)

  2. - ensure that the pro­cess­ing of data from elder­ly peo­ple is car­ried out in a sim­ple, clear, acces­si­ble, and suit­able way for their under­stand­ing, under the terms of this Law and Law No. 10.741 from Octo­ber 1, 2003 (Statute of the Elder­ly); (Includ­ed by Law No.13.853 from 2019)

  3. - resolve, in the admin­is­tra­tive sphere, in a ter­mi­na­tive nature, on the inter­pre­ta­tion of this Law, its pow­ers and omis­sions; (Includ­ed by Law No. 13.853 from 2019)

  4. - report to the com­pe­tent author­i­ties the crim­i­nal offens­es of which it becomes aware; (Includ­ed by Law No. 13.853 from 2019)

  5. - com­mu­ni­cate to the inter­nal con­trol bod­ies the non-com­pli­ance with the pro­vi­sions of this Law by bod­ies and enti­ties of the fed­er­al pub­lic admin­is­tra­tion; (Includ­ed by Law No. 13.853 from 2019)

  6. - liaise with pub­lic reg­u­la­to­ry author­i­ties to exer­cise their pow­ers in spe­cif­ic sec­tors of eco­nom­ic and gov­ern­men­tal activ­i­ties sub­ject to reg­u­la­tion; and (Includ­ed by Law No. 13.853 from 2019)

  7. - imple­ment sim­pli­fied mech­a­nisms, includ­ing by elec­tron­ic means, for reg­is­ter­ing com­plaints on the pro­cess­ing of per­son­al data that does not com­ply with this Law. (Includ­ed by Law No. 13.853 from 2019)

§ 1 When impos­ing admin­is­tra­tive con­straints on the pro­cess­ing of per­son­al data by a pri­vate pro­cess­ing agent, be it lim­its, charges, or lia­bil­i­ties, ANPD must observe the min­i­mum inter­ven­tion require­ment, ensur­ing the fun­da­men­tals, prin­ci­ples, and data subject’s rights pro­vid­ed for in art. 170 of the Fed­er­al Con­sti­tu­tion and this Law. (Includ­ed by Law No. 13.853 from 2019)

§ 2 The reg­u­la­tions and stan­dards issued by the ANPD must be pre­ced­ed by pub­lic con­sul­ta­tion and hear­ing, as well as reg­u­la­to­ry impact analy­ses. (Includ­ed by Law No. 13.853 from 2019)

§ 3 The ANPD and pub­lic bod­ies and enti­ties respon­si­ble for reg­u­lat­ing spe­cif­ic sec­tors of eco­nom­ic and gov­ern­men­tal activ­i­ty must coor­di­nate their activ­i­ties, in the cor­re­spond­ing spheres of activ­i­ty, with a view to ensur­ing the ful­fill­ment of their duties with the great­est effi­cien­cy and pro­mot­ing the prop­er func­tion­ing of the sec­tors reg­u­lat­ed, accord­ing to spe­cif­ic leg­is­la­tion, and the pro­cess­ing of per­son­al data, as pro­vid­ed for in this Law. (Includ­ed by Law No. 13.853 from 2019)

§ 4 ANPD will main­tain a per­ma­nent com­mu­ni­ca­tion forum, includ­ing through tech­ni­cal coop­er­a­tion, with pub­lic admin­is­tra­tion bod­ies and enti­ties respon­si­ble for reg­u­lat­ing spe­cif­ic sec­tors of eco­nom­ic and gov­ern­men­tal activ­i­ty, in order to facil­i­tate ANPD’s reg­u­la­to­ry, super­vi­so­ry and puni­tive pow­ers. (Includ­ed by Law No. 13.853 from 2019)

§ 5 In the exer­cise of the pow­ers referred to in the caput of this arti­cle, the com­pe­tent author­i­ty shall ensure the preser­va­tion of busi­ness secre­cy and the secre­cy of infor­ma­tion, under the terms of the law. (Includ­ed by Law No. 13.853 from 2019)

§ 6 The com­plaints col­lect­ed in accor­dance with the pro­vi­sions of item V of the caput of this arti­cle may be ana­lyzed in an aggre­gate man­ner, and the even­tu­al mea­sures result­ing from them may be adopt­ed in a stan­dard­ized manner. 

(Includ­ed by Law No. 13.853 from 2019)

Art. 55‑K. The appli­ca­tion of the sanc­tions pro­vid­ed for in this Law is the exclu­sive respon­si­bil­i­ty of the ANPD, and its pow­ers will pre­vail with regard to the pro­tec­tion of per­son­al data, over the relat­ed pow­ers of oth­er pub­lic admin­is­tra­tion enti­ties or bod­ies. (Includ­ed by Law No. 13.853 from 2019)

Sole para­graph. ANPD will artic­u­late its oper­a­tion with oth­er bod­ies and enti­ties with sanc­tion­ing and nor­ma­tive pow­ers relat­ed to the top­ic of pro­tec­tion of per­son­al data and will be the cen­tral body for the inter­pre­ta­tion of this Law and the estab­lish­ment of rules and guide­lines for its imple­men­ta­tion. (Includ­ed by Law No. 13.853 from 2019)

Art. 55‑L. The fol­low­ing con­sti­tutes ANPD’s rev­enues: (Includ­ed by Law No. 13.853 from 2019)

  1. - the appro­pri­a­tions, con­signed in the gen­er­al bud­get of the Fed­er­al Gov­ern­ment, spe­cial cred­its, addi­tion­al cred­its, trans­fers, and loans grant­ed to it; (Includ­ed by Law No. 13.853 from 2019)

  2. - dona­tions, bequests, grants and oth­er resources allo­cat­ed to it;  (Includ­ed by 

Law No. 13.853 from 2019)

  1. - the amounts cal­cu­lat­ed in the sale or rental of mov­able and immov­able prop­er­ty owned by it;                       (Includ­ed by Law No. 13.853 from 2019)

  2. - the amounts cal­cu­lat­ed in invest­ments in the finan­cial mar­ket of the rev­enues pro­vid­ed for in this arti­cle; (Includ­ed by Law No. 13.853 from 2019)

  3. - (VETOED); (Includ­ed by Law No. 13.853 from 2019)

  4. - resources aris­ing from agree­ments, agree­ments or con­tracts entered into with enti­ties, bod­ies or com­pa­nies, pub­lic or pri­vate, nation­al or inter­na­tion­al; (Includ­ed by Law No. 13.853 from 2019)

  5. - the pro­ceeds from the sale of pub­li­ca­tions, tech­ni­cal mate­r­i­al, data, and infor­ma­tion, includ­ing for pub­lic bid­ding pur­pos­es. (Includ­ed by Law No. 13.853 from 2019)

Art. 56. (VETOED).

Art. 57. (VETOED).

Section II 

National Council for the Protection of Personal Data and Privacy

Art. 58. (VETOED).

Art. 58‑A. The Nation­al Coun­cil for the Pro­tec­tion of Per­son­al Data and Pri­va­cy will be com­posed of 23 (twen­ty-three) rep­re­sen­ta­tives, data sub­jects, and sub­sti­tutes, from the fol­low­ing bod­ies: (Includ­ed by Law No. 13.853 from 2019)

  1. - 5 (five) from the Fed­er­al Exec­u­tive Branch; (Includ­ed by Law No. 13.853 from 2019)

  2. - 1 (one) from the Fed­er­al Sen­ate; (Includ­ed by Law No. 13.853 from 2019)

  3. - 1 (one) from the Cham­ber of Deputies; (Includ­ed by Law No. 13.853 from 2019)

  4. - 1 (one) from the Nation­al Coun­cil of Jus­tice; (Includ­ed by Law No. 13.853 from 2019)

  5. - 1 (one) from the Nation­al Coun­cil of the Pub­lic Min­istry; (Includ­ed by Law No. 13.853 from 2019)

  6. - 1 (one) from the Brazil­ian Inter­net Steer­ing Com­mit­tee; (Includ­ed by Law No. 13.853 from 2019)

  7. - 3 (three) from civ­il soci­ety enti­ties with activ­i­ties relat­ed to the pro­tec­tion of per­son­al data; (Includ­ed by Law No. 13.853 from 2019)

  8. - 3 (three) from sci­en­tif­ic, tech­no­log­i­cal, and inno­va­tion insti­tu­tions; (Includ­ed by Law No. 13.853 from2019)

  9. - 3 (three) from union con­fed­er­a­tions rep­re­sent­ing eco­nom­ic cat­e­gories in the pro­duc­tive sec­tor; (Includ­ed by Law No. 13.853 from 2019)

 

  1. - 2 (two) from enti­ties rep­re­sent­ing the busi­ness sec­tor relat­ed to the area of per­son­al data pro­cess­ing; and (Includ­ed by Law No. 13.853 from 2019)

  2. - 2 (two) from enti­ties rep­re­sent­ing the labor sec­tor. (Includ­ed by Law No. 13.853 from 2019)

§ 1 Rep­re­sen­ta­tives will be appoint­ed by act of the Pres­i­dent of the Repub­lic, del­e­ga­tion is per­mit­ted. (Includ­ed by Law No. 13.853 from 2019)

 

§ 2 The rep­re­sen­ta­tives referred to in items I, II, III, IV, V, and VI of the caput of this arti­cle and their alter­nates will be appoint­ed by the data sub­jects of the respec­tive pub­lic admin­is­tra­tion bod­ies and enti­ties. (Includ­ed by Law No. 13.853 from 2019)

§ 3 The rep­re­sen­ta­tives referred to in items VII, VIII, IX, X, and XI of the caput of this arti­cle and their sub­sti­tutes: (Includ­ed by Law No. 13.853 from 2019)

 

  1. - will be indi­cat­ed in the form of reg­u­la­tion; (Includ­ed by Law No. 13.853 from 2019)

  2. - can­not be mem­bers of the Inter­net Steer­ing Com­mit­tee in Brazil; (Includ­ed by Law No. 13.853 from 2019)

  3. - shall have a term of 2 (two) years, with 1 (one) renew­al allowed. (Includ­ed by Law No. 13.853 from 2019)

§ 4 Par­tic­i­pa­tion in the Nation­al Coun­cil for the Pro­tec­tion of Per­son­al Data and Pri­va­cy will be con­sid­ered a rel­e­vant, unpaid pub­lic ser­vice. (Includ­ed by Law No. 13.853 from 2019)

Art. 58‑B. It is incum­bent upon the Nation­al Coun­cil for the Pro­tec­tion of Per­son­al Data and Pri­va­cy: (Includ­ed by Law No. 13.853 from 2019)

  1. - pro­pose strate­gic guide­lines and pro­vide sub­si­dies for the prepa­ra­tion of the Nation­al Pol­i­cy for the Pro­tec­tion of Per­son­al Data and Pri­va­cy and for ANPD’s per­for­mance; (Includ­ed by Law No. 13.853 from 2019)

  2. - prepar­ing annu­al reports to eval­u­ate the imple­men­ta­tion of the actions of the Nation­al Pol­i­cy for the Pro­tec­tion ofPer­son­al Data and Pri­va­cy; (Includ­ed by Law No. 13.853 from 2019)

  3. - sug­gest actions to be tak­en by ANPD; (Includ­ed by Law No. 13.853 from 2019)

  4. - pre­pare stud­ies and hold­ing debates and pub­lic hear­ings on the pro­tec­tion of per­son­al data and pri­va­cy; and (Includ­ed by Law No. 13.853 from 2019)

 

  1. - dis­sem­i­nat­ing knowl­edge on the pro­tec­tion of per­son­al data and pri­va­cy to the pop­u­la­tion.  (Includ­ed by Law No. 13.853 from 2019)

 

Art. 59. (VETOED).

CHAPTER X 

FINAL AND INTERIM PROVISIONS

Art. 60. Law No. 12.965 from April 23, 2014(Inter­net Civ­il Mark), becomes effec­tive with the fol­low­ing changes:

“Art. 7 …

X — defin­i­tive exclu­sion of per­son­al data that you have pro­vid­ed to a cer­tain inter­net appli­ca­tion, at your request, at the end of the rela­tion­ship between the Par­ties, except for the hypothe­ses of manda­to­ry record-keep­ing pro­vid­ed for in this Law and in which it deals with the pro­tec­tion of per­son­al data;”

“Art. 16 …

II — per­son­al data that are exces­sive in rela­tion to the pur­pose for which con­sent was giv­en by its data sub­ject, except in the cas­es pro­vid­ed for in the Law that pro­vides for the pro­tec­tion of per­son­al data.” (NR)

Art. 61. The for­eign com­pa­ny will be noti­fied and sum­moned of all pro­ce­dur­al acts pro­vid­ed for in this Law, regard­less of pow­er of attor­ney or con­trac­tu­al or statu­to­ry pro­vi­sion, in the per­son of the agent or rep­re­sen­ta­tive or per­son respon­si­ble for its branch, agency, branch office, estab­lish­ment or office installed in Brazil.

Art. 62. The Nation­al Author­i­ty and the Nation­al Insti­tute of Edu­ca­tion­al Stud­ies and Research Aní­sio Teix­eira (Inep), with­in the scope of their com­pe­ten­cies, will issue spe­cif­ic reg­u­la­tions for access to data processed by the Fed­er­al Gov­ern­ment for com­pli­ance with the pro­vi­sions of § 2 of art. 9 of Law No. 9.394 from Decem­ber 20, 1996(Law on Guide­lines and Bases for Nation­al Edu­ca­tion), and those refer­ring to the Nation­al High­er Edu­ca­tion Assess­ment Sys­tem (Sinaes), which Law No. 10.861 from April 14, 2004, address­es.

Art. 63. The nation­al author­i­ty shall estab­lish rules on the pro­gres­sive suit­abil­i­ty of data­bas­es estab­lished up to the date of entry into force of this Law, tak­ing into account the com­plex­i­ty of the pro­cess­ing oper­a­tions and the nature of the data.

Art. 64. The rights and prin­ci­ples expressed in this Law do not exclude oth­ers pro­vid­ed for in the legal order of the coun­try relat­ed to the mat­ter or in the inter­na­tion­al treaties to which the Fed­er­a­tive Repub­lic of Brazil is a part of.

Art. 65. This Law comes into force: (Word­ing giv­en by Law No. 13.853 from 2019)

  1. - on Decem­ber 28, 2018, regard­ing arts. 55‑A, 55‑B, 55‑C, 55‑D, 55‑E, 55‑F, 55‑G, 55‑H, 55‑I, 55‑J, 55K, 55‑L, 58‑A e 58‑B; e                (Includ­ed by Law No. 13.853 from 2019)

I‑A — August 1, 2021, as to arti­cles 52, 53 and 54; (Includ­ed by Law No. 14.010 from 2020)

  1. - 24 (twen­ty-four) months after the date of its pub­li­ca­tion, regard­ing the oth­er arti­cles.     (Includ­ed by Law No. 13.853 from 2019)

Brasília, August 14, 2018.

MICHEL TEMER

Torqua­to Jardim

Aloy­sio Nunes Fer­reira Filho

Eduar­do Refinet­ti Guardia

Esteves Pedro Col­na­go Junior

Gilber­to Mag­a­l­hães Occhi

Gilber­to Kassab

Wag­n­er de Cam­pos Rosário

Gus­ta­vo do Vale Rocha

Ilan Gold­fa­jn

Raul Jung­mann

Eliseu Padil­ha

Categorias

  • Uncategorized

Inscreva-se para nossa NewsLetter

O escritório

  • About Us
  • Awards and recognition
  • Areas of Expertise
  • Laywers

Informações Legais

  • Press
  • Contact

Fale com um especialista

11 3141 9009
Alameda Santos, 1165
Paulista - CEP 01419-001 - SP

Redes Sociais

  • Follow
  • Follow
  • Follow
  • Follow
  • Follow

© Assis e Mendes Advogados - Direito Digital, Empresarial e Proteção de Dados - 2020